Installing CxSAST (v9.0.0)

Owned by Johannes Stark (Unlicensed)
Last updated: Jan 12, 2021
15 min read

Before installing CxSAST, make sure that you understand the System Architecture and that your server host(s) complies with the Server Host Requirements. To install CxSAST, you have to download and extract the installation archive and install required third-party components.

To install and configure high availability solutions, refer to the relevant instructions. A diagram that outlines the architecture for high availability solutions is available here.

Installation Permissions

The user performing the installation must have administrative network permissions (user name and password) for the computer/server running CxSAST Services.

SQL Server Database

If the database uses Windows domain authentication, the station with the product installed on it must be added to a Windows domain. In addition, the user account performing the installation (Centralized or CxManager) must have SA permission on the database server for the duration of the installation process. If SA permission is unavailable, certain prerequisites must be fulfilled prior to the installation:

If the database uses SQL Server native authentication, prepare an SQL Server user account. This account must have SA permissions for the duration of the installation process. If SA permission are unavailable, certain prerequisites must be fulfilled prior to the installation. 

  • Build three SQL databases using the names CxDB, CxActivity and CxARM.
  • Create login for SQL User and associated it with the DB_owner permission for CxDB, CxActivity and CxARM. Define this user in the CxSAST installation.When installing SQL, you are asked to define a password to access the internal CxARM database. This password must not exceed 32 characters.

For upgrades, all previously defined SQL connection parameters are loaded from the existing configuration. If Windows authentication is being used, run the installer with the same user that is defined for the CxServices or any other Windows authenticated user with DB owner permission on CxDB, CxActivity and CxARM. Make sure that the SQL User's password does not consist of more than 32 characters. This may mean that you have to reset this password before you start upgrading.

To change the user credentials used for CxDB connectivity, refer to Configuring User Credentials for CxDB Connectivity.


AWS RDS

DBaaS is not supported natively, but AWS RDS can still be used. To run RDS, you need to create three databases, CxDB, CxActivity and CxARM. Provide the user with the Checkmarx dbo privileges for the newly created databases. Run the installer again and when the installation connects to the database and when a message appears that the three databases are already existing, click Continue. Once the installation is complete, the RDS starts running.

Preparing for Installation

Follow the instructions below to obtain/validate your license and make the installation package available.

Obtaining and Validating a License

It is recommended to obtain a license before you start your installation. This way you will be able to provide the license during the installation and be able to use the product immediately.

Your CxSAST license is tied to a specific station (server); so all you have to do is to run the Cx HID Generator and a HID (hardware identification number) is provided. The HID Generator can be downloaded from the Cx Utilities page.

To receive your license, submit the Hardware ID to your technical contact or sales manager. If you are not sure whom to send the Hardware ID to, open a support ticket.

If CxSAST is already installed and you have not yet obtained a permanent CxSAST license, submit the Hardware ID to your Checkmarx sales representative or open a support ticket to obtain your production license file. The Hardware ID can be found at Start > All Programs > Checkmarx > HardwareId.

Making the Installation Package Available

Follow the instructions below to make the installation package available on each server component host.

  1. Download the CxSAST installation package. The installation package downloads as a zip archive.
  2. Copy the zip archive to each server component host and extract it there to a folder of your choice. To extract the zip archive, you may have to enter a password that has been provided by Checkmarx support
  3. Install the required third-party components and then start installing CxSAST by running CxSetup.exe .

Prerequisites

If not already installed on the server host, you have to make the third-party components listed below available before you can complete installing the CxSAST application. The required resources and installation packages are available in the extracted CxSAST installation package in a folder called third_party.

  • C++ Redist 2010 and 2015 SP3
  • IIS v7.0 or higher
  • NET Core 2.1.16 (or higher 2.1.x versions) Runtime & Hosting
  • MS SQL
  • Java JRE 1.8.0 (64-bit)

For additional information, refer to Server Host Requirements.

  • The third-party components can be installed and made available as part of the CxSAST setup at the Prerequisite Check stage, although it is recommended to do it beforehand. Additional information on these third-party components are available under Preparing the Environment
  • The approved and recommended Java version is 1.8. The minimum version for Oracle is 8u241 and for AdoptOpenJdk ,it is 8u242
  • CxSAST requires the 64-bit version of Java. The 32-bit version results in an error during the installation.

