Configuration of ICAP support within Reverse Proxy

The configuration of ICAP support within Reverse Proxy is flexible: only those transactions that require ICAP intervention are sent to the ICAP servers.

An administrator can configure and control the applications that require ICAP processing. Configuration of ICAP support within Reverse Proxy consists of two parts:

  • Configuration file: Used to define ICAP servers.
  • Protected Object Policy (POP): Used to define the resources that trigger a call to the ICAP servers.

Configuration file

A stanza entry called [ICAP:<resource>] is added to the configuration file. The stanza entry is used to define the different ICAP resources. Each resource consists of:

  • A URL for the ICAP server, which defines the ICAP server's address and whether TCP or SSL is used for the connection. When an SSL connection is defined, the system uses the keystore that is configured in the [junction] stanza if it exists. If not, the system uses the keystore that is configured in the [ssl] stanza.
  • A transaction list that defines whether the ICAP server is used in processing the HTTP request or response.
  • A timeout value that defines the maximum length of time (in seconds) that Reverse Proxy waits for a response from the ICAP server.
  • An optional SSL keyfile label that defines the certificate to be used if client certificate authentication is required.

For more information, see [ICAP:<resource>] stanza.

Note: The <resource> in the stanza name corresponds to the name of the resource in the POP. Multiple resources might be specified in the configuration file.

Example

[ICAP:resource_a]
URL = icap://icap_svr.tivoli.com:1344/
transaction = req
timeout = 120

[ICAP:resource_b]
URL = icap://icap_svr.tivoli.com:1344/
transaction = rsp
timeout = 120

Note: The preceding example establishes a TCP connection to the ICAP server. If you want to use an SSL connection to the ICAP server, use icaps:// instead of icap://. You can also specify an SSL keyfile label that defines the certificate to be used if client certificate authentication is required.

[ICAP:resource_a]
URL = icaps://icap_svr.tivoli.com:1345/
transaction = req
timeout = 120

[ICAP:resource_b]
URL = icaps://icap_svr.tivoli.com:1345/
transaction = rsp
timeout = 120
ssl-keyfile-label = my_certificate

Protected Object Policy (POP)

A Protected Object Policy (POP) is used to enable the pre-defined ICAP resource for appropriate parts of the object space. This mechanism provides full control over which resources incur the additional impact of the ICAP processing. The POP must have:

  • An extended attribute created with the name 'ICAP', and
  • A value that matches the name of one of the configured ICAP resources.

Multiple attributes of the same name can be created if multiple ICAP servers are required to handle the processing of a particular object or request.

The following example shows what the POP might look like:

pdadmin sec_master> pop show ICAPPop attribute ICAP
    ICAP
        resource_a
        resource_b

Note: resource_a and resource_b correspond to the following configuration stanzas: [ICAP:resource_a] and [ICAP:resource_b].
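Because a POP value that names no configured [ICAP:<resource>] stanza, or a stanza with a malformed URL or timeout, means the intended ICAP inspection silently does not happen, it is worth checking the two halves of the configuration against each other. The following is an added example written for this page, not part of the product or its documentation; it assumes the stanzas can be parsed as INI-style sections (a simplification) and that the POP attribute values have already been captured from pdadmin into a list.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the shape of the stanzas shown above (not a real deployment file):
# resource_a is well formed, resource_b has a cleartext URL and a bad timeout.
SAMPLE_CONFIG = """
[ICAP:resource_a]
URL = icaps://icap_svr.tivoli.com:1345/
transaction = req
timeout = 120
ssl-keyfile-label = my_certificate
[ICAP:resource_b]
URL = icap://icap_svr.tivoli.com:1344/
transaction = rsp
timeout = abc
"""
# Constructed POP attribute values, as 'pop show <pop> attribute ICAP' would list them.
SAMPLE_POP_VALUES = ["resource_a", "resource_c"]

def parse_icap_resources(text):
    """Return {resource_name: {key: value}} for every [ICAP:<resource>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s.split(":", 1)[1].strip(): dict(cp[s])
            for s in cp.sections() if s.startswith("ICAP:")}

def check_resource(name, entries):
    """Findings for one resource; an empty list means the stanza looks consistent."""
    findings = []
    url = urlparse(entries.get("url", ""))  # configparser lowercases option names
    if url.scheme not in ("icap", "icaps") or not url.hostname:
        findings.append(f"{name}: URL must be icap:// or icaps:// with a host")
    elif url.scheme == "icap":
        findings.append(f"{name}: cleartext icap:// connection to the ICAP server")
    if "ssl-keyfile-label" in entries and url.scheme != "icaps":
        findings.append(f"{name}: ssl-keyfile-label set but URL is not icaps://")
    if entries.get("transaction") not in ("req", "rsp"):
        findings.append(f"{name}: transaction must be 'req' or 'rsp'")
    if not entries.get("timeout", "").isdigit() or int(entries["timeout"]) <= 0:
        findings.append(f"{name}: timeout must be a positive number of seconds")
    return findings

def audit(config_text, pop_values):
    """Check every stanza, then confirm each POP 'ICAP' value names a configured resource."""
    resources = parse_icap_resources(config_text)
    findings = [f for n, e in resources.items() for f in check_resource(n, e)]
    findings += [f"POP references undefined ICAP resource '{v}'"
                 for v in pop_values if v not in resources]
    return findings
```

Running `audit(SAMPLE_CONFIG, SAMPLE_POP_VALUES)` on the constructed input reports the cleartext URL and bad timeout of resource_b and the dangling POP reference to resource_c, while resource_a passes cleanly.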