Skip to main content

Installing CxSAST in Centralized Environment

Before installing CxSAST, make sure that you understand the System Architecture and that your server host(s) complies with the Server Host Requirements. To install CxSAST, you have to download the archive, extract the installation executable CxSetup.exe and install required third-party components.

Notice

To install and configure high availability solutions, refer to the relevant instructions. A diagram that outlines the architecture for high availability solutions is available here.

Starting with CxSAST 9.4, users can select the service account on which CxSAST related services are running while installing CxSAST. Further information and instructions are available on this page.

Prerequisites and Recommendations

  • The required Web Server for Checkmarx is IIS Server. If the IIS Server is missing, it will be installed together CxSAST, which requires the Windows installation media to be accessible.

  • SQL 2012 Express SP2 is included with the CxSAST installer. It is installed, if there is no other version of SQL already installed.

Installation

Notice

  • You can directly upgrade to CxSAST 9.4 from an earlier build of version 9.4 and from versions 9.3 or 9.2.

  • To upgrade from version 9.0, you have to first upgrade at least to version 9.2 and only then you can upgrade to version 9.4.

  • For upgrading from version 8.8 or 8.9, you have to first upgrade to version 9.0, which requires migrating the Access Control data as explained in Access Control Data Migration Installer.

  1. Once you have downloaded the CxSAST Installation package and made the third-party components available, run 6436164819.png CxSetup.exe.

    If you install CxSAST without any previous installations of CxSAST, continue here:

    6459687172.png

    o Click <ALL-IN-ONE-INSTALLATION> to continue the centralized installation, or click <X> to exit.

    o By default, Management & Orchestration does not install with CxSAST. To install Management & Orchestration, click <ADVANCED INSTALLATION> and then selectInstall Management (M&O)when you are asked to select installation options as explained below.

    If you install a newer build or upgrade from version 9.2 or 9.3, continue here:

    6458409578.png

    o To upgrade while preserving your current configuration, click <EASY UPGRADE> to continue.

    o To add components, for example Management & Orchestration, click <ADVANCED INSTALLATION>. Select the desired installation options and follow the instructions below to continue.

    Note: If you wish to install components on more than one host, refer to Installing CxSAST in a Distributed Environment for further information and instructions.

    In either case, the Checkmarx License Agreementwindow is displayed.

    6458409582.png
  2. Review and accept the license agreement by checking I accept the terms in the License Agreement.

  3. Click <NEXT> to continue. If you clicked <ADVANCED INSTALLATION> before, the additional Installation Options window is displayed with all components selected, except for Install Management (M&O).

    Note: By default, Management & Orchestration does not install together with CxSAST. To include it with the installation, select

    6436164735.png

    Install Management (M&O) under Installation Options.

    6458409586.png
  4. Click <Select> to define the CxSAST installation location.

    Note:

    o To avoid permission restrictions, install CxSAST under <root directory>:\Program Files .

    o For upgrades, previously installed location settings and product components are loaded from the existing configuration and cannot be changed. You can however install or remove product components by using the modify feature. For further information and instructions, refer to Modifying CxSAST.

  5. Click <NEXT>. The Prerequisites Check window is displayed, indicating the status of all required third-party components.

    6458704104.png

    Note:

    o Available components are labeled

    6436164837.jpg

    . All prerequisites must be available, otherwise the setup cannot be completed and CxSAST is not installed.

    o Missing components are labeled

    6436165113.png

    .

    6458704108.png

    Note:

    o Clicking Prerequisites Folder conveniently opens the third_party folder where all the prerequisite third party installation files or instructions are contained. This convenience only works if, when you extracted the third_party_<version>. zip file, you copied the third_party folder to the same folder where the CxSetup.exe installation file is located. If you did not do that before, you can do copy it now, while the wizard is still open, and continue with the third party installations.

    o For any missing component (except the Java Runtime Environment), click the Prerequisites Folder button to navigate to the supplied components and install each one separately. To do so, follow the on-screen instructions.

    o For the required Java Runtime Environment (JRE), click Browse and select the entire JRE folder (and not only the bin folder) that you copied to your station, for example C:\Program Files\openjdk-8u242-b08-jre, C:\Program Files\Java\jre1.8.0_241 or C:\Program Files\Java\jdk1.8.0_241\jre. These instructions assume that you have extracted and copied the content of the provided ZIP archive to the relevant location.

    If you did not make the Java files available, follow the instructions given in the Java section in Preparing CxSAST for Installation and then click Recheck Prerequisites to repeat the validation process.

