CxSAST is based on IIS Application Pools and CxServices. For each of these, the CxSAST installer defines the local Network Service account as the default.
If Active Directory (SSO) is used, the SPNs for the application server URLs must be added to the user that the application pools run under in order for Kerberos to work correctly.
It is important to differentiate between the components, as not all of them are used for the same purpose.
IIS Application Pools
- CxClientPool - Application Pool of the Web Portal - the user that is defined here will not influence any external tools.
- CxPool - Application Pool of the CxManager - the user that is defined here is used for connection to a third party server, e.g. TFS, GIT, SVN, etc.
- CxPoolRestAPI - Application Pool of the RestAPI - the user that is defined here will not influence any external tools.
The user assigned to the IIS App Pools must have access to the CxDB and CxActivity databases in the SQL Server if 'Integrated Security=True' is set in the DBConnectionData.config file.
Services for the CxManager - The user that is defined here (and for the CxPool) is used for the connection to the SQL server (if 'Integrated Security=True' is set in the DBConnectionData.config file):
- Web server:
  - World Wide Web Publishing Service
  - IIS Admin Service
- Management and Orchestration:
- Shared services:
  - ActiveMQ – Message Broker (Apache message queue broker) for communicating between Checkmarx products
Service for the CxEngine - The user that is defined here must either be in the Administrators group of the server or (recommended!) have the netsh command run for this user.
For resolving issues, it is recommended to keep all the CxServices defined with the same user.
Ensure that the user accessing the Cx storage folders (CxSrc, CxReports, ExtSrc) has the appropriate read/write permissions.
1. Ensure that the user running the CxServices has the appropriate authorization, i.e. has domain access, administration rights, etc.
2. In the Service Manager (services.msc), check the Log On As user accounts for each of the following:
If any of the CxServices are anything other than the default Network Service, make sure you know the user account's full credentials.
3. Open Windows Services:
4. Right click on a CxService and select Properties.
5. Select the Log On tab, enter the appropriate user credentials and click OK.
IIS (Application Pools)
1. In the IIS Manager, navigate to Application Pools, and check the user Identity of each of the following:
If any of the Cx Application Pools are anything other than the default Network Service, make sure you know the user account's full credentials.
2. Open IIS Manager Console:
3. Click Application Pools and then select any of the Cx Application Pools.
4. Click Advanced Settings on the Action menu.
5. In the Advanced Settings window, scroll to Identity (under Process Model) and double click the user that is defined.
6. In the Application Pool Identity window, select the Custom Account radio button and click Set.
7. Enter the appropriate user credentials and click OK.
Cx Storage Folders
1. Verify that the user accessing the Cx storage folders (CxSrc, CxReports, ExtSrc) has the appropriate read/write permissions.
2. To modify the read/write permissions for Cx storage folders:
   1. Navigate to the desired Cx storage folder (C:\CxSrc, C:\CxReports, C:\ExtSrc).
   2. Right-click the folder, click Properties, and then click the Security tab.
   3. Click Edit and select the user or group for which you want to change the permissions.
   4. Check the permissions that you want to add for that user or group.
      For a single manager with local folders, define read/write permissions.
   5. Click Apply to save the changes.
3. Repeat this procedure for the remaining Cx storage folders.
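The three checks above (service Log On As accounts, application pool identities, storage folder permissions) can be reviewed in one read-only pass. The script below is an added example, not part of the Checkmarx documentation. It assumes the Cx service names start with "Cx", that the WebAdministration module is installed with IIS, and that the storage folders are at the default paths named on this page.

```powershell
# Added example: read-only audit of the accounts and ACLs described on this page.
# Run in an elevated PowerShell session on the CxSAST server.
Import-Module WebAdministration   # provides the IIS:\ drive

# Pool names and folder paths come from the page.
$pools   = 'CxClientPool', 'CxPool', 'CxPoolRestAPI'
$folders = 'C:\CxSrc', 'C:\CxReports', 'C:\ExtSrc'

# 1. "Log On As" account of every Cx service.
#    Assumption: the service names start with "Cx"; adjust the filter if yours differ.
$services = Get-CimInstance Win32_Service -Filter "Name LIKE 'Cx%'" |
    Select-Object Name, State, @{ n = 'Account'; e = { $_.StartName } }
$services | Format-Table -AutoSize | Out-Host

# The page recommends one account for all CxServices; warn when they diverge.
$accounts = @($services.Account | Sort-Object -Unique)
if ($accounts.Count -gt 1) {
    Write-Warning "Cx services use different accounts: $($accounts -join ', ')"
}

# 2. Identity of each Cx application pool (Process Model > Identity in IIS Manager).
$poolIdentities = foreach ($p in $pools) {
    $path = "IIS:\AppPools\$p"
    if (-not (Test-Path $path)) { Write-Warning "Application pool $p not found"; continue }
    $pm = Get-ItemProperty $path -Name processModel
    [pscustomobject]@{
        Pool         = $p
        IdentityType = $pm.identityType   # e.g. NetworkService or SpecificUser
        UserName     = $pm.userName       # populated only for a custom account
    }
}
$poolIdentities | Format-Table -AutoSize | Out-Host

# 3. Access entries on each storage folder, to compare against the accounts above.
foreach ($f in $folders) {
    if (-not (Test-Path $f)) { Write-Warning "$f not found"; continue }
    (Get-Acl $f).Access |
        Select-Object @{ n = 'Folder'; e = { $f } }, IdentityReference,
                      AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-Host
}
```

The script changes nothing. Compare the accounts from steps 1 and 2 against the Allow entries in step 3 to confirm the service user has read/write rights and no broader group has been granted more than it needs.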