Micro Focus

Fortify WebInspect

Software Version: 22.2.0

Windows® operating systems

Installation Guide

Document Release Date: November 2022

Software Release Date: November 2022

Installation Guide

Legal Notices

Micro Focus

The Lawn

22-30 Old Bath Road

Newbury, Berkshire RG14 1QN

UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the

express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The

information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for

possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard

commercial license.

Copyright Notice

© Copyright 2004-2022 Micro Focus or one of its affiliates

Trademark Notices

All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.

Documentation Updates

The title page of this document contains the following identifying information:

l

Software Version number

l

Document Release Date, which changes each time the document is updated

l

Software Release Date, which indicates the release date of this version of the software

This document was produced on November 02, 2022. To check for recent updates or to verify that you are using the most

recent edition of a document, go to:

https://www.microfocus.com/support/documentation

Micro Focus Fortify WebInspect (22.2.0)

Page 2 of 46

Installation Guide

Contents

Contacting Micro Focus Fortify Customer Support

For More Information

About the Documentation Set

Fortify Product Feature Videos

Chapter 1: Welcome to Micro Focus Fortify WebInspect

The Main Features of Fortify WebInspect

Crawling and Auditing

Manual Ha cking Control

Summary and Fixes

Scanning Policies

Sortable and Cust omizable Views

Enterprise-Wide Usage Capabilitie s

API and Web Services Scans

Integration Ca pabilities

Hacker-level In sights

Related Documents

Micro Focus Fortify ScanCentral DAST

Micro Focus Fortify WebInspect

Micro Focus Fortify WebInspect Enterprise

Chapter 2: Installing WebInspect

Installation Recommendation

Micro Focus Fortify WebInspect (22.2.0)

Page 3 of 46

Installation Guide

SQL Server Database Privileges

About the Installer Files

Installation Options

Using the Setup Wizard

Using the msiexec Prog ram

Normal Installation

Reboot Message Su ppression

Synchronou s Installation

Using the WIConfig Program

Required Pa rameters to Configure a Sensor

Optional Parameters to Configure a Sensor

Guidelines When Using Azure SQL Databas e

Updating Fortify WebInspect

Directory Structure

Chapter 3: Licensing WebInspect

Licensing with the License Wizard

Connect to M icro Focus

License File Activation

AutoPass Activatio n

Fortify Activation

Act ivating with an Au toPass License Server

Register 15-day Trial

License Revocation

Licensing with the License Utility

Syntax for Named Users

Syntax for Concurrent U sers

Configuring Fortify WebInspect to use the LIM

For Existing (Licensed) Fortify WebInspect Installations

For New (Unlicensed) Fortify WebInspect Installations

Micro Focus Fortify WebInspect (22.2.0)

Page 4 of 46

Installation Guide

Chapter 4: The WebInspect SDK

Installation Recommendation

Installing the WebInspect SDK

Verifying the Installation

Send Documentation Feedback

Micro Focus Fortify WebInspect (22.2.0)

Page 5 of 46

Installation Guide

Preface

Preface

Contacting Micro Focus Fortify Customer Support

Visit the Support website to:

l

Manage licenses and entitlements

l

Create and manage technical assistance requests

l

Browse documentation and knowledge articles

l

Download software

l

Explore the Community

https://www.microfocus.com/support

For More Information

For more information about Fortify software products:

https://www.microfocus.com/cyberres/application-security

About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all

Fortify Software products and components. In addition, you will find technical notes and release notes

that describe new features, known issues, and last-minute updates. You can access the latest versions

of these documents from the following Micro Focus Product Documentation website:

https://www.microfocus.com/support/documentation

To be notified of documentation updates between releases, subscribe to Fortify Product

Announcements on the Micro Focus Community:

https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements

Fortify Product Feature Videos

You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube

channel:

https://www.youtube.com/c/FortifyUnplugged

Micro Focus Fortify WebInspect (22.2.0)

Page 6 of 46

Installation Guide

Change Log

Change Log

The following table lists changes made to this document. Revisions to this document are published

between software releases only if the changes made affect product functionality.

Software Release /

Document Version

Changes

22.2.0

Updated:

l

Features list with new API scanning functionality. See "The Main

Features of Fortify WebInspect" on page 9.

l

WIConfig information with 2FA server and OAST server options. See

"Using the WIConfig Program" on page 25.

22.1.0

Added:

l

Guidelines for using Azure SQL database. See "Guidelines When Using

Azure SQL Database" on page 29.

Updated:

l

WIConfig.exe content with support for Azure SQL database. See "Using

the WIConfig Program" on page 25.

21.2.0

Updated:

l

List of features to include API discovery and the Web Fuzzer tool. See

"The Main Features of Fortify WebInspect" on page 9.

l

l

URL in AutoPass licensing instructions. See "AutoPass Activation" on

The default value for the LIM Service Virtual Directory name. See

"Configuring Fortify WebInspect to use the LIM" on page 42.

21.1.0

Added:

l

Tip about using Fortify WebInspect with the Fortify ScanCentral DAST

sensor service. See "Installation Options" on page 18.

Updated:

l

Features list with updates to API scans and addition of hacker-level

insights. See "The Main Features of Fortify WebInspect" on page 9.

Micro Focus Fortify WebInspect (22.2.0)

Page 7 of 46

Installation Guide

Change Log

Software Release /

Document Version

Changes

Removed:

l

Requirement for running Fortify WebInspect as an administrator.

Micro Focus Fortify WebInspect (22.2.0)

Page 8 of 46

Chapter 1: Welcome to Micro Focus Fortify

WebInspect

Micro Focus Fortify WebInspect is the most accurate and comprehensive automated Web application

and Web services vulnerability scanning solution available today. With Fortify WebInspect, security

professionals and compliance auditors can quickly and easily analyze the numerous Web applications

and Web services in their environment. Fortify WebInspect is the only product that is maintained and

updated daily by the world’s leading Web security experts. These solutions are specifically designed

to assess potential security flaws and to provide all the information you need to fix them.

Fortify WebInspect delivers the latest evolution in scanning technology, a Web application security

product that adapts to any enterprise environment. As you initiate a scan, Fortify WebInspect assigns

“assessment agents” that dynamically catalog all areas of a Web application. As these agents

complete the assessment, findings are reported to a main security engine that analyzes the results.

Fortify WebInspect then launches audit engines to evaluate the gathered information and apply

attack algorithms to locate vulnerabilities and determine their severity. With this smart approach,

Fortify WebInspect continuously applies appropriate scan resources that adapt to your specific

application environment.

The Main Features of Fortify WebInspect

The following is a brief overview of what you can do with Micro Focus Fortify WebInspect, and how it

can benefit your organization.

Crawling and Auditing

Fortify WebInspect uses two basic modes for determining your security weaknesses:

l

A crawl is the process by which Fortify WebInspect identifies the structure of the target Web site. In

essence, a crawl runs until no more links on the URL can be followed.

l

An audit is the actual vulnerability assessment.

When a crawl and an audit are combined into one function, it is termed a scan. A scan combines

application crawl and audit phases into a single fluid process. The scan is refined based on real-time

audit findings, resulting in a comprehensive view of an entire Web application’s attack surface.

Intelligent engines employ a structured, logic-based approach to analyzing an application and then

customize attacks based on the application’s behavior and environment. Fortify WebInspect combines

sophisticated, ground-breaking scanning technologies with a database of known Web application

vulnerabilities.