    Note:

    o The recommended Java version is 1.8. The minimum version for Oracle is 8u241. For AdoptOpenJdk, the minimum version is 8u242. Verify that the minimum version is installed on your server before continuing.

    o In case Java JRE is automatically updated to a new version, you have to manually update the JRE folder path in the CX_JAVA_HOME environment variable, otherwise, CxSAST stops operating.

  6. Once all required components are installed, click <NEXT> to continue. The CxSAST SQL Server Configuration window is displayed.

    6458704112.png
  7. Select the server from the SQL Server Instance list. If using a non-standard database port, provide the server name with a comma followed by the port number (e.g., LOCALHOST\SQLEXPRESS,25).

    Note: For upgrades, previously defined SQL Server instance settings are loaded from the existing configuration and cannot be changed.

  8. For CxSAST, define a connection to the installed SQL Server or to any other SQL server on your network, by selecting one of the following:

    o Connect using Integrated Windows Authentication (also called Windows domain authentication) - login not required

    o Connect using SQL Server Authentication (also called SQL Server native authentication) - requires SQL user name and password for login with SA permissions

  9. Click <Test Connection>.

    o If the database was not in use, a message appears that indicates that the connection was successful.

    o If a previously used database exists, A message appears that a database was detected. In this case, you may continue using the database or re-install it as explained in the message.

    Note: If the "SQL Connection Test Results" message indicates that the connection to the SQL Server has failed, verify the following:

    o Host, port and login credentials are correct.

    o The host is a member of a Windows domain. If it is not part of a Windows domain, either join the host to a domain and restart it, or connect using SQL Server Authentication.

    o The SQL Server Browser Windows service is running. If it is not running, enable and start it.

    6459195614.png
  10. Click <OK>, and then click <NEXT>to continue. The Message Broker Configuration window is displayed.

    6459883716.png

    Note:

    o The default ActiveMQ port is 61616.

    o <NEXT> is enabled when the default port is available. If unavailable, define another available port.

    o In case the ActiveMQ is uninstalled and reinstalled using a non-default port, a manual update in the database is required to match the change - Databases > CxDB > Tables > CxComponentConfiguration > ActiveMessageQueueURL > Key Value (e.g., tcp://<AMQ_URL>:<non-default_port>)

    o Make sure that port 61616is open in all relevant firewalls between the ActiveMQ server and the following components:

    - CxManager servers (for Access Control, Scan Manager and Results Services). This includes high availability configurations with multiple CxManagers. For additional information on configuring Access Control and ActiveMQ for high availability, refer to Configuring Access Control for High Availability Environments and Configuring ActiveMQ for High Availability Environments.

    - CxEngine servers

    - M&O server

  11. Click <NEXT>. If installing Management and Orchestration, the Remediation Intelligence Configuration window is displayed.

    6459883720.png

    Note:

    o In older versions and previous builds of the current version of CxSAST, Automated Prioritization was called Remediation Intelligence. The screen image below still refers to this previous name.

    o The default port is 8082.

    o <NEXT> is enabled, if the default port is available. If unavailable, define another available port.

  12. Click <NEXT>. If installing Management and Orchestration, the Apache Tomcat Configuration window is displayed.

    6459883724.png

    Note:

    o The default ports are the following ones:

    - HTTP port is 8080 - HTTPS port is 8443 o <NEXT> is enabled, if the default port(s) are available. The installer verifies that ports are not blocked, but does not check, if ports are part of IIS bindings. If you suspect that one of the relevant ports is part of IIS bindings, open IIS and check it. You can only complete the installation, if ports are not blocked and if they are not part of IIS bindings. If port(s) are unavailable, define other available port(s) in the respective Port fields.

  13. Click <NEXT>. If installing Management and Orchestration, the M&O Layer SQL Server Configuration window is displayed.

    Note: If the M&O database resides on a separate server, SQL Server Instance must read <IP address of the M&O DB server>\SQLEXPRESS. If it reads localhost\SQLEXPRESS instead, cancel the setup and start it again.

    6460801040.png
  14. Select the Server from the SQL Server Instance list. If using a non-standard database port, provide the server name with a comma followed by the port number (e.g., LOCALHOST\SQLEXPRESS,25).

    Note: For upgrades, previously defined SQL Server instance settings are loaded from the existing configuration and cannot be changed, unless the Management and Orchestration component was only added in the latest upgrade.

  15. For Management and Orchestration, define the SQL Server connection by selecting one of the following:

    o Connect using Integrated Windows Authentication (login not required)

    o Connect using SQL Server Authentication(provide SQL user name and password for login with SA permissions)

    Note: For M&O Layer SQL Server connectivity, both Dynamic and Static port configurations are supported. For more information, refer to Configuring Management & Orchestration SQL Server for Dynamic and Static Port Connectivity.

