Adding Trusted Certificates

Connections from the OpenText SAST applications and tools to other Fortify products and external systems might require communication over HTTPS. Some examples include:

  • The OpenText SAST applications and tools such as Fortify Audit Workbench, Fortify Extension for Visual Studio, and Fortify Scan Wizard typically require an HTTPS connection to communicate with Application Security. By default, these tools do not trust self- or locally-signed certificates.

  • OpenText SAST configured as a ScanCentral SAST sensor uses an HTTPS connection to communicate with the Controller.

When using HTTPS, OpenText SAST applications and tools apply standard checks to the presented SSL server certificate by default, including a check to determine if the certificate is trusted. If your organization runs its own certificate authority (CA) and the OpenText SAST applications and tools need to trust connections where the server presents a certificate issued by this CA, you must configure the OpenText SAST applications and tools to trust the CA. Otherwise, HTTPS connections might fail.

You must add the trusted certificate of the CA to the OpenText™ Application Security Tools keystore. The OpenText™ Application Security Tools keystore is in the <tools_install_dir>/jre/lib/security/cacerts file. You can use the keytool command to add the trusted certificate to the keystore.

To add a trusted certificate to the OpenText™ Application Security Tools keystore:

  1. Open a command prompt, and then run the following command:

    <tools_install_dir>/jre/bin/keytool -importcert -alias <alias_name> -cacerts -file <cert_file>

    where:

    • <alias_name> is a unique name for the certificate you are adding.

    • <cert_file> is the name of the file containing the trusted root certificate in PEM or DER format.

  2. Enter the keystore password.

    The default password is changeit.

  3. When prompted to trust this certificate, select yes.
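
A certificate imported into cacerts becomes a trust anchor for the tools, so confirm its SHA-256 fingerprint against a value obtained out of band from your CA administrators before importing. The following script is an added example, not OpenText code: it wraps the procedure above with that check and then lists the new entry. It assumes a POSIX shell; the script name, function names and the four arguments are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Usage (all values are placeholders you supply):
#   ./import-ca.sh <tools_install_dir> <alias_name> <cert_file> <expected_sha256>

# Strip colons and whitespace and upper-case the hex digits, so fingerprints
# compare equal whether written as "AB:CD:..." or "abcd...".
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Read `keytool -printcert` output on stdin and print the SHA-256 fingerprint.
extract_sha256() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed only when the expected fingerprint is non-empty and equals the actual one.
fp_matches() {
  [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Arguments: <tools_install_dir> <alias_name> <cert_file> <expected_sha256>
import_trusted_ca() {
  keytool_bin="$1/jre/bin/keytool"
  actual_fp=$("$keytool_bin" -printcert -file "$3" | extract_sha256)
  if ! fp_matches "$4" "$actual_fp"; then
    echo "Fingerprint mismatch for $3, not importing (got: $actual_fp)" >&2
    return 1
  fi
  # Steps 1-3 of the procedure: keytool prompts for the keystore password
  # and asks whether to trust the certificate.
  "$keytool_bin" -importcert -alias "$2" -cacerts -file "$3" || return 1
  # Confirm the entry is now present under the chosen alias.
  "$keytool_bin" -list -cacerts -alias "$2"
}

# Run the import only when all four arguments are given.
if [ "$#" -eq 4 ]; then
  import_trusted_ca "$@"
fi
```
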