Upgrading Kaspersky Security Center Web Console

Expand all | Collapse all

This article describes how to upgrade Kaspersky Security Center Web Console Server (also referred to as Kaspersky Security Center Web Console) on devices running the Linux operating system.

If you need to upgrade Kaspersky Security Center Web Console on Astra Linux in the closed software environment mode, follow the instructions specific for Astra Linux.

Use one of the following installation files that corresponds to the Linux distribution installed on your device:

• For Debian: ksc-web-console-<build_number>.x86_64.deb
• For RPM-based operating systems: ksc-web-console-<build_number>.x86_64.rpm
• For ALT 8 SP: ksc-web-console-<build_number>-alt8p.x86_64.rpm

You receive the installation file by downloading it from the Kaspersky website.

To upgrade Kaspersky Security Center Web Console:

1. Make sure that the device on which you want to upgrade Kaspersky Security Center Web Console is running one of the supported Linux distributions.

2. Read and accept the End User License Agreement (EULA). If the Kaspersky Security Center Linux distribution kit does not include a TXT file with the text of the EULA, you can download the file from the Kaspersky website. If you do not accept the terms of the License Agreement, do not upgrade Kaspersky Security Center Web Console by using the installation file.
3. Use the same response file that you prepared before installing Kaspersky Security Center Web Console. The response file name is ksc-web-console-setup.json, and the file location is /etc/ksc-web-console-setup.json.

   If when installing Kaspersky Security Center Web Console you specified the values for the webConsoleAccount, managementServiceAccount, serviceWebConsoleAccount, pluginAccount, messageQueueAccount, and natsMessageQueueAccount parameters, make sure that all these parameters are specified in the response file.

   If the response file does not exist, create a new response file that contains the parameters for connecting Kaspersky Security Center Web Console to Administration Server. Name the file ksc-web-console-setup.json, and then place it in the /etc directory.

   The set of parameters of the response file depends on the version of the Administration Server to which the Kaspersky Security Center Web Console connects.

   • Administration Server version 16 or later

     Example of a response file with the minimum set of parameters for signing in to Administration Server version 16 or later:

     {

     "address": "ksc-web-console.example.com",

     "port": 8080,

     "trusted": {

     "Administration Server with SSO": {

     "iamHost": "ksc-iam.example.com",

     "iamOAuthPort": 4444,

     "iamProxyPort": 9050,

     "iamCertPath": "/var/opt/kaspersky/klnagent_srv/iam/main_certificate.pem",

     "iamPATPath": "/var/opt/kaspersky/klnagent_srv/iam/initial_token.txt",

     "kscPort": 13299,

     "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

     }

     },

     "acceptEula": true

     }

   • Administration Server version 15.4 or earlier

     Example of a response file with the minimum set of parameters for signing in to Administration Server version 15.4 or earlier:

     {

     "address": "ksc-web-console.example.com",

     "port": 8080,

     "trusted": {

     "Administration Server without SSO": {

     "kscHost": "ksc.example.com",

     "kscPort": 13299,

     "kscCertPath": "/var/opt/kaspersky/klnagent_srv/1093/cert/klserver.cer"

     }

     },

     "acceptEula": true

     }

   You can install the Kaspersky Security Center Web Console either on the same device as the Administration Server or on a separate device. When installing Kaspersky Security Center Web Console to an external device, the Kaspersky Security Center Web Console (specified by address) and Administration Server address (specified by iamHost or kscHost) are different. Otherwise, these parameters have the same values.

   You can add multiple Administration Servers of different versions to the list of trusted servers. In this case, the Servers may use different authentication methods.

   If you want to upgrade Kaspersky Security Center Web Console connected to Administration Server installed on the Kaspersky Security Center Linux failover cluster nodes, in the response file, specify the trusted installation parameter to allow the Kaspersky Security Center Linux failover cluster to connect to Kaspersky Security Center Web Console.

   Components of the trusted installation parameter

   If you connect to the Kaspersky Security Center Linux failover cluster by using domain authentication with SSO, specify the trusted installation parameter as follows: If you connect Kaspersky Security Center Web Console to Administration Server version 16 or later, domain authentication with single sign-on (SSO) provided by Identity and Access Manager (IAM) will be used. In this case, specify the trusted installation parameter as follows:

   "trusted": {

   "<Administration Server name>": {

   "iamHost": "ksc-iam.example.com",

   "iamOAuthPort": 4444,

   "iamProxyPort": 9050,

   "iamCertPath": "<shared data folder>/iam/main_certificate.pem",

   "iamPATPath": "<shared data folder>/iam/initial_token.txt",

   "kscPort": 13299,

   "kscCertPath": "<shared data folder>/1093/cert/klserver.cer"