  16. Click <Test Connection>. A "Connection successful" message is displayed upon confirmed connection to the SQL Server.

    Note:

    o If the "SQL Connection Test Results" message indicates that an existing database has been detected, follow the onscreen instructions to either continue with that database or install a new one.

    o If the database belongs to a previous version of CxSAST, you have to remove it and install a new one, otherwise CxSAST does not operate. If you uninstall CxSAST, the database is not removed automatically.

    o If the "SQL Connection Test Results" message indicates that connection to the SQL Server has failed, verify the following:

    = Host, port and login credentials are correct

    = The station is a member of a Windows domain. If it is not part of a Windows domain, either join the station to one and restart it, or connect using SQL Server Authentication.

    = The SQL Server Browser Windows service is running. If it is not running, enable and start it.

  17. On the message, click <OK>, and then click <NEXT>. You are now asked to define your service account settings.

    6460801044.png

    Note: Version 9.4 introduces the possibility to select the service account with which the CxSAST related services are going to run. In previous versions, these services have been running with the Network Service account by default.

  18. Select the service account on which the CxSAST related services are going to run:

    o Local System account o Network Service account (default)

    o This account: A dedicated account that you may have added to serve your CxSAST application. Enter the user credentials to enable CxSAST to access this account.

    The example below illustrates the services associated with the Network Service account.

    6460801048.png
  19. Click <Test User Account> to verify and test this account. If successful, <NEXT> turns green and you can continue the installation.

  20. Click <NEXT>. The Engine Configuration window is displayed.

    6460801052.png
  21. If Enable TLS is checked, the TLS flag is enabled and additional manual configuration is required.

  22. Click <NEXT>. The License Activation window is displayed.

    6461194281.png

    Note:

    o If you already have a valid license from your previous installation, the license information is automatically loaded from the existing configuration and the License Activation window is not displayed.

    o If the License Activation window appears while installing or upgrading, you have to provide an updated license file. Any existing license file from a previous installation will be rendered invalid.

  23. Select the preferred licensing method by selecting one of the following:

    o Import New License : If you already have a valid CxSAST license file, select the Import New License option and then click Import License. Browse to the file location and click <Open>.

    o Request New License: If you have not yet obtained a permanent CxSAST license, select Request New License and then copy your Hardware ID to the clipboard. Send the copied Hardware ID (HID) to your Checkmarx sales representative or open a support ticket. In this case, you can continue the wizard and import the new license once you received it. CxSAST does not operate without an updated license.

    6461194289.png

    Note: To update the license at a later stage with an updated license file, use the License Importer utility as explained.

  24. Click <NEXT> to continue.

    Note: If your license does not match your current Hardware ID (HID), a warning message is displayed. In this case, obtain the proper license from your Checkmarx sales representative and use the License Importer utility to import it as explained once you received it.

    If the default port 80 is occupied, the Validate Port window is displayed. If required, select another port and click <Validate Port>.

    Note: Port 80 is allocated as the default port for Checkmarx applications. In clean installations the Validate Port window is displayed only, if one of the following occurs:

    o Port 80 is occupied by a non-default website or application

    o There is no default website and port 80 is occupied by another application or website

    o A default website is defined, but it occupies a different port. Port 80 is occupied by another application or website.

  25. Click <NEXT> to continue. The Setup Summary window is displayed.

    6461194285.png

    Note:

    o In case you upgrade your CxSAST version with a newer build of the same version and use the previously configured database that included M&O, the setup summary indicates that M&O could not be installed because it is already configured.

    o If your license remains valid after upgrading according to your license agreement with Checkmarx or you upgrade your CxSAST version with a newer build of the same version, the license information is not displayed because it has already been loaded from the existing configuration.

  26. Click <INSTALL> to continue. The Installation in Progress window is displayed and the application is installed and configured.

    o To return to the previous window, click <BACK>.

    o To exit, click <X>.

    6461194293.png

    Note:

    o Once the installation is complete the Installation Completed Successfully window is displayed.

    o If a component could not be set up, but CxSAST is still ready to operate, the Installation Completed Successfully window is displayed with a warning.

    o If the installation fails, the "Setup Failed" message is displayed. For more information, refer to the installation logs. If you need further assistance, please open a support ticket.

    6461030457.png
    6461030461.png

Notice

If you install CxSAST with Management and Orchestration, the Congratulations window appears with the Start Database Synchronization checkbox and the installation must be completed with synchronizing the database.