How to configure Secure ICAP on a DLP Hardware or Virtual Appliance Network Prevent for Web detection server?

book

Article ID: 184607

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Web Virtual Appliance

Issue/Introduction

When configuring Secure ICAP integration with BlueCoat ProxySG on an on-premises Network Prevent for Web detection server, one of the points is to generate a self-signed certificate and keystore on Web Prevent using keytool. 

However, this action is not possible to perform on an Appliance Web Prevent detection server, because the Appliance does not permit standard command-line or bash level access - you can only connect to the server with Putty to run pre-defined commands using the Symantec Common Operating Environment (COE). It's not possible to run keytool from COE and generate the keystore and certificate directly on the detection server.

Resolution

The following process needs to be followed to configure Secure ICAP on an Appliance Web Prevent detection server:

1) On another machine with keytool - can be Enforce or an on-premises detection server - run keytool to generate a keystore with a self-signed certificate:

keytool -genkey -alias sicap -keyalg RSA -dname “CN=VAFQDN” -keystore secureicap.jks -validity 1095 -keysize 2048

VAFQDN should be replaced with the Appliance's FQDN or IP address to ensure the subject on the certificate is matching the Appliance's address. Validity is specific in days, and in the example above the certificate will be valid for 3 years. 

2) Change the password on keystore and certificate so that they are both the same:

keytool –keypasswd –alias sicap –keystore secureicap.jks

keytool –storepasswd –keystore secureicap.jks

3) Log in to the Enforce console and go to the System -> Servers and Detectors -> Overview section, then select the Appliance Web Prevent detector. Click on Configure

4) In the ICAP tab, use the Upload keystore option to upload the created secureicap.jks keystore to the Appliance detector. Below, enter the Keystore password which has been configured in point 2. Save the configuration. 

5) Reboot the Appliance - this is a required step to start the TLS listener on the detector.

6) Export the self-signed certificate from the secureicap.jks and use it to configure Secure ICAP on the web proxy.

keytool -export -alias sicap -file certificate.crt -keystore secureicap.jks

Refer to the BlueCoat ProxySG documentation for details.