Skip to main content

Troubleshooting

Introduction

This page is designed to help you address issues that may arise during deployment (or even after), categorized into three sections: issues applicable to both scenarios, Docker-specific issues, and Windows-specific issues.

We aim to provide quick insights and solutions for a smooth deployment and user experience.

Notice

If you encounter challenges not covered here or have additional questions, please contact our team.

If you’re just getting a blank white page on both the Policy Management Portal and the Policy Management Swagger page and have a console log of an error stating Uncaught SyntaxError: Unexpected token, as shown in the images below, your browser might be too old. You need to update it to load the page's javascript.

Common Issues

Outdated Browser

If you’re just getting a blank white page on both the Policy Management Portal and the Policy Management Swagger page and have a console log of an error stating Uncaught SyntaxError: Unexpected token as shown in the images below, your browser might be too old.

You need to update it to load the page's javascript.

2024-01-10_09h37_20.png
2024-01-10_09h37_03.png

Session - Silent Renew Fails

In a scenario with a customized hostname without SSL, and your session is not renewed, this is due to how modern browsers handle cookies, which apply strict policies to improve web security (by restricting when cookies are sent with cross-origin requests, they help mitigate certain types of attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Script Inclusion (XSSI)). Therefore, SSL is mandatory to take advantage of a scenario where Policy Management is hosted using a customized hostname.

For more details, see here.

Creating a New Admin User in the Database

Using MSSQL, run the following query replacing the username and password:

USE master;
CREATE LOGIN <username> WITH PASSWORD = '<password>';
ALTER SERVER ROLE sysadmin ADD MEMBER <username>;

How to set up a hosts file?

If you create a new site and pretend to use the same port as localhost, you need to update the host file to allow communication to your hostname using the same port used by localhost.

Or, if you want to access Policy Management, deployed with a hostname, from a machine that isn’t where it was deployed, you need to map the hostname to the host’s IP address.

  1. Access to host file C:\Windows\System32\drivers\etc\hosts with admin permissions.

  2. At the end of the file, add the following line where <ip_address> is the IP address of the machine where Policy Management is deployed and <hostname> is the Hostname that you selected for the base address:

    <ip_address> <hostname>

    For example:

    127.0.0.1 CxPolicyManagement

Warning

127.0.0.1 is the IP address that serves Ipv4 for the local host. If you want to access Policy Management from another machine, use the public IP address of the machine where Policy Management was deployed and the hostname.

Deployment Setup Issues

SqlCmd

The deployment setup script executes a set of queries in the SAST database and uses the SqlCmd util to execute them. It means that to be able to execute this command, you need to have SQL Server Management tools or sqlcmd Utility installed in your machine.

Warning

If you get the error: “sqlcmd : The term 'sqlcmd' is not recognized as the name or cmdlet, function, script file or operable program.“ you need to install SqlCmd.

To do it, follow the link: https://learn.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver16

If you are trying to access Policy Management or execute a plugin from a different computer where Policy Management was deployed, and you are having an error, please check if you set the host file in your computer correctly to allow your computer to resolve the hostname.

Console Application (Non) Support in the ISE

The PowerShell Team mentions some limitations on how the ISE interacts with console applications, which you must be aware of for apps like FTP and Netsh. First of all, the ISE Runs console apps that don’t require user input just fine.” for this reason, you need to use, specifically, the PowerShell console.

Migration Issues

Invalid object name STRING_SPLIT error

The policies_migration.sql migration script uses a function called STRING_SPLIT that is only available on SQL Server 2016 (13.x) and later. To use this function, the compatibility level setting of the database must be at least 130.

Check the current compatibility level with:

SELECT compatibility_level FROM sys.databases WHERE name = 'CxDB';

And change it with:

ALTER DATABASE [CxDB] SET COMPATIBILITY_LEVEL = 130;

Run the script again to ensure all the M&O data migrated successfully. You may revert it to its initial value at any time.

Windows Issues

Product Version Information

You can find the version installed for both products inside the root of each folder (backend and frontend) in the README.md file.

Following the example in the Windows Deployment page, that would be in:

C:\Program Files\Checkmarx\CxPolicyManagement\Portal\README.md

C:\Program Files\Checkmarx\CxPolicyManagement\Backend\README.md

Backend

Connection String Change

If you edited the connection string after installing Policy Management, to change the username or password, ensure the EncryptionKey and EncryptionVector have empty values.

ADO Plugin Necessary Fix

If you use the Checkmarx One Azure DevOps (ADO) plugin, there is a necessary fix for the plugin’s HTTP request to keep the plugin working. First, verify the Physical Path of the Default Website in the Advanced Settings:

physical-path.gif

The cx-pm-setup.ps1 script creates a web.config file with URL Rewrite rules in the IIS Default Web Site default physical path. However, a few scenarios can cause the plugin HTTP request to fail.

