RSA DLP Network How to enable TLS Secure Channel between RSA DLP ICAP & your Proxy server
Originally Published: 2015-09-28
Article Number: 000067073
Applies To
RSA Product Set: DLP
RSA Product/Service Type: DLP Network
RSA Version/Condition: 9.6
Platform: Centos OS
Issue
  • How to enable a TLS secure channel between "RSA DLP ICAP" and your "Proxy server".
Tasks

Authentication Between the ICAP Server and Your Proxy:

  • A secure link to the ICAP server is achieved by using TLS both to authenticate the peers and to encrypt the communication link between your RSA DLP ICAP server and your Proxy server.
  • Policies and events remain on the ICAP servers and are not exposed on the Proxy server.

To configure authentication between "RSA DLP ICAP" and your "Proxy Server":

  1. Enable the "TLS" feature on the EM GUI.
  2. Configure authentication on the ICAP server.
  3. Configure authentication on the Proxy Server.

First: DLP ICAP Server Configuration:

  • Use either the self-signed server certificate on the ICAP server, or your own certificate, to configure authentication on the ICAP server.

1.1 DLP ICAP Self-Signed Certificate:
If you want to use the ICAP self-signed certificate, you do not have to do anything else. The certificate is located at the file path "/opt/tablus/config/ssl/server.pem".

1.2 Company’s Own Certificate:
If you want to use your own certificate, you must:

  • Install the certificate on the ICAP Server in .pem format.
  • Convert the Certificate Authority (CA) certificate from PKCS-12 format to .pem format using the openssl tool on the ICAP server (the -export flag is required for openssl to write a PKCS-12 file from PEM inputs; without it the command fails):

openssl pkcs12 -export -in <cert.pem> -inkey <key.pem> -out cred.p12

  • Choose not to export the private key.

Second: Proxy Server Configuration:

 Use one of two methods to configure authentication on the Proxy Server:

  • Configure the trusted Certificate Authority (CA) chain certificate on the proxy Server. RSA recommends this method as it is the most typical way to configure authentication.
  • Configure the fingerprint (thumbprint) of the ICAP server certificate in the <fingerprint> field. This method is slightly easier to use and is probably most helpful for those companies choosing not to use their own certificate.

 Method I—Recommended:

1. Configure the trusted CA chain of the server certificate in the local computer certificate store on the proxy server.

a. Use the Windows Certification Authority MMC Snap-In.
Refer to http://technet.microsoft.com/en-us/library/cc770355.aspx for detailed information on the Windows Certificate Authority Snap-In.

b. Convert the CA certificate from PKCS-12 format to .pem format using the openssl tool on the ICAP server, and choose not to export the private key (as above, -export is needed for openssl to write the PKCS-12 file):
openssl pkcs12 -export -in <cert.pem> -inkey <key.pem> -out cred.p12

 2. After configuring the CA chain on the Proxy Server, configure the <commonName> of the <ContentAnalyzer> to match the common name in the server certificate.
Note: The commonName is usually the host name or IP address of the ICAP server.

Method II:
1. Compute a SHA-512 fingerprint of the server certificate installed on the ICAP Server.

Use the command (the subcommand name is lowercase; openssl does not accept "X509"): openssl x509 -sha512 -in cert.pem -noout -fingerprint

2. Put the fingerprint of the server certificate in the <fingerprint> field of the dlptransportagent.xml file.
Refer to http://msdn.microsoft.com/en-us/library/ms734695.aspx for instructions on how to configure the thumbprint.
Note: The ICAP server uses SHA-512. SHA-512 is required for user-generated certificates.
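The following POSIX shell script is an added example, not RSA's documentation or tooling. It checks that what an administrator put into the transport agent configuration actually matches the certificate the ICAP server presents: the SHA-512 fingerprint for Method II and the subject commonName for Method I. It assumes openssl is on the PATH, that the server certificate is a PEM file (the article gives /opt/tablus/config/ssl/server.pem as the default location), and that the agent configuration is an XML file carrying <fingerprint> and <commonName> elements. The element names come from the article; the surrounding file layout, the demo certificate and the demo config are constructed test data.

```shell
#!/bin/sh
# Added example (not RSA's code). Assumptions: openssl in PATH; the ICAP server
# certificate is PEM; the agent config is XML with <fingerprint>/<commonName>
# elements (element names from the article, file layout constructed here).

# Print the SHA-512 fingerprint of a PEM certificate as 128 uppercase hex
# characters. openssl prints "sha512 Fingerprint=AB:CD:..."; the label and
# the colons are stripped so any formatting of the stored value can be compared.
cert_fingerprint_sha512() {
    openssl x509 -sha512 -in "$1" -noout -fingerprint \
        | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Print the subject commonName of a PEM certificate (RFC 2253 rendering keeps
# the output stable across openssl versions).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Normalise a fingerprint the way an admin may have pasted it: drop colons and
# whitespace, force uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F'
}

# Extract the text of a simple <tag>value</tag> element from a config file.
xml_value() {
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# Method II check: certificate fingerprint equals the configured value.
fingerprint_matches() {
    [ "$(cert_fingerprint_sha512 "$1")" = "$(normalize_fp "$2")" ]
}

# Method I check: certificate subject CN equals the configured <commonName>.
common_name_matches() {
    [ "$(cert_common_name "$1")" = "$2" ]
}

# Compare an agent config file against the live server certificate. Reports
# each field that disagrees on stderr and returns non-zero on any mismatch.
check_agent_config() {
    cert=$1; cfg=$2; rc=0
    if ! fingerprint_matches "$cert" "$(xml_value "$cfg" fingerprint)"; then
        echo "fingerprint in $cfg does not match $cert" >&2; rc=1
    fi
    if ! common_name_matches "$cert" "$(xml_value "$cfg" commonName)"; then
        echo "commonName in $cfg does not match $cert" >&2; rc=1
    fi
    return $rc
}

# Generate a throwaway self-signed certificate with the given CN. This stands
# in for the ICAP server's server.pem (constructed test data).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Write a constructed dlptransportagent.xml fragment for the demo.
write_demo_config() {
    cat > "$1" <<EOF
<ContentAnalyzer>
  <commonName>$2</commonName>
  <fingerprint>$3</fingerprint>
</ContentAnalyzer>
EOF
}

# Demo: build a cert and a matching config, then verify them against each other.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" icap.example.com
demo_fp=$(cert_fingerprint_sha512 "$demo_dir/cert.pem")
write_demo_config "$demo_dir/dlptransportagent.xml" icap.example.com "$demo_fp"
check_agent_config "$demo_dir/cert.pem" "$demo_dir/dlptransportagent.xml" \
    && echo "config matches certificate (CN=$(cert_common_name "$demo_dir/cert.pem"))"
rm -rf "$demo_dir"
```

On a real deployment, point check_agent_config at the ICAP server's server.pem and the proxy's dlptransportagent.xml; a mismatch after a certificate rotation is the usual reason the TLS channel stops being established, and the script names the field that drifted rather than leaving you with a generic handshake failure.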