Kaspersky Security Center Web Console installation parameters

For installing Kaspersky Security Center Web Console Server on devices running Linux, you must create a response file—a .json file that contains parameters for connecting Kaspersky Security Center Web Console to the Administration Server.

You can sign in to Kaspersky Security Center Web Console by using the following methods:

By using domain authentication (single sign-on)
This method is provided by Identity and Access Manager (IAM) and is used for secure authentication in Kaspersky Security Center Web Console connected to Administration Server version 16 and later. If you want to use the domain authentication with SSO, you must specify additional parameters for interaction with the IAM component during Kaspersky Security Center Web Console installation, and you must also enable Kerberos domain authentication.

Example of a response file with a minimal set of parameters for signing in to Administration Server by using domain authentication (single sign-on)

{

"address": "ksc-web-console.example.com",

"port": 8080,

"trusted": {

"Administration Server with SSO": {

"iamHost": "ksc-iam.example.com",

"iamOAuthPort": 4444,

"iamProxyPort": 9050,

"iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem",

"iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

}

},

"acceptEula": true

}
By specifying the name and password of the domain user
Before you sign in with a domain user account, poll the domain controller to obtain the list of domain users. Then, you have to specify the domain user name and password to sign in to the Administration Server.
By specifying the name and password of the internal user
Example of a response file with a minimal set of parameters for signing in to Administration Server by specifying the name and password of the domain user or the internal user

{

"address": "ksc-web-console.example.com",

"port": 8080,

"trusted": {

"Administration Server without SSO": {

"kscHost": "ksc.example.com",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

}

},

"acceptEula": true

}

To support all connection methods, the response file must include the installation parameters for accessing the Administration Server with SSO domain authentication and the Administration Server without SSO domain authentication.

Here is an example of a response file containing an extended set of parameters and two trusted Administration Servers:

{

"address": "ksc-web-console.example.com",

"port": 8080,

"defaultLangId": 1049,

"enableLog": false,

"trusted": {

"Administration Server with SSO": {

"iamHost": "ksc-iam.example.com",

"iamOAuthPort": 4444,

"iamProxyPort": 9050,

"iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem",

"iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

"Administration Server without SSO": {

"kscHost": "ksc.example.com",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

}

"acceptEula": true,

"certPath": "/root/server.crt",

"keyPath": "/root/key-without-passphrase.pem",

"webConsoleAccount": "Group1:User1",

"managementServiceAccount": "Group1:User2",

"serviceWebConsoleAccount": "Group1:User3",

"pluginAccount": "Group1:User4",

"messageQueueAccount": "Group1:User5",

"natsMessageQueueAccount": "Group1:User6"

}

You can install the Kaspersky Security Center Web Console either on the same device as the Administration Server or on a separate device. When installing Kaspersky Security Center Web Console to an external device, the Kaspersky Security Center Web Console (specified by address)and Administration Server address (specified by iamHost or kscHost)are different, otherwise these parameters have the same values.

The webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, and natsMessageQueueAccount parameters must not be used separately from each other: specify the values either for all of these parameters, or for none of them.

If you want to use a custom certificate, specify both the certPath and keyPath parameters. If you do not specify the parameters or specify only one, the web browser keeps informing you that your connection is not private.

We recommend that you specify port numbers above 1024. If you want Kaspersky Security Center Web Console to work on ports below 1024, after installation you have to run the following command:

sudo setcap 'cap_net_bind_service=+ep' /var/opt/kaspersky/ksc-web-console/node

If you do not have the setcap utility, you can install it. Click this link to view the commands.

When you install Kaspersky Security Center Web Console on the Linux ALT operating system, you must specify a port number other than 8080, because port 8080 is used by the operating system.

The table below describes the parameters that can be specified in a response file.

Parameters for installing Kaspersky Security Center Web Console on devices running Linux

