The following pre-installation steps are required.
While preparing the environment, make sure that all users have the read permission for all files that will be mounted to the container, such as configuration files, files related to licensing, private keys, and certificates. This is necessary because Kaspersky Scan Engine does not have root privileges when it runs inside the container.
To prepare your environment for installing Kaspersky Scan Engine:
/opt/kaspersky/ScanEngine.
kl_scanengine_db.key from the existing installation. For more information about kl_scanengine_db.key, see below.
Make sure that pg_hba.conf is configured in such a way that kavebase (Kaspersky Scan Engine database) is available from your Kaspersky Scan Engine containers.
Make sure to encrypt the user name and password of the user that will interact with the Kaspersky Scan Engine database, as described in the subsection "Enabling Kaspersky Scan Engine GUI". Using unencrypted credentials poses a serious security risk.
To do that, open klScanEngineUI.xml, and then do the following:
doc/license.txt.
If you agree to the terms of the EULA, proceed to the next step. If you decline the terms of the EULA, cancel the installation.
klScanEngineUI.xml file, change <Common>rejected</Common> to <Common>accepted</Common>.
doc/ksn_license.txt and contains the link to the Privacy Policy.
<KSN>rejected</KSN> to <KSN>accepted</KSN> in klScanEngineUI.xml.
<Mode> element, specify the mode that Kaspersky Scan Engine will work in:
<Mode>httpd</Mode>
<Mode>icap</Mode>
<EnableUI> element, specify whether you want to use Kaspersky Scan Engine GUI:
1 in the <EnableUI> element:
<EnableUI>1</EnableUI>
0 in the <EnableUI> element:
<EnableUI>0</EnableUI>
DatabaseSettings > ConnectionString element by using the format %IP%:%port%.
ServerSettings > ConnectionString element. In this case, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the YAML configuration file:
kaspersky_httpd_kubernetes.yaml file.
kaspersky_icapd_kubernetes.yaml file.
<SSLCertificatePath> and <SSLPrivateKeyPath> elements marked "For Kubernetes" and comment out the elements marked "For Docker".
It is recommended to call your certificate kl_scanengine_cert.pem and your private key kl_scanengine_private.pem, otherwise you will need to change their names in the klScanEngineUI.xml configuration file.
klScanEngineUI.xml.
kavhttpd.xml for editing.
https:// to the value in the <ConnectionString> element:
<ConnectionString>https://127.0.0.1:9998</ConnectionString>
Do not change the IP address.
<TlsCertificateKeyFile> and <TlsCertificateFile> elements:
kavhttpd.xml.
kavhttpd.key and kavhttpd.cert in a directory that does not contain Kaspersky Scan Engine configuration files.
kavhttpd.key and kavhttpd.cert in a directory that contains Kaspersky Scan Engine configuration files.
klScanEngineUI.xml from the /etc/ directory, for example:
ln -s /opt/kaspersky/ScanEngine/etc/klScanEngineUI.xml /etc/klScanEngineUI.xml
kavebase database.
To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to klScanEngineUI.xml.
Run the kav_encrypt utility with the following options:
-d %username%:%password%
%CONFIGURATION_FILES_DIRECTORY%). If you want to use Kaspersky Scan Engine in Kubernetes or Docker Swarm, this directory must be located in the local network where you will create Kubernetes deployments.
klScanEngineUI.xml configuration file to %CONFIGURATION_FILES_DIRECTORY%.
%CONFIGURATION_FILES_DIRECTORY%.
kavhttpd.xml file.
If needed, change the port at which the HTTP service will be available in the ServerSettings > ConnectionString element. In case you want to use Kaspersky Scan Engine in Kubernetes, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the kaspersky_httpd_kubernetes.yaml configuration file.
kavicapd.xml file.
If needed, change the port at which the ICAP service will be available in the ICAPSettings > Port element. In case you want to use Kaspersky Scan Engine in Kubernetes, you will also need to change the corresponding port in the containers > ports > containerPort and ports > targetPort elements of the kaspersky_icapd_kubernetes.yaml configuration file.
'| KAV_SHT_ENGINE_KSN' to the ServerSettings > Flags element of kavhttpd.xml.
1 in the KSNSettings > UseKSN element of kavicapd.xml.
%LICENSE_FILE_DIRECTORY%). This directory must be located in the local network where you will create your Kubernetes or Docker Swarm deployments.
%LICENSE_FILE_DIRECTORY%.
license at any location.
license file to %LICENSE_FILE_DIRECTORY%.
kavhttpd.xml for HTTP mode and kavicapd.xml for ICAP mode), for the LicensingMode element, specify 2.
/opt/kaspersky/ScanEngine/httpsrv directory contains the kl_scanengine_db.key file. If this file does not exist, prepare it for use.
/opt/kaspersky/ScanEngine/tools/kav_encrypt -m %mode% -p %USERNAME%:%PASSWORD%
Here, %USERNAME% and %PASSWORD% are the username and password used for proxy authentication.
kl_scanengine_db.key in a directory that does not contain Kaspersky Scan Engine configuration files (further referred to as %KEY_FILE_DIRECTORY%). If this file does not exist, prepare it for use.
kl_scanengine_cert.pem, and kl_scanengine_private.pem in %KEY_FILE_DIRECTORY%.
If you want to deploy Kaspersky Scan Engine in Kubernetes, specify the full path to these files when configuring Kubernetes.
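A pre-flight check for the read-permission requirement stated at the top of this page, given as an added example that is not part of the Kaspersky documentation. The function names unreadable_paths and check_mount_dirs are hypothetical; the directory arguments stand for %CONFIGURATION_FILES_DIRECTORY%, %LICENSE_FILE_DIRECTORY% and %KEY_FILE_DIRECTORY%.

```shell
#!/bin/sh
# Added example: verify that everything to be mounted into the container
# is readable by all users, because the engine runs without root privileges.
# Usage (directories are placeholders for the ones prepared on this page):
#   check_mount_dirs /path/to/config /path/to/license /path/to/keys

# Print every path under "$1" that a non-root container user could not read:
# regular files without the "other read" bit, and directories without
# "other read" plus "other execute" (needed to list and traverse them).
unreadable_paths() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir (missing directory)"
        return 0
    fi
    find "$dir" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Check each directory given as an argument.
# Returns 0 only if no path was flagged in any of them.
check_mount_dirs() {
    status=0
    for d in "$@"; do
        bad=$(unreadable_paths "$d")
        if [ -n "$bad" ]; then
            printf 'not readable by all users:\n%s\n' "$bad"
            status=1
        fi
    done
    return "$status"
}
```

Run the check on the host before creating the Docker, Docker Swarm or Kubernetes deployment; a non-zero return means at least one mounted file or directory would be unreadable inside the container.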