Configuring SSL between CxManager and CxEngine (v9.3.0)

CxSAST supports secure communication between CxManager and CxEngine based on SSL/TLS certificates. These instructions cover CxEngine running on Windows and on Linux.

CxEngine runs as a WCF service that is not managed through the IIS console, so its TLS settings are configured with environment variables rather than with IIS bindings. The steps below explain how to configure the secure connection on both the CxManager and the CxEngine hosts.

The secure connection is established between these two hosts only. It can be configured with self-signed certificates or with certificates issued by a real CA.

Windows

This section explains how to establish a secure connection when running CxEngine under Windows.

CxEngine Host

  • Use the PowerShell cmdlet New-SelfSignedCertificate to create a self-signed certificate, as shown in step 1.

  • The certificate must have the key usages DigitalSignature and KeyEncipherment.
    The cmdlet's parameters differ between Windows versions: the Windows Server 2012 version accepts only -DnsName, -CertStoreLocation and -CloneCert, so -Subject and -KeyUsage are available from Windows Server 2016 / Windows 10 onward.

  1. Create a certificate (issued by a Certificate Authority, or self-signed).
    Use one of the following New-SelfSignedCertificate examples to create a certificate and place it under Local Machine\Personal\Certificates (the certificate subject and thumbprint can be copied from the command's output). Use the host name by which the CxManager connects to this engine as the -DnsName value, since it becomes the certificate's Subject Alternative Name and is what the Manager validates against:

    • WinServer 2012:
      New-SelfSignedCertificate -DnsName "domain" -CertStoreLocation "cert:\LocalMachine\My"

    • WinServer 2016 / Windows-10:
      New-SelfSignedCertificate -DnsName "domain" -CertStoreLocation "cert:\LocalMachine\My" -Subject "CX_SUBJECT" -KeyUsage DigitalSignature, KeyEncipherment

  2. Make the private key readable by the service. In the certificate console (certlm.msc), go to Local Machine\Personal\Certificates, right-click the certificate and choose All Tasks > Manage Private Keys.

  3. Add the user account that runs the EngineService ("Network Service" by default) to the list of authorized users. Read permission is sufficient; do not grant Full Control.

  4. Copy the certificate from Personal\Certificates to Local Machine\Trusted Root Certification Authorities\Certificates (copy and paste the entry in the console; do not import the PFX there, since only the public certificate belongs in the trust store).

  5. Set the environment variables at the machine level, as explained below under To set the environment variables.

To set the environment variables:

Before setting the environment variables, you must know the certificate subject (or its thumbprint).

  1. To obtain the subject of a PFX certificate, open PowerShell and run
    Get-PfxCertificate -FilePath <full path of the PFX file>, for example
    Get-PfxCertificate -FilePath "C:\Users\Administrator\Desktop\myCert.pfx".

  2. Enter the certificate's password when prompted. The Subject and Thumbprint columns of the output hold the values used in the next step.

  3. From an elevated prompt, set the following machine-level environment variables, entering the certificate subject you just obtained:
    SETX CX_ENGINE_TLS_ENABLE true /m
    SETX CX_ENGINE_CERTIFICATE_SUBJECT_NAME Certificate-Subject /m
    (for example: SETX CX_ENGINE_CERTIFICATE_SUBJECT_NAME CN=CxEngine /m)
    A subject that contains spaces or commas must be quoted, for example: SETX CX_ENGINE_CERTIFICATE_SUBJECT_NAME "CN=CxEngine, O=Example" /m

    CX_ENGINE_CERTIFICATE_THUMBPRINT can be used instead of CX_ENGINE_CERTIFICATE_SUBJECT_NAME. The thumbprint identifies exactly one certificate, whereas a subject can match several (for example an expired certificate and its renewal), so prefer the thumbprint where possible:
    SETX CX_ENGINE_CERTIFICATE_THUMBPRINT Thumbprint /m
    (for example: SETX CX_ENGINE_CERTIFICATE_THUMBPRINT 40B9BC7195F39FCA8FDB0C93F8CD1F1A72D2E697 /m; the value shown is a placeholder, use your own certificate's thumbprint)

  4. Restart the CxEngineService.
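The whole Windows engine-host procedure above (create the certificate, grant the service account read access to the private key, trust the public certificate, set the machine-level variables, restart the service) scripted end to end. This is an added example, not a script shipped by Checkmarx; it targets Windows Server 2016+ / PowerShell 5.1, must run elevated, and assumes the engine's DNS name, the NETWORK SERVICE account, the service name CxEngineService (check Get-Service on your host) and a CNG (KSP) key, which is what New-SelfSignedCertificate creates by default on those versions. It pins the certificate by thumbprint rather than subject.

```powershell
# Added example (not Checkmarx's own script): CxEngine host TLS setup on
# Windows Server 2016+ / PowerShell 5.1. Run as Administrator.
# Assumptions (not from the page): $EngineFqdn is the name the Manager uses
# to reach this engine; the engine runs as NETWORK SERVICE; the service is
# named 'CxEngineService' (verify with Get-Service before running).
param(
    [string]$EngineFqdn  = 'cxengine01.corp.example',
    [string]$ServiceUser = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$ServiceName = 'CxEngineService',
    [string]$CerOut      = "$env:TEMP\cxengine-public.cer"
)
$ErrorActionPreference = 'Stop'

# 1. Self-signed certificate in LocalMachine\My with the required key usages.
#    -DnsName becomes the SAN, so it must be the name the Manager connects to.
$cert = New-SelfSignedCertificate -DnsName $EngineFqdn `
    -Subject "CN=$EngineFqdn" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(2)

# 2./3. Grant the service account Read (not Full Control) on the private key
#    file; this is what "Manage Private Keys" does in the console.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                                   # CNG / KSP key (default on 2016+)
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName       # legacy CSP key
}
$keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName") |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "private key file for $($cert.Thumbprint) not found" }
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Only the public certificate goes into Trusted Root: export a .cer and
#    import that, never the PFX. The same .cer is copied to the Manager host.
Export-Certificate -Cert $cert -FilePath $CerOut -Force | Out-Null
Import-Certificate -FilePath $CerOut -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Machine-level variables (equivalent of SETX ... /m). The thumbprint pins
#    exactly one certificate, so it is used instead of the subject name.
[Environment]::SetEnvironmentVariable('CX_ENGINE_TLS_ENABLE', 'true', 'Machine')
[Environment]::SetEnvironmentVariable('CX_ENGINE_CERTIFICATE_THUMBPRINT', $cert.Thumbprint, 'Machine')

# Sanity checks before the restart: one matching cert with a private key in
# My, and the service account actually present in the key ACL.
$inStore = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint)
if ($inStore.Count -ne 1 -or -not $inStore[0].HasPrivateKey) { throw 'certificate not installed correctly' }
$granted = (Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $ServiceUser }
if (-not $granted) { throw "key ACL does not include $ServiceUser" }

Restart-Service -Name $ServiceName
Write-Output "Engine certificate thumbprint: $($cert.Thumbprint)"
Write-Output "Copy $CerOut to the Manager host and import it into Trusted Root Certification Authorities."
```

The ACL step works on the key file directly because the private key of a machine certificate is an ordinary file under %ProgramData%\Microsoft\Crypto; granting Read there is exactly what the Manage Private Keys dialog writes. Keep the exported .cer for the Manager host and delete it from the engine host afterwards if it is not needed there.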

Manager Host

If the SAST services run under a user account, put the certificate in Current User\Trusted Root Certification Authorities\Certificates or in Local Machine\Trusted Root Certification Authorities\Certificates.
If the services run under the Network Service account, put the certificate in Local Machine\Trusted Root Certification Authorities\Certificates.

The public certificate (.cer/.crt) is sufficient; the private key stays on the engine host. Install it only on the Manager hosts that connect to this engine, since anything in Trusted Root is trusted machine-wide.

Linux

Use a PFX (PKCS#12) file that contains the engine certificate together with its private key.

Engine Host

The CxEngine server package consists of the components listed below. Additional information is available in the installation instructions for Linux.

  • cx-engine-server.tar

  • server.env

  • run.sh

  • readme.md

To establish a secure connection:

  1. Copy the PFX file to a directory on the host that will be mounted into the container, for example /usr/my/certificates. Restrict the file to the user that runs run.sh, because it contains the private key.

  2. Set the following variables in the server.env file:
    CX_ENGINE_TLS_ENABLE=true
    CX_ENGINE_CERTIFICATE_SUBJECT_NAME=Certificate-Subject

    CX_ENGINE_CERTIFICATE_THUMBPRINT can be used instead of CX_ENGINE_CERTIFICATE_SUBJECT_NAME. The thumbprint identifies exactly one certificate, whereas a subject can match several:
    CX_ENGINE_CERTIFICATE_THUMBPRINT=Thumbprint

  3. ActiveMQ secure communication over TLS (optional)

    • Copy the AMQ broker certificate to the certificates directory, for example, /usr/my/certificates/<broker_cert>

    • Set the broker URL in server.env. The certificate path is passed as the transport.BrokerCertFilename query parameter, so it must be percent-encoded (each / becomes %2F). It is resolved by the engine process, which runs inside the container, so use the path under the mount target from step 6 rather than the host path:
      CX_ES_MESSAGE_QUEUE_URL=ssl://<Active_MQ_host_address>:<MQ_PORT>?transport.BrokerCertFilename=%2Fapp%2Fcertificate%2F<broker_cert>

      • If the same certificate is used for both the engine connection and the MQ broker, omit the parameter:
        CX_ES_MESSAGE_QUEUE_URL=ssl://<Active_MQ_host_address>:<MQ_PORT>

  4. Mount the certificates directory into the container as a volume (as shown in step 6). A read-only mount (append :ro to the -v argument) is sufficient, since the engine only reads the files.

  5. Pass the engine certificate arguments to the container (as shown in step 6):
    cert_filepath - the certificate path as seen inside the container (under the volume mount)
    cert_password - the certificate password

  6. Modify the "docker run" command in the run.sh script as follows:
    docker run --env-file ./server.env -d -p 0.0.0.0:8088:8088 -v /usr/my/certificates:/app/certificate/ cx-engine-server --cert_filepath /app/certificate/certificate.pfx --cert_password my_cert_password

    The password is visible to anyone who can read run.sh, list processes on the host (ps) or inspect the container (docker inspect), so restrict the permissions of run.sh and do not commit it to version control.

  7. Run the script: sh run.sh

Manager Host

If the SAST services run under a user account, put the certificate in Current User\Trusted Root Certification Authorities\Certificates or in Local Machine\Trusted Root Certification Authorities\Certificates.
If the services run under the Network Service account, put the certificate in Local Machine\Trusted Root Certification Authorities\Certificates.

Install only the public certificate exported from the engine's PFX; the PFX itself, with the private key, stays on the engine host.
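The Manager-side steps for a Linux engine, together with the server.env values from the Linux procedure above, as one script. This is an added example, not Checkmarx's code: it runs on the Windows CxManager host, reads the engine's PFX with Get-PfxCertificate (as the page does for the subject), installs only the public certificate in the trust store that matches the service account, prints the server.env lines with the percent-encoded broker certificate path, and finally opens a TLS connection to the engine to confirm the Manager's trust store and the pinned thumbprint line up. The PFX path, host names, ports, the in-container broker certificate path and the engine port 8088 (the one run.sh publishes) are placeholders; the handshake check assumes the engine terminates TLS directly on its socket.

```powershell
# Added example (not Checkmarx's own code): run on the Windows CxManager host
# after a Linux engine has been configured. All names, paths and ports are
# placeholders to replace with your own.
param(
    [string]$PfxPath               = 'C:\certs\cxengine-linux.pfx',
    [string]$EngineHost            = 'cxengine01.corp.example',
    [int]$EnginePort               = 8088,                          # port published in run.sh
    [string]$BrokerHost            = 'activemq.corp.example',
    [int]$BrokerPort               = 61617,
    [string]$BrokerCertInContainer = '/app/certificate/broker.pem', # mount target, not the host path
    [switch]$ServicesRunAsUser                                      # SAST services run under a named account
)
$ErrorActionPreference = 'Stop'

# Subject and thumbprint come straight from the PFX (prompts for its password).
$engineCert = Get-PfxCertificate -FilePath $PfxPath

# Trust store per the page: LocalMachine\Root for NETWORK SERVICE; CurrentUser\Root
# is enough for a named service account (run this script as that account).
$store = if ($ServicesRunAsUser) { 'Cert:\CurrentUser\Root' } else { 'Cert:\LocalMachine\Root' }
$cerFile = Join-Path $env:TEMP 'cxengine-linux.cer'
Export-Certificate -Cert $engineCert -FilePath $cerFile -Force | Out-Null   # public part only
Import-Certificate -FilePath $cerFile -CertStoreLocation $store | Out-Null

# server.env values. The broker certificate path is a URL query parameter, so
# it is percent-encoded ("/" becomes "%2F"), and it is the path the engine
# sees inside the container.
$encodedPath = [uri]::EscapeDataString($BrokerCertInContainer)
$serverEnv = @"
CX_ENGINE_TLS_ENABLE=true
CX_ENGINE_CERTIFICATE_THUMBPRINT=$($engineCert.Thumbprint)
CX_ES_MESSAGE_QUEUE_URL=ssl://${BrokerHost}:${BrokerPort}?transport.BrokerCertFilename=$encodedPath
"@
Write-Output "--- paste into server.env on the engine host ---"
Write-Output $serverEnv

# Handshake check: AuthenticateAsClient validates the chain against the store
# just populated and checks the name, then the thumbprint is compared so a
# substituted certificate with a valid chain is still rejected. Assumes the
# engine terminates TLS directly on the socket; a framed endpoint (net.tcp
# style) would fail here for protocol reasons, not trust reasons.
function Test-EngineTls([string]$TargetHost, [int]$Port, [string]$ExpectedThumbprint) {
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)      # throws on untrusted chain or name mismatch
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return ($remote.Thumbprint -eq $ExpectedThumbprint)
    } finally {
        $tcp.Close()
    }
}

if (Test-EngineTls $EngineHost $EnginePort $engineCert.Thumbprint) {
    Write-Output "TLS to ${EngineHost}:${EnginePort} verified, thumbprint $($engineCert.Thumbprint)"
} else {
    throw "engine at ${EngineHost}:${EnginePort} presented a certificate other than $PfxPath"
}
```

If AuthenticateAsClient throws with a name-mismatch error, the -DnsName (or the PFX's SAN) does not match the host name the Manager uses; fix the certificate rather than disabling validation. If it throws with an untrusted-chain error while the certificate is in Trusted Root, the import went into the wrong store for the account the services run under.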