Micro Focus Fortify WebInspect (22.2.0)

Page 9 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

Reporting

Use Fortify WebInspect reports to gain valuable, organized application information. You can

customize report details, deciding what level of information to include in each report, and gear the

report for a specific audience. You can save reports in a variety of formats, and you can also include

graphic summaries of vulnerability data.

Manual Hacking Control

With Fortify WebInspect, you can see what’s really happening on your site, and simulate a true attack

environment. Fortify WebInspect functionality gives you the ability to view the code for any page that

contains vulnerabilities, then make changes to server requests and resubmit them instantly.

When using the Web Proxy tool, you can also pause the client-server data flow when Web Proxy

receives a request from the client, receives a response from the server, or finds text that satisfies the

search rules you create.

Summary and Fixes

Fortify WebInspect provides summary and remediation information for all vulnerabilities detected

during a scan. This includes reference material, links to patches, instructions for prevention of future

problems, and vulnerability solutions. As new attacks and exploits are formulated, we update our

remediation database. Use Smart Update on the Fortify WebInspect toolbar to update your database

with the latest vulnerability solution information.

Scanning Policies

You can edit and customize scanning policies to suit the needs of your organization, reducing the

amount of time it takes for Fortify WebInspect to complete a full scan.

Fortify WebInspect also lets you extend the product’s capabilities to meet your organization’s specific

needs. You can configure Fortify WebInspect to adapt to any web application environment and use

the custom check wizard to create custom attacks.

Sortable and Customizable Views

When conducting or viewing a scan, the navigation pane on the left side of the Fortify WebInspect

window includes the Site, Sequence, Search, and Step Mode buttons, which determine the contents

(or “view”) presented in the navigation pane. The following are descriptions of the views:

l

Sequence view displays server resources in the order they were encountered by Fortify

WebInspect during an automated scan or a manual crawl (Step Mode).

l

Search view allows you to locate sessions that fulfill the criteria you specify.

l

Site view presents the hierarchical file structure of the scanned site.

Micro Focus Fortify WebInspect (22.2.0)

Page 10 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

l

Step Mode is used to navigate manually through the site, beginning with a session you select from

either the site view or the sequence view.

Enterprise-Wide Usage Capabilities

The integrated scan process provides a comprehensive overview of your Web presence from an

overall enterprise perspective, enabling you to selectively conduct application scans, either

individually or scheduled, of all Web-enabled applications on the network.

API and Web Services Scans

Fortify WebInspect supports scanning GraphQL, gRPC, OData, Postman, Swagger (also known as

Open API), and SOAP by way of the API Scan Wizard, WI.exe, and the WebInspect REST API.

API Discovery

With API discovery, any Swagger or OpenAPI schema that is detected during a scan will have its

endpoints added to the existing scan and authentication will be applied to the endpoints using

automatic state detection. In addition, probes will be sent to default locations of popular API

frameworks to discover schemas.

Integration Capabilities

You can integrate Fortify WebInspect with some of the most widely-used application security

development and testing tools, including the following:

l

Burp

l

Postman

l

Selenium WebDriver

Export Wizard

Fortify WebInspect’s configurable XML export tool enables users to export (in a standardized XML

format) any and all information found during the scan. This includes comments, hidden fields,

JavaScript, cookies, Web forms, URLs, requests, and sessions. Users can specify the type of

information to be exported. The Export Wizard also includes a “scrubbing” feature that prevents any

sensitive data from being included in the export.

Hacker-level Insights

Fortify WebInspect flags libraries that are detected in the application during the scan. This

information provides developers and security professionals with context relating to the overall

security posture of their application. While these findings do not necessarily represent a security

Micro Focus Fortify WebInspect (22.2.0)

Page 11 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

vulnerability, it is important to note that attackers commonly perform reconnaissance of their target

in an attempt to identify known weaknesses or patterns.

Testing Tools

A robust set of diagnostic and penetration testing tools is packaged with Fortify WebInspect. These

include:

l

Audit Inputs Editor

l

Compliance Manager

l

Encoders/Decoders

l

HTTP Editor

l

License Wizard

l

Log Viewer

l

Policy Manager

l

Regular Expression Editor

l

Server Analyzer

l

Site Explorer

l

SQL Injector

l

SWFScan

l

Traffic Tool

l

Web Discovery

l

Web Form Editor

l

Web Fuzzer

l

Session-based Web Macro Recorder

l

Web Macro Recorder with Macro Engine 7.1

l

Web Proxy

l

Web Services Test Designer

Related Documents

This topic describes documents that provide information about Micro Focus Fortify software

products.

Note: You can find the Micro Focus Fortify Product Documentation at

https://www.microfocus.com/support/documentation. Most guides are available in both PDF and

HTML formats. Product help is available within the Fortify LIM product and the Fortify

WebInspect products.

Micro Focus Fortify WebInspect (22.2.0)

Page 12 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

All Products

The following documents provide general information for all products. Unless otherwise noted, these

documents are available on the Micro Focus Product Documentation website.

Document / File Name

Description

About Micro Focus Fortify Product

Software Documentation

This paper provides information about how to access

Micro Focus Fortify product documentation.

About_Fortify_Docs_<version>.pdf

Note: This document is included only with the

product download.

Micro Focus Fortify License and

Infrastructure Manager Installation

and Usage Guide

This document describes how to install, configure, and use

the Fortify License and Infrastructure Manager (LIM),

which is available for installation on a local Windows

server and as a container image on the Docker platform.

LIM_Guide_<version>.pdf

Micro Focus Fortify Software System This document provides the details about the

Requirements

environments and products supported for this version of

Fortify Software.

Fortify_Sys_Reqs_<version>.pdf

Micro Focus Fortify Software Release This document provides an overview of the changes made

Notes

to Fortify Software for this release and important

information not included elsewhere in the product

documentation.

FortifySW_RN_<version>.pdf

What’s New in Micro Focus Fortify

Software <version>

This document describes the new features in Fortify

Software products.

Fortify_Whats_New_<version>.pdf

Micro Focus Fortify ScanCentral DAST

The following document provides information about Fortify ScanCentral DAST. Unless otherwise

noted, these documents are available on the Micro Focus Product Documentation website at

https://www.microfocus.com/documentation/fortify-ScanCentral-DAST.

Document / File Name

Description

Micro Focus Fortify ScanCentral

This document provides information about how to

Micro Focus Fortify WebInspect (22.2.0)

Page 13 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

Document / File Name

Description

DAST Configuration and Usage Guide configure and use Fortify ScanCentral DAST to conduct

dynamic scans of Web applications.

SC_DAST_Guide_<version>.pdf

Micro Focus Fortify WebInspect

The following documents provide information about Fortify WebInspect. Unless otherwise noted,

these documents are available on the Micro Focus Product Documentation website at

https://www.microfocus.com/documentation/fortify-webinspect.

Document / File Name

Description

Micro Focus Fortify WebInspect

Installation Guide

This document provides an overview of Fortify

WebInspect and instructions for installing Fortify

WebInspect and activating the product license.

WI_Install_<version>.pdf

Micro Focus Fortify WebInspect User

Guide

This document describes how to configure and use

Fortify WebInspect to scan and analyze Web

applications and Web services.

WI_Guide_<version>.pdf

Note: This document is a PDF version of the Fortify

WebInspect help. This PDF file is provided so you

can easily print multiple topics from the help

information or read the help in PDF format. Because

this content was originally created to be viewed as

help in a web browser, some topics may not be

formatted properly. Additionally, some interactive

topics and linked content may not be present in this

PDF version.

