[KL] Kaspersky Labs

Статьи по установке, настройке и решению проблем с Kaspersky Secure Mobile Management.

KSMM Architecture (KSC + Gateways)

Subsections of [KL] Kaspersky Labs

KSMM Certificates

Articles

General Schema of certificates storage and flows

The following schema is used in the KSMM architecture with KSC server in LAN, Network Agents in DMZ with Gateway and iOS Server roles, plus a corporate apps (Self-Service) portal is used. Client devices include Android, iOS/iPadOS and Windows desktops. KSMM/KSC Certificate general schema KSMM/KSC Certificate general schema

Important Notes

  • By default, certificate-based authentication of KES devices is disabled. Certificates are NOT checked by KSC, until registry key is created (see link on enabling certificate-based auth above). Use default behaviour for test and proof of concept projects only;

  • PKI SSL protocol is used by KSC to transfer only Mail and VPN. After configuring PKI integration and choosing the CA template, check Mail or VPN certificate settings. Next, manually create a certificate in the Certificates tab. Choose creation of certificates on KSC - this will in reality activate creation of the certificate on CA via the new integration. Certificate is first created manually, then auto-renewed by KSC;

  • SCEP / NDES protocol schema not only requires CA to be exposed for device access. The certificate request (CSR) on stage 1 of protocol exchange is also done using plain text HTTP. This poses risk of man-in-the-middle attacks, use only in closed environments with extreme caution;

  • Current version of KSC Web console (NWC) does NOT allow usage of manual certificates. Only self-signed certificates from KSC may be created. This is due to absence of an internal encryption mechanism for certificates and passwords in the web console code. Use MMC console or OpenAPI methods instead;

  • Manual change of certificates in folders of KSC for Win server and iOS Server is prohibited! Certificates have references to them in the database, so change of file will lead to breaking in functionality of components. Use provided utilities (see schema and links above);

  • Corp App Portal certificate is a file in a folder, but changing it manually is not recommended: potential side effects are not explored. Use Windows Uninstaller to Change certificate:

Subsections of KSMM Certificates

PKI Integration

Integration Schema

PKI Integration is done using native Microsoft Active Directory domain services.

Warning

MS CA server must be in Enterprise Mode of operation. To install CA in Enterprise mode, Enterprise Admin account is needed. CA in Enterprise Mode is installed on forest level! This means Domain Controllers will have links to this CA, even if it is installed in a subdomain.

graph TD
KSC[KSC for Win] -->|1. CSR| WIN[Win Server in AD Domain]
WIN -->|2. Enrolment Agent| CA[Microsoft CA in AD Domain]
KSC -->|4. User Cert| A[Android]
CA -->|3. User Cert| KSC
KSC -->|4. User Cert| I[iOS Profile]
CA --> AD[/Active Directory\]

Create Agent Account

On AD Domain Controller:

  • Create a service account for Agent (example: “agentca”);

Add a Service Account on the CA

Open the Certificate Authority (CA):

  • Launch the Certification Authority Console from the Administrative Tools in Windows.
  • In the left pane, select (+) to expand the CA directory;
  • Right-click the name of the CA and select Properties. The CA Properties dialog box displays.
  • Click the Security tab;
  • Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box displays;
  • Click within the Enter the object names to select field and type the name of the service account (e.g., Ima Service);
  • Click OK. The CA Properties dialog box displays;
  • Select the service account you added in the previous step (e.g., Ima Service) from the Group or user names list;
  • Select the Read, the Issue and Manage Certificates, and the Request Certificates checkboxes to assign permissions to the service account. Click OK.

Create the Restricted Enrolment Agent Certificate Template

Open the Certificate Authority (CA):

  • Expand the CA Name, Right click Certificate Templates, and select Manage;
  • Right click the Enrollment Agent (Computer) template and select Duplicate Template (Do not choose Enrollment Agent user cert!). Name it per your preference;
  • Select Windows Server 2008+ Enterprise;
  • On the Request Handling tab, select Allow Private Key to be Exported;
  • In the Subject Name tab, make sure Build from this Active Directory Information is activated and Subject Name format is set to Fully distinguished name. Click OK;
  • Navigate back to the CA, right click Certificate Templates, select New, and select Certificate Template to Issue;
  • Select the duplicate copy of the template created in the previous step. Click OK.

