HP Fortify Runtime
Software Version 4.10
Java Edition Installation and Configuration Guide
Document Release Date: April 2014
Software Release Date: April 2014
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
Copyright Notice
© Copyright 2014 Hewlett-Packard Development Company, L.P.
Documentation Updates
The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software
To check for recent updates or to verify that you are using the most recent edition of a document, go to:
http://h20230.www2.hp.com/selfsolve/manuals
This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to:
http://h20229.www2.hp.com/passport-registration.html
You will also receive updated or new editions if you subscribe to the appropriate product support service.
Contact your HP sales representative for details.
Part Number: 1-151-2014-04-410-01
Contents
Preface  v
  Contacting HP Fortify  v
    Technical Support  v
    Corporate Headquarters  v
    Website  v
  About the HP Fortify Software Security Center Documentation Set  v
  Change Log  vi
Chapter 1: Introduction  7
  Intended Audience  7
  Related Documents  7
Chapter 2: Overview of HP Fortify Runtime  9
Chapter 3: Securely Deploying HP Fortify Runtime  10
  About Securing Access to Facilities  10
  About Changing the Default Protected-by Page for RTAP  10
Chapter 4: Overview of HP Fortify Runtime Installation  11
  Overview of Installing HP Fortify Runtime  11
  About HP Fortify Runtime Integration Modes  12
    Java Agent Mode  12
    Compatibility Mode  12
  About HP Fortify Runtime Operational Modes  12
    Standalone Mode  12
    Federated Mode  13
  HP Fortify Runtime Operating Systems, JRE Environments, and Application Servers  13
Chapter 5: Installing HP Fortify Runtime  14
  About HP Fortify Runtime Installation Resources  14
    Choosing an Installation Location  14
  Installing HP Fortify Runtime Products  15
  Manual UNIX Runtime Installation  20
  About HP Fortify Runtime Startup  21
    Checking the System Log  21
  Uninstalling HP Fortify Runtime  21
Chapter 6: Performing Post-Installation Configuration Tasks  22
  Management of HP Fortify Runtime Configuration Files  22
  Contents of the HP Fortify Runtime Configuration Directory  22
  Creating a HP Fortify Runtime Product Configuration File  22
  Configuring Software Security Center to Expect a HP Fortify Runtime Host Connection  23
  Specifying Configuration Files when Starting HP Fortify Runtime  23
  Configure the Application Server for HP Fortify Runtime Using Java Agent Mode  24
  About Running with HP Fortify Runtime  24
  Starting a Java Program with HP Fortify Runtime  24
  Using the Fortify Script  25
  Adding HP Fortify Runtime to a WebSphere Server  25
    Specifying the javaagent Path Without Space Characters  25
    Using the WebSphere Console to Define javaagent  26
    Using the wsadmin Command-line Utility to Configure the Startup Script  26
  Adding HP Fortify Runtime to a JBoss Server  27
  Adding HP Fortify Runtime to a Tomcat Server  27
    About Windows Service Installation  27
  Adding HP Fortify Runtime to a WebLogic Server  28
  Adding HP Fortify Runtime to a System Service  28
  Configuring HP Fortify Runtime for Compatibility Mode  28
  About the Boot Jar Builder Utility  28
    Adding the Boot Jar Builder Step to an Application’s Startup Script  29
  Modifying an Application Server Windows Batch Script to Start with HP Fortify Runtime  29
  Using Compatibility Mode with WebSphere  30
    Modifying the WebSphere Configuration  30
    Modifying the WebSphere Startup Script  31
Chapter 7: Configuring HP Fortify Runtime in Federated Mode  32
  Overview of HP Fortify Runtime Federated Mode  32
  Enabling HP Fortify Runtime Communications  33
  Overview of the Bootstrap Configuration File  33
    Specifying Controller Connection Settings  33
  Summary of Federated Mode Configuration Options  34
  Including Standalone Settings in a Federated Mode Configuration  35
Appendix A: HP Fortify Runtime Glossary  36
Preface
Contacting HP Fortify
If you have questions or comments about any part of this guide, contact HP Fortify at:
Technical Support
650.735.2215
fortifytechsupport@hp.com
Corporate Headquarters
Moffett Towers
1140 Enterprise Way
Sunnyvale, CA 94089
650.358.5600
contact@fortify.com
Website
http://www.hpenterprisesecurity.com
About the HP Fortify Software Security Center Documentation Set
The HP Fortify Software Security Center documentation set contains installation, user, and deployment guides
for all HP Fortify Software Security Center products and components. It also includes technical notes and
release notes that describe new features, known issues, and last-minute updates. The latest versions of these
documents are available on the HP Software Product Manuals site:
http://h20230.www2.hp.com/selfsolve/manuals
Change Log
The following table tracks changes made to the HP Fortify Runtime Java Edition Installation and Configuration
Guide.
Software Release-version: 3.90 - 01
Date: 5/3/2013
Change: New edition of guide. Consolidates installation and configuration content for HP Fortify Runtime
products and reflects latest installation and setup wizard.
Chapter 1: Introduction
This document contains information and procedures that enable you to install and configure HP Fortify
Runtime: Java Edition.
Intended Audience
This guide is intended for use by enterprise security leads, development team managers, or anyone who is
responsible for installation and ongoing maintenance of a Runtime system. HP Fortify Runtime: Java Edition
protects programs running under a supported Java Virtual Machine (JVM). The program can be a web
application container or any other Java program.
Related Documents
The following documents provide additional information about HP Fortify Runtime:
HP Fortify Runtime: .NET Edition Installation and Configuration Guide
This document provides system and database administrators with complete instructions on how to install and
configure HP Fortify Runtime for the .NET platform.
HP Fortify Runtime: Java Edition Designer Guide
This document provides information to aid in the configuration and customization of HP Fortify Runtime for a
given application that operates on a Java platform. The audience for this guide may be an HP Fortify Runtime
Solution Designer who often creates event handlers and chooses values for settings, sometimes writes rules,
and occasionally creates a monitor. The Runtime Solution Designer must understand both software and
security.
HP Fortify Runtime: .NET Edition Designer Guide
This document provides information to aid in the configuration and customization of HP Fortify Runtime for a
given application that operates on a .NET platform. The audience for this guide may be an HP Fortify Runtime
Solution Designer who often creates event handlers and chooses values for settings, sometimes writes rules,
and occasionally creates a monitor. The HP Fortify Runtime Solution Designer must understand both software
and security.
HP Fortify Runtime Application Protection Operator Guide
This guide provides information and procedures that enable you to run and monitor the operation of HP
Fortify Runtime Application Protection. The audience for this guide may be enterprise security leads,
development team managers, and developers.
HP Fortify SecurityScope User Guide
This guide provides information and procedures that enable you to run and monitor the operation of HP
Fortify SecurityScope. The audience for this guide may be enterprise security leads, development team
managers, and developers.
HP Fortify RTAP Rulepack Kit Guide
This document describes the detection capabilities of HP Fortify Runtime Application Protection (RTAP) and
the HP Fortify RTAP Rulepacks. Specifically, each category of attack, vulnerability, or audit event detected by
RTAP is described in this document.
HP Fortify RTAL Rulepack Kit Guide
This document describes the capabilities of the HP Fortify Runtime Application Logging (RTAL) Rulepack Kit.
Fortify RTAL Rulepack is a special Runtime Kit for HP Fortify Runtime. It provides information about web
application internal activities to ArcSight analysis servers so that these events can be correlated with other
existing ArcSight event information.
HP Fortify SecurityScope Rulepack Kit Guide
This document describes the detection capabilities of HP Fortify SecurityScope Rulepacks. SecurityScope
Rulepacks run atop HP Fortify’s Runtime Engine, allowing SecurityScope to monitor your code for software
security vulnerabilities as it runs. SecurityScope Rulepacks provide the runtime technology to help connect your
dynamic results to your static ones. SecurityScope is most commonly used with WebInspect to enhance its results.
HP Fortify Demonstration Suite Installation and Usage Guide for HP Fortify Software Security Center
This document provides information that is used both to install and to run the HP Fortify Software Security
Center Demonstration Suite on Java and .NET platforms. It provides the instructions for performing simulated
attacks against both Java and .NET demonstration applications and also presents the outcomes of these
simulated attacks. The outcomes presented simulate what happens when your web applications are protected
by RTAP and when they are not.
HP Fortify Runtime Configuration Editor Technical Note
This document provides information that describes the usage of the HP Fortify Runtime Configuration Editor.
The HP Fortify Runtime Configuration Editor is a GUI editor that enables you to modify configuration settings
for HP Fortify Runtime whether you are running in standalone or federated mode.
HP Fortify Runtime Diagnostic Tool Technical Note
This document provides information that describes the usage of the HP Fortify Runtime Diagnostic Tool. The
HP Fortify Runtime Diagnostic Tool is a command line tool that surveys and validates that an application host
system meets minimum HP Fortify Runtime requirements and dependencies for fully functioning installation
and usage. It is used as a pre-install checker and as a tool that gathers and checks important diagnostic
information such as unsupported environments and manual configuration changes.
HP Fortify Software Security Center Installation and Configuration Guide
This document provides system and database administrators with complete instructions on how to install and
configure Software Security Center server software.
HP Fortify Software Security Center User Guide
Software Security Center provides security team leads with a high-level overview of the history and current
status of a project. It helps your security and development teams work together to resolve security flaws
quickly and accurately by making correlated data from HP Fortify Static Code Analyzer (SCA), HP WebInspect,
and HP Fortify Runtime available through its online collaboration environment. This document is intended for
use by enterprise security leads, development team managers, and developers.
HP Fortify Software Security Center System Requirements
This document provides system and database administrators with the minimum and recommended
requirements for installing and using HP Fortify software.
Chapter 2: Overview of HP Fortify Runtime
HP Fortify Runtime serves as a base for HP Fortify Runtime products that automatically identify and monitor
security-critical code inside applications, detect security events, and mitigate attacks. HP Fortify Runtime can
log monitored events to HP Fortify Software Security Center, to HP ArcSight Logger/Enterprise Security
Manager, and to the file system—enabling you to detect threats and block attacks accurately. HP Fortify
Runtime also enables session and user behavior monitoring and multi-step customized event responses.
HP Fortify Runtime observes a target program and attaches monitors to it as specified by rules, provides an
environment for the execution of monitors, and executes the event handler chain when monitors generate
events. A single invocation of HP Fortify Runtime monitors one and only one program.
Figure 1 shows the relationship of HP Fortify Runtime components and illustrates an operational overview.
Figure 1: Overview of HP Fortify Runtime components
1. The target program is the user’s code, application server, standard libraries, and any support code loaded
by Java.
2. A program point is a location of interest in the target program such as a sensitive method call, any part of
an attack surface, or a method boundary.
3. A monitor watches a program point.
4. A rule configures a monitor. Rules come in HP rulepacks or user-defined rule files.
5. When a monitor finds what it’s looking for, it creates an event.
6. Event handlers tell HP Fortify Runtime what to do with different kinds of events; users can write their own
event handlers.
7. When an event handler matches, it can dispatch the event to a log file or to a network service.
8. An event handler can also invoke an action.
9. An action can change the state of the target program; among other things, it can throw an exception, show
a message, or modify a variable value.
See the HP Fortify Runtime Glossary, on page 36 for definitions of HP Fortify Runtime terms.
Chapter 3: Securely Deploying HP Fortify Runtime
The Software Security Center Server family of products collects and displays information about an enterprise’s
applications. That information includes concise summaries of the security vulnerabilities in that source
code.
In the same way that security precautions should be applied to your applications, you should secure access to
HP Fortify Runtime products. Moreover, the concentrated summarization of security vulnerabilities provided
by the Software Security Center family of products may mandate an even higher level of secure deployment.
About Securing Access to Facilities
HP Fortify Runtime products collect and display information about security vulnerabilities in applications.
Because this information offers various opportunities for mishandling or abuse, HP Fortify recommends that
administrators deploy the HP Fortify Runtime products in a secure operations facility.
You should also secure the underlying HP Fortify Runtime product’s file system and restrict access to the HP
Fortify Runtime product’s installation directory.
About Changing the Default Protected-by Page for RTAP
By default, when the RTAP product detects an attack against an application, RTAP displays a Protected by HP
Fortify HTML page. This default RTAP behavior presents a possible security issue because the default HTML
page divulges how you are protecting your applications.
Your secure deployment of the RTAP product should therefore be revised to present a generic error page
rather than a page that discloses any information about your enterprise’s security mechanisms.
For information about changing the default RTAP product response to attacks, including the display of the
default Protected By HP Fortify page, see the Runtime Application Protection Operator Guide.
Chapter 4: Overview of HP Fortify Runtime Installation
This chapter contains the following topics:
• Overview of Installing HP Fortify Runtime
• About HP Fortify Runtime Integration Modes
• About HP Fortify Runtime Operational Modes
• HP Fortify Runtime Operating Systems, JRE Environments, and Application Servers
Overview of Installing HP Fortify Runtime
The installation of HP Fortify Runtime is described below.
1. Prepare for HP Fortify Runtime installation as follows.
a. Use the information in the System Requirements document to ensure that your target applications run
on a supported Java Runtime Environment (JRE).
b. Prepare a supported computer by downloading your HP Fortify Runtime license file and the installation
package for the appropriate operating system. This information is covered in Installing HP Fortify
Runtime, on page 14.
c. Decide which integration mode is appropriate for your environment: Java Agent Mode or Compatibility
Mode. Java Agent Mode is covered in Configure the Application Server for HP Fortify Runtime Using Java
Agent Mode, on page 24. Compatibility Mode is covered in Configuring HP Fortify Runtime for
Compatibility Mode, on page 28.
d. If you are installing RTAP, select an operational mode. For which operational mode to use, see About HP
Fortify Runtime Integration Modes, on page 12 of this chapter.
e. If you are installing RTAP in federated mode, locate the system name and port number of your Software
Security Center installation.
f. If you are installing RTAL, locate the system name (or IP address) and port number of your ArcSight
ESM Syslog Connector.
2. Install HP Fortify Runtime and set up the application server as follows.
a. Execute the HP Fortify Runtime installer downloaded in Step 1b, answering the questions with the
information determined in Step 1.
b. For most common application servers, the HP Fortify Runtime Setup Wizard (automatically invoked by
the HP Fortify Runtime Installer) will modify the startup script of the application server. Optionally, the
HP Fortify Runtime Setup Wizard will advise what changes are needed and these can be made
manually.
c. Using the HP Fortify Runtime Configuration Editor, make any desired changes to the HP Fortify
Runtime configuration file.
3. Restart the application server as follows.
a. If the application server startup script was modified in Step 2, just use it to start or restart the
application server.
b. If the application server startup script wasn't modified, manually include HP Fortify Runtime in the target
program's startup process; see Configure the Application Server for HP Fortify Runtime Using Java Agent
Mode, on page 24, or Configuring HP Fortify Runtime for Compatibility Mode, on page 28.
4. Verify that HP Fortify Runtime has started successfully. Look at the log file to determine if you succeeded in
starting HP Fortify Runtime. The last line in the log file either indicates a successful start of HP Fortify
Runtime or provides a message explaining why HP Fortify Runtime did not successfully start. For more
information on diagnosing HP Fortify Runtime startup, see About HP Fortify Runtime Startup, on page 21.
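As an added example (not part of this guide, and not HP Fortify's own Diagnostic Tool), the following POSIX shell functions check the preparation items listed in Step 1 before the installer is run: an installation path without space characters, fortify.license beside the installer, the Linux installer present and executable, a JRE new enough for Java Agent mode, and a well-formed system-name/port pair for the SSC server or ESM Syslog Connector. Assumed: the installer file name and path conventions quoted in this guide; endpoints are validated for shape only and are never contacted.

```shell
#!/bin/sh
# Pre-install checks for the HP Fortify Runtime preparation steps.
# Constructed example; it is not the product's Diagnostic Tool.

# Return 0 when a proposed installation path contains no space characters
# (required for WebSphere; simplifies startup scripts for other servers).
path_is_space_free() {
    case "$1" in
        *" "*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Return 0 when a non-empty fortify.license sits in the installer directory,
# as Step 1 of "Installing HP Fortify Runtime Products" requires.
license_beside_installer() {
    [ -f "$1/fortify.license" ] && [ -s "$1/fortify.license" ]
}

# Return 0 when the Linux installer named in this guide is present and executable.
installer_ready() {
    [ -x "$1/HP_Fortify_Runtime_Java_4.10_linux.run" ]
}

# Return 0 when a system-name/port pair is well formed: a non-empty host with
# no spaces and a numeric port in 1..65535. Shape check only; no network I/O.
endpoint_is_well_formed() {
    host=$1
    port=$2
    [ -n "$host" ] || return 1
    case "$host" in *" "*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Return 0 when a JRE version string (as printed by java -version, e.g.
# "1.4.2_19", "1.7.0_51", "11.0.2") is JRE 5 or later, so Java Agent mode is
# available; older JREs must use Compatibility Mode instead.
jre_supports_agent_mode() {
    ver=$1
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -eq 1 ]; then
        case "$minor" in ''|*[!0-9]*) return 1 ;; esac
        [ "$minor" -ge 5 ]          # 1.5, 1.6, 1.7 ... are JRE 5+
    else
        [ "$major" -ge 5 ]          # 9, 11, ... use the plain major number
    fi
}

# Run every check for one environment, print one OK/FAIL line per check, and
# return the number of failed checks (0 means ready to run the installer).
preflight() {
    install_dir=$1; installer_dir=$2; jre_version=$3; ep_host=$4; ep_port=$5
    failures=0
    report() {   # $1 = check description, $2 = exit status of that check
        if [ "$2" -eq 0 ]; then
            echo "OK    $1"
        else
            echo "FAIL  $1"; failures=$((failures + 1))
        fi
    }
    path_is_space_free "$install_dir";       report "install path has no spaces: $install_dir" $?
    license_beside_installer "$installer_dir"; report "fortify.license beside installer" $?
    installer_ready "$installer_dir";        report "installer present and executable" $?
    jre_supports_agent_mode "$jre_version";  report "JRE $jre_version supports Java Agent mode" $?
    endpoint_is_well_formed "$ep_host" "$ep_port"; report "endpoint $ep_host:$ep_port well formed" $?
    return "$failures"
}

# Example invocation (hypothetical values):
#   preflight ~/HP_Fortify/HP_Fortify_Runtime_Java_4.10 ~/Downloads 1.7.0_51 ssc.example.internal 8180
```

A non-zero return from preflight means at least one preparation item from Step 1 is still outstanding; the printed FAIL lines name which ones.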
About HP Fortify Runtime Integration Modes
All HP Fortify Runtime products (RTAL, RTAP, SecurityScope) run in either of two integration modes:
• Java Agent mode
• Compatibility mode
Java Agent Mode
The Java Agent integration mode uses a feature available in the JRE since version 5. Java Agent mode is simple
and powerful, and it is the recommended mode. Integration is achieved simply by adding an additional
command-line argument when starting java. When using Java Agent integration, all features of all HP Fortify
Runtime products are available, including the ability to add new rules to a running application without a
restart.
Compatibility Mode
The Compatibility integration mode provides a way to use HP Fortify Runtime in environments where Java
Agent mode is not available (such as with version 1.4 of the JRE). Using Compatibility Mode requires running
an extra step to prepare the environment before executing the target application. In Compatibility Mode, rules
cannot be changed dynamically. In order to change rules, the application must be restarted.
About HP Fortify Runtime Operational Modes
RTAP and RTAL run in either of two operational modes:
• Standalone mode
• Federated mode
SecurityScope runs in only Standalone mode.
Standalone Mode
When running in Standalone mode, HP Fortify Runtime:
• Writes to local log files and/or a specified syslog server
• Uses local configuration, rules, and related HP Fortify Runtime files and resources
• Does not communicate with a Federation Controller
Not communicating with a Federation Controller prevents the correlation of events from multiple instances of
HP Fortify Runtime, such as those used to protect a distributed application.
Federated Mode
When running in Federated mode, HP Fortify Runtime:
• Operates as part of a Federation
• Uses configuration, rules, and related HP Fortify Runtime files and resources downloaded from a
Federation Controller
• Reports events back to a Federation Controller
Communicating with a Federation Controller enables the correlation of events from multiple instances of HP
Fortify Runtime, such as those used to protect a distributed application.
HP Fortify Runtime Operating Systems, JRE Environments, and Application Servers
See the System Requirements document for information about supported operating systems, Java Runtime
Environments (JREs), and application servers.
Chapter 5: Installing HP Fortify Runtime
This chapter contains the following topics:
• About HP Fortify Runtime Installation Resources
• Installing HP Fortify Runtime Products
• About HP Fortify Runtime Startup
• Uninstalling HP Fortify Runtime
About HP Fortify Runtime Installation Resources
For details on obtaining HP Fortify software and a license for your software, see the System Requirements
document.
Choosing an Installation Location
In general, installing HP Fortify Runtime in a path that does not contain space characters simplifies the startup
procedures when using HP Fortify Runtime to protect programs running under application servers.
Installing HP Fortify Runtime for Use with an IBM WebSphere Application Server
If you plan to use HP Fortify Runtime in conjunction with an IBM WebSphere application server, you must
install HP Fortify Runtime in a directory whose path contains no spaces. If a WebSphere application server’s
startup command specifies a path to HP Fortify Runtime that includes space characters, then the server will
not start.
Specifying Installation Paths on Windows Computers
On Windows computers, the HP Fortify Runtime installation program installs HP Fortify Runtime in
C:\HP_Fortify\HP_Fortify_Runtime_Java_4.10 by default.
For information about using the javaagent startup parameter to manually add HP Fortify Runtime protection
to a program or application server, see Configure the Application Server for HP Fortify Runtime Using Java
Agent Mode, on page 24.
Specifying Installation Paths on Linux-based Computers
On Linux-based computers, the HP Fortify Runtime installation program installs HP Fortify Runtime in
~/HP_Fortify/HP_Fortify_Runtime_Java_4.10 by default.
Installing HP Fortify Runtime Products
To install HP Fortify Runtime products use the procedures in this section.
1. Copy your HP Fortify license file, fortify.license, into the directory on your computer containing the
HP Fortify Runtime installer.
2. Start the installer for your operating system, as follows:
• If you are installing HP Fortify Runtime products on a Linux-based system, execute the
HP_Fortify_Runtime_Java_4.10_linux.run file.
• If you are installing HP Fortify Runtime products on a Windows-based system, double-click the
HP_Fortify_Runtime_Java_4.10_windows.exe file.
Note: Administrator privileges are required to install HP Fortify Runtime products on Windows-based
systems.
3. On the welcome step, click Next.
4. On the License Agreement step, read the license agreement, select I accept the agreement, and then click
Next.
5. On the Installation Directory step, specify the installation directory for HP Fortify Runtime, and then click
Next.
6. On the Select Configuration step, from the Select configuration list, select the Runtime configuration you
want to install, and then click Next.
7. On the Fortify License Location step, specify the full path to your fortify.license file, and click Next.
8. The installer displays the following step only if you selected one of the following Runtime configurations:
• Application View (RTAL)
• Application View & Protection (RTAL+RTAP)
9. Fill in the ESM Syslog Connector name/address and the ESM Syslog Connector port number fields, and then
click Next.
The installer displays the following step only if you selected the Federation Bootstrap (SSC) Runtime
configuration.
10. Fill in the SSC Server and SSC Port fields, and then click Next.
11. Click Next.
Once all the HP Fortify Runtime files have been unpacked, the Runtime Setup Wizard launches automatically to help you configure HP Fortify Runtime on your application server.
12. Click Next to begin the set-up process.
13. Use the default HP Fortify Runtime home directory or use Browse to navigate to your HP Fortify Runtime
installation directory and then click Next.
14. Use the default Fortify license directory for the location of your fortify.license file or use Browse to
navigate to the directory where the fortify.license file is located and then click Next.
15. Use Browse to navigate to the directory where your application server is installed and then click Next.
16. The Runtime Setup Wizard panel provides the option of having the Setup Wizard modify your application server's startup scripts automatically, or of modifying the startup scripts yourself.
• If you choose Allow the Setup Wizard to modify the script automatically and then click Next, the subsequent Setup Wizard panel provides a summary of the script's modifications.
• If you choose I want to make the changes myself and then click Next, the subsequent Setup Wizard panel provides suggestions for the proper modification of each script.
17. Click Next.
18. From the Runtime Setup Wizard, click Finish.
19. From the Runtime Installer, click Finish.
Manual UNIX Runtime Installation
To manually install HP Fortify Runtime on a Unix-based operating system, use the instructions in this section.
See the System Requirements document for more information about supported operating systems.
1. Place the UNIX installation package in a local directory.
2. In the directory containing the HP Fortify Runtime installation package, open a command window.
3. In the command window, use the gunzip and tar programs to unpack the HP Fortify Runtime installation file as follows.
gunzip HP_Fortify_Runtime_Java_4.10_Unix.tar.gz
tar -xvf HP_Fortify_Runtime_Java_4.10-RTA-Unix.tar
4. Copy your HP Fortify license file, fortify.license, into the installation directory.
5. Select which configuration file will be your default configuration based on the Runtime product you want
to install.
Runtime Product                                                          Configuration File
Runtime Application Logging (RTAL), Application View                     application_logging_config.xml
Runtime Application Logging (RTAL) + Runtime Application Protection      application_logging_protection_config.xml
  (RTAP)
Runtime Application Protection (RTAP) standalone mode                    application_protection_config.xml
Runtime Application Protection (RTAP) federation mode                    federation_bootstrap_config.xml
Security Scope                                                           security_scope_config.xml
WebInspect Agent                                                         webinspect_agent_config.xml
a. Navigate to <install_dir>/config.
b. Copy the product configuration file you selected to rt_config.xml.
6. If you selected either of the application_logging_* configurations, edit the rt_config.xml file and replace the values of the SyslogServer and SyslogPort settings with the location of your ESM Syslog Connector.
7. If you selected the federation_bootstrap configuration, edit the rt_config.xml file and replace the values of the Controller and ControllerPort settings with the location of your HP Fortify Software Security Center server.
8. Run the Setup Wizard by executing the <install_dir>/bin/setup file. Answer the questions presented
in the dialogs to complete the setup.
About HP Fortify Runtime Startup
This section describes how you can check that there was a successful startup of HP Fortify Runtime with your
application.
Checking the System Log
After starting the application server, check the HP Fortify Runtime system log to ensure that HP Fortify
Runtime was started and that there were no errors.
By default, the system log is located in <Runtime_Home>/log/system.log. When operating in Federated
mode, system log messages can also be viewed under Runtime > Administration > Hosts in Software Security
Center.
Check the system log for a message similar to the following.
Example 1: System log startup message
[<PID> <TIMESTAMP> INFO] Fortify Runtime setup complete
Ensure that the timestamp on the message corresponds to the time that the application server was started.
Also ensure that there are no messages in the log with the prefix WARN, ERROR or FATAL.
If the log file does not exist or no messages are present that correspond to the application server startup time,
this indicates that HP Fortify Runtime is not running. Take the following steps to debug the problem.
• Check the startup arguments to Java with reference to the startup instructions for Java.
• Examine the stderr output from the program to check for any fatal configuration errors.
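Scripting the check described above, as an added example that is not part of the HP guide: the function below inspects system.log for the startup message and for WARN, ERROR or FATAL entries belonging to the current server start. It assumes an ISO-8601 timestamp in the log lines; the guide does not specify the timestamp format.

```shell
#!/bin/sh
# Added example (not part of the HP guide): automate the startup check above.
# Assumption: each system.log line has the form "[<PID> <TIMESTAMP> LEVEL] message"
# as in Example 1, with an ISO-8601 timestamp ("YYYY-MM-DDTHH:MM:SS"). The guide
# does not document the timestamp format, so adjust the comparison if yours differs.

# check_runtime_log LOGFILE SERVER_START
#   SERVER_START is the time the application server was started, in the log's
#   timestamp format. Return codes:
#     0  "Fortify Runtime setup complete" logged at or after SERVER_START and no
#        WARN/ERROR/FATAL entries since then
#     1  no log file, or no setup-complete message for this start: HP Fortify
#        Runtime is not running (check the -javaagent arguments and stderr)
#     2  Runtime started, but WARN/ERROR/FATAL entries were logged
check_runtime_log() {
    logfile=$1
    start=$2

    if [ ! -r "$logfile" ]; then
        echo "FAIL: $logfile does not exist; HP Fortify Runtime is not running" >&2
        return 1
    fi

    # Fields: $1="[<PID>", $2=<TIMESTAMP>, $3="LEVEL]". ISO timestamps order
    # correctly as strings, so "$2 >= start" selects entries from this startup.
    verdict=$(awk -v start="$start" '
        $2 >= start && /Fortify Runtime setup complete/ { found = 1 }
        $2 >= start && ($3 == "WARN]" || $3 == "ERROR]" || $3 == "FATAL]") { bad++ }
        END {
            if (!found)   print "missing"
            else if (bad) print "problems " bad
            else          print "ok"
        }' "$logfile")

    case $verdict in
        ok)
            echo "OK: HP Fortify Runtime setup complete after $start, no WARN/ERROR/FATAL entries"
            return 0 ;;
        missing)
            echo "FAIL: no 'Fortify Runtime setup complete' message at or after $start" >&2
            return 1 ;;
        *)
            echo "WARN: Runtime started, but ${verdict#problems } WARN/ERROR/FATAL entries were logged:" >&2
            awk -v start="$start" \
                '$2 >= start && ($3 == "WARN]" || $3 == "ERROR]" || $3 == "FATAL]")' "$logfile" >&2
            return 2 ;;
    esac
}

# Demonstration on a constructed log (sample data, not real Runtime output).
demo_dir=$(mktemp -d)
cat > "$demo_dir/system.log" <<'EOF'
[4242 2014-04-01T09:58:10 INFO] Fortify Runtime setup complete
[4242 2014-04-01T09:58:11 INFO] Rules loaded
EOF
check_runtime_log "$demo_dir/system.log" 2014-04-01T09:58:00            # returns 0
check_runtime_log "$demo_dir/system.log" 2014-04-01T11:00:00 || true    # stale message: returns 1
rm -rf "$demo_dir"
```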
Uninstalling HP Fortify Runtime
Before uninstalling HP Fortify Runtime, you must undo any startup script changes, whether they were made automatically by the Setup Wizard or made manually. To undo the automatic changes, run the Setup Wizard from the command line with the -u option; this removes any lines that reference HP Fortify Runtime from your application server script. Undo manual changes by hand.
To uninstall HP Fortify Runtime on a Windows-based system, use the standard Windows method of removing
a program that is installed on your computer via the Control Panel's uninstall a program functionality.
In addition, the HP Fortify Runtime installers for both Windows and Linux include an uninstall script which
you may run to uninstall HP Fortify Runtime. The script files are located in the install directory and are named
as follows:
• On Windows systems, Uninstall_HPFortifyRuntimeJava_4.10.exe
• On Linux systems, Uninstall_HPFortifyRuntimeJava_4.10.run
Chapter 6: Performing Post-Installation Configuration Tasks
If there is a constraint in your environment that does not allow you to run the Setup Wizard, this chapter
provides the manual steps that guide you through HP Fortify Runtime configuration before starting the
program for the first time.
Management of HP Fortify Runtime Configuration Files
When HP Fortify Runtime starts up, it loads its configuration file. The HP Fortify Runtime configuration file
specifies one of two operational modes: Standalone or Federated.
In Standalone mode, the configuration file also specifies HP Fortify Runtime’s configuration settings, rules, and
event handlers. In Federated mode, HP Fortify Runtime receives its configuration from its Federation
Controller.
Contents of the HP Fortify Runtime Configuration Directory
Upon installation, the directory <install_dir>\config contains the following files:
• rt_config.xml
• application_logging_config.xml
• application_protection_config.xml
• application_logging_protection_config.xml
• security_scope_config.xml
• federation_bootstrap_config.xml
• webinspect_agent_config.xml
HP Fortify Runtime reads its configuration from rt_config.xml by default. This file is a copy of one of the other configuration files, chosen and customized at install time.
The other files in this directory are the configuration files for the individual HP Fortify Runtime products; the configuration you selected at install time determines which product's configuration file contents are copied into rt_config.xml.
The federation_bootstrap_config.xml file serves as an example of a bootstrap configuration file. It can
be modified to create a bootstrap configuration file to start HP Fortify Runtime products (specifically RTAP
and RTAL) in Federated mode.
Creating a HP Fortify Runtime Product Configuration File
If you use a Java version that does not support Java agents, you can change how HP Fortify Runtime behaves on startup by modifying the contents of the rt_config.xml file. The following procedure illustrates replacing the contents of rt_config.xml.
To replace the contents of rt_config.xml with your HP Fortify Runtime product's configuration:
1. If it is already running, stop HP Fortify Runtime.
2. In <install_dir>/config, back up rt_config.xml.
Backing up rt_config.xml preserves any customizations you have made to the file after initial
installation of HP Fortify Runtime.
3. In <install_dir>/config, copy the contents of your HP Fortify Runtime product’s configuration file into
rt_config.xml.
Continue with the procedures in the following section.
Configuring Software Security Center to Expect a HP Fortify Runtime Host Connection
Before you complete the procedure in this section, verify that you have a functioning installation of Software Security Center up and running. Once you have created the bootstrap configuration file as described in the previous section, use the following procedure to set up the HP Fortify Runtime Host in the Controller.
Note: This procedure is relevant to Federated mode only.
1. Save and close the rt_config.xml file that you modified in Creating a HP Fortify Runtime Product
Configuration File.
2. Check to make sure that Software Security Center is started. If it is not, start it.
3. In the Software Security Center UI, navigate to the Runtime tab > Administration > Hosts to add a new HP
Fortify Runtime Host.
4. Click Add.
5. In the Create Host dialog enter the Host name or IP address of the machine where you installed the HP
Fortify Runtime Host.
6. The Federation list defaults to Default Federation.
7. Click Save.
The less secure method is to click Edit (which appears across from the “Accept Connections From Undefined Hosts” text) and allow connections from all undefined hosts instead of registering each Host. See the Runtime Application Protection Operator Guide, Chapter 6, “Getting Started with the Runtime Console,” “Enabling Connections For all Undefined Hosts” section for instructions on how to use this method.
8. Depending on your Integration Mode, see Configure the Application Server for HP Fortify Runtime Using Java
Agent Mode or Configuring HP Fortify Runtime for Compatibility Mode for explanations of how to start HP
Fortify Runtime for a web application or non-web application.
Once you have added HP Fortify Runtime protection to an application as explained in Configure the Application Server for HP Fortify Runtime Using Java Agent Mode or Configuring HP Fortify Runtime for Compatibility Mode, verify that HP Fortify Runtime is operating in Federated mode: in Software Security Center, navigate to the Runtime tab > Administration and confirm that the Status column shows Connected and that the Last Communication column is not blank but shows a date and time.
Specifying Configuration Files when Starting HP Fortify Runtime
When you add HP Fortify Runtime protection to a JVM, you can also specify the location of a non-default HP
Fortify Runtime configuration file. For information about incorporating a HP Fortify Runtime configuration
file specification in the JVM command line, see Starting a Java Program with HP Fortify Runtime, on page 24.
Configure the Application Server for HP Fortify Runtime Using Java Agent Mode
This section includes the following topics:
• About Running with HP Fortify Runtime
• Starting a Java Program with HP Fortify Runtime
• Using the Fortify Script
• Adding HP Fortify Runtime to a WebSphere Server
• Adding HP Fortify Runtime to a JBoss Server
• Adding HP Fortify Runtime to a Tomcat Server
• Adding HP Fortify Runtime to a WebLogic Server
• Adding HP Fortify Runtime to a System Service
About Running with HP Fortify Runtime
HP Fortify Runtime protects programs run by a supported Java Virtual Machine (JVM). In general, Java Agent
Mode is for Java 5 or higher. Adding HP Fortify Runtime in Java Agent Mode requires adding a javaagent
command-line argument to the command that starts the JVM. In some cases the best way to add this
parameter is to modify the script used to invoke the JVM, but many Java application servers provide an
environment variable that can be used to pass extra arguments to the JVM, in which case adding the
javaagent command-line argument to an environment variable could be preferable.
Starting a Java Program with HP Fortify Runtime
To start HP Fortify Runtime with a new Java container or a standalone Java program, add a javaagent
command line argument as follows.
Example 2: javaagent command line argument
java -javaagent:<Runtime-Home>/lib/FortifyAgent.jar[=<PathToConfigFile>] <classpath and other java args here> Program_Name
A simple command line might appear as follows.
Example 3: javaagent simple command line
java -javaagent:../../../lib/FortifyAgent.jar HelloWorld
Note: When using both the -javaagent and -agentlib parameters, put the -javaagent parameter before
the -agentlib parameter.
Using the Fortify Script
The script bin/fortify is a shortcut for adding the -javaagent argument to the environment variables used
by popular application server startup scripts, including Tomcat, JBoss and WebLogic.
The script is a way to get started in a testing or staging environment where the application server is started
manually. It is not recommended for production environments, since it might be omitted when the application
server is restarted. Instead, the application server startup scripts should be modified to include the javaagent argument.
The script may be used as follows.
Example 4: HP Fortify Script
<Runtime-Home>/bin/fortify startup.bat
The script takes an optional argument to specify the runtime configuration file as follows.
Example 5: HP Fortify Script with optional argument
<Runtime-Home>/bin/fortify -config my_config.xml startup.bat
Adding HP Fortify Runtime to a WebSphere Server
To add HP Fortify Runtime protection to an IBM WebSphere application server, you must incorporate the
javaagent parameter into the WebSphere server’s startup processes.
Depending on how you choose to administer your WebSphere servers, you may:
• Use the WebSphere administrative console to configure the server
• Use the WebSphere wsadmin command-line utility
Specifying the javaagent Path Without Space Characters
If you are running HP Fortify Runtime in conjunction with a WebSphere application server, the WebSphere
startup command’s javaagent parameter cannot include space characters. If a WebSphere application
server’s startup command specifies a path to HP Fortify Runtime that includes space characters, then the
server will not start.
For information about installing HP Fortify Runtime in a directory that does not contain spaces, see Choosing
an Installation Location, on page 14.
Using the WebSphere Console to Define javaagent
You may add HP Fortify Runtime to a WebSphere application server by using the WebSphere administrative
console to add the javaagent parameter to the server’s JVM startup sequence.
The procedure in this section assumes you are familiar with the WebSphere administrative console, and with
that console’s server configuration tools.
To use the WebSphere administrative console to add HP Fortify Runtime to a WebSphere server:
1. Open the WebSphere administrative console and in the WebSphere application servers page, select a server.
2. For the selected server’s configuration, configure the JVM.
In the Generic JVM Arguments box, type:
-javaagent:<install_dir>/lib/FortifyAgent.jar
3. When using WebSphere 7 or a later version, add the following argument to the JVM arguments along with -javaagent:
-Xshareclasses:none
4. Stop, and then restart, the WebSphere application server to apply the changes.
Using the wsadmin Command-line Utility to Configure the Startup Script
You may add HP Fortify Runtime protection to a WebSphere server by using the WebSphere wsadmin command-line utility and the HP Fortify Runtime websphereJvmSetup.jacl script to configure the WebSphere server’s startup script.
The following table lists the websphereJvmSetup.jacl script’s required and optional parameters.
Table 1: Required and Optional websphereJvmSetup.jacl Parameters
Parameter      Required   Description
-fortifyHome   X          Specifies HP Fortify Runtime <install_dir>.
-cell                     Specifies the WebSphere server’s cell.
-server                   Specifies the WebSphere server’s name. Default: server1
-node                     Specifies the WebSphere server’s node name.
Using Slash Mark Characters in Path Specifiers
In both Windows and non-Windows computers, when specifying path names to the wsadmin command-line
utility, use the slash mark character (“/”).
To use wsadmin and websphereJvmSetup.jacl to configure the WebSphere server’s startup script:
1. In <Websphere home>/profiles/AppSrvN/bin, open a command window.
In the preceding path, N specifies the number of the WebSphere server you are configuring.
2. In the command window, type the following command line:
wsadmin -conntype none -f <install_dir>/tools/websphereJvmSetup.jacl -fortifyHome <install_dir>
3. On Windows computers, type wsadmin.bat instead of wsadmin.
For additional websphereJvmSetup.jacl parameters, see Table 1.
The wsadmin command-line utility updates the JVM options in the WebSphere server’s startup configuration file.
4. Restart the WebSphere server to apply the changes.
Adding HP Fortify Runtime to a JBoss Server
The JBoss startup script passes arguments from the JAVA_OPTS environment variable to Java. Add the
following to your JBoss startup script to configure JBoss to start with HP Fortify Runtime.
Example 6: Unix
JAVA_OPTS="-javaagent:<Runtime-Home>/lib/FortifyAgent.jar $JAVA_OPTS"
export JAVA_OPTS
Example 7: Windows
set JAVA_OPTS=-javaagent:<Runtime-Home>\lib\FortifyAgent.jar %JAVA_OPTS%
Alternatively, create a wrapper script which sets the options as above and then calls the JBoss startup script.
Adding HP Fortify Runtime to a Tomcat Server
The Tomcat startup script passes arguments from the CATALINA_OPTS environment variable to Java. Add the
following to your Tomcat startup script to configure Tomcat to start with HP Fortify Runtime.
Example 8: Unix
CATALINA_OPTS="-javaagent:<Runtime-Home>/lib/FortifyAgent.jar $CATALINA_OPTS"
export CATALINA_OPTS
Example 9: Windows
set CATALINA_OPTS=-javaagent:<Runtime-Home>\lib\FortifyAgent.jar %CATALINA_OPTS%
Alternatively, create a wrapper script which sets the options as above and then calls the Tomcat startup script.
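The wrapper script suggested for JBoss and Tomcat above, as an added example that is not the bin/fortify script shipped with HP Fortify Runtime: it builds the -javaagent argument of Example 2, prepends it to the variable the startup script reads, and refuses to start the server if the agent jar or configuration file is missing. FORTIFY_RUNTIME_HOME, FORTIFY_CONFIG, the function names and the example paths are this example's own.

```shell
#!/bin/sh
# Added example; this is not the bin/fortify script shipped with HP Fortify
# Runtime. It builds the -javaagent argument of Example 2, prepends it to the
# variable the application server's startup script reads (CATALINA_OPTS for
# Tomcat, JAVA_OPTS for JBoss, JAVA_OPTIONS for WebLogic) and exec's that
# script. FORTIFY_RUNTIME_HOME (<Runtime-Home>), FORTIFY_CONFIG and the function
# names are this example's own conventions, not the product's.

# fortify_agent_arg RUNTIME_HOME [CONFIG_FILE]
#   Prints -javaagent:<RUNTIME_HOME>/lib/FortifyAgent.jar[=<CONFIG_FILE>].
#   Prints nothing and returns 1 when the agent jar or the configuration file is
#   missing, so the caller can refuse to start the server unprotected, and when
#   a path contains a space (such a path breaks the WebSphere startup command).
fortify_agent_arg() {
    home=$1
    config=${2:-}
    jar="$home/lib/FortifyAgent.jar"

    case "$home$config" in
        *" "*) echo "fortify_agent_arg: path contains a space: '$home' '$config'" >&2
               return 1 ;;
    esac
    if [ ! -r "$jar" ]; then
        echo "fortify_agent_arg: agent jar not found: $jar" >&2
        return 1
    fi
    if [ -n "$config" ] && [ ! -r "$config" ]; then
        echo "fortify_agent_arg: configuration file not found: $config" >&2
        return 1
    fi

    if [ -n "$config" ]; then
        printf '%s\n' "-javaagent:$jar=$config"
    else
        printf '%s\n' "-javaagent:$jar"
    fi
}

# fortify_prepend_opts VARNAME ARG
#   Prepends ARG to the variable named VARNAME and exports it. Prepending keeps
#   -javaagent ahead of any -agentlib argument already in the variable, as the
#   note under Example 3 requires.
fortify_prepend_opts() {
    var=$1
    arg=$2
    case $var in
        *[!A-Za-z0-9_]*|"") echo "fortify_prepend_opts: bad variable name '$var'" >&2; return 1 ;;
    esac
    eval "current=\${$var:-}"
    if [ -n "$current" ]; then
        eval "$var=\"\$arg \$current\""
    else
        eval "$var=\"\$arg\""
    fi
    export "$var"
}

# fortify_wrap VARNAME STARTUP_SCRIPT [SCRIPT_ARGS...]   (paths below are examples)
#   Tomcat: FORTIFY_RUNTIME_HOME=/opt/HP_Fortify/HP_Fortify_Runtime_Java_4.10 \
#               fortify_wrap CATALINA_OPTS /opt/tomcat/bin/startup.sh
#   JBoss:  fortify_wrap JAVA_OPTS /opt/jboss/bin/run.sh
fortify_wrap() {
    var=$1
    script=$2
    shift 2
    arg=$(fortify_agent_arg "${FORTIFY_RUNTIME_HOME:?set to <Runtime-Home>}" "${FORTIFY_CONFIG:-}") || {
        echo "fortify_wrap: refusing to start $script without HP Fortify Runtime" >&2
        exit 1
    }
    fortify_prepend_opts "$var" "$arg"
    exec "$script" "$@"
}
```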
About Windows Service Installation
If Tomcat is installed as a Windows Service, open the Configure Tomcat application (tomcat6w.exe for
Tomcat 6). Add the -javaagent argument to the Java Options section under the Java tab.
Adding HP Fortify Runtime to a WebLogic Server
The WebLogic startup script passes arguments from the JAVA_OPTIONS environment variable to Java. Add the
following to your WebLogic startup script to configure WebLogic to start with HP Fortify Runtime.
Example 10: Unix
JAVA_OPTIONS="-javaagent:<Runtime-Home>/lib/FortifyAgent.jar $JAVA_OPTIONS"
export JAVA_OPTIONS
Example 11: Windows
set JAVA_OPTIONS=-javaagent:<Runtime-Home>\lib\FortifyAgent.jar %JAVA_OPTIONS%
Alternatively, create a wrapper script which sets the options as above and then calls the WebLogic startup
script.
Adding HP Fortify Runtime to a System Service
To add HP Fortify Runtime protection to a JVM or application server running as a system service, you must
incorporate the javaagent parameter into that portion of the service’s startup process that starts the
service’s JVM.
Configuring HP Fortify Runtime for Compatibility Mode
Compatibility Mode is an integration mode which allows HP Fortify Runtime to operate with Java Virtual
Machines which do not support Java Agents. This includes all implementations of Java 1.4. Compatibility Mode
allows operation when Java Agent Mode is not possible, but with some limitations. In Compatibility Mode,
changes to the HP Fortify Runtime configuration which involve adding, removing, or changing rules cannot be
applied dynamically. In such cases, HP Fortify Runtime will refuse to load the new configuration until the JRE
is restarted.
About the Boot Jar Builder Utility
The Boot Jar Builder utility creates a bootclasspath jar file that can be prepended to the Java bootclasspath
to start a program with HP Fortify Runtime. On completion, it will write the name of the jar file to standard
output.
Example 12: Creating a boot jar file
java -jar <Runtime-Home>/lib/BootJarBuilder.jar [-config <runtime-config>] [-output <output-file>]
Start a Java application with the boot jar as follows.
Example 13: Starting an application using the generated boot jar file
java -Xbootclasspath/p:<BootJarOutput> [java arguments]
When using versions 1.5 or newer of the J9 JRE from IBM, an additional argument must be specified as follows.
Example 14: Additional argument
java -Xbootclasspath/p:<BootJarOutput> -Xshareclasses:none [java arguments]
The boot jar file is specific to the HP Fortify Runtime configuration that is to be used to run the application. By
default, it will be generated for the default configuration (rt_config.xml). To start an application with a non-default configuration, pass the configuration to the boot jar builder as follows.
Example 15: Creating a boot jar file using a non-standard configuration
java -jar <Runtime-Home>/lib/BootJarBuilder.jar -config my_config.xml
Adding the Boot Jar Builder Step to an Application’s Startup Script
The boot jar file can be re-used for multiple runs of the target application, but a new one must be generated
any time configuration or rules are changed. The recommended practice is to add the Boot Jar Builder step to
the application's startup script, so that a new boot jar file is generated using the latest configuration each time
the application starts.
Modifying an Application Server Unix Shell Script to Start with HP Fortify Runtime
You may modify the startup shell script (.sh) for an application server to run with HP Fortify Runtime in
Compatibility Mode.
Add a step to the startup script to generate the boot jar, and add the boot jar to the Java bootclasspath. This
ensures that a new boot jar is generated each time the application server is started using the latest
configuration.
The following example shows how steps can be inserted into a startup script to generate the boot jar. This example assumes that the startup script uses a variable named JAVA to hold the path to the Java executable, and a variable named JAVA_OPTS to hold the options passed to the JVM when the application server is invoked. The details may vary with specific application servers.
Example 16: Unix shell startup script
...
FORTIFY_BOOTJAR=`"${JAVA}" -jar <Runtime-Home>/lib.14/BootJarBuilder.jar`
JAVA_OPTS="-Xbootclasspath/p:${FORTIFY_BOOTJAR} ${JAVA_OPTS}"
...
Modifying an Application Server Windows Batch Script to Start with HP Fortify Runtime
You may modify the startup batch script (.bat or .cmd) for an application server to run with HP Fortify
Runtime in Compatibility Mode.
Add a step to the startup script to generate the boot jar, and add the boot jar to the Java bootclasspath. This
ensures that a new boot jar is generated each time the application server is started using the latest
configuration.
The following example shows how steps can be inserted into a startup script to generate the boot jar. This example assumes that the startup script uses a variable named JAVA to hold the path to the Java executable, and a variable named JAVA_OPTS to hold the options passed to the JVM when the application server is invoked. The details may vary with specific application servers.
Example 17: Batch startup script
...
for /F "tokens=*" %%b in ('"%JAVA%" -jar "<Runtime-Home>\lib.14\BootJarBuilder.jar"') do set FORTIFY_BOOTJAR=%%b
set JAVA_OPTS=-Xbootclasspath/p:"%FORTIFY_BOOTJAR%" %JAVA_OPTS%
...
Usage notes for Boot Jar Builder utility are as follows.
• The Boot Jar Builder utility should be run with the same Java executable that is used to run the target application.
• Any Java bootclasspath arguments passed to Java for the target application should also be passed to Java when running the Boot Jar Builder utility.
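A fail-closed version of the Example 16 boot jar step, as an added example that is not part of the guide. As written, Example 16 assigns whatever the Boot Jar Builder printed to FORTIFY_BOOTJAR, so if the builder fails the variable is empty and the server still starts, without HP Fortify Runtime; the function below checks the builder's exit status and its output first, and honours both usage notes above. The function names and FORTIFY_BUILDER_OPTS are this example's own, and the constructed stand-in for the builder exists only so the example runs offline.

```shell
#!/bin/sh
# Added example (not part of the guide): a fail-closed replacement for the two
# FORTIFY_* lines of Example 16. Example 16 assigns whatever the Boot Jar Builder
# printed to FORTIFY_BOOTJAR; if the builder fails, the variable is empty and the
# server still starts, silently without HP Fortify Runtime. This version checks
# the builder's exit status and that the printed path is a readable file before
# adding it to -Xbootclasspath/p:.
# Assumptions: JAVA is the same executable that runs the server, the builder
# lives in <Runtime-Home>/lib.14 as in Example 16, and the function names and
# FORTIFY_BUILDER_OPTS are this example's own.

# fortify_bootjar_arg JAVA RUNTIME_HOME [CONFIG_FILE]
#   Runs the Boot Jar Builder (Examples 12 and 15), passing any extra JVM
#   arguments in FORTIFY_BUILDER_OPTS (e.g. bootclasspath arguments the target
#   application also receives), and prints "-Xbootclasspath/p:<boot jar>".
#   On any failure it prints nothing and returns 1.
fortify_bootjar_arg() {
    java=$1
    home=$2
    config=${3:-}
    builder="$home/lib.14/BootJarBuilder.jar"

    if [ ! -r "$builder" ]; then
        echo "fortify_bootjar_arg: $builder not found" >&2
        return 1
    fi

    set -- -jar "$builder"
    if [ -n "$config" ]; then
        set -- "$@" -config "$config"
    fi
    # Unquoted FORTIFY_BUILDER_OPTS is intentional: it may hold several arguments.
    bootjar=$("$java" ${FORTIFY_BUILDER_OPTS:-} "$@") || {
        rc=$?
        echo "fortify_bootjar_arg: Boot Jar Builder failed with exit status $rc" >&2
        return 1
    }
    if [ -z "$bootjar" ] || [ ! -r "$bootjar" ]; then
        echo "fortify_bootjar_arg: builder did not produce a readable jar ('$bootjar')" >&2
        return 1
    fi
    printf '%s\n' "-Xbootclasspath/p:$bootjar"
}

# Startup-script usage (the lines that replace Example 16's FORTIFY_* lines):
#   FORTIFY_ARG=$(fortify_bootjar_arg "$JAVA" "<Runtime-Home>") || {
#       echo "refusing to start without HP Fortify Runtime" >&2; exit 1; }
#   JAVA_OPTS="$FORTIFY_ARG $JAVA_OPTS"

# Constructed stand-in for the builder so the example runs offline: a "java"
# script that writes an empty jar and prints its path, which is what
# BootJarBuilder.jar does on success.
make_fake_builder() {   # make_fake_builder DIR -> prints the path of the fake java
    mkdir -p "$1/lib.14" "$1/out"
    : > "$1/lib.14/BootJarBuilder.jar"
    cat > "$1/java" <<EOF
#!/bin/sh
: > "$1/out/fortify_boot.jar"
echo "$1/out/fortify_boot.jar"
EOF
    chmod +x "$1/java"
    printf '%s\n' "$1/java"
}

demo=$(mktemp -d)
JAVA=$(make_fake_builder "$demo")
FORTIFY_ARG=$(fortify_bootjar_arg "$JAVA" "$demo") || { echo "refusing to start without HP Fortify Runtime" >&2; exit 1; }
JAVA_OPTS="$FORTIFY_ARG ${JAVA_OPTS:-}"
echo "would start with JAVA_OPTS=$JAVA_OPTS"
rm -rf "$demo"
```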
Using Compatibility Mode with WebSphere
Determining whether and how to use Compatibility mode with WebSphere requires knowing which version
and type of JRE is in use. To determine this, run the following command. The Java executable is usually found
in the java/bin directory under the WebSphere installation.
Example 18: Version and type of JRE
java -version
Note the version of Java reported, as well as the type (IBM J9 VM or Java HotSpot). Check the System Requirements document to see if Compatibility mode is required or if Java Agent mode may be used instead.
As with Java Agent mode, running WebSphere in Compatibility mode requires modifying the Generic JVM
Arguments setting for the server using the Administrative Console.
Because these settings are not easily changed, the best practice for setting up Compatibility mode for
WebSphere is to pick a fixed path for the boot jar. The Generic JVM arguments can be configured to refer to
that fixed path, and the startup script used to start WebSphere can be modified to generate a boot jar at that
path each time WebSphere is started.
Pick a location on the system to store the boot jar file. This location must be writable by the script that starts
WebSphere and readable by the WebSphere Java process. In the examples below, this location will be referred
to as <boot-jar-path>.
Modifying the WebSphere Configuration
Use the Administrative Console to modify the Generic JVM Arguments setting for the server.
For IBM J9 versions 1.5 and newer, add the following arguments.
Example 19: IBM J9 additional arguments
-Xshareclasses:none -Xbootclasspath/p:<boot-jar-path>
For all other JREs, add the following arguments.
Example 20: JRE arguments (non-IBM J9)
-Xbootclasspath/p:<boot-jar-path>
Modifying the WebSphere Startup Script
Determine which start script is used to start WebSphere (this is usually named startServer or startNode).
For Windows batch scripts, add the following line to the script.
Example 21: Windows batch scripts
"%JAVA_EXE%" -jar <Runtime-Home>\lib\BootJarBuilder.jar -output <boot-jar-path>
For non-Windows shell scripts, add the following line to the script.
Example 22: Non-Windows shell scripts
"$JAVA_EXE" -jar <Runtime-Home>/lib/BootJarBuilder.jar -output <boot-jar-path>
Chapter 7: Configuring HP Fortify Runtime in Federated Mode
If you have installed RTAP and/or RTAL you may use the instructions in this chapter to manually configure
these HP Fortify Runtime products in Federated mode.
This chapter contains the following topics:
• Overview of HP Fortify Runtime Federated Mode
• Enabling HP Fortify Runtime Communications
• Overview of the Bootstrap Configuration File
• Including Standalone Settings in a Federated Mode Configuration
Overview of HP Fortify Runtime Federated Mode
You can configure one or more HP Fortify Runtime Hosts to run in Federated mode.
In Federated mode, each HP Fortify Runtime Host in a given Federation:
• Receives its configuration from the same Federation Controller
• Transmits security events to the same Federation Controller
Communicating with a Federation Controller enables the correlation of events from multiple HP Fortify Runtime product instances, such as those used to protect a distributed application.
The following figure shows the relationship of three HP Fortify Runtime Hosts to an instance of Software
Security Center running as those Hosts’ Federation Controller.
Figure 2: Overview of HP Fortify Runtime Federated Mode
Upon initial execution, the HP Fortify Runtime product delays the execution of the target program until it
receives a configuration from its Federation Controller. After HP Fortify Runtime product receives a
configuration, it caches the configuration. It uses the cached configuration until the Federation Controller
sends a new configuration. This enables a HP Fortify Runtime Host running in Federated Mode to restart
without waiting for the Federation Controller to re-send the configuration.
An administrator must configure Software Security Center to act as a Federation Controller and to allow
communication with hosts. For information about using Software Security Center as the Federation
Controller, see the Software Security Center User Guide. Note that the HP Fortify Runtime product always uses
SSL to communicate with the Federation Controller.
Enabling HP Fortify Runtime Communications
Software Security Center includes a Runtime tab. The Runtime tab enables Federation Controller features
that are used to configure, monitor, and manage instances of HP Fortify Runtime products running in
Federated mode.
By default, the HP Fortify Runtime product does not enable communication with Software Security Center, or
enable the Runtime tab. You must enable communications between the HP Fortify Runtime Host and Software
Security Center to enable HP Fortify Runtime to run in Federated mode. To do so, follow the procedures in the
Software Security Center Installation and Configuration Guide.
Overview of the Bootstrap Configuration File
In Federated Mode rt_config.xml is referred to as the bootstrap file. It allows the HP Fortify Runtime
product to find a Federation Controller and download a complete configuration.
For RTAP and/or RTAL running in Federated mode, the Federated mode configuration file contains one major
section: Global Settings.
Example 23 illustrates the general form of a Federated mode configuration file.
Example 23: HP Fortify Runtime bootstrap XML
<FortifyRuntime
xmlns="xmlns://www.fortifysoftware.com/schema/runtime/configuration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<GlobalSettings>
<Setting name="Controller">sscserver.example.com</Setting>
</GlobalSettings>
</FortifyRuntime>
Specifying Controller Connection Settings
As shown in Example 23, the Setting element’s name attribute is Controller, and the element’s value specifies the DNS name or IP address of the HP Fortify Runtime Host’s Federation Controller.
If a configuration file includes a Controller setting, then the HP Fortify Runtime Host operates in Federated mode.
Summary of Federated Mode Configuration Options
Table 2 lists the settings you can specify in the bootstrap configuration file.
Table 2: HP Fortify Runtime Federated Mode Configuration Settings

AuthDirectory
    Specifies where the HP Fortify Runtime Host stores the authentication credentials it receives from
    its Federation Controller. When an HP Fortify Runtime Host connects to its Federation Controller for
    the first time, and the Federation Controller accepts that connection request, the Federation
    Controller sends the Host its authentication credentials.
    Default: ${FortifyHome}/internal/auth

Controller
    The DNS name or IP address of the HP Fortify Runtime Host's Federation Controller. If the HP Fortify
    Runtime configuration file specifies a Controller, the HP Fortify Runtime Host operates in Federated
    mode.
    This setting is required.

ControllerPort
    The optional port number used to communicate with the Federation Controller.
    Default: 10234

MaxWaitForInitialConfiguration
    The integer number of seconds the Host waits to receive an initial configuration from its Federation
    Controller before abandoning the request.
    Default: 30

ProcessName
    A name for the program running in this process, currently used to assign the process to a federation.
    If not specified, the controller assigns the runtime to the default federation for the host. If
    specified, it must be the name of a federation, and the controller adds the runtime to that federation.
    Default: None

RemoteConfigDirectory
    The directory where the host stores the configuration and rules files sent from the controller.
    Default: ${FortifyHome}/internal/remote_config

StartUsingCachedConfiguration
    Controls whether HP Fortify Runtime starts the target program using a cached set of configuration
    files or waits for the controller to send the most up-to-date configuration before starting the
    target program. If true, the host begins operation using a local cache of configuration information
    (provided the cache was established in a previous run). If false, the host waits for the latest
    configuration from the controller before running the target program. If HP Fortify Runtime has never
    received a configuration from the controller, it always waits for a configuration before starting
    the target program.
    To start the runtime in Federated mode without using the configuration cached on disk, set
    StartUsingCachedConfiguration to false in the bootstrap configuration.
    Default: true
Including Standalone Settings in a Federated Mode Configuration
You may include HP Fortify Runtime Standalone mode configuration settings in a bootstrap configuration file.
Bootstrap file settings become default values in the Federated configuration: if the Federated configuration
specifies a setting that also appears in the bootstrap configuration file, the value from the Federated
configuration is used; if the Federated configuration does not specify a value for a setting that appears
in the bootstrap configuration, the value from the bootstrap configuration is used.
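As an added example (not code from the HP Fortify documentation or product), the following Python script
resolves the configuration a Host would run with from a bootstrap file shaped like Example 23: it fills in
the Table 2 defaults, treats the presence of a Controller setting as the Federated-mode switch, and applies
the precedence rule above, in which values sent by the controller override bootstrap values. The two XML
documents are constructed, ExampleStandaloneSetting is a placeholder name rather than a documented setting,
and the type and range checks are assumptions of this example, not documented validation rules.

```python
"""Resolve the configuration an HP Fortify Runtime Host ends up with.

Added example for this page, not code from HP Fortify. It reads the
<GlobalSettings> of a bootstrap rt_config.xml, decides Standalone vs
Federated mode from the presence of a Controller setting, fills in the
Table 2 defaults, and applies the stated precedence: a value in the
configuration downloaded from the Federation Controller overrides the
bootstrap value. The sample XML documents are constructed; the type checks
on ports, timeouts and the cache flag are this example's assumptions.
"""
import xml.etree.ElementTree as ET

# Namespace exactly as written in Example 23 on this page.
NS = "xmlns://www.fortifysoftware.com/schema/runtime/configuration"
SETTING_PATH = f"{{{NS}}}GlobalSettings/{{{NS}}}Setting"

# Table 2 defaults. None marks a setting with no default value.
FEDERATED_DEFAULTS = {
    "AuthDirectory": "${FortifyHome}/internal/auth",
    "Controller": None,            # required; no default
    "ControllerPort": 10234,
    "MaxWaitForInitialConfiguration": 30,
    "ProcessName": None,
    "RemoteConfigDirectory": "${FortifyHome}/internal/remote_config",
    "StartUsingCachedConfiguration": True,
}

# Constructed bootstrap file. ExampleStandaloneSetting is a placeholder for a
# Standalone-mode setting, not a documented name.
BOOTSTRAP_XML = """<FortifyRuntime
    xmlns="xmlns://www.fortifysoftware.com/schema/runtime/configuration"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <GlobalSettings>
    <Setting name="Controller">sscserver.example.com</Setting>
    <Setting name="StartUsingCachedConfiguration">false</Setting>
    <Setting name="ExampleStandaloneSetting">from-bootstrap</Setting>
  </GlobalSettings>
</FortifyRuntime>"""

# Constructed stand-in for the configuration the controller sends back.
FEDERATED_XML = """<FortifyRuntime
    xmlns="xmlns://www.fortifysoftware.com/schema/runtime/configuration">
  <GlobalSettings>
    <Setting name="MaxWaitForInitialConfiguration">60</Setting>
    <Setting name="ExampleStandaloneSetting">from-controller</Setting>
  </GlobalSettings>
</FortifyRuntime>"""


def parse_settings(xml_text):
    """Return {name: raw string value} for every <Setting> under <GlobalSettings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for node in root.iterfind(SETTING_PATH):
        name = node.get("name")
        if not name:
            raise ValueError("Setting element without a name attribute")
        if name in settings:
            raise ValueError(f"Setting {name!r} appears more than once")
        settings[name] = (node.text or "").strip()
    return settings


def coerce(name, raw):
    """Type-check the Table 2 settings (assumed rules); pass others through unchanged."""
    if name in ("ControllerPort", "MaxWaitForInitialConfiguration"):
        value = int(raw)
        low = 1 if name == "ControllerPort" else 0
        high = 65535 if name == "ControllerPort" else None
        if value < low or (high is not None and value > high):
            raise ValueError(f"{name}={raw} out of range")
        return value
    if name == "StartUsingCachedConfiguration":
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{name} must be true or false, got {raw!r}")
        return raw.lower() == "true"
    return raw


def runtime_mode(settings):
    """Per the text above: a Controller setting puts the Host in Federated mode."""
    return "Federated" if settings.get("Controller") else "Standalone"


def effective_config(bootstrap_xml, federated_xml=None):
    """Table 2 defaults < bootstrap values < values sent by the controller."""
    bootstrap = parse_settings(bootstrap_xml)
    if runtime_mode(bootstrap) != "Federated":
        raise ValueError("no Controller setting; this bootstrap file is Standalone")
    merged = {k: v for k, v in FEDERATED_DEFAULTS.items() if v is not None}
    merged.update({k: coerce(k, v) for k, v in bootstrap.items()})
    if federated_xml is not None:
        merged.update({k: coerce(k, v) for k, v in parse_settings(federated_xml).items()})
    return merged


if __name__ == "__main__":
    for key, value in sorted(effective_config(BOOTSTRAP_XML, FEDERATED_XML).items()):
        print(f"{key} = {value}")
```

Run the script directly to print the resolved settings; with the constructed inputs, ExampleStandaloneSetting
resolves to the controller's value and MaxWaitForInitialConfiguration to 60, while ControllerPort and
AuthDirectory fall back to their Table 2 defaults. Because AuthDirectory holds the credentials the controller
issues to the Host, the resolved path is also worth checking for restrictive permissions on the host itself,
which is outside what this offline example does.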
Appendix A: HP Fortify Runtime Glossary
Table 3 lists the terms that have specific meaning for HP Fortify Runtime.
Table 3: Runtime Terms
Term
Description
Action
A change to the state of the target program. An action can be invoked by an
event handler.
Examples of actions include throwing an exception, showing an error page,
terminating the user’s session, or rewriting the value of a variable in the
target program.
Application
A user-supplied program running under the control of an application server.
Because HP Fortify Runtime monitors everything that happens in an
application server, by default it watches all applications running under the
application server.
Application Assignment Rule
The user-supplied criteria for sorting events from an application server
according to the application that generated the event.
For example, an application server running applications A and B might have
two application assignment rules: one rule that associates events with /a in
the URL with application A and a second rule that associates events with /b
in the URL with application B.
Cluster
An event handler construct used to match a sequence of events.
For example, an event handler might use a cluster to specify that users
should be logged out after they attempt three cross-site scripting attacks.
Compatibility Mode
An integration mode that allows HP Fortify Runtime to operate with Java
Virtual Machines that do not support Java Agents. Compatibility Mode
allows operation when Java Agent Mode is not possible, with some
limitations.
Configuration Bundle
A file containing all of the information the federation controller uses to
govern a federation, including a configuration template, rules, settings, and
administrator-specified event handlers.
An administrator might configure and test HP Fortify Runtime in a staging
environment, then export a configuration bundle from the staging server and
import the configuration bundle into the production server.
Configuration Template
The basis of the configuration the federation controller sends to a host.
The Runtime Console allows a Security Designer to add functionality to a
configuration by supplying additional event handlers or overriding the
values of settings.
Dispatch
An asynchronous event routing as specified by an event handler.
HP Fortify Runtime can dispatch events to a log file, an external system such
as syslog, or to a federation controller. The federation controller can dispatch
events to the database or to an alert.
Appendix A: HP Fortify Runtime Glossary
36
Event
A hierarchical collection of event attributes. Events are assembled by
monitors from information in a rule and from the state of the target program.
An event can include information such as the name of a vulnerability
category, the HTTP request that generated the event, information about an
attack, and the stack trace with the program point for the monitor that
created the event.
Event Attribute
A labeled value contained in an event. For example, an event related to SQL
injection could carry the following attribute:
category: SQL Injection
This event attribute has the label category and the value SQL Injection.
Event Handler
A configuration element that matches against events.
When an event handler matches an event, it can optionally dispatch the
event or, if the event handler is operating in the context of HP Fortify
Runtime, carry out an action in the target program.
Event Handler Chain
An ordered set of event handlers that defines a response to events.
Each event handler in the chain is given an opportunity to handle an event.
By default the evaluation of the event handler chain stops after the first event
handler fires. The default event handler is carried out if no other event
handlers match the event.
Federation
A group of HP Fortify Runtime product instances managed as a single logical
entity.
When operating as part of a federation, HP Fortify Runtime product
instances are said to be in Federated mode.
Members of a federation are configured by a federation controller. The
members can report events back to the federation controller.
Federation Controller
The Software Security Center server that coordinates the activities of hosts
operating together in a Federation.
Federated Mode
The operating mode in which a Runtime instance coordinates its activities
with other instances through a federation controller.
HP Fortify Runtime
The software that observes a target program.
HP Fortify Runtime is responsible for attaching monitors to the target
program as specified by rules, providing an environment for the execution of
monitors, and for executing the event handler chain when monitors generate
events.
A single invocation of HP Fortify Runtime monitors one and only one target
program.
Host
A computer running one or more federated instances of an HP Fortify
Runtime product.
Host Configuration
The set of files that determine the behavior of an HP Fortify Runtime product
on a host.
The host configuration includes rules files and a configuration file specifying
global settings, rules, and event handlers.
Java Agent Mode
The default Java integration mode. Java Agent Mode is available in JVMs
version 1.5 and newer, is the simplest mode of operating an HP Fortify
Runtime product with a JVM, and allows for the most capabilities.
Monitor
A Java or .NET class built to watch program points. Monitors are connected
to the target program as specified by rules. Monitors can create events. The
runtime includes a set of predefined monitors, but users can also add their
own monitors.
Program Point
A location within a target program specified by a rule.
Rule
A rule specifies a set of program points and names a set of monitors.
HP Fortify Runtime applies the rule by attaching the named monitors to the
specified program points.
A rule may include a configuration for each named monitor including
information such as the attributes that the monitor should set when it
creates an event or other settings that determine the behavior of the
monitor.
Standalone Mode
The self-sufficient operating mode. HP Fortify Runtime depends only on
locally available resources (rules, configuration, and monitors). It does not
coordinate its activities with other instances of the runtime or with a
federation controller. An alternative to Federated Mode.
Target Program
The program being monitored by HP Fortify Runtime.
The target program can be any Java or .NET program. It could be an
application server with multiple applications running under it, or it could be
an independent application.