Micro Focus Fortify WebInspect and

OAST on Docker User Guide

This document describes how to download, configure,

and use Fortify WebInspect and Fortify OAST that are

available as container images on the Docker platform.

The Fortify WebInspect image is intended to be used in

automated processes as a headless sensor configured by

way of the command line interface (CLI) or the

WI_Docker_Guide_<version>.pdf

application programming interface (API). It can also be

run as a Fortify ScanCentral DAST sensor and used in

conjunction with Fortify Software Security Center.

Micro Focus Fortify WebInspect (22.2.0)

Page 14 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

Document / File Name

Description

Fortify OAST is an out-of-band application security

testing (OAST) server that provides DNS service for the

detection of OAST vulnerabilities.

Micro Focus Fortify WebInspect Tools

Guide

This document describes how to use the Fortify

WebInspect diagnostic and penetration testing tools and

configuration utilities packaged with Fortify WebInspect

and Fortify WebInspect Enterprise.

WI_Tools_Guide_<version>.pdf

Micro Focus Fortify WebInspect Agent This document describes how to install the Fortify

Installation Guide

WebInspect Agent for applications running under a

supported Java Runtime Environment (JRE) on a

supported application server or service and applications

running under a supported .NET Framework on a

supported version of IIS.

WI_Agent_Install_<version>.pdf

Micro Focus Fortify WebInspect Agent This document describes the detection capabilities of

Rulepack Kit Guide

Fortify WebInspect Agent Rulepack Kit. Fortify

WebInspect Agent Rulepack Kit runs atop the Fortify

WebInspect Agent, allowing it to monitor your code for

software security vulnerabilities as it runs. Fortify

WebInspect Agent Rulepack Kit provides the runtime

technology to help connect your dynamic results to your

static ones.

WI_Agent_Rulepack_Guide_

<version>.pdf

Micro Focus Fortify WebInspect Enterprise

The following documents provide information about Fortify WebInspect Enterprise. Unless otherwise

noted, these documents are available on the Micro Focus Product Documentation website at

https://www.microfocus.com/documentation/fortify-webinspect-enterprise.

Document / File Name

Description

Micro Focus Fortify WebInspect

Enterprise Installation and

Implementation Guide

This document provides an overview of Fortify WebInspect

Enterprise and instructions for installing Fortify WebInspect

Enterprise, integrating it with Fortify Software Security

Center and Fortify WebInspect, and troubleshooting the

installation. It also describes how to configure the

WIE_Install_<version>.pdf

components of the Fortify WebInspect Enterprise system,

which include the Fortify WebInspect Enterprise application,

Micro Focus Fortify WebInspect (22.2.0)

Page 15 of 46

Installation Guide

Chapter 1: Welcome to Micro Focus Fortify WebInspect

Document / File Name

Description

database, sensors, and users.

Micro Focus Fortify WebInspect

Enterprise User Guide

This document describes how to use Fortify WebInspect

Enterprise to manage a distributed network of Fortify

WebInspect sensors to scan and analyze Web applications

and Web services.

WIE_Guide_<version>.pdf

Note: This document is a PDF version of the Fortify

WebInspect Enterprise help. This PDF file is provided so

you can easily print multiple topics from the help

information or read the help in PDF format. Because

this content was originally created to be viewed as help

in a web browser, some topics may not be formatted

properly. Additionally, some interactive topics and

linked content may not be present in this PDF version.

Micro Focus Fortify WebInspect

Tools Guide

This document describes how to use the Fortify WebInspect

diagnostic and penetration testing tools and configuration

utilities packaged with Fortify WebInspect and Fortify

WebInspect Enterprise.

WI_Tools_Guide_<version>.pdf

Micro Focus Fortify WebInspect (22.2.0)

Page 16 of 46

Chapter 2: Installing WebInspect

This chapter contains instructions on installing Micro Focus Fortify WebInspect.

Installation Recommendation

Fortify recommends that you do not install Fortify WebInspect on the same machine as Micro Focus

Fortify WebInspect Enterprise. Doing so may result in known issues that affect the usability of the

products.

Prerequisites

Before you install Fortify WebInspect, install a supported or recommended version of the following

third-party software:

l

.NET Framework

l

SQL Server or SQL Server Express

For information about the supported versions of these software products and other system

requirements, see the Micro Focus Fortify Software System Requirements.

SQL Server Database Privileges

The account specified for the database connection must also be a database owner (DBO) for the

named database. However, the account does not require sysadmin (SA) privileges for the database

server. If the database administrator (DBA) did not generate the database for the specified user, then

the account must also have the permission to create a database and to manipulate the security

permissions. The DBA can rescind these permissions after Fortify WebInspect sets up the database,

but the account must remain a DBO for that database.

About the Installer Files

The following installer files are available for 64-bit operating systems:

l

WebInspect64.exe – An executable file that launches an embedded Windows installer file

l

WebInspect64.msi – A Windows installer file

Double-clicking any of the installer files launches the Setup Wizard which guides you through the

installation. For more information, see "Using the Setup Wizard" on the next page.

Micro Focus Fortify WebInspect (22.2.0)

Page 17 of 46

Installation Guide

Chapter 2: Installing WebInspect

Installation Options

You can install Micro Focus Fortify WebInspect using the Setup Wizard or the msiexec program. You

can use the WIConfig program to override Fortify WebInspect configurations after installation.

Tip: You can use a classic Fortify WebInspect installation with the Fortify ScanCentral DAST

sensor service. For more information, see the Micro Focus Fortify ScanCentral DAST

Configuration and Usage Guide.

Using the Setup Wizard

Use the following procedure to install Fortify WebInspect using the Setup Wizard.

Note: After installing Fortify WebInspect, the program will auto launch and require that you

license the product before continuing. For information on licensing Fortify WebInspect, see

"Licensing with the License Wizard" on page 33.

1. Double-click the .exe or .msi file to start the Setup Wizard.

The Welcome to the Micro Focus WebInspect Setup Wizard window appears.

2. Click Next.

Micro Focus Fortify WebInspect (22.2.0)

Page 18 of 46

Installation Guide

Chapter 2: Installing WebInspect

The End-User License Agreement window appears.

3. Review the license agreement. If you accept it, select the check box and click Next; otherwise

click Cancel.

Micro Focus Fortify WebInspect (22.2.0)

Page 19 of 46

Installation Guide

Chapter 2: Installing WebInspect

If you accept the license agreement, the Destination Folder window appears.

4. In the Destination Folder window, do one of the following:

l

If you are installing Fortify WebInspect as a sensor for Micro Focus Fortify WebInspect

Enterprise, do not make any changes to the default Destination Folder. Click Next.

Important! If you are installing Fortify WebInspect as a sensor, you must use the default

Destination Folder. Otherwise, SmartUpdates to the sensor will not work. The default

Destination Folder is:

C:\Program Files\Fortify\Fortify WebInspect

l

Otherwise, you can accept the default Destination Folder or choose a different folder into

which you want to install the software. Click Next.

Micro Focus Fortify WebInspect (22.2.0)

Page 20 of 46

Installation Guide

Chapter 2: Installing WebInspect

The Sensor Configuration window appears.

5. To install Fortify WebInspect as a sensor:

a. In the Configure WebInspect as a Sensor for this installation (optional) area, select

Configure WebInspect as a Sensor.

b. Enter the Enterprise Manager URL, that is, the URL of Fortify WebInspect Enterprise

manager.

c. In the Sensor Authentication group, enter the Windows account credentials for this sensor.

