Kaspersky Industrial CyberSecurity for Networks API Developer's Guide

Establishing connections

This section explains how to establish a connection with Kaspersky Industrial CyberSecurity for Networks.

Overview

To make API calls, you must establish a connection with Kaspersky Industrial CyberSecurity for Networks (gRPC server). This connection is secure and uses certificates for authentication.

About certificates

To establish connections to the gRPC server, a client must use the following certificates and keys:

  • gRPC server certificate (product_facade_grpc_server.crt)

    This certificate is generated for the gRPC server host name by a system administrator and is used by a client to authenticate the server.

  • gRPC server certificate authority (CA) certificate (product_facade_grpc_ca.crt)

    This certificate is generated for the gRPC server host name and is used by the gRPC server to check client certificates.

    This certificate can be bundled into the client.crt file or distributed separately.

  • Client certificate or a certificate bundle (client.crt)

    The client certificate is generated for a client host name and is used by a client for authentication. The system administrator can distribute this file as a certificate or as a certificate bundle. The certificate bundle contains the client certificate generated for the client host name and all the intermediate certificates up to the root certificate product_facade_grpc_ca.crt.

    It is assumed that this file contains a certificate bundle. If this file contains only the client certificate, you must create the certificate bundle yourself by grouping the client certificate, all the intermediate certificates (if any), and the gRPC server CA certificate into one file. The order of certificates in this file must form a certificate chain starting from the client certificate and up to the gRPC server CA certificate.

  • Client key (client.key)

    This is a private key for the client certificate.

Please contact your system administrator to obtain these files. All the certificates and keys must be in PEM format.
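One way to assemble the client.crt bundle described above when only the client certificate was supplied, as an added example that is not part of the product documentation (the function names are hypothetical). It orders the certificates by matching issuer and subject names and assumes well-formed PEM input; it does not verify signatures or validity dates.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # TBSCertificate SEQUENCE
    fields = []                     # serial, sig alg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def to_pem(der):
    """Encode DER bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def build_bundle(client_pem, ca_pem, intermediates_pem=""):
    """Return client + intermediates + CA as one PEM bundle in chain order."""
    def load(pem):  # decode every certificate in the text, dropping duplicates
        return list(dict.fromkeys(base64.b64decode(b) for b in PEM_CERT.findall(pem)))
    client, ca = load(client_pem), load(ca_pem)
    if len(client) != 1 or len(ca) != 1:
        raise ValueError("client and CA inputs must each hold exactly one certificate")
    chain, pool = client, load(intermediates_pem + "\n" + ca_pem)
    while pool:  # repeatedly append the certificate whose subject is the last issuer
        issuer = issuer_and_subject(chain[-1])[0]
        nxt = next((c for c in pool if issuer_and_subject(c)[1] == issuer), None)
        if nxt is None:
            raise ValueError("certificates do not form one chain (stopped after %d)" % len(chain))
        pool.remove(nxt)
        chain.append(nxt)
    if chain[-1] != ca[0]:
        raise ValueError("chain does not end at the CA certificate")
    return "".join(to_pem(c) for c in chain)
```

Pass the text of the client certificate file, product_facade_grpc_ca.crt and any intermediate certificates, then save the returned string as client.crt.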

The certificates are generated for a specific host name. In this section, it is assumed that server certificates are generated for the kics4net.example.com host name and client certificates are generated for the client.example.com host name.

Establishing a secure connection to the gRPC server

To establish a connection to Kaspersky Industrial CyberSecurity for Networks, create a gRPC secure channel using the provided certificates and keys and provide this channel as a parameter when creating stubs.

The following example demonstrates establishing a secure connection to the gRPC server located at kics4net.example.com:13522 and creating an event stub that uses this channel.

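import grpc
# Stub module generated from the product's service definitions;
# adjust the import path to your project layout.
import event_provider_service_pb2_grpc

# gRPC expects PEM data as bytes, so the files are read in binary mode.
with open('./certs/product_facade_grpc_server.crt', 'rb') as f:
    root_crt = f.read()
with open('./certs/client.key', 'rb') as f:
    key = f.read()
with open('./certs/client.crt', 'rb') as f:
    chain = f.read()

# root_crt authenticates the server; key and chain authenticate the client.
channel_credentials = grpc.ssl_channel_credentials(root_crt, key, chain)
channel = grpc.secure_channel('kics4net.example.com:13522', channel_credentials)

eventStub = event_provider_service_pb2_grpc.EventProviderStub(channel)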

Creating a secure port for connections from the gRPC server

To handle tag change events, you must run a service that accepts incoming connections from the Kaspersky Industrial CyberSecurity for Networks gRPC server. This service must use the same certificates and keys that are used for establishing connections to the gRPC server. The client certificate and key are used as server certificates (so that the gRPC server can authenticate this service). The gRPC server certificate is used by this service to authenticate connections from the gRPC server.

The following example demonstrates how to create a secure port for listening to incoming connections from the gRPC server:

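import grpc

# gRPC expects PEM data as bytes, so the files are read in binary mode.
with open('./certs/product_facade_grpc_server.crt', 'rb') as f:
    root_crt = f.read()
with open('./certs/client.key', 'rb') as f:
    key = f.read()
with open('./certs/client.crt', 'rb') as f:
    chain = f.read()

# require_client_auth=True rejects any peer that does not present a
# certificate that validates against root_crt.
server_credentials = grpc.ssl_server_credentials(
    private_key_certificate_chain_pairs=[(key, chain)],
    root_certificates=root_crt,
    require_client_auth=True)

# `server` is the grpc.Server instance of your service and `address` is the
# host:port it listens on; both are defined elsewhere in your application.
server.add_secure_port(address, server_credentials)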