Kaspersky Security for Virtualization 6.2 Light Agent Help
Replacing the Integration Server and SVM certificates
The Kaspersky Security distribution kit includes a certificate management utility for managing Integration Server certificates and SVM certificates. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent. The SSL certificate of an SVM is used to encrypt the communication channel between Light Agent and the Protection Server.
The certificate management tool lets you:
- Create an Integration Server certificate.
- Replace the self-signed Integration Server certificate installed during solution deployment.
When the Integration Server certificate is replaced, the SVM certificate is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.
Certificates may need to be replaced in the following cases:
- When upgrading the solution in order to replace a previously installed certificate with a more secure one.
- If the certificate in use has expired or has been compromised.
- If the IP address or domain name of the device on which the Integration Server is installed has changed.
You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.
The Integration Server certificate must meet the following requirements:
- PFX format.
- The certificate contains the private key.
- The certificate is password protected.
- The "Subject alternative name" field contains the following values:
  - IP Address – external and local IP addresses of the Integration Server;
  - DNS Name – external and local IP addresses, as well as the domain name (FQDN) of the Integration Server.
- Key Usage:
  - KeyEncipherment;
  - DigitalSignature;
  - DataEncipherment;
  - KeyCertSign.
- Enhanced Key Usage:
  - Server Authentication (1.3.6.1.5.5.7.3.1);
  - Client Authentication (1.3.6.1.5.5.7.3.2).
- The certificate expiration date is later than the current date.
- Key algorithm: RSA (1.2.840.113549.1.1.1).
- Key size: 4096 bits.
- Allowed signature algorithms:
  - Sha256WithRSA (1.2.840.113549.1.1.11);
  - Sha384WithRSA (1.2.840.113549.1.1.12);
  - Sha512WithRSA (1.2.840.113549.1.1.13).
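The requirements listed above can be checked before a certificate created with third-party tools is passed to the replace command. The following shell function is an added example, not part of the Kaspersky documentation or distribution kit; it inspects a PFX with the openssl command-line tool. The name check_viis_pfx, the PFX_PASS variable and the one-address, one-FQDN interface are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check of a PFX against the Integration Server
# certificate requirements listed on this page, using the openssl CLI.
# The password is read from the exported variable PFX_PASS so that it does
# not appear in the process list. All names here are hypothetical.
# Usage: PFX_PASS=... check_viis_pfx <file.pfx> <server-ip> <server-fqdn>
check_viis_pfx() {
    pfx=$1 ip=$2 fqdn=$3 rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    has()  { printf '%s\n' "$text" | grep -Eq "$1"; }

    # "Password protected": opening with an empty password must not succeed.
    if openssl pkcs12 -in "$pfx" -passin pass: -noout >/dev/null 2>&1; then
        fail "PFX opens with an empty password"
    fi
    # "Contains the private key": a private key must come out of the PFX.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY' || fail "no private key in PFX"

    # Extract the leaf certificate and decode it once for the text checks.
    pem=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null)
    text=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null) ||
        { fail "cannot read certificate from PFX"; return 1; }

    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        fail "certificate has expired"
    has 'Public Key Algorithm: rsaEncryption' || fail "key algorithm is not RSA"
    has 'Public-Key: \(4096 bit\)'            || fail "key size is not 4096 bits"
    has 'Signature Algorithm: sha(256|384|512)WithRSAEncryption' ||
        fail "signature algorithm is not SHA-256/384/512 with RSA"

    # Key Usage and Enhanced Key Usage values, spelled as openssl prints them.
    for u in 'Digital Signature' 'Key Encipherment' 'Data Encipherment' \
             'Certificate Sign' 'TLS Web Server Authentication' \
             'TLS Web Client Authentication'; do
        has "$u" || fail "missing usage: $u"
    done

    # Subject alternative name: exact match on each required entry.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
          tail -n 1 | tr -d ' ' | tr ',' '\n')
    for e in "IPAddress:$ip" "DNS:$ip" "DNS:$fqdn"; do
        printf '%s\n' "$san" | grep -Fxq "$e" || fail "SAN lacks $e"
    done
    return $rc
}
```

Call the function once per Integration Server address when the server has both an external and a local IP address.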
The certificate management tool can work with the Linux-based Integration Server and with the Windows-based Integration Server. The tool is located on the device where the Integration Server is installed. Depending on the operating system of the device, the utility is located at one of the following paths:
- /opt/kaspersky/viis/bin/certificate_manager.sh – on devices with Linux operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe – on devices with Windows operating systems
To use the utility in the Linux operating system, the user account must be in the sudoers group. To use the utility in the Windows operating system, Administrator rights in the operating system are required.
How to use the utility to create a certificate for the Linux-based Integration Server
On the device where the Integration Server is installed, run the command:
sudo /opt/kaspersky/viis/bin/certificate_manager.sh create-self-signed-certs --outputFolder <path to the directory with the certificate> [--keySize <2048 or 4096>] [--quiet]
where:
- <path to the directory with the certificate> is the path to the directory where the created certificate will be placed. The directory must be located on the device where the Integration Server is installed.
- --keySize <2048 or 4096> is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
- --quiet is an optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.
The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified directory.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure directory.
How to use the utility to create a certificate for the Windows-based Integration Server
On the device where the Integration Server is installed, run the command:
"%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe" create-self-signed-certs --outputFolder <path to the folder with the certificate> [--keySize <2048 or 4096>] [--quiet]
where:
- <path to the folder with the certificate> is the path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.
- --keySize <2048 or 4096> is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
- --quiet is an optional parameter. If this parameter is specified, the input console window is closed after the command is executed, otherwise the console window remains open.
The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified folder.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.
How to replace the Linux-based Integration Server certificate and SVM certificate
On the device where the Integration Server is installed, run the command:
sudo /opt/kaspersky/viis/bin/certificate_manager.sh replace --certificatePath <path to certificate> [--quiet]
where:
- <path to certificate> is the path to the Integration Server certificate (viis.pfx file).
- --quiet is an optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.
As a result of executing the command, the tool performs the following actions:
- Creates an SVM certificate based on the certificate located in the specified folder.
- Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
- Restarts the Integration Server service.
How to replace the Windows-based Integration Server certificate and SVM certificate
On the device where the Integration Server is installed, run the command:
"%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe" replace --certificatePath <path to certificate>
where <path to certificate> is the path to the Integration Server certificate (viis.pfx file).
As a result of executing the command, the tool performs the following actions:
- Creates an SVM certificate based on the certificate located in the specified folder.
- Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
- Restarts the Integration Server service.
After replacing the Integration Server certificate and SVM certificate, you need to update all Light Agent policies and Protection Server policies so that the public key of the new certificate is sent to the policies.
Trace files may be created while the certificate management tool is running.