Micro Focus

Fortify Application Defender

Software Version: 20.4.0


On-Premises Installation Guide


Document Release Date: December 2020

Software Release Date: December 2020



Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK

https://www.microfocus.com

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.


Copyright Notice

© Copyright 2016 - 2020 Micro Focus or one of its affiliates

Trademark Notices

Adobe™ is a trademark of Adobe Systems Incorporated.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. UNIX® is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://www.microfocus.com/support-and-services/documentation


Contents


Preface
Contacting Micro Focus Fortify Customer Support
For More Information
About the Documentation Set
Change Log
Getting Started
Intended Audience
Hardware Requirements
Software Requirements
Application Defender Installation Package
On-Premises Environment
Single-Instance Installation
Clustered-Instance Installation
Deployment Hosts
Application Host Services
Infrastructure Host Services
Database Host Services
Vertica Database
Email Server
Installation
Before You Begin
Prepare the Environment
Enforce Firewall Rules
Initialize Swarm Cluster
Creating Secrets, Overlay Network, and Run Services
Upgrading from 20.3.0 or Later
Upgrading from 20.2.X or Earlier Release
Scaling the Cluster
Manual Scaling
Automatic Scaling
Services
Nodes
Add Service to a Node
Docker Cluster Commands
Additional Installation Notes
Integrating LDAP Servers
SMTP Email Server Authentication
Java Keystore
Self-signed Server Certificate
Server Certificate Signed by Valid Certificate Authority
Standalone Postgres Database (Optional)
Fortify Application Defender System Hardening
Logging Policy
Application Services
Additional References
Send Documentation Feedback


Preface

Contacting Micro Focus Fortify Customer Support

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account

https://softwaresupport.softwaregrp.com

To Call Support

1.844.260.7219


For More Information

For more information about Fortify software products: https://software.microfocus.com/solutions/application-security


About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Micro Focus Product Documentation website:

https://www.microfocus.com/support-and-services/documentation


Change Log

The following table lists changes made to this guide.


| Software Release-Version | Change |
|---|---|
| 20.3.0 | Updated: Updated the installation process. Removed separate installation flows for single and Cluster installations. Removed: Installing a Single Fortify Application Defender Instance; Installing a Clustered Fortify Application Defender Instance |
| 19.4.0 | Added: Support for Secure LDAP |
| 19.3.0 | Added: LDAP configuration instructions. |

Getting Started

This document provides instructions on how to install and run Micro Focus Fortify Application Defender.

This section contains the following topics:


Intended Audience
Hardware Requirements
Software Requirements
Application Defender Installation Package
On-Premises Environment
Deployment Hosts
Application Host Services
Infrastructure Host Services
Database Host Services
Vertica Database
Email Server


Intended Audience

This document provides information on deploying Fortify Application Defender on premises. To deploy Fortify Application Defender, you should have experience installing and configuring Docker containers. In addition, you should have a basic understanding of hardware and server management.

For information on using the software, consult the program Help system.


Hardware Requirements


Note: While you can create an installation with a single Vertica instance, Fortify strongly recommends that you deploy a Vertica cluster of three or more instances. If you only install a single Vertica instance, your data is not replicated and you risk losing security event data.


| Component | CPU | Memory | Hard Drive |
|---|---|---|---|
| Application | 8 cores | 16 GB | 500 GB HDD |
| Infrastructure | 16 cores | 32 GB | 1 TB SSD |
| Postgres database | 4 cores | 8 GB | 500 GB HDD |
| Vertica | 2 cores | 8 GB | 500 GB HDD per host |

Fortify recommends a minimum of three Vertica instances in a production environment.

For additional Vertica requirements, see "Additional References" on page 40.


Software Requirements

The following software requirements apply to both single host and cluster installations, except where noted.


Network Connection

All Fortify Application Defender hosts (application, infrastructure, Postgres, and Vertica) need to communicate with each other. Communication ports on the Fortify Application Defender apps server must be open to allow all application servers access to the Fortify Application Defender service.

Application Defender is supplied with Docker swarm, so it uses the Docker overlay networking subsystem to create a distributed network among multiple Docker daemon hosts. The network works with host-specific networks so that connected containers can securely communicate with each other.


Docker Hub

A Docker Hub account is needed to access Fortify Application Defender docker images. To gain access to the required Docker repositories, provide your Docker Hub account username to your Fortify Application Defender account team or Fortify technical support representative.


Firewall Rules

Firewalls on all machines must be configured to allow communication across hosts. Your Application Hosts should be able to pull images from Docker Hub. For additional port information, see "Additional Installation Notes" on page 34.


SMTP Server (mail)

Fortify Application Defender sends an email notification to each user in the system. Provide a reference to the SMTP server for Fortify Application Defender to use. For more information, see "Additional Installation Notes" on page 34.

Vertica Database Cluster


Logging Policy

Protect the appdefender.properties, applications.env, and infrastructures.env files according to the recommendations in "Application Defender System Hardening".

The following logging policy tables provide information about each of the Fortify Application Defender services.


Application Services

All Application Services use rsyslog as a logging driver. Rsyslog stores all logs in a default Docker volume location. To find the exact path, run the following commands and note the Mountpoint parameter. In most cases, it is /var/lib/docker/volumes/applications_rsyslog_logs/_data.

docker inspect applications_rsyslog_logs
ls <Mountpoint>


| Svc # | Docker Image | Data Location | Log | Internal Daemon Rotation Policy | Container Log Rotation Policy |
|---|---|---|---|---|---|
| 1 | ui-customer | | Rsyslog Volume Folder, e.g. /var/lib/docker/volumes/applications_rsyslog_logs/_data/ui_customer | | max-size: "50m", max-file: "9" |
| 2 | ui-internal | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 3 | backend-jobs | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 4 | command-channel | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 5 | edge | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 6 | topologies | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 7 | db-migrations | | Docker Container Folder, e.g. /home/defender/docker/containers/<container_id>/ | | max-size: "50m", max-file: "9" |
| 8 | Zookeeper | $defender_data/zookeeper | $defender_logs/ | autopurge.purgeInterval=24, autopurge.snapRetainCount=10 | max-size: "50m", max-file: "9" |
| 9 | Kafka | defender_data/kafka | $defender_logs/kafka | log.retention.hours=168 | max-size: "50m", max-file: "9" |
| 10 | Storm-nimbus | | $defender_logs/storm_nimbus | 100 MB, 9 files | max-size: "50m", max-file: "9" |
| 11 | Storm-supervisor | | $defender_logs/storm_supervisor | 100 MB, 9 files | max-size: "50m", max-file: "9" |
| 12 | Storm-ui | | $defender_logs/storm_ui | 100 MB, 9 files | max-size: "50m", max-file: "9" |
| 13 | Cassandra | $defender_data/cassandra | $defender_logs/cassandra | 20 MB, 20 files | max-size: "50m", max-file: "9" |
| 14 | Postgres | | | | max-size: "50m", max-file: "9" |
| 15 | Vertica | | | | max-size: "50m", max-file: "9" |
| 16 | Syslog | | | | max-size: "50m", max-file: "9" |
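
The following is an added example, not part of the Micro Focus guide or product: it checks the JSON printed by `docker inspect` for containers whose log options differ from the container log rotation policy listed above (max-size "50m", max-file "9"). The sample input is constructed and its container names are assumptions made for illustration.

```python
import json

# Container log rotation policy stated in the guide's logging policy table.
POLICY = {"max-size": "50m", "max-file": "9"}


def audit_log_rotation(inspect_json, policy=POLICY):
    """Map container name -> list of deviations from the rotation policy.

    inspect_json is the JSON array printed by `docker inspect <container> ...`.
    """
    findings = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "<unnamed>").lstrip("/")
        log_config = (container.get("HostConfig") or {}).get("LogConfig") or {}
        options = log_config.get("Config") or {}
        problems = []
        for key, expected in policy.items():
            actual = options.get(key)
            if actual is None:
                problems.append(f"{key} is not set")
            elif actual != expected:
                problems.append(f"{key}={actual}, expected {expected}")
        if problems:
            findings[name] = problems
    return findings


def _container(name, options):
    # Helper for the constructed sample: only the fields the audit reads.
    return {"Name": "/" + name,
            "HostConfig": {"LogConfig": {"Type": "json-file", "Config": options}}}


# Constructed sample input; the container names are made up for illustration.
SAMPLE = json.dumps([
    _container("applications_edge.1.sample", {"max-size": "50m", "max-file": "9"}),
    _container("applications_ui-internal.1.sample", {"max-size": "500m", "max-file": "9"}),
    _container("applications_topologies.1.sample", {}),
])

if __name__ == "__main__":
    for name, problems in audit_log_rotation(SAMPLE).items():
        print(f"{name}: {'; '.join(problems)}")
```

On a Docker host, pass the function the output of `docker inspect` for the running containers instead of the constructed sample.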


Additional References

For assistance in configuring the recommended hardware components in your Fortify Application Defender on-premises installation, see the documentation listed in the following table.


| Software Component | Documentation URL |
|---|---|
| Docker Compose | https://docs.docker.com/compose/install/ |
| Docker Control and configure with systemd | https://docs.docker.com/engine/admin/systemd/ |
| Docker Engine | https://docs.docker.com/engine/installation/ubuntulinux/ |
| Docker Hub Account | https://hub.docker.com/ |
| Docker Protect the daemon socket | https://docs.docker.com/engine/security/https/ |
| Docker Swarm Configuration | https://docs.docker.com/swarm/plan-for-production/ and https://docs.docker.com/swarm/install-manual/ |
| Docker Swarm for TLS | https://docs.docker.com/swarm/configure-tls/ |
| Postgres | http://www.postgresql.org/docs/9.4/static/index.html |
| Vertica | Version 8.1.x: https://my.vertica.com/docs/7.1.x/HTML/#Authoring/InstallationGuide/Other/InstallationGuide.htm%3FTocPath%3DInstallation%2520Guide%7C 0 and https://my.vertica.com/docs/Hardware/HP_Vertica%20Planning%20Hardware%20Guide.pdf. Version 9.1.x: https://www.vertica.com/documentation/vertica/9-1-x/ |


Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line:

Feedback on On-Premises Installation Guide (Fortify Application Defender 20.4.0)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to FortifyDocTeam@microfocus.com.

We appreciate your feedback!