Create the User Certificate Template

Open the Certificate Authority (CA):

  • Open the CA (certsrv) window.
  • In the left pane, select (+) to expand the CA directory.
  • Right-click the Certificate Template folder and select Manage. The Certificate Templates Console window displays.
  • Select the desired template (User) under Template Display Name, and right-click Duplicate Template. The Duplicate Template dialog box displays.
    Tip

    For Wi-Fi, VPN, or Exchange Active Sync (EAS) client authentication select User template.

  • Select the Windows Server that represents the oldest enterprise version being used within the domain to ensure backward compatibility of the certificate that was issued.
  • Click OK. The Properties of New Template dialog box displays.
Edit User Template Properties
  • Click the General tab;
  • Type the name of the template displayed to users in the Template display name field. The Template name field auto-fills with the template display name without spaces;
  • Select the desired length of time for the certificate to be active from the Validity period entry field/drop-down menu. Click Apply;
  • Click the Request Handling tab;
  • Select the appropriate client authentication method from the Purpose: drop-down menu. This selection might be based on the application of the certificate being issued, although for general purpose client authentication, select Signature and Encryption;
  • Select the Allow private key to be exported checkbox;
    Warning

    For a certificate to be installed on an iOS device, this checkbox MUST be selected.

  • Click Apply;
  • Select the Subject Name tab;
  • Select Supply in the request or Build from this Active Directory.

Create Enrolment Agent Certificate

On KSC server:

  • Login as Administrator user. Go to Local Server Policies, find “Run as service” and add the “agentca” account to this role (SeServiceLogonRight permission);
  • Give Local Administrator permission to “agentca” (needed for saving certs in MMC);
    Warning

    Service user account, which is used by KSMM to create a certificate request, must be a domain account and have enough permissions to access Windows certificate store. Standard user will not work. Local admin rights on the computer is a simple solution.

  • Login as “agentca” to the Windows server with KSC;
  • Launch Certificate snap-in (certmgr.mmc);
  • Expand Certificates (Local Computer), double click Personal, right click Certificates, select All Tasks, and select Request New Certificate. Click Next;
  • In the Wizard, Active Directory Registration Policy list, choose Enrolment Agent template. Choose its’ Options: Private key tab, choose Make private key exportable;
  • Move the created certificate in Local Computer certificate storage;
  • Give “agentca” permissions to read the certificate private key: right-click on the certificate, choose All Tasks -> Manage Private Keys…, click Add and choose the “agentca” account. Choose Full Control. Click Apply.

Create PKI Integration

On KSC MMC Console:

  • Go to Mobile Device Management -> Certificates section;
  • Click Integrate with public key infrastructure button;
  • In the window choose Integration with PKI section, enter the “agentca” service account login and password. Choose the User Template created earlier from CA in the drop-down list to use as default;
  • Go to Issuance of mail certificates and Issuance of VPN certificates sections. In the Certificate Source drop-down list choose PKI. Do not change the default template, choose auto-renewal time period in days. Click Apply;
    Warning

    Do NOT change the Mobile Certificate Issuance - this may severe the KSC - Agent communication protocol.

Issue a certificate to a mobile device

On KSC MMC Console:

  • Go to Mobile Device Management -> Certificates section;
  • Choose the Add certificate button;
  • In the wizard chose Mail or VPN certificate, Next, choose iOS or Android mobile devices, Next;
  • Choose user account, who is a mobile device (controlled by KSMM) owner, for whom to issue a certificate;
  • Choose Issue certificate using Kaspersky Security Center - this will launch the request procedure using the configured PKI integration.

Troubleshooting

Error

0x80094806 описана у MS https://learn.microsoft.com/en-us/windows/win32/com/com-error-codes-4 - CERTSRV_E_BAD_RENEWAL_SUBJECT 0x80094806  The request was made on behalf of a subject other than the caller. The certificate template must be configured to require at least one signature to authorize the request.

Solution

Add signatures in User Certificate Template:

KSMM Gateways LB

Architecture

graph LR  
SS1[Device 00001] -->|TCP13292| A(HAProxy)
SS2[Device 00002] -->|TCP13292| A
SS3[Device 00003] -->|TCP13292| A
SS4[Device 00004] -->|TCP13292| A
SS5[Device 50000] -->|TCP13292| A
A -->|TCP13292| S1[NAgent 1]
A -->|TCP13292| S2[NAgent 2]
A -->|TCP13292| S3[NAgent 3]
A -->|TCP13292| S4[NAgent 4]
A -->|TCP13292| S5[NAgent 5]
S1 <-->|TCP13000| KSC[KSC Linux]
S2 <-->|TCP13000| KSC
S3 <-->|TCP13000| KSC
S4 <-->|TCP13000| KSC
S5 <-->|TCP13000| KSC
KSC <-->|TCP5432| P[(PostgreSQL)]

