Contents
- Configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
- Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
- Downloading the TLS certificate of the Central Node server
- Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
- Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform.
- Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform
- Generating a TLS certificate of Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a cryptographic container
- Uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
- Viewing the table of Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Filtering and searching Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Deleting Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
- Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a cryptographic container to Kaspersky Endpoint Agent
- Configuring traffic redirection from Kaspersky Endpoint Agent to the Sensor server
- Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server
- Downloading the TLS certificate of the Sensor server to your computer
- Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
Configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
This section contains information on configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent. You must follow the steps both on the Kaspersky Anti Targeted Attack Platform side using the web interface and program administrator menu and on the Kaspersky Endpoint Agent side using the KSC Administration Console.
Configuring the trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
You must configure a trusted connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent both on the Kaspersky Anti Targeted Attack Platform side using the web interface and program administrator menu and on the Kaspersky Endpoint Agent side using the KSC Administration Console.
You can use one of the following options to configure a trusted connection:
- Using a TLS certificate of Kaspersky Anti Targeted Attack Platform, without validating the Kaspersky Endpoint Agent TLS certificate on the Kaspersky Anti Targeted Attack Platform side:
  - Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
    Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Central Node server. Kaspersky Anti Targeted Attack Platform does not validate the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
  - Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
    Traffic redirection to the Sensor server is configured in Kaspersky Anti Targeted Attack Platform. Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Sensor server. Kaspersky Anti Targeted Attack Platform does not validate the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
- Using TLS certificates of Kaspersky Anti Targeted Attack Platform and Kaspersky Endpoint Agent, with validation of the Kaspersky Endpoint Agent TLS certificate on the Kaspersky Anti Targeted Attack Platform side:
  - Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
    Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Central Node server. Additional security of the connection is configured in Kaspersky Endpoint Agent and the TLS certificate of Kaspersky Endpoint Agent is uploaded. Kaspersky Anti Targeted Attack Platform validates the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
  - Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
    Traffic redirection to the Sensor server is configured in Kaspersky Anti Targeted Attack Platform. Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Sensor server. Additional security of the connection is configured in Kaspersky Endpoint Agent and the TLS certificate of Kaspersky Endpoint Agent is uploaded. Kaspersky Anti Targeted Attack Platform validates the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
Configuring the connection with the Central Node server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Central Node server. Kaspersky Anti Targeted Attack Platform does not validate the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
If you are using this alternative configuration for the trusted connection, the procedure is as follows:
- Generating or uploading an independently prepared TLS certificate of the Central Node server in the web interface of Central Node (if the TLS certificate of the Central Node has not been created yet).
- Downloading the TLS certificate of the Central Node server to your computer.
- Uploading the TLS certificate of the Central Node server to Kaspersky Endpoint Agent using the KSC Administration Console.
Configuring the connection with the Sensor server without validating the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
Traffic redirection to the Sensor server is configured in Kaspersky Anti Targeted Attack Platform. Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Sensor server. Kaspersky Anti Targeted Attack Platform does not validate the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
If you are using this alternative configuration for the trusted connection, the procedure is as follows:
- Enabling traffic redirection from Kaspersky Endpoint Agent to the Sensor server.
- Authorizing the Sensor component on the Central Node server.
- Generating or uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server.
- Downloading the TLS certificate of the Sensor server to your computer.
- Uploading the TLS certificate of the Sensor server to Kaspersky Endpoint Agent using the KSC Administration Console.
Configuring the connection with the Central Node server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Central Node server. Additional security of the connection is configured in Kaspersky Endpoint Agent and the TLS certificate of Kaspersky Endpoint Agent is uploaded. Kaspersky Anti Targeted Attack Platform validates the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
If you are using this alternative configuration for the trusted connection, the procedure is as follows:
- Generating or uploading an independently prepared TLS certificate of the Central Node server in the web interface of Central Node (if the TLS certificate of the Central Node has not been created yet).
- Downloading the TLS certificate of the Central Node server to your computer.
- Uploading the TLS certificate of the Central Node server to Kaspersky Endpoint Agent using the KSC Administration Console.
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform.
- Generating and downloading the cryptographic container with the TLS certificate of Kaspersky Endpoint Agent or uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
If you want to prepare the TLS certificate of Kaspersky Endpoint Agent on your own, you must create a PFX cryptographic container with your certificate. For details on managing TLS certificates, see the OpenSSL documentation.
- Uploading the cryptographic container with Kaspersky Endpoint Agent certificate to Kaspersky Endpoint Agent using the KSC Administration Console.
Configuring the connection with the Sensor server with validation of the TLS certificate of Kaspersky Endpoint Agent in Kaspersky Anti Targeted Attack Platform.
Traffic redirection to the Sensor server is configured in Kaspersky Anti Targeted Attack Platform. Kaspersky Endpoint Agent establishes a trusted connection with Kaspersky Anti Targeted Attack Platform using the TLS certificate of the Sensor server. Additional security of the connection is configured in Kaspersky Endpoint Agent and the TLS certificate of Kaspersky Endpoint Agent is uploaded. Kaspersky Anti Targeted Attack Platform validates the TLS certificate of Kaspersky Endpoint Agent when Kaspersky Endpoint Agent tries to connect.
If you are using this alternative configuration for the trusted connection, the procedure is as follows:
- Enabling traffic redirection from Kaspersky Endpoint Agent to the Sensor server.
- Authorizing the Sensor component on the Central Node server.
- Generating or uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server.
- Downloading the TLS certificate of the Sensor server to your computer.
- Uploading the TLS certificate of the Sensor server to Kaspersky Endpoint Agent using the KSC Administration Console.
- Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform.
- Generating and downloading the cryptographic container with the TLS certificate of Kaspersky Endpoint Agent or uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
If you want to prepare the TLS certificate of Kaspersky Endpoint Agent on your own, you must create a PFX cryptographic container with your certificate. For details on managing TLS certificates, see the OpenSSL documentation.
- Uploading the cryptographic container with Kaspersky Endpoint Agent certificate to Kaspersky Endpoint Agent using the KSC Administration Console.
Downloading the TLS certificate of the Central Node server
To download the TLS certificate of the server:
- In the window of the program web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Download.
The server certificate file will be saved in the downloads folder of the browser.
Generating a TLS certificate for the Central Node server in the web interface of Kaspersky Anti Targeted Attack Platform
If you are already using a Central Node server TLS certificate, generating a new certificate causes the currently used certificate to be removed and replaced with the newly generated certificate.
You must enter the data of the new certificate everywhere the old certificate was used.
If you replace the TLS certificate, you will need to:
- Reauthorize mail sensors (KSMG, KLMS) on Central Node.
- Reconfigure the connection of Central Node, PCN, and SCN to Sandbox.
- Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
- Upload a new certificate to Active Directory (if you are using Active Directory).
Delete all Endpoint Agent host isolation rules. Once the certificate is replaced, connection with the isolated hosts and control over them will be lost.
To generate a TLS certificate for a Central Node server:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the program web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Generate.
This opens the action confirmation window.
- Click Yes.
Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.
Uploading an independently prepared TLS certificate for the Central Node server using the web interface of Kaspersky Anti Targeted Attack Platform.
You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.
The TLS certificate file prepared for upload must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
The application does not support other formats of certificates.
If you have prepared a certificate in a different format, you must convert it to the PEM format.
- The private key length must be 2048 bits or longer.
For more details on preparing TLS certificates for import, please refer to the OpenSSL documentation.
If you are already using a Central Node server TLS certificate, uploading a new certificate causes the currently used certificate to be removed and replaced with the uploaded certificate.
You must enter the data of the new certificate everywhere the old certificate was used.
If you replace the TLS certificate, you will need to:
- Reauthorize mail sensors (KSMG, KLMS) on Central Node.
- Reconfigure the connection of Central Node, PCN, and SCN to Sandbox.
- Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
- Upload a new certificate to Active Directory (if you are using Active Directory).
Delete all Endpoint Agent host isolation rules. Once the certificate is replaced, the connection with isolated hosts is severed and you cannot manage them.
To upload an independently prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the window of the program web interface, select the Settings section, Certificates subsection.
- In the Server certificate section, click Upload.
This opens the file selection window.
- Select a TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to Kaspersky Anti Targeted Attack Platform.
- Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
- Upload a new certificate to Active Directory (if you are using Active Directory).
Delete all Endpoint Agent host isolation rules. Once the certificate is replaced, connection with the isolated hosts and control over them will be lost.
Uploading a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent
To upload a TLS certificate of the Central Node server or Sensor to Kaspersky Endpoint Agent:
- Open the KSC Console.
- In the console tree, open the Policies folder.
- In the Kaspersky Endpoint Agent policy section, select the required policy and double-click it to open its properties.
The properties of the selected policy are displayed.
- In the KATA integration section, select the KATA integration settings subsection.
- Select the Enable KATA integration check box.
- In the Address field, enter the address of the Central Node server of the Kaspersky Anti Targeted Attack Platform program that you want to configure integration with, and select a port to use for the connection. Port 443 is used by default.
- Select the Use pinned certificate to secure connection check box.
- Click Add a TLS certificate....
This opens the Adding TLS certificate window.
- To add a TLS certificate previously created on the Kaspersky Anti Targeted Attack Platform side and downloaded, do one of the following:
- Add a certificate file. To do so, click Browse...; in the window that is displayed, select a certificate file and click Open.
- Paste the content of the certificate file to the Paste TLS certificate data: field.
Kaspersky Endpoint Agent can store only one TLS certificate for the Kaspersky Anti Targeted Attack Platform server. If you have added a TLS certificate before and are adding a TLS certificate again, only the last added certificate is used.
If you have configured traffic redirection to the server with the Sensor component, you must download the TLS certificate of the Sensor server and then upload it here.
- Click Add.
Information about the added TLS certificate is displayed in the section for integration with Kaspersky Anti Targeted Attack Platform.
- Make sure the toggle switch in the upper right corner of the group of settings is in the Under policy position.
- Click OK.
The TLS certificate of the Central Node server is uploaded to Endpoint Agent.
Enabling the validation of the Kaspersky Endpoint Agent TLS certificate in the web interface of Kaspersky Anti Targeted Attack Platform
To enable trusted connection with Kaspersky Endpoint Agent:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Certificates subsection.
- In the Endpoint Agent certificates section, turn on the Validate Endpoint Agent TLS certificates switch.
Kaspersky Anti Targeted Attack Platform will check TLS certificate data when Kaspersky Endpoint Agent attempts to connect to Kaspersky Anti Targeted Attack Platform.
Generating a TLS certificate of Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform and downloading a cryptographic container
To generate a TLS certificate for the connection of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Certificates subsection.
- In the Endpoint Agent certificates section, click Generate.
Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.
The cryptographic container file with the Kaspersky Endpoint Agent certificate in the PFX format is downloaded to the browser downloads folder on your local computer.
You can use the cryptographic container to configure the validation of Kaspersky Endpoint Agent TLS certificate by the Central Node server when attempting to connect to Kaspersky Anti Targeted Attack Platform.
By default, the cryptographic container is not password-protected. You can protect the cryptographic container with a password. For details on managing TLS certificates, see the OpenSSL documentation.
The cryptographic container contains only the certificate file, but not the private key file. Kaspersky Anti Targeted Attack Platform does not store private keys for the TLS encryption of the connection.
Uploading an independently prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform.
You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.
The TLS certificate file prepared for upload must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
- The private key length must be 2048 bits or longer.
For more details on preparing TLS certificates for import, please refer to the OpenSSL documentation.
If you want to prepare the TLS certificate of Kaspersky Endpoint Agent on your own, you must create a PFX cryptographic container with your certificate and upload the cryptographic container to Kaspersky Endpoint Agent.
You can use the cryptographic container to configure the validation of Kaspersky Endpoint Agent TLS certificate by the Central Node server when attempting to connect to Kaspersky Anti Targeted Attack Platform.
For details on managing TLS certificates, see the OpenSSL documentation.
The cryptographic container must contain only the certificate file, but not the private key file. Kaspersky Anti Targeted Attack Platform does not store private keys for the TLS encryption of the connection.
To upload a manually prepared TLS certificate of Kaspersky Endpoint Agent using the web interface of Kaspersky Anti Targeted Attack Platform:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Certificates subsection.
- In the Endpoint Agent certificates section, click Upload.
This opens the file selection window.
- Select a TLS certificate file to upload and click the Open button.
This closes the file selection window.
The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.
Viewing the table of Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
To view the list of TLS certificates for connection with Kaspersky Endpoint Agent using the Kaspersky Anti Targeted Attack Platform web interface:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Certificates subsection.
- The Endpoint Agent certificates section displays a list of TLS certificates with the following details for each certificate:
- TLS certificate – Fingerprint of the certificate.
- Serial number – Serial number of the certificate.
- Expires – Expiration date of the certificate.
Filtering and searching Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
You can filter the TLS certificates displayed in the table by one or both columns (TLS certificate and Serial number) or enter search criteria to search TLS certificates by these columns.
To filter and search TLS certificates in the table:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Certificates subsection.
- The Endpoint Agent certificates section displays a list of TLS certificates with the following details for each certificate:
- TLS certificate – Fingerprint of the certificate.
- Serial number – Serial number of the certificate.
- Expires – Expiration date of the certificate.
- If you want to filter or search TLS certificates by certificate fingerprint:
- Click the TLS certificate link to open the filter configuration window.
- In the TLS certificate text box, enter a few characters of the certificate fingerprint.
- Click Apply.
- If you want to filter or search TLS certificates by serial number:
- Click the Serial number link to open the filter configuration window.
- In the Serial number text box, enter a few characters of the serial number.
- Click Apply.
The table displays only those TLS certificates that match the filter criteria you have set.
To clear the filter for one or more filtering criteria:
Click to the right of the header of the table column for which you want to clear the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
Deleting Kaspersky Endpoint Agent TLS certificates in the web interface of Kaspersky Anti Targeted Attack Platform
To delete one or more TLS certificates for connection with Kaspersky Endpoint Agent using the Kaspersky Anti Targeted Attack Platform web interface:
- Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
- In the Kaspersky Anti Targeted Attack Platform web interface window, select the Settings section, Endpoint Agent certificates subsection.
The Endpoint Agent certificates section displays a list of TLS certificates.
- Select check boxes next to one or more TLS certificates that you want to delete.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The selected TLS certificates are deleted.
Configuring the validation of the Kaspersky Endpoint Agent TLS certificate by the Central Node server and uploading a cryptographic container to Kaspersky Endpoint Agent
To configure the validation of Kaspersky Endpoint Agent TLS certificate by the Central Node server and upload the cryptographic container with the Kaspersky Endpoint Agent certificate to Kaspersky Endpoint Agent:
- Open the KSC Console.
- In the console tree, open the Policies folder.
- In the Kaspersky Endpoint Agent policy section, select the required policy and double-click it to open its properties.
The properties of the selected policy are displayed.
- In the KATA integration section, select the KATA Central Node subsection.
- Click Configure additional security.
- In the window that opens, select the Secure the connection with client certificate check box.
- Click Download.
This opens the file selection window on your local computer.
- Select the cryptographic container file of the Kaspersky Endpoint Agent certificate that was generated on the Kaspersky Anti Targeted Attack Platform server and downloaded to the hard drive of your computer.
- Click OK.
The window closes.
- Make sure the toggle switch in the upper right corner of the group of settings is in the Under policy position.
- Click OK.
The cryptographic container with the Kaspersky Endpoint Agent certificate is uploaded to Kaspersky Endpoint Agent. Kaspersky Anti Targeted Attack Platform now validates the TLS certificate of Kaspersky Endpoint Agent when it tries to connect.
Configuring traffic redirection from Kaspersky Endpoint Agent to the Sensor server
You can use the server hosting the Sensor component as a proxy server during data exchange between the Kaspersky Endpoint Agent program and the Central Node component to decrease the load on the Central Node component.
When configuring the traffic redirection, keep in mind the following limitations:
- The maximum incoming traffic volume for the Sensor component should not exceed 1 Gbit/s.
- The recommended channel capacity between servers hosting the Central Node and Sensor components should be 15% of the SPAN port traffic.
- The maximum allowed packet loss between servers hosting the Sensor and Central Node components should be 10% with a packet delay up to 100 ms.
You can only use the Sensor component as a proxy server if the Sensor and Central Node components are located on different servers.
If you are using the Sensor component as a proxy server, make sure to enter the IP address of the Sensor component instead of the IP address of Central Node when configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent on the Kaspersky Endpoint Agent side.
Enabling traffic redirection from Kaspersky Endpoint Agent to the Sensor server
To enable the use of the Sensor component as a proxy server for communication between Kaspersky Endpoint Agent and the Central Node component, do the following in the administrator menu of the server with the Sensor component:
- In the main window of the administrator menu, select Program settings.
- Press ENTER.
This opens the next window of the administrator menu.
- Select Configure Central Node.
- Press ENTER.
This opens a window with information about the current state of connection of the Sensor component to the Central Node component.
- Click Change.
- In the Input Central Node IP address window, enter the IP address of the server hosting the Central Node component.
- Click Ok.
This opens a window containing information on the Central Node component certificate.
- Make sure that the displayed certificate matches the Central Node component certificate.
- Click Ok.
This opens a window with information about the current state of connection of the Sensor component to the Central Node component.
- Click Cancel.
Using the Sensor component as a proxy server will be enabled after authorization confirmation on the server hosting the Central Node component.
Authorizing the Sensor component on a Central Node server
To authorize the Sensor component on the Central Node server, do the following in the web interface under the local administrator account:
- Select the Sensor servers section in the window of the program web interface.
The Server list table displays the already connected Sensor components, and connection requests.
- Select the IP address of the server hosting the Sensor component whose authorization request you want to confirm or reject.
- Do one of the following:
- If you want to authorize the selected server hosting the Sensor component, click Accept.
- If you want to reject the authorization of the selected server hosting the Sensor component, click Reject.
The authorization request will be accepted or rejected.
Generating a TLS certificate for the Sensor server in the administrator menu of the Sensor server
To create a TLS certificate for the server with the Sensor component, do the following in the administrator menu of the Sensor server:
- In the main window of the administrator menu, select Program settings.
- Press ENTER.
This opens the next window of the administrator menu.
- Select Manage server certificate.
- Press ENTER.
This opens the Certificate management window.
- In the lower part of the window, select New.
- Press ENTER.
This opens a window containing information about the new certificate.
- Click Continue.
This opens the action confirmation window.
- Click Generate.
Creation of the certificate starts.
- After creation of the certificate is completed, press ENTER.
This opens a window containing information about the installed certificate.
- Click Continue.
This opens the action confirmation window.
- Click Ok.
The certificate will be created. The data of previously installed certificates will be overwritten.
Uploading an independently prepared TLS certificate for the Sensor server in the administrator menu of the Sensor server
You can independently prepare a TLS certificate and upload it to the server with the Sensor component via the SCP protocol. For more details on the methods for uploading files via the SCP protocol, see the documentation for the operating system installed on the computer from which you want to upload the TLS certificate.
The TLS certificate file prepared for upload to the server must satisfy the following requirements:
- The file must contain the certificate itself and a private encryption key for the connection.
- The file must be in PEM format.
- The file name must be kata.pem.
- The private key length must be 2048 bits or longer.
For more details on preparing TLS certificates for import, refer to the OpenSSL documentation.
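The following script is an added example, not part of the Kaspersky documentation: it checks a kata.pem file against the requirements listed above before you upload it. It assumes the OpenSSL command-line tool and an RSA key without a passphrase; the function names and the optional minimum-length argument are illustrative, and the certificate-to-key match is an extra sanity check beyond the listed requirements.

```shell
#!/bin/sh
# Added example (not vendor code): pre-upload check for kata.pem.
# Assumptions: OpenSSL CLI is installed; the key is RSA and has no passphrase.

fail() { echo "FAIL: $*" >&2; }

# check_kata_pem FILE [MIN_BITS]   (MIN_BITS defaults to the documented 2048)
check_kata_pem() {
    kp_file=$1
    kp_min=${2:-2048}
    # Requirement: the file name must be kata.pem.
    [ "$(basename "$kp_file")" = "kata.pem" ] || { fail "file name must be kata.pem"; return 1; }
    # Requirement: PEM format, holding both the certificate and the private key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$kp_file" || { fail "no PEM certificate found"; return 1; }
    grep -q -e 'PRIVATE KEY-----' "$kp_file" || { fail "no PEM private key found"; return 1; }
    # Both objects must parse; OpenSSL prints the RSA modulus as "Modulus=<hex>".
    kp_key_mod=$(openssl rsa -in "$kp_file" -passin pass: -noout -modulus 2>/dev/null) \
        || { fail "private key is not a readable RSA key"; return 1; }
    kp_crt_mod=$(openssl x509 -in "$kp_file" -noout -modulus 2>/dev/null) \
        || { fail "certificate does not parse"; return 1; }
    # Requirement: key length of 2048 bits or longer (4 bits per hex digit).
    kp_hex=${kp_key_mod#Modulus=}
    kp_bits=$(( ${#kp_hex} * 4 ))
    [ "$kp_bits" -ge "$kp_min" ] || { fail "key is $kp_bits bits, need at least $kp_min"; return 1; }
    # Extra check (not on the documented list): the key belongs to the certificate.
    [ "$kp_key_mod" = "$kp_crt_mod" ] || { fail "private key does not match certificate"; return 1; }
    echo "OK: $kp_file ($kp_bits-bit RSA key, matches certificate)"
}

# make_demo_pem DIR BITS: builds a constructed, throwaway self-signed kata.pem
# in DIR so the check can be tried offline. Demo input only, not a production key.
make_demo_pem() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=sensor.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    cat "$1/cert.pem" "$1/key.pem" > "$1/kata.pem"
}

# Demo run on the constructed certificate.
demo_dir=$(mktemp -d)
make_demo_pem "$demo_dir" 2048 && check_kata_pem "$demo_dir/kata.pem"
rm -rf "$demo_dir"
```

Run check_kata_pem against your own file in place of the demo; a non-zero exit status means the file should not be uploaded as is.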
To upload an independently prepared TLS certificate to the server with the Sensor component via the SCP protocol, perform the following actions in your computer's interface used for working over the SCP protocol (using the Linux operating system as an example):
- Run the following command:
scp kata.pem admin@<IP address of the server with the Sensor component>:
- At the password prompt, enter the administrator password for working in the administrator menu of the server with the Sensor component that was set during installation.
The TLS certificate is uploaded to the server with the Sensor component.
To apply the uploaded TLS certificate on the server with the Sensor component, do the following in the administrator menu of the Sensor server:
- In the main window of the administrator menu, select Program settings.
- Press ENTER.
This opens the next window of the administrator menu.
- Select Manage server certificate.
- Press ENTER.
This opens the Certificate management window.
- In the lower part of the window, select kata.pem.
- Press ENTER.
This opens the Uploaded certificate window.
- Select Install certificate.
- Press ENTER.
This opens the action confirmation window.
- Click Yes.
This opens a window containing information about the certificate.
- Click Continue.
This opens the action confirmation window.
- Click Install.
Installation of the certificate starts.
- After installation of the certificate is completed, press ENTER.
This opens a window containing information about the applied certificate.
- Click Continue.
This opens the action confirmation window.
- Click Ok.
The certificate will be applied. The data of previously installed certificates will be overwritten.
Downloading the TLS certificate of the Sensor server to your computer
You can download a TLS certificate from the Sensor server to any computer that can connect to the Sensor server over the SCP protocol. For more details on the methods for transferring files via the SCP protocol, see the documentation for the operating system installed on the computer to which you want to download the TLS certificate.
To download the TLS certificate from the server with the Sensor component over the SCP protocol, do the following in your computer's interface used for working over the SCP protocol (using the Linux operating system as an example):
- Run the following command:
scp admin@<IP address of the server with the Sensor component>:ssl/kata.crt .
- At the password prompt, enter the administrator password for working in the administrator menu of the server with the Sensor component that was set during installation.
The TLS certificate is downloaded from the server with the Sensor component to the current directory.
Configuring the integration and trusted connection with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side
To configure integration with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side:
- Open the KSC Console.
- In the console tree, open the Policies folder.
- In the Kaspersky Endpoint Agent policy section, select the required policy and double-click it to open its properties.
The properties of the selected policy are displayed.
- In the KATA integration section, select the KATA integration settings subsection.
- Select the Enable KATA integration check box.
- In the Address field, enter the address of the Central Node server of the Kaspersky Anti Targeted Attack Platform program that you want to configure integration with, and select a port to use for the connection. Port 443 is used by default.
- Select the Use pinned certificate to secure connection check box.
- Click Add a TLS certificate....
This opens the Adding TLS certificate window.
- To add a TLS certificate previously created on the Kaspersky Anti Targeted Attack Platform side and downloaded, do one of the following:
- Add a certificate file. To do so, click Browse...; in the window that is displayed, select a certificate file and click Open.
- Paste the content of the certificate file to the Paste TLS certificate data: field.
Kaspersky Endpoint Agent can store only one TLS certificate for the Kaspersky Anti Targeted Attack Platform server. If you have added a TLS certificate before and are adding a TLS certificate again, only the last added certificate is used.
If you have configured traffic redirection to the server with the Sensor component, you must download the TLS certificate of the Sensor server and then upload it here.
- Click Add.
Information about the added TLS certificate is displayed in the section for integration with Kaspersky Anti Targeted Attack Platform.
- Click Add client certificate....
- In the window that is displayed, select the Secure with client certificate check box.
- Click Download.
This opens the file selection window on your local computer.
- Select the cryptographic container file of the Kaspersky Endpoint Agent certificate that was generated on the Kaspersky Anti Targeted Attack Platform server and downloaded to the hard drive of your computer.
- Click OK.
The window closes.
- In the Timeout period (sec.): field, enter the maximum response timeout of the Kaspersky Anti Targeted Attack Platform Central Node server in seconds.
- In the Send sync request to KATA server every (min.) field, enter the period in minutes.
- If you do not want Kaspersky Endpoint Agent to send information about repeated running of processes to the Kaspersky Anti Targeted Attack Platform server, select the Apply TTL period for events transmission check box. If the process is started after the next TTL period expires, Kaspersky Endpoint Agent does not consider this a repeated start of the process.
- If you have selected the Apply TTL period for events transmission check box, specify the time in the TTL period (min.) field.
- Make sure the toggle switch in the upper right corner of the group of settings is in the Under policy position.
- Click OK.
The integration with Kaspersky Anti Targeted Attack Platform on the Kaspersky Endpoint Agent side is configured.