## Introduction OpenText Core Application Security (formerly Fortify On Demand) is a Software as a Service application security product offered by OpenText. This guide walks you through the steps to gather the necessary information and configure your OpenText Core Application Security tenant for the purpose of creating an integration with Synqly's Application Security connector. ## Prerequisites Before you begin, ensure that you have: - Access to your tenant's OpenText Core Application Security web interface - Access to a user account with the Administration Tenant Level Permission (this is included in the default Security Lead role) ## Required API Key Roles | Operation | OpenText Core Application Security API Key Role | | --- | --- | | Query Applications | Read Only | | Query Application Findings | Read Only | | Query findings across all applications | Read Only | | Get Application Finding Details | Read Only | ## Generating API Credentials Before you begin, ensure that you have access to a valid user account with the Administration Tenant Level Permission and access to the OpenText Core Application Security web interface. ### 1. Navigation To begin generating a new set of OpenText Core Application Security API credentials, log into the OpenText Core Application Security web interface and take note of the URL. Once logged in, select **Administration** from the top navigation bar. Next, navigate to the sidebar and select **Settings**. Once in the settings menu, select **API**. From here, you may either choose to create a new set of API credentials or use a set of already existing credentials. Due to rate limiting, it is recommended that you create a new set of API credentials to use for the Synqly integration. If you choose to create a new set of API credentials, go to the next section titled [*2. Creating New Credentials (Recommended)*](#2.-creating-new-api-credentials-recommended); otherwise, skip the next step and go to the section titled [*3. Generating the API Key Secret*](#3.-generating-the-secret-key). ### 2. Creating New API Credentials (Recommended) To create a new set of API credentials, select the **+ Add Key** button in the upper right-hand corner. Add a name for this key, select a role that includes the required permissions for this provider's supported Synqly Operations, and make sure the "Authorize app to use API" setting is set to Yes. Permissions required for this provider's supported Synqly Operations can be found above in the section titled [*Required API Key Roles*](#required-api-key-roles). Finally, select the **Save** button and proceed to the next step titled [*3. Generating the API Key Secret*](#3.-generating-the-api-key-secret). ### 3. Generating the Secret Key Find the API Key that you will use for the Synqly integration and ensure it has the required permissions as found above in the section titled [*Required API Key Roles*](#required-api-key-roles). If your API Key does not have the required permissions, edit the key's role, select a different key, or create a new one by following the instructions in the section titled [*2. Creating New API Credentials (Recommended)*](#2.-creating-new-api-credentials-recommended). Once you have selected an API Key that has all the required roles, take note of its value. Next, select the **New Secret** text in the row of the API Key that you wish to use. Confirm you want to create a new secret for the API Key by selecting **Yes**. Finally, take note of the secret key. The URL, API Key, and Secret Key will each be used when creating a new Synqly OpenText Core Application Security integration. ## Configuring the Integration To configure a new OpenText Core Application Security integration in the Synqly system, provide each of the values as defined below: | Integration Parameter | Description | | --- | --- | | Client ID | This is the API Key value gathered when generating the API credentials | | Client Secret | This is the Secret Key value gathered when generating the API credentials | | Base URL | This is the URL used to access the OpenText Core Application Security web interface with the added third-level domain of `api` |