Establishing connections

This section explains how to establish a connection with Kaspersky Industrial CyberSecurity for Networks.

Overview

To make API calls, you must establish a connection with Kaspersky Industrial CyberSecurity for Networks (gRPC server). This connection is secure and uses certificates for authentication.

About certificates

To establish connections to the gRPC server, a client must use the following certificates and keys:

Please contact your system administrator to obtain these files. All the certificates and keys must be in PEM format.

The certificates are generated for a specific host name. In this section, it is assumed that server certificates are generated for the kics4net.example.com host name and client certificates are generated for the client.example.com host name.
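
A pre-flight check for the certificate and key files, as an added example that is not part of the original documentation or of the product's API: it confirms that each file holds PEM blocks of the expected type and that the client key is not readable by other users. The function names and the permission check are assumptions of this example; only the Python standard library is used.

```python
import base64
import os
import re
import stat

# One PEM block: BEGIN/END armor with the same label around a base64 body.
_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_labels(data: bytes) -> list:
    """Return the label of every well-formed PEM block in data."""
    labels = []
    for label, body in _PEM_RE.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            continue  # armor present but body is not valid base64
        if der[:1] == b"\x30":  # DER certificates and keys start with SEQUENCE
            labels.append(label.decode("ascii"))
    return labels


def preflight(server_crt: str, client_crt: str, client_key: str) -> list:
    """Check the three files before handing them to grpc; return problems found."""
    problems = []
    for path, want_key in ((server_crt, False), (client_crt, False), (client_key, True)):
        with open(path, "rb") as f:  # gRPC expects bytes, so read in binary mode
            labels = pem_labels(f.read())
        if not labels:
            problems.append(f"{path}: no valid PEM block (DER or damaged file?)")
        elif want_key and not all(lb.endswith("PRIVATE KEY") for lb in labels):
            problems.append(f"{path}: expected a private key, found {labels}")
        elif not want_key and not all(lb == "CERTIFICATE" for lb in labels):
            problems.append(f"{path}: expected certificates, found {labels}")
    # The client key authenticates this client to the server: keep it owner-only.
    if os.name == "posix" and stat.S_IMODE(os.stat(client_key).st_mode) & 0o077:
        problems.append(f"{client_key}: readable by group or others (chmod 600)")
    return problems
```

Call preflight() with the three file paths before creating the channel or the secure port, and stop if it returns any problems.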

Establishing a secure connection to the gRPC server

To establish a connection to Kaspersky Industrial CyberSecurity for Networks, create a gRPC secure channel using the provided certificates and keys and provide this channel as a parameter when creating stubs.

The following example demonstrates establishing a secure connection to the gRPC server located at kics4net.example.com:13522 and creating an event stub that uses this channel.

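import grpc
import event_provider_service_pb2_grpc

# gRPC expects PEM data as bytes, so read the files in binary mode.
with open('./certs/product_facade_grpc_server.crt', 'rb') as f:
    root_crt = f.read()  # server certificate, used as the trust root
with open('./certs/client.key', 'rb') as f:
    key = f.read()  # client private key
with open('./certs/client.crt', 'rb') as f:
    chain = f.read()  # client certificate

channel_credentials = grpc.ssl_channel_credentials(root_crt, key, chain)
channel = grpc.secure_channel('kics4net.example.com:13522', channel_credentials)

# Stubs created on this channel use the authenticated TLS connection.
eventStub = event_provider_service_pb2_grpc.EventProviderStub(channel)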

Creating a secure port for connections from the gRPC server

To handle tag change events, you must run a service that accepts incoming connections from the Kaspersky Industrial CyberSecurity for Networks gRPC server. This service must use the same certificates and keys that are used for establishing connections to the gRPC server. The client certificate and key are used as server certificates, so that the gRPC server can authenticate this service. The gRPC server certificate is used by this service to authenticate connections from the gRPC server.

The following example demonstrates how to create a secure port for listening to incoming connections from the gRPC server:

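import grpc

# gRPC expects PEM data as bytes, so read the files in binary mode.
with open('./certs/product_facade_grpc_server.crt', 'rb') as f:
    root_crt = f.read()  # gRPC server certificate, used to verify the caller
with open('./certs/client.key', 'rb') as f:
    key = f.read()  # client private key, used here as the service key
with open('./certs/client.crt', 'rb') as f:
    chain = f.read()  # client certificate, presented by this service

server_credentials = grpc.ssl_server_credentials(
    private_key_certificate_chain_pairs=[(key, chain)],
    root_certificates=root_crt,
    require_client_auth=True)  # reject callers without a trusted certificate

# server is the grpc.Server instance of this service; address is its listening host:port.
server.add_secure_port(address, server_credentials)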
