Troubleshooting
Introduction
This page is designed to help you address issues that may arise during deployment (or even after), categorized into three sections: issues applicable to both scenarios, Docker-specific issues, and Windows-specific issues.
We aim to provide quick insights and solutions for a smooth deployment and user experience.
Notice
If you encounter challenges not covered here or have additional questions, please contact our team.
If you’re just getting a blank white page on both the Policy Management Portal and the Policy Management Swagger page and have a console log of an error stating Uncaught SyntaxError: Unexpected token, as shown in the images below, your browser might be too old. You need to update it to load the page's javascript.
Common Issues
Outdated Browser
If you’re just getting a blank white page on both the Policy Management Portal and the Policy Management Swagger page and have a console log of an error stating Uncaught SyntaxError: Unexpected token
as shown in the images below, your browser might be too old.
You need to update it to load the page's javascript.
Session - Silent Renew Fails
In a scenario with a customized hostname without SSL, and your session is not renewed, this is due to how modern browsers handle cookies, which apply strict policies to improve web security (by restricting when cookies are sent with cross-origin requests, they help mitigate certain types of attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Script Inclusion (XSSI)). Therefore, SSL is mandatory to take advantage of a scenario where Policy Management is hosted using a customized hostname.
For more details, see here.
Creating a New Admin User in the Database
Using MSSQL, run the following query replacing the username and password:
USE master; CREATE LOGIN <username> WITH PASSWORD = '<password>'; ALTER SERVER ROLE sysadmin ADD MEMBER <username>;
How to set up a hosts file?
If you create a new site and pretend to use the same port as localhost, you need to update the host file to allow communication to your hostname using the same port used by localhost.
Or, if you want to access Policy Management, deployed with a hostname, from a machine that isn’t where it was deployed, you need to map the hostname to the host’s IP address.
Access to host file
C:\Windows\System32\drivers\etc\hosts
with admin permissions.At the end of the file, add the following line where
<ip_address>
is the IP address of the machine where Policy Management is deployed and<hostname>
is the Hostname that you selected for the base address:<ip_address> <hostname>
For example:
127.0.0.1 CxPolicyManagement
Warning
127.0.0.1
is the IP address that serves Ipv4 for the local host. If you want to access Policy Management from another machine, use the public IP address of the machine where Policy Management was deployed and the hostname.
Deployment Setup Issues
SqlCmd
The deployment setup script executes a set of queries in the SAST database and uses the SqlCmd util to execute them. It means that to be able to execute this command, you need to have SQL Server Management tools or sqlcmd Utility installed in your machine.
Warning
If you get the error: “sqlcmd : The term 'sqlcmd' is not recognized as the name or cmdlet, function, script file or operable program.“ you need to install SqlCmd.
To do it, follow the link: https://learn.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver16
If you are trying to access Policy Management or execute a plugin from a different computer where Policy Management was deployed, and you are having an error, please check if you set the host file in your computer correctly to allow your computer to resolve the hostname.
Console Application (Non) Support in the ISE
The PowerShell Team mentions some limitations on how the ISE interacts with console applications, which you must be aware of for apps like FTP and Netsh. First of all, the ISE Runs console apps that don’t require user input just fine.” for this reason, you need to use, specifically, the PowerShell console.
Migration Issues
Invalid object name STRING_SPLIT
error
The policies_migration.sql migration script uses a function called STRING_SPLIT
that is only available on SQL Server 2016 (13.x) and later. To use this function, the compatibility level setting of the database must be at least 130.
Check the current compatibility level with:
SELECT compatibility_level FROM sys.databases WHERE name = 'CxDB';
And change it with:
ALTER DATABASE [CxDB] SET COMPATIBILITY_LEVEL = 130;
Run the script again to ensure all the M&O data migrated successfully. You may revert it to its initial value at any time.
Windows Issues
Product Version Information
You can find the version installed for both products inside the root of each folder (backend and frontend) in the README.md file.
Following the example in the Windows Deployment page, that would be in:
C:\Program Files\Checkmarx\CxPolicyManagement\Portal\README.md
C:\Program Files\Checkmarx\CxPolicyManagement\Backend\README.md
Backend
Connection String Change
If you edited the connection string after installing Policy Management, to change the username or password, ensure the EncryptionKey and EncryptionVector have empty values.
ADO Plugin Necessary Fix
If you use the Checkmarx One Azure DevOps (ADO) plugin, there is a necessary fix for the plugin’s HTTP request to keep the plugin working. First, verify the Physical Path of the Default Website in the Advanced Settings:
The cx-pm-setup.ps1 script creates a web.config file with URL Rewrite rules in the IIS Default Web Site default physical path. However, a few scenarios can cause the plugin HTTP request to fail.
