Skip to main content

Upgrading CxSAST to v9.6.0

This page applies only to full upgrades and not to hotfixes. CxSAST supports upgrades from up to the two previous versions.

Warning

Management and Orchestration (M&O) is no longer supported in 9.6. You cannot continue with the upgrade if you have M&O installed. Please contact your Checkmarx support team to remove M&O from your environment.

Notice

  • Make sure to back up your Cx databases before running any software updates. Schedule the database backup to create compressed files with unique names in a separate folder from the main database files.

  • To upgrade from v8.9, first install v9.2, then install v9.4 and then proceed with installing v9.5. If you use an earlier version of CxSAST, contact Checkmarx Support before upgrading.

  • Make sure that the SQL password does not exceed 32 characters.

  • Some environment variables are renamed, but the names are not updated in the Environment Variables list. Therefore, you must manually verify that the environment variable names match those listed. If they do not match, you must manually update them under Windows Properties, as explained, once the upgrade is complete. Incompatible environment variable names cause CxSAST to fail.

  • If you intend to use TLS,

    • follow the guide under Configuring SSL between CxManager and CxEngine and verify the certificate's installation location as mentioned in the guide.

    • make sure to add CX_ENGINE_CERTIFICATE_SUBJECT_NAME as an environment variable, as explained, if it is not listed already.

Before you start:

  1. Make sure no scans are running or queued.

  2. Stop all Cx Windows services and Web servers, depending on the Checkmarx components installed on the server:

    • On a centralized host

      • CxSystemManager

      • CxJobsManager

      • CxScansManager

      • CxScanEngine

      • Web server:

        Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click 6436169307.png Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".

      • On a CxEngine host (if applicable):

        • CxScanEngine

    Notice

    Make sure to back up your Cx databases before running any software updates. Schedule the database backup to create compressed files with unique names in a separate directory from the main database files.

    To upgrade CxSAST:

    1. Download the CxSAST installation package.

    2. Extract the downloaded ZIP archive and supply the password provided by Checkmarx support.

    3. Run CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.

    4. The Checkmarx installer automatically performs a backup copy of configuration files during the upgrade. The Checkmarx backup files are at %appdata%\checkmarx (usually C:\Users\<user>\AppData\Roaming\Checkmarx).

      • Back-up the following files in case they need to be restored after the upgrade:

        • <Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml

        • <Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml

        • <Drive>:\Program Files\Checkmarx\Executables\*.*

      • Back up the following file for use during the upgrade process:

        • <Drive>:\Program Files\Checkmarx\Licenses\License.cxl

      • Back up the following file for use if you are unable to find or connect to the database during the installation:

      • <Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config

      Notice

    5. Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:

      • On a centralized host:

        • CxSystemManager

        • CxJobsManager

        • CxScansManager

        • CxSastResults

        • CxScanEngine

        • Shared services:

          • ActiveMQ

        • Web server:

          Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click 6436169307.png Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".

          • World Wide Web Publishing Service

          • IIS Admin Service

      Notice

      • If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.

      • After upgrading to CxSAST 9.5, you must reconnect the new engines using a different URL if you use a port different from the default port 8088.

        • The new URL for the new engine for CxSAST 9.5 and up is http://{IP or FQDN}:8088.

        • If you use a different port than 8088, you have to manually update the URL to http://{IP or FQDN}:{custom port}

    6. If required, start each one manually.

    Notice

    All product services are installed and configured to run with a Windows Network Service account by default. When upgrading from v8.8/8.9, any non-default accounts for new CxSAST Services (CxSASTResults, ActiveMQ) and IIS Application Pools (CxAccessControl) might need to be updated and customized according to your existing policy. You should verify that your customized account manages all previously existing CxSAST services and IIS Application Pools. To update non-default service accounts, refer to Configuring CxSAST for using a non-default User (Network Service) for CxServices & IIS Application Pools.

    Upgrading CxSAST in High Availability Solutions

    To install and configure high-availability solutions, see instructions. In addition, a diagram that outlines the architecture for high-availability solutions is available.

    To edit the protocols in use, the station and/or port definitions for any upgraded Cx components, refer to Changing the Server Name, IP, or Port for Checkmarx Components for further information and instructions.