IIS

 1. Navigate to the third_party folder in the setup folder of your CxSAST installation package, for example C:\Users\<name>\Downloads\Software Installations\CxSAST 9.0\CxSAST.900.Release.Setup_9.0.0.32148-1.

 

 2. Navigate to the IIS_Installation_instructions folder and refer to the instructions there on installing and enabling IIS for the Windows version in use.

C++, .NET, MS SQL

 1. In the third_party folder, navigate to the folder with the first component to install.

 

 2. Run the setup and follow the onscreen instructions.

 3. Repeat this for the remaining components that have to be installed yet.

  • When installing SQL, you are asked to define a password to access the internal CxARM database. This password must not exceed 32 characters.
  • If you upgrade, you may have to reset the existing password as passwords could exceed 32 characters in previous versions.

Java

The files of the required Java Runtime Environment are available in a zip archive and are only copied into a new folder and not installed.

To make the Java Runtime Environment available:

 1. In the third_party folder, navigate to the Java folder. In this folder, there is one zip file listed. 

 3. Open the zip archive and extract its content to a folder of your choice. It contains a folder called openjdk-8u242-b08-jre that accommodates all the required files for installing and operating CxSAST successfully. The openjdk-8u242-b08-jre folder is also referred to as the JRE folder throughout this document.

 4. Copy the openjdk-8u242-b08-jre to a non-personal folder under a folder created for Java application. This folder may for example be <root directory>:\Program Files on your PC. 

 

Installing CxSAST

Prerequisites and Recommendations

  • The required Web Server for Checkmarx is IIS Server. If the IIS Server still missing, it is be installed by the CxSAST installer which requires the Windows installation media to be accessible. 
  • SQL 2012 Express SP2 is included with the CxSAST installer. It is installed in the event that no other version of SQL is already installed.

Installation

IMPORTANT NOTES:

  • For upgrading from v8.7 or prior versions, you are first required to install v8.8/v8.9 and only then proceed with the v9.0 installation. For more information, refer to Installing CxSAST (v8.8.0 to v8.9.0).
  • For upgrading from v8.8/v8.9 to v9.0 you are first required to perform the Access Control data migration procedure. For more information, refer to Access Control Data Migration Installer.

 1. Once you have downloaded the CxSAST Installation package and made the third-party components available, run the CxSetup.exe. The Checkmarx Welcome window is displayed.

 

 4. Click ALL IN ONE to continue, ADVANCED to define additional setup options, or X to exit.

 5. For upgrades, the options are EASY UPGRADE to continue and ADVANCED to define additional setup options.

 

 6. In both instances, the Checkmarx License Agreement window is displayed.

 

 7. Review and accept the license agreement by checking the 'I accept the terms in the License Agreement' checkbox. Click Next to continue.

 8. If you selected ADVANCED, the additional Installation Options window is displayed.

 

 9. Click Select to define the CxSAST installation location.

  • To avoid permission restrictions, install CxSAST in <root directory>:\Program Files .
  • For upgrades, previously installed location settings and product components are loaded from the existing configuration and cannot be changed. You can however install or remove product components by using the modify feature. For more information, refer to Modifying CxSAST.

 10 Select the required components for this installation from the available list.

  • Selecting CxSAST Components:
    • POC/Evaluation - Select to install Audit, Engine, Manager, Management and Orchestration, ActiveMQ and Web Portal

    • Distributed Architecture - Select to install either Engine or Manager, Management and Orchestration, ActiveMQ and/or Web Portal

      For upgrading Manager/Portal server in a distributed environment, the ActiveMQ component is automatically selected when using the 'Easy Upgrade' option.

    • Centralized Architecture - Select to install Engine, Manager, Management and Orchestration, ActiveMQ and Web Portal (Audit, if you plan to create and customize queries on the host).
    • CxEngine Server only - Select to install Engine (see Adding a CxEngine Server).
  • You can also select the option to install related shortcuts on your desktop.


 11. Click Next. The Prerequisites Check window is displayed, indicating the status of all required third-party components.

  

 12. Components that are already in place are labeled accordingly.

       Missing component are labeled. To add them, do the following:

  • For any missing component (except the Java Runtime Environment), click the Prerequisites Folder button to navigate to the supplied components and install each one separately. To do so, follow the on-screen instructions.
  • For the required Java Runtime Environment (JRE), click Browse and select the entire JRE folder (and not only the bin folder) that you copied to your station (e.g. C:\Program Files\openjdk-8u242-b08-jre, C:\Program Files\Java\jre1.8.0_241 or C:\Program Files\Java\jdk1.8.0_241\jre). These instructions assume that you have extracted and copied the content of the provided ZIP archive to the relevant location.
    If you did not make the Java files available, refer to the instructions at the top to do so and then click Recheck Prerequisites to repeat the validation process.
  • All prerequisites must be labeled , otherwise the setup cannot be completed and CxSAST is not installed.

