Before installing CxSAST, make sure that you understand the System Architecture, that your server host(s) complies with the server host requirements, and that you have properly prepared the installation environment.
Prior to installing CxSAST, if not already installed on the server host, install the following prerequisites, which are included in the installation zip file (“third party” folder):
- IIS (Windows 7 or greater) - see the OS-specific instructions (IISInstallationProcess.rtf file)
- MS SQL
- VC++ Runtime Redistributable
For more information, see server host requirements.
The user performing the installation must have administrative network permissions (user name and password) for the computer/server running CxSAST Services.
Setting Up CxSAST
It is recommended to obtain a license before you start your installation. This way you will be able to provide the license during the installation and be able to use the product immediately.
Your CxSAST license is tied to a specific machine (server); so all you have to do is to run the Cx HID Generator and a HID (hardware identification number) is provided. The HID Generator can be downloaded from the Cx Utilities page.
Please send the Hardware ID number to your technical contact or your sales manager. They will send you back your license. If you do not know who to send the Hardware ID to, please send it to email@example.com.
- Download the CxSAST installation package.
- On each server component host:
- Extract the downloaded ZIP archive, supplying the password provided by Checkmarx support.
- Run CxSetup.exe and begin the installation.
Prerequisites and Recommendations
- The installer requires .Net 4.7.1 Framework installed on your server (If missing, it will be installed by the CxSAST installer).
- The required Web Server for Checkmarx is IIS Server (if missing, it will be installed by the CxSAST installer on the condition that the Windows installation media is accessible).
- SQL 2012 Express is included with the CxSAST installer and is installed (if defined) in the event that no other version of SQL is already installed.
Once you have downloaded the CxSAST Installation package, run the CxSetup.exe. The Checkmarx Welcome window is displayed.
Click ALL IN ONE to continue, ADVANCED to define additional setup options, or X to exit. The Checkmarx License Agreement window is displayed.
Review and accept the license agreement by checking the 'I accept the terms in the License Agreement' checkbox. Click Next to continue.
If you selected ADVANCED, the additional Installation Options window is displayed.
Click Select to define the CxSAST installation location.
Select the required product features for this installation from the available list. You can also select the option to install related shortcuts on your desktop.
Click Next. The Prerequisites Check window is displayed, showing the status of all prerequisite components.
For any prerequisite not installed, click the respective INFO button for additional installation information, and then click Prerequisites Folder to install the missing component(s).
Click Recheck Prerequisites to confirm the installation status.
When all prerequisite components are installed, click Next to continue. The CxSAST SQL Server Configuration window is displayed.
For CxSAST, define a connection to the installed SQL Server or to any other SQL server on your network, by selecting one of the following:
- Connect using integrated Windows authentication (login not required)
- Connect using SQL Server authentication (provide SQL user name and password for login with SA permissions).
Click Test Connection. A "Connection OK" message is displayed upon confirmed connection to the SQL Server.
A notification displays if existing SQL Express files are detected.
Click OK on the message, and then click NEXT to continue.
If installing CxARM, the CxARM Message Broker Configuration window is displayed.
If installing CxARM, the Apache Tomcat Configuration window is displayed.
If installing CxARM, the CxARM SQL Server Configuration window is displayed.
For CxARM, define the SQL Server connection by selecting one of the following:
- Connect using Integrated Windows Authentication (login not required)
- Connect using SQL Server Authentication (provide SQL user name and password for login with SA permissions)
Click Test Connection. A "Connection successful" message is displayed upon confirmed connection to the SQL Server.
Click OK on the message, and then click NEXT.
The License Activation window is displayed.
Select the preferred licensing method by selecting one of the following:
- Import new license: If you already have a valid CxSAST license file, select the Import New License option and then click Import License Browse to the file location.
- Request new license: If you have not yet obtained a permanent CxSAST license. Select the Request New License option and then click Copy to Clipboard. Send the copied Hardware ID to your Checkmarx sales representative or contact Checkmarx support.
Click NEXT to continue.
If the default port 80 is occupied, the Validate Port window is displayed.
If required, select another port and click Validate Port.
