How to enable a TLS secure channel between "RSA DLP ICAP" & your "Proxy server".
Authentication Between the ICAP Server and Your Proxy:
A secure link between the ICAP server and the proxy is achieved with TLS, which both authenticates the endpoints and encrypts the communication link interconnecting your RSA DLP ICAP server and your Proxy server.
Policies and events remain on the ICAP servers and are not exposed on the Proxy server.
To configure authentication between "RSA DLP ICAP" & your "Proxy Server":
Enable the “TLS” feature in the EM GUI.
Configure authentication on the ICAP server.
Configure authentication on the Proxy Server.
First: DLP ICAP Server Configuration:
Use either the self-signed server certificate on the ICAP server, or your own certificate, to configure authentication on the ICAP server.
1.1 DLP ICAP Self-Signed Certificate: If you want to use the ICAP self-signed certificate, you do not have to do anything else. The certificate is located in the file path: "/opt/tablus/config/ssl/server.pem".
1.2 Company’s Own Certificate: If you want to use your own certificate, you must:
Install the certificate on the ICAP Server in .pem format.
Convert the Certificate Authority (CA) certificate from PKCS-12 format to .pem format using the openssl tool on the ICAP server:
Use one of two methods to configure authentication on the Proxy Server:
Configure the trusted Certificate Authority (CA) chain certificate on the Proxy Server. RSA recommends this method, as it is the most typical way to configure authentication.
Configure the fingerprint (thumbprint) of the ICAP server certificate in the <fingerprint> field. This method is slightly easier to use and is probably most helpful for companies that choose not to use their own certificate.
Method I: 1. Configure the trusted CA chain of the server certificate in the local computer certificate store on the proxy server.
If the CA certificate is in PKCS-12 format, convert it to .pem format using the openssl tool on the ICAP server, and choose not to export the private key (the -nokeys option): “openssl pkcs12 -in <cred.p12> -nokeys -out <cert.pem>”
2. After configuring the CA chain on the Proxy Server, configure the <commonName> of the <ContentAnalyzer> to match the common name in the server certificate. Note: The commonName is usually the host name or IP address of the ICAP server.
Method II: 1. Compute a SHA-512 fingerprint of the server certificate installed on the ICAP Server.
Use the command (the openssl subcommand name is lowercase): "openssl x509 -sha512 -in cert.pem -noout -fingerprint"
2. Put the fingerprint of the server certificate in the <fingerprint> field of the dlptransportagent.xml file. Refer to http://msdn.microsoft.com/en-us/library/ms734695.aspx for instructions on how to configure the thumbprint. Note: The ICAP server uses SHA-512, and SHA-512 is also required for user-generated certificates; a SHA-1 or SHA-256 thumbprint in the <fingerprint> field will not match.
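As an added pre-deployment check that is not part of the RSA documentation: this script recomputes the SHA-512 fingerprint of the certificate in the ICAP server's PEM file (the same value "openssl x509 -sha512 -fingerprint" prints) and compares it, in constant time, with the <fingerprint> value configured for Method II, rejecting a value that is not SHA-512 sized. The nesting of <fingerprint> under <ContentAnalyzer>, the sample PEM bundle and the host name are assumptions, not taken from the product.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /opt/tablus/config/ssl/server.pem. The CERTIFICATE
# payload is a dummy ASN.1 SEQUENCE, not a real certificate: the fingerprint is
# taken over whatever DER sits between the markers, which is all we need here.
SAMPLE_SERVER_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

def cert_der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block; skips any key in the same file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def sha512_fingerprint(der):
    """Value 'openssl x509 -sha512 -fingerprint' prints: uppercase hex, colon-separated."""
    hexdigest = hashlib.sha512(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize(fp):
    """Reduce 'SHA512 Fingerprint=ab:cd..', 'AB:CD..' or 'abcd..' to bare uppercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp.split("=", 1)[-1]).upper()

def sample_config(fp):
    """Constructed dlptransportagent.xml fragment (element nesting is assumed)."""
    return f"<dlptransportagent><ContentAnalyzer><commonName>icap.example.internal</commonName><fingerprint>{fp}</fingerprint></ContentAnalyzer></dlptransportagent>"

def pin_matches(pem_text, xml_text):
    """True only if the configured <fingerprint> is the SHA-512 of the served cert."""
    node = ET.fromstring(xml_text).find(".//ContentAnalyzer/fingerprint")
    if node is None or not (node.text or "").strip():
        raise ValueError("<fingerprint> is missing or empty")
    expected = normalize(node.text)
    if len(expected) != 128:  # a SHA-1 (40) or SHA-256 (64) hex value is a config error
        raise ValueError("fingerprint is %d hex chars, SHA-512 needs 128" % len(expected))
    actual = normalize(sha512_fingerprint(cert_der_from_pem(pem_text)))
    return hmac.compare_digest(expected, actual)  # constant-time comparison
```

Run it against the real server.pem and dlptransportagent.xml after editing the <fingerprint> field; a False result means the proxy will refuse the ICAP server's certificate.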