  1. The Physical Path for the Default Web Site is not %SystemDrive%\inetpub\wwwroot: copy the file in your <backend_folder>\ADO_plugin_fix\web.config (in the Windows Deployment: C:\Program Files\Checkmarx\CxPolicyManagement\Backend\ADO_plugin_fix\web.config) to the location of your Default Web Site’s Physical Path.

  2. web.config file already exists in %SystemDrive%\inetpub\wwwroot\web.config: Add the Rewrite Rules that are in <backend_folder>\ADO_plugin_fix\web.config (in the example above: C:\Program Files\Checkmarx\CxPolicyManagement\Backend\ADO_plugin_fix\web.config) to your web.config file.

  3. CxSast Policy Management was deployed as a new website: Edit the Rewrite Rule action to redirect the requests to the correct URL. In the web.config file created (by you or the PowerShell script) in the Default Web Site’s Physical Path, edit the URL attribute of the action element by adding the correct Policy Management API URL in the beginning. According to the example in the deployment guide, you would need to make the following changes:

    rewrite_url.png

HTTP Error 500.30 - ASP.NET Core app failed to start

image-20231222-143129.png

Open Event Viewer on Windows, go to Windows Logs>Application, and try to find the most recent error from the IIS source. There, we can find the source of the problem.

  • A possible cause for this problem could be that the database user does not have sufficient permissions; check if the user you are setting for the database connection has the role “sysadmin“.

  • Another possible cause could be a misconfiguration in appsettings.json. Compare whether ConnectionStrings has the same parameters as the ones shown in the Windows Deployment page example. (If you edit the connection string, ensure the EncryptionKey and EncryptionVector have empty values after you make changes).

Errors Connecting to the Database

If you have issues connecting to the database with credentials, an issue could be that SQL Server Authentication is disabled.

You can easily verify this by testing if you can log in SSMS using SQL Server Authentication.

image-20231227-110142.png

If not, you need to first enable that login option in the properties of the database.

image-20231227-110416.png

After that, open Sql Server Configuration Manager and restart your SQL Server service.

image-20231227-110633.png

In the end, also restart IIS.

Docker Issues

Backend

Errors Connecting to the Database

If you’re having issues connecting to the Database and the Backend container logs, include a FATAL error:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 40 - Could not open a connection to SQL Server: Could not open a connection to SQL Server)

There might be an issue with the SQLEXPRESS TCP/IP protocol.

You can check if it is enabled and what your port is in Sql Server Configuration Manager.

image-20240116-153836.png

If you make any changes, you need to restart the SQL Server (SQLEXPRESS) service in the first option of the list on the left SQL Server Services.

Product Version Information

You can find the version installed for both products by viewing the content of the README.md file inside the "/app" directory of each container (frontend and backend).

To quickly check the version, you can run the following bash command (replacing the container name or ID):

docker exec -it <container_name_or_id> cat /app/README.md

Complementary Configurations

Note

The instructions below are only necessary for specific cases.

How to Create a New Admin User in the Database

  • Using MSSQL

    1. Run the following query replacing the username and password:

      USE master;
CREATE LOGIN <username> WITH PASSWORD = '<password>';
ALTER SERVER ROLE sysadmin ADD MEMBER <username>;

How to Set Up a Host File

If you are creating a new site and need to use the same port as localhost, you need to update the host file to allow communication to your hostname using the same port.

  1. Access to host file C:\Windows\System32\drivers\etc\hosts with admin permissions

  2. At the end of the file, add the following line where < Hostname> is the hostname that you selected for the policy management website:

    127.0.0.1 <hostname>

    In this guide's example:

    127.0.0.1 CxPolicyManagement

Portal

Redirect Problems

  • Open the URL Rewrite module for the backend application. If there are any rules present, they should be removed:

    image-20231226-152817.png

  • Ensure that the web. Config file exists within the Portal folder and has the contents described in URL Rewrite. If the file doesn't exist, place it there manually.

Backend

HTTP Error 500.30 - The ASP.NET Core app failed to start

image-20231222-143129.png

First, open Event Viewer on Windows, go to Windows Logs>Application, and try to find the most recent error from the IIS source. There, we can see the source of the problem.

  • A possible cause for this problem could be that the database user does not have sufficient permissions; check if the user you are setting to the database has the role "sysadmin. "

  • Another possible cause could be a misconfiguration in appsettings.json. Compare whether ConnectionStrings has the same parameters as the previously mentioned ConnectionStrings.

Error Connecting to Database

If you have issues connecting to the database with credentials, test if you can log in to SSMS using SQL Server Authentication.

image-20231227-110142.png

If not, you should enable that login option in the properties of the database.

image-20231227-110416.png

After that, you should open SQL Server Configuration Manager and restart your SQL Server service.

image-20231227-110633.png

In the end, restart IIS.

In this section: