Helm Deployment of Fortify SSC behind an ALB (Application Load-balancer)
Deploying legacy software in a modern cloud environment
Fortify Software Security Center (SSC)
It has been some time since I touched this software.
During my first job, I was tasked to set this up in a Windows VM, slowly moving towards a container environment, hosting it in an AWS ECS Fargate environment.
This was back in 2020. Now, in 2022, the Microfocus tech team has probably improved its skills and has released container images for its server instance.
Docker Images
However, these images are not made public despite requiring a license to work. (I guess the ssc.war file could still be extracted and reused in other ways…)
Hence, one would need to create a Docker Hub account and write an email request asking them to whitelist it in order to get access to the Fortify container.

Helm Chart
An “opinionated” deployment method is also provided, hence bringing me to the point of writing this article.
Tomcat — HTTPS on by default
The main reason the Helm chart requires a keystore by default is that, as of the latest Tomcat version 9 containers, they are configured to be HTTPS-only by default.
In the usual scenario where Tomcat fronts the entire application, that is fine. However, with the era of Kubernetes upon us, most of the resources living in the cluster are actually fronted by an Nginx Ingress Controller with SSL certificate offloading.
“Tweaking the Helm Chart”
Hence, in order to make it work properly behind a load balancer, we need to replace two files:
entrypoint.sh
server.xml
The first is needed because the second-last line of the script runs a template function using Java to generate the server.xml file based on the environment variables and the autoconfig file.
View the below gist for a sample
Hence, the webapp.yaml file has to be updated to reflect these mount points:

Namely, adding two extra volumes to be mounted.
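As an added illustration (not the author's gist and not Fortify's shipped template), a replacement server.xml for a generic Tomcat 9 container whose TLS is terminated at the load balancer or ingress could look like the following. The connector port and the internalProxies range are assumptions to adapt to the cluster.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: generic Tomcat 9 configuration, not Fortify's own file. -->
<!-- port="-1" disables the local shutdown listener inside the container. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Plain HTTP inside the cluster, so no keystore is needed here.
         Port 8080 is an assumption; match it to the Service targetPort. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxHttpHeaderSize="8192" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- Restore the original scheme and client address from the
           X-Forwarded headers set by the TLS-terminating proxy, so that
           request.isSecure() is true for requests that arrived over HTTPS.
           The headers are honoured only when the peer address matches
           internalProxies. The 10.x range below is an assumed VPC range;
           keep it as narrow as the proxy tier allows, otherwise any pod
           that can reach port 8080 can spoof these headers. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
        <!-- requestAttributesEnabled makes %h log the client address
             restored by RemoteIpValve instead of the proxy address. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="access" suffix=".log"
               requestAttributesEnabled="true"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

With the pod speaking plain HTTP, access to port 8080 should be restricted to the ingress or load balancer tier (for example with a NetworkPolicy or security group), since anything else that reaches it bypasses TLS.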
Packing up
Hence, when running this Helm deployment, remember to either reference the entire Helm folder or zip it up and reference an entirely different Chart version. If not, Helm would not upgrade from the current version.
That’s all! Maybe when I feel that I have more time, I might want to share how to link this up with Okta SSO with the correct steps (WHICH ARE NOT FOUND in their official docs).
Oh by the way, this took me some time to find out because Microfocus’s support would only support their way of deployment and I had to dig around Tomcat containers and observe how they function.
Thankfully I had an ex-colleague who sent me his Dockerfile which he used to build the Fortify SSC container image from scratch which uncovered some of the internal workings of a Fortify SSC server before I could crack this puzzle!