Skip to main content

Upgrading CxSAST to v9.4.0

This page applies only to full upgrades and not to hotfixes. CxSAST supports upgrades from up to the two previous versions.

Notice

  • Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate folder from the main database files.

  • For upgrading from v8.8 or v8.9, you have to first install v9.0 and only then proceed with installing v9.3. If you use an earlier version of CxSAST, contact Checkmarx Support before you start upgrading.

  • Make sure that the SQL password does not exceed 32 characters.

  • If you are switching Java versions, for example, due to upgrading or otherwise modifying your CxSAST installation in a way that requires a newer Java installation, you have to update the newer Java location with the certificate from the previous Java location. This means you have to copy the cacerts file from the previous Java location (..\Checkmarx Risk Management\jre\lib\security\) to the new Java location (<install path>\openjdk-8u242-b08-jre\lib\security\) and overwrite the existing cacerts file in the new location with your existing cacerts file.

  • Some environment variables are renamed, but the names are not updated in the list of Environment Variables list. Therefore, you have to manually verify that the environment variable names match the respective listed ones. If they do not match, you have to manually update them under Windows Properties as explained once the upgrade is complete. Incompatible environment variable names cause CxSAST to fail.

  • If you intend to use TLS,

    o follow the guide under Configuring SSL between CxManager and CxEngine (v9.3.0) and verify the certificate's installation location as mentioned in the guide.

    o make sure to add CX_ENGINE_CERTIFICATE_SUBJECT_NAMEas environment variable as explained, if it is not listed already.

  • For an upgrade from CxSAST 9.3 to CxSAST 9.4, the New Flow will be enabled only for new projects. For existing projects, it will be enabled or disabled depending on the New Flow configuration in 9.3. So if a customer was using New Flow for a project in the 9.3 installation, New Flow will be enabled for the project in the upgrade to 9.4. If a customer was using the original flow for a project in the 9.3 installation, New Flow will be disabled for that project in the upgrade to 9.4.

Before you start:

  1. Make sure there are currently no scans running.

  2. Stop all Cx Windows services and Web servers, depending on the Checkmarx components installed on the server:

    On a centralized hosto CxSystemManager

    o CxJobsManager

    o CxScansManager

    o CxScanEngine

    o Management and Orchestration:

    = CxARM

    = CxARMETL

    o Web server: Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click

    6436169307.png

    Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop". On a CxEngine host (if applicable):

    o CxScanEngine

Notice

Make sure to back your Cx databases up prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate directory from the main database files.

To upgrade CxSAST:

  1. Download the CxSAST installation package.

  2. Extract the downloaded ZIP archive, supplying the password provided by Checkmarx support.

  3. Run CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.

  4. During the upgrade, the Checkmarx installer automatically performs a backup copy of configuration files. The Checkmarx backup files are located at %appdata%\checkmarx (usually C:\Users\<user>\AppData\Roaming\Checkmarx).

    Note: The following files should be backed-up in case they need to be restored after an upgrade "<Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml" "<Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml" "<Drive>:\Program Files\Checkmarx\Executables\*.*" The following files should be backed up and used during the upgrade process: "<Drive>:\Program Files\Checkmarx\Licenses\License.cxl" The following files should be backed-up and used if you are unable to find or connect to the database during installation:"<Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config"

    Note:

    o To configure Access Control and ActiveMQ for High Availability, refer to Configuring Access Control for High Availability Environment and Configuring ActiveMQ for High Availability Environments.

    o For upgrading the Manager/Portal server in a distributed environment, the ActiveMQ component is automatically selected when using the 'Easy Upgrade' option.

    o For high availability deployments, each manager (ScanManager, etc.) must be upgraded individually.

  5. Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:

    On a centralized host:o CxSystemManager

    o CxJobsManager

    o CxScansManager

    o CxSastResults

    o CxScanEngine

    o Management and Orchestration:

    = CxARM

    = CxARMETL

    = CxRemediationIntelligence

    o Shared services:

    = ActiveMQ

    o Web server: Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click

    6436169307.png

    Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".

    = World Wide Web Publishing Service

    = IIS Admin Service

    Note:

    o If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.

    o After upgrading to CxSAST 9.4, you have to reconnect the new engines using a different URL, if you use a different port than the default port 8088. = The URL of the CxSAST engines until CxSAST 9.2 used to be http://{IP or FQDN}/CxSourceAnalyzerEngineWCF/CxEngineWebServices.svc

    = The new URL for the new engine for CxSAST 9.4 and up is http://{IP or FQDN}:8088.

    = If you use a different port than 8088, you have to manually update the URL to http://{IP or FQDN}:{custom port}

  6. If required start each one manually.

Notice

By default, all product services are installed and configured to run with Windows Network Service account. When upgrading from v8.8/8.9, any non-default accounts for new CxSAST Services (CxSASTResults, CxRemidiationIntelligence, ActiveMQ) and IIS Application Pools (CxAccessControl) may need to be updated and customized according to your existing policy. You should also verify that all other previously existing CxSAST services and IIS Application Pools are still managed by your customized account. For updating non-default service accounts, please refer to Configuring CxSAST for use with a non-default user (Network Service) - CxServices & IIS Application Pools.

Upgrading CxSAST in High Availability Solutions

To install and configure high availability solutions, refer to the relevant instructions. In addition, a diagram that outlines the architecture for high availability solutions is available.

To edit any of the protocols in use, the station and/or port definitions for any of the upgraded Cx components, refer to Changing the Server Name, IP or Port for Checkmarx Components for further information and instructions.