Enable ICAP

    ICAP Server

    Get Started with ICAP Server

    • The ICAP Server in the OVA is configured with 31344 as the open port and mTLS on port 31345, because the default ports 1344 and 11344 do not fall within the Kubernetes NodePort range of 30000 to 32767.
    • By default mTLS is not configured and only the open port works. To configure mTLS in the ICAP server, follow the steps below.

    Deployment with mTLS

    1. Create a set of client and server mTLS certificates along with a CA certificate. The server certificate will be used by the ICAP server and the client certificate by a client application such as a proxy or a firewall.

    2. SSH to the Halo Virtual Machine created from the OVA.

    3. Save the cdrplatform-secrets k8s secret to a file.

    kubectl get secret cdrplatform-secrets -o yaml > cdrp-secrets.yaml
    
    4. Edit the cdrp-secrets.yaml file and add three keys, tls-cafile, tls-server-cert and tls-server-key, under the data section.
    apiVersion: v1
    data:
      <existing secrets>
      <existing secrets>
      tls-cafile: <base64-encoded-tls-cafile>
      tls-server-cert: <base64-encoded-tls-server-cert>
      tls-server-key: <base64-encoded-tls-server-key>
    kind: Secret
    
    5. Apply the edited cdrp-secrets.yaml.
    kubectl apply -f cdrp-secrets.yaml
    
    6. Create acr-secret to authenticate to the glasswallhub container registry. The token_ID and token will be provided by Glasswall.
    kubectl create secret docker-registry acr-secret -n cdrplatform \
      --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"
    
    7. Pull the ICAP Server Helm chart.
    helm pull oci://glasswallhub.azurecr.io/helm/icap-server --version 1.2.7 --untar --untardir .
    
    8. Redeploy the ICAP Server with mTLS enabled.
    helm upgrade --install icap-server icap-server --atomic \
      --set service.type=NodePort \
      --set cloud_provider=local \
      --set image.tag="132089" \
      --set image.pullPolicy=IfNotPresent \
      --set secretsFromRef[3].DATABASE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[3].DATABASE__ConnectionString.key="connectionString.standard" \
      --set configuration.ENABLE_MTLS=yes \
      --set configuration.HALO__Version="2.7.4" \
      -f icap-server/values.yaml
    
    9. Once the command succeeds, the ICAP server listens on the mTLS port 31345 (in the OVA) as well as on the open port (31344).
    • When connecting to the ICAP Server over a secure connection, the URI scheme submitted in the ICAP client request should be icaps, which indicates that a secure connection is expected. Example Secure-ICAP URL:
    icaps://gw-icap-server.net:31345/resp-cdr-service
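
The certificate set from step 1 and the three data keys from step 4, as an added example that is not Glasswall's code: a bash script that builds a lab CA with server and client certificates via openssl and produces a kubectl merge patch for cdrplatform-secrets. The hostname gw-icap-server.net is taken from the URL above; the certs directory, file names and CN values are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Glasswall's code): throwaway CA plus server and client
# certificates for the ICAP server mTLS setup (step 1), then a kubectl merge
# patch adding tls-cafile, tls-server-cert and tls-server-key to the
# cdrplatform-secrets secret (step 4). Directory, file names and CNs are
# assumptions; the hostname defaults to the article's gw-icap-server.net.
set -e

gen_mtls_certs() {
  local dir="$1" host="${2:-gw-icap-server.net}"
  mkdir -p "$dir"
  # Private CA: self-signed, signs both the server and the client certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=icap-lab-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server cert: SAN must match the host in the icaps:// URL, EKU serverAuth.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client cert: EKU clientAuth; handed to the proxy/firewall that calls the server.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=icap-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  # Both leaf certs must chain to the CA that the server receives as tls-cafile.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null
}

# Single-line base64, which is what a Kubernetes Secret's data section expects.
b64() { base64 < "$1" | tr -d '\n'; }

# Merge patch for the data section. Only the CA and the server key pair go to
# the ICAP server; the client key pair stays with the client application.
make_secret_patch() {
  local dir="$1"
  printf '{"data":{"tls-cafile":"%s","tls-server-cert":"%s","tls-server-key":"%s"}}' \
    "$(b64 "$dir/ca.crt")" "$(b64 "$dir/server.crt")" "$(b64 "$dir/server.key")"
}

main() {
  gen_mtls_certs certs gw-icap-server.net
  make_secret_patch certs > certs/secret-patch.json
  # Equivalent to editing cdrp-secrets.yaml by hand and running kubectl apply.
  echo "kubectl patch secret cdrplatform-secrets --type merge --patch-file certs/secret-patch.json"
}
main "$@"
```

The patch deliberately leaves the client certificate and key out of the secret; they belong on the proxy or firewall that opens the icaps:// connection.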
    