The steps below should allow you to complete the process:
Notes before you start:
1. Keytool.exe is located in the ServerJRE folder on the Detection server.
- Default path for 15.5: \Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin
- Default path for 15.8: \Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin\
2. The ICAP keystore location on your Detection server - where you will copy the completed keystore in the final step below - is referenced in the file:
\Symantec\DataLossPrevention\DetectionServer\15.x\Protect\config\Protect.properties
The default value is: Icap.Keystore.Path = C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.x\keystore\secureicap.jks
3. Any values in [square brackets] are example values you should substitute with your own. For the [Detection Server Name] you should enter the same format that the proxy will use to connect so that the certificate entry matches the connection.
4. Organizational details do not have to contain all of the elements shown in the example. If in doubt, ask your CA administrator for advice on your organization's conventions for that part.
5. All Windows commands should be entered on a single line.
Steps:
1. Generate a new keystore called secureicap.jks: In a command line, change to the directory containing the keytool.exe and run the command:
keytool -genkey -alias sicap -keyalg RSA -keysize 2048 -keystore c:\temp\secureicap.jks -storepass [password] -dname "CN=[Detection Server Name], O=[Your company name], OU=[your div], L=[city], S=[state], C=[US/GB/DE]"
- Ignore the message to convert the keystore to PKCS12
2. Generate a certificate request from the new keystore (Note: -storepass and -keypass passwords must be the same):
keytool -certreq -keyalg RSA -keysize 2048 -alias sicap -keypass [password] -keystore c:\temp\secureicap.jks -file c:\temp\icaps.csr -storepass [password]
3. Have your CA administrator generate a .P7B file-type certificate file called 'sicap.p7b' from the icaps.csr request file you made above.
4. When you receive it, copy the sicap.p7b file to the c:\temp folder on the Network Prevent for Web Detection server.
5. Import the p7b certificate into the secureicap.jks keystore. Change directory to the folder containing the keytool.exe and run:
keytool -import -alias sicap -keystore c:\temp\secureicap.jks -trustcacerts -file c:\temp\sicap.p7b
6. Finally, copy the c:\temp\secureicap.jks keystore to the location validated in step 2 of the "Notes before you start" section above
7. Enable Secure ICAP in the UI by selecting the 'Enable Secure ICAP' checkbox on the ICAP tab of the server configuration and entering the keystore password in the newly available password box.
8. Restart the detection server service. Assuming that the proxy has also had the certificate generated above imported into its keystore, you should now see successful TLS connections logged to the FileReader logs on the detection server.
9. Repeat the process for other Network Prevent for Web Detection servers as necessary.
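As an added check that is not part of this article, the PowerShell script below runs keytool -list -v against the finished keystore before you enable Secure ICAP (step 7) and confirms the three things that most often go wrong: the sicap alias still holds a private key, the CA reply was actually chained onto it, and the certificate CN matches the name the proxy will use. The keytool directory, keystore path and expected CN are assumptions and placeholders; substitute your own.

```powershell
# Added verification script, not part of the original KB article.
# Assumed values: 15.8 default keytool path, default Icap.Keystore.Path from
# Protect.properties, and a placeholder CN for the Detection server.
param(
    [string]$KeytoolDir = 'C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin',
    [string]$Keystore   = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.x\keystore\secureicap.jks',
    [string]$ExpectedCN = 'dlp-detect01.example.local',   # placeholder: the name the proxy connects to
    [string]$StorePass  = (Read-Host -Prompt 'Keystore password')
)

function Test-SecureIcapKeystore {
    param([string]$KeytoolDir, [string]$Keystore, [string]$ExpectedCN, [string]$StorePass)

    $keytool = Join-Path $KeytoolDir 'keytool.exe'
    # List only the sicap entry, verbosely, so the output carries entry type, chain length and owner.
    $out = & $keytool -list -v -alias sicap -keystore $Keystore -storepass $StorePass 2>&1
    if ($LASTEXITCODE -ne 0) { return @{ Ok = $false; Problems = @("keytool failed: $out") } }

    $text = $out -join "`n"
    $problems = @()

    # 1. The alias must still be a PrivateKeyEntry; a trustedCertEntry means the reply
    #    was imported under a different alias and the private key is not paired with it.
    if ($text -notmatch 'Entry type:\s*PrivateKeyEntry') { $problems += 'alias sicap is not a PrivateKeyEntry' }

    # 2. A freshly generated key has a chain length of 1 (self-signed). After the CA reply
    #    (sicap.p7b) is imported the chain should include the issuing CA, so expect 2 or more.
    if ($text -match 'Certificate chain length:\s*(\d+)') {
        if ([int]$Matches[1] -lt 2) { $problems += 'chain length is 1: CA reply not imported' }
    } else { $problems += 'no certificate chain reported' }

    # 3. The first Owner line is the leaf certificate; its CN must equal the name the proxy
    #    uses to connect, otherwise the TLS handshake fails at name validation.
    if ($text -match 'Owner:\s*CN=([^,\r\n]+)') {
        $cn = $Matches[1].Trim()
        if ($cn -ne $ExpectedCN) { $problems += "leaf CN '$cn' does not match '$ExpectedCN'" }
    } else { $problems += 'no Owner CN found in leaf certificate' }

    return @{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-SecureIcapKeystore -KeytoolDir $KeytoolDir -Keystore $Keystore -ExpectedCN $ExpectedCN -StorePass $StorePass
if ($result.Ok) { 'secureicap.jks looks ready for Secure ICAP' }
else { $result.Problems | ForEach-Object { "FAIL: $_" } }
```

Run it from an elevated PowerShell prompt on the Detection server after step 6 and fix any FAIL line before restarting the service in step 8.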