Skip to main content

Enabling SSL Support on the CxManager

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. To be able to create an SSL connection the web server requires an SSL Certificate.

CxManager (SSL)

To secure communications between all Checkmarx Software Exposure Platform components, we recommend that you install a signed certificate and enable SSL on the CxManager to enforce SSL security (HTTPS). The instructions below explain how to enable SSL support on the CxManager.

Enabling SSL Support

Support for SSL can be enabled via the IIS Management console on the CxManager server. The enablement steps can be performed manually from the CxManager server:

  1. Prepare a CA certificate for the Checkmarx Software Exposure Platform Server (in a distributed deployment - for CxManager), signed by a third-party certificate authority such as VeriSign and install it on the Server or CxManager.

    Notice

    Although it is not considered as safe as CA certification, SSL can also be enabled using Self Signed Certificates, see Create a Self-Signed Server Certificate in IIS.

  2. From the Start menu, select All Programs. Click Accessories, and then click Run. The Run window is displayed.

    6436182764.png
  3. In the Open box, type inetmgr and then click <OK>. The IIS Manager window is displayed.

    6436182761.png
  4. Select Default Web Site from the Connections.

  5. Select Bindings from the Actions pane. The Site Bindings window is displayed.

    6436182758.png
  6. Click <Add>. The Add Site Bindings window is displayed.

    6436182755.png
  7. Under Type, select https.

  8. Select SSL Certificate and select your pre-installed certificate from the list.

  9. Click <OK> and then <Close>.

Enabling only HTTPS/SSL Support

If you want to use only HTTPS/SSL, return to the IIS Manager window and, for each relevant web service (CxWebClient, CxWebInterface), perform the following:

  1. In the Connections pane, double-click Default Web Site.

    6436182752.png
  2. Select CxWebClient and double-click on SSL Settings.

  3. Select Require SSL and click Apply from the Actions pane.

    Note

    Perform the same SSL settings actions for CxRestAPI as well as CxWebInterface.

  4. Go to C:\Program Files\Checkmarx\CheckmarxWebPortal\Web, open the web.config file for editing and using the Search tool, search for "CxWSResolver.CxWSResolver".

  5. Change the value "http://" to "https://" and replace the value "localhost" (if available) with your pre-installed certificate's <name/subject>.

  6. Right-click on the Server (highest level in the hierarchical tree) and select Stop from the drop-down. Once stopped right-click on the Server again and select Start.

  7. In the SAST Web Portal interface, go to Management > Application Settings > General. The General Settings window is displayed.

    6436182749.png
  8. Click <Edit>.

  9. Enter your Server URL (e.g., https://checkmarx.corp.net) into the Web Server Address.

  10. Click <Update> to save the changes.

  11. The following environment variables must be updated from HTTP:// to HTTPS://, and the hostname must be replaced according to the certificate:

    • CX_ES_ACCESS_CONTROL_URL

    • CX_ES_END_POINT

  12. Change the value of the following environment variable from "false" to "true":

    • CX_ENGINE_TLS_ENABLE

For more information on how to edit Windows OS system environment variables, see CxSAST Environment Variables.

Defining HTTPS Settings

After installing CxSAST, define the IIS bindings at the ExternalListenUrls key in the appsettings json file. If, for example, port 80 (HTTP) and port 443 (HTTPS) have to be bound, the syntax looks as follows: "ExternalListenUrls": http://*:80;https://*:443 . The appsettings json file resides in the Checkmarx Access Control folder.

Enabling HTTP Strict Transport Security (HSTS)

When moving to HTTPS, users should consider enabling HSTS to avoid redirecting users from HTTP to HTTPS.

Overview

HSTS is an Internet standard, defined to force browsers to always connect to a website over HTTPS. HSTS avoids the need for the unsecure practice of redirecting users from HTTP to HTTPS. If a browser 'knows' that a domain has HSTS enabled, it responds as follows:

  • Always uses an https:// connection, even when following an http:// link or after typing a domain into the URL address field without specifying a protocol.

  • Removes the ability for users to click through warnings about invalid certificates.

HSTS is implemented by adding an HTTP header on each response to a browser request. In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain/site, and to remember it for a given number of seconds (max-age):

Strict-Transport-Security: max-age=31536000;

In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Notice

When using the ‘preload’ directive, be aware that you may not be able to revert this choice once the directive has been propagated and stored on client browsers for a long period of time.

Additional information on the HSTS protocol can be found in the following resources:

Enabling HSTS

By default, CxSAST is not configured for HTTPS, therefore it does not have the HSTS headers built in. The solution is to instruct IIS to intercept each request/response and add the HSTS header to each response as a result. Depending on the IIS version, this may be achieved by one of the following:

  • Using the Microsoft URL Rewrite Module for IIS 7 or higher

  • Using the latest IIS 10.0 versions with built-in support for HSTS

Detailed IIS instructions can be found in these Microsoft documents: