Skip to main content

Configuring SSL for the Checkmarx Software Exposure Platform

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and intact. To be able to create an SSL connection the web server requires an SSL Certificate.

Checkmarx Software Exposure Platform (SSL)

To secure communications between all Checkmarx Software Exposure Platform components, we recommend that you install signed certificates and enable SSL on all machines/servers to enforce SSL security (HTTPS). These instructions guide you through the procedure to configure the Secure Sockets Layer (SSL) Protocol for the Checkmarx Software Exposure Platform in Distributed Architecture or High Availability Architecture environments. They also include links to topics that are directly related to this procedure.

Configuring SSL

SSL can be configured via the Checkmarx Software Exposure Platform components for each machine/server accordingly. To configure the SSL, follow the instructions below:

1. All machines/servers in the Checkmarx Software Exposure Platform must be part of the same domain and configured in the Domain Name System (DNS) when using machine names

2. Enable SSL support for Access Control by configuring the appsettings.json file (<dir>:\Program Files\Checkmarx\Checkmarx Access Control\appsettings.json):

3. Enable SSL Support on the CxManager according to these instructions.

4. Configure all Checkmarx Software Exposure Platform components for HTTPS in the DB table [CxDB].dbo.[cxComponentConfiguration] as follows:

Replace IdentityAuthority, CxARMPolicyURL, CxARMURL, CxSASTManagerUri and WebServer keys to include HTTPS with the relevant server name.

SQL Query to view current values:

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'IdentityAuthority'

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxARMPolicyURL'

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxARMURL'

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxSASTManagerUri'

SELECT * FROM [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'WebServer'

SQL Queries to set URL’s to SSL:

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://{server FQDN}/CxRestAPI/auth'

WHERE [Key] = 'IdentityAuthority'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://{server FQDN}:8443'

WHERE [Key] = 'CxARMPolicyURL'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://{server FQDN}:8443'

WHERE [Key] = 'CxARMURL'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] ='https://{server FQDN}'

WHERE [Key] = 'CxSASTManagerUri'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://{server FQDN}'

WHERE [Key] = 'WebServer'

Example:

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://cxsast.checkmarx.net/CxRestAPI/auth'

WHERE [Key] = 'IdentityAuthority'

UPDATE [CxDB].[dbo].[CxComponentConfiguration]

SET [Value] = 'https://cxsast.checkmarx.net:8443'

WHERE [Key] = 'CxARMURL'

5. Enable SSL support on the CxEngine(s) according to these instructions.

6. Restart the ActiveMQ and all CxManager services, for any changes in the database.

7. Enable SSL support on the load balancer according to instructions provided by your vendor. If you are using Nginx as the load balancer, you can use the following configuration:

                  worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

        upstream gol-ha2-lb.cxquality.com {
                ip_hash;
                server gol-ha2-mn1.cxquality.com:443;
                server gol-ha2-mn2.cxquality.com:443;
        }
        
    server {
                listen       80;
                listen       443 ssl;
                server_name gol-ha2-lb.cxquality.com;
                
                ssl_certificate Cert/newcert.cer;
                ssl_certificate_key Cert/newkey2.key;
                
                ssl_protocols TLSv1.2;
                ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
                ssl_prefer_server_ciphers on;
                add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
                
                ssl_session_timeout 5m;
                ssl_session_cache shared:SSL:50m;
                ssl_session_tickets off;
                server_tokens off;

location / {
            root   html;
            index  index.html index.htm;
                        proxy_pass https://gol-ha2-lb.cxquality.com/;
        }
    }
}

8. Enable TLS support (on all machines/servers) according to these instructions.

9. Enable FIPS compliance (on all machines/servers) according to your supported operating system (see example).

10. Enable SSL support and FIPS compliance for Management & Orchestration (M&O) according to these instructions.

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.