Kaspersky Security Center 14 Windows
[Topic 221198]

About Identity and Access Manager

Identity and Access Manager (also referred to as IAM) is a Kaspersky Security Center Web Console component that enables you to use a single sign-on (SSO) between Kaspersky Security Center Web Console and Kaspersky Industrial CyberSecurity for Networks web interface. IAM uses the OAuth 2.0 protocol to ensure authorization of Kaspersky Industrial CyberSecurity for Networks in Kaspersky Security Center Web Console.

In this case, the Kaspersky Industrial CyberSecurity for Networks application, which you get access to via Kaspersky Security Center Web Console, is referred to as a resource server, and Kaspersky Security Center Web Console and Kaspersky Industrial CyberSecurity for Networks web interface are referred to as OAuth 2.0 clients. A resource server is a program that works with multiple users and requires authorization. The client uses a token for authorization on the resource server. A token is a unique sequence of bytes. When a token expires, it is automatically reissued. IAM acts as a single authorization server for multiple OAuth 2.0 clients.

You can install IAM when installing Kaspersky Security Center Web Console. You can enable it later at any time in the Kaspersky Security Center Web Console settings. If a Kaspersky Industrial CyberSecurity Server or a Kaspersky Industrial CyberSecurity web interface is installed on a device that is managed by the same Administration Server, IAM detects this program and a notification is displayed in Kaspersky Security Center Web Console informing you about this. You can register Kaspersky Industrial CyberSecurity for Networks and later use SSO for both Kaspersky Security Center Web Console and Kaspersky Industrial CyberSecurity for Networks web interface.

If you sign out of Kaspersky Security Center Web Console, your session in Kaspersky Industrial CyberSecurity for Networks web interface will end and you will have to log in to Kaspersky Security Center Web Console again.

See also:

Enabling Identity and Access Manager: scenario

Configuring Identity and Access Manager in Kaspersky Security Center Web Console

Registering Kaspersky Industrial CyberSecurity for Networks application in Kaspersky Security Center Web Console

Lifetime of tokens and authorization timeout for Identity and Access Manager

Downloading and distributing the IAM certificates

Disabling Identity and Access Manager

Installing Kaspersky Security Center Web Console

Ports used by Kaspersky Security Center Web Console

[Topic 221048]

Enabling Identity and Access Manager: scenario

Prerequisites

Before you start, make sure that you have access to Kaspersky Industrial CyberSecurity for Networks version 3.1 or later.

Stages

Enabling Identity and Access Manager (also referred to as IAM) proceeds in stages:

  1. Checking the necessary ports

    Make sure that ports 3333, 4004, and 4444 are open on the device where Kaspersky Security Center Web Console is installed. These ports are needed for using OAuth 2.0. If you want, you can change the default port numbers in the Kaspersky Security Center Web Console settings window.

    Besides the ports 3333, 4004, and 4444, Kaspersky Security Center Web Console also uses ports 4445, 2444, and 2445 for various purposes.

  2. Installing Identity and Access Manager

    During the Kaspersky Security Center Web Console installation, specify that you want to install Identity and Access Manager. If you did not do so, run the Kaspersky Security Center Web Console Setup Wizard again.

  3. Configuring Identity and Access Manager

    In the Kaspersky Security Center Web Console settings window, make sure that the Identity and Access Manager (IAM) toggle button is enabled. Also, specify the DNS name of the device where Kaspersky Security Center Web Console is installed: the client applications will connect to this device.

  4. Specifying the token settings

    In the Kaspersky Security Center Web Console settings window, specify the token lifetime and the authorization timeout that Identity and Access Manager will use. You can use the default values, or you can specify your own values according to your needs.

  5. Granting certificates

    If you prefer to use the certificates generated by the Administration Server, then in the Kaspersky Security Center Web Console settings window, download the root certificates for the ports used by IAM and distribute them to the Kaspersky Security Center Web Console users' workstations. Otherwise, the users' browsers will display error messages when trying to connect to Kaspersky Security Center Web Console.

  6. Registering the Kaspersky Industrial CyberSecurity for Networks Servers and Kaspersky Industrial CyberSecurity for Networks web interfaces

    When IAM is installed, Kaspersky Security Center Web Console displays a message saying that a Kaspersky Industrial CyberSecurity for Networks Server (or multiple Servers) and one or more Kaspersky Industrial CyberSecurity for Networks web interfaces are waiting to be registered. Click this message to register your Kaspersky Industrial CyberSecurity for Networks Server (or multiple Servers) and web interface (or multiple web interfaces).

Results

After you complete this scenario, you will be able to use SSO and IAM for Kaspersky Industrial CyberSecurity for Networks and Kaspersky Security Center Web Console.

[Topic 221056]

Configuring Identity and Access Manager in Kaspersky Security Center Web Console

To configure Identity and Access Manager according to your needs:

  1. In Kaspersky Security Center Web Console, go to the Console settings → Integration section.
  2. In the Identity and Access Manager section, make sure that Identity and Access Manager is enabled.
  3. Click the Settings link in the Identity and Access Manager device network name line.
  4. Specify the DNS name of the device on which you installed Identity and Access Manager. Client applications will connect to this device.
  5. If you want, change the default token settings, certificate settings, and port numbers by clicking the Settings link under the relevant group of settings.

Identity and Access Manager is enabled and working according to your needs.

See also:

Enabling Identity and Access Manager: scenario

[Topic 221200]

Registering Kaspersky Industrial CyberSecurity for Networks application in Kaspersky Security Center Web Console

To start working with the Kaspersky Industrial CyberSecurity for Networks application via Kaspersky Security Center Web Console, you must first register it in Kaspersky Security Center Web Console.

To register the Kaspersky Industrial CyberSecurity for Networks application:

  1. Make sure that the following is done:
    • You have downloaded and installed the Kaspersky Industrial CyberSecurity for Networks web plug-in.

      However, you can do it later while waiting for the Kaspersky Industrial CyberSecurity for Networks Server to synchronize with the Administration Server.

    • You have completed the Single Sign-On (SSO) technology usage preparations scenario.
    • The necessary settings in the Kaspersky Industrial CyberSecurity for Networks web interface are specified on the Kaspersky Security Center page. For details, please refer to the Kaspersky Industrial CyberSecurity for Networks Online Help.
    • You are logged in to Kaspersky Security Center Web Console under an administrator account.
    • IAM is configured.
  2. Move the device where Kaspersky Industrial CyberSecurity for Networks Server is installed from the Unassigned devices group to the Managed devices group:
    1. In the main menu, go to DISCOVERY & DEPLOYMENT → UNASSIGNED DEVICES.
    2. Select the check box next to the device where Kaspersky Industrial CyberSecurity for Networks Server is installed.
    3. Click the Move to group button.
    4. In the hierarchy of administration groups, select the check box next to the Managed devices group.
    5. Click the Move button.
  3. Proceed to the properties of the device where the Kaspersky Industrial CyberSecurity for Networks Server is installed.
  4. On the device properties page, in the General section, select the Do not disconnect from the Administration Server option, and then click the Save button.
  5. On the device properties page, select the Applications section.
  6. In the Applications section, select Kaspersky Network Agent.
  7. If the current status of the application is Stopped, wait until it changes to Running.

    This may take up to 15 minutes. If you have not yet installed the Kaspersky Industrial CyberSecurity for Networks web plug-in, you can do it now, while you are waiting.

  8. In the main menu, go to the Console settings → Integration section.

    In the Registration requests field, one pending request is displayed.

  9. Click the Settings link under the Registration requests field.
  10. In the list of registered clients that opens, select the check box next to the name of the Kaspersky Industrial CyberSecurity for Networks Server that has the Pending status, and then click the Approve button.

    If you do not want to register the Kaspersky Industrial CyberSecurity for Networks Server, you can click the Decline button and get back to this list later.

    After you click the Approve button, the status changes to Approved, and then to Ready. If the status does not change, you can click the Refresh button.

  11. Close the list of registered clients and make sure that the value in the Registered clients field has increased.
  12. To add the Kaspersky Industrial CyberSecurity for Networks widget on the dashboard:
    1. In the main menu, go to MONITORING & REPORTING → DASHBOARD.
    2. On the dashboard, click the Add or restore web widget button.
    3. In the widget menu that opens, select Other.
    4. Select the Kaspersky Industrial CyberSecurity for Networks widget.

    You can now proceed to the Kaspersky Industrial CyberSecurity for Networks web interface using the link in the widget.

After you complete the registration procedure, a new button, Kaspersky Security Center, appears on the login page of the Kaspersky Industrial CyberSecurity for Networks web interface. You can click this button to log in to Kaspersky Industrial CyberSecurity for Networks web interface under your Kaspersky Security Center credentials.

[Topic 227155]

Lifetime of tokens and authorization timeout for Identity and Access Manager

When configuring Identity and Access Manager (also referred to as IAM), you must specify the settings for the token lifetime and authorization timeout. The default settings are designed to reflect both the security standards and the server load. However, you can change these settings according to your organization's policies.

IAM automatically re-issues a token when it is about to expire.

The table below lists the default token lifetime settings.

Token lifetime settings

  Identity token (id_token)
    Default lifetime (in seconds): 86400
    Description: Identity token used by the OAuth 2.0 client (that is, either Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console). IAM sends the ID token, which contains information about the user (that is, the user profile), to the client.

  Access token (access_token)
    Default lifetime (in seconds): 86400
    Description: Access token used by the OAuth 2.0 client to access the resource server on behalf of the resource owner identified by IAM.

  Refresh token (refresh_token)
    Default lifetime (in seconds): 172800
    Description: The OAuth 2.0 client uses this token to re-issue the identity token and the access token.

The table below lists the timeouts for auth_code and login_consent_request.

Authorization timeout settings

  Authorization code (auth_code)
    Default timeout (in seconds): 3600
    Description: Timeout for exchanging the code for the token. The OAuth 2.0 client sends this code to the resource server and gets the access token in exchange.

  Login consent request timeout (login_consent_request)
    Default timeout (in seconds): 3600
    Description: Timeout for delegating user rights to the OAuth 2.0 client.

For more information about tokens, see the OAuth website.
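The following Python model is an added illustration, not code from the Kaspersky documentation or product. It applies the default lifetimes and timeouts above to show when a client keeps working on its current tokens, when the refresh token re-issues the id/access tokens, when an expired auth_code makes the exchange fail, and when the refresh token itself has expired so the user must sign in again. The 300-second "about to expire" margin and the refresh token not being rotated are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Default values from the IAM settings tables above (seconds).
ACCESS_TOKEN_LIFETIME = 86400   # id_token shares this value and is re-issued together with it
REFRESH_TOKEN_LIFETIME = 172800
AUTH_CODE_TIMEOUT = 3600
# Assumption: IAM re-issues a token "when it is about to expire"; the exact margin is not documented.
REFRESH_MARGIN = 300


@dataclass(frozen=True)
class Session:
    """Tokens held by an OAuth 2.0 client (e.g. Web Console) after a login through IAM."""
    issued_at: int          # when the current id_token/access_token were issued
    refresh_issued_at: int  # when the refresh_token was issued

    def access_expires_at(self) -> int:
        return self.issued_at + ACCESS_TOKEN_LIFETIME

    def refresh_valid(self, now: int) -> bool:
        return now < self.refresh_issued_at + REFRESH_TOKEN_LIFETIME


def exchange_code(code_issued_at: int, now: int) -> Session:
    """Code-for-token exchange at the authorization server (IAM).
    Per the auth_code setting, a code older than 3600 s is rejected."""
    if now >= code_issued_at + AUTH_CODE_TIMEOUT:
        raise PermissionError("auth_code expired: the user must authorize again")
    return Session(issued_at=now, refresh_issued_at=now)


def ensure_access(session: Session, now: int) -> Tuple[str, Session]:
    """What the client must do at time `now` before calling the resource server.
    Returns ('ok' | 'refreshed' | 'login', session)."""
    if now + REFRESH_MARGIN < session.access_expires_at():
        return "ok", session
    if session.refresh_valid(now):
        # refresh_token re-issues id_token and access_token; assumption: it is not rotated itself
        return "refreshed", Session(issued_at=now, refresh_issued_at=session.refresh_issued_at)
    # Access token about to expire and refresh token already expired: full SSO login again.
    return "login", session


if __name__ == "__main__":
    s = exchange_code(code_issued_at=0, now=100)
    for t in (86100, 86300, 172700, 258800):
        action, s = ensure_access(s, t)
        print(f"t={t:6d}s -> {action}")   # ok, refreshed, refreshed, login
```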

See also:

Enabling Identity and Access Manager: scenario

[Topic 221068]

Downloading and distributing the IAM certificates

By default, Identity and Access Manager uses the certificates generated by the Administration Server to grant browsers access to Kaspersky Security Center Web Console. However, if you want, you can use custom certificates. Whatever certificate you use, you must make sure that all workstations from which Kaspersky Security Center Web Console users access Kaspersky Security Center Web Console trust this certificate.

To download and distribute certificates:

  1. In Kaspersky Security Center Web Console, go to the Console settings → Integration section.
  2. For each certificate, click the Settings link under the relevant group of settings, and then do one of the following:
    • If you want to use the certificate that the Administration Server generated during the installation of Kaspersky Security Center Web Console:
      1. Select Certificate generated by Administration Server in the certificate properties window that opens.
      2. Click the Download button to download the certificate.
      3. Distribute the downloaded certificate to all workstations from which Kaspersky Security Center Web Console users access Kaspersky Security Center Web Console.
    • If you have a certificate that you want to use:
      1. Select Custom TLS certificate in the certificate properties window that opens.
      2. Select the certificate file and the private key.
      3. Click the OK button.
      4. Distribute the certificate to all workstations from which users access Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console.

The certificates grant users access to Kaspersky Security Center Web Console and Kaspersky Industrial CyberSecurity Console.

You have to re-issue all the certificates before they expire. The certificates generated by the Administration Server must be re-generated manually. The certificates generated by the Kaspersky Security Center Web Console installer must be re-generated by using the installer.
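Both stage 5 of the enabling scenario and the procedure above require that every user workstation trusts the certificates served on the IAM ports. The following Python script is an added example, not part of the Kaspersky documentation or product: run from a workstation, it performs the same TLS handshake a browser would against ports 3333, 4004, and 4444 and reports whether the presented certificate verifies against the downloaded root certificate (or, without a CA file, against the system trust store). The host name is a placeholder.

```python
import socket
import ssl
import sys
from typing import Dict, Iterable, Optional

# Default IAM ports from the "Checking the necessary ports" stage.
IAM_PORTS = (3333, 4004, 4444)


def check_iam_endpoint(host: str, port: int, cafile: Optional[str] = None,
                       timeout: float = 3.0) -> str:
    """Do a TLS handshake with hostname verification, as a browser would, and classify it.

    cafile: path to the downloaded IAM root certificate (PEM); None uses the system store.
    Returns 'trusted', 'untrusted' (what the users' browsers would warn about),
    'tls-error' or 'unreachable' (closed port, firewall, DNS failure, timeout).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass  # handshake succeeded: chain and hostname verified against ctx
        return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "unreachable"


def check_iam_ports(host: str, cafile: Optional[str] = None,
                    ports: Iterable[int] = IAM_PORTS) -> Dict[int, str]:
    """Check every IAM port. A port reported 'untrusted' means the root certificate has not
    been distributed to this workstation (or the custom certificate was not imported)."""
    return {port: check_iam_endpoint(host, port, cafile) for port in ports}


if __name__ == "__main__":
    # Usage: python check_iam_tls.py <web-console-dns-name> [iam-root.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "ksc-web-console.example.local"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for port, status in check_iam_ports(host, cafile).items():
        print(f"{host}:{port} -> {status}")
```

A status of 'unreachable' on one of the three ports points back to stage 1 (the port is closed or was changed in the Web Console settings), while 'untrusted' points to this procedure.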

See also:

Enabling Identity and Access Manager: scenario

[Topic 221761]

Disabling Identity and Access Manager

If you want, you can disable Identity and Access Manager (also referred to as IAM).

To disable IAM,

In the Kaspersky Security Center Web Console settings window, switch the IAM toggle button to disabled.

You can enable IAM any time later.

If you update Kaspersky Security Center Web Console via the installer and specify that you do not want to install IAM, then Kaspersky Security Center Web Console will be upgraded and IAM will not be installed. All the information about integration with Kaspersky Industrial CyberSecurity for Networks will be deleted from your computer, as well as IAM configuration files and log files.

See also:

Enabling Identity and Access Manager: scenario

[Topic 221204]