Skip to main content

Installing CxSAST in Centralized Environment

Before installing CxSAST, make sure that you understand the System Architecture and that your server host(s) complies with the Server Host Requirements. To install CxSAST, you have to download the archive, extract the installation executable CxSetup.exe and install the required third-party components.


To install and configure high-availability solutions, refer to the relevant instructions. A diagram that outlines the architecture for high-availability solutions is available here.

Starting with CxSAST 9.4, users can select the service account on which CxSAST-related services are running while installing CxSAST. Further information and instructions are available on this page.

Prerequisites and Recommendations

  • The required Web Server for Checkmarx is IIS Server. If the IIS Server is missing, it will be installed together with CxSAST, which requires the Windows installation media to be accessible.

  • SQL 2012 Express SP2 is included with the CxSAST installer. It is installed, if there is no other version of SQL already installed.



  • You can directly upgrade to CxSAST 9.4 from an earlier build of version 9.4 and from versions 9.3 or 9.2.

  • To upgrade from version 9.0, you have to first upgrade at least to version 9.2 and only then you can upgrade to version 9.4.

  • For upgrading from version 8.8 or 8.9, you have to first upgrade to version 9.0, which requires migrating the Access Control data as explained in Access Control Data Migration Installer.

  1. Once you have downloaded the CxSAST Installation package and made the third-party components available, run CxSetup.exe.

    If you install CxSAST without any previous installations of CxSAST, continue here:

    • Click <ALL-IN-ONE-INSTALLATION> to continue the centralized installation, or click <X> to exit.

    • If you are installing a newer build or reverting to a previous version, continue here:

    • To upgrade while preserving your current configuration, click <EASY UPGRADE> to continue.

    • To add components, click <ADVANCED INSTALLATION>. Select the desired installation options and follow the instructions below to continue.

    • If you wish to install components on more than one host, refer to Installing CxSAST in a Distributed Environment for further information and instructions.

    The Checkmarx License Agreementwindow is displayed.

  2. Review and accept the license agreement by checking I accept the terms in the License Agreement.

  3. Click <NEXT> to continue. If you clicked <ADVANCED INSTALLATION> before, the additional Installation Options window is displayed with all components selected.

  4. Click <Select> to define the CxSAST installation location.


    • To avoid permission restrictions, install CxSAST under <root directory>:\Program Files.

    • For upgrades, previously installed location settings and product components are loaded from the existing configuration and cannot be changed. However, you can install or remove product components by using the modifying feature. For further information and instructions, refer to Modifying CxSAST.

  5. Click <NEXT>. The Prerequisites Check window is displayed, indicating the status of all required third-party components.



    • Available components are labeled 6436164837.jpg. All prerequisites must be available, otherwise, the setup cannot be completed and CxSAST will not be installed.

    • Missing components are labeled 6436165113.png.



    Clicking Prerequisites Folder conveniently opens the third_party folder where all the prerequisite third-party installation files or instructions are contained. This convenience only works if, when you extracted the third_party_<version>. zip file, you copied the third_party folder to the same folder where the CxSetup.exe installation file is located. If you did not do this before, you can copy it now, while the wizard is still open, and continue with the third-party installations.

    For any missing component (except the Java Runtime Environment), click the Prerequisites Folder button to navigate to the supplied components and install each one separately, as described in the on-screen instructions.

    For the required Java Runtime Environment (JRE), click Browse and select the entire JRE folder (not only the bin folder) that you copied to your computer, for example, C:\Program Files\openjdk-8u242-b08-jre, C:\Program Files\Java\jre1.8.0_241 or C:\Program Files\Java\jdk- These instructions assume that you have extracted and copied the content of the provided ZIP archive to the relevant location. Click Recheck Prerequisites to complete the validation process.

    If you did not make the Java files available, follow the instructions given in the Java section in Preparing CxSAST for Installation and then click Recheck Prerequisites to repeat the validation process.

    In case Java JRE is automatically updated to a new version, you have to manually update the JRE folder path in the CX_JAVA_HOME environment variable, otherwise, CxSAST stops operating.

  6. Once all required components are installed, click <NEXT> to continue. The CxSAST SQL Server Configuration window is displayed.

  7. Select the server from the SQL Server Instance list. If using a non-standard database port, provide the server name with a comma followed by the port number (e.g., LOCALHOST\SQLEXPRESS,25).

    Note: For upgrades, previously defined SQL Server instance settings are loaded from the existing configuration and cannot be changed.

