Enable ICAP


ICAP Server

Get Started with ICAP Server

  • The ICAP server in the OVA listens on NodePort 31344 for plain ICAP and on NodePort 31345 for mTLS. The conventional ICAP ports, 1344 and 11344, fall outside the default Kubernetes NodePort range of 30000 to 32767, so they cannot be exposed directly.
  • The ICAP server is disabled by default; follow the steps below to enable it.

Enable ICAP Server

Enable ICAP server

bash ~/enable_icap_server.sh

Enable MTLS

By default, mTLS is not configured, and only the open port is active. To enable mTLS on the ICAP server, follow the steps below.

  • Create a CA certificate and a server and client certificate pair signed by it. The server certificate and key are installed in the ICAP server; the client certificate and key are installed in the ICAP client (a proxy or a firewall). The server uses the CA certificate you supply as tls-cafile to verify client certificates, so the client certificate must chain to that CA, and the client must trust the CA that signed the server certificate.
  • SSH to the Halo Virtual Machine created from the OVA.
  • Save the cdrplatform-secrets k8s secret to a file
kubectl get secret cdrplatform-secrets -o yaml > cdrp-secrets.yaml
  • Edit the cdrp-secrets.yaml file and add 3 keys, tls-cafile, tls-server-cert and tls-server-key, under the data section. Each value is the base64 encoding of the corresponding PEM file on a single line (for example base64 -w0 ca.crt), not the raw PEM text.
apiVersion: v1
data:
  <existing secrets>
  <existing secrets>
  tls-cafile: <base64-encoded-tls-cafile>
  tls-server-cert: <base64-encoded-tls-server-cert>
  tls-server-key: <base64-encoded-tls-server-key>
kind: Secret
  • Apply the edited cdrp-secrets.yaml
kubectl apply -f cdrp-secrets.yaml
  • Create acr-secret to authenticate to the glasswallhub container registry. The token_ID and token are provided by Glasswall.
kubectl create secret docker-registry acr-secret -n cdrplatform \
  --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"
  • Pull the ICAP Server Helm chart
helm pull oci://glasswallhub.azurecr.io/helm/icap-server --version 1.3.0 --untar --untardir .
  • Redeploy ICAP Server with mtls enabled
helm upgrade --install icap-server icap-server --atomic \
  --set service.type=NodePort \
  --set cloud_provider=local \
  --set image.tag="150306" \
  --set image.repository=glasswallhub.azurecr.io/icap-server \
  --set image.pullPolicy=IfNotPresent \
  --set secretsFromRef[3].DATABASE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
  --set secretsFromRef[3].DATABASE__ConnectionString.key="connectionString.standard" \
  --set configuration.ENABLE_MTLS=yes \
  --set configuration.HALO__Version="2.12.0" \
  -f icap-server/values.yaml
  • Once the above command succeeds, the ICAP server listens on the mTLS port 31345 (in the OVA) in addition to the open port 31344. The open port stays reachable; if clients should only ever use mTLS, restrict access to 31344 with a firewall rule or network policy.
  • When connecting to the ICAP Server through a secure connection the URI Scheme submitted in the ICAP Client request should be icaps. This indicates that a secure connection is expected. Example Secure-ICAP url:
icaps://gw-icap-server.net:31345/resp-cdr-service
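The script below is an added example, not part of the Glasswall documentation or the OVA, covering the certificate step and the secret edit above end to end: it creates a throwaway CA, issues a server certificate for the ICAP host and a client certificate for the proxy, checks that both leaves chain to the CA that will become tls-cafile, and renders the three base64 values as a JSON merge patch for cdrplatform-secrets so the exported YAML does not have to be edited by hand. It also carries a post-deployment handshake check against the mTLS NodePort. The hostname gw-icap-server.net (taken from the icaps:// example), the output directory, the subject names and the 365-day lifetimes are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Glasswall's tooling): CA + server + client certificates
# for the ICAP server's mTLS port, chain verification, and the secret patch.
# Assumed values: ICAP_HOST, OUT, subject names, lifetimes, NodePort 31345.
set -euo pipefail

ICAP_HOST="${ICAP_HOST:-gw-icap-server.net}"   # assumed: name clients will connect to
OUT="${OUT:-./icap-mtls}"

# Single-line base64 (GNU and BSD base64), which is what a k8s Secret expects.
b64() { base64 < "$1" | tr -d '\n'; }

# Issue a certificate: $1 = file stem, $2 = subject, $3 = extension lines.
# "ca" is self-signed; everything else is signed by the CA.
issue() {
  local name=$1 subj=$2 ext=$3
  printf '%s\n' "$ext" > "$OUT/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
  if [ "$name" = ca ]; then
    openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/ca.key" -days 365 \
      -extfile "$OUT/ca.ext" -out "$OUT/ca.crt" 2>/dev/null
  else
    openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
      -CAcreateserial -days 365 -extfile "$OUT/$name.ext" \
      -out "$OUT/$name.crt" 2>/dev/null
  fi
}

make_certs() {
  mkdir -p "$OUT"
  issue ca "/CN=icap-mtls-ca" "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
  # SAN must match the host in the icaps:// URL the proxy or firewall uses.
  issue server "/CN=$ICAP_HOST" "subjectAltName=DNS:$ICAP_HOST
extendedKeyUsage=serverAuth"
  issue client "/CN=icap-proxy-client" "extendedKeyUsage=clientAuth"
}

# Both leaves must chain to the CA that goes into tls-cafile; a client
# certificate that does not will be rejected by the server.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" "$OUT/client.crt" >/dev/null
}

# Render the three keys the page names as a merge patch for the Secret.
# Prints the patch file path.
write_patch() {
  printf '{"data":{"tls-cafile":"%s","tls-server-cert":"%s","tls-server-key":"%s"}}\n' \
    "$(b64 "$OUT/ca.crt")" "$(b64 "$OUT/server.crt")" "$(b64 "$OUT/server.key")" \
    > "$OUT/cdrp-secrets-patch.json"
  echo "$OUT/cdrp-secrets-patch.json"
}

# Client-side check after the helm upgrade: a TLS handshake presenting the
# client certificate must complete and the server certificate must verify
# against our CA. Needs network access, so it is not called by main.
check_mtls_port() {
  local port=${1:-31345}
  openssl s_client -connect "$ICAP_HOST:$port" -CAfile "$OUT/ca.crt" \
    -cert "$OUT/client.crt" -key "$OUT/client.key" -verify_return_error \
    </dev/null >/dev/null 2>&1 \
    || { echo "mTLS handshake to $ICAP_HOST:$port failed"; return 1; }
  echo "mTLS handshake to $ICAP_HOST:$port succeeded"
}

main() {
  make_certs
  verify_chain
  local patch
  patch=$(write_patch)
  # Add -n <namespace> if cdrplatform-secrets is not in your current namespace.
  echo "apply with: kubectl patch secret cdrplatform-secrets -p \"\$(cat $patch)\""
  echo "after the helm upgrade, run: check_mtls_port 31345"
}
main
```

The client.crt and client.key files are what goes into the proxy or firewall, together with ca.crt so it can verify the server; keep ca.key offline once the two leaves are issued, since anyone holding it can mint a client certificate the ICAP server will accept.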

Disable ICAP server

To disable the ICAP server, please run the command below:

bash ~/disable_icap_server.sh