Contents x
TLS Support
    • PDF
    Contents

    TLS Support

      • PDF
      Article summary

      Glasswall ICAP now makes use of Mutual Transport Layer Security (mTLS) to encrypt the traffic between your proxy and the ICAP server. This feature is also known as Secure ICAP (S-ICAP).

      Supported TLS versions:

      • 1.2
      • 1.3

      Secure-ICAP will be enabled by default by the ICAP Server as long as a TLS certificate is installed. Port 11344 will be opened, with the server ready to accept secure connections.

      When connecting to the ICAP Server through a secure connection the URI Scheme submitted in the ICAP Client request should be icaps. This indicates that a secure connection is expected.

      Example Secure-ICAP url:

      icaps://gw-icap-server.net/resp-cdr-service

      Configuring certificate chain verification flags

      The ICAP server can be configured with verification flags dictating the conditions under which the certificate chain verification is performed.

      For information on the configuration and on changing the verification flags, please see the ICAP server section in Configuration Changes. The config item is CERTIFICATE__VefificationFlags.

      Installing certificates

      TLS certificates are mounted to the ICAP server from External Secrets.

      First time setup

      For first time TLS setup during installation of Glasswall ICAP, ensure the relevant Create secrets deployment step is followed and the certificates have been added to your External Secrets secret manager - For example, in an AKS environment, Step 3 - Add secrets in Key Vault.

      Please ensure your proxy or ICAP client has access to corresponding certificates and a root certificate signed by the same Certificate Authority (CA) as the ICAP server.

      Updating certificates

      To update an existing certificate chain, locate the secrets in your environment's secret manager (from the create secrets deployment step) and update the following fields:

      • tls-cafile - the Certificate Authority (CA) root certificate. The rest of the certificates must correspond to this CA root certificate.
      • tls-server-cert - the ICAP server's signed certificate.
      • tls-server-key - the ICAP server's private key.

      Please ensure your proxy or ICAP client has access to updated certificates signed by the same Certificate Authority (CA) as the ICAP server.

      Note: the ICAP server should detect a change in its certificate configuration instantly, there may be a delay of 60 seconds however, while Kubernetes refreshes the volume attached to the server's pod.

      Was this article helpful?
      What's Next