Setting up the ICA Management Tool
Solution
The ICA Management Tool lets you:
  • Manage certificates
  • Run searches
  • Recreate CRLs
  • Configure the ICA
  • Remove expired certificates
The ICA Management Tool is enabled by default, but no authorized administrators or users are configured for it. At least one must be configured before the tool can be accessed.


Table of Contents:
  1. Setting up the ICA Management Tool connection
  2. Enabling the ICA Management Tool on the Security Management Server
  3. Importing the User Certificate on the Client
  4. Accessing the ICA Management Tool
  5. Related documentation
  6. Related solutions

 

(1) Setting up the ICA Management Tool connection (creating a Certificate user)

  1. Connect with SmartConsole to Security Management Server / Domain Management Server.

  2. Go to Permissions & Administrators > Administrators.

  3. Click New > Administrator

    • In the General Properties pane:

      1. In the Login Name field - enter the user login name (e.g., John_Smith).

      2. In the Expiration Date field - verify that the date is set to a valid future date.

      3. In the Permissions Profile field - select a profile that grants Read/Write All permissions (create such profile, if needed).

    • In the Certificates pane:

      1. Click the Generate and save button.

      2. A dialog box with this message is displayed:
        Check Point SmartDashboard The generation of the certificate for the user cannot be undone, unless you click Revoke. Ok to continue?

      3. Click OK.

      4. In the Enter Password dialog box, enter the required user password.

      5. Confirm the user password.

      6. Click OK.

      7. In the dialog box Save Certificate File As, select the required location to save the certificate file.

      8. Verify the user login name (e.g., John_Smith) is displayed in the File Name field.

      9. Verify that "Certificate Files (*.p12)" is selected in the Save as type drop-down list.

      10. Click Save.

      11. Observe the information in the "DN" field, which should look something like this:
        CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo

      Note - A password is required to protect the sensitive data contained in the certificate file. The certificate file contains the private key. Once the certificate is issued, save it to a file and supply the administrator with this file and the password. The certificate can then be used for authentication when logging in with SmartConsole to the Security Management server.

  4. Click OK to close the Administrator Properties window.

  5. In the Users and Administrators window, click Actions > Install.

  6. Click Close.

  7. In SmartDashboard, go to File menu - click Save.

  8. Transfer the saved *.p12 file (e.g., John_Smith.p12) to the Client that is connecting to the ICA Management Tool.

 

(2) Enabling the ICA Management Tool on the Security Management Server / Domain Management Server

  1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.

  2. Log in to Expert mode.

  3. On the Multi-Domain Security Management Server, switch to the context of the relevant Domain Management Server:

    [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
  4. Enable the ICA Management Tool using the "Administrator DN" created in Part 1 above:

    cpca_client [-d] set_mgmt_tool on|off [-p <ca_port>] [-a|-u "administrator|user DN" ... ]

    Example:

    cpca_client set_mgmt_tool on -a "CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo"

    Output should show:

    Successfully set the management tool. 
    
    The authorized administrators: 
    ( 
    	: ("CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo") 
    ) 
    The authorized users: 
    ()
    

    Notes:

    • After the ICA Management Tool is started, the Security Management Server / Domain Management Server will be listening on TCP port 18265 (Check Point predefined service FW1_ica_mgmt_tools).
    • Having port 18265 open is not a vulnerability. The Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators are allowed to access it using a certificate.
  5. Check the status of the ICA Management Tool:

    [Expert@HostName:0]# cpca_client set_mgmt_tool print
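
An added example, not part of the original article and not Check Point code: a shell check that extracts the authorized DNs from output laid out like the sample in step 4 and flags any DN missing from an approved list. The function names, the approved-list file and the `Temp_Contractor` DN are assumptions made for illustration, as is the idea that `set_mgmt_tool print` emits the same layout.

```shell
# Added example (not Check Point code). Assumes the text on stdin has the
# layout of the "Output should show" sample above.

# list_authorized <administrators|users>: print one authorized DN per line.
list_authorized() {
    awk -v want="$1" '
        /The authorized administrators:/ { sec = "administrators"; next }
        /The authorized users:/          { sec = "users"; next }
        sec == want {
            line = $0
            # Each DN is a double-quoted string inside the parentheses.
            while (match(line, /"[^"]*"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# audit_authorized <approved_file>: report every DN on stdin that is not
# listed (one exact DN per line) in approved_file; return 1 if any is found.
audit_authorized() {
    approved_file=$1
    tool_output=$(cat)
    rc=0
    for section in administrators users; do
        dns=$(printf '%s\n' "$tool_output" | list_authorized "$section")
        [ -n "$dns" ] || continue
        # -x and -F: a DN must equal an approved entry exactly, byte for byte.
        extra=$(printf '%s\n' "$dns" | grep -vxFf "$approved_file" || true)
        if [ -n "$extra" ]; then
            printf '%s\n' "$extra" | sed "s/^/unapproved $section DN: /"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the administrator DN is the one from this page; the
# user DN is invented here to show an entry that nobody approved.
sample_output() {
    cat <<'EOF'
Successfully set the management tool.

The authorized administrators:
(
    : ("CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo")
)
The authorized users:
(
    : ("CN=Temp_Contractor,OU=users,O=saturn.detroit.com.k7ekvo")
)
EOF
}
```

Pipe the tool's output into `audit_authorized` together with a file holding the approved DNs; a non-zero exit status means the access list has drifted from what was approved.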

 

(3) Importing the User Certificate on the Client

  1. Right-click the *.p12 file (e.g., John_Smith.p12), and click Install PFX.

  2. Certificate Import Wizard opens.
    Click Next and follow the instructions on the screen.

  3. When prompted for the password, enter the user certificate password you used in Part 1 above.

    Notes:

    • Make sure to clear this check box: Enable strong private key protection.
    • Make sure to check this check box: Mark this key as exportable.
  4. In the Certificate Store dialog box, select Place all certificates in the following store - click Browse > Personal, click OK, click Next.

  5. Click Finish.

 

(4) Accessing the ICA Management Tool

  1. Connect to the ICA Management Tool with your browser over HTTPS:

    https://<Management_Machine_IP_Address>:18265

    Where <Management_Machine_IP_Address> is the IP address of the Security Management Server / Domain Management Server.

    A dialog box with this message is displayed:

    Client Authentication 
    Identification 
    The Web site you want to view requests identification. 
    Select the certificate to use when connecting.
    
  2. Select the appropriate certificate (for example, John_Smith) for authenticating to the ICA Management Tool.

  3. Click OK.

  4. In the Security Alert dialog box, click Yes.

  5. You should now have access to the Internal CA Management Tool.

 

(5) Related documentation

  • Security Management Administration Guide (R81) - Chapter 'The ICA Management Tool'.

 