  

  • The recommended Java version is 1.8. The minimum version for Oracle is 8u241. For AdoptOpenJdk, the minimum version is 8u242. Verify that the minimum version is installed on your server before continuing.
  • In case Java JRE is automatically updated to a new version, you have to manually update the JRE folder path in the CX_JAVA_HOME environment variable, otherwise CxSAST stops operating.

 13. Once all prerequisite components are installed, click Next to continue. The CxSAST SQL Server Configuration window is displayed.

 

 14. Select the Server from the SQL Server Instance list. If using a non-standard database port, provide the server name with a comma followed by the port number (e.g. LOCALHOST\SQLEXPRESS,25).

For upgrades, previously defined SQL Server instance settings are loaded from the existing configuration and cannot be changed.

For CxSAST, define a connection to the installed SQL Server or to any other SQL server on your network, by selecting one of the following:

  • Connect using Integrated Windows Authentication (login not required)
  • Connect using SQL Server Authentication (provide SQL user name and password for login with SA permissions).

Click Test Connection. A "Connection OK" message is displayed upon confirmed connection to the CxSAST SQL Server.


If the "SQL Connection Test Results" message indicates that connection to the SQL Server has failed, verify the following:

  • Host, port and login credentials are correct
  • The station is a member of a Windows domain (if not, either join the station to a domain and perform a restart, or connect using SQL Server Authentication)
  • The SQL Server Browser Windows service is running (if not, enable and start it).

A notification displays, if existing SQL Express files are detected.

 15. Click OK on the message, and then click NEXT to continue. The Message Broker Configuration window is displayed.

 

  • The default OpenWire port is 61616.
  • The NEXT button is enabled when the default port is available. If unavailable, define another available port.
  • In case the ActiveMQ is uninstalled and reinstalled using a non-default port, a manual update in the DB is required to match the change - Databases > CxDB > Tables > CxComponentConfiguration > ActiveMessageQueueURL > Key Value (e.g. tcp://<AMQ_URL>:<non-default_port>)
  • Make sure that port 61616 is open in all relevant firewalls between the ActiveMQ server and the following components:

 16. Click Next. If installing Management and Orchestration, the Remediation Intelligence Configuration window is displayed. 

 

  • In older versions and previous builds of the current version of CxSAST, Automated Prioritization was called Remediation Intelligence. The screen image below still refers to this previous name.

  • The default port is 8082.
  • The NEXT button is enabled, if the default port is available. If unavailable, define another available port.

 17. Click Next. If installing Management and Orchestration, the Apache Tomcat Configuration window is displayed.

 

  • Default ports (as displayed) are:
    • HTTP port is 8080
    • HTTPS port is 8443
  • The NEXT button is enabled when the default port(s) are available. The installer verifies that ports are not blocked, but does not check, if ports are part of IIS bindings. If you suspect that one of the relevant ports is part of IIS bindings, open IIS and check it. You can only complete the installation, if ports are not blocked and if they are not part of IIS bindings. If port(s) are unavailable, define other available port(s) in the respective Port fields.

 18. Click NEXT. If installing Management and Orchestration, the M&O Layer SQL Server Configuration window is displayed.


If the M&O database resides on a separate server, SQL Server Instance must read <IP address of the M&O DB server>\SQLEXPRESS. If it reads localhost\SQLEXPRESS instead, cancel the setup and start it again.

 

 19. Select the Server from the SQL Server Instance list. If using a non-standard database port, provide the server name with a comma followed by the port number (e.g. LOCALHOST\SQLEXPRESS,25).

For upgrades, previously defined SQL Server instance settings are loaded from the existing configuration and cannot be changed, unless the Management and Orchestration component was only added in the latest upgrade.

 20. For Management and Orchestration, define the SQL Server connection by selecting one of the following:

  • Connect using Integrated Windows Authentication (login not required)
  • Connect using SQL Server Authentication (provide SQL user name and password for login with SA permissions)
For M&O Layer SQL Server connectivity, both Dynamic and Static port configurations are supported. For more information, refer to Configuring Management & Orchestration SQL Server for Dynamic and Static Port Connectivity.

