Installation of Fortify 20.2.0 eDAST in Easy Steps


2021

Installation of Fortify 20.2.0 eDAST in Simple Steps v0.1

Vikas.Johari@MicroFocus.com
Micro Focus
17 February 2021
Page # 1

Trademarks For Micro Focus trademarks, refer to the Micro Focus Trademark Information on the
Micro Focus website (http://www.microfocus.com/about/legal).
Micro Focus and the Micro Focus logo, among others, are trademarks or registered
trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom,
United States and other countries. All other marks are the property of their respective
owners. A trademark symbol (® TM etc.) denotes a Micro Focus trademark; an
asterisk (*) denotes a third-party trademark.

Legal Notice
Copyright 2021 Micro Focus and its affiliates.
All rights reserved. No part of this publication may be reproduced, photocopied, stored
on a retrieval system, or transmitted without the express written consent of the
publisher.

Micro Focus India Pvt Ltd


Unit No 705 - 7th Floor
Leela Business Park
Andheri Kurla Road
Andheri ( East),
Mumbai – 400059

Details Report Date: 17 February 2021

Prepared By: Vikas Johari – vikas.johari@microfocus.com

Reviewed By: Rohit Baryah – rohit.baryah@microfocus.com

Version: 0.1

Confidential – Property of Micro Focus’s Security, Risk and Governance Solutions Group.
<Document Installation Of Fortify 20.2.0 Edast In Easy Steps.Docx, updated on 17-Feb-21>
Copyright 2019 Micro Focus and its affiliates. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or
transmitted without the express written consent of the publisher
Page # 2

Table of Contents
Table of Contents .......................................................................................................................................... 2
eDAST Architecture ....................................................................................................................................... 4
Software Security Center (SSC) ................................................................................................................. 4
LIM ............................................................................................................................................................ 4
DAST API.................................................................................................................................................... 4
DAST Global Service .................................................................................................................................. 4
ScanCentral DAST Database ...................................................................................................................... 5
WebInspect Sensor ................................................................................................................................... 5
Permissions in Fortify Software Security Center (SSC) ............................................................................. 5
Lessons learned from mistakes ..................................................................................................................... 6
Lab VM Environment ................................................................................................................................ 7
Setting up Server ........................................................................................................................................... 7
Updating the hosts file .............................................................................................................................. 7
Installation and configuration of the Docker ................................................................................................ 8
Pulling Docker images ............................................................................................................................... 8
Setting up LIM as License Server................................................................................................................... 8
Update WebInspect (WI) License................................................................................................................ 16
Installing eDAST Configuration Tool ........................................................................................................... 21
Configuring WebInspect as Sensor in ScanCentral DAST ............................................................................ 34
Running the Basic Scan ............................................................................................................................... 38
Installation and Configuration of WebInspect Docker version with eDAST ............................................... 44
Running the REST API Scan ......................................................................................................................... 45
Running the Scan using Login Macro .......................................................................................................... 49
Generating Reports ..................................................................................................................................... 54
Using the eDAST REST API........................................................................................................................... 56
Using REST APIs via Swagger ................................................................................................................... 57
Using REST APIs via Postman .................................................................................................................. 60
Using REST APIs to integrate with any CI/CD Pipeline ............................................................................ 61
Appendix ..................................................................................................................................................... 67
Appendix 1: Installing Fortify .................................................................................................................. 67
Appendix 2: Installing FortifyClient ......................................................................................................... 67
Option 1: ............................................................................................................................................. 67

Option 2: ............................................................................................................................................. 67
Appendix 3: .NET Requirement for ScanCentral DAST ........................................................................... 67


eDAST Architecture
Fortify ScanCentral DAST is a dynamic application security testing tool that is comprised of the Fortify
WebInspect sensor service and other supporting technologies that you can use in conjunction with
Fortify Software Security Center.

Software Security Center (SSC)


The Fortify Software Security Center (SSC) user interface (UI) provides a way to view the DAST scans
list, sensors list, sensor pools, settings, and scan schedules. You can also access the DAST Settings
Configuration wizard from the UI.

ScanCentral DAST communicates with Fortify Software Security Center by way of the Software Security
Center Rest API.

ScanCentral DAST retrieves Application and Version information and user permissions from the Fortify
Software Security Center database. ScanCentral DAST uploads scans for triage to the database as FPR
files.

LIM
The License and Infrastructure Manager (LIM) Docker container provides the licensing service for the
ScanCentral DAST components.

DAST API
The ScanCentral DAST REST API Docker container provides communication between the sensor and the
ScanCentral DAST database. It also communicates with the LIM for licensing, and Fortify Software
Security Center.

The container name is scancentral-dast-api.

DAST Global Service


The ScanCentral DAST Global Service Docker container does the following:
• Starts scans (including scheduled scans)
• Communicates messages to and from the ScanCentral DAST Sensor Service
• Imports scan results to the Fortify Software Security Center database
• Performs additional background tasks
Note: The ScanCentral DAST Global Service uses SmartUpdate to obtain the most recent SecureBase
updates.

The container name is scancentral-dast-globalservice.

ScanCentral DAST Database


Configuration settings for ScanCentral DAST are stored in the ScanCentral DAST database. The
ScanCentral DAST REST API and ScanCentral DAST Global Service connect to the database on startup to
retrieve configuration settings.

WebInspect Sensor
The Fortify WebInspect sensor is either a Docker container or a Windows computer that runs the
ScanCentral DAST Sensor Service and a Fortify WebInspect sensor. The sensor does the following:
• Starts and runs scans
• Reports scan statistics to the ScanCentral DAST Global Service
• Uploads the scan to the ScanCentral DAST Rest API
Note: The ScanCentral DAST Sensor uses SmartUpdate to obtain the most recent SecureBase updates.

Permissions in Fortify Software Security Center (SSC)

The permissions designated by your user role in Fortify Software Security Center determine the types of
tasks you can perform on ScanCentral DAST scans, sensors, sensor pools, settings, and scan schedules.
The following table describes the default roles in Fortify Software Security Center that allow dynamic-
related tasks.

ScanCentral DAST Tasks | Application Security Tester | Developer | Manager | Security Lead | View-only
Manage pools and sensors | Yes Yes
View Data | Yes Yes Yes Yes Yes
Create, run, change, and delete scans, schedules, and settings | Yes Yes
Run scans from existing settings templates | Yes
Download artifacts (settings, scans, and logs) | Yes Yes Yes


Lessons learned from mistakes


A few pointers that can help you deploy Fortify eDAST in your PoC / lab environment:

1. ScanCentral DAST's containers by default download to and use the C: drive unless Docker is
configured to use another drive letter.
2. Containers cannot read the hosts file of the host server, so sometimes you have to use an IP
address instead of an FQDN.
3. Containers use a NAT network to connect to the external world.
4. Check Appendix 3: .NET Requirement for ScanCentral DAST if you want to use an existing
WebInspect Standalone installation as a sensor for eDAST.
5. Keep the eDAST activation keys handy.
6. Your Docker ID must have the "fortifydocker" organization assigned, otherwise you will not be able
to pull the eDAST images.
7. Windows Firewall should be off.


Lab VM Environment

Lab diagram: Fortify Server, GitSuSE Server, Windows Server.

A Windows 2019 VM is configured with 16 GB RAM, 4 vCPU and 100 GB HDD.

This VM has a standard SSC installation backed by SQL Server. Installation steps can be found at
https://community.microfocus.com/t5/tkb/usercontributedarticlespage/user-id/223632#

It is also recommended to install WebInspect Standalone, but do not activate the license.

Setting up Server
These servers are hosted in AWS, so a few basic changes are required for them to work properly.

Updating the hosts file


Identify the private IP address assigned to your Fortify server.

Update the IP address in the C:\Windows\System32\drivers\etc\hosts file.

The hostname remains fortify202.myhome.com; only the IP address needs to change.

Verify using ping.

REBOOT the server.
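The steps above as one idempotent PowerShell script. This is an added example, not part of the Micro Focus guide: it picks the IPv4 address of the adapter that holds the default route as the server's private IP, rewrites the hosts entry for fortify202.myhome.com (keeping every other line and a timestamped backup), and confirms that the name resolves to that address before you reboot. The hostname and hosts-file path are the guide's; the default-route heuristic for choosing the interface and the backup file name are assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Micro Focus guide): update the hosts entry for the
# Fortify server with this VM's current private IPv4 address and verify it.

$HostName  = 'fortify202.myhome.com'                                  # hostname used throughout the guide
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Identify the private IP: take the adapter that owns the IPv4 default route
#    (assumption: that is the AWS-assigned interface, not a Docker/Hyper-V NAT adapter).
$IfIndex = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object -Property RouteMetric | Select-Object -First 1 -ExpandProperty ifIndex
$PrivateIp = Get-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv4 |
    Select-Object -First 1 -ExpandProperty IPAddress
if (-not $PrivateIp) { throw 'Could not determine the private IPv4 address.' }

# 2. Rewrite the hosts file: back it up, drop any stale line for the hostname, append the new one.
$Backup = "$HostsFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"       # assumed backup naming
Copy-Item -Path $HostsFile -Destination $Backup
$Pattern = "^\s*\S+\s+$([regex]::Escape($HostName))(\s|$)"
$Kept = @(Get-Content -Path $HostsFile | Where-Object { $_ -notmatch $Pattern })
$Kept + "$PrivateIp`t$HostName" | Set-Content -Path $HostsFile -Encoding ASCII

# 3. Verify before rebooting: the name must resolve to the address we just wrote.
$Resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
if (-not $Resolved -or $Resolved.IPAddressToString -ne $PrivateIp) {
    throw "$HostName resolves to '$Resolved', expected $PrivateIp (backup at $Backup)"
}
if (-not (Test-Connection -ComputerName $HostName -Count 2 -Quiet)) {
    Write-Warning "$HostName resolves correctly but does not answer ping."
}
Write-Host "$HostName -> $PrivateIp written to $HostsFile (backup: $Backup). Reboot the server to finish."
```

The regex only removes lines whose second column is exactly the hostname, so unrelated entries and comments survive; the backup lets you diff the change if name resolution misbehaves after the reboot.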



Installation and configuration of the Docker


Run the below PowerShell commands (as Administrator) to install Docker in your Windows 2019 VM.

# PSGallery and GitHub downloads require TLS 1.2, so set it before installing anything
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-WindowsFeature -Name Containers

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force

Install-Package -Name docker -ProviderName DockerMsftProvider

Invoke-WebRequest "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Windows-x86_64.exe" -UseBasicParsing -OutFile "$Env:ProgramFiles\Docker\docker-compose.exe"

Restart-Computer

After the VM reboots, open PowerShell and run:

docker login

Enter your Docker ID and password. Docker generates the file
C:\Users\Administrator\.docker\config.json. Make sure your Docker ID has the "fortifydocker" organization
assigned, otherwise you will not be able to pull the eDAST images.

Pulling Docker images


Note: the below PowerShell command is for your reference only; the Docker images are already pulled
into the VM. Do not run this command.
docker pull fortifydocker/lim

Setting up LIM as License Server


Create a folder named C:\lim (the LIM container needs these files to be in the C:\lim folder; do not
create this folder elsewhere) and create a file named C:\lim\lim.env using Notepad++ with the below
content.

#!--LIM Dockerenvfile.--!
LimUseSSL=false
LimAdminWebSiteName=limadmin
LimServiceSiteName=limservice
LimDirectory=c:\lim
LimAdminUsername=fortify
LimAdminPassword=FortifyDAST1
LimAdminEmail=limadmin@limadmin.com
LimAdminFriendlyName=limadmin

Create a runLIMcontainer.ps1 file in C:\lim with the following content:

docker run -v c:/lim:c:/lim --restart always -d -p 81:80 --env-file c:\lim\lim.env --memory=8g --cpus=2 --name lim fortifydocker/lim

This command runs the LIM Docker image on port 81. If you want to use port 80 instead, change the port
in the above command and in every later reference to the LIM port in this document.

Run the runLIMcontainer.ps1 using PowerShell.

Open the URL http://fortify202.myhome.com:81/limadmin in Chrome.
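An added PowerShell script (not part of the Micro Focus guide) that performs the LIM bring-up above end to end: it creates C:\lim, writes lim.env with the guide's values, restricts the folder to Administrators and SYSTEM because lim.env holds the LIM admin password in plaintext, starts the container with the guide's docker run command, and polls the limadmin site until it answers so you know when to open the browser. The path, env values, port and container command are the guide's; the ACL restriction, the 5-minute readiness timeout and the restart-if-present handling are additions. Run it as Administrator.

```powershell
# Added example (not from the Micro Focus guide): create the LIM folder and env file,
# lock the folder down, start the LIM container and wait until it is reachable.

$LimDir  = 'C:\lim'   # LIM requires exactly this path; it is bind-mounted into the container
$LimPort = 81         # change here (and in the guide's later references) if you move LIM to port 80

New-Item -ItemType Directory -Path $LimDir -Force | Out-Null

# lim.env exactly as given in the guide
$EnvLines = @(
    '#!--LIM Dockerenvfile.--!'
    'LimUseSSL=false'
    'LimAdminWebSiteName=limadmin'
    'LimServiceSiteName=limservice'
    'LimDirectory=c:\lim'
    'LimAdminUsername=fortify'
    'LimAdminPassword=FortifyDAST1'
    'LimAdminEmail=limadmin@limadmin.com'
    'LimAdminFriendlyName=limadmin'
)
Set-Content -Path (Join-Path $LimDir 'lim.env') -Value $EnvLines -Encoding ASCII

# The env file contains a plaintext admin password: disable inherited ACEs and grant
# only Administrators and SYSTEM (addition, not a step in the guide).
$Acl = Get-Acl -Path $LimDir
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $LimDir -AclObject $Acl

# Start the container as runLIMcontainer.ps1 does; replace a previous 'lim' container if present.
$Existing = docker ps -a --format '{{.Names}}' | Where-Object { $_ -eq 'lim' }
if ($Existing) { docker rm -f lim | Out-Null }
docker run -v c:/lim:c:/lim --restart always -d -p "${LimPort}:80" --env-file "$LimDir\lim.env" `
    --memory=8g --cpus=2 --name lim fortifydocker/lim | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'docker run for the LIM container failed.' }

# Poll the admin site; any HTTP answer (including a redirect to the login page) means LIM is up.
$Url      = "http://fortify202.myhome.com:$LimPort/limadmin"
$Deadline = (Get-Date).AddMinutes(5)
$Ready    = $false
do {
    try   { Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5 | Out-Null; $Ready = $true }
    catch { $Ready = [bool]$_.Exception.Response; if (-not $Ready) { Start-Sleep -Seconds 10 } }
} while (-not $Ready -and (Get-Date) -lt $Deadline)

if (-not $Ready) {
    docker logs lim --tail 50
    throw "LIM did not become reachable at $Url within 5 minutes; see container log above."
}
Write-Host "LIM is up. Open $Url and continue with Activate."
```

If the readiness loop times out, the last 50 lines of the container log are printed before the script aborts; a wrong LimDirectory or a port already bound on the host shows up there rather than as a silent browser error.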


Login using User Name: fortify and Password: FortifyDAST1

Click Activate to activate your LIM server.


Read the License Information then click OK.

Confirmation Message will display.

Click on ADMIN -> USERS.

Click Add.


Enter the below details and click OK.

User Name: eDASTAdmin
Login Name: eDASTAdmin
Email Address: eDASTAdmin@myhome.com
Receives Email: Unchecked
Password: novell@123
Confirm Password: novell@123

Click LICENSES.


Click on ADD LICENSE.

Paste the eDAST Activation Token provided by the trainer, add a Description and click OK.

Validate the LICENSE GUID and click on ADD LICENSE to add WebInspect License.


Paste the Activation Token for WebInspect, click OK.

Now that both licenses are added, let's create a license pool.

Click on ADD LICENSE POOL.

Pool Name: eDASTPool


Pool Description: eDAST Pool
Pool Password: novell@123
Confirm Pool Password: novell@123
Click OK.


Click on ADD LICENSE.

Enter the SEAT COUNT as 2, click OK.


Validate the Licenses in the Pool then Click OK.

Close the browser window. LIM is ready to use.

Update WebInspect (WI) License


Start WebInspect 20.2.0 from the Desktop icon.

On Licensing Window


Click Activate Now.

Select Connect to Fortify License and Infrastructure Manager. Click Next.


Enter the below details –

URL: http://fortify202.myhome.com:81/limservice

Pool Name: eDASTPool

Password: novell@123

Network Proxy: UnChecked

Click Next.


Click Finish.

Click Close on the What's New window.

Click Yes in the Updates Available window.


Click the "Download" button in the SmartUpdate popup.

Wait for the download to complete.

Click OK on the SmartUpdate complete message.

Open the LIM URL and check Current Activity Details; you will see that a WebInspect license has been
assigned to the WebInspect installed on the VM.

Check Current Product Usage; the IN USE count will be non-zero.

Click File -> Exit to close WebInspect.


Open the LIM URL and check Current Activity Details, Current Product Usage and Lease History; identify
the difference from the previous check.

Installing eDAST Configuration Tool

Make sure SSC is running and you are able to login using credentials admin / sscadmin@123.

Use the URL: http://fortify202.myhome.com:8180/ssc

Open Administration -> Users -> Local.


Enter the details as below –

Username: eDASTAdmin

First Name: eDAST

Last Name: Admin

Email: edastadmin@myhome.com

Role: Administrator

Password: sscadmin@123

Confirm Password: sscadmin@123

User must change password at next login: Disabled

Password Never Expired: Enabled

Suspended: Disabled

Click Save.

Logout and login using eDASTAdmin in SSC to validate the user.

Open Downloads folder using Windows Explorer.



Extract "ScanCentral_DAST_20.2.zip" in Downloads folder.

In the Downloads\ScanCentral_DAST_20.2 folder, run "ScanCentral DAST - Config Tool Setup 20.2.312.exe".


Enter the below details in Database Connection.

Server: your_server_private_ip,1433 for example 172.31.86.99,1433. The 1433 is the MS SQL Server port.

User Name: sa

Password: novell@123

Create new database: Enabled

Database Name: eDAST


Click Validate.

Validation should succeed. Scroll down.

In the Standard Account enter the below –

User name: sa

Password: novell@123

Confirm Password: novell@123

Click Validate.


Validation should succeed; click Next.

Click Initialize database.

Database Initialization will take a few moments. Take a tea break.


Click OK.

Click Next.

Click on Do Not Use SSL.


Run the ScanCentral DAST API without SSL: Enabled

Click Next.

Enter the SSC Settings as below –

SSC URL: http://<your_servers_private_ip>:8180/ssc for example http://172.31.86.99:8180/ssc

Service Account Username: eDASTAdmin

Service Account Password: novell@123

Click Validate.

After validation enter the API Settings as below -

DAST API URL: http://<your_servers_private_ip>:85/api for example http://172.31.86.99:85/api

Allow all origin for CORS policy: Enabled

Scroll down for LIM Settings –



Enter the LIM Settings as below –

LIM URL: http://<your_servers_private_ip>:81/limservice for example http://172.31.86.99:81/limservice

Service account username: eDASTAdmin

Service account password: novell@123

Default LIM Pool Name: eDASTPool

Default LIM Pool Password: novell@123

Click Validate.

Scroll down.

No change required in Proxy Settings.

Scroll down.


In the Sensor Settings –

Sensor Service Token: ChangeMe!123

In Other Settings –

Allow UnTrusted server certificates: Enabled

Retain completed Scans: Enabled

Click Next.

Click on Download launch artifacts.


Save the edast-start.zip file in Downloads folder.

Extract the edast-start.zip file in Downloads folder using 7-Zip as above.

This folder contains the below files –


File Name | Use
appsettings.json | This file configures the sensor service. Use this file to run the Fortify ScanCentral DAST Sensor Service and a Fortify WebInspect sensor.
docker-compose.yml | This file pulls images and starts containers for the DAST API and DAST Global Service.
edast-api.pfx | If you generated a certificate using the configuration tool, this certificate file must be on the host computer where the DAST API container will be running. Note: This file is not downloaded if you use a certificate provided by a certificate authority (CA) or use an existing certificate.
pull-and-start-containers.ps1 | This PowerShell script pulls the DAST Global Service and DAST API images from Docker Hub, and then starts the containers.
pull-and-start-sensor-container.ps1 | This PowerShell script pulls the Fortify WebInspect image from Docker Hub, and then starts the container.
pull-images.ps1 | This PowerShell script pulls the DAST Global Service and DAST API images from Docker Hub, but does not start the containers.
pull-sensor-container.ps1 | This PowerShell script pulls the Fortify WebInspect image from Docker Hub, but does not start the container.
service-token.txt | This text file contains the shared secret that all your DAST sensors must use to authenticate with the DAST API.
start-containers.ps1 | This PowerShell script starts the DAST Global Service and DAST API containers, but does not pull the images.
start-sensor-container.ps1 | This PowerShell script starts the Fortify WebInspect container, but does not pull the image.

Let's pull the images and start the containers.

Go to the extracted folder, Shift-Right-click and select Open PowerShell window here.

Run the below command –

.\pull-and-start-containers.ps1


It will take a while. Take a tea break.

When it completes, open the Portainer URL in the Chrome browser:
http://fortify202.myhome.com:9000/

Login using credentials – admin / novell@123

Click on the Docker Icon.

Verify that the edast-start_scancentral-dast-globalservice_1 and edast-start_scancentral-dast-api_1 containers are running.

Open SSC and log in as admin / sscadmin@123.

Go to Administration -> Configuration -> ScanCentral DAST.


Enable ScanCentral DAST: Enabled.

ScanCentral DAST Server URL: http://fortify202.myhome.com:85/api

Click Save.

A confirmation message will be displayed.

Logout from SSC.

Stop and Start SSC's Tomcat service.

Log in to SSC as admin.

Click on SCANCENTRAL -> DAST.

If you can see the above screen then ScanCentral DAST is configured successfully.

Configuring WebInspect as Sensor in ScanCentral DAST

Open services.msc and locate the WebInspect API service.


Open Properties -> Log On and change to:

This Account: .\Administrator

Password: novell@123

Confirm Password: novell@123

Click OK and Start the service.

Go to the Downloads\ScanCentral_DAST_20.2 folder. Extract the ScanCentral DAST - Sensor Service.zip file using 7-Zip.

Rename the ScanCentral DAST - Sensor Service folder as SensorService.

Move the SensorService folder to C:\


Open the C:\SensorService folder.

Copy the appsettings.json file from the Downloads\edast-start folder to C:\SensorService, overwriting the existing file. The contents of the file will be as below; it should contain the IP address of your VM on row number 9.

Open CMD in the C:\SensorService folder and run the below command (sc.exe requires a space after each "option=") –

sc create ScannerWorkerService binPath= "C:\SensorService\EDAST.ScannerWorkerService.exe" start= auto


Open Services.msc and locate the ScannerWorkerService.

Open Properties -> Log On and change to:

This Account: .\Administrator

Password: novell@123

Confirm Password: novell@123

Click OK and Start the service.

Open SSC -> SCANCENTRAL -> DAST -> Sensors.


The WebInspect installed on the VM is now configured as a sensor. Let's configure and run a scan.

Running the Basic Scan


Open SSC, login as admin.

Create an application named Zero via eDAST with version 1.0.

Click on SCANCENTRAL -> DAST -> Scans.

Click on NEW SCAN.


From the drop-down, select the "Zero via eDAST" application and version 1.0. Click Next.

Scan Type: Standard Scan

Crawl and Audit: Enabled

URL: http://zero.webappsecurity.com

Submit for triage: Enabled

Policy: Standard

User Agent: Default

Click Next.


Click Next; let's not create the Login Macro this time.

Enable Traffic Monitor: Enabled

Click Next.


Enter the scan settings name as "Zero via eDAST", click Save, then click Run.

Select "FORTIFY202" in Sensor.

Click Run.

Click OK.


Click Close.

In Scans, scroll right to see the status of the scan.

Click Refresh.

When the status changes to Running, click on the scan. You can see the Statistics.


In the Task Manager you can see that WebInspect is running.

Let the scan complete, then check the vulnerabilities of the application in SSC.


Installation and Configuration of WebInspect Docker version with eDAST

Open the Downloads\edast-start folder.

Shift-Right-click and select Open PowerShell window here.

Run .\pull-and-start-sensor-container.ps1 in PowerShell.

It will take a while, take a tea break.

Open SSC -> SCANCENTRAL -> DAST -> Sensors. A new sensor will appear; this is the Dockerized WebInspect sensor configured with eDAST.


Now reboot the server.

When SSC has started, open the Downloads\edast-start folder.

Shift-Right-click and select Open PowerShell window here.

Run .\start-containers.ps1 in PowerShell. It will start all the containers.

Now open SSC -> SCANCENTRAL -> DAST -> Sensors. You should be able to see both sensors.

Running the REST API Scan


In SSC, create an Application named "PetStore using Containerized eDAST" version 1.0.

Open SSC -> SCANCENTRAL -> DAST -> Scans -> New Scan.

Select "PetStore using Containerized eDAST" version 1.0 from the drop-down, then click Next.


Scan Type: API Scan


Type: Open API
Definition: URL
URL: https://petstore.swagger.io/v2/swagger.json
Click Validate.

If validated, then:
Submit for triage: Enabled
Audit Depth (Policy): Standard
User Agent: Default

Click Next.

Click Next again; no changes are required on this page.


Single-Page Application: Disabled


Enable Traffic Monitor: Enabled
Click Next.

Enter the settings name as "PetStore API Scan", click Save, then click Run.


Select the Containerized Sensor. Click Run.


Click Close.

Wait for Scan to Start and Complete.

Check the Vulnerabilities in Applications.


Running the Scan using Login Macro


Create a new application, or create a new version 2.0 of the Zero via eDAST application.

Open SSC -> SCANCENTRAL -> DAST -> Scans -> New Scan.

Select the Application and its version then click Next.

Scan Type: Standard Scan

Crawl and Audit: Enabled

URL: http://zero.webappsecurity.com


Submit to Triage: Enabled

User Agent: Chrome

Click Next.

Site Authentication: Enabled

Click on Download Macro Recorder 5.1, download and install it.

Click on Open Macro Recorder 5.1.

Click on Open MacroRecorder5_0 in the popup. Wait a few minutes; TruClient will open. Check the Windows taskbar, it may be there.


Click on the Record button and create the Login Macro using your skills. Use the credentials Username /
Password for http://zero.webappsecurity.com

Make sure TruClient has detected the logout conditions.

Close the TruClient and Save the Script.

Enter a file name as "Zero_loginMacro" and click save.


In Scan Settings, click Import and select the Zero_LoginMacro file from Documents.

Click Next.


Click Next.

Enter the Settings name as "Zero via LoginMacro".

Click Save, run on the Dockerized sensor, then click Close.


Wait for the scan to start and complete. It will take about an hour; in the meantime you can take a coffee break.

Generating Reports
Now we have two scan results uploaded to SSC via eDAST. Let's try to generate a few reports from SSC.

Log in to SSC as admin / sscadmin@123. Click on REPORTS -> NEW REPORTS.

Click on "ISSUE REPORTS", scroll down, locate and select "Vulnerability Report".

In the Report name field, enter a name, e.g. Zero Vuln Report, then click Browse.


Select the application, e.g. "Zero via eDAST", then select the version, e.g. 2.0. Now click on DONE.

Click on GENERATE.

Wait for Processing to complete.


When the status changes to Complete, click on the Download button.

It will download the file "ZeroVulnReport.pdf". Open the file.

Check the report.

Similarly, you can generate other types of reports.

Using the eDAST REST API

The Swagger document of the eDAST API is available at http://fortify202.myhome.com:85/swagger/index.html

Let's use a few API calls.


Using REST APIs via Swagger

Scroll down till you find the Auth APIs.

Expand the POST call of /api/auth

Identify the Request Body, whose content type is "application/json-patch+json", and the Example value, which needs the username and password in JSON format.

Click on "Try it out".

Modify the username and password values and click on Execute.


Scroll down and check the Response section.

Identify the Request URL (note it in Notepad++) and the Response Body. Notice that the token value starts with "FORTIFYTOKEN"; note down the token in Notepad++, e.g. –
FORTIFYTOKEN M2U5NjcxYTUtNmNjYS00NDdmLWJiMGItNDA1ZmJjZmY4Njc0

Note: this value will be different on your server.

Note: The CIToken of the SSC REST API can also be used with the FORTIFYTOKEN key, as it will be used below.

Now, scroll up till the top of the page and click on "Authorize" button.

In the Popup, paste the token value as above and click Authorize.


Click Close.

In the Applications API calls, expand the GET /api/application call, by clicking on GET.

Click on "Try it out".

Scroll down and click on "Execute".


Scroll down and check the Request URL and Response Body; you will be able to see the applications, their IDs and the Scanner Pool details.

Using REST APIs via Postman


Let's try to run the same calls with Postman. Open Postman (it may take some time to start).

Create a Request as below -

Method: POST

URL: http://fortify202.myhome.com:85/api/auth

Body: raw

Type: JSON

In the body, paste the below –

{
"username": "admin",
"password": "sscadmin@123"
}

Click the "Send" button.



In the Response section below, you will see the token. Save the token in Notepad++.

Create a new Request in Postman as below -

Method: GET

URL: http://fortify202.myhome.com:85/api/applications

In Headers add a Key named "Authorization" and paste the token value from the previous call
(/api/auth). Click Send.

Check the Response section.

Using REST APIs to integrate with any CI/CD Pipeline


Most CI/CD pipelines run on either Linux or Windows.

Fortify eDAST has a /api/scans/start-scan-cicd REST API call designed for CI/CD integration.


Let's use the Swagger interface to initiate a scan via this REST call.

Log in to SSC -> SCANCENTRAL -> DAST -> Settings List.

It has a list of the CICD Identifiers of all scan settings. Pick up a setting's CICD Identifier, e.g. e94d681e-a078-4ffd-ad3f-e67d93d236ad is the one for PetStore API Scan; let's use it. Go back to the Swagger doc and click on the "Try it out" button of the API.

Note: This assumes you are still authorized in Swagger.


Change the cicdToken and assign a name; remove the scannerID and useAssignedScannerOnly variables.

Click Execute.

Scroll down and check the response. If you see an id with a value, the scan has been accepted by eDAST. Note down the curl command in Notepad++.

Check the Scans in SSC.


The new Scan is in the Queue.

Let's try to run the same API call via PowerShell.

Pick up the curl command used in the call via Swagger as an example –
curl -X POST "http://fortify202.myhome.com:85/api/scans/start-scan-cicd" -H "accept: text/plain" -H "Authorization: FORTIFYTOKEN Y2U0YTlhNTctNjBkYi00MDI1LWEwNjktNTViYTMwYzZiZmJk" -H "Content-Type: application/json-patch+json" -d "{ \"cicdToken\": \"e94d681e-a078-4ffd-ad3f-e67d93d236ad\", \"name\": \"PetStore API Scan via Swagger\" }"

The equivalent PowerShell command is (the body is built with ConvertTo-Json so that it is valid JSON) –

$headers = @{ 'Authorization' = 'FORTIFYTOKEN Y2U0YTlhNTctNjBkYi00MDI1LWEwNjktNTViYTMwYzZiZmJk' }
$body = @{ cicdToken = 'e94d681e-a078-4ffd-ad3f-e67d93d236ad'; name = 'PetStore API Scan via PowerShell' } | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "http://fortify202.myhome.com:85/api/scans/start-scan-cicd" -Headers $headers -ContentType "application/json-patch+json" -Body $body

Run the PowerShell command.

Check SSC.

You will see a new scan.

Let's use Postman and the CIToken of SSC to initiate a scan.

Open SSC -> ADMINISTRATION -> Users -> Token Management -> New.


Select the Token Type as CIToken and enter a Description, click Save.

It will generate two types of tokens; save them in a text file. We will be using the first token generated for the REST API.

Start Postman and create a POST request with the URL –

http://fortify202.myhome.com:85/api/scans/start-scan-cicd

In Headers, add a key named Authorization with the value FORTIFYTOKEN ZDA2OGNkMzgtNTVjZS00NmFhLThjN2UtZTAxYTQyMWJmODI1

Note: ZDA2OGNkMzgtNTVjZS00NmFhLThjN2UtZTAxYTQyMWJmODI1 is the CIToken of SSC for the REST API.

Click on Body.


Select raw and JSON from the drop-down. In the body, enter the below –

{
"cicdToken":"e94d681e-a078-4ffd-ad3f-e67d93d236ad",
"name":"PetStore API Scan via Postman"
}

Note: the token value e94d681e-a078-4ffd-ad3f-e67d93d236ad is the CICD Identifier of the PetStore API Scan setting.

Click Send.

If everything goes well, you will see the ID value and response code 201.

Check SCANCENTRAL -> DAST -> Scans.

The scan will be in the queue.

This is one of the simplest ways to integrate with any CI/CD tool: use the REST API with either a curl command or a PowerShell script to initiate the scan.
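The same exchange that the Swagger, Postman, curl and PowerShell walkthroughs above perform by hand (POST /api/auth to obtain a FORTIFYTOKEN, then POST /api/scans/start-scan-cicd with that token in the Authorization header and the setting's CICD Identifier in the body), written as a Python script a CI/CD job could run on Linux or Windows. This is an added example, not code from the guide or from Micro Focus. Only the details the guide shows are taken as given (the FORTIFYTOKEN prefix, the cicdToken and name fields, HTTP 201 with an id on acceptance); the name of the token field in the /api/auth response, the error responses and the whole FakeEdastApi server are constructed assumptions so that the script runs offline. The credentials, token and CICD Identifier are the guide's own lab sample values.

```python
"""Added example, not from the Micro Focus guide: a small eDAST REST client that
does what the guide does by hand in Swagger/Postman (POST /api/auth, then
POST /api/scans/start-scan-cicd with the Authorization header). It runs offline
against FakeEdastApi, a CONSTRUCTED stand-in for the DAST API; field names beyond
those the guide shows (FORTIFYTOKEN prefix, cicdToken, name, 201 with an id) are
assumptions. Call run_pipeline_step() with a real DAST API URL to use it."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

PREFIX = "FORTIFYTOKEN "


class EdastClient:
    """token is the part after the FORTIFYTOKEN prefix: the value /api/auth returns,
    or an SSC CIToken, which the guide notes is accepted as well."""

    def __init__(self, base_url, token=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._opener = build_opener(ProxyHandler({}))  # keep localhost off any proxy

    def _call(self, method, path, body=None):
        headers, data = {"accept": "application/json"}, None
        if body is not None:
            data = json.dumps(body).encode()  # strict JSON: no trailing commas
            headers["Content-Type"] = "application/json-patch+json"
        if self.token:
            headers["Authorization"] = PREFIX + self.token
        req = Request(self.base_url + path, data=data, headers=headers, method=method)
        try:
            with self._opener.open(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except HTTPError as err:  # 4xx/5xx: hand back the status instead of raising
            return err.code, json.loads(err.read() or b"null")

    def login(self, username, password):
        """POST /api/auth; keep the token without its prefix, fail loudly otherwise."""
        status, payload = self._call("POST", "/api/auth", {"username": username, "password": password})
        if status != 200:
            raise RuntimeError(f"/api/auth failed: HTTP {status} {payload}")
        token = payload["token"]  # response field name is an assumption
        self.token = token[len(PREFIX):] if token.startswith(PREFIX) else token
        return self.token

    def start_scan_cicd(self, cicd_token, name):
        """POST /api/scans/start-scan-cicd; per the guide, 201 with an id means queued."""
        status, payload = self._call("POST", "/api/scans/start-scan-cicd", {"cicdToken": cicd_token, "name": name})
        if status != 201:
            raise RuntimeError(f"scan not accepted: HTTP {status} {payload}")
        return payload["id"]


class FakeEdastApi(BaseHTTPRequestHandler):
    """CONSTRUCTED stand-in so the example runs offline; values are the guide's samples."""
    TOKEN = "M2U5NjcxYTUtNmNjYS00NDdmLWJiMGItNDA1ZmJjZmY4Njc0"
    CICD_IDENTIFIER = "e94d681e-a078-4ffd-ad3f-e67d93d236ad"  # "PetStore API Scan" setting

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/api/auth":
            if (body.get("username"), body.get("password")) == ("admin", "sscadmin@123"):
                return self._reply(200, {"token": PREFIX + self.TOKEN})
            return self._reply(401, {"message": "bad credentials"})
        if self.path == "/api/scans/start-scan-cicd":
            if self.headers.get("Authorization") != PREFIX + self.TOKEN:
                return self._reply(401, {"message": "unauthorized"})
            if body.get("cicdToken") != self.CICD_IDENTIFIER:
                return self._reply(404, {"message": "unknown cicdToken"})
            return self._reply(201, {"id": 17})
        self._reply(404, {"message": "no such route"})

    def log_message(self, *_):  # silence per-request logging
        pass


def start_fake_api():
    """Serve FakeEdastApi on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeEdastApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_pipeline_step(base_url, username, password, cicd_identifier, scan_name):
    """What a CI/CD job does: authenticate, queue the scan by its CICD Identifier,
    and return the scan id so the pipeline can poll it later."""
    client = EdastClient(base_url)
    client.login(username, password)
    return client.start_scan_cicd(cicd_identifier, scan_name)


if __name__ == "__main__":
    server, url = start_fake_api()
    try:
        print(run_pipeline_step(url, "admin", "sscadmin@123", FakeEdastApi.CICD_IDENTIFIER, "PetStore API Scan via CI"))
    finally:
        server.shutdown()
        server.server_close()
```

To use it against the lab server, drop start_fake_api() and call run_pipeline_step("http://fortify202.myhome.com:85", ...) instead; in a real pipeline the password or CIToken should come from the pipeline's secret store rather than being written into the script, and the job should treat anything other than a 201 with an id as a failed step, which is what the RuntimeError does here.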


Appendix
Appendix 1: Installing Fortify
There are quite a few good step-by-step (Easy Steps) documents available for installing and configuring Fortify in a CoE / PoC / Lab environment.

Visit - https://community.microfocus.com/t5/tkb/usercontributedarticlespage/user-id/223632

Appendix 2: Installing FortifyClient


FortifyClient requires an AnalysisUploadToken from SSC to upload the FPR file to SSC. This tool does not require the fortify.license file, but it needs a JRE.

Option 1:
The FortifyClient tool is in the "Tools" folder of the Fortify_20.2.0_Server_WAR_Tomcat.zip file.

You can copy the "fortifyclient" folder to any machine and, if required, add the fortifyclient\bin folder to the PATH.

Option 2:
During the installation of SCA, it is installed in the C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.2.0\bin folder, which is added to the PATH as well.

Appendix 3: .NET Requirement for ScanCentral DAST


1. .NET Framework Runtime 4.8 - https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net48-web-installer
2. ASP.NET Core Runtime 3.1.x (Hosting Bundle) - https://dotnet.microsoft.com/download/dotnet-core/thank-you/runtime-aspnetcore-3.1.9-windows-hosting-bundle-installer