Parameter	Description	Available values
`address`	Address for connecting to Kaspersky Security Center (required). If you install Kaspersky Security Center Web Console on Kaspersky Security Center Server, use the address that you specified when installing Kaspersky Security Center Linux. If you install Kaspersky Security Center Web Console on an external device, specify the device external IP address to be used by the web browser for connecting to Kaspersky Security Center Web Console Server.	String value. Example: `"ksc.example.com"`
`port`	Port used by Kaspersky Security Center Web Console to receive connections from web browsers (required).	Numerical value. The recommended value is 8080 (except for the Linux ALT operating system).
`defaultLangId`	Language of user interface (by default, `1033`). If necessary, you can change the language of Kaspersky Security Center Web Console interface.	Numerical code of the language: German: `1031` English: `1033` Spanish: `3082` Spanish (Mexico): `2058` French: `1036` Japanese: `1041` Kazakh: `1087` Polish: `1045` Portuguese (Brazil): `1046` Russian: `1049` Turkish: `1055` Simplified Chinese: `4` Traditional Chinese: `31748` If no value is specified, then English (en-US) language is used.
`enableLog`	Whether or not to enable Kaspersky Security Center Web Console trace logging. We recommend that you change the default value for the parameter only if a Kaspersky Technical Support specialist requests.	Boolean value: `true`—Logging is enabled. `false`—Logging is disabled (selected by default).
`trusted`	List of addresses of trusted Administration Servers that Kaspersky Security Center Web Console can connect to. For Administration Server that supports domain authentication with single sign-on: Administration Server name that will be displayed in the login window. `iamHost` is the address (FQDN, host name, or IP address) of the Administration Server, which includes the IAM component, and to which Kaspersky Security Center Web Console connects. `iamOAuthPort` is the port that is used for exchanging authentication tokens over the OpenID Connect authentication protocol (default value is 4444). This port is used both for communication between Kaspersky Security Center Web Console Server and Administration Server with IAM, and between the browser (used with Kaspersky Security Center Web Console) and Administration Server with IAM. `iamProxyPort` is the port that is used for connecting Kaspersky Security Center Web Console Server to the IAM (default value is 9050). `iamCertPath` is the path to the certificate of IAM. The default path to the certificate: var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem. `iamPATPath` is the path to the token used for registration of Kaspersky Security Center Web Console as an OAuth-client in IAM. This file is generated during the Kaspersky Security Center Linux installation. The default path to the token: var/opt/kaspersky/klnagent_srv/iam/initial_token.txt. `kscPort` is the port that is used for connecting Kaspersky Security Center Web Console and IAM to Administration Server over OpenAPI (default value is 13299). `kscCertPath` is the path to the Administration Server certificate. The certificate is located on the device where Administration Server is installed. The default path to the certificate: /var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer. For Administration Server that does not support domain authentication with single sign-on: Administration Server name that will be displayed in the login window. `kscHost` is the address (FQDN, host name, or IP address) of the Administration Server that Kaspersky Security Center Web Console connects to. `kscPort` is the OpenAPI port that is used for connecting Kaspersky Security Center Web Console Server to Administration Server (default value is 13299). `kscCertPath` is the path to the Administration Server certificate. The certificate is located on the device where Administration Server is installed. The default path to the certificate: /var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer. When installing Kaspersky Security Center Web Console to an external device, copy the Administration Server certificate file (specified by `kscCertPath`), the IAM certificate file (specified by `iamCertPath`), and the token file (specified by `iamPATPath`) from the device with Administration Server installed to the external device. Specify the local path to these files in the response file for the Web Console installer.	A section of the JSON file in the following format: "trusted": { "Administration Server with SSO": { "iamHost": "ksc-iam.example.com", "iamOAuthPort": 4444, "iamProxyPort": 9050, "iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem", "iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt", "kscPort": 13299, "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer" }, "Administration Server without SSO": { "kscHost": "ksc.example.com", "kscPort": 13299, "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer" } }
`acceptEula`	Whether or not you want to accept the terms of the End User License Agreement (EULA). The file containing the terms of the EULA is downloaded together with the installation file.	Boolean value: `true`—I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement. `false`—I do not accept the terms of the License Agreement (selected by default). If no value is specified, the Kaspersky Security Center Web Console installer shows you the EULA and asks whether or not you agree to accept the terms of the EULA.
`certDomain`	If you want to generate a new self-signed certificate, use this parameter to specify the FQDN for connecting web browser to Kaspersky Security Center Web Console.	String value.
`certPath`	Use the parameter to specify the path to the Kaspersky Security Center Web Console custom certificate that is trusted in your infrastructure and meets the requirements for custom certificates. You can specify only one private key (`keyPath`) for one certificate or for a certificate chain.	String value. Encrypted certificates are not supported by Kaspersky Security Center Web Console. On the device where Kaspersky Security Center Web Console is to be installed, specify the path to the certificate file in the PEM format. Example: `/root/server.crt`
`keyPath`	Use the parameter to specify the path to the private key associated with the Kaspersky Security Center Web Console custom certificate specified in `certPath` parameter.	String value. The file with the private key must not be encrypted. On the device where Kaspersky Security Center Web Console is to be installed, specify the path to key file in the PEM format. Example: `/root/key-without-passphrase.pem`
`webConsoleAccount`	Name of the account under which the Kaspersky Security Center Web Console service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User1"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_management_%uid%`.
`managementServiceAccount`	Name of the account under which the Kaspersky Security Center Web Console Management Service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User2"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_nodejs_%uid%`.
`serviceWebConsoleAccount`	Name of the account under which the Kaspersky Security Center Web Console service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User3"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_svc_nodejs_%uid%`.
`pluginAccount`	Name of the account under which the Kaspersky Security Center Product Plugins service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User4"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_web_plugin_%uid%`.
`messageQueueAccount`	Name of the account under which the Kaspersky Security Center Web Console Message Queue service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User5"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_message_queue_%uid%`.
`natsMessageQueueAccount`	Name of the account under which the Kaspersky Security Center Web Console NATS service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User6"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_message_queue_%uid%`.

For security reasons, we do not recommend specifying the webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, and natsMessageQueueAccount parameters.

If you decide to specify these parameters, make sure that the custom user accounts belong to the same security group. When the parameters are not specified, the Kaspersky Security Center Web Console installer creates a default security group, and then creates user accounts with default names in this group.