Configuring CxSAST to Use a Non-default User (Instead of Network Service) for CxServices & IIS Application Pools
By default, all product services are installed and configured to run with the Windows Network Service account. These instructions describe how to configure CxSAST so that the CxServices and IIS Application Pools run with a non-default user (a user other than Network Service).
Outline
It is important to differentiate between the components as not all of them are used for the same purpose.
IIS Application Pools
CxClientPool - Application Pool of the Web Portal - the user that is defined here will not influence any external tools.
CxPool - Application Pool of the CxManager - the user that is defined here is used for connection to a third party server, e.g., TFS, GIT, SVN, etc.
CxPoolRestAPI - Application Pool of the RestAPI - the user that is defined here will not influence any external tools.
CxAccessControl - Application Pool of the Access Control portal
Notice
The user assigned to the IIS App Pools must have access to the CxDB and CxActivity databases in the SQL Server if 'Integrated Security=True' is set in the DBConnectionData.config file.
Services
Services for the CxManager - The user that is defined here (and for the CxPool) is used for the connection to the SQL server (if 'Integrated Security=True' is set in the DBConnectionData.config file):
CxSystemManager
CxJobsManager
CxScansManager
CxSastResults
CxScanEngine
Web server:
World Wide Web Publishing Service
IIS Admin Service
Access Control
Management and Orchestration:
CxARM
CxARMETL
CxRemediationIntelligence
Shared services:
ActiveMQ – Message Broker (Apache message queue broker) for communicating between Checkmarx products
Service for the CxEngine - The user that is defined here must either be in the Administrators group of the server or (recommended) have the netsh command run for it:
CxScanEngine
Notice
To make issues easier to resolve, it is recommended to keep all the CxServices defined with the same user.
Java Folders
In order to allow Cx services to read and write in the Java folder when users use their own non-default service account, the relevant user must grant Read/Write/Modify permissions on the Java folders (<root directory>:\Program Files\Java\jdk1.8.0_241\jre).
To grant permissions on the Java folders:
1. Ensure that the relevant user is logged on to the station with admin rights.
2. Navigate to the jdk1.8.0_241 folder, which is usually located at C:\Program Files\Java\jdk1.8.0_241
3. Right-click jre and select Properties from the menu to open the jre Properties dialog.
4. Navigate to the desired non-default service account (not the default Network Service) and add permissions to read, write and modify. The permission profile must look as illustrated in the jre Properties screen image above.
5. Apply the new settings and close the folders.
Storage Folders
Ensure that the user who accesses the Cx storage folders (CxSrc, CxReports, ExtSrc) has the appropriate read/write permissions.
Configuration
CxServices
1. Ensure that the user running the CxServices has the appropriate authorization, i.e., has domain access, administration rights, etc.
2. In the Service Manager (services.msc) you should check the Log On As user accounts of each of the following:
CxJobsManager
CxScanEngine
CxScansManager
CxSystemManager
CxARM
CxARMETL
CxRemediationIntelligence
ActiveMQ
Notice
If any of the CxServices run as anything other than the default Network Service, make sure you know the user account's full credentials.
3. Open Windows Services:
4. Right click on a CxService and select Properties.
5. Select the Log On tab, enter the appropriate user credentials and click OK.
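The CxServices steps above can also be checked and applied from an elevated PowerShell session. The script below is an added example, not part of the vendor's instructions; it assumes the names listed on this page match either the service name or the display name on your host, and that the account is entered at the prompt as DOMAIN\user.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. The names are the ones listed on this page; they are
# matched against Name and DisplayName because the page does not say which they are.
$cxServices = 'CxJobsManager', 'CxScanEngine', 'CxScansManager', 'CxSystemManager',
              'CxARM', 'CxARMETL', 'CxRemediationIntelligence', 'ActiveMQ'

function Get-CxService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -in $cxServices -or $_.DisplayName -in $cxServices }
}

function Show-CxServiceAccount {
    # Step 2: list the Log On As account of every Cx service found on this host.
    $found = @(Get-CxService)
    $found | Select-Object Name, StartName, State | Format-Table -AutoSize | Out-Host
    # The page recommends one account for all CxServices; warn when they differ.
    $accounts = @($found | ForEach-Object { $_.StartName } | Sort-Object -Unique)
    if ($accounts.Count -gt 1) {
        Write-Warning "Cx services use different accounts: $($accounts -join ', ')"
    }
}

function Set-CxServiceAccount {
    # Steps 3-5: set the Log On As account of each Cx service.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $plain = $Credential.GetNetworkCredential().Password
    foreach ($svc in Get-CxService) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $Credential.UserName   # enter as DOMAIN\user or .\user
            StartPassword = $plain
        }
        # ReturnValue 0 means the Service Control Manager accepted the change.
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$($svc.Name): Change returned $($result.ReturnValue)"
        }
    }
}

Show-CxServiceAccount
# Prompt for the password so it never appears in the script or in shell history.
Set-CxServiceAccount -Credential (Get-Credential -Message 'Cx service account')
Show-CxServiceAccount   # each service uses the new account from its next start
```

The Log On tab in services.msc grants the account the "Log on as a service" right automatically; the WMI Change method used here does not, so assign that right before restarting the services.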
IIS (Application Pools)
1. In the IIS Manager, navigate to Application Pools, and check the user Identity of each of the following:
CxClientPool
CxPool
CxPoolRestAPI
CxAccessControl
Notice
If any of the Cx Application Pools run as anything other than the default Network Service, make sure you know the user account's full credentials.
2. Open IIS Manager Console:
3. Click Application Pools and then select any of the Cx Application Pools.
4. Click Advanced Settings on the Action menu.
5. In the Advanced Settings window, scroll to Identity (under Process Model) and double click the user that is defined.
6. In the Application Pool Identity window, select the Custom Account radio button and click Set.
7. Enter the appropriate user credentials and click OK.
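The same Identity check and change can be made with the IIS WebAdministration module. This is an added example, not part of the vendor's instructions; it assumes the module is installed with IIS and uses the pool names listed on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Pool names are the ones listed on this page.
Import-Module WebAdministration
$cxPools = 'CxClientPool', 'CxPool', 'CxPoolRestAPI', 'CxAccessControl'

function Get-CxPoolIdentity {
    # Step 1: report the Identity (Process Model) of each Cx application pool.
    foreach ($name in $cxPools) {
        $path = "IIS:\AppPools\$name"
        if (-not (Test-Path $path)) { Write-Warning "$name not found"; continue }
        $pm = Get-ItemProperty -Path $path -Name processModel
        [pscustomobject]@{
            Pool         = $name
            IdentityType = $pm.identityType   # e.g. NetworkService, SpecificUser
            UserName     = $pm.userName       # empty unless a custom account is set
        }
    }
}

function Set-CxPoolIdentity {
    # Steps 3-7: switch each pool that exists to a custom account.
    param([Parameter(Mandatory)][pscredential]$Credential)
    foreach ($name in $cxPools) {
        $path = "IIS:\AppPools\$name"
        if (-not (Test-Path $path)) { continue }
        Set-ItemProperty -Path $path -Name processModel -Value @{
            identityType = 3   # 3 = SpecificUser, the "Custom account" option
            userName     = $Credential.UserName
            password     = $Credential.GetNetworkCredential().Password
        }
    }
}

Get-CxPoolIdentity | Format-Table -AutoSize
# Prompt for the password so it never appears in the script or in shell history.
Set-CxPoolIdentity -Credential (Get-Credential -Message 'Cx application pool account')
Get-CxPoolIdentity | Format-Table -AutoSize
```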
Cx Storage Folders
1. Ensure that the user accessing the Cx storage folders (CxSrc, CxReports, ExtSrc) has the appropriate read/write permissions.
2. To modify the read/write permissions for Cx storage folders:
   1. Navigate to the desired Cx storage folder (C:\CxSrc, C:\CxReports or C:\ExtSrc).
   2. Right-click on the folder, click Properties, and then click the Security tab.
   3. Click Edit and select the user or group that you want to change the permissions for.
   4. Check the permissions that you want to add for that user or group.
   Notice
   For a single manager with local folders, define read/write permissions.
   5. Click Apply to save the changes.
3. Repeat this procedure for the remaining Cx storage folders.
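The folder permissions described under Java Folders and Cx Storage Folders can be verified and granted in one pass. This is an added example, not part of the vendor's instructions; the account name CONTOSO\svc-cxsast is a placeholder, and the paths are the default locations named on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. $account is a placeholder; the paths are the default
# locations named on this page and may differ on your installation.
$account = 'CONTOSO\svc-cxsast'
$folders = 'C:\Program Files\Java\jdk1.8.0_241\jre', 'C:\CxSrc', 'C:\CxReports', 'C:\ExtSrc'

function Test-CxFolderModify {
    # True when the account itself holds an Allow ACE that includes Modify
    # (Modify covers read and write). Rights held only through a group are not counted.
    param([string]$Path, [string]$Account)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $modify) -eq $modify) { return $true }
    }
    return $false
}

function Grant-CxFolderModify {
    # (OI)(CI)M = Modify, inherited by files and subfolders; existing ACEs are kept.
    param([string]$Path, [string]$Account)
    icacls.exe $Path /grant "${Account}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { Write-Warning "Missing: $folder"; continue }
    if (-not (Test-CxFolderModify -Path $folder -Account $account)) {
        Grant-CxFolderModify -Path $folder -Account $account
    }
    # Re-read the ACL so the report reflects what is actually on disk.
    '{0,-45} Modify for {1}: {2}' -f $folder, $account, (Test-CxFolderModify $folder $account)
}
```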