Upgrading CxSAST to v9.4.0
This page applies only to full upgrades and not to hotfixes. CxSAST supports upgrades from up to the two previous versions.
Notice
Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate folder from the main database files.
For upgrading from v8.8 or v8.9, first install v9.2, and only then proceed with installing v9.4. If you use an earlier version of CxSAST, contact Checkmarx Support before you start upgrading.
Make sure that the SQL password does not exceed 32 characters.
If you are switching Java versions, for example, due to upgrading or otherwise modifying your CxSAST installation in a way that requires a newer Java installation, you have to update the newer Java location with the certificate from the previous Java location. This means you have to copy the cacerts file from the previous Java location (..\Checkmarx Risk Management\jre\lib\security\) to the new Java location (<install path>\openjdk-8u242-b08-jre\lib\security\) and overwrite the existing cacerts file in the new location with your existing cacerts file.
Some environment variables are renamed, but the names are not updated in the list of Environment Variables list. Therefore, you have to manually verify that the environment variable names match the respective listed ones. If they do not match, you have to manually update them under Windows Properties as explained once the upgrade is complete. Incompatible environment variable names cause CxSAST to fail.
If you intend to use TLS,
follow the guide under Configuring SSL between CxManager and CxEngine and verify the certificate's installation location as mentioned in the guide.
make sure to add CX_ENGINE_CERTIFICATE_SUBJECT_NAME as environment variable as explained, if it is not listed already.
For an upgrade from CxSAST 9.3 to CxSAST 9.4, the New Flow will be enabled only for new projects. For existing projects, it will be enabled or disabled depending on the New Flow configuration in 9.3. So if a customer was using New Flow for a project in the 9.3 installation, New Flow will be enabled for the project in the upgrade to 9.4. If a customer was using the original flow for a project in the 9.3 installation, New Flow will be disabled for that project in the upgrade to 9.4.
Before you start:
Make sure there are currently no scans running.
Stop all Cx Windows services and Web servers, depending on the Checkmarx components installed on the server:
On a centralized host
CxSystemManager
CxJobsManager
CxScansManager
CxScanEngine
Management and Orchestration:
CxARM
CxARMETL
Web server:
Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".
On a CxEngine host (if applicable):
CxScanEngine
Notice
Make sure to back up your Cx databases prior to running any software update. Schedule the database backup to create compressed files with unique file names in a separate directory from the main database files.
To upgrade CxSAST:
Download the CxSAST installation package.
Extract the downloaded ZIP archive, supplying the password provided by Checkmarx support.
Run CxSetup.exe on each server component host and perform the upgrade according to the Installing CxSAST procedure.
During the upgrade, the Checkmarx installer automatically performs a backup copy of configuration files. The Checkmarx backup files are located at %appdata%\checkmarx (usually C:\Users\<user>\AppData\Roaming\Checkmarx).
Back-up the following files in case they need to be restored after the upgrade:
<Drive>:\Program Files\Checkmarx\Checkmarx Audit\DefaultConfig.xml
<Drive>:\Program Files\Checkmarx\Checkmarx Engine Server\DefaultConfig.xml
<Drive>:\Program Files\Checkmarx\Executables\*.*
Back-up the following file for use during the upgrade process:
<Drive>:\Program Files\Checkmarx\Licenses\License.cxl
Back-up the following file for use if you are unable to find or connect to the database during the installation:
<Drive>:\Program Files\Checkmarx\Configuration\DBConnectionData.config
Notice
To configure Access Control and ActiveMQ for High Availability, refer to Configuring Access Control for High Availability Environments and Configuring ActiveMQ for High Availability Environments.
For upgrading the Manager/Portal server in a distributed environment, the ActiveMQ component is automatically selected when using the Easy Upgrade option.
For high availability deployments, each manager (such as the ScanManager) must be upgraded individually.
Validate that all Cx Windows services and Web servers (depending on the Checkmarx components installed on the server) have started:
On a centralized host:
CxSystemManager
CxJobsManager
CxScansManager
CxSastResults
CxScanEngine
Management and Orchestration:
CxARM
CxARMETL
CxRemediationIntelligence
Shared services:
ActiveMQ
Web server:
Stop Internet Information Services (IIS). To do so, open Internet Information Services (IIS) and click Stop under Manage Server or open a command-line shell (CMD) as Administrator and enter "iisreset /stop".
World Wide Web Publishing Service
IIS Admin Service
Notice
If you have the IIS configured for both HTTP (80) and HTTPS (443), HTTPS (443) takes priority, and the system is configured accordingly.
After upgrading to CxSAST 9.4, you have to reconnect the new engines using a different URL, if you use a different port than the default port 8088.
The new URL for the new engine for CxSAST 9.4 and up is http://{IP or FQDN}:8088.
If you use a different port than 8088, you have to manually update the URL to http://{IP or FQDN}:{custom port}
If required start each one manually.
Notice
By default, all product services are installed and configured to run with Windows Network Service account. When upgrading from v8.8/8.9, any non-default accounts for new CxSAST Services (CxSASTResults, CxRemidiationIntelligence, ActiveMQ) and IIS Application Pools (CxAccessControl) might need to be updated and customized according to your existing policy. You should also verify that all other previously existing CxSAST services and IIS Application Pools are still managed by your customized account. For updating non-default service accounts, refer to Configuring CxSAST for using a non-default User (Network Service) for CxServices & IIS Application Pools.
Upgrading CxSAST in High Availability Solutions
To install and configure high availability solutions, refer to the relevant instructions. In addition, a diagram that outlines the architecture for high availability solutions is available.
To edit any of the protocols in use, the station and/or port definitions for any of the upgraded Cx components, refer to Changing the Server Name, IP or Port for Checkmarx Components for further information and instructions.