For important information about installing Fortify WebInspect as a sensor and configuring it

to work with Fortify WebInspect Enterprise, see the Micro Focus Fortify WebInspect

Enterprise Installation and Implementation Guide.

6. Click Next.

Micro Focus Fortify WebInspect (22.2.0)

Page 21 of 46

Installation Guide

Chapter 2: Installing WebInspect

The Ready to install Micro Focus WebInspect window appears.

7. Click Install.

Micro Focus Fortify WebInspect (22.2.0)

Page 22 of 46

Installation Guide

Chapter 2: Installing WebInspect

When the installation process is complete, the Completed the Micro Focus WebInspect Setup

Wizard window appears.

8. Select Launch Fortify WebInspect and click Finish.

The Setup Wizard closes and Fortify WebInspect launches.

Using the msiexec Program

You can install Micro Focus Fortify WebInspect from the command line interface (CLI) or with a script

using the msiexec program. After installing the product, you can license it from the CLI with the

License Utility. For more information, see "Licensing with the License Utility" on page 40.

The following installation methods are supported when installing from the command line interface or

with a script:

l

Normal Installation

l

Reboot Message Suppression

l

Silent Mode

l

Synchronous Installation

The following paragraphs provide details about these installation methods.

Normal Installation

A normal installation includes a user interface that prompts you to accept or change the default

installation options. To run a normal installation, type the following at the command line prompt or

Micro Focus Fortify WebInspect (22.2.0)

Page 23 of 46

Installation Guide

Chapter 2: Installing WebInspect

use it in a script:

msiexec /I "<directory>:\webinspect.msi"

Replace <directory> with the location where the webinspect.msi file resides on your machine. To

install Fortify WebInspect on a 64-bit operating system, use the webinspect64.msi file.

Reboot Message Suppression

If some files that need to be updated are in use during the installation, the installer prompts you that

a reboot is required to complete the installation. Using the msiexec program, you can suppress these

messages during the installation. To suppress reboot messages, type the following at the command

line prompt or use it in a script:

msiexec /I "<directory>:\webinspect.msi" REBOOT=Suppress

Important! Using this method, the installation completes normally without any messages to

reboot. However, if files were in use during the installation and a reboot is required, Fortify

WebInspect may not run until you reboot your machine.

Silent Mode

You can suppress the user interface altogether by using the silent mode method. Using this method,

all user prompts and messages are suppressed, and the default installation options are used. To use

silent mode, type the following at the command line prompt:

msiexec /I "<directory>:\webinspect.msi" REBOOT=Suppress /qn

Important! There is no way to specify non-default installation options without user interaction.

To override the default configurations, use the WIConfig program. For information, see "Using

the msiexec Program" on the previous page.

Synchronous Installation

Installing Fortify WebInspect from the command line interface or with a script using the commands

described above starts the installation as a background task. You can type commands or run other

script operations while Fortify WebInspect is installing in the background. If you were to attempt to

run the WIConfig program immediately after submitting the msiexec command, the WIConfig

program would fail because the Fortify WebInspect installation would not have completed. You can

avoid this issue by running a synchronous installation, which means that you cannot further interact

with the command prompt or run the next line in a script until the installation is complete.

To run a synchronous installation, type the following at the command line prompt or use it in a script:

Start /wait msiexec /I "<directory>:\webinspect.msi" REBOOT=Suppress /qn

Micro Focus Fortify WebInspect (22.2.0)

Page 24 of 46

Installation Guide

Chapter 2: Installing WebInspect

Using the WIConfig Program

The msiexec program installs Micro Focus Fortify WebInspect, but it does not configure Fortify

WebInspect with any non-default configuration settings. You can use the WIConfig program after

installation to override the default configuration settings.

Note: You must run the WIConfig program with administrative privileges.

Important! If one of the parameters fails, the configuration will be left in an unknown state. You

must re-run WIConfig.exe with a configuration that will succeed to ensure the setup is in a

known state.

For example, if you were to run WIConfig.exe using the following options:

WIConfig.exe /CreateDatabase /DisableSmartUpdateOnStartup /DisableTelemetry

–SqlConnString <string>

Where you specified a connection string, but the Create Database option failed, you would not

know if SmartUpdate and Telemetry had been disabled.

Syntax

WIConfig.exe [/?] [/AcceptUntrustedCerts] [/CreateDatabase]

[/DisableSmartUpdateOnStartup] [/DisableTelemetry]

[/EnableAzureDatabaseSupport] [-FipsCompliance <string>] [-LicenseFile

<string>] [-LIMPassword <string>] [-LIMPool <string>] [-LIMUrl <string>] [-

RCServerAuthType <string>] [-RCServerHost <string>] [-RCServerPort <number>]

[/RCServerUseHTTPS] [-SensorlD <string>] [-SensorProxyAddress <string>] [-

SensorProxyPassword <string>] [-SensorProxyPort <number>] [-

SensorProxyUsername <string>] [-SensorServicePassword <string>] [-

SensorServiceUsername <string>] [-SensorSqlConnString <string>] [-

SensorSqlConnType <string>] [-SensorWIEPassword <string>] [-SensorWIEUsername

<string>] [-SqlConnString <string>] [-WIOASTServerAddress] [-WIEUrl <string>]

Parameters

The following table describes the optional parameters.

Parameter

Description

Specifies file name to use for command line arguments.

Command line arguments take precedence over those

specified in the file. An options file is an XML file where

each XML element corresponds to a case-insensitive

-optionsFile

Micro Focus Fortify WebInspect (22.2.0)

Page 25 of 46

Installation Guide

Chapter 2: Installing WebInspect

Parameter

Description

switch name and flags are defined as attributes on the

main tag.

Example:

<options flag1="true" flag2="true">

<switch1>value</switch1>

<switch2>value</switch2>

</options>

Displays the help information.

/?

Accepts untrusted SSL certificates and suppresses

warnings.

/AcceptUntrustedCerts

Caution! This option can be insecure. Use this option

only with self-signed certificates from parties you

trust.

/CreateDatabase

Creates the database specified by SqlConnString if the

database does not exist. If the database exists and the

schema is correct, this option will have no effect. If the

database exists, but the schema is the wrong version, this

command will fail.

Prevents SmartUpdate from running automatically when

Fortify WebInspect starts.

/DisableSmartUpdateOnStartup

Disables Fortify WebInspect Telemetry.

/DisableTelemetry

Enables support for Azure SQL database. For more

information, see "Guidelines When Using Azure SQL

Database" on page 29 .

/EnableAzureDatabaseSupport

Tip: After configuring support for Azure SQL

database, you can add the connection to your Fortify

WebInspect database configuration in the same way

as a remote SQL Server. For more information, see

the Micro Focus Fortify WebInspect User Guide.

Enables/disables FIPS compliance.

-FipsCompliance

Micro Focus Fortify WebInspect (22.2.0)

Page 26 of 46

Installation Guide

Chapter 2: Installing WebInspect

Parameter

Description

The value can be one of the following:

{enable|disable}

Specifies the path to the Micro Focus license file.

-LicenseFile

-LIMPassword

-LIMPool

Specifies the LIM pool password.

Specifies the LIM pool name.

Specifies the LIM URL.

-LIMUrl

Specifies the WebInspect API Server authentication type.

The value can be one of the following:

-RCServerAuthType

{None|Basic|NTLM|ClientCert}

Specifies the hostname the WebInspect API Server should

-RCServerHost

listen on. Use + for all.

