Data Protection (DLP) - Additional ICAP Authentication support for the Data Protection (DLP) ICAP Agent

Document ID : KB000021852
Last Modified Date : 14/02/2018

Issue: 

The CA DLP ICAP Agent parses an ICAP header to retrieve a user id that the Policy Engine (PE) can use to determine which policy to apply. In the General Availability (GA) release of CA DLP r12.5 the ICAP Agent is unable to determine policy for any user id format other than LDAP.

 

Resolution:

IMPORTANT: This article contains information about modifying the registry.

Before you modify the registry, make sure to create a backup of the registry and ensure that you understand how to restore the registry if a problem occurs.

For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com

 

FIX: RO36933 adds support for additional ICAP authentication methods, which can be configured as necessary using the following registry key.

 

Key: HKEY_LOCAL_MACHINE\Software\ComputerAssociates\CA DLP\CurrentVersion\

 

ICAP Value: AuthenticatedUserType

 

This registry value specifies what type of user information is included in the AuthenticatedUserHeader x-header. Policy engines use this user type information to determine the user policy to use when processing the data. Supported values are "auto" (default), "DN", "user", and "SMTP".

 

Type: REG_SZ

 

auto

The ICAP agent tries to detect the format automatically and extract the user information. The agent can detect distinguished names, domain\user names and SMTP email addresses.

 

The agent detects user information prefixed with any of the following Blue Coat ProxySG prefixes: LDAP, WinNT, and unknown.

 

For example:

LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

WinNT://unipraxis/srimmel

unknown://srimmel@unipraxis.com

 

The agent also detects user information without the prefixes listed above.

For example:

10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

unipraxis/srimmel

srimmel@unipraxis.com 

 

DN

DN is for Blue Coat ProxySG servers that use LDAP authentication. DN indicates that AuthenticatedUserHeader is populated with the user's DN entry in the LDAP directory.

 

For example:

LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

unknown://CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com

 

user

user is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed 'domain\user' user credentials. The Blue Coat IWA and Windows SSO authentication methods generate these credentials.

 

For example:

unknown://unipraxis\srimmel

unknown://unipraxis/srimmel

unipraxis\srimmel

unipraxis/srimmel

 

SMTP

SMTP is for Blue Coat ProxySG servers that populate the AuthenticatedUserHeader with prefixed SMTP email addresses. The Blue Coat Policy Substitution authentication method generates these addresses.

 

For example:

unknown://srimmel@unipraxis.com

srimmel@unipraxis.com
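As an added illustration (not code from CA DLP or the ICAP Agent), the following Python re-implements the header format detection described above for the auto, DN, user and SMTP settings, so that a value can be checked against the expected shape before it is relied on for policy selection. The regular expressions, the function name parse_authenticated_user, and returning None on a mismatch are assumptions made here; the article does not document the agent's own internal behaviour.

```python
import re

# Blue Coat ProxySG prefixes the article lists as recognised by the agent.
KNOWN_SCHEMES = {"LDAP", "WinNT", "unknown"}

# Constructed patterns for the three user-id shapes described in the article.
# DN: optional "host/" before an RDN list such as CN=...,CN=Users,DC=...,DC=com
DN_RE = re.compile(r"^(?:[^/\\=@]+/)?(?P<id>[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*)$")
# user: domain and user name separated by "\" or "/"
USER_RE = re.compile(r"^(?P<id>[^/\\@=]+[\\/][^/\\@=]+)$")
# SMTP: local-part@domain, requiring a dot in the domain
SMTP_RE = re.compile(r"^(?P<id>[^@\s/\\=]+@[^@\s/\\=]+\.[^@\s/\\=]+)$")

# "auto" tries DN first: a DN may carry a "host/" part and would otherwise
# be mistaken for domain/user.
DETECTORS = (("DN", DN_RE), ("user", USER_RE), ("SMTP", SMTP_RE))


def parse_authenticated_user(header_value, user_type="auto"):
    """Return (type, user_id) for an AuthenticatedUserHeader value, or None.

    user_type mirrors AuthenticatedUserType: "auto" tries all three formats,
    "DN", "user" or "SMTP" accepts only that one. An unknown scheme or an
    unrecognised shape yields None (assumption made here), leaving the
    policy engine with no user identity to select a policy on.
    """
    value = header_value.strip()
    scheme = re.match(r"^([A-Za-z]+)://(.*)$", value)
    if scheme:
        if scheme.group(1) not in KNOWN_SCHEMES:
            return None
        value = scheme.group(2)
    wanted = DETECTORS if user_type == "auto" else tuple(
        d for d in DETECTORS if d[0] == user_type)
    if not wanted:
        raise ValueError(f"unsupported AuthenticatedUserType: {user_type!r}")
    for kind, pattern in wanted:
        hit = pattern.match(value)
        if hit:
            return kind, hit.group("id")
    return None


if __name__ == "__main__":
    # Constructed header values in the formats the article lists.
    for sample in ("LDAP://10.0.8.50/CN=Spencer Rimmel,CN=Users,DC=rimmel,DC=com",
                   "WinNT://unipraxis/srimmel", "unknown://srimmel@unipraxis.com",
                   "unipraxis\\srimmel"):
        print(sample, "->", parse_authenticated_user(sample))
```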

 

FIX: RO36933 is available to download from the CA Support Portal (Support.ca.com).