
How to setup Secure ICAP in Network Prevent for Web using Third Party Certificates


Article ID: 186829


Updated On:

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

Environment

Release: DLP 15.5+, Network Prevent for Web, Detection Server

Resolution

The steps below should allow you to complete the process:

Notes before you start:

1. keytool.exe is located in the ServerJRE folder on the Detection server.

    • Default path for 15.5: \Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin
    • Default path for 15.8: \Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin\


2. The ICAP keystore location on your Detection server (where you will copy the completed keystore in the final step below) is referenced in the file:
\Symantec\DataLossPrevention\DetectionServer\15.x\Protect\config\Protect.properties
The default value is: Icap.Keystore.Path = C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.x\keystore\secureicap.jks

3. Any values in [square brackets] are example values you should substitute with your own. For the [Detection Server Name] you should enter the same format that the proxy will use to connect so that the certificate entry matches the connection.

4. Organizational details do not have to contain all of the elements shown in the example. If in doubt, ask your CA administrator for advice on your organization's conventions for that part.

5. All Windows commands should be entered on a single line.


Steps:

1. Generate a new keystore called secureicap.jks: at a command prompt, change to the directory containing keytool.exe and run the command:
keytool -genkey -alias sicap -keyalg RSA -keysize 2048 -keystore c:\temp\secureicap.jks -storepass [password] -dname "CN=[Detection Server Name], O=[Your company name], OU=[your div], L=[city], S=[state], C=[US/GB/DE]"
- Ignore the message to convert the keystore to PKCS12.

2. Generate a certificate request from the new keystore (Note: -storepass and -keypass passwords must be the same):

keytool -certreq -keyalg RSA -keysize 2048 -alias sicap -keypass [password] -keystore c:\temp\secureicap.jks -file c:\temp\icaps.csr -storepass [password]

3. Have your CA administrator generate a PKCS#7 (.p7b) certificate file called 'sicap.p7b' from the icaps.csr request file you made above.

4. When you receive the sicap.p7b file, copy it to the c:\temp folder on the Enforce server.

5. Import the p7b certificate into the secureicap.jks keystore, using the same alias (sicap) as in step 1 so that the CA reply is applied to the existing key entry. Change directory to the folder containing keytool.exe and run:

keytool -import -alias sicap -keystore c:\temp\secureicap.jks -trustcacerts -file c:\temp\sicap.p7b

6. Finally, copy the c:\temp\secureicap.jks keystore to the location validated in step 2 of the Notes section above.

7. Restart the detection server service. Assuming that the proxy has also had the certificate generated above imported into its keystore, you should now see successful TLS connections logged in the FileReader logs on the detection server.

8. Repeat the process for other Network Prevent for Web Detection servers as necessary.
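A check worth running after step 6, before restarting the service, is that the sicap entry really picked up the CA reply. The script below is an added example, not part of this article or of the DLP product: it parses the output of `keytool -list -v -keystore c:\temp\secureicap.jks -storepass [password]` and flags the usual failure modes (a wrong -alias in step 5 leaving the entry self-signed with a stray trustedCertEntry beside it, a CN that differs from the name the proxy connects to, or an expired certificate). The embedded listing is constructed sample output and the host name dlpweb01.example.com is an assumed placeholder.

```python
import re
from datetime import datetime

def _field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1).strip() if m else None

def parse_listing(listing):
    """Reduce 'keytool -list -v' output to {alias: {type, chain_len, owner_cn, not_after}}."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias, _, body = block.partition("\n")
        until = re.search(r"until: (\w{3} \w{3} \d\d \d\d:\d\d:\d\d) \S+ (\d{4})", body)
        entries[alias.strip()] = {
            "type": _field(body, r"^Entry type: (\S+)"),
            "chain_len": int(_field(body, r"^Certificate chain length: (\d+)") or 1),
            "owner_cn": _field(body, r"^Owner: .*?CN=([^,]+)"),  # first Owner line = leaf cert
            "not_after": until and datetime.strptime(f"{until[1]} {until[2]}", "%a %b %d %H:%M:%S %Y"),
        }
    return entries

def check_secure_icap(listing, expected_cn, alias="sicap", now=None):
    """Return the problems found in secureicap.jks; an empty list means the entry looks right."""
    entries = parse_listing(listing)
    e = entries.get(alias)
    if e is None:
        return [f"no '{alias}' entry: nothing for the server to present to the proxy"]
    problems = []
    if e["type"] != "PrivateKeyEntry":
        problems.append(f"'{alias}' is {e['type']}, not a PrivateKeyEntry")
    if e["chain_len"] < 2:
        problems.append("chain length 1: CA reply not applied, entry is still the self-signed cert")
    if e["owner_cn"] != expected_cn:
        problems.append(f"CN '{e['owner_cn']}' does not match '{expected_cn}' used by the proxy")
    if e["not_after"] and e["not_after"] < (now or datetime.now()):
        problems.append(f"certificate expired {e['not_after']:%Y-%m-%d}")
    # A trustedCertEntry beside the key entry usually means step 5 ran with the wrong -alias.
    problems += [f"stray trustedCertEntry '{a}'" for a, v in entries.items() if v["type"] == "trustedCertEntry"]
    return problems

# Constructed sample of 'keytool -list -v' output after a correct step 5 (not real output).
SAMPLE_LISTING = """Alias name: sicap
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=dlpweb01.example.com, O=Example Corp, OU=IT, L=Dublin, ST=Leinster, C=IE
Valid from: Fri Jan 10 00:00:00 GMT 2020 until: Sun Jan 09 23:59:59 GMT 2022
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=IE
"""
```

Feed it the real listing with `check_secure_icap(open("listing.txt").read(), "[Detection Server Name]")` and fix anything it reports before copying the keystore into place.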