
Enabling SSL Support on the CxManager

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data between the web server and browsers remains private and integral. To create an SSL connection, the web server requires an SSL Certificate.

CxManager (SSL)

To secure communications between all Checkmarx Software Exposure Platform components, we recommend installing a signed certificate and enabling SSL on the CxManager to enforce SSL security (HTTPS). The instructions below explain how to enable SSL support on the CxManager.

Enabling SSL Support

SSL support can be enabled via the IIS Management console on the CxManager server. The enablement steps can be performed manually from the CxManager server:

  1. Prepare a CA certificate for the Checkmarx Software Exposure Platform Server (in a distributed deployment, for the CxManager), signed by a third-party certificate authority such as VeriSign, and install it on the Server or CxManager.

    Notice

    Although it is not considered as secure as a CA-signed certificate, SSL can also be enabled using a self-signed certificate; see Create a Self-Signed Server Certificate in IIS.

  2. From the Start menu, select All Programs. Click Accessories, and then click Run. The Run window is displayed.

  3. In the Open box, type inetmgr and then click <OK>. The IIS Manager window is displayed.

  4. Select Default Web Site from the Connections panel.

  5. Select Bindings from the Actions pane. The Site Bindings window is displayed.

  6. Click <Add>. The Add Site Bindings window is displayed.

  7. Under Type, select https.

  8. Select SSL Certificate and select your pre-installed certificate from the list.

  9. Click <OK> and then <Close>.

Enabling only HTTPS/SSL Support

If you want to use only HTTPS/SSL, return to the IIS Manager window and, for each relevant web service (CxWebClient, CxWebInterface), perform the following:

  1. In the Connections pane, double-click Default Web Site.

  2. Select CxWebClient and double-click on SSL Settings.

  3. Select Require SSL and click Apply from the Actions pane.

    Note

    Perform the same SSL settings actions for CxRestAPI and CxWebInterface.

  4. Go to C:\Program Files\Checkmarx\CheckmarxWebPortal\Web, open the web.config file for editing and, using the Search tool, search for "CxWSResolver.CxWSResolver".

  5. Change "http://" to "https://" and, if the host is "localhost", replace it with the <name/subject> of your pre-installed certificate.

  6. Right-click on the Server (highest level in the hierarchical tree) and select Stop from the drop-down. Once stopped, right-click on the Server again and choose Start.

  7. Update URLs in the database.

    Notice

    Use the post-installation utility to update values in the database, as described in Post-Installation Procedures.

    If the post-installation utility is not installed, open the SQL server using SQL Server Management Studio (SSMS) and execute the following SQL queries:

    To retrieve values:

    select * from [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'IdentityAuthority';
    select * from [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'CxSASTManagerUri';
    select * from [CxDB].[dbo].[CxComponentConfiguration] WHERE [Key] = 'Webserver';
    select * from [CxDB].[accesscontrol].[ConfigurationItems] WHERE [Key] = 'SERVER_PUBLIC_ORIGIN';

    To update values:

    USE [CxDB]
    GO 
    
    UPDATE [dbo].[CxComponentConfiguration]
       SET [Value] = 'https://<FQDN>/CxRestAPI/auth'
     WHERE [Key] = 'IdentityAuthority'
    GO 
    
    USE [CxDB]
    GO 
    
    UPDATE [dbo].[CxComponentConfiguration]
       SET [Value] = 'https://<FQDN>'
     WHERE [Key] = 'CxSASTManagerUri'
    GO
    
    USE [CxDB]
    GO
    
    UPDATE [dbo].[CxComponentConfiguration]
       SET [Value] = 'https://<FQDN>'
     WHERE [Key] = 'Webserver'
    GO
    
    USE [CxDB]
    GO
    
    UPDATE [accesscontrol].[ConfigurationItems]
       SET [Value] = 'https://<FQDN>'
     WHERE [Key] = 'SERVER_PUBLIC_ORIGIN'
    GO

    Then restart the Cx services.

  8. In the SAST Web Portal interface, go to Settings > Application Settings > General. The General Settings window is displayed.

  9. Click <Edit> at the bottom of the page.

  10. Enter your Server URL (e.g., https://checkmarx.corp.net) into the Web Server Address field.

  11. Click <Update> to save the changes.

  12. The CX_ES_ACCESS_CONTROL_URL environment variable must be updated from HTTP:// to HTTPS://, and the hostname must be replaced according to the certificate.

For more information on how to edit Windows OS system environment variables, see CxSAST Environment Variables.
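The web.config entry in step 5, the four database rows in step 7, the Web Server Address in step 10 and CX_ES_ACCESS_CONTROL_URL in step 12 all have to end up as https:// URLs on the host named in the certificate; a mismatch in any one of them is what typically leaves a component unable to reach the others after the switch. The following added example (not Checkmarx code) performs the http-to-https rewrite and flags any value that still points elsewhere; the web.config layout (an appSettings `add` entry) and every sample value are constructed assumptions, not taken from a real installation.

```python
"""Rewrite and cross-check the CxSAST URLs touched in steps 5, 7, 10 and 12.
Added example, not Checkmarx code; the web.config layout and every sample
value below are constructed for illustration."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit


def to_https_origin(url, fqdn):
    """Force https://, swap a localhost host for the certificate FQDN, keep the
    path (e.g. /CxRestAPI/auth) and drop a redundant :80 or :443 port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.lower() in ("localhost", "127.0.0.1"):
        host = fqdn
    netloc = host if parts.port in (None, 80, 443) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed fragment resembling CheckmarxWebPortal\Web\web.config (assumed layout).
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="CxWSResolver.CxWSResolver" value="http://localhost/Cxwebinterface/CxWSResolver.asmx" />
</appSettings></configuration>"""


def rewrite_web_config(xml_text, fqdn):
    """Step 5: rewrite the CxWSResolver.CxWSResolver appSettings entry."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("add"):
        if entry.get("key") == "CxWSResolver.CxWSResolver":
            entry.set("value", to_https_origin(entry.get("value", ""), fqdn))
    return ET.tostring(root, encoding="unicode")


# Constructed values as the step 7 SELECT queries might read them back.
SAMPLE_DB_ROWS = {
    "IdentityAuthority": "https://cx.example.corp/CxRestAPI/auth",
    "CxSASTManagerUri": "https://cx.example.corp",
    "Webserver": "http://localhost",  # still the pre-SSL value
    "SERVER_PUBLIC_ORIGIN": "https://cx.example.corp",
}


def find_stale_urls(rows, fqdn):
    """Return keys whose value is not an https:// URL on the certificate host."""
    stale = []
    for key, value in rows.items():
        parts = urlsplit(value)
        if parts.scheme != "https" or (parts.hostname or "").lower() != fqdn.lower():
            stale.append(key)
    return stale
```

The same `find_stale_urls` check can be fed the Web Server Address and the CX_ES_ACCESS_CONTROL_URL value, since both must resolve to the same https:// origin.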

Defining HTTPS Settings

After installing CxSAST, define the IIS bindings at the ExternalListenUrls key in the appsettings.json file, which resides in the Checkmarx Access Control folder. If, for example, port 80 (HTTP) and port 443 (HTTPS) have to be bound, the entry looks as follows: "ExternalListenUrls": "http://*:80;https://*:443" (the value is a JSON string, so it must be quoted).

Enabling HTTP Strict Transport Security (HSTS)

When moving to HTTPS, consider enabling HSTS so that browsers connect over HTTPS directly instead of relying on a redirect from HTTP to HTTPS.

Overview

HSTS is an Internet standard that forces browsers to always connect to a website over HTTPS, which avoids the insecure practice of redirecting users from HTTP to HTTPS. If a browser 'knows' that a domain has HSTS enabled, it behaves as follows:

  • Always uses an https:// connection, even when following an http:// link or after typing a domain into the URL address field without specifying a protocol.

  • Removes the ability for users to click through warnings about invalid certificates.

HSTS is implemented by adding an HTTP header to each response the server returns to the browser. In its simplest form, the policy tells the browser to enable HSTS for that exact domain or subdomain/site and to remember it for the given number of seconds (max-age):

Strict-Transport-Security: max-age=31536000;

In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Notice

When using the ‘preload’ directive, be aware that you may not be able to revert this choice once the directive has been propagated and stored on client browsers for a long period.
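Both header forms above are easy to get subtly wrong when typed into an IIS rule by hand (a misspelled directive is silently ignored, and max-age=0 switches the policy off). The following added example, which is not part of CxSAST or IIS, parses a Strict-Transport-Security value according to RFC 6797 and reports the findings that matter for this rollout, including the preload caveat from the notice; the header values it is exercised with are constructed.

```python
"""Parse and assess a Strict-Transport-Security header value (RFC 6797).
Added example, not part of CxSAST or IIS; run it on the header value an
HTTPS response from the CxManager actually returns after enabling HSTS."""
ONE_YEAR = 31536000  # seconds, the max-age used by the recommended policy


def parse_hsts(header):
    """Return (max_age, include_subdomains, preload, problems). Directive names
    are case-insensitive, a repeated directive is invalid (RFC 6797 s. 6.1),
    unknown directives and an empty directive from a trailing ';' are ignored."""
    max_age, include_subdomains, preload, problems, seen = None, False, False, [], set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
            else:
                problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if "max-age" not in seen:
        problems.append("missing required max-age directive")
    return max_age, include_subdomains, preload, problems


def assess(header, require_subdomains=True):
    """Findings for a rollout: syntax problems, a policy that disables itself
    (max-age=0), a short lifetime, missing includeSubDomains, and the preload
    directive, which browsers keep long after the server stops sending it."""
    max_age, include_subdomains, preload, problems = parse_hsts(header)
    findings = list(problems)
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age is not None and max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year")
    if require_subdomains and not include_subdomains:
        findings.append("includeSubDomains not set")
    if preload:
        findings.append("preload set: hard to revert once stored by browsers")
    return findings
```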

Additional information on the HSTS protocol can be found in the following resources:

Enabling HSTS

By default, CxSAST is not configured for HTTPS and therefore does not have the HSTS header built in. The solution is to instruct IIS to intercept each request/response and add the HSTS header to each response. Depending on the IIS version, this can be achieved in one of the following ways:

  • Using the Microsoft URL Rewrite Module for IIS 7 or higher.

  • Using the latest IIS 10.0 versions, which have built-in support for HSTS.

Detailed IIS instructions can be found in these Microsoft documents:

Connecting to CxManager (SSL) or CxSAST Web Portal from other client machines

Trusted certificates must be installed on all SAST components.

Client machines cannot communicate with the CxSAST Web Portal unless they trust its certificate. For example, a CxEngine server that does not trust the certificate cannot access the CxSAST Web Portal, and as a result the engine status is shown as Offline.

The solution is to install and trust all certificates in the certificate chain (if it exists), including the Root CA certificate, the Intermediate CA certificate, and the End-User certificate.

To install an SSL certificate into the trusted root CA store, perform one of the following: