Security Configuration Checker tool

, ,
#1

Hi Guru’s

Any one is using this security tool in your environments and if YES any pros and crons using this product?

https://empower.softwareag.com/images/IS_SCC_Readme_v1_tcm121-136175.pdf

Please also give info on how you obtained this product reaching SAG sales person or downloaded via SUM having with License already?

Appreciate your any inputs to this!!

TIA,
RMG

#2

Hi RMG Guru,

Hope you are doing good.

We had used it in our environments to generate the report about security vulnerabilities. You can download the tool from http://techcommunity.softwareag.com/ecosystem/communities/public/webmethods/contents/codesamples/30636b31-99aa-11e5-a65f-cd8d7ef22065/?title=Integration+Server+-+Security+Configuration+Checker

Run the tool with the following command:

$ java -jar scc.jar -l (For licensefile, contact security@softwareag.com with the hostname/ip-addresses where the Integration Server is deployed. Make sure you send an email from your official empower account)

Follow the directions as guided by the interactive command line utility.

Refer to screenshots section in the README Guide for more details.

Note: Please copy enttoolkit from <IS_Install_Dir>\common\lib\ext\enttoolkit.jar in to scc_lib folder in the tool.

#3

Hi,

would be nice if these checks still apply to recent 9.x versions or if this tool should be updated to check against the new security features (oauth, keystore aliases, …).

Regards,
Holger

#4

We had tested this tool on v9.8. Even in readme says “it has been tested on all 9.x versions with Oracle jdk 1.8”. However to report bugs or provide suggestions, please send an e-mail to security@softwareag.com

#5

@Holger, Yes the tool is available for IS 9.x versions as the documentation says :smiley:

@ Mahesh, How is your tool user experience with it? Any feedback please and so I can note.

TIA,
RMG

#6

Hi, yes its a good security tool. Althrough, you may need the penetration testing services to secure the complete platform.

#7

I’m not so sure with that but I guess it’s okay to use. I don’t see anything wrong with that software. Maybe a little training on how to use it for your website would do. But it’d do just fine, I guess.

#8

Hi ,

IS_10.1_Core_Fix17
While running SCC , we are getting below

ReverseHttpGateway
Recommendation:
Reverse HTTP Gateway is not set on the Server.

Even though in our environment we have reverse invoke already present.

Regards