How to configure Secure ICAP on a DLP Hardware or Virtual Appliance Network Prevent for Web detection server?
search cancel

How to configure Secure ICAP on a DLP Hardware or Virtual Appliance Network Prevent for Web detection server?


Article ID: 184607


Updated On:


Data Loss Prevention Network Prevent for Web Virtual Appliance


When configuring Secure ICAP integration with BlueCoat ProxySG on an on-premises Network Prevent for Web detection server, one of the points is to generate a self-signed certificate and keystore on Web Prevent using keytool. 

However, this action is not possible to perform on an Appliance Web Prevent detection server, because the Appliance does not permit standard command-line or bash level access - you can only connect to the server with Putty to run pre-defined commands using the Symantec Common Operating Environment (COE). It's not possible to run keytool from COE and generate the keystore and certificate directly on the detection server.


The following process needs to be followed to configure Secure ICAP on an Appliance Web Prevent detection server:

1) On another machine with keytool - can be Enforce or an on-premises detection server - run keytool to generate a keystore with a self-signed certificate:

keytool -genkey -alias sicap -keyalg RSA -dname “CN=VAFQDN” -keystore secureicap.jks -validity 1095 -keysize 2048

VAFQDN should be replaced with the Appliance's FQDN or IP address to ensure the subject on the certificate is matching the Appliance's address. Validity is specific in days, and in the example above the certificate will be valid for 3 years. 

2) Change the password on keystore and certificate so that they are both the same:

keytool –keypasswd –alias sicap –keystore secureicap.jks

keytool –storepasswd –keystore secureicap.jks

3) Log in to the Enforce console and go to the System -> Servers and Detectors -> Overview section, then select the Appliance Web Prevent detector. Click on Configure

4) In the ICAP tab, use the Upload keystore option to upload the created secureicap.jks keystore to the Appliance detector. Below, enter the Keystore password which has been configured in point 2. Save the configuration. 

5) Reboot the Appliance - this is a required step to start the TLS listener on the detector.

5.1) Sometimes during the Appliance reboot, the servers do not start and show a blank screen. In that case, restart the virtual machine and wait until it starts (if the same issue appears, repeat the restart of the VM process).
Observation: If the certificate is removed and the appliance is rebooted, it starts up much quicker.

 Note: When applied a SICAP (Secure ICAP) certificate and then rebooted, the appliance may take up to 15-20 minutes aprox. (in some cases) and few reboots. When just restarted the Enforce and Detector services manually on the VM appliance command line interface, the server appears green on the proxies very quickly. The commands used are:

dlp enforce-connector-service restart
dlp detection-service restart

6) Export the self-signed certificate from the secureicap.jks and use it to configure Secure ICAP on the web proxy.

keytool -export -alias sicap -file certificate.crt -keystore secureicap.jks

Refer to the BlueCoat ProxySG documentation for details.