Gateway Config

Configure load balancer shared name in Web-Server Options of KSC, Certificate and in Gateway properties:

HAProxy Config

HAProxy config with IP Sticktables strategy:

defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
  
#frontend1
#---------------------------------
frontend front
mode tcp
bind *:13292
default_backend back
  
#sticky sessions
#---------------------------------
peers sticktables
bind :10000
server 10.0.0.10
table sticky-sessions type ip size 1m
  
#backend1
#---------------------------------
backend back
balance leastconn
mode tcp
stick match src table sticktables/sticky-sessions
stick store-request src table sticktables/sticky-sessions
server gw1 10.0.0.101:13292 check
server gw2 10.0.0.102:13292 check
server gw3 10.0.0.103:13292 check
server gw4 10.0.0.104:13292 check
server gw5 10.0.0.105:13292 check

KSMM Network Ports

Network Troubleshooting Articles

Devices to KSMM/KSN

Sender Recipient Ports Description Port may be changed
(WAN/DMZ) Mobile Device with KES Agent (DMZ) NAgent +Gateway mode TCP13292, TCP13293 Mobile device connects to KSC via Gateway Yes - on KSC console
(WAN/DMZ) Mobile Device with KES Agent (DMZ/LAN) KSC TCP13292, TCP13293 Mobile device connects to KSC directly Yes - on KSC console
(DMZ/LAN) Device with KES Agent (DMZ/LAN) Activation Proxy-server on KSC klactprx TCP17000, TCP17100 License activation proxy for desktop devices (TCP17000) OR mobile devices (TCP17100) IF devices do not have internet connection Yes - on KSC console
(WAN/DMZ) iOS Device with Control Profile (DMZ) iOS MDM Server, kliosmdmservicesrv.exe TCP443 Sending data to iOS devices Yes - during iOS MDM Server installation
(WAN/DMZ) Browser on Device with KES Agent (DMZ) Corp Catalog, Apache Web Server TCP8071 User device downloads apps from Corp App Catalog component Yes - during installation
(WAN/DMZ/LAN) Desktop (Win/macOS/NIX) Device with KES Agent (WAN) KSN Cloud Proxy TCP13111, UDP15111 Access of controlled devices to Kaspersky Security Network (Cloud, optional) Yes - on KSC console
(WAN/DMZ) Desktop (Win/macOS/NIX) Device with KES Agent (DMZ) NAgent +Gateway mode TCP13000 Connection of NAgent from client desktop to NAgent Gateway proxy for data exchange with KSC Yes - on KSC console
(DMZ/LAN) Desktop (Win/macOS/NIX) Device with KES Agent (LAN) KSC TCP13000, UDP13000, TCP14000 Connection of NAgent from client desktop directly to KSC. UDP13000 needed for NAgent status update Yes - on KSC console
(WAN/DMZ) Desktop (Win/macOS/NIX) Device with KES Agent (DMZ) NAgent +Gateway mode TCP13295 PUSH-notifications to desktop machines Yes - on KSC console
(DMZ/LAN) Device with KES Agent (DMZ/LAN) KSC TCP8060(HTTP), TCP8061(HTTPS) Installation packets request and download directly from KSC (if Corp App Component is not available) Yes - on KSC console
(DMZ/LAN) OS Windows Device with KES Agent (DMZ/LAN) KSC Web Console - klsctunnel TCP19170 Remote desktop assist connection of tech support to user device Yes - on KSC console

KSMM to PUSH Cloud Services

Sender Recipient Ports Description Port may be changed
(DMZ/LAN) KSC Google Firebase Cloud Messaging (FCM) ASN15169 IP block: android.googleapis.com, play.google.com, android.clients.google.com, accounts.google.com, fonts.googleapis.com TCP5228, TCP5229, TCP5230 PUSH notifications for Android devices No
(DMZ) iOS MDM Server Apple Cloud APNs IP Block 17.0.0.0/8: gateway.push.apple.com, feedback.push.apple.com, mdmenrollment.apple.com, *.itunes.apple.com, *.mzstatic.com, *phobos.apple.com, *phobos.apple.com.edgesuite.net TCP2195, TCP2197 PUSH notifications for iOS No

KSMM to KSMM Components

Sender Recipient Ports Description Port may be changed?
(LAN) KSC (DMZ) NAgent +Gateway Mode TCP13000 Request to NAgent to establish tunnel session for connecting devices from WAN/DMZ Yes - in KSC Console
(DMZ) Corp App Catalog klakaut.exe (DMZ) NAgent +Gateway Mode TCP13000 Corp App Catalog connects via Gateway to KSC for data exchange with KSC Yes - during Corp App Catalog install
(DMZ) Subordinate KSC (LAN) Main KSC OR NAgent +Gateway Mode TCP13000 In cascade KSC Architecture, two KSC servers communicate between each other directly OR via NAgent Gateway Yes - in KSC Console
(LAN) MMC Admin Console (LAN) KSC TCP13291 Connection of remote MMC admin console to KSC Yes - in KSC Console
(DMZ/LAN) NAgent, NAgent +Gateway, KSC (DMZ/LAN) NAgent, NAgent +Gateway, KSC UDP15000 Installation packets, status update messages, NAgent discovery of other NAgents in broadcast domain Yes - in KSC Console
(LAN) Web Admin Console (New Web Console = NWC) (LAN) KSC TCP8080 Connection from browser to Web admin console https://ksc.local:8080 Yes - in KSC Web Console settings
(LAN) Third-party scripts, Web Admin Console (NWC) (LAN) KSC OpenAPI Interface TCP13299 KSC klserver component REST API port for OpenAPI commands Yes - in KSC Console

Subsections of KSMM Network Ports

Troubleshooting Ports

Network Agent + Connection Gateway

  • Network schema:
graph LR
K[KSC] --> |TCP13000| A[NAgent +Distr Point & Gateway];
A <--> |TCP13292| M[Mobile Device]

Listening service: klnagent.exe, opens TCP13000

  • Check open port:
netstat -napo tcp | find "13000" # port must be LISTENING
  • Check gateway function: Use klnagchk.exe tool (see link above), you should see This device is a connection gateway in output text.

  • Check gateway port:

netstat -napo tcp | find "13292" # port must be LISTENING
  • Check gateway certificate:
openssl s_client -connect ksmm.lab.local:13292
You should see certificate data with correct Subject CN.

iOS MDM Server

  • Network schema:
graph LR
I[iOS for MDM] <--> |TCP443| D[iOS Device];
I --> |TCP2197| A(((APNs Cloud, 17.0.0.0/8)))
A --> D

Listening service: kliosmdmservicesrv2.exe, opens TCP443

  • Check open port:
netstat -napo tcp | find "443" # port must be LISTENING
  • Check iOS MDM certificate:
openssl s_client -connect ksmm.lab.local:443

Corporate Apps Portal

  • Network schema:
graph LR
C[Corp Portal] --> |klakaut.exe TCP13291| K[KSC];
A[Admin] --> |TCP8070| C
U[User] --> |TCP8071| C
  • Check open port:
tasklist | find "klakaut" # => PID
netstat -napo tcp | find "PID" # port must be ESTABLISHED

KSMM SQL

Recommendations

  • MS SQL Express 2019 is embedded in the current version of KSC/KSMM. This is a limited version of SQL. It is not available in case of 10000+ device install and/or Program Control component enabled;

  • MySQL v8.0.20+ may be used for installations of <50000 devices (Program Control component NOT enabled);

  • MariaDB v10.3+ may be used for installations of <20000 devices (Program Control component NOT enabled);

MS SQL Express 2019 w/o CU12 update error

Symptom: very slow response from MMC console of KSC. Very high resources utilisation of KSC server.

USE KAV  
GO  
ALTER DATABASE SCOPED CONFIGURATION SET TSQL_SCALAR_UDF_INLINING = OFF 
GO

“KAV” - database default name. Change if using another name for the database.

  • After completing the SQL query above, restart the SQL Server (SQLEXPRESS) service using Sql Server Configuration Manager.

KSMM Windows Desktops

Windows Desktop Management

Desktop management is done using scripts. Scripts are packed into “Installation packs”: Entry point for an installation pack is a “.BAT”, “.EXE” or “.MSI/.MSP” file. A BAT-file may be used to launch Powershell, Python or any other type of scripts.

