Skip to main content

Deployment - Additional Information


For troubleshooting, check Troubleshooting.

This page describes setting up the Policy Management (PM) authentication and authorization. It also provides client-related customizations required for Windows deployment and creates configuration files to help deploy Docker containers.

Authorization and Authentication

Policy Management integrates both authentication and authorization with CxSAST Access Control. For that:

  • New clients are created:

    • policy_management_api.

    • policy_management_swagger (to authenticate through Swagger).

    • policy_management_portal.

  • The new permission is created:

    • manage-policies (for policies management).

  • The new role is created:

    • Security Risk Manager (for policies management).


Roles must be created and/or edited manually in Access Control to include the new permission.

Setup Script


Execute the script in Administrator mode in a Windows PowerShell console.

Execute the script (in the PolicyManagement folder,\PolicyManagement\cx-pm-setup.ps1) in the CxSAST Manager host.

Parameters and Execution

The script has the following parameters:

  • DeploymentType(Default: Windows; Options: “Windows,” “Docker”) - To configure the type of deployment.

  • PostBuild (Default: true) - Configure some client-related customizations (which only occur if the deployment type is Windows and are mandatory or create necessary files for Docker deployment).

  • InstallationPath (Default: C:\Program Files\Checkmarx) - Configure the CxSAST base installation folder.

  • ServicePort - Configure the IIS/Docker port where the PM Service will be deployed.

  • PortalPort - Configure the IIS/Docker port where the PM Portal will be deployed.

  • BaseAddressService - To configure the PM Service host IP or name.

  • BaseAddressPortal - To configure the PM Portal host IP or name.

  • APIAlias - To configure the alias of PM Service API.

  • PortalAlias - To configure the alias of PM Portal.

  • BaseAddressIdentityProvider - To configure the CxSAST Identity Provider IP or name.

  • DatabaseHost (Default: .\SQLEXPRESS) - Configure the SQL Server host where the CxSAST database is deployed.

  • Username - To configure the SQL Server username for the CxSAST database access.

When the SQL Script step runs, if a Username is selected, there will be a prompt to insert the Password (the user input is hidden, so when writing, no characters will be shown).



If no Username is set, the SQL Server will try to use Windows Authentication.


If you get Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server: Login failed after using the correct password, check Error Connecting to Database.



.\cx-pm-setup.ps1 -ServicePort 5555 -PortalPort 3000 -BaseAddressService -BaseAddressPortal -BaseAddressIdentityProvider http://IdentProvDomain -InstallationPath "C:\Program Files\Checkmarx" -DatabaseHost "localhost\SQLExpress" -Username SomeUser


An error message might appear regarding the script not being digitally signed when running the script.

Execute one of the following command lines:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass


powershell -ExecutionPolicy Bypass "& '.\cx-pm-setup.ps1'"

System Requirements


This script should be executed in all machines where the SAST is installed.

If you have a High Availability environment, you must run it on all machines where the SAST is installed.

Docker Deployment

If you run the script with the parameter -DeploymentType "Docker" (and leave the PostBuild with the default true value as you should), the script will also create the docker-compose.yml and server.env files using the parameters you provided to then use these files for the Docker deployment.

In the server.env file, you'll still need to replace some placeholders regarding the database connection string: the <public_adress> of your Database and the <password> for the User used in the parameters.

You can then move them to the desired Docker host machine and proceed with the deployment.

Windows Deployment

If you run the script with the default parameter -DeploymentType "Windows" (and leave the PostBuild with the default true value as you should), the script will try to create a URL Redirect rule to fix an issue related to Checkmarx One Azure DevOps (ADO) plugin, for more details see here.

CxSast Upgrade Scenario

After a major upgrade in SAST (for example, v9.6 to v9.7), some configurations regarding Policy Management will be lost (scope, roles, and permissions). Run the cx-pm-setup.ps1 script again.