
Docker Deployment

Requirements

  Component                      Link
  Docker (and Docker Compose)    https://docs.docker.com/get-docker/

Docker Configuration

This guide describes installing and running Policy Management components as Docker containers.

  1. You will need a database user account with admin privileges. See how you can create one here.

  2. Ensure that there is connectivity to the database host.

  3. Set up the deployment (configuration of authentication, authorization, and other customizations) on the CxSAST Manager host.

    1. Run PowerShell as an Administrator and go to the cx-pm-setup.ps1 script file location (CxPolicyManagement-X.X.X\Docker).

    2. Paste the following command with these mandatory parameters:

      Note

      In this example, the Portal is configured on a container available on port 3000, the backend is on port 5555, and the hostname is CxPolicyManagement.

      .\cx-pm-setup.ps1 -BaseAddressService http://CxPolicyManagement -BaseAddressPortal http://CxPolicyManagement -BaseAddressIdentityProvider http://IdentProvDomain -Username <database_User> -DeploymentType Docker -PortalPort 3000 -ServicePort 5555

    3. Press Enter and enter the password of the database user passed in -Username (the account with permission to access the database).

      The script creates the docker-compose.yml and server.env files needed for the next steps on the Docker host machine.

    For more information on the script, check Deployment Setup.

Warning

To use a hostname instead of the IP address (e.g., CxPolicyManagement), you need to perform an additional step: How to set up a hosts file.

Note

  • <database_User>: replace with the username used to connect to the database.

  • The DatabaseHost parameter must also be passed if the database host differs from the local host.

  1. Obtain the latest Policy Management package and images from your Checkmarx representative.

    1. Load the images into your Policy Management host Docker.

      docker image load --input policy-management-service.tar
      docker image load --input policy-management-ui.tar
  2. Configure the Policy Management settings using environment variables.

    1. Create a server.env file (or use the one created from the script) with the following variables:

      1. CONNECTION_STRING (Required) - Database connection string to a SQL Server. Ensure you use the correct public address and port of your database, and the correct user and password.

        Warning: 1433 is the default port for SQL Server. If you are experiencing issues, see Error Connection to Database for assistance.

      2. PM_API_URL (Required) - Endpoint for the Policy Management API (http://<pm service address>:<api_port>/policymanagement/api).

      3. ACCESS_CONTROL_BASE_URL (Required) - Endpoint for the CxSAST Access Control host (http://<AC base address>:<port>).

    2. For example, using the scenario described above, the server.env file should look like this:

      CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True
      PM_API_URL=http://CxPolicyManagement:5555/policymanagement/api
      ACCESS_CONTROL_BASE_URL=http://IdentProvDomain
  3. Create the application's containers: one for the Portal (policy-management-ui) and another for the Backend (policy-management-service). There are two ways to achieve this:

    • Using the Docker Compose tool (recommended).

      1. Create a docker-compose.yml (or use the one created from the script) with the following:

        version: '3'
        services:
        ##################################################################################
            policy-management-service:
                image: policy-management-service:latest
                container_name: policy-management-service
                restart: always
                env_file: server.env
                ports:
                    - "5555:8080"
                volumes:
                    -  <path_on_host_machine>:/app/Logs/CxPolicyManagerClient
                networks:
                    - "cx"
        ##################################################################################
            policy-management-ui:
                image: policy-management-ui:latest
                container_name: policy-management-ui
                restart: always
                env_file: server.env
                ports:
                    - "3000:8080"
                depends_on:
                    - "policy-management-service"
                networks:
                    - "cx"
        ##################################################################################
        networks:
            cx:
      2. In the policy-management-service container’s volumes, change <path_on_host_machine> to your desired path where the logs will be stored - both absolute and relative paths work. Make sure your docker-compose.yml and server.env files are in the same folder, and run the following command:

        docker-compose -f docker-compose.yml up -d
    • Running the following Docker commands.

      docker run -d -p 5555:8080 --env-file=server.env --restart always --name policy-management-service --volume <absolute_path_on_host_machine>:/app/Logs/CxPolicyManagerClient policy-management-service:latest
      docker run -d -p 3000:8080 --env-file=server.env --restart always --name policy-management-ui policy-management-ui:latest

      Change <absolute_path_on_host_machine> to the path where the logs should be stored (only absolute paths work here). You can also change where the logs are stored in the server.env file.

SSL Configuration

To deploy over SSL using Docker, an nginx container is placed in front of the services as a reverse proxy (load balancer) that terminates TLS and forwards incoming requests to the desired service, so the docker-compose.yml file above must be updated accordingly.

If you deploy over HTTPS, make sure the URL protocols in server.env and in the cx-pm-setup.ps1 command are changed from "http" to "https", and that the ports are removed from the URLs.

Below is what the script command, server.env, docker-compose.yml, and nginx conf files look like when deploying over SSL, following the example above with the noted differences. As mentioned, the script generates server.env and docker-compose.yml files you can use.

Note

You must create the nginx conf file before proceeding.

Setup Deployment Script Command

(Changes made: removed the ports, changed the URL protocol to https, and used the domain names)

.\cx-pm-setup.ps1 -BaseAddressService https://CxPolicyManagement -BaseAddressPortal https://CxPolicyManagement -BaseAddressIdentityProvider https://IdentProvDomain -Username <database_User> -DeploymentType Docker

server.env

(Changes made: removed the port, changed the URL protocol to https, and used the domain names)

CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True
PM_API_URL=https://CxPolicyManagement/policymanagement/api
ACCESS_CONTROL_BASE_URL=https://IdentProvDomain

docker-compose.yml

(Changes made: added the rev-proxy service and removed the published ports from the Policy Management containers)

version: '3'
services:
##################################################################################
    rev-proxy:
        image: nginx
        container_name: nginx
        restart: unless-stopped
        ports:
            - "443:443"
        volumes:
            - ~/.nginx/conf.d:/etc/nginx/conf.d/
            - ~/.nginx/certs:/etc/nginx/certs
        networks:
            - "cx"
##################################################################################
    policy-management-service:
        image: policy-management-service:latest
        container_name: policy-management-service
        restart: unless-stopped
        env_file: server.env
        volumes:
            -  <path_on_host_machine>:/app/Logs/CxPolicyManagerClient
        networks:
            - "cx"
##################################################################################
    policy-management-ui:
        image: policy-management-ui:latest
        container_name: policy-management-ui
        restart: unless-stopped
        env_file: server.env
        depends_on:
            - "policy-management-service"
        networks:
            - "cx"
##################################################################################
networks:
    cx:

default.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.cxquality.com;
    ssl_certificate     certs/cxquality.crt;
    ssl_certificate_key certs/cxquality.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam certs/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 20m;
    location /swagger {
        proxy_pass http://policy-management-service:8080;
    }

    location /policymanagement/api {
        proxy_pass http://policy-management-service:8080;
    }

    location / {
        proxy_pass http://policy-management-ui:8080;
    }
}

Pay attention to the volumes of the nginx container in docker-compose.yml. Replace ~/.nginx/conf.d and ~/.nginx/certs with the paths of your conf file and certificates.

You also need to edit the nginx configuration file (default.conf in the example) with your desired server_name and the location of the certificate files.
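As an added check that is not part of the Checkmarx documentation, the following shell script validates a server.env against the rules in this guide before docker-compose is run: the Data Source carries the SQL Server port, PM_API_URL ends with the API path and drops its port only when switched to https, both URLs use the same scheme, and TrustServerCertificate=True is flagged because it skips validation of the SQL Server certificate. The file names, the temporary directory and the broken sample file are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the Checkmarx docs): sanity-check a server.env before
# docker-compose up. File names and sample values are constructed from this guide.
# check_pm_env FILE: prints findings; returns 0 when no errors were found.
check_pm_env() {
  file="$1"; errors=0
  # tr -d '\r' tolerates CRLF line endings from a file generated on Windows.
  conn=$(tr -d '\r' < "$file" | sed -n 's/^CONNECTION_STRING=//p')
  api=$(tr -d '\r' < "$file" | sed -n 's/^PM_API_URL=//p')
  ac=$(tr -d '\r' < "$file" | sed -n 's/^ACCESS_CONTROL_BASE_URL=//p')
  for kv in "CONNECTION_STRING=$conn" "PM_API_URL=$api" "ACCESS_CONTROL_BASE_URL=$ac"; do
    [ -n "${kv#*=}" ] || { echo "ERROR: ${kv%%=*} is missing"; errors=$((errors + 1)); }
  done
  # Data Source must carry the SQL Server port (1433 by default).
  ds=$(printf '%s\n' "$conn" | tr ';' '\n' | sed -n 's/^Data Source=//p')
  case "$ds" in
    *,[0-9]*) ;;
    *) echo "ERROR: Data Source must be <host>,<port>, got '$ds'"; errors=$((errors + 1)) ;;
  esac
  # TrustServerCertificate=True skips validation of the SQL Server TLS certificate.
  case "$conn" in
    *TrustServerCertificate=True*) echo "WARN: SQL Server certificate is not validated" ;;
  esac
  # PM_API_URL must end with the API path. Over https the port is dropped (nginx
  # terminates TLS on 443); over plain http it must carry the service port.
  scheme=${api%%://*}; hostport=${api#*://}; hostport=${hostport%%/*}
  case "$api" in
    */policymanagement/api) ;;
    *) echo "ERROR: PM_API_URL must end with /policymanagement/api"; errors=$((errors + 1)) ;;
  esac
  if [ "$scheme" = https ] && [ "${hostport#*:}" != "$hostport" ]; then
    echo "ERROR: PM_API_URL is https but still carries a port ($hostport)"; errors=$((errors + 1))
  elif [ "$scheme" = http ] && [ "${hostport#*:}" = "$hostport" ]; then
    echo "ERROR: PM_API_URL is http but has no service port"; errors=$((errors + 1))
  fi
  # Both URLs are switched to https together.
  [ "${ac%%://*}" = "$scheme" ] || { echo "ERROR: URL schemes differ"; errors=$((errors + 1)); }
  [ "$errors" -eq 0 ]
}
# Constructed sample files: the https server.env from this guide, and a broken one.
tmp=$(mktemp -d)
printf '%s\n' 'CONNECTION_STRING=Data Source=192.0.2.1,1433;Initial Catalog=CxDB;User ID=db_user;Password=my_password;TrustServerCertificate=True;Pooling=True' \
  'PM_API_URL=https://CxPolicyManagement/policymanagement/api' \
  'ACCESS_CONTROL_BASE_URL=https://IdentProvDomain' > "$tmp/server.env"
printf '%s\n' 'CONNECTION_STRING=Data Source=192.0.2.1;Initial Catalog=CxDB;User ID=db_user;Password=my_password' \
  'PM_API_URL=https://CxPolicyManagement:5555/policymanagement/api' \
  'ACCESS_CONTROL_BASE_URL=http://IdentProvDomain' > "$tmp/bad.env"
check_pm_env "$tmp/server.env" && echo "server.env OK"
check_pm_env "$tmp/bad.env" || echo "bad.env rejected"
```

Run it on the Docker host against the server.env the setup script generated; a non-zero exit means at least one ERROR line was printed.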