Configuring SSL for the Checkmarx Software Exposure Platform (v9.0.0 and up)

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and intact. To be able to create an SSL connection the web server requires an SSL Certificate.

Checkmarx Software Exposure Platform (SSL)

To secure communications between all Checkmarx Software Exposure Platform components, we recommend that you install signed certificates and enable SSL on all machines/servers to enforce SSL security (HTTPS). These instructions guide you through the procedure to configure the Secure Sockets Layer (SSL) Protocol for the Checkmarx Software Exposure Platform in Distributed or High Availability environments. They also include links to topics that are directly related to this procedure.

Configuring SSL

SSL can be configured via the Checkmarx Software Exposure Platform components for each machine/server accordingly. To configure the SSL, follow the instructions below:

1. All machines/servers in the Checkmarx Software Exposure Platform must be part of the same domain and configured in the Domain Name System (DNS) when using machine names


 Click here to know more

If CA certificate and Test VMs are of different domains, you need to change Test VMs domain before starting with the configuration, use below steps for the same,

  1. Add host details into C:\Windows\System32\drivers\etc\hosts file. (In case of distributed environment, add details of all hosts in the setup)
  2. Run 'Project Update-DNS' Jenkins pipeline to update domain of the VMs.
  3. Restart the VMs.

2. Enable SSL support for Access Control by configuring the appsettings.json file (<dir>:\Program Files\Checkmarx\Checkmarx Access Control\appsettings.json):

 Click for the full query

Update ExternalListenUrls to reflect IIS configured bindings:

        http(s)://*(port)
        Example: "ExternalListenUrls": "https://*:443"

If more than one binding is configured:

http(s)://*(port);http(s)://*(port)
Example: "ExternalListenUrls": "https://*:443;https://*:123"

3. Enable SSL Support on the CxManager according to these instructions.

4. Configure all Checkmarx Software Exposure Platform components for HTTPS in the DB table [CxDB].dbo.[cxComponentConfiguration] as follows:

    Replace IdentityAuthority, CxARMPolicyURL, CxARMURL, CxSASTManagerUri and WebServer keys to include HTTPS with the relevant server name.

 Click for the queries and an example

SQL Query to view current values:

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'IdentityAuthority'
SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxARMPolicyURL'
SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxARMURL'
SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxSASTManagerUri'
SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'WebServer'

SQL Queries to set URL’s to SSL:

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://{server FQDN}/CxRestAPI/auth'
WHERE [Key] = 'IdentityAuthority'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://{server FQDN}:8443'
WHERE [Key] = 'CxARMPolicyURL'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://{server FQDN}:8443'
WHERE [Key] = 'CxARMURL'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] ='https://{server FQDN}'
WHERE [Key] = 'CxSASTManagerUri'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://{server FQDN}'
WHERE [Key] = 'WebServer'

Example:

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://cxsast.checkmarx.net/CxRestAPI/auth'
WHERE [Key] = 'IdentityAuthority'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]
SET [Value] = 'https://cxsast.checkmarx.net:8443'
WHERE [Key] = 'CxARMURL'

5. Enable SSL support on the CxEngine(s) according to these instructions.

6. Restart the ActiveMQ and all CxManager services, for any changes in the database.

7. Enable SSL support on the load balancer according to instructions provided by your vendor. If you are using Nginx as the load balancer, you can use the following configuration:

 Click to expand and view the configuration:

8. Enable TLS support (on all machines/servers) according to these instructions.

9. Enable FIPS compliance (on all machines/servers) according to your supported operating system (see example).

10. Enable SSL support and FIPS compliance for Management & Orchestration (M&O) according to these instructions.