Upgrading CxSAST to v9.6.0
This page applies only to full upgrades and not to hotfixes. CxSAST supports upgrades from up to the two previous versions.
Warning
Management and Orchestration (M&O) is no longer supported in 9.6. You cannot continue with the upgrade if you have M&O installed. Please contact your Checkmarx support team to remove M&O from your environment.
Notice
Make sure to back up your Cx databases before running any software updates. Schedule the database backup to create compressed files with unique names in a separate folder from the main database files.
To upgrade from v8.9, first install v9.2, then install v9.4 and then proceed with installing v9.5. If you use an earlier version of CxSAST, contact Checkmarx Support before upgrading.
Make sure that the SQL password does not exceed 32 characters.
Some environment variables are renamed, but the names are not updated in the Environment Variables list. Therefore, you must manually verify that the environment variable names match those listed. If they do not match, you must manually update them under Windows Properties, as explained, once the upgrade is complete. Incompatible environment variable names cause CxSAST to fail.
If you intend to use TLS,
follow the guide under Configuring SSL between CxManager and CxEngine and verify the certificate's installation location as mentioned in the guide.
make sure to add CX_ENGINE_CERTIFICATE_SUBJECT_NAME as an environment variable, as explained, if it is not listed already.
Before you start:
Make sure no scans are running or queued.
Stop all Cx Windows services and Web servers, depending on the Checkmarx components installed on the server:
On a centralized host
CxSystemManager
CxJobsManager
CxScansManager
CxScanEngine
Web server:
Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click
Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".
On a CxEngine host (if applicable):
CxScanEngine
Notice
Make sure to back up your Cx databases before running any software updates. Schedule the database backup to create compressed files with unique names in a separate directory from the main database files.
To upgrade CxSAST:
Download the CxSAST installation package.
Extract the downloaded ZIP archive and supply the password provided by Checkmarx support.
Run CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.
The Checkmarx installer automatically performs a backup copy of configuration files during the upgrade. The Checkmarx backup files are at %appdata%\checkmarx (usually C:\Users\<user>\AppData\Roaming\Checkmarx).
Back-up the following files in case they need to be restored after the upgrade:
<Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml
<Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml
<Drive>:\Program Files\Checkmarx\Executables\*.*
Back up the following file for use during the upgrade process:
<Drive>:\Program Files\Checkmarx\Licenses\License.cxl
Back up the following file for use if you are unable to find or connect to the database during the installation:
<Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config
Notice
To configure Access Control and ActiveMQ for High Availability, refer to Configuring Access Control for High Availability Environments and Configuring ActiveMQ for High Availability Environments.
For upgrading the Manager/Portal server in a distributed environment, the ActiveMQ component is automatically selected when using the Easy Upgrade option.
Each manager (such as the ScanManager) must be upgraded individually for high-availability deployments.
Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:
On a centralized host:
CxSystemManager
CxJobsManager
CxScansManager
CxSastResults
CxScanEngine
Shared services:
ActiveMQ
Web server:
Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click
Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".World Wide Web Publishing Service
IIS Admin Service
Notice
If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.
After upgrading to CxSAST 9.5, you must reconnect the new engines using a different URL if you use a port different from the default port 8088.
The new URL for the new engine for CxSAST 9.5 and up is http://{IP or FQDN}:8088.
If you use a different port than 8088, you have to manually update the URL to http://{IP or FQDN}:{custom port}
If required, start each one manually.
Notice
All product services are installed and configured to run with a Windows Network Service account by default. When upgrading from v8.8/8.9, any non-default accounts for new CxSAST Services (CxSASTResults, ActiveMQ) and IIS Application Pools (CxAccessControl) might need to be updated and customized according to your existing policy. You should verify that your customized account manages all previously existing CxSAST services and IIS Application Pools. To update non-default service accounts, refer to Configuring CxSAST for using a non-default User (Network Service) for CxServices & IIS Application Pools.
Upgrading CxSAST in High Availability Solutions
To install and configure high-availability solutions, see instructions. In addition, a diagram that outlines the architecture for high-availability solutions is available.
To edit the protocols in use, the station and/or port definitions for any upgraded Cx components, refer to Changing the Server Name, IP, or Port for Checkmarx Components for further information and instructions.