When establishing an HTTPS connection with Kaspersky CyberTrace instances, Balancer checks if the certificate received from Kaspersky CyberTrace matches the reference certificate located in the directory specified in CertDirPath
parameter of the kl_balancer.conf
configuration file.
Checking certificates is possible only under Rest API, for only Rest API deals with https. This section does not refer to detecting.
If the reference certificate of the Kaspersky CyberTrace instance is not available in the directory, or the directory does not exist, Balancer performs the following:
%CERT_PATH%/%INSTANCE%_%CT_PORT%.pem
file, where:CERT_PATH
is a directory specified in the CertDirPath
parameter of the kl_balancer.conf
configuration file.INSTANCE
is a host name/IP value specified in the Instances
> Instance
element for a certain Kaspersky CyberTrace instance.CT_PORT
is a port value specified in the matching_port
attribute of the Instances
> Instance
element for a certain Kaspersky CyberTrace instance.If the Kaspersky CyberTrace certificate does not match the reference certificate, Balancer performs the following:
If the host name/IP, or the port of a Kaspersky CyberTrace instance used in High Availability deployment is changed, the reference certificate of the instance will be saved again. The old certificate will not be automatically removed. Removal of unused certificates is under responsibility of Kaspersky CyberTrace administrator.
Changing Kaspersky CyberTrace certificate
Certificate changing on the side of Kaspersky CyberTrace requires manual certificate changing on the side of Balancer.
To change the Kaspersky CyberTrace certificate:
sc stop cybertrace
(in Windows)
systemctl stop cybertrace.service
(in Linux)
sc start cybertrace
(in Windows)
systemctl start cybertrace.service
(in Linux)
sc stop KasperskyBalancerService
(in Windows)
systemctl stop cybertrace_balancer.service
(in Linux)
On the side of Kaspersky CyberTrace, copy the httpsrv\kl_feed_service_cert.pem
file to the %CERT_PATH%
directory on the Balancer side, and rename it to the %INSTANCE%_%CT_PORT%.pem
file.
sc start KasperskyBalancerService
(in Windows)
systemctl start cybertrace_balancer.service
(in Linux)
For more information on changing certificates, see section Generating SSL certificates for Kaspersky CyberTrace Web.
Checking certificate settings
To check certificate settings of the Kaspersky CyberTrace instance selected:
sc stop KasperskyBalancerService
(in Windows)
systemctl stop cybertrace_balancer.service
(in Linux)
enabled = "false"
in the Instances
section of the kl_balancer.conf
configuration file. sc start KasperskyBalancerService
(in Windows)
systemctl start cybertrace_balancer.service
(in Linux)
GET/api/v.1.1/suppliers
) to the Balancer port (specified in api_port
).sc stop KasperskyBalancerService
(in Windows)
systemctl stop cybertrace_balancer.service
(in Linux)
enabled = "true"
in the Instances
section of the kl_balancer.conf
configuration file.sc start KasperskyBalancerService
(in Windows)
systemctl start cybertrace_balancer.service
(in Linux)