Specifies the WebInspect API Server port to listen on.

Runs the WebInspect API Server over HTTPS.

Specifies the SQL Server database connection string.

Internal use only.

-RCServerPort

/RCServerUseHTTPS

-SqlConnString

-TwoFAListenerAddress

-TwoFAListenerPort

-WIOASTServerAddress

Internal use only.

Specifies the WebInspect out-of-band application security

testing (OAST) server address to configure local DNS

service (for use in networks that lack an Internet

connection).

Internal use only.

Internal use only.

Internal use only.

-WISECluster

-WISEClusterAuthToken

-WISEClusterMaxPoolSize

Micro Focus Fortify WebInspect (22.2.0)

Page 27 of 46

Installation Guide

Chapter 2: Installing WebInspect

Required Parameters to Configure a Sensor

The following table describes the required parameters for configuring Fortify WebInspect as a sensor

for Micro Focus Fortify WebInspect Enterprise.

Note: To configure a sensor, you must first install WebInspect to run as a sensor.

Parameter

Description

Specifies the URL for the WebInspect Enterprise server.

Untrusted certificates will be accepted.

-WIEUrl

Example:

-WIEUrl <https://server.domain.com/WIE/>

Specifies the domain and user account for the sensor

when connecting to the WebInspect Enterprise server.

-SensorWIEUsername

-SensorWIEPassword

The values must be in the format of <domain>\<user>.

Specifies the password for the sensor when connecting to

the WebInspect Enterprise server.

Optional Parameters to Configure a Sensor

The following table describes the optional parameters for configuring Fortify WebInspect as a sensor.

Parameter

Description

Specifies the user account for the WebInspect Sensor

-SensorServiceUsername

Windows service. If no user name is provided, LOCAL

SYSTEM will be used.

Specifies the password for the user account to be used for

the WebInspect Sensor Windows service.

-SensorServicePassword

-SensorProxyAddress

-SensorProxyPort

Specifies the proxy address if required to access the

WebInspect Enterprise server.

Specifies the proxy port if required to access the

WebInspect Enterprise server.

Micro Focus Fortify WebInspect (22.2.0)

Page 28 of 46

Installation Guide

Chapter 2: Installing WebInspect

Parameter

Description

Specifies the proxy user name if required to access the

WebInspect Enterprise server.

-SensorProxyUsername

Specifies the proxy password if required to access the

WebInspect Enterprise server.

-SensorProxyPassword

-SensorSqlConnType

Specifies the SQL connection type. The value can be one

of the following:

{SQLServer|SQLExpress}

If this parameter is not provided, the connection type

defined for Fortify WebInspect will be used. If this

parameter is defined, validation will occur to ensure the

connection.

Specifies the SQL Server database connection string for

the sensor. If none is provided, SQL Express will be used.

-SensorSqlConnString

The connection string must be in the standard format.

Example:

Data Source=<server>;Initial

Catalog=<database>;Integrated

Security=False;User ID=<DB

user>;Password=<password>;User

Instance=False

Guidelines When Using Azure SQL Database

Follow these guidelines when using Azure SQL database:

l

Fortify WebInspect requires a SQL Server Admin user for database creation. Ensure that this

account exists in Azure SQL prior to using the /EnableAzureDatabaseSupport parameter.

l

External clients connect to Azure SQL database through a gateway with a public IP address. This

type of connection results in latency that can significantly affect scan performance. Fortify

recommends that you use Azure SQL database only when Fortify WebInspect is installed inside the

Azure Infrastructure.

Micro Focus Fortify WebInspect (22.2.0)

Page 29 of 46

Installation Guide

Chapter 2: Installing WebInspect

Updating Fortify WebInspect

Micro Focus security engineers uncover new vulnerabilities nearly every day. They develop attack

agents to search for these malicious threats, and then update our corporate database so that you will

always be on the leading edge of Web application security.

To ensure that you have up-to-date information about the Micro Focus Fortify WebInspect catalog of

vulnerabilities, you can use the Smart Update feature of Fortify WebInspect to contact the Micro

Focus knowledgebase server each time you start the application. If vulnerability or program updates

are available, Fortify WebInspect informs you and asks if you want to install them.

For complete information about updating Fortify WebInspect, including how to update installations

lacking an Internet connection, see the Update SecureBase topic in the Micro Focus Fortify

WebInspect User Guide or the Fortify WebInspect help.

Directory Structure

The following table describes the directories created and used by Micro Focus Fortify WebInspect,

assuming that the main drive is “C” and the user accepts the default directories suggested by the

installation program. This information can assist customers and Fortify Customer Support in

troubleshooting.

Purpose

Path

Comments

Installation

Directory

Can be set by the user during

installation. SmartUpdate of

full Fortify WebInspect

version will override

everything that exists in this

directory.

C:\Program Files\Fortify\Fortify

WebInspect

Note: If you are updating from an earlier

version, the default installation directory is

C:\Program Files\HP\HP WebInspect

Important! When Fortify

WebInspect is installed as

a sensor for Micro Focus

Fortify WebInspect

Enterprise, you must use

the default Destination

Folder. Otherwise,

SmartUpdates to the

sensor will not work.

Micro Focus Fortify WebInspect (22.2.0)

Page 30 of 46

Installation Guide

Chapter 2: Installing WebInspect

Purpose

Path

Comments

Compliance template

directory; can be modified by

Smart Update.

<Installation Directory>\

ComplianceTemplates

Contains subdirectories for

sample scans, and a login

macro and a WSDL file for

zero.webappsecurity.com.

<Installation Directory>\Samples

C:\ProgramData\HP\HP WebInspect

Subdirectories include

Policies, Schedule,

SecureBase database, Server

Analyzer, Settings, and

SupportChannel.

Licenses activated on the

local machine.

C:\ProgramData\HP\Licenses\WebInspect

C:\ProgramData\HP\SmartUpdate

SmartUpdate directory where

new patches are downloaded.

Security checks are copied

and inserted into the

database; other artifacts are

copied into installation

directory (for example,

Compliance Template).

1

Application

Data

Directory

All data required for Fortify

WebInspect that is not

user-specific.

%localappdata%\HP

1

User Data

Directory

All data created by the user

and not global for the

application. Subdirectories

include

%localappdata%\HP\HP WebInspect

ComplianceTemplates,

Exports, Logs, Plugins,

Reporting, ScanData, and

Tools.

Micro Focus Fortify WebInspect (22.2.0)

Page 31 of 46

Installation Guide

Chapter 2: Installing WebInspect

1

%localappdata% represents the location of local application data for your operating system. For

example, for Windows 10 (using the default C: drive), %localappdata% is

C:\Users\<username>\AppData\Local.

Micro Focus Fortify WebInspect (22.2.0)

Page 32 of 46

Chapter 3: Licensing WebInspect

This chapter contains information on the options for activating the product license, including licensing

with the License Wizard and licensing with the License Utility. It also includes information about

configuring Fortify WebInspect to use a Fortify License Infrastructure Manager (LIM).

Licensing with the License Wizard

The first time you launch Micro Focus Fortify WebInspect, the program displays the License Wizard.

The License Wizard prompts you to select one of the following options:

l

Activate Now: use this option if you have purchased a license or have access to a license through a

License Infrastructure Manager (LIM). For more information, see "Activate Now" below.

l

Register 15-day trial: use this option if you would like to try out Fortify WebInspect for 15 days.

After your 15-day trial elapses, you can purchase a license and convert your trial into a fully-

licensed version. For more information, see "Register 15-day Trial" on page 39.