  8. For CxSAST, define a connection to the installed SQL Server or to any other SQL server on your network, by selecting one of the following:

    • Connect using Integrated Windows Authentication (also called Windows domain authentication) - login is not required

    • Connect using SQL Server Authentication (also called SQL Server native authentication) - requires SQL user name and password for login with SA permissions

  9. Click <Test Connection>.

    • If the database was not in use, a message appears that indicates that the connection was successful.

    • If a previously used database exists, A message appears that a database was detected. In this case, you may continue using the database or re-install it as explained in the message.


    If the "SQL Connection Test Results" message indicates that the connection to the SQL Server has failed, verify the following:

    • The host, port, and login credentials are correct.

    • The host is a member of a Windows domain. If it is not part of a Windows domain, either join the host to a domain and restart it or connect using SQL Server Authentication.

    • The SQL Server Browser Windows service is running. If it is not running, enable it and start it.

  10. Click <OK>, and then click <NEXT>to continue. The Message Broker Configuration window is displayed.



    • The default ActiveMQ port is 61616.

    • <NEXT> is enabled when the default port is available. If unavailable, define another available port.

    • In case the ActiveMQ is uninstalled and reinstalled using a non-default port, a manual update in the database is required to match the change - Databases > CxDB > Tables > CxComponentConfiguration > ActiveMessageQueueURL > Key Value (e.g., tcp://<AMQ_URL>:<non-default_port>)

    • Make sure that port 61616 is open in all relevant firewalls between the ActiveMQ server and the following components:

      • CxManager servers (for Access Control, Scan Manager, and Results Services). This includes high availability configurations with multiple CxManagers. For additional information on configuring Access Control and ActiveMQ for high availability, refer to Configuring Access Control for High Availability Environments and Configuring ActiveMQ for High Availability Environments.

      • CxEngine servers

  11. On the message, click <OK>, and then click <NEXT>. You are now asked to define your service account settings.



    Since SAST Version 9.4, you can select the service account with which the CxSAST-related services will run. In previous versions, these services were running with the Network Service account by default.

  12. Select the service account on which the CxSAST-related services are going to run:

    • Network Service account (default)

    • This account: A dedicated account that you may have added to serve your CxSAST application. Enter the user credentials to enable CxSAST to access this account.

    The example below illustrates the services associated with the Network Service account.

  13. Click <Test User Account> to verify and test this account. If successful, <NEXT> turns green and you can continue the installation.

  14. Click <NEXT>. The Engine Configuration window is displayed.

  15. If Enable TLS is checked, the TLS flag is enabled and additional manual configuration is required.

  16. Click <NEXT>. The License Activation window is displayed.




    • If you already have a valid license from your previous installation, the license information is automatically loaded from the existing configuration and the License Activation window is not displayed.

    • If the License Activation window appears while installing or upgrading, you have to provide an updated license file. Any existing license file from a previous installation will be rendered invalid.

  17. Select the preferred licensing method by selecting one of the following:

    • Import New License : If you already have a valid CxSAST license file, select the Import New License option and then click Import License. Browse to the file location and click <Open>.

    • Request New License: If you have not yet obtained a permanent CxSAST license, select Request New License and then copy your Hardware ID to the clipboard. Send the copied Hardware ID (HID) to your Checkmarx sales representative or open a support ticket. In this case, you can continue the wizard and import the new license once you received it. CxSAST does not operate without an updated license.



    To update the license at a later stage with an updated license file, use the License Importer utility as explained.

  18. Click <NEXT> to continue.


    If your license does not match your current Hardware ID (HID), a warning message is displayed. In this case, obtain the proper license from your Checkmarx sales representative and use the License Importer utility to import it as explained once you received it.

    If the default port 80 is occupied, the Validate Port window is displayed. If required, select another port and click <Validate Port>.

    Port 80 is allocated as the default port for Checkmarx applications. In clean installations the Validate Port window is displayed only if one of the following occurs:

    • Port 80 is occupied by a non-default website or application

    • There is no default website and port 80 is occupied by another application or website

    • A default website is defined, but it occupies a different port. Port 80 is occupied by another application or website.

  19. Click <NEXT> to continue. The Setup Summary window is displayed.



    If your license remains valid after upgrading according to your license agreement with Checkmarx or you upgrade your CxSAST version with a newer build of the same version, the license information is not displayed because it has already been loaded from the existing configuration.

  20. Click <INSTALL> to continue. The Installation in Progress window is displayed and the application is installed and configured.

    • To return to the previous window, click <BACK>.

    • To exit, click <X>.


    Once the installation is complete the Installation Completed Successfully window is displayed.

    If a component could not be set up, but CxSAST is still ready to operate, the Installation Completed Successfully window is displayed with a warning.

    If the installation fails, the "Setup Failed" message is displayed. For more information, refer to the installation logs. If you need further assistance, please open a support ticket.