Fortify sample server.xml and entrypoint.sh

entrypoint.sh

#!/bin/bash
set -e -o pipefail

if [ -x "$(command -v "$1")" ]; then
    exec "$@"
fi

assertIsSet() {
    # $1=variable_value $2=variable_name
    if [ -z "$1" ]; then
        echo "Environment variable $2 is required"
        exit 1
    fi
}

assertIsReadable() {
    # $1=file_path $2=variable_name
    if [ -n "$1" ] && [ ! -r "$1" ]; then
        echo "A file referenced by environment variable $2 does not exists or is not readable"
        exit 1
    fi
}

assertIsSetAndReadable() {
    # $1=file_path $2=variable_name
    assertIsSet "$1" "$2"
    assertIsReadable "$1" "$2"
}

loadFileToEnv() {
    # $1=src_file_path $2=src_variable_name $3=dst_variable_name
    assertIsSetAndReadable "$1" "$2"
    # not POSIX bourne shell compatible, but supported at least by bash, busybox ash and dash
    export "$3"="$(head -1 "$1" | tr -d '\n\r')"
}

#
# Set default file locations
#

# default secrets directory
secret_dir="$FORTIFY_HOME/secrets"

if [ -z "$COM_FORTIFY_SSC_AUTOCONFIGPATH" ] && [ -e "$secret_dir/ssc.autoconfig" ]; then
    export COM_FORTIFY_SSC_AUTOCONFIGPATH="$secret_dir/ssc.autoconfig"
fi

if [ -z "$COM_FORTIFY_SSC_LICENSEPATH" ] && [ -e "$secret_dir/fortify.license" ]; then
    export COM_FORTIFY_SSC_LICENSEPATH="$secret_dir/fortify.license"
fi

if [ -z "$COM_FORTIFY_SSC_SECRETKEY" ] && [ -e "$secret_dir/secret.key" ]; then
    export COM_FORTIFY_SSC_SECRETKEY="$secret_dir/secret.key"
fi

if [ -z "$HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE" ] && [ -e "$secret_dir/certificate-keystore" ]; then
    export HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE="$secret_dir/certificate-keystore"
fi

if [ -z "$HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE" ] && [ -e "$secret_dir/certificate-keystore-password" ]; then
    export HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE="$secret_dir/certificate-keystore-password"
fi

if [ -z "$HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE" ] && [ -e "$secret_dir/certificate-key-password" ]; then
    export HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE="$secret_dir/certificate-key-password"
fi

unset secret_dir

#
# Set JVM system properties and options
#

export CATALINA_OPTS="-XX:MaxRAMPercentage=50.0 -Djava.awt.headless=true $CATALINA_OPTS"
if [ -n "$JVM_TRUSTSTORE_FILE" ]; then
    assertIsSetAndReadable "$JVM_TRUSTSTORE_FILE" JVM_TRUSTSTORE_FILE
    loadFileToEnv "$JVM_TRUSTSTORE_PASSWORD_FILE" JVM_TRUSTSTORE_PASSWORD_FILE JVM_TRUSTSTORE_PASSWORD
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore='$JVM_TRUSTSTORE_FILE'"
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword='$JVM_TRUSTSTORE_PASSWORD'"
else
    unset JVM_TRUSTSTORE_FILE
    unset JVM_TRUSTSTORE_PASSWORD_FILE
fi

if [ -n "$COM_FORTIFY_SSC_LOGPATH" ]; then
    # supported by application too, setting this on commandline used configured directory also for ssc_boot.log
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.fortify.ssc.logPath='$COM_FORTIFY_SSC_LOGPATH'"
else
    unset COM_FORTIFY_SSC_LOGPATH
fi

if [ -n "$COM_FORTIFY_SSC_SECRETKEY" ]; then
    assertIsSetAndReadable "$COM_FORTIFY_SSC_SECRETKEY" COM_FORTIFY_SSC_SECRETKEY
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.fortify.ssc.secretKey='$COM_FORTIFY_SSC_SECRETKEY'"
else
    unset COM_FORTIFY_SSC_SECRETKEY
fi

#
# Set defaults and validate Tomcat configuration values and render Tomcat's server.xml
#

# Use less secure but more compatible SSL configuration by default
# See https://ssl-config.mozilla.org/#server=tomcat
if [ -z "$HTTP_SERVER_TLS_PROTOCOLS" ]; then
    export HTTP_SERVER_TLS_PROTOCOLS='TLSv1.3+TLSv1.2'
    if [ -z "$HTTP_SERVER_TLS_CIPHERS" ]; then
        export HTTP_SERVER_TLS_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
    fi
fi

assertIsSetAndReadable "$HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE" HTTP_SERVER_CERTIFICATE_KEYSTORE_FILE
loadFileToEnv "$HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE" HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD_FILE HTTP_SERVER_CERTIFICATE_KEYSTORE_PASSWORD
loadFileToEnv "$HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE" HTTP_SERVER_CERTIFICATE_KEY_PASSWORD_FILE HTTP_SERVER_CERTIFICATE_KEY_PASSWORD

case "$HTTP_SERVER_CERTIFICATE_VERIFICATION" in
required | optional)
    if [ -n "$HTTP_SERVER_TRUSTSTORE_FILE" ]; then
        assertIsSetAndReadable "$HTTP_SERVER_TRUSTSTORE_FILE" HTTP_SERVER_TRUSTSTORE_FILE
        loadFileToEnv "$HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE" HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE HTTP_SERVER_TRUSTSTORE_PASSWORD
    fi
    ;;
none | '')
    export HTTP_SERVER_CERTIFICATE_VERIFICATION=none
    unset HTTP_SERVER_TRUSTSTORE_FILE
    unset HTTP_SERVER_TRUSTSTORE_PASSWORD_FILE
    ;;
*)
    echo "Invalid value specified for HTTP_SERVER_CERTIFICATE_VERIFICATION: $HTTP_SERVER_CERTIFICATE_VERIFICATION"
    echo "Valid values are: required, optional, none"
    exit 1
    ;;
esac

# normalize deployment context, can be empty and it must not end with slash
HTTP_SERVER_SSC_PATH_PREFIX="/${HTTP_SERVER_SSC_PATH_PREFIX#/}" # ensure leading slash
HTTP_SERVER_SSC_PATH_PREFIX="${HTTP_SERVER_SSC_PATH_PREFIX%/}"  # remove trailing slash

#
# Validate remaining settings
#

if [ -n "$COM_FORTIFY_SSC_AUTOCONFIGPATH" ]; then
    assertIsSetAndReadable "$COM_FORTIFY_SSC_AUTOCONFIGPATH" COM_FORTIFY_SSC_AUTOCONFIGPATH
    assertIsSetAndReadable "$COM_FORTIFY_SSC_LICENSEPATH" COM_FORTIFY_SSC_LICENSEPATH
else
    unset COM_FORTIFY_SSC_AUTOCONFIGPATH
    unset COM_FORTIFY_SSC_LICENSEPATH
fi

#
# Create directories required on Tomcat startup
#

mkdir -p "$CATALINA_TMPDIR"
mkdir -p "$CATALINA_WORKDIR"
mkdir -p "$CATALINA_LOGSDIR"

# Workaround for runtime-bridge command failing on read-only filesystem [DE-267109]
mkdir -p "${COM_FORTIFY_SSC_LOGPATH}/runtime-bridge"

#
# Render server configuration template and start Tomcat
#

# java "$APP_HOME/tools/AttributeTemplateRenderer.java" "$CATALINA_HOME/conf/server-tpl.xml" "$CATALINA_HOME/conf/server.xml"
exec /bin/bash "${CATALINA_HOME}/bin/catalina.sh" "$@"
exit 9

server.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
    <!-- Prevent memory leaks due to use of particular java/javax APIs-->
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

    <!-- A "Service" is a collection of one or more "Connectors" that share
         a single "Container" Note:  A "Service" is not itself a "Container",
         so you may not define subcomponents such as "Valves" at this level.
         Documentation at /docs/config/service.html
     -->
    <Service name="Catalina">

        <!-- A "Connector" represents an endpoint by which requests are received
             and responses are returned. Documentation at :
             Java HTTP Connector: /docs/config/http.html
             Java AJP  Connector: /docs/config/ajp.html
             APR (HTTP/AJP) Connector: /docs/apr.html
        -->

        <Connector maxThreads="4" minSpareThreads="1"
                   port="8080"
	           proxyPort="443"
		   proxyName="<your_hostname_here>"
                   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                   server="Apache"
                   connectionTimeout="10000"
                   scheme="https"
                   secure="true"
        />
        <!-- An Engine represents the entry point (within Catalina) that processes
             every request.  The Engine implementation for Tomcat stand alone
             analyzes the HTTP headers included with the request, and passes them
             on to the appropriate Host (virtual host).
             Documentation at /docs/config/engine.html -->
        <Engine name="Catalina" defaultHost="localhost">

            <Host name="localhost" deployOnStartup="true" autoDeploy="false" failCtxIfServletStartFails="true"
                  workDir="/fortify/tomcat/work">

                <!-- Access log processes all example.
                     Documentation at: /docs/config/valve.html
                     Note: The pattern used is equivalent to using pattern="common" -->
                <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                       prefix="localhost_access_log" suffix=".txt"
                       pattern="%h %l %u %t &quot;%r&quot; %s %b"/>

                <!-- Disable stacktrace and server version displayed in server default HTML error pages
                     (displaying such information is considered a security issue)
                     Return custom error page for 404 Page not found error -->
                <Valve className="org.apache.catalina.valves.ErrorReportValve"
                       showReport="false"
                       showServerInfo="false"
                       errorCode.404="webapps/error404.html"
                       errorCode.0="webapps/errorGeneral.html"/>

                <Context path="" docBase="/app/ssc"
                         useHttpOnly="true"/>

            </Host>

        </Engine>

    </Service>

</Server>