Scripts are launched using Scheduled Tasks of Remote App Install type:

Python script launch

Example of entry-point BAT-file runpy.bat running Python script and then logging a success in a text file:

c:\python3\python.exe testpy.py
@echo SCRIPT RUN SUCCESS>%SYSTEMDRIVE%\LOG.txt

Python testpy.py payload script to create a file needs to be placed in the same installation pack:

if __name__ == "__main__":
    text = "File write"
    file1 = open("c:\\testFile.txt", "w")
    file1.write(text)
    file1.close() 

Powershell script launch

Example of entry-point BAT-file runps.bat running Powershell script and then logging a success in a text file:

Powershell.exe -executionpolicy remotesigned -File certinstall.ps1
@echo CERT INSTALL SUCCESS>%SYSTEMDRIVE%\LOG.txt

Powershell payload script certinstall.ps1 to decrypt and install a PFX certificate test2.pfx provided in the installation pack in the Windows certificate store (Local Machine store):

$Pass = ConvertTo-SecureString -String '12345' -Force -AsPlainText
$User = "lab\administrator"
$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User, $Pass
Import-PfxCertificate -FilePath test2.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Cred.Password

Parameters transfer

Parameters can be transferred using the UI, parameter section in the installation pack: Parameters are sent to the entry-point file (BAT-file) and should be handled there. Example of the certinstall.bat BAT-file running Powershell and transferring a “seconds” parameter in %1:

Powershell.exe -executionpolicy remotesigned -File timeout.ps1 -sec %1 > c:\PSLOG.txt

Powershell script payload timeout.ps1 to insert a value of seconds in the Windows registry, for the system to timeout (default of 120sec in case parameter is not provided) and lock screen in case of inactivity (restart needed for registry parameter to be applied):

param([Int32]$sec=120)

Write-Host 'Current timeout value: '

Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs' 

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name  InactivityTimeoutSecs -Value $sec

Write-Host 'New timeout value: '

Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

Restart-Computer -Force

OpenAPI

Warning

KlAkOAPI Python Package is a wrapper over the regular REST API calls. I do NOT recommend its’ usage, because it does not cover all classes, parameters and attributes available.

Articles

Config / Auth

Access with OpenAPI requires 2 auth elements:

  • Local technical user account login/password (Basic Auth method)
  • KSC Server certificate verification (optional)

For KSC for Windows, server certificate is located at path: %ProgramData%\KasperskyLab\adminkit\1093\cert\klserver.cer Certificate needs to be copied to the machine, from which a script is run.

Login example

REST API Classic login:

import requests
import base64
import json
import urllib3
from pprint import pprint

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ksc_server = "https://ksmm.demo.local:13299"
url = ksc_server + "/api/v1.0/login"
user = "user_api"
password = "P@ssw0rd"
data = {}

user = base64.b64encode(user.encode('utf-8')).decode("utf-8")
password = base64.b64encode(password.encode('utf-8')).decode("utf-8")
session = requests.Session()

auth_headers = {
    'Authorization': 'KSCBasic user="' + user + '", pass="' + password + '", internal="1"',
    'Content-Type': 'application/json',
}

response = session.post(url=url, headers=auth_headers, data=data, verify=False)
print(f'Server response = {response.status_code}')

KlAkOAPI Python Package Login:

import socket
import uuid
import datetime
from sys import platform
from KlAkOAPI.Params import KlAkArray, paramBinary, strToBin, dateTimeToStr
from KlAkOAPI.AdmServer import KlAkAdmServer

def GetServer():
    server_address = 'ksmm.demo.local'
    server_port = 13299
    server_url = 'https://' + server_address + ':' + str(server_port)
    
    username = 'user_api'
    password = 'P@ssw0rd'
    SSLVerifyCert = 'C:\\Lab\\klserver.cer'

    server = KlAkAdmServer.Create(server_url, username, password, verify = SSLVerifyCert)
    return server

# Call server login function:
server = GetServer()

Subsections of OpenAPI

OpenAPI - Certificates

Send a certificate created on KSC

This is a programmatic way to do Create Certificate -> Mail or VPN certificate (placed in User Certificate Store) -> Self-Signed Certificate from KSC. The certificate is generated on the KSC and send to a user and his device - to the device, where the specific user is the owner. User is chosen by his unique ID, ul_binId parameter. See List Users page for details on how to get unique user IDs.

userID = 'YbTpoXJ4XkSxzy5hcXm75w=='

url = ksc_server + "/api/v1.0/MdmCertCtrlApi.SetCertificateAsync2"
# "NSDomain" - Domain Auth 
# "CPKES" - certificate for OS Android
# "CTMail" - Mail certificate type
# "ul_binId" - paramBinary complex data with base64-encoded unique user ID

data = {'pAuthType':{'NSDomain': True},'pCertificate':{'CPKES':True, 'CTMail':True}, "pRecipient":{"ul_binId":{"type":"binary","value":userID}}}

response = session.post(url=url, headers=common_headers, data=json.dumps(data), verify=False)
wstrIteratorId = json.loads(response.text)

paramBinary

This is a complex data type with base64 encoded string data. Example:

import base64
paramBinary = {"type": "binary", "value": "c29tZXRleHQ="}
print(base64.b64decode("c29tZXRleHQ=")) # b'sometext'

This paramBinary type is used for transferring certificate PEM data, certificate password data etc. Note: although PFX container is supported in documentation, using it raises “cannot be JSON serialised” errors.

