Configuring SSL for the Checkmarx Software Exposure Platform
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact. To create an SSL connection, the web server requires an SSL certificate.
Checkmarx Software Exposure Platform (SSL)
To secure communications between all Checkmarx Software Exposure Platform components, we recommend that you install signed certificates and enable SSL on all machines/servers to enforce SSL security (HTTPS). These instructions guide you through the procedure to configure the Secure Sockets Layer (SSL) Protocol for the Checkmarx Software Exposure Platform in Distributed Architecture or High Availability Architecture environments. They also include links to topics that are directly related to this procedure.
Configuring SSL
SSL can be configured for each machine/server via the relevant Checkmarx Software Exposure Platform components. To configure SSL, follow the instructions below:
1. All machines/servers in the Checkmarx Software Exposure Platform must be part of the same domain and configured in the Domain Name System (DNS) when using machine names.
2. Enable SSL support for Access Control by configuring the appsettings.json file (<dir>:\Program Files\Checkmarx\Checkmarx Access Control\appsettings.json):
3. Enable SSL Support on the CxManager according to these instructions.
4. Configure all Checkmarx Software Exposure Platform components for HTTPS in the DB table [CxDB].dbo.[cxComponentConfiguration] as follows:
Update the IdentityAuthority, CxARMPolicyURL, CxARMURL, CxSASTManagerUri and WebServer keys so that their values use HTTPS with the relevant server name.
5. Enable SSL support on the CxEngine(s) according to these instructions.
6. Restart ActiveMQ and all CxManager services so that any changes made in the database take effect.
7. Enable SSL support on the load balancer according to instructions provided by your vendor. If you are using Nginx as the load balancer, you can use the following configuration:
8. Enable TLS support (on all machines/servers) according to these instructions.
9. Enable FIPS compliance (on all machines/servers) according to your supported operating system (see example).
10. Enable SSL support and FIPS compliance for Management & Orchestration (M&O) according to these instructions.
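A check for the values set in step 4, given here as an added example and not as Checkmarx code: it takes the five keys' values as exported from the configuration table and flags any that are missing, do not use HTTPS, or do not use a DNS machine name in the expected domain (step 1). The host names, the domain `corp.example` and the function names are constructed for illustration; `probe_tls` is an optional live handshake check with certificate verification enabled.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit
# Keys named in step 4 of the procedure.
REQUIRED_KEYS = ("IdentityAuthority", "CxARMPolicyURL", "CxARMURL",
                 "CxSASTManagerUri", "WebServer")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_component_urls(config, domain):
    """Return {key: [problems]} for values that break the HTTPS/DNS-name rules."""
    findings = {}
    for key in REQUIRED_KEYS:
        value = (config.get(key) or "").strip()
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        problems = []
        if not value:
            problems.append("missing")
        else:
            if parts.scheme.lower() != "https":
                problems.append("scheme is not https")
            if not host or _is_ip(host) or host == "localhost":
                problems.append("host is not a DNS machine name")
            elif not host.endswith("." + domain.lower()):
                problems.append("host is outside domain " + domain)
        if problems:
            findings[key] = problems
    return findings

def probe_tls(url, timeout=5):
    """Live check: the handshake fails unless the certificate chain and name verify."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # verification and host-name check are on
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.version()  # negotiated protocol version string

# Constructed sample values; real ones come from the configuration table.
SAMPLE = {"IdentityAuthority": "https://cxmanager.corp.example",
          "CxARMPolicyURL": "http://cxarm.corp.example",
          "CxARMURL": "https://10.0.0.5",
          "CxSASTManagerUri": "https://cxmanager.other.example"}
```

Calling `audit_component_urls(SAMPLE, "corp.example")` reports every key except IdentityAuthority; an empty result means all five values point at HTTPS endpoints by machine name.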