Security Configuration Checker tool

rmg · June 24, 2016, 8:19pm

Hi Guru’s

Any one is using this security tool in your environments and if YES any pros and crons using this product?

https://empower.softwareag.com/images/IS_SCC_Readme_v1_tcm121-136175.pdf

Please also give info on how you obtained this product reaching SAG sales person or downloaded via SUM having with License already?

Appreciate your any inputs to this!!

TIA,
RMG

Mahesh_K_Sreenivas · June 24, 2016, 9:32pm

Hi RMG Guru,

Hope you are doing good.

We had used it in our environments to generate the report about security vulnerabilities. You can download the tool from http://techcommunity.softwareag.com/ecosystem/communities/public/webmethods/contents/codesamples/30636b31-99aa-11e5-a65f-cd8d7ef22065/?title=Integration+Server+-+Security+Configuration+Checker

Run the tool with the following command:

$ java -jar scc.jar -l (For licensefile, contact security@softwareag.com with the hostname/ip-addresses where the Integration Server is deployed. Make sure you send an email from your official empower account)

Follow the directions as guided by the interactive command line utility.

Refer to screenshots section in the README Guide for more details.

Note: Please copy enttoolkit from <IS_Install_Dir>\common\lib\ext\enttoolkit.jar in to scc_lib folder in the tool.

Holger_von_Thomsen · June 27, 2016, 6:50pm

Hi,

would be nice if these checks still apply to recent 9.x versions or if this tool should be updated to check against the new security features (oauth, keystore aliases, …).

Regards,
Holger

Mahesh_K_Sreenivas · June 27, 2016, 10:10pm

We had tested this tool on v9.8. Even in readme says “it has been tested on all 9.x versions with Oracle jdk 1.8”. However to report bugs or provide suggestions, please send an e-mail to security@softwareag.com

rmg · June 29, 2016, 5:37pm

@Holger, Yes the tool is available for IS 9.x versions as the documentation says

@ Mahesh, How is your tool user experience with it? Any feedback please and so I can note.

TIA,
RMG

Ch_Mark · September 29, 2016, 6:57am

Hi, yes its a good security tool. Althrough, you may need the penetration testing services to secure the complete platform.

Anna_Hampton · November 16, 2016, 9:54am

I’m not so sure with that but I guess it’s okay to use. I don’t see anything wrong with that software. Maybe a little training on how to use it for your website would do. But it’d do just fine, I guess.

SHAHBAZ_KHAN · December 23, 2020, 8:27am

Hi ,

IS_10.1_Core_Fix17
While running SCC , we are getting below

ReverseHttpGateway
Recommendation:
Reverse HTTP Gateway is not set on the Server.

Even though in our environment we have reverse invoke already present.

Regards