Securing interactions when using the Kaspersky Industrial CyberSecurity for Networks API

Recipient applications obtain access to application functions by using the Kaspersky Industrial CyberSecurity for Networks API after establishing encrypted connections over the HTTPS protocol. Connections are secured by using certificates issued by the Kaspersky Industrial CyberSecurity for Networks Server. The Server issues certificates for the connectors that are used by recipient applications to connect to the Server.

A separate certificate must be created for each recipient application. A connection can be established through a connector only by using the specific certificate that was issued by the Server and saved in the communication data package for that connector. A connection cannot be established if a recipient application uses a certificate from a different connector or different Kaspersky Industrial CyberSecurity for Networks Server, or a certificate that is used for other connections (such as a sensor certificate).

After establishing an encrypted connection, the recipient application must request an authentication token for the connector; the recipient application then includes this token in the requests it sends to the REST API server. Before issuing an authentication token, the Server verifies the current state of the application user account that was indicated when the connector was created. The Server will not issue an authentication token if the application user account has been deleted or blocked.

The authentication token is valid for 10 hours after being issued by the Server. If a token needs to be used for a longer period, the recipient application must request a time extension before the token expires.

For information on the requests and methods provided in the Kaspersky Industrial CyberSecurity for Networks Server API, please refer to the documentation for the Kaspersky Industrial CyberSecurity for Networks API.

When the Server receives requests from the recipient application during the validity period of the authentication token, the Server verifies the existence and current access rights of the application user account that was indicated when the connector was created. A method indicated in a request from a recipient application is not executed if the user account is not found (has been deleted from the application), or if the user account does not have sufficient rights to perform the operation (the user account role does not match the performed operation).
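The token lifecycle and the Server-side checks described above, modelled as an added example in Python. This is not code from Kaspersky Industrial CyberSecurity for Networks and does not call its REST API; the role names, operation names, the audit entry format and the rule that an extension restarts the 10-hour validity period are assumptions made for illustration. The `build_client_context` helper shows how a recipient application would present its connector certificate over HTTPS using the standard library; the certificate paths are placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets
import ssl

# Validity period stated on the page.
TOKEN_LIFETIME = timedelta(hours=10)

# Hypothetical role-to-operation mapping (placeholder; not the product's real roles).
ROLE_PERMISSIONS = {
    "administrator": {"read_events", "manage_connectors"},
    "operator": {"read_events"},
}


def build_client_context(ca_cert: str, connector_cert: str, connector_key: str) -> ssl.SSLContext:
    """TLS context for a recipient application: trusts only the Server's CA and
    presents the connector certificate issued for this connector (paths are placeholders)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_cert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.load_cert_chain(certfile=connector_cert, keyfile=connector_key)
    return ctx


@dataclass
class Account:
    name: str
    role: str
    deleted: bool = False
    blocked: bool = False


@dataclass
class Token:
    value: str
    connector_id: str
    account_name: str
    expires_at: datetime


@dataclass
class AuthServer:
    """Toy model of the Server-side checks: account state at issue time,
    token validity and current account rights on every request."""
    accounts: dict
    tokens: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # constructed audit format: (time, connector, op, result)

    def issue_token(self, connector_id: str, account_name: str, now: datetime):
        acct = self.accounts.get(account_name)
        # No token for a deleted or blocked account (page rule).
        if acct is None or acct.deleted or acct.blocked:
            self.audit_log.append((now, connector_id, "issue_token", "denied"))
            return None
        tok = Token(secrets.token_urlsafe(32), connector_id, account_name, now + TOKEN_LIFETIME)
        self.tokens[tok.value] = tok
        self.audit_log.append((now, connector_id, "issue_token", "ok"))
        return tok

    def extend_token(self, value: str, now: datetime) -> bool:
        """Extension must be requested before expiry; an expired token cannot be revived.
        Assumption: a successful extension restarts the full validity period."""
        tok = self.tokens.get(value)
        if tok is None or now >= tok.expires_at:
            return False
        tok.expires_at = now + TOKEN_LIFETIME
        return True

    def authorize(self, value: str, operation: str, now: datetime) -> str:
        """Per-request check: token still valid, account still exists, role allows the operation."""
        tok = self.tokens.get(value)
        if tok is None or now >= tok.expires_at:
            return "token_invalid"
        acct = self.accounts.get(tok.account_name)
        if acct is None or acct.deleted:
            self.audit_log.append((now, tok.connector_id, operation, "account_not_found"))
            return "account_not_found"
        # Assumption: a blocked account is treated as having no current access rights.
        if acct.blocked or operation not in ROLE_PERMISSIONS.get(acct.role, set()):
            self.audit_log.append((now, tok.connector_id, operation, "insufficient_rights"))
            return "insufficient_rights"
        self.audit_log.append((now, tok.connector_id, operation, "ok"))
        return "ok"


def demo() -> dict:
    """Walk through the lifecycle with constructed accounts and a fixed clock."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    server = AuthServer(accounts={
        "svc-reader": Account("svc-reader", "operator"),
        "svc-blocked": Account("svc-blocked", "operator", blocked=True),
    })
    results = {}
    results["blocked_issue"] = server.issue_token("connector-1", "svc-blocked", t0) is None
    tok = server.issue_token("connector-1", "svc-reader", t0)
    results["read_ok"] = server.authorize(tok.value, "read_events", t0 + timedelta(hours=1))
    results["rights"] = server.authorize(tok.value, "manage_connectors", t0 + timedelta(hours=1))
    results["extend_early"] = server.extend_token(tok.value, t0 + timedelta(hours=9))
    results["still_valid"] = server.authorize(tok.value, "read_events", t0 + timedelta(hours=15))
    results["expired"] = server.authorize(tok.value, "read_events", t0 + timedelta(hours=19))
    results["extend_late"] = server.extend_token(tok.value, t0 + timedelta(hours=19))
    return results


if __name__ == "__main__":
    print(demo())
```

The `expired` and `extend_late` results are the practical point for a client author: once the 10-hour window (as extended) has passed, neither the old token nor an extension request helps, and the application must request a new token over the same certificate-authenticated connection.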

When processing requests from recipient applications, the application uses the audit log to store information about attempts to perform the following operations:
