Enable ICAP

    ICAP Server

    Get Started with ICAP Server

    • The ICAP Server in the OVA listens on port 31344 for plain ICAP and on port 31345 for mTLS. The usual ICAP ports, 1344 and 11344, are not used because they fall outside the Kubernetes NodePort range of 30000 to 32767.
    • The ICAP server is disabled by default; follow the steps below to enable it.

    Enable ICAP Server

    bash ~/enable_icap_server.sh
    

    Enable MTLS

    By default, mTLS is not configured and only the open port (31344) is active. To enable mTLS on the ICAP server, follow the steps below. The kubectl and helm commands assume the current context targets the cdrplatform namespace, which the acr-secret step names explicitly; if yours does not, add -n cdrplatform to them.

    • Create a CA certificate and, signed by it, a server certificate and key and a client certificate and key. The server certificate and key are installed in the ICAP server; the client certificate and key are installed in the ICAP client, such as a proxy or a firewall. In mTLS the server verifies client certificates against the CA it is given, so the client certificates must chain to the CA certificate you place in tls-cafile, and the server certificate must be issued for the host name clients will use in the ICAP URL.
    • SSH to the Halo virtual machine created from the OVA.
    • Save the existing cdrplatform-secrets Kubernetes secret to a file
    kubectl get secret cdrplatform-secrets -o yaml > cdrp-secrets.yaml
    
    • Edit cdrp-secrets.yaml and add three keys under the data section: tls-cafile (the CA certificate), tls-server-cert and tls-server-key. Values under data must be the base64 encoding of the PEM files on a single line (for example base64 -w0 ca.crt); leave the existing entries in place.
    apiVersion: v1
    data:
      <existing secrets>
      <existing secrets>
      tls-cafile: <base64-encoded-tls-cafile>
      tls-server-cert: <base64-encoded-tls-server-cert>
      tls-server-key: <base64-encoded-tls-server-key>
    kind: Secret
    
    • Apply the edited cdrp-secrets.yaml
    kubectl apply -f cdrp-secrets.yaml
    
    • Create acr-secret to authenticate to the glasswallhub container registry. The token_ID and token are provided by Glasswall.
    kubectl create secret docker-registry acr-secret -n cdrplatform \
      --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"
    
    • Pull the ICAP Server Helm chart
    helm pull oci://glasswallhub.azurecr.io/helm/icap-server --version 1.2.9 --untar --untardir .
    
    • Redeploy the ICAP Server with mTLS enabled
    helm upgrade --install icap-server icap-server --atomic \
      --set service.type=NodePort \
      --set cloud_provider=local \
      --set image.tag="136002" \
      --set image.repository=glasswallhub.azurecr.io/icap-server \
      --set image.pullPolicy=IfNotPresent \
      --set secretsFromRef[3].DATABASE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
      --set secretsFromRef[3].DATABASE__ConnectionString.key="connectionString.standard" \
      --set configuration.ENABLE_MTLS=yes \
      --set configuration.HALO__Version="2.9.0" \
      -f icap-server/values.yaml
    
    • Once the command succeeds, the ICAP server listens on the mTLS port 31345 (in the OVA) in addition to the open port 31344.
    • When connecting to the ICAP server over the secure port, the URI scheme in the ICAP client request should be icaps, which tells the client that a TLS connection with a client certificate is expected. The host name in the URL must be one the server certificate was issued for. Example Secure ICAP URL:
    icaps://gw-icap-server.net:31345/resp-cdr-service
    
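    The certificate preparation for the steps above, as a worked example. This is an added script, not Glasswall's tooling or the OVA's own enable script: it creates a private CA, an ICAP server certificate and an ICAP client certificate with openssl, checks that both leaves chain to the CA and carry the right purposes, and renders the three base64 data keys to paste into cdrp-secrets.yaml. The server host name, certificate subjects, file names and validity period are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Glasswall's script). Generates the mTLS certificate set
# for the ICAP server and renders the tls-cafile / tls-server-cert /
# tls-server-key values for cdrp-secrets.yaml. Names below are assumptions.
set -eu

# make_mtls_certs DIR SERVER_DNS_NAME
# Writes ca.{crt,key}, server.{crt,key}, client.{crt,key} into DIR.
make_mtls_certs() {
  local dir="$1" server_name="$2"
  mkdir -p "$dir"

  # Minimal request config so the commands do not depend on the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = icap-mtls-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. Private CA. Its certificate becomes tls-cafile: the ICAP server will
  #    only accept client certificates that chain to it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 825 \
    -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"

  # 2. Server leaf (tls-server-cert / tls-server-key). The SAN must match the
  #    host clients put in the icaps:// URL, e.g. gw-icap-server.net.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$server_name" > "$dir/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$server_name" -keyout "$dir/server.key" -out "$dir/server.csr"
  openssl x509 -req -days 825 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -in "$dir/server.csr" -out "$dir/server.crt"

  # 3. Client leaf, installed on the proxy or firewall that speaks ICAP.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$dir/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=icap-client-proxy" -keyout "$dir/client.key" -out "$dir/client.csr"
  openssl x509 -req -days 825 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -in "$dir/client.csr" -out "$dir/client.crt"
  rm -f "$dir"/*.csr
}

# verify_mtls_certs DIR
# Both leaves must chain to the CA that goes into tls-cafile, the server leaf
# must be valid for serverAuth and the client leaf for clientAuth.
verify_mtls_certs() {
  local dir="$1"
  openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/server.crt" >/dev/null &&
  openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" >/dev/null
}

# Secret data must be base64 on a single line; GNU base64 wraps at 76 columns
# by default and BSD base64 has no -w flag, so strip newlines instead.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# render_secret_keys DIR
# Prints the three entries to paste under data: in cdrp-secrets.yaml.
# The CA key stays offline; only the CA certificate is published.
render_secret_keys() {
  local dir="$1"
  printf '  tls-cafile: %s\n'      "$(b64_oneline "$dir/ca.crt")"
  printf '  tls-server-cert: %s\n' "$(b64_oneline "$dir/server.crt")"
  printf '  tls-server-key: %s\n'  "$(b64_oneline "$dir/server.key")"
}

# check_mtls_endpoint HOST PORT DIR
# Handshake against the redeployed server with the client certificate. Run it
# again without -cert/-key: the server must then refuse the session.
check_mtls_endpoint() {
  local host="$1" port="$2" dir="$3"
  openssl s_client -connect "$host:$port" -CAfile "$dir/ca.crt" \
    -cert "$dir/client.crt" -key "$dir/client.key" -verify_return_error </dev/null
}

# Usage: bash make_icap_mtls.sh ./icap-mtls gw-icap-server.net
if [ "$#" -ge 2 ]; then
  make_mtls_certs "$1" "$2"
  verify_mtls_certs "$1"
  render_secret_keys "$1"
fi
```

    Paste the three printed lines under data: in cdrp-secrets.yaml, apply it, and confirm the stored value decodes to the CA you generated with `kubectl get secret cdrplatform-secrets -o jsonpath='{.data.tls-cafile}' | base64 -d | openssl x509 -noout -subject`. After the helm redeploy, check_mtls_endpoint against port 31345 should complete the handshake, and the same command without the client certificate should fail; if it succeeds, client certificates are not actually being required.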

    Disable ICAP server

    To disable the ICAP server, run the command below:

    bash ~/disable_icap_server.sh
    
