Checking HTTPS certificates

April 11, 2024

ID 234888

When establishing an HTTPS connection with CyberTrace instances, Balancer checks whether the certificate received from CyberTrace matches the reference certificate located in the directory specified in the CertDirPath parameter of the kl_balancer.conf configuration file.

Certificate checking applies only to REST API requests, because only the REST API uses HTTPS. This section does not apply to detection.

If the reference certificate of the CyberTrace instance is not available in the directory, or the directory does not exist, Balancer performs the following:

  1. Saves the certificate received from CyberTrace in the %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem file, where:
    • CERT_PATH is a directory specified in the CertDirPath parameter of the kl_balancer.conf configuration file.
    • INSTANCE is a host name/IP value specified in the Instances > Instance element for a certain CyberTrace instance.
    • CT_PORT is a port value specified in the matching_port attribute of the Instances > Instance element for a certain CyberTrace instance.
  2. Continues establishing HTTPS connection using the certificate received.

If the CyberTrace certificate does not match the reference certificate, Balancer performs the following:

  1. Stops establishing HTTPS connection with the CyberTrace instance.
  2. Returns status code 500 with the following error information:
    • IP/host name of the CyberTrace instance.
    • Port number of the CyberTrace instance.
    • Problem description: HTTPS connection with the CyberTrace instance has not been established, since the server certificate does not match the one expected.

If the host name/IP or the port of a CyberTrace instance used in a High Availability deployment is changed, the reference certificate of the instance will be saved again. The old certificate will not be automatically removed. Removal of unused certificates is the responsibility of the CyberTrace administrator.
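The following added example (not Kaspersky's code) audits the reference-certificate directory against the behavior described above: it reports which instances have no reference file yet (so the next certificate received will be saved and trusted), which would pass or fail the match, and which .pem files no longer belong to any instance. The instance list is passed in by hand because the kl_balancer.conf layout is not shown on this page; the function names, host name and directory path are assumptions.

```python
import hashlib
import ssl
from pathlib import Path


def pin_path(cert_dir, instance, port):
    """Reference file name as described above: %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem."""
    return Path(cert_dir) / f"{instance}_{port}.pem"


def fingerprint(pem_text):
    """SHA-256 over the DER bytes, so PEM line wrapping and line endings do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def fetch_presented(instance, port):
    """Certificate the instance presents right now (fetched without validation)."""
    return ssl.get_server_certificate((instance, int(port)))


def audit(cert_dir, instances, fetch=fetch_presented):
    """Classify each (instance, port) pair and list .pem files no instance uses.

    "missing"  -> Balancer will save whatever certificate it receives next
    "match"    -> the connection proceeds
    "mismatch" -> Balancer stops the connection and returns status code 500
    """
    status, expected = {}, set()
    for instance, port in instances:
        path = pin_path(cert_dir, instance, port)
        expected.add(path.name)
        if not path.is_file():
            status[(instance, port)] = "missing"
            continue
        same = fingerprint(path.read_text()) == fingerprint(fetch(instance, port))
        status[(instance, port)] = "match" if same else "mismatch"
    root = Path(cert_dir)
    present = {p.name for p in root.glob("*.pem")} if root.is_dir() else set()
    return status, sorted(present - expected)


if __name__ == "__main__":
    # Constructed values: replace with your CertDirPath and Instances entries.
    result, unused = audit("/path/to/certdir", [("ct1.example.internal", 443)])
    print(result, unused)
```

For a "missing" entry, compare the fingerprint of the instance's certificate obtained out of band with the file Balancer saves after the first connection.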

Changing CyberTrace certificate

Changing the certificate on the CyberTrace side requires manually changing the certificate on the Balancer side.

To change the CyberTrace certificate:

  1. Stop the CyberTrace instance service.

    sc stop cybertrace (in Windows)

    systemctl stop cybertrace.service (in Linux)

  2. Change the certificate of the CyberTrace instance.
  3. Start the CyberTrace instance service.

    sc start cybertrace (in Windows)

    systemctl start cybertrace.service (in Linux)

  4. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  5. On the side of Balancer, change the certificate for the CyberTrace instance.

    Copy the httpsrv\kl_feed_service_cert.pem file from the CyberTrace side to the %CERT_PATH% directory on the Balancer side, and rename it to %INSTANCE%_%CT_PORT%.pem.

  6. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)

For more information on changing certificates, see section Generating SSL certificates for Kaspersky CyberTrace Web.

Checking certificate settings

To check the certificate settings of a selected CyberTrace instance:

  1. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  2. For all CyberTrace instances, except for the selected instance, specify enabled = "false" in the Instances section of the kl_balancer.conf configuration file.
  3. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)

  4. Send any request outlined in the AllowedRequests section (for example, GET /api/v.1.1/suppliers) to the Balancer port (specified in api_port).
  5. Ensure that a response with status 200 and the list of sources used is received.
  6. Stop the Balancer service.

    sc stop KasperskyBalancerService (in Windows)

    systemctl stop cybertrace_balancer.service (in Linux)

  7. For all CyberTrace instances from step 2, specify enabled = "true" in the Instances section of the kl_balancer.conf configuration file.
  8. Start the Balancer service.

    sc start KasperskyBalancerService (in Windows)

    systemctl start cybertrace_balancer.service (in Linux)