 21. Click Test Connection. A "Connection successful" message is displayed upon confirmed connection to the SQL Server.


If the "SQL Connection Test Results" message indicates that connection to the SQL Server has failed, verify the following:

  • Host, port and login credentials are correct
  • The station is a member of a Windows domain (if not, either join the station to a domain and perform a restart, or connect using SQL Server Authentication)
  • The SQL Server Browser Windows service is running (if not, enable and start it).

 22. Click OK on the message, and then click NEXT. The License Activation window is displayed.

 

For upgrades, the license information (if it exists and is valid) is automatically loaded from the existing configuration and the License Activation window is not displayed.

 23. Select the preferred licensing method by selecting one of the following:

  • Import New LicenseIf you already have a valid CxSAST license file, select the Import New License option and then click Import License.  Browse to the file location and click Open.
  • Request New License: If you have not yet obtained a permanent CxSAST license, select Request New License and then click Copy to Clipboard. Send the copied Hardware ID (HID) to your Checkmarx sales representative or open a support ticket

 

Once you have obtained a new or updated Checkmarx license, you can use the license importer to import the license into CxSAST. For more information, refer to Updating the CxSAST License).

 24. Click NEXT to continue.

If your license does not match your current Hardware ID (HID), a warning message is displayed. Please import a different license or request for a new one from your Checkmarx sales representative or open a support ticket.

If the default port 80 is occupied, the Validate Port window is displayed. If required, select another port and click Validate Port.

Port 80 is allocated as the default port for Checkmarx applications. In clean installations the Validate Port window is displayed only if one of the following occurs: 

  • Port 80 is occupied by a non-default website or application
  • Default website does not exist and port 80 is occupied by another application or website
  • Default website does exist (occupies a different port) and port 80 is occupied by another application or website.

 25. Click NEXT to continue. The Setup Summary window is displayed.

 

 26. Check the setup summary according to your component selection and license details.

For upgrades, the license information is not displayed because it has already been loaded from the existing configuration.

 27. Click INSTALL to continue, BACK to return to the previous window, or to exit. The Installation in Progress window is displayed.

 

If the installation fails, the "Setup failed" message is displayed. For more information, see the installation logs. If you need further assistance, please open a support ticket

Once the installation is complete the Installation Completed Successfully window is displayed.

 

If you installed Management and Orchestration on the Congratulations window, by default the Start Database Synchronization checkbox is selected. This enables Management and Orchestration by initializing the automatic synchronization process. This process may take a while, depending on the amount of data being synchronized. 

To continue now with the database synchronization, leave the checkbox checked and click CLOSE. If required, reboot the server (you receive a prompt, if rebooting is necessary). The database synchronization starts automatically.

For more information about installing Management and Orchestration, see Installing Management and Orchestration.

To perform the database synchronization at another time, clear the checkbox, and click CLOSE. At a later time use the ETL tool to perform the synchronization, located at <Installation folder>\Checkmarx\Checkmarx Risk Management\ETL\etl_executor.exe, for example  C:\Program Files\Checkmarx\Checkmarx Risk Management\ETL\etl_executor.exe

If attempting to install CxSAST with an existing Management and Orchestration database, the subsequent ETL DB sync will fail, due to a limitation in Management and Orchestration. Therefore, in order to reinstall CxSAST, either delete the existing Management and Orchestration database before reinstalling, or reinstall with a new Management and Orchestration database.

Installed Services Check

 1. Go to Start > Control Panel > System and Security > Administrative Tools > Services

Make sure the following installed Checkmarx services and Web server are started:

On a centralized host:

  • CxSystemManager
  • CxJobsManager
  • CxScansManager
  • CxSastResults
  • CxScanEngine
  • Management and Orchestration:
    • CxARM
    • CxARMETL
    • CxRemediationIntelligence
  • Shared services:
    • ActiveMQ
  • Web server (run "iisreset /start" from elevated CMD or Start action for the server name in IIS Console):
    • World Wide Web Publishing Service
    • IIS Admin Service

On a CxEngine host (if applicable):

  • CxScanEngine

By default all product services are installed and configured to run with Windows Network Service account. For updating or customizing non-default service accounts, please refer to Configuring CxSAST for use with a non-default user (Network Service) - CxServices & IIS Application Pools.

To run the Pool Check for the installed application: 

 1. Go to Start > Control Panel > All Control Panel Items > Administrative Tools > Internet Information Services (IIS) Manager

 

 2. Make sure the following installed application pools are started:

On a centralized host:

  • CxClientPool
  • CxPool
  • CxPoolRestAPI
  • CxAccessControl

If any of the IIS Pools are not started automatically after installing, restart the station.

 

Enable Long Path Support in CxSAST Application

.NET framework 4.6.2 and above supports the Long Path feature by default. The following actions should be taken in order for the Long Path feature to be defined.

This configuration should only be added on a station with .NET 4.6.2 or above installed, otherwise there will be issues in the application.

The following configuration should be added to the Web Service and REST API:

<httpRuntime targetFramework="4.6.2" />

The web.config file is usually located in the following path: <Installation folder>\Checkmarx\Checkmarx Web Services\CxWebInterface\web.config , for example  C:\Program Files\Checkmarx\Checkmarx Web Services\CxWebInterface\web.config

For example:

<system.web>
     <httpRuntime targetFramework="4.6.2" />
     <compilation targetFramework="4.5.1" debug="true"/>
</system.web>

If the httpRuntime already exists, add the targetFramework attribute as follows:  

           <httpRuntime maxRequestLength="2097151" executionTimeout="36000" targetFramework="4.6.2" />

Login to the CxSAST Web Interface

Access the CxSAST web interface in one of the following ways:

  • Access CxSASTlocally (from the server host): use the Checkmarx Portal shortcut on the Desktop or navigate to the Checkmarx folder (Start > All Programs > Checkmarx > Checkmarx Portal).
  • Access CxSAST from any other computer: make sure that organizational routing and firewall configuration allow the client computer to access the CxSAST Server. Point your browser to: http://<server>/cxwebclient/login.aspx where <server> is the IP address or resolvable hostname of the CxSAST Server.

If '3rd party cookies' are disabled in your browser, you will not be able to log into the CxSAST Web Interface via 'http://localhost'. If this is the case you will need to use 'http://<FQDN>', where <FQDN> is the Fully Qualified Domain Name and consists of both the hostname and domain name (e.g. http://mqserver.company.com:5555).

Upon a clean installation, a single Administrator Account needs to be created using Access Control. For more information, refer to Accessing the Access Control Web Interface.

General Settings

 1. Go to Settings > Application Settings > General. The General Settings screen is displayed.

 

 2. Click Edit to enable changes.

Server Settings

  • If permitted by your CxSAST license, set the “Maximum number of concurrent scans” to the desired number for all the CxEngine Servers.

Enable Long Path Support in Server Settings

 1. In order for the long path support to be fully enabled in CxSAST, click Edit and check the Long Path Support checkbox.

Confirm that all application servers support long paths, otherwise scans with long path files may fail.

 2. Click Update to save the changes.

SMTP Settings

 1. Provide the relevant SMTP settings. Other settings should usually be left as they are.

 2. Optionally, you can configure the "From" field of emails. If you don't configure it, it will be left empty.

 3. Click Update to save changes.

My Profile Settings

 1. Go to My Profile > General. The My Profile screen is displayed.

 

Email Verification

  • Verify that the email address in the CxSAST profile settings is of a valid format, i.e. John.Smith@example.com, and not John.Smith@example. This step is required for Codebashing registration.
You can subsequently change the Administrator password and add CxSAST users. For more information, refer to Access Control User Management.

Engine Settings (in a distributed architecture)

 1. Go to Settings > Application Settings > Engine Management. The Engine Management window is displayed.

 

 2. Click Register Engine Server. The Register Engine Server window is displayed.

 

 3. Assign a Server Name to the engine and provide the Server URL to enable CxManager to communicate with CxEngine. The URL looks simalr to the following:

http://<Server_Name>/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc
where <Server_Name> is the CxEngine host's IP address or resolvable name. 

 4. Optionally you can define Scan LOC Limits (maximum lines of code allowed).


  • It is recommended to validate the defined URL by opening it in a browser on the CxManager Server.
  • If you have multiple CxEngine Servers, repeat this procedure for each Engine Server.

 5. Click Update.

Installation Verification

 1. Go to Settings > Application Settings > Installation Information.

 

 2. Validate that you have successfully installed the correct version and/or hot-fix and review all CxSAST system components ensuring that they are all of the same version.

After upgrading, if you need to modify a protocol, a station and/or port definitions for upgraded Cx components, please refer to Changing the Server Name, IP or Port for Checkmarx Components for further information and instructions.

.