Adding trusted certificates
Connection from OpenText SAST to other OpenText Application Security Software products and external systems might require communication over HTTPS. Some examples include:
OpenText SAST by default requires an HTTPS connection to communicate with the LIM server for license management. The property com.fortify.sca.lim.RequireTrustedSSLCert determines whether the connection with the LIM server requires a trusted SSL certificate. For more information about this property, see LIM Properties.
The fortifyupdate command-line tool uses an HTTPS connection either automatically during a Windows system installation or manually (see Manually installing Fortify security content) to update Fortify security content.
OpenText SAST configured as a Fortify ScanCentral SAST sensor uses an HTTPS connection to communicate with the Controller.
When using HTTPS, OpenText SAST and its applications will by default apply standard checks to the presented SSL server certificate, including a check to determine if the certificate is trusted. If your organization runs its own certificate authority (CA) and OpenText SAST needs to trust connections where the server presents a certificate issued by this CA, you must configure OpenText SAST to trust the CA. Otherwise, the use of HTTPS connections might fail.
You must add the trusted certificate of the CA to the OpenText SAST keystore. The OpenText SAST keystore is in the <sast_install_dir>/jre/lib/security/cacerts file. You can use the keytool command to add the trusted certificate to the keystore.
To add a trusted certificate to the OpenText SAST keystore:
1. Open a command prompt, and then run the following command:
   <sast_install_dir>/jre/bin/keytool -importcert -alias <alias_name> -cacerts -file <cert_file>
   where:
   <alias_name> is a unique name for the certificate you are adding.
   <cert_file> is the name of the file that contains the trusted root certificate in PEM or DER format.
2. Enter the keystore password.
   The default password is changeit.
3. When prompted to trust this certificate, select yes.
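Every certificate in cacerts becomes a trust anchor for the HTTPS connections listed above, so it is worth confirming the file is the CA certificate you expect before importing it. The following is an added example, not part of the OpenText documentation: it compares the certificate's SHA-256 fingerprint with a value obtained out of band, runs the documented import command only on a match, and then lists the new entry. The function names, and the use of keytool -printcert and -list, are additions here; the -printcert output is assumed to use the English "SHA256:" label.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Reduce a fingerprint to bare lowercase hex. Accepts "AA:BB:..." as printed
# by keytool and "sha256 Fingerprint=AA:BB:..." as printed by openssl.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if both values are the same 64-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# import_ca <sast_install_dir> <alias_name> <cert_file> <expected_sha256>
import_ca() {
    keytool="$1/jre/bin/keytool"
    # -printcert reads PEM or DER; assumes keytool's English "SHA256:" label.
    actual=$("$keytool" -printcert -file "$3" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p')
    if ! fp_matches "$actual" "$4"; then
        echo "fingerprint mismatch for $3; not importing" >&2
        return 1
    fi
    # Same command as the procedure; keytool prompts for the password and trust.
    "$keytool" -importcert -alias "$2" -cacerts -file "$3" || return 1
    # Confirm the entry is now present under the chosen alias.
    "$keytool" -list -cacerts -alias "$2"
}
```

Call it as import_ca <sast_install_dir> <alias_name> <cert_file> "<expected fingerprint>". If the file cannot be read or holds more than one certificate, the comparison fails and nothing is imported.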