Version: 2.15.0

Enable ICAP

Glasswall ICAP Server

  • The ICAP Server in the OVA is configured with 31344 as the open port and 31345 as the mTLS port, because the default ICAP ports 1344 and 11344 fall outside the Kubernetes NodePort range of 30000 to 32767.
  • The ICAP server is disabled by default; follow the steps below to enable it.

Enable ICAP Server

bash ~/enable_icap_server.sh

Enable mTLS

By default, mTLS is not configured, and only the open port is active. To enable mTLS on the ICAP server, follow the steps below.

  1. Create a set of client and server mTLS certificates along with a CA certificate. The server certificates will be used in the ICAP server and the client certificates will be used in a client application such as a proxy or a firewall.

  2. SSH to the Halo Virtual Machine created from the OVA.

  3. Save the cdrplatform-secrets Kubernetes secret to a file.

     kubectl get secret cdrplatform-secrets -o yaml > cdrp-secrets.yaml

  4. Edit the cdrp-secrets.yaml file and add three keys, tls-cafile, tls-server-cert and tls-server-key, under the data section.

     apiVersion: v1
     data:
       <existing secrets>
       <existing secrets>
       tls-cafile: <base64-encoded-tls-cafile>
       tls-server-cert: <base64-encoded-tls-server-cert>
       tls-server-key: <base64-encoded-tls-server-key>
     kind: Secret

  5. Apply the edited cdrp-secrets.yaml.

     kubectl apply -f cdrp-secrets.yaml

  6. Create acr-secret to authenticate to the glasswallhub container registry. The token_ID and token will be provided by Glasswall.

     kubectl create secret docker-registry acr-secret -n cdrplatform \
     --docker-server="glasswallhub.azurecr.io" --docker-username="${token_ID}" --docker-password="${token}"

  7. Pull the ICAP Server Helm chart:

     helm pull oci://glasswallhub.azurecr.io/helm/icap-server --version 1.4.0 --untar --untardir .

  8. Redeploy the ICAP Server with mTLS enabled:

     helm upgrade --install icap-server icap-server --atomic \
     --set service.type=NodePort \
     --set cloud_provider=local \
     --set image.tag="159564" \
     --set image.repository=glasswallhub.azurecr.io/icap-server \
     --set image.pullPolicy=IfNotPresent \
     --set secretsFromRef[3].DATABASE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
     --set secretsFromRef[3].DATABASE__ConnectionString.key="connectionString.standard" \
     --set configuration.ENABLE_MTLS=yes \
     --set configuration.HALO__Version="2.15.0" \
     -f icap-server/values.yaml

Once the command succeeds, the ICAP server listens on the mTLS port 31345 (in the OVA) in addition to the open port (31344).
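Steps 3 to 5 above hand-edit the Secret, and the usual mistake is pasting base64 that a GNU `base64` has wrapped at 76 columns, which corrupts the `data` value. The following is an added example (not a Glasswall script) that encodes the three PEM files on a single line, refuses non-PEM input, and emits a JSON merge patch for `kubectl patch`; it assumes the Secret lives in the current kubectl namespace, as the page's `kubectl get secret` command does.

```shell
#!/bin/sh
# Added example (not Glasswall's own script). Builds the three tls-* entries
# that the mTLS steps add to the cdrplatform-secrets Secret, using single-line
# base64 as Kubernetes requires, and emits a JSON merge patch for kubectl.
set -eu

# Base64-encode a file as one line. GNU base64 wraps output at 76 columns,
# and a wrapped value pasted into the Secret's data section does not decode
# back to the original file, so the newlines are stripped explicitly.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Refuse anything that is not PEM: a DER file would encode without error,
# but the server cannot load it and the failure only shows up at pod start.
require_pem() {
    grep -q -- '-----BEGIN' "$1" || { echo "not a PEM file: $1" >&2; return 1; }
}

# Print a merge patch that adds tls-cafile, tls-server-cert and tls-server-key
# under .data while leaving the existing keys of the Secret untouched.
build_tls_patch() {
    ca=$1; cert=$2; key=$3
    require_pem "$ca" && require_pem "$cert" && require_pem "$key" || return 1
    printf '{"data":{"tls-cafile":"%s","tls-server-cert":"%s","tls-server-key":"%s"}}\n' \
        "$(b64_oneline "$ca")" "$(b64_oneline "$cert")" "$(b64_oneline "$key")"
}

# Apply the patch in the cluster. Assumes the same kubectl context and
# namespace as the page's `kubectl get secret cdrplatform-secrets` command.
apply_tls_patch() {
    kubectl patch secret cdrplatform-secrets --type merge -p "$(build_tls_patch "$@")"
}

# Usage: sh add_tls_to_secret.sh ca.pem server.pem server-key.pem
if [ "$#" -eq 3 ]; then
    apply_tls_patch "$1" "$2" "$3"
fi
```

After patching, `kubectl get secret cdrplatform-secrets -o jsonpath='{.data.tls-server-cert}' | base64 -d` should print the server certificate PEM unchanged before you run the Helm upgrade.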

When connecting to the ICAP Server over a secure connection, the URI scheme submitted in the ICAP client request should be icaps, which indicates that a secure connection is expected. Example Secure-ICAP URL:

icaps://gw-icap-server.net:31345/resp-cdr-service

Disable ICAP Server

To disable the ICAP server, please run the command below:

bash ~/disable_icap_server.sh