Preparing to Install Fortify WebInspect Enterprise
This section describes how to prepare for installing Micro Focus Fortify WebInspect Enterprise by installing and configuring the prerequisite software, creating an account for a sensor user, and ensuring secure HTTPS operation.
If you are integrating Fortify WebInspect Enterprise with Micro Focus Fortify Software Security Center, see Installing or Upgrading Fortify Software Security Center (Optional).
Installing IIS, ASP.NET, and .NET Framework
You must install and configure Internet Information Services (IIS), ASP.NET, and the Microsoft .NET Framework, if applicable. The following paragraphs provide guidance for installing and configuring these components.
Note: These instructions describe a third-party product and might not match the specific, supported version you are using. See your product documentation for the instructions for your version.
Note: When you select role services to add, some or all of their subordinate role services might be automatically selected as well. Leave any automatic selections as is. If a message appears indicating that other particular role services must also be installed, click the button to add them and they will be automatically selected for installation.
To install IIS and add the Web Server (IIS) server role and required role services:
- In the Server Manager, click Manage and then Add Roles and Features.
  The Add Roles and Features Wizard appears.
- Follow the wizard to select the installation type and destination server.
- On the Server Roles window, do the following:
  - Select the Web Server (IIS) check box, if it is not already selected.
  - If you are installing a standalone or decoupled Fortify WebInspect Enterprise, then expand the Web Server > Security role service and select the Windows Authentication check box.
    Important! If you do not select Windows Authentication, you will not be able to connect to the Fortify WebInspect Enterprise Manager and complete the initialization.
- Click Next.
- On the Features window under .NET Framework <version> Features, select .NET Framework <version> and ASP.NET <version>.
  Note: The version of .NET Framework and ASP.NET available in IIS depends on the OS version you are using. For example, you may see .NET Framework 4.6 or .NET Framework 4.7.
- Click Next.
- On the Role Services window under Application Development, select ASP.NET <version>.
- Click Install to install IIS with the features, roles, and role services you selected.
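The selections made in the wizard can be confirmed afterwards from PowerShell. The following read-only check is an added example, not part of the Fortify documentation; the function name Test-WiePrerequisite is hypothetical, and the feature names are the ones Get-WindowsFeature reports on Windows Server 2012 and later, which is an assumption about your OS version.

```powershell
# Added example: read-only check of the role services selected in the wizard.
# Assumption: feature names as reported by Get-WindowsFeature on
# Windows Server 2012 and later. Test-WiePrerequisite is a hypothetical name.
Import-Module ServerManager

function Test-WiePrerequisite {
    param(
        # Set for a standalone or decoupled installation, which also
        # needs the Windows Authentication role service.
        [switch]$Standalone
    )

    $required = [ordered]@{
        'Web-Server'              = 'Web Server (IIS)'
        'NET-Framework-45-Core'   = '.NET Framework <version>'
        'NET-Framework-45-ASPNET' = 'ASP.NET <version> (Features window)'
        'Web-Asp-Net45'           = 'ASP.NET <version> (Application Development)'
    }
    if ($Standalone) {
        $required['Web-Windows-Auth'] = 'Windows Authentication (Web Server > Security)'
    }

    foreach ($name in $required.Keys) {
        $feature = Get-WindowsFeature -Name $name
        [pscustomobject]@{
            Feature    = $name
            WizardItem = $required[$name]
            Installed  = [bool]($feature -and $feature.Installed)
        }
    }
}

$report = @(Test-WiePrerequisite -Standalone)
$report | Format-Table -AutoSize

# A missing Windows Authentication role service blocks the connection to the
# Fortify WebInspect Enterprise Manager, so report gaps before initialization.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ('Not installed: ' + ($missing.Feature -join ', '))
}
```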
IIS Integrated Mode
During installation or upgrade, the Fortify WebInspect Enterprise Manager Web Service (WIE server) will be set up in IIS using the IIS integrated mode for the application pool. This means that the Fortify WebInspect Enterprise web site no longer needs to have ISAPI filters configured or ISAPI and CGI restrictions configured in IIS. Integrated mode does not use either of these elements.
IIS Application Pool Identity
Fortify WebInspect Enterprise no longer uses ASP.NET impersonation. Previously, ASP.NET impersonation was used to ensure that the account that was logged onto the server had the appropriate permissions to folders, registry keys, and encryption methods. However, Fortify WebInspect Enterprise now uses IIS7 and the application pool identity, which provides most of the required permissions.
This means that ASP.NET impersonation will not be enabled in the Authentication section of the application in IIS. The application will run with the application pool identity account, which is IIS AppPool\WIEAppPool. Fortify recommends that you do not change this account in IIS.
Important! The Fortify WebInspect Enterprise server application uses the IIS application pool identity. Because the IIS application pool is not a true Windows account, Fortify WebInspect Enterprise cannot use Windows authentication for the database connection. Customers must create a SQL Server account that can be used for the database connection.
Installing SQL Server
Install a supported version of SQL Server software if it is not already installed.
Fortify recommends that you configure the database server on a separate machine from either Fortify Software Security Center or Fortify WebInspect Enterprise.
Important! If you are integrating Fortify WebInspect Enterprise with Fortify Software Security Center, the Fortify WebInspect Enterprise SQL Server database requires case-insensitive collation. This is the opposite of the requirement for Fortify Software Security Center databases.
Creating a Sensor User
Create a local user account or an Active Directory user account in Windows, with a recognizable name such as WIEsensor, to be used as a sensor user for Fortify WebInspect Enterprise. Note the domain name, the account name, and the password.
Ensuring Secure HTTPS Operation
Fortify strongly recommends that you do the following to use HTTPS securely:
- Completely disable SSLv2.
- Enable TLS 1.1 and 1.2.
- Disable weak ciphers, generally defined as:
  - Ciphers having key length less than 128 bits
  - NULL ciphers
  - Ciphers that use MD5
  - Ciphers that use anonymous key exchange
  - Ciphers that use RC2
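To see how a server currently stands against these recommendations, the following read-only PowerShell audit reports the Schannel server-side state of SSL 2.0, TLS 1.1, and TLS 1.2 and lists enabled cipher suites that match the weak-cipher criteria. It is an added example, not part of the Fortify documentation; the function names are hypothetical, and it assumes the standard Schannel registry location and the Get-TlsCipherSuite cmdlet (TLS module, Windows Server 2016 or later).

```powershell
# Added example: read-only audit; it changes nothing on the server.
# Assumptions: standard Schannel registry location; Get-TlsCipherSuite
# (TLS module, Windows Server 2016 or later) is available.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocolState {
    param([string[]]$Protocol = @('SSL 2.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        $key = Join-Path $SchannelProtocols "$p\Server"
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $values -or $null -eq $values.Enabled) {
            $state = 'Not set (OS default applies)'
        } elseif ($values.Enabled -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'
        }
        [pscustomobject]@{ Protocol = $p; ServerState = $state }
    }
}

function Get-WeakTlsCipherSuite {
    # Classifies suites by the criteria in the list above.
    param($Suite = (Get-TlsCipherSuite))
    foreach ($s in $Suite) {
        $reasons = @()
        if ($s.Name -match '_NULL_') {
            $reasons += 'NULL cipher'
        } elseif ($s.CipherLength -lt 128) {
            $reasons += 'key length under 128 bits'
        }
        if ($s.Name -match '_MD5$')  { $reasons += 'uses MD5' }
        if ($s.Name -match '_anon_') { $reasons += 'anonymous key exchange' }
        if ($s.Name -match 'RC2')    { $reasons += 'uses RC2' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $s.Name; Reasons = $reasons -join '; ' }
        }
    }
}

Get-SchannelServerProtocolState | Format-Table -AutoSize
$weak = @(Get-WeakTlsCipherSuite)
if ($weak.Count -eq 0) {
    'No enabled cipher suite matches the weak-cipher criteria.'
} else {
    $weak | Format-Table -AutoSize -Wrap
}
```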
Using SAN or Wildcard Certificates and Non-Standard Ports in IIS
The Fortify WebInspect Enterprise Initialization Wizard does not overwrite certificate and port bindings that you create in IIS. As a result, you can use SAN or wildcard certificates and non-standard ports when configuring the Fortify WebInspect Enterprise Manager Web Service during initialization.
To use a SAN or wildcard certificate:
- Configure the web site in IIS with the appropriate bindings. During initialization, Fortify WebInspect Enterprise will show those configured bindings and will not overwrite them.
To use a non-standard port:
- Configure the binding with the port in IIS. During initialization, Fortify WebInspect Enterprise can use this binding and port.
For more information, see Configuring the Web Service.
HTTP Binding Host Name
If the HTTP binding in IIS does not contain a host name, the Initialization Wizard will create the HTTP URL using the server name. This configuration causes an issue with downloading the thin client for Guided Scan, reporting, and scan imports.
To prevent this issue:
- In the Edit Site Binding dialog box in IIS, add a host name for the HTTP binding before running the Initialization Wizard.
To correct this issue, do one of the following:
- In the Edit Site Binding dialog box in IIS, add a host name for the HTTP binding and re-run the Initialization Wizard.
- Modify the URL directly in the database. If you update the URL directly in the database only, the URL will revert to the server name if you run the Initialization Wizard again. To manually modify the URL in the database:
  - Run the following commands in the WIE database, replacing the SettingValue with your host name:
      SELECT * FROM ConfigSetting WHERE SettingName = 'WIE.HttpUrl'
      UPDATE ConfigSetting SET SettingValue='http://my.host.com/wie/' WHERE SettingName = 'WIE.HttpUrl'
  - Restart the WIE application pool for this change to take effect.
For more information, refer to your IIS and SQL Server documentation.
Using HTTPS with Guided Scan and Reports
By default, using Guided Scan or generating reports in conjunction with a self-signed certificate requires that HTTP be enabled for Fortify WebInspect Enterprise. However, if you use a signed certificate, then you can manually modify the HTTP URL setting in the WIE database to use HTTPS.
To use HTTPS:
- Run the following commands in the WIE database:
    SELECT * FROM ConfigSetting WHERE SettingName = 'WIE.HttpUrl'
    UPDATE ConfigSetting SET SettingValue='https://my.host.com/wie/' WHERE SettingName = 'WIE.HttpUrl'
- Restart the WIE application pool for this change to take effect.
Important! The HTTP URL setting will need to be manually modified if the Initialization Wizard is run again.
Databases in Availability Groups
If your SQL database is part of an availability group, remove it from the AlwaysOn Availability Group. After the WIE initialization is complete, rejoin the database to the availability group.
For more information, refer to your SQL Server documentation.
Mirrored Databases
If your SQL database is mirrored, set the partner option to OFF on the master database. After the WIE initialization is complete, perform a restore on the mirrored database and set the partner option to ON on the master database.
For more information, refer to your SQL Server documentation.