Kaspersky Security Center Web Console installation parameters

For installing Kaspersky Security Center Web Console Server on devices running Linux, you must create a response file—a .json file that contains parameters for connecting Kaspersky Security Center Web Console to the Administration Server. You must name this file ksc-web-console-setup.json and place it in the /etc/ksc-web-console-setup.json directory.

The set of parameters of the response file depends on the version of the Administration Server to which the Kaspersky Security Center Web Console connects.

Administration Server version 16 or later
Administration Server version 16 or later includes Identity and Access Manager (IAM) that is provided domain authentication with single sign-on (SSO) in Kaspersky Security Center Web Console. For Kaspersky Security Center Web Console to connect to Administration Server, the response file must contain the parameters for interacting with the IAM component, even if you do not use single sign-on (SSO).

Example of the response file for installing Web Console that will connect to Administration Server version 16 or later. In this example, Web Console and Administration Server are installed on different devices:

{

"address": "ksc-web-console.example.com",

"port": 8080,

"defaultLangId": 1049,

"enableLog": true,

"trusted": {

"Administration Server v16": {

"iamHost": "ksc16.example.com",

"iamOAuthPort": 4444,

"iamProxyPort": 9050,

"iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem",

"iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

}

"acceptEula": true,

"certPath": "/root/server.crt",

"keyPath": "/root/key-without-passphrase.pem",

"webConsoleAccount": "<Group1:User1>",

"managementServiceAccount": "<Group1:User2>",

"serviceWebConsoleAccount": "<Group1:User3>",

"pluginAccount": "<Group1:User4>",

"messageQueueAccount": "<Group1:User5>",

"natsMessageQueueAccount": "Group1:User6"

}
Administration Server version 15.4 or earlier
Administration Server 15.4 or earlier only supports authentication by specifying the name and password of the internal user or the domain user.

Example of the response file for installing Web Console that will connect to Administration Server version 15.4 or earlier:

{

"address": "ksc-web-console.example.com",

"port": 8080,

"defaultLangId": 1049,

"enableLog": true,

"trusted": {

"Administration Server v15.4": {

"kscHost": "ksc.example.com",

"kscPort": 13299,

"kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

}

},

"acceptEula": true,

"certPath": "/root/server.crt",

"keyPath": "/root/key-without-passphrase.pem",

"webConsoleAccount": "<Group1:User1>",

"managementServiceAccount": "<Group1:User2>",

"serviceWebConsoleAccount": "<Group1:User3>",

"pluginAccount": "<Group1:User4>",

"messageQueueAccount": "<Group1:User5>",

"natsMessageQueueAccount": "<Group1:User6>"

}

The webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, natsMessageQueueAccount, certPath, and keyPath parameters are optional. You can omit these parameters in the response file.

If you want to use a custom certificate, specify both the certPath and keyPath parameters. If you do not specify the parameters or specify only one, the web browser keeps informing you that your connection is not private.

For security reasons, we do not recommend specifying the webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, and natsMessageQueueAccount parameters.
If you decide to specify these parameters, make sure that the custom user accounts belong to the same security group. When the parameters are not specified, the Kaspersky Security Center Web Console installer creates a default security group, and then creates user accounts with default names in this group.
The webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, and natsMessageQueueAccount parameters must not be used separately from each other: specify the values either for all of these parameters, or for none of them.

You can install the Kaspersky Security Center Web Console either on the same device as the Administration Server or on a separate device. When installing Kaspersky Security Center Web Console to an external device, the Kaspersky Security Center Web Console (specified by address) and Administration Server address (specified by iamHost or kscHost) are different, otherwise these parameters have the same values.

We recommend that you specify port numbers above 1024. If you want Kaspersky Security Center Web Console to work on ports below 1024, after installation you have to run the following command:

sudo setcap 'cap_net_bind_service=+ep' /var/opt/kaspersky/ksc-web-console/node

If you do not have the setcap utility, you can install it. Click this link to view the commands.

When you install Kaspersky Security Center Web Console on the Linux ALT operating system, you must specify a port number other than 8080, because port 8080 is used by the operating system.

The table below describes the parameters that can be specified in a response file.

Parameters for installing Kaspersky Security Center Web Console on devices running Linux

Parameter	Description	Available values
`address`	Address of the device (FQDN or host name) where Kaspersky Security Center Web Console is installed (required). If you install Kaspersky Security Center Web Console on Kaspersky Security Center Server, use the address that you specified when installing Kaspersky Security Center Linux. If you install Kaspersky Security Center Web Console on an external device, specify the device external address (FQDN or host name) to be used by the web browser for connecting to Kaspersky Security Center Web Console Server.	String value. Example: `"ksc.example.com"`
`port`	Port used by Kaspersky Security Center Web Console to receive connections from web browsers (required).	Numerical value. The recommended value is 8080 (except for the Linux ALT operating system).
`defaultLangId`	Language of user interface (by default, `1033`). If necessary, you can change the language of Kaspersky Security Center Web Console interface.	Numerical code of the language: German: `1031` English: `1033` Spanish: `1034` Spanish (Mexico): `2058` French: `1036` Italian: `1040` Japanese: `1041` Kazakh: `1087` Polish: `1045` Portuguese (Brazil): `1046` Russian: `1049` Turkish: `1055` Simplified Chinese: `2052` Traditional Chinese: `1028` If no value is specified, then English (en-US) language is used.
`enableLog`	Whether or not to enable Kaspersky Security Center Web Console trace logging. We recommend that you change the default value for the parameter only if a Kaspersky Technical Support specialist requests.	Boolean value: `true`—Logging is enabled. `false`—Logging is disabled (selected by default).
`trusted`	List of addresses of trusted Administration Servers that Kaspersky Security Center Web Console can connect to. You can add multiple Administration Servers of different versions to the list of trusted servers. For Administration Server version 16 or later: Administration Server name that will be displayed in the login window. `iamHost` is the address (FQDN or host name) of the Administration Server, which includes the IAM component (starting with Kaspersky Security Center Linux version 16), and to which Kaspersky Security Center Web Console connects. `iamOAuthPort` is the port that is used for exchanging authentication tokens over the OpenID Connect authentication protocol (default value is 4444). This port is used both for communication between Kaspersky Security Center Web Console Server and Administration Server, and between the browser (used with Kaspersky Security Center Web Console) and Administration Server. `iamProxyPort` is the port that is used for connecting Kaspersky Security Center Web Console Server to Administration Server (default value is 9050). `iamCertPath` is the path to the IAM certificate. The IAM certificate is created automatically the first time you run Administration Server. The certificate is located on the device where Administration Server is installed. The default path to the certificate: var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem. The self-signed IAM certificate is rotated automatically. `iamPATPath` is the path to the token used for registration of Kaspersky Security Center Web Console as an OAuth-client in IAM. This file is generated automatically the first time you run Administration Server. The token is located on the device where Administration Server is installed. The default path to the token: /var/opt/kaspersky/klnagent_srv/iam/initial_token.txt. The token is valid indefinitely and does not require rotation. `kscPort` is the port that is used for connecting Kaspersky Security Center Web Console to Administration Server over OpenAPI (default value is 13299). `kscCertPath` is the path to the Administration Server certificate. The certificate is located on the device where Administration Server is installed. The default path to the certificate: /var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer. For Administration Server version 15.4 or earlier: Administration Server name that will be displayed in the login window. `kscHost` is the address (FQDN or host name) of the Administration Server that Kaspersky Security Center Web Console connects to. `kscPort` is the OpenAPI port that is used for connecting Kaspersky Security Center Web Console Server to Administration Server (default value is 13299). `kscCertPath` is the path to the Administration Server certificate. The certificate is located on the device where Administration Server is installed. The default path to the certificate: /var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer. When installing Kaspersky Security Center Web Console to an external device, copy the Administration Server certificate file (specified by `kscCertPath`), the IAM certificate file (specified by `iamCertPath`), and the token file (specified by `iamPATPath`) from the device with Administration Server installed to the external device. Specify the local path to these files in the response file for the Web Console installer.	A section of the JSON file in the following format: "trusted": { "Administration Server v16": { "iamHost": "ksc-iam.example.com", "iamOAuthPort": 4444, "iamProxyPort": 9050, "iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem", "iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt", "kscPort": 13299, "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer" }, "Administration Server v15.4": { "kscHost": "ksc.example.com", "kscPort": 13299, "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer" } }
`acceptEula`	Whether or not you want to accept the terms of the End User License Agreement (EULA). The file containing the terms of the EULA is downloaded together with the installation file.	Boolean value: `true`—I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement. `false`—I do not accept the terms of the License Agreement (selected by default). If no value is specified, the Kaspersky Security Center Web Console installer shows you the EULA and asks whether or not you agree to accept the terms of the EULA.
`certDomain`	If you want to generate a new self-signed certificate, use this parameter to specify the FQDN for connecting web browser to Kaspersky Security Center Web Console.	String value.
`certPath`	Use the parameter to specify the path to the Kaspersky Security Center Web Console custom certificate that is trusted in your infrastructure and meets the requirements for custom certificates. You can specify only one private key (`keyPath`) for one certificate or for a certificate chain.	String value. Encrypted certificates are not supported by Kaspersky Security Center Web Console. On the device where Kaspersky Security Center Web Console is to be installed, specify the path to the certificate file in the PEM format. Example: `/root/server.crt`
`keyPath`	Use the parameter to specify the path to the private key associated with the Kaspersky Security Center Web Console custom certificate specified in `certPath` parameter.	String value. The file with the private key must not be encrypted. On the device where Kaspersky Security Center Web Console is to be installed, specify the path to key file in the PEM format. Example: `/root/key-without-passphrase.pem`
`webConsoleAccount`	Name of the account under which the Kaspersky Security Center Web Console service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User1"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_management_%uid%`.
`managementServiceAccount`	Name of the account under which the Kaspersky Security Center Web Console Management Service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User2"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_nodejs_%uid%`.
`serviceWebConsoleAccount`	Name of the account under which the Kaspersky Security Center Web Console service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User3"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_svc_nodejs_%uid%`.
`pluginAccount`	Name of the account under which the Kaspersky Security Center Product Plugins service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User4"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_web_plugin_%uid%`.
`messageQueueAccount`	Name of the account under which the Kaspersky Security Center Web Console Message Queue service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User5"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_message_queue_%uid%`.
`natsMessageQueueAccount`	Name of the account under which the Kaspersky Security Center Web Console NATS service is run.	String value in the following format: `"<group name>:<user name>"`. Example: `"Group1:User6"`. If no value is specified, the Kaspersky Security Center Web Console installer creates a new account with the default name `user_message_queue_%uid%`.