As a technology preview, WebInspect provides limited support for AutoPass licenses. If you have

opted to use an AutoPass license, close the Welcome to Fortify Licensing window and follow the steps

in "Activating with an AutoPass License Server" on page 37.

If you have questions about your licensing, contact the license team for your region.

l

North, Central, and South America: mi.licensing-na@microfocus.com

l

Europe, the Middle East, and Africa: mi.licensing-emea@microfocus.com

l

Asia-Pacific: licensesapac@microfocus.com

Activate Now

Activate Now allows you to activate Fortify WebInspect in one of the following ways:

l

Connecting to a Micro Focus corporate license server

l

Using a license file for offline installations

l

Connecting to an AutoPass License Server (APLS) and using a concurrent (floating) license

l

Connecting to a License Infrastructure Manager (LIM) server and using a concurrent license

Note: To connect to a LIM, you must first install the LIM on a Windows server. For more

information on the LIM requirements, see the Micro Focus Fortify Software System Requirements

document. For information on installing and managing concurrent licenses using the LIM, see

Micro Focus Fortify License and Infrastructure Manager User Guide.

Micro Focus Fortify WebInspect (22.2.0)

Page 33 of 46

Installation Guide

Chapter 3: Licensing WebInspect

To activate Fortify WebInspect:

1. On the Welcome to Fortify Licensing window, click Activate Now.

The wizard displays the Configure WebInspect Licensing window.

2. In the Licensing Method group, choose one of the following:

l

Connect directly to Micro Focus corporate license server - Select this option if licensing is

controlled by a Micro Focus server and the installation is connected to the Internet.

l

Install License File - Select this option for an installation that is not connected to the Internet.

This option is for offline product activation.

l

Connect to AutoPass License Server - Select this option if licensing is controlled by your

local server running the APLS software.

l

Connect to Fortify License and Infrastructure Manager - Select this option if licensing is

controlled by your local server running the LIM software.

3. Click Next.

If you chose Connect directly to Micro Focus corporate license server, the License Wizard displays

the Named License Activation window. Proceed to "Connect to Micro Focus" below.

If you chose Install License File, the License Wizard displays the License File Activation window. Go

to "License File Activation" on the next page.

If you chose Connect to AutoPass License Server, the License Wizard displays the APLS License

Activation window. Go to "Activating with an AutoPass License Server" on page 37.

If you chose Connect to Fortify License and Infrastructure Manager, the License Wizard displays

the Concurrent License Activation window. Go to "Connect to LIM" on page 38.

Connect to Micro Focus

1. In the Activation Token area, enter the 32-digit license token sent to you by email from Micro

Focus. Omit any hyphens that may appear in the string (or copy the token, position your cursor in

the first block of the Activation Token field, and press Ctrl + V to paste the token).

2. The default URLs are as follows:

l

Fortify Service URL– https://licenseservice.fortify.microfocus.com/

l

AutoPass Service URL– https://appas-prd-ellb.itcs.softwaregrp.com/

Change these URLs only if directed to do so by Fortify Customer Support personnel.

3. If this computer accesses the Internet through a proxy, select the Network Proxy option and

select a setting from the Proxy Profile drop-down list. Click Edit and complete the Proxy Profile

dialog box as necessary.

l

If you select Use PAC file to load proxy settings from a Proxy Automatic Configuration (PAC)

file, you must click Edit, enter the URL of the PAC file in the Configure proxy using PAC File

URL field, and click Save on the Proxy Profile dialog box.

l

If you select Use Explicit Proxy Settings, you must click Edit, configure a proxy by entering

Micro Focus Fortify WebInspect (22.2.0)

Page 34 of 46

Installation Guide

Chapter 3: Licensing WebInspect

the requested information for the Explicitly configure proxy option, and click Save on the

Proxy Profile dialog box.

4. Enter the information requested in the User Information group. The information you provide is

kept in strict confidence and is not shared with anyone outside of Micro Focus.

5. Click Next.

The Congratulations window appears and Fortify WebInspect is activated.

License File Activation

If your WebInspect is installed on a computer that is not connected to the Internet, select an option

for file activation.

If the activation instructions in your welcome email indicate that you must generate a License

Request file from within WebInspect to start the process, follow the steps listed under "Fortify

Activation" below.

AutoPass Activation

To activate a license generated by AutoPass:

1. Select AutoPass Activation.

2. Copy the device codes from the Device Codes field.

3. On a machine that is connected to the Internet, open a browser and navigate to

https://sld.microfocus.com/mysoftware/index.

4. Follow the instructions online to activate your Fortify WebInspect license.

Fortify Activation

For this option, you must create a license request file containing information about the computer

where Fortify WebInspect is installed. Then, using a separate Internet-connected computer, access a

web site (https://licenseservice.fortify.microfocus.com/OfflineLicensing.aspx) to transmit the file to a

server, which will download a license file that you can copy and install on the computer that is not

connected to the Internet.

To activate a license generated by the Fortify license server:

1. Select Fortify Activation.

2. In the Activation Token field, enter the 32-digit license token sent to you by email from Micro

Focus. Omit any hyphens that may appear in the string (or simply copy the token, position your

cursor in the first block of the Activation Token field, and press Ctrl + V).

3. Click File to the right of the License Request File field.

4. Select a location where the license request file will be saved. The name of the request file is

formatted as WebInspectLicenseReq.xml.

Micro Focus Fortify WebInspect (22.2.0)

Page 35 of 46

Installation Guide

Chapter 3: Licensing WebInspect

Tip: Be sure to save this file to a portable device or in a location that is accessible by a

machine that has access to the Internet.

5. Click Save.

6. On a computer that is connected to the Internet, open a browser and navigate to

https://licenseservice.fortify.microfocus.com/OfflineLicensing.aspx.

7. Select the option that describes how the license request file was generated and click Next.

The Enter Request File for Processing page appears.

8.

Click Browse, and then locate and select WebInspectLicenseReq.xml.

9. Click Process Request File.

If the request is processed successfully, the Successfully processed Request for Micro Focus

Fortify Licensing page appears.

10. Click Retrieve Response File.

Micro Focus Fortify WebInspect (22.2.0)

Page 36 of 46

Installation Guide

Chapter 3: Licensing WebInspect

11. In the File Download window, click Save and specify the location on the portable device where

you want to download the response file LicenseResp.xml.

12. Return to the computer where you are installing Fortify WebInspect. Copy the

LicenseResp.xml file from the portable device to a location on this computer.

13. In the Complete Offline License Activation window, click the File button next to the License

Response File field, and then locate and select the LicenseResp.xml file.

14. Click Next.

Information pertaining to your installed license appears in the License Details section.

15. Click Finish.

This completes the licensing procedure.

Activating with an AutoPass License Server

The AutoPass License Server (APLS) enables you to manage the concurrent (floating) licenses for

your software products. A concurrent license is shared dynamically between multiple client users.

Using concurrent licenses enables you to purchase the number of licenses equal to the largest

number of users likely to be active at any time, instead of the total number of users of a product.

The APLS manages the licenses acquired from the Micro Focus Software Licenses and Downloads

(SLD) portal. These licenses are then installed on the APLS. When a client computer needs a license,

the client sends a request to the APLS and a license is checked out to this user. After the client user's

work session ends (or when the license expires), the license is returned to the APLS for renewal or for

use by other users.

For more information, see the AutoPass License Server User Guide or help.

Note: Contact your APLS administrator to obtain the information required for configuring Fortify

WebInspect to use APLS.

To configure Fortify WebInspect to use APLS:

1. In the URL field, enter the URL of the APLS.

2. In the Username and Password fields, type your user name and password.

3. If connecting to the APLS through a proxy, select Network Proxy and choose a setting from the

Proxy Profile list.

l

If you select Use PAC file to load proxy settings from a Proxy Automatic Configuration (PAC)

file, you must click Edit and enter the URL of the PAC file in the Configure proxy using PAC

File URL field.

l

If you select Use Explicit Proxy Settings, you must click Edit and configure a proxy by

entering the requested information for the Explicitly configure proxy option.

4. Enter the information requested in the User Information group.

The information you provide is kept in strict confidence and is not shared with anyone outside of

Micro Focus.

5. Click Next.

Micro Focus Fortify WebInspect (22.2.0)

Page 37 of 46

Installation Guide

Chapter 3: Licensing WebInspect

Information pertaining to your installed license appears in the License Details section.

6. Click Finish.

This completes the licensing procedure.

Connect to LIM

The LIM allows you to manage concurrent licenses for Fortify WebInspect in a manner that best suits

your organization’s development and testing environment. For example, your company may have

Fortify WebInspect software installed on 25 machines, but holds a concurrent license that permits a

maximum of 10 instances to be active at any one time. Using the LIM, you can allocate and deallocate

those 10 seats in any way you like, without coordinating or negotiating through the Micro Focus

central licensing facility.

Note: Contact your LIM administrator to obtain the information required to complete this

procedure.

To configure Fortify WebInspect to use the LIM:

1. In the URL field, enter the URL of the License and Infrastructure Manager.

2. Enter the name of the license pool and its password in the Pool Name and Password fields.

3. If authorization is required to access the LIM, select Network Authorization and then enter your

user name and password.

4. If this computer accesses the Internet through a proxy:

a. Select the Network Proxy option.

b. Select a setting from the Proxy Profile drop-down list.

c. Click Edit and complete the Proxy Profile dialog box as necessary.

o

If you select Use PAC file to load proxy settings from a Proxy Automatic Configuration

(PAC) file, you must click Edit and enter the URL of the PAC file in the Configure proxy

using PAC File URL field.

o

If you select Use Explicit Proxy Settings, you must click Edit and configure a proxy by

entering the requested information for the Explicitly configure proxy option.

d. Click Save on the Proxy Profile dialog box.

5. Click Next.

6. On the Complete on-site License Activation window, select the manner in which you want the

License and Infrastructure Manager to handle the license associated with Fortify WebInspect.

l

Connected License - The computer can run the product only when the computer is able to

contact the LIM. Each time you start the software, the LIM allocates a seat from the license pool

to this installation. When you close the software, the seat is released from the computer and

allocated back to the pool, allowing another user to consume the license.

l

Detached License - The computer can run the product anywhere, even when disconnected

from your corporate intranet (on which the LIM is normally located), but only until the

expiration date you specify. This allows you to take your laptop to a remote site and run the

Micro Focus Fortify WebInspect (22.2.0)

Page 38 of 46

Installation Guide

Chapter 3: Licensing WebInspect

software. When you reconnect to the corporate intranet, you can access the Application

License settings and reconfigure from Detached to Connected.

7. Click Next.

Information pertaining to your installed license appears in the License Details section.

8. Click Finish.

This completes the licensing procedure.

Register 15-day Trial

Use the following procedure to begin a free 15-day trial of Fortify WebInspect.

1. On the Welcome to Fortify Licensing window, click Register 15 Day Trial.

The wizard displays a window prompting you to enter information about you and your company.

2. Enter the requested information.

3. If this computer accesses the Internet through a proxy:

a. Select the Network Proxy option.

b. Select a setting from the Proxy Profile drop-down list.

c. Click Edit and complete the Proxy Profile dialog box as necessary.

o

If you select Use PAC file to load proxy settings from a Proxy Automatic Configuration

(PAC) file, you must click Edit and enter the URL of the PAC file in the Configure proxy

using PAC File URL field.

o

If you select Use Explicit Proxy Settings, you must click Edit and configure a proxy by

entering the requested information for the Explicitly configure proxy option.

d. Click Save on the Proxy Profile dialog box.

4. Click Next.

The program attempts to contact Micro Focus servers, which will send an email message to you

containing a 32-character activation token.

5. Click Finish.

6. When the email arrives, in the Fortify WebInspect menu bar click Edit > Application Settings.

7. On the Application Settings window, select License from the left pane.

8. Enter the 32-digit license token, omitting any hyphens that may appear in the string (or copy the

token, position your cursor in the first block of the activation token field, and press Ctrl + V to

paste the token).

9. Click OK.

License Revocation

If your Fortify WebInspect license expires, or if your facility is managing licenses through the LIM and

the administrator releases your license, you will not be able to conduct or schedule scans.

Micro Focus Fortify WebInspect (22.2.0)

Page 39 of 46

Installation Guide

Chapter 3: Licensing WebInspect

To regain a license if you use the LIM:

1. In the Fortify WebInspect menu bar, click Edit > Application Settings.

2. On the Application Settings window, select License from the left pane.

3. Verify your license data.

4. Click OK.

If necessary, contact Fortify Customer Support or your LIM administrator.

Licensing with the License Utility

If you installed Fortify WebInspect from the command line interface (CLI) or with a script using the

msiexec program, you can use the LicenseUtility.exe application to license your product. The

License Utility application is installed in the Fortify WebInspect installation directory. For more

information, see "Directory Structure" on page 30.

Syntax for Named Users

Use the following syntax for a named user and an activation token:

LicenseUtility.exe [-? | -notrial | -p <product> -token <token> | -

deactivate | -serviceURL <url>]

Syntax for Concurrent Users

Use the following syntax for concurrent users and a Fortify License & Infrastructure Manager (LIM):

LicenseUtility.exe [-? | -limURL <limURL> -limPool <limPool> -limPswd

<password>]

Options

The following table describes the options and the type of license to which the option applies.

Option

Description

License Type

Both

Displays the usage notes for the License Utility.

-?

Named User

-deactivate

If used with the -p option, deactivates product license and

exits using the command line arguments.

Sets network authentication using the format

Concurrent User

Page 40 of 46

-limAuth

user:password. The user can be passed in as

Micro Focus Fortify WebInspect (22.2.0)

Installation Guide

Chapter 3: Licensing WebInspect

Option

Description

License Type

domain\username to support a domain account.

Configures the proxy using a PAC file URL.

Concurrent User

Concurrent User

-limPacFile

-limPool

Specifies the LIM pool name. If used with the -p, -limURL,

and -limPswd options, configures the product to use a

LIM for licensing.

Sets an explicit proxy using the format

Concurrent User

-limProxy

user:password@host:port or

user:password@ip:port.

Tip: The user can be passed in as domain\username

to support a domain account.

Specifies the LIM Pool password.

Specifies the LIM service URL.

Concurrent User

Concurrent User

Named User

-limPswd

-limURL

-notrial

-p

Removes the free 15-day trial option.

Indicates the Fortify product you are licensing. If used

alone, skips the product selection step.

Named User

Specifies the Micro Focus Fortify License Service URL.

Named User

-serviceURL

Tip: This is not the URL the LIM administrator uses to

access the LIM web interface. This is the URL you

selected as the Root Web Site during LIM

initialization. The URL is a combination of the website

configured in IIS and the limservice in the format

https://<server-url>/<service-directory>.

