Checking HTTPS certificates

When establishing an HTTPS connection with Kaspersky CyberTrace instances, Balancer checks if the certificate received from Kaspersky CyberTrace matches the reference certificate located in the directory specified in CertDirPath parameter of the kl_balancer.conf configuration file.

Checking certificates is possible only under Rest API, for only Rest API deals with https. This section does not refer to detecting.

If the reference certificate of the Kaspersky CyberTrace instance is not available in the directory, or the directory does not exist, Balancer performs the following:

  1. Saves the certificate received from Kaspersky CyberTrace in the %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem file, where:
    • CERT_PATH is a directory specified in the CertDirPath parameter of the kl_balancer.conf configuration file.
    • INSTANCE is a host name/IP value specified in the Instances > Instance element for a certain Kaspersky CyberTrace instance.
    • CT_PORT is a port value specified in the matching_port attribute of the Instances > Instance element for a certain Kaspersky CyberTrace instance.
  2. Continues establishing HTTPS connection using the certificate received.

If the Kaspersky CyberTrace certificate does not match the reference certificate, Balancer performs the following:

  1. Stops establishing HTTPS connection with the Kaspersky CyberTrace instance.
  2. Returns status code 500 with the following error information:
    • IP/host name of the Kaspersky CyberTrace instance.
    • Port number of the Kaspersky CyberTrace instance.
    • Problem description: HTTPS connection with the Kaspersky CyberTrace instance has not been established, since the server certificate does not match the one expected.

If the host name/IP, or the port of a Kaspersky CyberTrace instance used in High Availability deployment is changed, the reference certificate of the instance will be saved again. The old certificate will not be automatically removed. Removal of unused certificates is under responsibility of Kaspersky CyberTrace administrator.

Changing Kaspersky CyberTrace certificate

Certificate changing on the side of Kaspersky CyberTrace requires manual certificate changing on the side of Balancer.

To change the Kaspersky CyberTrace certificate:

  1. Stop the Kaspersky CyberTrace instance service.

    sc stop cybertrace (in Windows)

    systemctl stop cybertrace.service (in Linux)

  2. Change the certificate of the Kaspersky CyberTrace instance.
  3. Start the Kaspersky CyberTrace instance service.

    sc start cybertrace (in Windows)

    systemctl start cybertrace.service (in Linux)

  4. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  5. On the side of Balancer, change the certificate for the Kaspersky CyberTrace instance.

    On the side of Kaspersky CyberTrace, copy the httpsrv\kl_feed_service_cert.pem file to the %CERT_PATH% directory on the Balancer side, and rename it to the %INSTANCE%_%CT_PORT%.pem file.

  6. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)

For more information about changing certificates, see section Generating SSL certificates for Kaspersky CyberTrace Web.

Checking certificate settings

To check certificate settings of the Kaspersky CyberTrace instance selected:

  1. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  2. For all Kaspersky CyberTrace instances, except for the selected instance, specify enabled = "false" in the Instances section of the kl_balancer.conf configuration file.
  3. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)

  4. Send any request outlined in the AllowedRequests section (for example, GET/api/v.1.1/suppliers) to the Balancer port (specified in api_port).
  5. Ensure that the response holding status 200, as well as the list of sources used, are received.
  6. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  7. For all Kaspersky CyberTrace instances from step 2, specify enabled = "true" in the Instances section of the kl_balancer.conf configuration file.
  8. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)

Page top