Part 1. Before you begin

The following pre-installation steps are required.

While preparing the environment, make sure that all users have the read permission for all files that will be mounted to the container, such as configuration files, files related to licensing, private keys, and certificates. This is necessary because Kaspersky Scan Engine does not have root privileges when it runs inside the container.

To prepare your environment for installing Kaspersky Scan Engine:

  1. Unpack the distribution kit:
    • If Kaspersky Scan Engine is not installed on your computer, unpack the distribution kit to /opt/kaspersky/ScanEngine.
    • If Kaspersky Scan Engine is already installed on your computer, you can unpack the distribution kit to any directory, but you must use the configuration files and kl_scanengine_db.key from the existing installation. For more information about kl_scanengine_db.key, see below.
  2. If you want to use Kaspersky Scan Engine GUI, do the following:
    1. Install and configure PostgreSQL 10.7 or later, as described in Installing and configuring PostgreSQL.

      Make sure that pg_hba.conf is configured in such a way that kavebase (Kaspersky Scan Engine database) is available from your Kaspersky Scan Engine containers.

    2. Enable Kaspersky Scan Engine GUI. A typical configuration is described in Manual installation, subsection "Enabling Kaspersky Scan Engine GUI", but some files may be located in different directories of the distribution kit.

      Make sure to encrypt the user name and password of the user that will interact with the Kaspersky Scan Engine database, as described in the subsection "Enabling Kaspersky Scan Engine GUI". Using unencrypted credentials poses a serious security risk.

  3. To deploy and use Kaspersky Scan Engine you need to accept the terms of the End User License Agreement (EULA).

    To do that, open klScanEngineUI.xml, and then do the following:

    1. Read the End User License Agreement (EULA) for Kaspersky Scan Engine. The EULA is located at doc/license.txt.

      If you agree to the terms of the EULA, proceed to the next step. If you decline the terms of the EULA, cancel the installation.

    2. Accept the EULA. In the klScanEngineUI.xml file, change <Common>rejected</Common> to <Common>accepted</Common>.
    3. If you want to use Kaspersky Security Network (KSN), read the EULA for KSN and the Privacy Policy. This EULA is located at doc/ksn_license.txt and contains the link to the Privacy Policy.
    4. If you agree to the terms of the EULA for KSN and the Privacy Policy, proceed to the next step. If you decline the terms of the EULA for KSN or the Privacy Policy, proceed to step 4 of the main procedure (specifying the <Mode> element).
    5. Accept the EULA for KSN. Change <KSN>rejected</KSN> to <KSN>accepted</KSN> in klScanEngineUI.xml.
  4. In the <Mode> element, specify the mode that Kaspersky Scan Engine will work in:
    • For HTTP mode:

      <Mode>httpd</Mode>

    • For ICAP mode:

      <Mode>icap</Mode>

  5. In the <EnableUI> element, specify whether you want to use Kaspersky Scan Engine GUI:
    • If you want to use Kaspersky Scan Engine GUI, specify 1 in the <EnableUI> element:

      <EnableUI>1</EnableUI>

    • If you do not want to use Kaspersky Scan Engine GUI, specify 0 in the <EnableUI> element:

      <EnableUI>0</EnableUI>

  6. If you enabled Kaspersky Scan Engine GUI, do the following:
    1. Specify the address of the kavebase database in the DatabaseSettings > ConnectionString element by using the format %IP%:%port%.
    2. If needed, change the port at which Kaspersky Scan Engine GUI will be available in the ServerSettings > ConnectionString element. In this case, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the YAML configuration file:
      • For HTTP mode, modify the kaspersky_httpd_kubernetes.yaml file.
      • For ICAP mode, modify the kaspersky_icapd_kubernetes.yaml file.
    3. If you want to deploy Kaspersky Scan Engine in Kubernetes and use your own certificate and private key for Kaspersky Scan Engine GUI, uncomment the <SSLCertificatePath> and <SSLPrivateKeyPath> elements marked "For Kubernetes" and comment out the elements marked "For Docker".

      It is recommended to name your certificate kl_scanengine_cert.pem and your private key kl_scanengine_private.pem; otherwise, you will need to change their names in the klScanEngineUI.xml configuration file.

  7. Save and close klScanEngineUI.xml.
  8. If you want to use TLS for connecting to Kaspersky Scan Engine in HTTP mode, do the following:
    1. Open kavhttpd.xml for editing.
    2. Add https:// to the value in the <ConnectionString> element:

      <ConnectionString>https://127.0.0.1:9998</ConnectionString>

      Do not change the IP address.

    3. Uncomment the <TlsCertificateKeyFile> and <TlsCertificateFile> elements:
      • If you want to deploy Kaspersky Scan Engine in Kubernetes, uncomment the elements marked "For Kubernetes integration".
      • If you do not want to deploy Kaspersky Scan Engine in Kubernetes, uncomment the elements marked "For Docker integration".
    4. Save and close kavhttpd.xml.
    5. Generate the certificate and the private key, as described in HTTPS connections.
    6. Do one of the following:
      • If you want to deploy Kaspersky Scan Engine in Kubernetes, put kavhttpd.key and kavhttpd.cert in a directory that does not contain Kaspersky Scan Engine configuration files.
      • If you do not want to deploy Kaspersky Scan Engine in Kubernetes, put kavhttpd.key and kavhttpd.cert in a directory that contains Kaspersky Scan Engine configuration files.
  9. If you enabled Kaspersky Scan Engine GUI, do the following:
    1. Create a symbolic link to klScanEngineUI.xml from the /etc/ directory, for example:

      ln -s /opt/kaspersky/ScanEngine/etc/klScanEngineUI.xml /etc/klScanEngineUI.xml

    2. Encrypt the user name and password of the user that you will use to connect to the kavebase database.

      To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to klScanEngineUI.xml.

      Run the kav_encrypt utility with the following options:

      -d %username%:%password%

  10. Create a directory that will hold the configuration files (further referred to as %CONFIGURATION_FILES_DIRECTORY%).

    If you want to use Kaspersky Scan Engine in Kubernetes or Docker Swarm, this directory must be located in the local network where you will create Kubernetes deployments.

  11. Copy the klScanEngineUI.xml configuration file to %CONFIGURATION_FILES_DIRECTORY%.
  12. Copy the Kaspersky Scan Engine configuration file to %CONFIGURATION_FILES_DIRECTORY%.
    • For HTTP mode, copy the kavhttpd.xml file.

      If needed, change the port at which the HTTP service will be available in the ServerSettings > ConnectionString element. If you want to use Kaspersky Scan Engine in Kubernetes, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the kaspersky_httpd_kubernetes.yaml configuration file.

    • For ICAP mode, copy the kavicapd.xml file.

      If needed, change the port at which the ICAP service will be available in the ICAPSettings > Port element. If you want to use Kaspersky Scan Engine in Kubernetes, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the kaspersky_icapd_kubernetes.yaml configuration file.

  13. If you want to use KSN, do one of the following:
    • For HTTP mode, add '| KAV_SHT_ENGINE_KSN' to the ServerSettings > Flags element of kavhttpd.xml.
    • For ICAP mode, specify 1 in the KSNSettings > UseKSN element of kavicapd.xml.
  14. Create a directory that will hold the key file or activation code (further referred to as %LICENSE_FILE_DIRECTORY%).

    This directory must be located in the local network where you will create your Kubernetes or Docker Swarm deployments.

  15. Do one of the following:
    • If you want to use the key file, copy it to %LICENSE_FILE_DIRECTORY%.
    • If you want to use the activation code, do the following:
      1. Create a file named license at any location.
      2. Copy your activation code to it.
      3. Copy the license file to %LICENSE_FILE_DIRECTORY%.
      4. In the configuration file (kavhttpd.xml for HTTP mode and kavicapd.xml for ICAP mode), for the LicensingMode element, specify 2.
  16. If Kaspersky Scan Engine connects to Kaspersky Security Network (KSN) and the anti-virus database through a proxy server, encrypt the username and password for proxy authentication:
    1. Make sure the /opt/kaspersky/ScanEngine/httpsrv directory contains the kl_scanengine_db.key file. If this file does not exist, prepare it for use.
    2. Run the following command:

      /opt/kaspersky/ScanEngine/tools/kav_encrypt -m %mode% -p %USERNAME%:%PASSWORD%

      Here, %USERNAME% and %PASSWORD% are the username and password used for proxy authentication.

  17. If you enabled Kaspersky Scan Engine GUI, do the following:
    1. Put kl_scanengine_db.key in a directory that does not contain Kaspersky Scan Engine configuration files (further referred to as %KEY_FILE_DIRECTORY%). If this file does not exist, prepare it for use.
    2. If you want to use your own certificate and private key for connecting with Kaspersky Scan Engine GUI, put kl_scanengine_cert.pem and kl_scanengine_private.pem in %KEY_FILE_DIRECTORY%.

    If you want to deploy Kaspersky Scan Engine in Kubernetes, specify the full path to these files when configuring Kubernetes.
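
A pre-flight check for the directories prepared in the procedure above. This is an added example, not part of the Kaspersky Scan Engine distribution kit. The function name preflight is hypothetical, and its two arguments stand for %CONFIGURATION_FILES_DIRECTORY% and %KEY_FILE_DIRECTORY%.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for the prepared directories.
# Usage: preflight CONFIG_FILES_DIRECTORY KEY_FILE_DIRECTORY
# Prints one line per problem; returns 0 when clean, 1 otherwise.
# Assumption: settings are matched as plain text, so the XML is not parsed
# and a commented-out element would also match.
preflight() {
    cfg=$1; keys=$2; ui="$cfg/klScanEngineUI.xml"; bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    [ -d "$cfg" ] && [ -d "$keys" ] && [ -f "$ui" ] || {
        fail "need both directories and $ui"; return 1; }

    # The engine is not root inside the container, so every mounted file
    # needs the read bit for "other" users.
    unreadable=$(find "$cfg" "$keys" -type f ! -perm -004)
    [ -z "$unreadable" ] || fail "not readable by all users: $unreadable"

    # Step 3: the EULA must be accepted.
    grep -q '<Common>accepted</Common>' "$ui" || fail "EULA not accepted in $ui"

    # Steps 4 and 12: the mode decides which engine configuration file is copied.
    mode=$(sed -n 's:.*<Mode>\(.*\)</Mode>.*:\1:p' "$ui" | head -n 1)
    case $mode in
        httpd) [ -f "$cfg/kavhttpd.xml" ] || fail "httpd mode, kavhttpd.xml missing" ;;
        icap)  [ -f "$cfg/kavicapd.xml" ] || fail "icap mode, kavicapd.xml missing" ;;
        *)     fail "<Mode> must be httpd or icap, found '$mode'" ;;
    esac

    # Step 17: with the GUI on, kl_scanengine_db.key lives apart from the configs.
    if grep -q '<EnableUI>1</EnableUI>' "$ui"; then
        [ -f "$keys/kl_scanengine_db.key" ] || fail "kl_scanengine_db.key not in $keys"
        [ ! -e "$cfg/kl_scanengine_db.key" ] || fail "kl_scanengine_db.key is in $cfg"
        for x in klScanEngineUI.xml kavhttpd.xml kavicapd.xml; do
            [ ! -e "$keys/$x" ] || fail "configuration file $x is in $keys"
        done
    fi
    return "$bad"
}

# Run as a script when both directories are given on the command line.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The read-permission check compares mode bits only, so it reports the same result whether it is run as root or as an unprivileged user.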
