000031349 - RSA DLP Network How to enable TLS Secure Channel between RSA DLP ICAP & your Proxy server

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031349
Applies ToRSA Product Set: DLP
RSA Product/Service Type: DLP Network
RSA Version/Condition: 9.6
Platform: Centos OS
  • How to enable TLS Secure channel between  "RSA DLP ICAP" & your "Proxy server". 

Authentication Between the ICAP Server and Your Proxy:

  • To enable a Secure link for ICAP server; this  can be achieved  by using TLS for authentication and by encrypting communication link interconnecting your RSA DLP ICAP server and your Proxy server.
  • Policies and events remain on the ICAP servers and are not exposed on the Proxy server.

 To configure authentication between"RSA DLP ICAP" & your "Proxy Server":

  1. Enable “TLS” feature  on the EM GUI.
  2. Configure authentication on the ICAP server.
  3. Configure authentication on the Proxy  Server.

First: DLP ICAP Server Configuration:

  • Use either the self-signed server certificate on the ICAP server, or use your own-certificate to configure the authentication on the ICAP server.

1.1 DLP ICAP Self-Signed Certificate:
If you want to use the ICAP self-signed certificate, you do not have to do anything else. The certificate is located in the file path:  "/opt/tablus/config/ssl/server.pem".

1.2 Company’s Own Certificate:
If you want to use your own certificate, you must:

  • Install the certificate on the ICAP Server in .pem format.
  • Convert the Certificate Authority (CA) certificate from PKCS-12 format to .pem format using the openssl tool on the ICAP server:

openssl pkcs12 -in <cert.pem> -inkey <key.pem> -out cred.p12

  • Choose to not export the private key.

Second: Proxy  Server Configuration:

 Use one of two methods to configure authentication on the Proxy  Server:

  • Configure the trusted Certificate Authority (CA) chain certificate on the proxy Server. RSA recommends method as it is the most typical way to configure  authentication.
  •   Use the Configure the fingerprint (thumb print) of the ICAP server certificate in the <fingerprint> field. This method is slightly easier to use and is probably most helpful for those companies choosing not to use their own certificate.

 Method I—Recommended:
1. Configure the trusted CA chain of the server certificate in the local computer  certificate store on the proxy  server.

a. Use the Windows Certification Authority MMC Snap-In.
Refer to http://technet.microsoft.com/en-us/library/cc770355.aspx  for detailed information on the Windows Certificate Authority Snap-In.

b. Convert the CA certificate to PKCS-12 format to .pem format Use the openssl tool on the ICAP server, and choose not to export the private key.
openssl pkcs12 -in <cert.pem> -inkey <key.pem> -out cred.p12

 2. After configuring the CA chain on the Proxy  Server, configure the  <commonName> of the <ContentAnalyzer> to match the common name in the server certificate.
Note: The commonName is usually the host name or IP address of the ICAP server.
Method II:
1. Compute a SHA-512 fingerprint of the server certificate installed on the ICAP Server.

Use the command: "openssl X509 -sha512 -in cert.pem -noout -fingerprint"

2. Put the fingerprint of the server certificate in the <fingerprint> field of the dlptransportagent.xml file.
Refer to http://msdn.microsoft.com/en-us/library/ms734695.aspx  for instructions on how to configure the thumbprint.
Note: The ICAP server uses SHA-512. SHA-512 is required for user-generated certificates.