Docker Deployment
Requirements
Component | Link |
---|---|
Docker (and Docker Compose) | |
Docker Configuration
This guide describes installing and running Policy Management components as Docker containers.
You will need a database user account with admin privileges. See how you can create one here.
Ensure that there is connectivity to the database host.
Run Setup Deployment (configuration of authentication, authorization, and other customizations) on the CxSAST Manager host.
Run PowerShell as an Administrator and go to the cx-pm-setup.ps1 script file location (CxPolicyManagement-X.X.X\Docker).
Paste the following command with these mandatory parameters:
Note
In this example, the Portal is configured on a container available on port 3000, the backend is on port 5555, and the hostname is CxPolicyManagement.
.\cx-pm-setup.ps1 -BaseAddressService http://CxPolicyManagement -BaseAddressPortal http://CxPolicyManagement -BaseAddressIdentityProvider http://IdentProvDomain -Username <database_User> -DeploymentType Docker -PortalPort 3000 -ServicePort 5555
Press Enter and input the password of the parameterized user with permission to access the database.
The script will create the docker-compose.yml and server.env files needed for the next steps on the Docker host machine.
For more information on the script, check Deployment Setup.
Warning
To use a hostname different from the IP address (e.g., CxPolicyManagement), you need to perform an additional step - How to set up a hosts file.
Note
<database_User>: replace with the username to connect to the database.
The DatabaseHost parameter should also be passed if the database host differs from the local host.
Obtain the latest Policy Management package and images from your Checkmarx representative.
Load the images into your Policy Management host Docker.
docker image load --input policy-management-service.tar
docker image load --input policy-management-ui.tar
Configure the Policy Management settings using environment variables.
Create a server.env file (or use the one created by the script) with the following variables:
CONNECTION_STRING (Required) - Database connection string to a SQL Server. Ensure you use the correct public address and port for your database, as well as the user and password. 1433 is the default port for SQL Server. If you are experiencing issues, see Error Connection to Database for assistance.
PM_API_URL (Required) - Endpoint for the Policy Management API (http://<pm service address>:<api_port>/policymanagement/api).
ACCESS_CONTROL_BASE_URL (Required) - Endpoint for the CxSAST Access Control host (http://<AC base address>:<port>).
For example, using the scenario described above, the server.env file should look like this:
CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True
PM_API_URL=http://CxPolicyManagement:5555/policymanagement/api
ACCESS_CONTROL_BASE_URL=http://IdentProvDomain
Create the application's containers: one for the Portal (policy-management-ui) and another for the Backend (policy-management-service). There are two ways to achieve this:
Using the Docker Compose tool (recommended).
Create a docker-compose.yml (or use the one created by the script) with the following:
version: '3'
services:
  ##################################################################################
  policy-management-service:
    image: policy-management-service:latest
    container_name: policy-management-service
    restart: always
    env_file: server.env
    ports:
      - "5555:8080"
    volumes:
      - <path_on_host_machine>:/app/Logs/CxPolicyManagerClient
    networks:
      - "cx"
  ##################################################################################
  policy-management-ui:
    image: policy-management-ui:latest
    container_name: policy-management-ui
    restart: always
    env_file: server.env
    ports:
      - "3000:8080"
    depends_on:
      - "policy-management-service"
    networks:
      - "cx"
  ##################################################################################
networks:
  cx:
In the policy-management-service container's volumes, change <path_on_host_machine> to the path where the logs will be stored - both absolute and relative paths work. Make sure your docker-compose.yml and server.env files are in the same folder, and run the following command:
docker-compose -f docker-compose.yml up -d
Running the following Docker commands:
docker run -p 5555:8080 --env-file=server.env --restart always --name policy-management-service --volume <absolute_path_on_host_machine>:/app/Logs/CxPolicyManagerClient policy-management-service:latest
docker run -p 3000:8080 --env-file=server.env --restart always --name policy-management-ui policy-management-ui:latest
Change <absolute_path_on_host_machine> to the path where the logs will be stored (only absolute paths work). You can also change the path where your logs will be stored in the server.env.
SSL Configuration
To deploy over SSL using Docker, an nginx container (the rev-proxy service) is placed in front of the incoming requests and forwards each one to the desired service, so you must update the above docker-compose.yml file.
If you deploy your app with HTTPS, make sure that in the server.env file and in the cx-pm-setup.ps1 script command the URL protocols are changed from "http" to "https" and the ports are removed from the URLs.
Below, you can find what the script command, server.env, docker-compose.yml, and the nginx conf file look like when deploying over SSL following the above example, with the differences called out. As mentioned above, the script generates server.env and docker-compose.yml files you can use.
Note
You must create the nginx conf file before proceeding.
Setup Deployment Script Command
(Changes made: removed the ports, changed the URL protocol to https, and used the domain names)
.\cx-pm-setup.ps1 -BaseAddressService https://CxPolicyManagement -BaseAddressPortal https://CxPolicyManagement -BaseAddressIdentityProvider https://IdentProvDomain -Username <database_User> -DeploymentType Docker
server.env
(Changes made: removed the ports, changed the URL protocol to https, and used the domain names)
CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True
PM_API_URL=https://CxPolicyManagement/policymanagement/api
ACCESS_CONTROL_BASE_URL=https://IdentProvDomain
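The two server.env variants above (plain HTTP with ports, and HTTPS without ports) differ only in the URL values, and a mismatch between them and the deployment mode is an easy mistake to ship. The following POSIX shell check is an added example, not part of the Checkmarx documentation or product: it verifies that the three required variables are present, that CONNECTION_STRING names the SQL Server as "<address>,<port>", and that PM_API_URL and ACCESS_CONTROL_BASE_URL use the scheme of the chosen mode and, for HTTPS, carry no explicit port. The sample files it writes are constructed for the demo and reuse the placeholder values from this guide.

```shell
#!/bin/sh
# Added example (not Checkmarx code): sanity-check a server.env before starting
# the containers. It checks only what this guide requires; the sample files
# below are constructed for the demo.

# check_server_env FILE MODE
#   MODE is "http" (plain deployment) or "https" (nginx TLS deployment).
#   Prints every problem found; returns 0 when the file is clean, 1 otherwise.
check_server_env() {
    file=$1
    mode=$2
    rc=0

    for key in CONNECTION_STRING PM_API_URL ACCESS_CONTROL_BASE_URL; do
        if ! grep -q "^${key}=" "$file"; then
            echo "missing required variable: $key"
            rc=1
        fi
    done

    # The guide's connection string names the SQL Server as "<address>,<port>".
    cs=$(sed -n 's/^CONNECTION_STRING=//p' "$file")
    if [ -n "$cs" ]; then
        case "$cs" in
            *"Data Source="*","*";"*) ;;
            *) echo "CONNECTION_STRING should contain 'Data Source=<host>,<port>;'"; rc=1 ;;
        esac
    fi

    for key in PM_API_URL ACCESS_CONTROL_BASE_URL; do
        url=$(sed -n "s/^${key}=//p" "$file")
        [ -n "$url" ] || continue
        case "$url" in
            "${mode}://"*) ;;
            *) echo "$key must start with ${mode}:// (got: $url)"; rc=1 ;;
        esac
        if [ "$mode" = https ]; then
            # With nginx terminating TLS on 443, the URLs must carry no port.
            hostpart=${url#*://}
            hostpart=${hostpart%%/*}
            case "$hostpart" in
                *:*) echo "$key must not include a port in HTTPS mode (got: $hostpart)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed samples: one per deployment mode, plus an HTTPS file that still
# carries the plain-HTTP values (http:// and port 5555).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
CS='CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True'

cat > "$SAMPLE_DIR/http.env" <<EOF
$CS
PM_API_URL=http://CxPolicyManagement:5555/policymanagement/api
ACCESS_CONTROL_BASE_URL=http://IdentProvDomain
EOF

cat > "$SAMPLE_DIR/https.env" <<EOF
$CS
PM_API_URL=https://CxPolicyManagement/policymanagement/api
ACCESS_CONTROL_BASE_URL=https://IdentProvDomain
EOF

cat > "$SAMPLE_DIR/https-wrong.env" <<EOF
$CS
PM_API_URL=http://CxPolicyManagement:5555/policymanagement/api
ACCESS_CONTROL_BASE_URL=https://IdentProvDomain
EOF

for f in http.env:http https.env:https https-wrong.env:https; do
    echo "== ${f%%:*} (${f#*:} mode)"
    if check_server_env "$SAMPLE_DIR/${f%%:*}" "${f#*:}"; then
        echo "OK"
    else
        echo "fix server.env before running docker-compose"
    fi
done
```

Run it on the Docker host against the server.env the setup script produced (`check_server_env server.env https` for the SSL deployment) before `docker-compose up -d`; the https-wrong.env sample reproduces the exact mistake the text above warns about and is reported twice for PM_API_URL, once for the scheme and once for the port.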
docker-compose.yml
(Changes made: added the rev-proxy service and removed the ports from the Policy Management containers)
version: '3'
services:
  ##################################################################################
  rev-proxy:
    image: nginx
    container_name: nginx
    restart: unless-stopped
    ports:
      - "443:443"
    volumes:
      - ~/.nginx/conf.d:/etc/nginx/conf.d/
      - ~/.nginx/certs:/etc/nginx/certs
    networks:
      - "cx"
  ##################################################################################
  policy-management-service:
    image: policy-management-service:latest
    container_name: policy-management-service
    restart: unless-stopped
    env_file: server.env
    volumes:
      - <path_on_host_machine>:/app/Logs/CxPolicyManagerClient
    networks:
      - "cx"
  ##################################################################################
  policy-management-ui:
    image: policy-management-ui:latest
    container_name: policy-management-ui
    restart: unless-stopped
    env_file: server.env
    depends_on:
      - "policy-management-service"
    networks:
      - "cx"
  ##################################################################################
networks:
  cx:
default.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *.cxquality.com;

    ssl_certificate certs/cxquality.crt;
    ssl_certificate_key certs/cxquality.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam certs/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 20m;

    location /swagger {
        proxy_pass http://policy-management-service:8080;
    }
    location /policymanagement/api {
        proxy_pass http://policy-management-service:8080;
    }
    location / {
        proxy_pass http://policy-management-ui:8080;
    }
}
Pay attention to the volumes of the nginx container in docker-compose.yml. Replace ~/.nginx/conf.d and ~/.nginx/certs with the paths of your conf file and certificates.
You also need to configure the nginx container's configuration file (in the example: default.conf) with your desired server_name and the location of the certificate files.
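Because the nginx container is the only component exposed on the host in the SSL deployment, it is worth checking the mounted default.conf before bringing the stack up. The POSIX shell lint below is an added example, not part of the Checkmarx documentation or the nginx project: it verifies the two things the text above tells you to customise (server_name no longer the example value, certificate and key directives present), keeps the hardening the example config already carries (ssl_protocols pinned with no TLSv1/TLSv1.1, HSTS header present), and confirms that every proxy_pass target is one of the compose service names reachable on the "cx" network. The two sample configs it writes are constructed for the demo; pm.example.com is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not Checkmarx or nginx code): lint the default.conf mounted
# into the rev-proxy container. Sample configs below are constructed.

# conf_value FILE DIRECTIVE -> prints the value of a single-line nginx directive
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*/\1/p" "$1"
}

# check_nginx_conf FILE -> prints problems; returns 0 when clean, 1 otherwise
check_nginx_conf() {
    conf=$1
    rc=0

    sn=$(conf_value "$conf" server_name)
    if [ -z "$sn" ] || [ "$sn" = '*.cxquality.com' ]; then
        echo "server_name is missing or still the example value: ${sn:-<none>}"
        rc=1
    fi

    for d in ssl_certificate ssl_certificate_key; do
        if [ -z "$(conf_value "$conf" "$d")" ]; then
            echo "$d is not set; its certs/ path must match the ~/.nginx/certs mount"
            rc=1
        fi
    done

    protos=$(conf_value "$conf" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "ssl_protocols is not pinned; set it to TLSv1.2 (and TLSv1.3)"
        rc=1
    else
        case " $protos " in
            *" TLSv1 "*|*" TLSv1.1 "*|*" SSLv3 "*)
                echo "legacy protocol enabled in ssl_protocols: $protos"; rc=1 ;;
        esac
    fi

    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "HSTS header (Strict-Transport-Security) is missing"
        rc=1
    fi

    # Every proxy_pass target must be a compose service name on the "cx" network;
    # inside the nginx container, "localhost" is nginx itself, not the UI or API.
    for target in $(sed -n 's/^[[:space:]]*proxy_pass[[:space:]]*http:\/\/\([^:;]*\).*/\1/p' "$conf"); do
        case "$target" in
            policy-management-service|policy-management-ui) ;;
            *) echo "proxy_pass points at unknown upstream: $target"; rc=1 ;;
        esac
    done
    return $rc
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed: a trimmed copy of the guide's config with the placeholders filled in.
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name pm.example.com;
    ssl_certificate certs/pm.crt;
    ssl_certificate_key certs/pm.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location /policymanagement/api {
        proxy_pass http://policy-management-service:8080;
    }
    location / {
        proxy_pass http://policy-management-ui:8080;
    }
}
EOF

# Constructed: example value left in, key missing, legacy TLS, no HSTS, wrong upstream.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name *.cxquality.com;
    ssl_certificate certs/cxquality.crt;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://localhost:3000;
    }
}
EOF

for c in good.conf weak.conf; do
    echo "== $c"
    if check_nginx_conf "$SAMPLE_DIR/$c"; then echo "OK"; fi
done
```

Point it at the file under your ~/.nginx/conf.d path (`check_nginx_conf ~/.nginx/conf.d/default.conf`). It is a content check, not a syntax check; for syntax, `nginx -t` inside the running container remains the authoritative test. The relative `certs/...` paths in the guide's config resolve against nginx's prefix directory (/etc/nginx in the official image), which is why the compose file mounts the certificates at /etc/nginx/certs.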