-
Notifications
You must be signed in to change notification settings - Fork 87
Proxy and HTTPS Configuration
CxFlow can use a proxy server for making HTTP/HTTPS connections to the internet by adding additional arguments to the startup command. Irrespective of which scan engine is used, the proxy configuration will remain the same.
The following arguments are required:
http.proxyHost – the host or IP address of the proxy server.
http.proxyPort – the port used by the proxy server.
http.proxyUser - Optional and only needed if the proxy server needs authentication.
http.proxyPassword - Optional and only needed if the proxy server needs authentication.
Or
https.proxyHost - the host or IP address of the proxy server.
https.proxyPort - the port used by the proxy server.
https.proxyUser - Optional and only needed if the proxy server needs authentication.
https.proxyPassword - Optional and only needed if the proxy server needs authentication.
java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar <Additional-CxFlow-parameters>
java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -Dhttp.proxyUser=<proxy user> -Dhttp.proxyPassword=<proxy password> -jar cxflow.jar <Additional-CxFlow-parameters>
To use CxFlow over HTTPS, an SSL certificate is required to be imported into a keystore.
See documentation on importing certificates here:
https://docs.oracle.com/cd/E54932_01/doc.705/e54936/cssg_create_ssl_cert.htm#CSVSG180
https://www.baeldung.com/spring-boot-https-self-signed-certificate
To allow CxFlow to trust self-signed certificates, the parameter '--checkmarx.trustcerts = true' needs to be provided via command line when starting the cxflow.
java -Dhttp.proxyHost=myproxyserver.com -Dhttp.proxyPort=9595 -jar cxflow.jar --checkmarx.trustcerts = true' <Additional-CxFlow-parameters>
CxFlow is a Springboot application driven by a YAML configuration file. CxFlow can be configured to run over HTTPS by updating the application.yml configuration file.
Edit the application.yml file and update the server section as follows:
server:
port: <desired_ssl_port - usually 443 or 8443>
ssl:
key-store: <keystore filename>
key-store-password: <key/store password>
key-store-type: { JKS | PKCS12 }
key-alias: <key alias in the keystore>
enabled-protocols:
- TLSv1.3
- TLSv1.2
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-configure-ssl
Assumptions:
- JDK 8 installed
- Windows Machine running CxFlow
Open a CMD prompt and type the following
keytool -genkeypair -alias cxflow -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore C:\keystorecxflow.p12 -validity 3650
keytool -export -alias cxflow -keystore C:\keystorecxflow.p12 -rfc -file C:\cxflow.cert
//Import certificate to Windows Trust Store
certutil.exe -addstore root C:\cxflow.cert
Insert the following into the application.yml file
port: 443
ssl:
key-store: C:\keystorecxflow.p12
key-store-password: xxxxx
key-store-type: PKCS12
key-alias: cxflow
enabled-protocols:
- TLSv1.3
- TLSv1.2
To allow CXFlow to accept custom enterprise certificates without altering the default cacert, you can configure it to trust additional certificates by adding them to a custom trust store.
See documentation on importing certificates here:
keytool -importcert -file <path-to-your-certificate> -keystore custom-truststore.jks -alias <your-alias>
checkmarx:
version: 9.4
username: admin@cx
truststorepath: C:\\Users\\abc\\OneDrive - Checkmarx\\Desktop\\certificate\\custom-truststore1.jks
truststorepassword: satyam
customkeystore: true