OpenAPI - List Data

List Data

SrvView Class, ResetIterator function is used to query and list inventory elements from KSC:

  • Choose a “view” type = which data to query (SrvView Views list link above). “GlobalUsersListSrvViewName” was chosen in the code below to query users and their unique IDs;
  • Choose which fields should be shown for the chosen View (for “GlobalUsersListSrvViewName”, available fields are listed in Users and groups list section). Display names (ul_wstrDisplayName) and unique IDs (ul_binId) are chosen fotr the example;
  • Get the record count - how many records are there to show. Use SrvView Class, GetRecordCount function for this;
  • Get the records themselves: Use SrvView Class, GetRecordRange function to provide the final records counting from the first record to the last, which was provided in the previous step.
data = {}

# CHOOSE VIEW TYPE, DATA FILEDS
url = ksc_server + "/api/v1.0/SrvView.ResetIterator"
data = {"wstrViewName": "GlobalUsersListSrvViewName", "vecFieldsToReturn": ["ul_wstrDisplayName","ul_binId"], "lifetimeSec": 3600}
response = session.post(url=url, headers=common_headers, data=json.dumps(data), verify=False)
wstrIteratorId = json.loads(response.text)['wstrIteratorId']

# FIGURE OUT THE NUMBER OF RECORDS AVAILABLE IN THE DATABASE
url = ksc_server + "/api/v1.0/SrvView.GetRecordCount"
data = {"wstrIteratorId": wstrIteratorId}
response = session.post(url=url, headers=common_headers, data=json.dumps(data), verify=False)
count = json.loads(response.text)
NUMBER_OF_RECORDS = int(count['PxgRetVal'])

# GET THE DATA ITSELF WITH ALL THE RESTRICTIONS PROVIDED EARLIER
url = ksc_server + "/api/v1.0/SrvView.GetRecordRange"
data = {"wstrIteratorId": wstrIteratorId, "nStart": 0, "nEnd": NUMBER_OF_RECORDS}
response = session.post(url=url, headers=common_headers, data=json.dumps(data), verify=False)
pRecords = json.loads(response.text)['pRecords']['KLCSP_ITERATOR_ARRAY']

# LIST THE DATA, FILTERING OUT EXTRA SYNTAX
for record in pRecords:
    print(f"{record['value']['ul_wstrDisplayName']} : {record['value']['ul_binId']['value']}" ) 

TLS Ciphers

KSC for Win 14.x

SrvUseStrictSslSettings

Switch the supported versions of TLS and cipher suites is done using SrvUseStrictSslSettings flag:

klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d

Flag SrvUseStrictSslSettings has values from 0 to 5:

0 - allow all TLS versions and cipher suites; 1 - SSL v2 turned OFF; 2 - SSL v2 + SSL v3 turned OFF; 3 - ONLY TLS v1.2; 4 - ONLY TLS v1.2, and ONLY a group of cipher suites with TLS_RSA_WITH_AES_256_GCM_SHA384 - used by default; 5 - ONLY TLS v1.2 and ONLY a selected group of cipher suites;

Options 0 - 3 are NOT recommended, used for compatibility purposes only.

SrvUseStrictSslSettings = 0

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA x07 IDEA-CBC-SHA RSA IDEA 128 TLS_RSA_WITH_IDEA_CBC_SHA

TLS 1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA x07 IDEA-CBC-SHA RSA IDEA 128 TLS_RSA_WITH_IDEA_CBC_SHA

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 521 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 521 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 521 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 521 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

SrvUseStrictSslSettings = 1

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA

TLS 1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA

SrvUseStrictSslSettings = 2

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS 1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 256 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 256 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

SrvUseStrictSslSettings = 3

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 256 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 256 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256

SrvUseStrictSslSettings = 4 (default)

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

SrvUseStrictSslSettings = 5

| Hexcode | Cipher Suite Name (OpenSSL) | KeyExch Encryption Bits | Cipher Suite Name |(IANA/RFC) |

TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256