Checking HTTPS certificates
April 11, 2024
ID 234888
When establishing an HTTPS connection with CyberTrace instances, Balancer checks whether the certificate received from CyberTrace matches the reference certificate located in the directory specified in the CertDirPath parameter of the kl_balancer.conf configuration file.
Certificate checking is possible only for the REST API, because only the REST API uses HTTPS. This section does not apply to detection.
If the reference certificate of the CyberTrace instance is not available in the directory, or the directory does not exist, Balancer performs the following:
- Saves the certificate received from CyberTrace in the %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem file, where:
  - CERT_PATH is the directory specified in the CertDirPath parameter of the kl_balancer.conf configuration file.
  - INSTANCE is the host name/IP value specified in the Instances > Instance element for the given CyberTrace instance.
  - CT_PORT is the port value specified in the matching_port attribute of the Instances > Instance element for the given CyberTrace instance.
- Continues establishing the HTTPS connection using the certificate received.
If the CyberTrace certificate does not match the reference certificate, Balancer performs the following:
- Stops establishing the HTTPS connection with the CyberTrace instance.
- Returns status code 500 with the following error information:
  - IP/host name of the CyberTrace instance.
  - Port number of the CyberTrace instance.
  - Problem description: HTTPS connection with the CyberTrace instance has not been established, since the server certificate does not match the one expected.
If the host name/IP or the port of a CyberTrace instance used in a High Availability deployment is changed, the reference certificate of the instance is saved again under the new file name. The old certificate is not removed automatically; removing unused certificates is the responsibility of the CyberTrace administrator.
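The following is an added illustration of the trust-on-first-use check described above; it is not Balancer's own code. It assumes the file naming %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem from this page, creates a missing directory itself (an assumption), compares the decoded certificate body rather than the raw PEM text (also an assumption), and uses a constructed host, port and certificate.

```python
import base64
import tempfile
from pathlib import Path

class CertificateMismatch(Exception):
    """Received certificate differs from the pinned reference certificate."""

def pin_path(cert_dir: str, instance: str, ct_port: int) -> Path:
    # Reference file name as the page describes: %CERT_PATH%/%INSTANCE%_%CT_PORT%.pem
    return Path(cert_dir) / f"{instance}_{ct_port}.pem"

def der_bytes(pem: bytes) -> bytes:
    # Compare the decoded body, not the PEM text, so re-wrapped or re-saved PEM
    # files do not produce a spurious mismatch (assumption, not Balancer's rule)
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))

def check_instance_cert(cert_dir: str, instance: str, ct_port: int, received_pem: bytes) -> str:
    ref = pin_path(cert_dir, instance, ct_port)
    if not ref.exists():
        # No reference certificate (or no directory): save it and continue
        ref.parent.mkdir(parents=True, exist_ok=True)
        ref.write_bytes(received_pem)
        return "pinned"
    if der_bytes(ref.read_bytes()) == der_bytes(received_pem):
        return "match"
    raise CertificateMismatch(instance, ct_port)  # connection is not established

def error_response(instance: str, ct_port: int) -> dict:
    # The status 500 error information the page says Balancer returns on a mismatch
    return {"status": 500, "host": instance, "port": ct_port, "description":
            "HTTPS connection with the CyberTrace instance has not been established, "
            "since the server certificate does not match the one expected."}

def fake_pem(label: bytes) -> bytes:
    # Constructed stand-in for a certificate: the body is only base64 of a label
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label) + b"\n-----END CERTIFICATE-----\n"

def demo():
    host, cert_a, cert_b = "ct1.example.com", fake_pem(b"cert-A"), fake_pem(b"cert-B")
    with tempfile.TemporaryDirectory() as cert_dir:      # constructed CERT_PATH
        first = check_instance_cert(cert_dir, host, 443, cert_a)   # first contact
        second = check_instance_cert(cert_dir, host, 443, cert_a)  # same certificate
        try:
            check_instance_cert(cert_dir, host, 443, cert_b)       # changed certificate
            third = None
        except CertificateMismatch:
            third = error_response(host, 443)
        check_instance_cert(cert_dir, host, 8443, cert_b)  # new port: new file, old one stays
        leftover = sorted(p.name for p in Path(cert_dir).iterdir())
    return first, second, third, leftover
```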
Changing CyberTrace certificate
Changing the certificate on the CyberTrace side requires manually changing the certificate on the Balancer side as well.
To change the CyberTrace certificate:
1. Stop the CyberTrace instance service: sc stop cybertrace (in Windows) or systemctl stop cybertrace.service (in Linux).
2. Change the certificate of the CyberTrace instance.
3. Start the CyberTrace instance service: sc start cybertrace (in Windows) or systemctl start cybertrace.service (in Linux).
4. Stop the Balancer service: sc stop KasperskyBalancerService (in Windows) or systemctl stop cybertrace_balancer.service (in Linux).
5. On the Balancer side, change the certificate for the CyberTrace instance: copy the httpsrv\kl_feed_service_cert.pem file from the CyberTrace side to the %CERT_PATH% directory on the Balancer side, and rename it to %INSTANCE%_%CT_PORT%.pem.
6. Start the Balancer service: sc start KasperskyBalancerService (in Windows) or systemctl start cybertrace_balancer.service (in Linux).
For more information on changing certificates, see section Generating SSL certificates for Kaspersky CyberTrace Web.
Checking certificate settings
To check the certificate settings of a selected CyberTrace instance:
1. Stop the Balancer service: sc stop KasperskyBalancerService (in Windows) or systemctl stop cybertrace_balancer.service (in Linux).
2. For all CyberTrace instances except the selected one, specify enabled = "false" in the Instances section of the kl_balancer.conf configuration file.
3. Start the Balancer service: sc start KasperskyBalancerService (in Windows) or systemctl start cybertrace_balancer.service (in Linux).
4. Send any request listed in the AllowedRequests section (for example, GET /api/v.1.1/suppliers) to the Balancer port (specified in api_port).
5. Ensure that a response with status 200, together with the list of sources used, is received.
6. Stop the Balancer service: sc stop KasperskyBalancerService (in Windows) or systemctl stop cybertrace_balancer.service (in Linux).
7. For all CyberTrace instances from step 2, specify enabled = "true" in the Instances section of the kl_balancer.conf configuration file.
8. Start the Balancer service: sc start KasperskyBalancerService (in Windows) or systemctl start cybertrace_balancer.service (in Linux).