Skip to main content

Upgrading CxSAST to v9.4.0

This page applies only to full upgrades and not to hotfixes. CxSAST supports upgrades from up to the two previous versions.

Notice

  • Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate folder from the main database files.

  • For upgrading from v8.8 or v8.9, first install v9.2, and only then proceed with installing v9.4. If you use an earlier version of CxSAST, contact Checkmarx Support before you start upgrading.

  • Make sure that the SQL password does not exceed 32 characters.

  • If you are switching Java versions, for example, due to upgrading or otherwise modifying your CxSAST installation in a way that requires a newer Java installation, you have to update the newer Java location with the certificate from the previous Java location. This means you have to copy the cacerts file from the previous Java location (..\Checkmarx Risk Management\jre\lib\security\) to the new Java location (<install path>\openjdk-8u242-b08-jre\lib\security\) and overwrite the existing cacerts file in the new location with your existing cacerts file.

  • Some environment variables are renamed, but the names are not updated in the list of Environment Variables list. Therefore, you have to manually verify that the environment variable names match the respective listed ones. If they do not match, you have to manually update them under Windows Properties as explained once the upgrade is complete. Incompatible environment variable names cause CxSAST to fail.

  • If you intend to use TLS,

    • follow the guide under Configuring SSL between CxManager and CxEngine and verify the certificate's installation location as mentioned in the guide.

    • make sure to add CX_ENGINE_CERTIFICATE_SUBJECT_NAME as environment variable as explained, if it is not listed already.

  • For an upgrade from CxSAST 9.3 to CxSAST 9.4, the New Flow will be enabled only for new projects. For existing projects, it will be enabled or disabled depending on the New Flow configuration in 9.3. So if a customer was using New Flow for a project in the 9.3 installation, New Flow will be enabled for the project in the upgrade to 9.4. If a customer was using the original flow for a project in the 9.3 installation, New Flow will be disabled for that project in the upgrade to 9.4.

Before you start:

  1. Make sure there are currently no scans running.

  2. Stop all Cx Windows services and Web servers, depending on the Checkmarx components installed on the server:

    • On a centralized host

      • CxSystemManager

      • CxJobsManager

      • CxScansManager

      • CxScanEngine

      • Management and Orchestration:

        • CxARM

        • CxARMETL

      • Web server:

        Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click 6436169307.png Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".

      • On a CxEngine host (if applicable):

        • CxScanEngine

    Notice

    Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate directory from the main database files.

    To upgrade CxSAST:

    1. Download the CxSAST installation package.

    2. Extract the downloaded ZIP archive, supplying the password provided by Checkmarx support.

    3. Run CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.

    4. During the upgrade, the Checkmarx installer automatically performs a backup copy of configuration files. The Checkmarx backup files are located at %appdata%\checkmarx (usually C:\Users\<user>\AppData\Roaming\Checkmarx).

      • Back-up the following files in case they need to be restored after the upgrade:

        • <Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml

        • <Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml

        • <Drive>:\Program Files\Checkmarx\Executables\*.*

      • Back-up the following file for use during the upgrade process:

        • <Drive>:\Program Files\Checkmarx\Licenses\License.cxl

      • Back-up the following file for use if you are unable to find or connect to the database during the installation:

      • <Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config

      Notice

    5. Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:

      • On a centralized host:

        • CxSystemManager

        • CxJobsManager

        • CxScansManager

        • CxSastResults

        • CxScanEngine

        • Management and Orchestration:

          • CxARM

          • CxARMETL

          • CxRemediationIntelligence

        • Shared services:

          • ActiveMQ

        • Web server:

          Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click 6436169307.png Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".

          • World Wide Web Publishing Service

          • IIS Admin Service

      Notice

      • If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.

      • After upgrading to CxSAST 9.4, you have to reconnect the new engines using a different URL, if you use a different port than the default port 8088.

        • The new URL for the new engine for CxSAST 9.4 and up is http://{IP or FQDN}:8088.

        • If you use a different port than 8088, you have to manually update the URL to http://{IP or FQDN}:{custom port}

    6. If required start each one manually.

    Notice

    By default, all product services are installed and configured to run with Windows Network Service account. When upgrading from v8.8/8.9, any non-default accounts for new CxSAST Services (CxSASTResults, CxRemidiationIntelligence, ActiveMQ) and IIS Application Pools (CxAccessControl) might need to be updated and customized according to your existing policy. You should also verify that all other previously existing CxSAST services and IIS Application Pools are still managed by your customized account. For updating non-default service accounts, refer to Configuring CxSAST for using a non-default User (Network Service) for CxServices & IIS Application Pools.

    Upgrading CxSAST in High Availability Solutions

    To install and configure high availability solutions, refer to the relevant instructions. In addition, a diagram that outlines the architecture for high availability solutions is available.

    To edit any of the protocols in use, the station and/or port definitions for any of the upgraded Cx components, refer to Changing the Server Name, IP or Port for Checkmarx Components for further information and instructions.