Setting up the ICA Management Tool
Solution

Table of Contents:

  1. Setting up the ICA Management Tool connection
  2. Enabling the ICA Management Tool on the Security Management Server
  3. Importing the User Certificate on the Client
  4. Accessing the ICA Management Tool
  5. Related documentation
  6. Related solutions

 

(1) Setting up the ICA Management Tool connection (creating a Certificate user)

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. Go to Manage menu - click on Users and Administrators....

  3. Click on New... button - select Administrator....

    • On General Properties pane:

      1. In the Login Name field - enter the user login name (e.g., John_Smith)

      2. In the Expiration Date field - verify that the date is set to a valid future date

      3. In the Permissions Profile field - select a profile that grants Read/Write All permissions (create such a profile, if needed)

    • On Certificates pane:

      1. Click on the Generate and save button.

      2. A dialog box with the following message will be displayed:
        Check Point SmartDashboard: "The generation of the certificate for the user cannot be undone, unless you click Revoke. Ok to continue?"

      3. Click on OK.

      4. In the Enter Password dialog box, enter the desired user password.

      5. Confirm the user password.

      6. Click on OK.

      7. In the dialog box Save Certificate File As, select the desired location to save the certificate file.

      8. Verify the user login name (e.g., John_Smith) is displayed in the File Name field.

      9. Verify that "Certificate Files (*.p12)" is selected in the Save as type drop-down list.

      10. Click on Save.

      11. Observe the information in the "DN" field, which should look something like this:
        CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo

      Notes:

      • A password is required to protect the sensitive data contained in the certificate file. The certificate file contains the private key. Once the certificate is issued, save it to a file and supply the administrator with this file and the password. The certificate can then be used for authentication when logging in with a SmartConsole to the Security Management server.
  4. Click on OK to close the Administrator Properties window.

  5. In the Users and Administrators window, click on Actions... button - select Install....

  6. Click on Close.

  7. In SmartDashboard, go to File menu - click on Save.

  8. Transfer the saved *.p12 file (e.g., John_Smith.p12) to the Client that is connecting to the ICA Management Tool.

 

(2) Enabling the ICA Management Tool on the Security Management Server / Domain Management Server

  1. Connect to command line on Security Management Server / Multi-Domain Security Management Server.

  2. Log in to Expert mode.

  3. On Multi-Domain Security Management Server, switch to the context of the relevant Domain Management Server:

    [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
  4. Enable the ICA Management Tool using the "Administrator DN" created in Part 1 above:

    [Expert@HostName:0]# cpca_client set_mgmt_tool on -a "<Administrator DN>"

    Example:

    cpca_client set_mgmt_tool on -a "CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo"

    Output should show:

    Successfully set the management tool. 
    
    The authorized administrators: 
    ( 
    	: ("CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo") 
    ) 
    The authorized users: 
    ()
    

    Notes:

    • Once the ICA Management Tool is started, the Security Management Server / Domain Management Server will be listening on TCP port 18265 (Check Point predefined service FW1_ica_mgmt_tools).
    • Having port 18265 open is not a vulnerability. The Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators are allowed to access it using a certificate.
  5. Check the status of the ICA Management Tool:

    [Expert@HostName:0]# cpca_client set_mgmt_tool print
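
    The following is an added example, not part of the original article or of Check Point's tooling: a shell audit that lists the DNs authorized for the ICA Management Tool and reports any that are not on an approved list. It assumes that "cpca_client set_mgmt_tool print" lists DNs in the same layout as the "set_mgmt_tool on" output shown above; the Temp_Admin DN and the two-entry sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which certificate DNs may access the ICA Management Tool.
# Assumption: "cpca_client set_mgmt_tool print" uses the same layout as the
# "set_mgmt_tool on" output shown in this article.

# Print the quoted DNs found under one section header.
# $1 = "administrators" or "users"; tool output is read from stdin.
list_authorized() {
    awk -v want="$1" '
        /The authorized administrators:/ { sect = "administrators"; next }
        /The authorized users:/          { sect = "users"; next }
        sect == want {
            line = $0
            # DNs contain commas, so split on the surrounding double quotes.
            while (match(line, /"[^"]+"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Print every DN in section $1 that is not in the newline-separated allowlist $2.
# Comparison is an exact, case-sensitive string match. Tool output on stdin.
unexpected_entries() {
    list_authorized "$1" | grep -Fxv -e "$2" || true
}

# Constructed sample: the article's output plus one extra, unapproved DN.
sample_output() {
    cat <<'EOF'
The authorized administrators:
(
    : ("CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo")
    : ("CN=Temp_Admin,OU=users,O=saturn.detroit.com.k7ekvo")
)
The authorized users:
()
EOF
}

ALLOWED='CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo'
extra=$(sample_output | unexpected_entries administrators "$ALLOWED")
[ -z "$extra" ] || printf 'Unexpected ICA Management Tool administrator: %s\n' "$extra"
```

    On a management server, pipe the real output of "cpca_client set_mgmt_tool print" into unexpected_entries in place of sample_output, with the approved DNs read from a file you maintain.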

 

(3) Importing the User Certificate on the Client

  1. Right-click on the *.p12 file (e.g., John_Smith.p12) - click on Install PFX.

  2. Certificate Import Wizard opens.
    Click on Next button and follow the instructions on the screen.

  3. When prompted for the password, enter the user certificate password you used in Part 1 above.

    Notes:

    • Make sure to clear the check box "Enable strong private key protection"
    • Make sure to check the box "Mark this key as exportable"
  4. In the Certificate Store dialog box, select Place all certificates in the following store - click on Browse... button - select Trusted Publishers - click on OK - click on Next.

  5. Click on Finish.

 

(4) Accessing the ICA Management Tool

  1. Connect to the ICA Management Tool with your browser over HTTPS:

    https://<Management_Machine_IP_Address>:18265

    where <Management_Machine_IP_Address> is the IP address of the Security Management Server / Domain Management Server.

    A dialog box with the following message will be displayed:

    Client Authentication 
    Identification 
    The Web site you want to view requests identification. 
    Select the certificate to use when connecting.
    
  2. Select the appropriate certificate (e.g., John_Smith) for authenticating to the ICA Management Tool.

  3. Click on OK.

  4. In the Security Alert dialog box, click on Yes.

  5. You should now have access to the Internal CA Management Tool.

 

 

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