Suppresses all popups and answers 'no' to interactive

Both

-silent

-token

prompts. See -y option for more information.

Specifies the Fortify Product Activation Token GUID. If

Named User

used with the -p option, licenses the product and exits

using the command line arguments.

Places the application as the top window on the desktop.

Both

-topMost

Micro Focus Fortify WebInspect (22.2.0)

Page 41 of 46

Installation Guide

Chapter 3: Licensing WebInspect

Option

Description

License Type

When running in silent mode, answers 'yes' to interactive

prompts.

Both

-y

Configuring Fortify WebInspect to use the LIM

You can configure existing (licensed) and new (unlicensed) Micro Focus Fortify WebInspect

installations to use the License and Infrastructure Manager (LIM). This section describes how to

configure Fortify WebInspect to use the LIM.

For Existing (Licensed) Fortify WebInspect Installations

To configure Fortify WebInspect installations that are already licensed:

1. Start Fortify WebInspect.

2. Click Edit > Application Settings.

3. On the Application Settings window, in the WebInspect group, select License.

4. In the License Details group, click Configure Licensing....

The License Wizard appears.

5. In the Licensing Method group, click Connect to local License and Infrastructure Manager

and click Next.

6.

Type the URL of the LIM server in the format https://<server-url>/<service-

directory> where:

l

server-url is the site you specified during initialization as the root web site.

l

service-directory is the directory you specified during initialization as the Service Virtual

Directory name (the default is “LIM.Service”).

Example:

http://<LIMServer_IP_Address>/LIM.Service

Tip: This is not the URL the LIM administrator uses to access the LIM web interface. This is

the URL you selected as the Root Web Site during LIM initialization. The URL is a

combination of the website configured in IIS and the portion of the LIM that you are

configuring, such as the limservice. If you selected "Default Web Site" during initialization and

do not know the URL, you will need to browse your default site in IIS to determine the URL.

7. Type the Pool Name from which to extract a license for this instance of Fortify WebInspect.

8. Type the Password that will allow access to the specified license pool.

9. If network authentication is required, select the Network Authentication check box and enter a

valid User Name and Password.

Micro Focus Fortify WebInspect (22.2.0)

Page 42 of 46

Installation Guide

Chapter 3: Licensing WebInspect

10. Click Next.

11. Do one of the following:

l

To allow others to use this license when Fortify WebInspect closes, select Concurrent License.

l

To allow Fortify WebInspect to disconnect from the LIM for an extended period of time, select

Detached Lease and enter an Expiration Date.

12. Click Next.

13. Click Finish and OK.

For New (Unlicensed) Fortify WebInspect Installations

To configure new Fortify WebInspect installations:

1. Start Fortify WebInspect.

The License Wizard appears.

2. Select Activate Now.

3. In the Licensing Method group, click Connect to local License and Infrastructure Manager

and click Next.

4.

Type the URL of the LIM server in the format https://<server-url>/<service-

directory> where:

l

server-url is the site you specified during initialization as the root Web site.

l

service-directory is the directory you specified during initialization as the Service Virtual

Directory name (the default is “LIM.Service”).

Tip: This is not the URL the LIM administrator uses to access the LIM web interface. This is

the URL you selected as the Root Web Site during LIM initialization. The URL is a

combination of the website configured in IIS and the portion of the LIM that you are

configuring, such as the limservice. If you selected "Default Web Site" during initialization and

do not know the URL, you will need to browse your default site in IIS to determine the URL.

5. Type the Pool Name from which to extract a license for this instance of Fortify WebInspect.

6. Type the Password that will allow access to the specified license pool.

7. If network authentication is required, select the Network Authentication check box and enter a

valid User Name and Password.

8. Click Next.

9. Do one of the following:

l

To allow others to use this license when Fortify WebInspect closes, select Concurrent License.

l

To allow Fortify WebInspect to disconnect from the LIM for an extended period of time, select

Detached Lease and enter an Expiration Date.

10. Click Next.

11. Click Finish and OK.

Micro Focus Fortify WebInspect (22.2.0)

Page 43 of 46

Chapter 4: The WebInspect SDK

The WebInspect Software Development Kit (SDK) is a Visual Studio extension that enables software

developers to create an audit extension to test for a specific vulnerability in a session response.

Caution! Fortify recommends that the WebInspect SDK be used only by qualified software

developers who have Visual Studio expertise.

For more information about the WebInspect SDK, see the WebInspect Help in Micro Focus Fortify

WebInspect or the WebInspect SDK Help which is available in Visual Studio after the SDK installation.

Installation Recommendation

The WebInspect SDK does not need to be installed on the same machine as a Fortify WebInspect

product. In most cases, it will be installed on the software developer’s development machine. However,

if you are developing new extensions that will require debugging, Fortify recommends that you install

Fortify WebInspect on the development machine where you will be creating the extension. Doing so

will allow you to test your extension locally. For existing extensions that do not require debugging,

you do not need to install Fortify WebInspect locally.

For minimum requirements for installing and using the WebInspect SDK, see the Micro Focus Fortify

Software System Requirements.

Installing the WebInspect SDK

To use the WebInspect SDK, the developer must install a Visual Studio extension file named

WebInspectSDK.vsix.

During installation of Fortify WebInspect, a copy of the WebInspectSDK.vsix file is installed in the

Extensions directory in the Fortify WebInspect installation location. The default location is one of the

following:

l

C:\Program Files\Fortify\Fortify WebInspect\Extensions

l

C:\Program Files (x86)\Fortify\Fortify WebInspect\Extensions

To install the SDK where Fortify WebInspect is installed on the developer's machine:

1.

Navigate to the Extensions folder and double click the WebInspectSDK.vsix file.

The VSIX Installer is launched.

2. When prompted, select the Visual Studio product(s) to which you want to install the extension

and click Install.

The WebInspect Audit Extension project template is created in Visual Studio. Continue with

"Verifying the Installation" on the next page.

Micro Focus Fortify WebInspect (22.2.0)

Page 44 of 46

Installation Guide

Chapter 4: The WebInspect SDK

To install the SDK where Fortify WebInspect is not installed on the developer's machine:

1.

Navigate to the Extensions folder and copy the WebInspectSDK.vsix file to portable media,

such as a USB drive.

2. Insert the drive into the development box that has Visual Studio installed, as well as the other

required software and hardware.

3.

Navigate to the USB drive and double click the WebInspectSDK.vsix file.

The VSIX Installer is launched.

4. When prompted, select the Visual Studio product(s) for which you want to install the extension

and click Install.

The WebInspect Audit Extension project template is created in Visual Studio. Continue with

"Verifying the Installation" below.

Verifying the Installation

To verify that the extension was successfully installed:

1. In Visual Studio, select Tools > Extensions and Updates.

2. Scroll down the list of extensions.

If you see WebInspect SDK in the list, the extension was installed successfully.

Micro Focus Fortify WebInspect (22.2.0)

Page 45 of 46

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email.

Note: If you are experiencing a technical issue with our product, do not email the documentation

team. Instead, contact Micro Focus Fortify Customer Support at

https://www.microfocus.com/support so they can assist you.

If an email client is configured on this computer, click the link above to contact the documentation

team and an email window opens with the following information in the subject line:

Feedback on Installation Guide (Fortify WebInspect 22.2.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and

send your feedback to fortifydocteam@microfocus.com.

We appreciate your feedback!

Micro Focus Fortify WebInspect (22.2.0)

Page 46 of 46