   }

   }

   where:

   • <Administration Server name> is the Kaspersky Security Center Linux failover cluster name that will be displayed in the login window of Kaspersky Security Center Web Console.
   • iamHost is the address of the device where Administration Server and IAM are installed. If you created a secondary network adapter when preparing the cluster nodes, use the FQDN or host name of the adapter as the Kaspersky Security Center Linux failover cluster address. Otherwise, specify the FQDN or host name of the third-party load balancer that you use.
   • iamOAuthPort is the port that is used for exchanging authentication tokens over the OpenID Connect authentication protocol (default value is 4444). This port is used both for communication between Kaspersky Security Center Web Console Server and Administration Server, and between the browser (used with Kaspersky Security Center Web Console) and Administration Server.
   • iamProxyPort is the port that is used for connecting Kaspersky Security Center Web Console Server to Administration Server (default value is 9050).
   • iamCertPath is the path to the certificate of IAM. The IAM certificate is created automatically the first time you run Administration Server. The certificate is located on the device where Administration Server is installed. The default path to the certificate is: <shared data folder>/iam/main_certificate.pem. The certificate is located in the shared data storage of the Kaspersky Security Center Linux failover cluster. The self-signed IAM certificate is rotated automatically.
   • iamPATPath is the path to the token used for registration of Kaspersky Security Center Web Console as an OAuth-client in IAM. This file is generated the first time you run Administration Server. The token is located on the device where Administration Server is installed. The default path to the token is: <shared data folder>/iam/initial_token.txt. The token is located in the shared data storage of the Kaspersky Security Center Linux failover cluster. The token is valid indefinitely and does not require rotation.
   • kscPort is the OpenAPI port that Kaspersky Security Center Web Console use to connect to Administration Server (default value is 13299).
   • kscCertPath is the Administration Server certificate that is located in the shared data storage of the Kaspersky Security Center Linux failover cluster. The default path to the certificate file is: <shared data folder>\1093\cert\klserver.cer.

     Copy the Administration Server certificate file (specified by kscCertPath), the IAM certificate file (specified by iamCertPath), and the token file (specified by iamPATPath) from the shared data storage to the device where you install Kaspersky Security Center Web Console. Specify the local path to the Administration Server certificate.

   If you connect Kaspersky Security Center Web Console to Administration Server version 15.4 or earlier, authentication by specifying the name and password of the domain user or the internal user will be used. In this case, specify the trusted installation parameter as follows:

   "trusted": {

   "<Administration Server name>": {

   "kscHost": "ksc.example.com",

   "kscPort": 13299,

   "kscCertPath": "<shared data folder>/1093/cert/klserver.cer"

   }

   }

   where:

   • <Administration Server name> is the Kaspersky Security Center Linux failover cluster name that will be displayed in the login window of Kaspersky Security Center Web Console.
   • kscHost is the Administration Server address (FQDN or host name). If you created a secondary network adapter when preparing the cluster nodes, use the address of the adapter as the Kaspersky Security Center Linux failover cluster address. Otherwise, specify the address of the third-party load balancer that you use.
   • kscPort is the OpenAPI port that Kaspersky Security Center Web Console uses to connect to Administration Server (default value is 13299).
   • kscCertPath is the Administration Server certificate that is located in the shared data storage of the Kaspersky Security Center Linux failover cluster. The default path to the certificate file is: <shared data folder>\1093\cert\klserver.cer. Copy the certificate file from the shared data storage to the device where you install Kaspersky Security Center Web Console. Specify the local path to the Administration Server certificate.

   Kaspersky Security Center Web Console cannot be upgraded by using the same .rpm installation file. If you want to change the settings in a response file and use this file to reinstall the application, you must first remove the application, and then install it again with the new response file.

4. Under an account with root privileges, use the command line to run the setup file with the .deb or .rpm extension, depending on your Linux distribution.

   To upgrade from a previous version of Kaspersky Security Center Web Console, run one of the following commands:

   • For devices running an RPM-based operating system:

     sudo rpm -Uvh --nodeps --force ksc-web-console-<build_number>.x86_64.rpm

   • For devices running a Debian-based operating system:

     sudo dpkg -i ksc-web-console-<build_number>.x86_64.deb

   This starts unpacking the setup file. Please wait until the installation is complete.

5. Restart all of the Kaspersky Security Center Web Console services by running the following command:

   sudo systemctl restart KSC*

When the upgrade is complete, you can use your browser to open and log in to Kaspersky Security Center Web Console.