Upgrading CxSAST to v9.0.0 and v9.2.0

CxSAST supports upgrades from up to the two previous versions, for example from v8.8 to v9.0 or v8.9 to v9.2.

  • If you upgrade from v8.7 or earlier versions, you have to first install v8.8 or v8.9 and then proceed to installing v9.0 or v9.2 respectively.
  • This page applies to full upgrades only. It does not apply to hotfixes.

To prepare for upgrading:

  • Back up your Cx databases prior to running the software update. Schedule the database backup to create compressed files with unique file names in a separate folder.
  • Migrate the Access Control data. For additional information, refer to Access Control Data Migration Installer.
  • Back up the content of the EngineScanLog folder and restore it to the new EngineScanLog folder after completing the upgrade. The EngineScanLog folder is located at <install path>\EngineScanLog. The install path is usually C:\Program Files\Checkmarx.
  • Make sure that the SQL password does not exceed 32 characters. You may have to reset this password before upgrading, because the SQL password could exceed 32 characters in previous versions. For further information, refer to Installing CxSAST (v9.0.0).
  • If you are switching Java versions, for example because upgrading or otherwise modifying your CxSAST installation requires a newer Java installation, you have to carry the certificates over from the previous Java location to the new one. To do so, copy the cacerts file from the previous Java location (..\Checkmarx Risk Management\jre\lib\security\) to the new Java location (<install path>\openjdk-8u242-b08-jre\lib\security\), overwriting the existing cacerts file in the new location.

Before you start:

 1. Make sure there are no scans currently running.

 2. Stop all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server):

     On a centralized host:

  • CxSystemManager
  • CxJobsManager
  • CxScansManager
  • CxScanEngine
  • Management and Orchestration:
    • CxARM
    • CxARMETL
  • Web server: Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click Stop under Manage Server or open a command line shell (CMD) as Administrator and enter "iisreset /stop".

     On a CxEngine host (if applicable):

  • CxScanEngine


Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate directory from the main database files.
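The stop-and-backup preparation above, as an added PowerShell example (not part of the original page and not Checkmarx code). It assumes the names listed above match either the service Name or DisplayName, uses the file paths this page lists for backup, and uses a hypothetical $BackupRoot that you must adjust.

```powershell
#Requires -RunAsAdministrator
# Added example: stop CxSAST services and back up files before the upgrade (centralized host).
# Assumptions: names match service Name or DisplayName; $BackupRoot is a placeholder.
$ErrorActionPreference = 'Stop'
$InstallPath = 'C:\Program Files\Checkmarx'
$BackupRoot  = 'D:\CxUpgradeBackup'   # hypothetical; restrict its ACL to administrators
$Target      = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
$CxServices  = 'CxSystemManager','CxJobsManager','CxScansManager','CxScanEngine','CxARM','CxARMETL'

function Get-CxService {
  Get-Service | Where-Object { $_.Name -in $CxServices -or $_.DisplayName -in $CxServices }
}

# Stop the listed services that exist on this host, then IIS.
Get-CxService | Where-Object Status -ne 'Stopped' | Stop-Service -Force
iisreset /stop | Out-Null

# Refuse to continue while any of them is still running.
$stillUp = Get-CxService | Where-Object Status -ne 'Stopped'
if ($stillUp) { throw "Still running: $($stillUp.Name -join ', ')" }

# Items this page says to back up, relative to the install path.
$Items = 'EngineScanLog',
         'Checkmarx Audit\DefaultConfig.xml',
         'Checkmarx Engine Server\DefaultConfig.xml',
         'Executables',
         'Licenses\License.cxl',
         'Configuration\DBConnectionData.config'

foreach ($item in $Items) {
  $src = Join-Path $InstallPath $item
  if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Not present, skipped: $src"; continue }
  $destParent = Split-Path (Join-Path $Target $item) -Parent
  New-Item -ItemType Directory -Path $destParent -Force | Out-Null
  Copy-Item -LiteralPath $src -Destination $destParent -Recurse
}

# Verify every copied file against its source by SHA-256 before running CxSetup.exe.
Get-ChildItem -LiteralPath $Target -Recurse -File | ForEach-Object {
  $rel = $_.FullName.Substring($Target.Length).TrimStart('\')
  $src = Join-Path $InstallPath $rel
  if ((Get-FileHash -LiteralPath $_.FullName).Hash -ne (Get-FileHash -LiteralPath $src).Hash) {
    throw "Backup differs from source: $rel"
  }
}
"Backup verified in $Target"
```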

To upgrade CxSAST:

 1. Download the CxSAST installation package.

 2. Extract the downloaded ZIP archive, supplying the password provided by Checkmarx support.

 3. Run the CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.

 4. During the upgrade, the Checkmarx installer automatically creates a backup copy of the configuration files. To locate the Checkmarx backup files, go to Start > Search and type "%appdata%" (C:\Users\<user>\AppData\Roaming\Checkmarx).

The following files should be backed up in case they need to be restored after an upgrade:
"<Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml"
"<Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml"
"<Drive>:\Program Files\Checkmarx\Executables\*.*"

The following files should be backed up and used during the upgrade process:
"<Drive>:\Program Files\Checkmarx\Licenses\License.cxl"

The following files should be backed up and used if you are unable to find or connect to the database during installation:
"<Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config"

 5. Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:

     On a centralized host:

  • CxSystemManager
  • CxJobsManager
  • CxScansManager
  • CxSastResults
  • CxScanEngine
  • Management and Orchestration:
    • CxARM
    • CxARMETL
    • CxRemediationIntelligence
  • Shared services:
    • ActiveMQ
  • Web server: Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click Stop under Manage Server or open a command line shell (CMD) as Administrator and enter "iisreset /stop".
    • World Wide Web Publishing Service
    • IIS Admin Service
  • If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.
  • After upgrading to CxSAST 9.0, make sure that all external IIS bindings are defined at the ExternalListenUrls key in the appsettings.json file. If, for example, port 80 (HTTP) and port 443 (HTTPS) were bound, the setting must look as follows: "ExternalListenUrls": "http://*:80;https://*:443". The appsettings.json file resides in the Checkmarx Access Control folder.
  • After upgrading to CxSAST 9.0, check the CxSASTManagerUri key located in the SQL [Cxdb].dbo.[CxComponentConfiguration] database table and verify that the protocol previously in use has been preserved. For example, if the protocol was HTTPS, it must still be set to HTTPS as follows: SET [VALUE]='https://{fqdn}'.
    {fqdn} stands for fully qualified domain name of your CxSAST Manager Server.

     Full queries to view and update the value:
    • SQL query to view the current value:
      SELECT * FROM [CxDB].dbo.[CxComponentConfiguration]
      WHERE [Key] = 'CxSASTManagerUri'
    • SQL query to update the value:
      UPDATE [CxDB].dbo.[CxComponentConfiguration]
      SET [VALUE] = 'https://{fqdn}'
      WHERE [Key] = 'CxSASTManagerUri'

 6. If required, start each one manually.

By default, all product services are installed and configured to run with the Windows Network Service account. When upgrading from v8.8/8.9 to v9.0, any non-default accounts for new CxSAST Services (CxSASTResults, CxRemediationIntelligence, ActiveMQ) and IIS Application Pools (CxAccessControl) may need to be updated and customized according to your existing policy. You should also verify that all other previously existing CxSAST services and IIS Application Pools are still managed by your customized account. For updating non-default service accounts, please refer to Configuring CxSAST for use with a non-default user (Network Service) - CxServices & IIS Application Pools.
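The post-upgrade checks from step 5 and the service-account note above, as an added PowerShell example (not part of the original page and not Checkmarx code). The appsettings.json path under the install folder, $SqlInstance, $ExpectedScheme and $ExpectedBindings are assumptions to adjust, and Invoke-Sqlcmd requires the SqlServer module.

```powershell
# Added example: post-upgrade checks for a centralized CxSAST host.
# Assumptions: names match service Name or DisplayName; the appsettings.json path,
# $SqlInstance, $ExpectedScheme and $ExpectedBindings are placeholders to adjust.
$InstallPath      = 'C:\Program Files\Checkmarx'
$AppSettings      = Join-Path $InstallPath 'Checkmarx Access Control\appsettings.json'
$SqlInstance      = 'localhost'                     # hypothetical SQL Server instance
$ExpectedScheme   = 'https'                         # protocol in use before the upgrade
$ExpectedBindings = 'http://*:80','https://*:443'   # IIS bindings before the upgrade
$Expected = 'CxSystemManager','CxJobsManager','CxScansManager','CxSastResults','CxScanEngine',
            'CxARM','CxARMETL','CxRemediationIntelligence','ActiveMQ',
            'World Wide Web Publishing Service','IIS Admin Service'
$problems = @()

# 1. Every expected service is present and running; StartName shows its logon account,
#    so a service that fell back to Network Service after the upgrade is visible here.
$svc = Get-CimInstance Win32_Service |
       Where-Object { $_.Name -in $Expected -or $_.DisplayName -in $Expected }
$svc | Format-Table Name, State, StartName -AutoSize
foreach ($name in $Expected) {
  $s = $svc | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
  if (-not $s)                    { $problems += "Service not found: $name" }
  elseif ($s.State -ne 'Running') { $problems += "Service not running: $name ($($s.State))" }
}

# 2. ExternalListenUrls lists every binding that existed before the upgrade.
$raw = Get-Content -LiteralPath $AppSettings -Raw
if ($raw -match '"ExternalListenUrls"\s*:\s*"([^"]*)"') {
  $urls = $Matches[1] -split ';' | ForEach-Object { $_.Trim() }
  foreach ($b in $ExpectedBindings) {
    if ($b -notin $urls) { $problems += "Binding missing from ExternalListenUrls: $b" }
  }
} else { $problems += 'ExternalListenUrls key not found in appsettings.json' }

# 3. CxSASTManagerUri kept its protocol (read-only query; no UPDATE is issued).
$q   = "SELECT [Value] FROM [CxDB].dbo.[CxComponentConfiguration] WHERE [Key] = 'CxSASTManagerUri'"
$row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q
if (-not $row -or $row.Value -notmatch "^${ExpectedScheme}://") {
  $problems += "CxSASTManagerUri is '$($row.Value)', expected ${ExpectedScheme}://{fqdn}"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'All post-upgrade checks passed.' }
```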

Upgrading CxSAST in High Availability Solutions

To install and configure high availability solutions, refer to the relevant instructions. In addition, a diagram that outlines the architecture for high availability solutions is available here.

To edit the protocols in use or the station and/or port definitions for any of the upgraded Cx components, refer to Changing the Server Name, IP or Port for Checkmarx Components for further information and instructions.

Incremental Scans

After upgrades (major versions or hotfixes) or Content Pack updates, it is highly recommended to first run full scans before running incremental scans.