The Physical Path for the Default Web Site is not %SystemDrive%\inetpub\wwwroot: copy the file in your <backend_folder>\ADO_plugin_fix\web.config (in the Windows Deployment: C:\Program Files\Checkmarx\CxPolicyManagement\Backend\ADO_plugin_fix\web.config) to the location of your Default Web Site’s Physical Path.
web.config file already exists in %SystemDrive%\inetpub\wwwroot\web.config: Add the Rewrite Rules that are in <backend_folder>\ADO_plugin_fix\web.config (in the example above: C:\Program Files\Checkmarx\CxPolicyManagement\Backend\ADO_plugin_fix\web.config) to your web.config file.
CxSast Policy Management was deployed as a new website: Edit the Rewrite Rule action to redirect the requests to the correct URL. In the web.config file created (by you or the PowerShell script) in the Default Web Site’s Physical Path, edit the URL attribute of the action element by adding the correct Policy Management API URL in the beginning. According to the example in the deployment guide, you would need to make the following changes:
HTTP Error 500.30 - ASP.NET Core app failed to start
Open Event Viewer on Windows, go to Windows Logs>Application, and try to find the most recent error from the IIS source. There, we can find the source of the problem.
A possible cause for this problem could be that the database user does not have sufficient permissions; check if the user you are setting for the database connection has the role “sysadmin“.
Another possible cause could be a misconfiguration in appsettings.json. Compare whether ConnectionStrings has the same parameters as the ones shown in the Windows Deployment page example. (If you edit the connection string, ensure the EncryptionKey and EncryptionVector have empty values after you make changes).
Errors Connecting to the Database
If you have issues connecting to the database with credentials, an issue could be that SQL Server Authentication is disabled.
You can easily verify this by testing if you can log in SSMS using SQL Server Authentication.
If not, you need to first enable that login option in the properties of the database.
After that, open Sql Server Configuration Manager and restart your SQL Server service.
In the end, also restart IIS.
Docker Issues
Backend
Errors Connecting to the Database
If you’re having issues connecting to the Database and the Backend container logs, include a FATAL error:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 40 - Could not open a connection to SQL Server: Could not open a connection to SQL Server)
There might be an issue with the SQLEXPRESS TCP/IP protocol.
You can check if it is enabled and what your port is in Sql Server Configuration Manager.
If you make any changes, you need to restart the SQL Server (SQLEXPRESS) service in the first option of the list on the left SQL Server Services.
Product Version Information
You can find the version installed for both products by viewing the content of the README.md file inside the "/app" directory of each container (frontend and backend).
To quickly check the version, you can run the following bash command (replacing the container name or ID):
docker exec -it <container_name_or_id> cat /app/README.md
Complementary Configurations
Note
The instructions below are only necessary for specific cases.
How to Create a New Admin User in the Database
Using MSSQL
Run the following query replacing the username and password:
USE master; CREATE LOGIN <username> WITH PASSWORD = '<password>'; ALTER SERVER ROLE sysadmin ADD MEMBER <username>;
How to Set Up a Host File
If you are creating a new site and need to use the same port as localhost, you need to update the host file to allow communication to your hostname using the same port.
Access to host file
C:\Windows\System32\drivers\etc\hosts
with admin permissionsAt the end of the file, add the following line where
< Hostname>
is the hostname that you selected for the policy management website:127.0.0.1 <hostname>
In this guide's example:
127.0.0.1 CxPolicyManagement
Portal
Redirect Problems
Open the URL Rewrite module for the backend application. If there are any rules present, they should be removed:
Ensure that the
web. Config
file exists within the Portal folder and has the contents described in URL Rewrite. If the file doesn't exist, place it there manually.
Backend
HTTP Error 500.30 - The ASP.NET Core app failed to start
First, open Event Viewer on Windows, go to Windows Logs>Application, and try to find the most recent error from the IIS source. There, we can see the source of the problem.
A possible cause for this problem could be that the database user does not have sufficient permissions; check if the user you are setting to the database has the role "sysadmin. "
Another possible cause could be a misconfiguration in appsettings.json. Compare whether ConnectionStrings has the same parameters as the previously mentioned ConnectionStrings.
Error Connecting to Database
If you have issues connecting to the database with credentials, test if you can log in to SSMS using SQL Server Authentication.
If not, you should enable that login option in the properties of the database.
After that, you should open SQL Server Configuration Manager and restart your SQL Server service.
In the end, restart IIS.