Click NEXT to continue. The Setup Summary window is displayed.
Check the setup summary according to your selection.
Click INSTALL to continue, BACK to return to the previous window, or X to exit. The Installation in Progress window is displayed.
Once complete the Installation Completed Successfully window is displayed.
To continue now with the database synchronization:
Leave the checkbox selected, and then click CLOSE. If required, reboot the server (you will receive a prompt if rebooting is necessary). The database synchronization process starts automatically.
To perform the database synchronization at another time:
Alternatively, you can manually initiate the synchronization process at a later time by clearing the checkbox now, and clicking Close. At a later time use the ETL tool to perform the synchronization, located at: C:\Program Files\Checkmarx\Checkmarx Risk Management\ETL\etl_executor.exe
NOTE:This folder may vary according to the selected Checkmarx installation folder.
For more information on Application Risk Management, see Installing CxARM.
Installed Services Check
Go to Start > Control Panel > System and Security > Administrative Tools > Services
Make sure the following installed Checkmarx services are started:
On a centralized host:
- Web Server:
- IIS Admin Service
- World Wide Web Publishing Service
- Application Risk Management:
On a CxEngine host:
Installed Application Pool Check
Go to Start > Control Panel > All Control Panel Items > Administrative Tools > Internet Information Services (IIS) Manager
Make sure the following installed application pools are started:
On a centralized host:
Enable Long Path Support in CxSAST Application
.NET framework 4.6.2 and above supports the Long Path feature by default. The following actions should be taken in order for the Long Path feature to be enabled.
The following configuration should be added to the Web Service and REST API:
<httpRuntime targetFramework="4.6.2" />
<httpRuntime targetFramework="4.6.2" />
<compilation targetFramework="4.5.1" debug="true"/>
Login to the Web Interface
Access the CxSAST web interface in either of the following ways:
Access CxSAST locally (from the server host) by using the Checkmarx Portal shortcut on the Desktop or navigate to the Checkmarx folder (Start > All Programs > Checkmarx > Checkmarx Portal).
To access CxSAST from any other computer, make sure that organizational routing and firewall configuration allow the client computer to access the CxSAST server. Point your browser to: http://<server>/cxwebclient/login.aspx where <server> is the IP address or resolvable hostname of the CxSAST server.
Upon a fresh installation, a single Administrator Account needs to be created.
Once the Set Administrator Credentials window is displayed, add the following credentials:
- Administrator User Name
- Confirm Password
Click Confirm to complete.
You can subsequently change the Administrator password and add CxSAST users.
In a distributed architecture:
Go to Management > Application Settings > Engine Management. The Engine Management window is displayed.
Click Register Engine Server. The Register Engine Server window is displayed.
Give the Engine a Server Name, and provide the Server URL, so that CxManager will be able to communicate with CxEngine. The URL should be: http://<Server_Name>/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc
(where <Server_Name> is the CxEngine host's IP address or resolvable name).
Optionally define Scan LOC Limits (maximum lines of code allowed).
Multiple CxEngine Servers:
If you have multiple CxEngine Servers, repeat the above step for each one.
Go to Management > Application Settings > General.
After updating the information, at the bottom of the page, click Update:
If permitted by your CxSAST license, set the “Maximum number of concurrent scans“ to the desired number for all the CxEngine Servers.
Enable Long Path Support in Server Settings
In order for the long path feature to be fully supported in CxSAST, click Edit and check the Long Path Support checkbox.
Click Update to save the changes.
Provide SMTP settings. Other settings should usually be left as they are. Optionally, you can configure the "From" field of emails. If you don't configure it, it will be left empty.
Click Update to save changes.
If licensed for CxOSA, select the OSA (Open Source Analysis) scan option and click Update.
Verify that the email address in the CxSAST profile settings (My Profile > Account Information) is of a valid format, i.e. John.Smith@example.com, and not John.Smith@example. This is required for AppSec Coach registration.
Go to Management > Application Settings > Installation Information.
Validate that you have successfully installed the correct version and/or hot-fix and review all CxSAST system components ensuring that they are all of the same version.