Syncplicity Support

DLP Connector setup and management

The Syncplicity On-premises DLP Connector is server software that runs as a virtual machine. It connects the Syncplicity orchestration layer in the cloud and a third-party Data Loss Prevention (DLP) solution to your on-premises storage endpoint. You should review About Syncplicity StorageVaults and on-premise storage before reading further.

The DLP administration topic describes how to manage settings and policies in the administrator console for DLP.

Prerequisites

The storage endpoint should already be configured with at least two Syncplicity Storage Connectors. If you have not configured your storage for this, see Hybrid Cloud Storage and Deploying Syncplicity On-Premise Storage Connector to set up your storage endpoint for Syncplicity.

The following topics describe the prerequisites for installing the on-premises DLP Connector.

Hardware requirements

The DLP Connector requires:

  • A minimum of two virtual machines hosted on VMware vSphere Hypervisor (ESXi) 6.0 or later.
  • Each virtual machine must have 8 gigabytes of random access memory, 8 virtual cores and a hard disk drive (HDD) of at least 50 GB.

See the next topic about network configuration for the network hardware requirements, which include two or more Storage Connectors and a storage backend that supports standard NFS v3 or s3 interfaces.

Network configuration

The DLP Connector is supplied as an OVA file and installed on a virtual machine. The DLP Connector requires the following:

  • Each DLP Connector requires a dedicated virtual machine hosted on VMware vSphere Hypervisor.
  • At least two DLP Connectors; you can deploy more for scalability and high availability.
  • At least two Storage Connectors.
  • Ensure TLS 1.2 is used by disabling TLS 1.0 and TLS 1.1, and ensure SSLv3 is disabled (SSLv3 is disabled by default in the JDK).

[Image: DLP_Connector_diagram.png]

As shown in the diagram, in a typical deployment the storage layer sits in the private area of the corporate network, and the Storage Connector and DLP Connector virtual machines are in the semi-private area. Note that the SSL offloading load balancer in the DMZ is for Storage Connectors only.

Inbound port requirements

Atmos storage requirements

To enable the DLP Connector to connect to an EMC Atmos storage backend, the following inbound ports must be open.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector to the Atmos load balancer | 443 if SSL is used; 80 if SSL is not used | HTTP or HTTPS |
| From the DLP Connector in the DMZ to the Network Time Protocol (NTP) server | 123 | UDP |


Elastic Cloud Storage (ECS) requirements

To enable the DLP Connector to connect to an ECS storage backend, the following inbound ports must be open.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector to the ECS load balancer | 9021 if SSL is used; 9020 if SSL is not used | HTTP or HTTPS |
| From the DLP Connector in the DMZ to the NTP server | 123 | UDP |


NFS v3-based storage

To enable connections from the DLP Connector virtual machines to the NFS storage backend, the following inbound ports must be open. This includes EMC Isilon storage.

| Port | Protocol | Type of Traffic |
| --- | --- | --- |
| 53 | TCP | DNS for SmartConnect (Isilon only) |
| 111 | TCP | SUN Remote Procedure Call |
| 111 | UDP | SUN Remote Procedure Call |
| 300 | TCP | NFS mount daemon |
| 300 | UDP | NFS mount daemon |
| 302 | TCP | NFS stat daemon |
| 302 | UDP | NFS stat daemon |
| 304 | TCP | NFS lock daemon |
| 304 | UDP | NFS lock daemon |
| 2049 | TCP | NFS server daemon |
| 2049 | UDP | NFS server daemon |

Service accessibility check

To enable checking for DLP Connector service accessibility from external hosts, the following should be allowed.

| Connection | Port | Protocol |
| --- | --- | --- |
| From external hosts to the DLP Connector virtual machines | 9002 | HTTP |

Outbound port requirements

In general, traffic outbound to external hosts on port 443 should be allowed. If for some reason this is not so, at least the following should be allowed.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector virtual machines to xml.syncplicity.com, xml.eu.syncplicity.com, api.syncplicity.com, api.eu.syncplicity.com, health.syncplicity.com, health.eu.syncplicity.com | 443 | HTTPS |
| From the DLP Connector virtual machines to the NTP servers | 123 | UDP |
| From the DLP Connector virtual machines to centos.org and fedoraproject.org (Note: only required during the upgrade procedure or installation of separate packages, to allow RPM dependency checking) | 80 | HTTP |

Configure Isilon storage

If you are not using Isilon storage, skip this section. 

Isilon storage requires the following additional configuration steps. 

  1. Create an NFS Export via the WebUI. The following screen shows the basic export settings that lock the export to only the connected Storage and DLP Connectors. Add the IP addresses of the DLP Connectors in the following fields: Clients, Always Read-Write Clients and Root Clients. The values 10.111.158.3 and 10.111.158.4 are example IP addresses of the Storage Connectors; your IP addresses are different. Leave all other export settings at their defaults.

    [Image: add_an_NFS_export_old.PNG]

  2. If the DLP Connector is in the DMZ (Internet side of the firewall) and Isilon storage is inside the firewall, you must verify specific ports are opened on the firewall to allow access via NFS from the DLP Connectors to the Isilon storage. This does not apply if the Isilon storage is not behind a firewall.
  3. Refer to Task 5: Prepare for NFS mounted storage later in this topic in order to mount a dedicated Syncplicity share for the Isilon storage.

This completes the basic configuration of the EMC Isilon storage for the on-premises DLP Connector.

Install connector

Deployment of the DLP Connector Open Virtual Appliance (OVA) file is similar to the Storage Connector OVA deployment described in Installing the Storage Connector.

The on-premises DLP Connector is delivered as a virtual machine image, in OVA format, to simplify the deployment. The image is based on the CentOS 7.6 Linux operating system. It includes the necessary Syncplicity software.

After the initial installation, you must maintain the operating system on the VM, which includes staying current with updates and bug fixes.

The following tasks describe installing the DLP Connector.

Task 1: Provision virtual machine

You must download the DLP Connector software and deploy it to a VMware ESXi server.

To provision a VM, download the DLP Connector OVA file from http://www.syncplicity.com/xDLPConnectorOVFDownload.

Connect to the VMware ESXi server using VMware vSphere Client.

Perform the remaining tasks for each DLP Connector server deployed. At least two are required.

Task 2: Deploy OVF template

You must use the vSphere Client's built-in support for OVF/OVA packages to create a DLP Connector virtual machine instance.

To deploy the OVF template:

  1. Click File > Deploy OVF Template... to initiate the process.
  2. Accept the EULA.
  3. If required, adjust the amount of memory, CPU cores and disk space to allocate to the virtual machine. Ensure that the virtual machine meets the requirements specified in the Hardware requirements subsection above. 
  4. Start the deployed DLP Connector virtual machine.

Task 3: Log in and change your password

An administrative account with sudo privileges, called syncp, already exists in the virtual machine. The initial password is onprem. For increased security, change this password, adhering to the minimum password requirements, which are:

  • At least 14 characters.
  • At least one of each of the following: lowercase letter, uppercase letter, number and symbol.
  • Cannot reuse the last 5 passwords.
  • Must contain at least 5 characters that are different from the previous password.

Task 4: Configure network connection

The server listens for incoming SSH connections on TCP port 22. You must configure the DLP Connector servers with correct static IP addresses.

The next steps describe how to disable DHCP on a DLP Connector in your network.

  1. Type:
    sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
  2. Replace the following settings with your parameters:

    DEVICE="eth0"
    BOOTPROTO="static"
    ONBOOT="yes"
    IPADDR=<static-ip-address-for-this-server>
    NETMASK=<network-mask>
    GATEWAY=<gateway_ip_address>
    DNS1=<static-ip-address-dns-server1>
    DNS2=<static-ip-address-dns-server2>
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"

To turn on networking and configure the host name and domain name, follow these steps:

  1. Type:
    sudo vi /etc/sysconfig/network
  2. Set the correct HOSTNAME and DOMAINNAME in this file:

    NETWORKING=yes
    NETWORKING_IPV6=yes
    HOSTNAME=<hostname>
    DOMAINNAME=<domain_name>

To configure Domain Name Service (DNS) servers, follow these steps:

  1. Type:
    sudo vi /etc/resolv.conf 
  2. Delete the content of the file.
  3. Add a line for each DNS server's IP address or host name:
    nameserver <ip-address-or-host-name-of-name-server-1>
    nameserver <ip-address-or-host-name-of-name-server-2>
    nameserver <ip-address-or-host-name-of-name-server-3> 
  4. Restart the network service by typing the following command:
    sudo systemctl restart network

The server now listens for incoming SSH connections only. No other ports are open. By default, the DLP Connector does not have a firewall turned on.

By default the DLP Connector OVA image uses pool.ntp.org for time synchronization. If you want to use a different network time protocol (NTP) server, you need to edit the /etc/chrony.conf file or use chronyc in order to set the desired NTP server to which the DLP Connector machines can connect. If you use Atmos storage, make sure that both DLP Connector machines and Atmos connect to the same NTP servers.

Task 5: Prepare for NFS mounted storage

If your storage backend of choice is Atmos/Google Cloud Storage or is using the s3 protocol, you can skip the following tasks.

Set NFS to read-only access

The DLP Connector does not write any data to the backend storage. We recommend giving the DLP node read-only access to the NFS export.

Configure Isilon

If your storage backend is Isilon, you must mount the dedicated Syncplicity share to the server at /mnt/syncp. Use the NFS file system type. To make sure the Isilon share is mounted automatically at system startup:

  1. Type:
    sudo vi /etc/fstab 
  2. Add the following line to the file:

    <Isilon_cluster_name_or_IP_address>:/<Syncplicity_data_directory> <mount_point>  nfs  rw 

    Where <mount_point> is the value you have set for the key rootdir for the platform section (Isilon, VNX, fs) in the configuration file /etc/syncp-das/syncp-das.conf. Do not include the addr=<server> option since this can cause connectivity issues to Isilon.

    Example: dlp.mycompany.com:/ifs/syncp-data  /mnt/syncdata  nfs  rw 
  3. Type:
    sudo mount <mount_point>

For production environments, ensure the Isilon cluster name (used in the NFS mount entry in /etc/fstab) is a SmartConnect DNS name for the Isilon cluster and the SmartConnect settings are configured for dynamic IP addresses. This ensures the DLP Connectors can leverage the high availability features of the EMC Isilon architecture. Configuring the mount options to access a SmartConnect zone also maximizes performance to the EMC Isilon cluster.

The Isilon storage should have a directory created specifically for Syncplicity data. This directory must have its permissions and NFS export configured for the DLP Connectors, as described in the Configure Isilon Storage subsection above.

Configure standard NFS v3 storage

If your storage backend of choice uses a standard NFS v3 interface, excluding Isilon, you must mount a dedicated Syncplicity share to the server at /mnt/syncp. Make sure to use the NFS file system type.

To make sure the NFS share is mounted automatically at system startup:

  1. Type:
    sudo vi /etc/fstab 
  2. Add the following line to the file:

    <NFS_server_name_or_IP>:/<Syncplicity_data_directory>  <mount_point>  nfs  rw

Where <mount_point> is the value you have set for the key rootdir for the platform section (Isilon, VNX, fs) in the configuration file /etc/syncp-das/syncp-das.conf.

Example: dlp.mycompany.com:/syncp-data /mnt/syncdata  nfs  rw

Configure connector

To complete installation, you must edit the DLP Connector software configuration files. However, you first must obtain the access key.

Retrieve access key

Before editing the configuration files, you need to retrieve the access key. To do this, browse to https://my.syncplicity.com and log in as a Global Administrator. Then click the Settings tab of the administrative console and select Manage StorageVaults at the bottom of the page. A list of configured StorageVaults and their associated access keys can be found here. Select the StorageVault you have configured with the Syncplicity Storage Connectors and copy the access key. This should be the same access key you are using for the Storage Connectors configured for this StorageVault. If no StorageVaults are listed, click the Add StorageVault button to create one. At the completion of the wizard, the access key is displayed. For detailed instructions on defining a StorageVault, see the Configuring and managing StorageVaults article.

Configure storage settings

  1. At the virtual machine, edit the following file using the vi editor by typing:
    sudo vi /etc/syncp-das/syncp-das.conf 
  2. In the syncplicity.ws section of the syncp-das.conf file, replace <syncplicity access key> with the access key that you retrieved from the Manage StorageVault Settings. For example, accesskey: "d4jJDpO7erZEmrlKab6w"
  3. If your company is using the EU PrivacyRegion, the on-premises DLP Connector must be configured with the following settings:

    syncplicity.ws.url: "https://xml.eu.syncplicity.com/1.1"
    syncplicity.ws.external.url: "https://api.eu.syncplicity.com"
    syncplicity.health.url: "https://health.eu.syncplicity.com/v1"
  4. If using a proxy, set the enable flag to true and specify the proxy host and port in the proxy section.

    syncplicity.ws {
      proxy {
            enable: true
            host: "my_proxy.mycompany.com"
            port: 8080
      }
    }
  5. In the syncplicity.storage section of the syncp-das.conf file, replace <storage type> with:

    • atmos for EMC Atmos systems
    • azure for Azure storage blobs
    • google for Google Cloud Storage (GCS)
    • isilon for EMC Isilon systems
    • fs for generic NFS v3 systems
    • s3 for EMC ECS systems or AWS s3 buckets
    • vnx for EMC VNX systems

    For example, if you are configuring for Azure blob storage, enter:

    syncplicity.storage {
      type: "azure"
    }
  6. If type is atmos, configure your Atmos storage settings. Under the atmos section of the syncp-das.conf file, set url to the URL and port on which the Atmos installation listens; explicitly include the port number. Set token to your Atmos authentication token and set secret to your Atmos secret key. For example:

    syncplicity.storage.atmos {
      url: "https://atmos.internal:443"
      token: "7ce21bbh56ek8feg0a7c23f343ad8df99/tenant"
      secret: "poSq7g5123t1TEQp5PlWhv4SAxk="
    }
  7. If type is s3 for AWS s3 storage, configure your AWS storage settings under the s3 section of the syncp-das.conf file. Enter the name of the bucket you created and its region, the access key and secret. For AWS, the secret was generated when you created the IAM user. For example:

    syncplicity.storage.s3 {
      bucket: "put bucket name here"
      region: "put region here"
      access: "put access key here"
      secret: "put secret key here"
      enableV4: true
    }
  8. If type is s3 for EMC ECS storage, configure your EMC ECS storage settings under the s3 section of the syncp-das.conf file by providing the following information:

    • Full url of the ECS storage, including the port. Refer to your ECS Storage administrator for the exact ports being used. Default ports are 9020 for HTTP and 9021 for HTTPS.
    • Name of the bucket you created.
    • Access key used for authentication, which is generated by the ECS administrator. With ECS, the access key is typically an email address.
    • Secret used for authentication, which is generated by the ECS administrator. For example:

      syncplicity.storage.s3 {
        access: "syncplicity@mycompany.com"
        secret: "put secret key here"
        url: "http://10.1.1.1:9020"
        bucket: "MyStorageVault_bucket"
      }

    Note: When an IP address is used in the URL, the Base URL (fully qualified URL) must be defined in the ECS admin console. The Base URL should correspond to the URL you use in the syncp-das.conf file. The Base URL is used by ECS as part of the object address where virtual host style addressing is used and enables ECS to know which part of the address refers to the bucket and, optionally, name space. To avoid upload errors, such as the one following, make sure to add the Base URL in the ViPR console for all VDCs.

    The request signature we calculated does not match the signature you provided. Check your secret access key and signing method. For more information, see REST authentication and SOAP authentication for details. 

  9. If type is isilon, configure your Isilon storage settings. Under the isilon section of the syncp-das.conf file, set rootdir to the mount point of your Isilon cluster on this server. For example:

    syncplicity.storage.isilon {
      rootdir: "/mnt/syncdata"
    }


    Make sure the syncp-das:syncp-das user owns the mount point. To set the ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  10. If type is vnx, configure your VNX storage settings. Under the vnx section of the syncp-das.conf file, set the rootdir of your VNX system on this server. The directory below the mount point (for example, data) must exist before proceeding. If this directory does not exist, create it now. For example:

    syncplicity.storage.vnx {
       rootdir: "/mnt/syncdata/data"
    }


    Make sure the rootdir is one level below the mount point for VNX storage systems. For example, if the mount point is /mnt/syncdata, the rootdir value must be /mnt/syncdata/data. Also, make sure the syncp-das:syncp-das user owns the mount point. To set ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  11. If type is fs for generic NFS v3 storage, configure your NFS storage settings. In the syncplicity.storage section of the syncp-das.conf file, add the following FS configuration and set rootdir to the mount point of your NFS v3 server on this server. If these lines already exist in the syncp-das.conf file, edit them instead of adding them again. For example:

    syncplicity.storage.fs {
      rootdir: "/mnt/syncdata"
    }


    Make sure the syncp-das:syncp-das user owns the mount point. To set ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  12. If type is azure, configure your Azure storage settings under the azure section of the syncp-das.conf file. Enter the Azure storage account name, the storage account key and the name of the Azure blob storage container. For example:

    syncplicity.storage.azure {
      # Storage account name
      accountName: "MyStorageVault"
      # Storage account secret key
      accountKey: "put secret key here"
      # Azure blob storage container name
      container: "MyStorageVault_blob"
    }

    Note: When configuring the DLP Connector to utilize Azure blob storage, the DLP Connector servers should be hosted in the Azure VPC to minimize latency between the DLP Connector and the storage.

  13. If type is google, configure your GCS settings under the google section of the syncp-das.conf file. Enter the name of the bucket you created, and the JSON string with the authentication credentials provided in a downloadable file when your service account key is generated (see the GCS documentation). For example:

    syncplicity.storage.google {
      # name of the bucket
      bucket: "put bucket name here"
      # the authentication credentials JSON for the service account
      authJson: "put JSON string here"
    }

Configure DLP settings

  1. Create or use an existing keystore named keyStore.p12 and generate keys by typing the following command:

    keytool -genkey -keyalg RSA -alias actionMQKey -keystore keyStore.p12 -storetype PKCS12 

    You are prompted to enter passwords for the key and keystore. The storepass value specifies the keystore password. The keypass value specifies a password for the private key about to be generated. You need this password to access the keystore entry containing that key. If you are creating a keystore using the preceding keystore command, you are prompted for your distinguished-name information (name, organization, and so on.)
  2. Export the public key by typing the following commands:

    keytool -importkeystore -srckeystore keyStore.p12 -destkeystore dlpKeyStore.p12 -deststoretype PKCS12 -destkeypass <destPass> -deststorepass <destPass> 

    Where <destPass> is any valid password. The destination PKCS12 keystore cannot have different storepass and keypass values.

    openssl pkcs12 -in dlpKeyStore.p12 -nocerts -out private.key

    You are prompted for <destPass>.

    openssl rsa -in private.key -pubout > public.key

    You are prompted for <destPass>.
  3. Enter the public key on the Manage StorageVault Settings page for your StorageVault.

    Log in to MySite as an administrator and navigate to the Manage StorageVaults page. Select the StorageVault you are using to integrate with your DLP engine; this opens the Manage StorageVault Settings page. Scroll to the bottom of the page and enter your public key.

    [Image: DLP_add_public_key_page.jpg]

    [Image: DLP_add_public_key_dialog.jpg]
  4. Save the StorageVault ID, which can be found on the Manage StorageVault Settings page. The StorageVault ID, with the dashes "-" removed, is used during the DLP configuration steps and in the Troubleshooting steps. The following is an example of where to retrieve the StorageVault ID.

    [Image: Retrieve_StorageVault_ID.png]

  5. Customize the settings for the DLP connector by editing the DLP config file. This config file is in YAML format (http://yaml.org/).

    For DLP Connector 1.0.0-1.1.1, type:

    sudo vi /etc/syncp-dlp/dlp.yml

    For DLP Connector 1.2.0 or newer, type:

    sudo vi /etc/syncp-das/syncp-das.yml

    The following is an example of the DLP config file.

    /etc/syncp-dlp/dlp.yml (DLP Connector 1.0.0-1.1.1):

    dlp:
      actionmq:
        url: https://amq.syncplicity.com/api/v1/
        queueName: 1.file.a38e8fd78e93481698a6e58a01b7f357
        batchSize: 10
        keyStorePath: /etc/syncp-dlp/dlpKeyStore
        keyStorePassword: password
        keyPassword: keyPassword
        keyAlias: actionMQKey
        jwtTokenValidityPeriod: 60
        jwtTokenSkew: 5
        jwtIssuer: a38e8fd78e93481698a6e58a01b7f357
      workers:
        count: 250
      manager:
        sleepTime: 30
        shutdownTimeout: 60
      processors:
        - alias: DigitalGuardian
          uri: icap://10.250.240.230:1344/response
          proxy: http://10.250.240.235:3128
          target: X-Virus-ID

    /etc/syncp-das/syncp-das.yml (DLP Connector 1.2.0 or newer):

    spring.profiles.active: DLP

    syncplicity.das:
      dlp:
        actionmq:
          url: https://amq.syncplicity.com/api/v1/
          queueName: 1.file.a38e8fd78e93481698a6e58a01b7f357
          keyAlias: actionMQKey
          keyPassword: keyPassword
          jwtIssuer: a38e8fd78e93481698a6e58a01b7f357
          jwtTokenValidityPeriod: 60
          jwtTokenSkew: 5
        manager:
          workersCount: 250
          batchSize: 10
          sleepTime: 30
          shutdownTimeout: 60
        processors:
          - alias: DigitalGuardian
            uri: icap://10.250.240.230:1344/response
            proxy: http://10.250.240.235:3128
            target: X-Virus-ID
        icap.client.maxContentLengthToScan: 26214400


    Description of each parameter

    | Name (versions 1.0.0 - 1.1.1) | Name (version 1.2.0 or newer) | Type | Required | Default Value | Description |
    | --- | --- | --- | --- | --- | --- |
    | Not available | spring.profiles.active | Text | Yes | DLP | Sets the active Spring profiles. For the DLP Connector, the value of this parameter must always be DLP. |
    | dlp.actionmq.url | syncplicity.das.dlp.actionmq.url | Text (URL) | Yes | https://amq.syncplicity.com/api/v1/ | The URL of the ActionMQ instance. For companies in the US PrivacyRegion, enter https://amq.syncplicity.com/api/v1/; for companies in the EU PrivacyRegion, enter https://amq.eu.syncplicity.com/api/v1/ |
    | dlp.actionmq.queueName | syncplicity.das.dlp.actionmq.queueName | Text | Yes | | The name of the queue from which messages are fetched. The queue is created once the DLP feature is enabled for the StorageVault. The name follows the pattern 1.file.<storagevault_id>, where <storagevault_id> is the StorageVault ID you collected in Step 4, entered without the dashes. |
    | dlp.actionmq.keyAlias | syncplicity.das.dlp.actionmq.keyAlias | Text | Yes | | The alias of the private key in the keystore. This value is configured during Step 1. |
    | dlp.actionmq.keyPassword | syncplicity.das.dlp.actionmq.keyPassword | Text | Yes | | The password for that private key. |
    | dlp.actionmq.jwtIssuer | syncplicity.das.dlp.actionmq.jwtIssuer | Text | Yes | | The StorageVault ID that the DLP Connector is working against. Enter the <storagevault_id> you collected in Step 4, without the dashes. |
    | dlp.actionmq.jwtTokenValidityPeriod | syncplicity.das.dlp.actionmq.jwtTokenValidityPeriod | Number | No | 1800 | Time (in seconds) the JWT is valid. This must not be set to a value greater than the same parameter on the ActionMQ side. This mechanism strictly requires time synchronization on the DLP node. |
    | dlp.actionmq.jwtTokenSkew | syncplicity.das.dlp.actionmq.jwtTokenSkew | Number | No | 10 | Time (in seconds) before the token expires at which a new token is generated. For example, if the token is valid until 10:15:27 and the skew is 10, it is replaced with a new token at 10:15:17. This eliminates request rejections caused by token expiration. |
    | dlp.workers.count | syncplicity.das.dlp.manager.workersCount | Number | No | 250 | The number of worker threads in the pool that process incoming messages in parallel. The minimum value is 1 worker. |
    | dlp.actionmq.batchSize | syncplicity.das.dlp.manager.batchSize | Number | No | 10 | The number of messages requested per batch from ActionMQ. The minimum is 1 and the maximum is 100 messages. |
    | dlp.manager.sleepTime | syncplicity.das.dlp.manager.sleepTime | Number | No | 30 | Timeout in seconds between requests to ActionMQ if the previous request returned 0 messages (the queue is empty). |
    | dlp.manager.shutdownTimeout | syncplicity.das.dlp.manager.shutdownTimeout | Number | No | 60 | Timeout in seconds for a graceful shutdown of the DLP Connector when the syncp-das service is stopped. After this timeout all worker threads are killed. |
    | dlp.processors.alias | syncplicity.das.dlp.processors.alias | Text | Yes | | The alias for the DLP server. |
    | dlp.processors.uri | syncplicity.das.dlp.processors.uri | Text (URL) | Yes | | The URL of the ICAP server interface presented by the DLP Engine. Example: icap://<DLP Engine Url>:1344/response |
    | dlp.processors.proxy | syncplicity.das.dlp.processors.proxy | Text (URL) | No | | The proxy to the DLP Engine. This is necessary when there is no direct connection between the DLP Connector and the ICAP server of the DLP Engine and network traffic goes through a proxy. |
    | dlp.processors.target | syncplicity.das.dlp.processors.target | Text | Yes | | The name of the header in the DLP server's response from which the ICAP client reads the reason for blocking. The value of the selected header is saved as the description of the ScanResult. Header names differ between DLP engines. DigitalGuardian: "X-Virus-ID", "X-Infection-Found" or "X-Violations-Found"; McAfee: "X-Infection-Found" or "X-Violations-Found"; Symantec: "X-Infection-Found" or "X-Violations-Found". A detailed description of each header can be found in the ICAP specification: https://tools.ietf.org/html/draft-stecher-icap-subid-00 |
    | Not available | syncplicity.das.dlp.icap.client.maxContentLengthToScan | Number | Yes | 26214400 | Maximum content length in bytes to scan; if set to 0, the content length is not limited. The default value is 26214400 (25 MB). If the DLP Engine has a configuration option to scan only the first X bytes of a file (e.g. the FileReader.MaxFileSize option of the Symantec DLP Engine), the value of this parameter should match the value set in the DLP engine configuration. |
    | dlp.actionmq.keyStorePath | The keystore specified in syncp-das.conf is used (e.g. syncplicity.storage.keyStore.file: "/etc/syncp-das/keyStore.p12") | Text (path) | No | /etc/syncp-das/keyStore.p12 | The path to the keystore (in JKS format) with the private key used to generate the JWT for ActionMQ access. |
    | dlp.actionmq.keyStorePassword | The keystore password specified in syncp-das.conf is used (e.g. syncplicity.storage.keyStore.password: "<password>") | Text | Yes | | The password for the keystore. |
  6. Make sure the keyStore.p12, syncp-das.yml and syncp-das.conf files are readable by the syncp-das user. You can set the owner of these files with the following command:

    sudo chown syncp-das:syncp-das /etc/syncp-das/keyStore.p12 /etc/syncp-das/syncp-das.yml /etc/syncp-das/syncp-das.conf
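As an added example (not Syncplicity's code), the following Python script encodes the constraints from the parameter table above as a pre-flight check for a 1.2.0-or-newer syncp-das.yml: the StorageVault ID is normalised by dropping its dashes, queueName must equal 1.file.<jwtIssuer>, jwtTokenSkew must be shorter than jwtTokenValidityPeriod, batchSize must lie between 1 and 100, workersCount must be at least 1, maxContentLengthToScan must not be negative, and actionmq.url must match the PrivacyRegion. It assumes the YAML has already been loaded into a nested dict by a YAML library; the sample configuration, the region argument and the function names are constructed for this example.

```python
"""Pre-flight checks for a DLP Connector syncp-das.yml (1.2.0 or newer).

Added example, not Syncplicity's code. Load the YAML with a YAML library and
pass the dict to validate_dlp_config(); SAMPLE_CONFIG mirrors the page's
example and is constructed inline so the script runs offline.
"""
import copy
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")  # StorageVault ID without dashes

ACTIONMQ_URLS = {  # per-PrivacyRegion ActionMQ endpoints from the table
    "US": "https://amq.syncplicity.com/api/v1/",
    "EU": "https://amq.eu.syncplicity.com/api/v1/",
}

SAMPLE_CONFIG = {  # constructed to mirror the 1.2.0 example above
    "spring.profiles.active": "DLP",
    "syncplicity.das": {"dlp": {
        "actionmq": {
            "url": "https://amq.syncplicity.com/api/v1/",
            "queueName": "1.file.a38e8fd78e93481698a6e58a01b7f357",
            "keyAlias": "actionMQKey",
            "keyPassword": "keyPassword",
            "jwtIssuer": "a38e8fd78e93481698a6e58a01b7f357",
            "jwtTokenValidityPeriod": 60,
            "jwtTokenSkew": 5,
        },
        "manager": {"workersCount": 250, "batchSize": 10,
                    "sleepTime": 30, "shutdownTimeout": 60},
        "processors": [{"alias": "DigitalGuardian",
                        "uri": "icap://10.250.240.230:1344/response",
                        "proxy": "http://10.250.240.235:3128",
                        "target": "X-Virus-ID"}],
        "icap.client.maxContentLengthToScan": 26214400,
    }},
}


def normalize_storagevault_id(raw):
    """Strip the dashes from a StorageVault ID copied from the admin console."""
    sv_id = raw.strip().replace("-", "").lower()
    if not HEX32.match(sv_id):
        raise ValueError("not a StorageVault ID: %r" % raw)
    return sv_id


def queue_name_for(storagevault_id):
    """Queue name pattern from the table: 1.file.<storagevault_id>."""
    return "1.file." + normalize_storagevault_id(storagevault_id)


def validate_dlp_config(cfg, region="US"):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    if cfg.get("spring.profiles.active") != "DLP":
        problems.append("spring.profiles.active must be DLP")
    dlp = cfg.get("syncplicity.das", {}).get("dlp", {})
    mq = dlp.get("actionmq", {})
    if mq.get("url") != ACTIONMQ_URLS[region]:
        problems.append("actionmq.url must be %s for the %s PrivacyRegion"
                        % (ACTIONMQ_URLS[region], region))
    issuer = mq.get("jwtIssuer", "")
    if not HEX32.match(issuer):
        problems.append("jwtIssuer must be the StorageVault ID with dashes removed")
    elif mq.get("queueName") != "1.file." + issuer:
        problems.append("queueName must be 1.file.<jwtIssuer>")
    for key in ("keyAlias", "keyPassword"):
        if not mq.get(key):
            problems.append("actionmq.%s is required" % key)
    # Skew is subtracted from the validity period, so it must be shorter.
    if not 0 <= mq.get("jwtTokenSkew", 10) < mq.get("jwtTokenValidityPeriod", 1800):
        problems.append("jwtTokenSkew must be shorter than jwtTokenValidityPeriod")
    mgr = dlp.get("manager", {})
    if mgr.get("workersCount", 250) < 1:
        problems.append("manager.workersCount must be at least 1")
    if not 1 <= mgr.get("batchSize", 10) <= 100:
        problems.append("manager.batchSize must be between 1 and 100")
    procs = dlp.get("processors") or []
    if not procs:
        problems.append("at least one processor is required")
    for proc in procs:
        alias = proc.get("alias", "?")
        for key in ("alias", "uri", "target"):
            if not proc.get(key):
                problems.append("processor %s: %s is required" % (alias, key))
        if proc.get("uri") and not proc["uri"].startswith("icap://"):
            problems.append("processor %s: uri must be an icap:// URL" % alias)
    if dlp.get("icap.client.maxContentLengthToScan", 26214400) < 0:
        problems.append("icap.client.maxContentLengthToScan must be 0 or positive")
    return problems


def broken_example():
    """SAMPLE_CONFIG with two mistakes the table warns about (constructed)."""
    bad = copy.deepcopy(SAMPLE_CONFIG)
    bad["syncplicity.das"]["dlp"]["actionmq"]["jwtIssuer"] = "a38e8fd7-8e93-4816-98a6-e58a01b7f357"
    bad["syncplicity.das"]["dlp"]["manager"]["batchSize"] = 500
    return bad


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", broken_example())):
        found = validate_dlp_config(cfg)
        print("%s: %s" % (name, "OK" if not found else "; ".join(found)))
```

Run it after editing syncp-das.yml and before starting syncp-das: an empty result means the file passes these checks; otherwise each problem is printed. Pass region="EU" for a company in the EU PrivacyRegion so the ActionMQ URL check matches the table.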
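The target setting in the table above only matters once the DLP Engine answers an ICAP request, so here is an added example (not the DLP Connector's implementation) of how an ICAP client turns the engine's response into a scan result. It assumes the RFC 3507 conventions the processor settings rely on: a 204 No Content reply means the content is unmodified (clean), a 200 OK reply that carries the configured target header (X-Virus-ID, X-Infection-Found or X-Violations-Found, depending on the engine) reports a violation whose value becomes the scan result description, and any other status is a scan failure rather than a clean result. The two ICAP responses are constructed samples, and the function and field names are this example's own.

```python
"""Interpret a DLP engine's ICAP response via the configured target header.

Added example, not the DLP Connector's code. Follows RFC 3507: 204 means the
content is unmodified (clean); 200 carries headers, and the target header,
when present, holds the reason for blocking.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ScanResult:
    blocked: bool
    description: Optional[str]  # value of the target header when blocked
    icap_status: int


# Constructed sample: engine reports a violation through X-Virus-ID.
BLOCKED_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "dlp-policy-rev-12"\r\n'
    b"X-Virus-ID: Policy violation: credit card numbers\r\n"
    b"Encapsulated: res-hdr=0, res-body=52\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    b"e\r\nBlocked by DLP\r\n0\r\n\r\n"
)

# Constructed sample: engine found nothing and left the content untouched.
CLEAN_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b'ISTag: "dlp-policy-rev-12"\r\n'
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split an ICAP response into its status code and header map.

    Header names are lower-cased because ICAP, like HTTP, treats them
    case-insensitively. The encapsulated HTTP message is not needed here.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def interpret_scan(raw: bytes, target: str) -> ScanResult:
    """Map an ICAP response to blocked/clean using the configured target header."""
    status, headers = parse_icap_response(raw)
    if status == 204:
        return ScanResult(blocked=False, description=None, icap_status=status)
    if status != 200:
        # 4xx/5xx from the engine is a scan failure; never treat it as clean.
        raise RuntimeError("DLP engine returned ICAP status %d" % status)
    reason = headers.get(target.lower())
    if reason:
        return ScanResult(blocked=True, description=reason, icap_status=status)
    # 200 without the target header: assumed clean in this example.
    return ScanResult(blocked=False, description=None, icap_status=status)


if __name__ == "__main__":
    print(interpret_scan(BLOCKED_RESPONSE, "X-Virus-ID"))
    print(interpret_scan(CLEAN_RESPONSE, "X-Virus-ID"))
    # With a target the engine never sends, the same violation reads as clean.
    print(interpret_scan(BLOCKED_RESPONSE, "X-Violations-Found"))
```

The last line of the script is the practical point: if target names a header your engine never emits, every violation is reported as clean. Set target to the header your DLP engine actually sends and confirm it with a test file that is known to violate policy before relying on the integration.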

Edit the DLP Connector log settings (optional)

The DLP Connector writes error, warning and info messages to a log file in /var/log/syncp-das/. Log settings can be customized including the log level, retention of log files and the name of the log file (to improve the usability of reviewing logs from multiple systems).

Note: Any time you change the settings in the logger.xml file you must restart the DLP Connector service for the changes to take effect. To restart the syncp-das service, type the following command:
sudo systemctl restart syncp-das

Customizing the name of the log file

  1. Edit /etc/syncp-das/logger.xml:
    sudo vi /etc/syncp-das/logger.xml
  2. Modify the <appender> <rollingPolicy> <fileNamePattern> xml element to change the log location path or filename pattern. The default value and formatting for naming is:
    /var/log/syncp-das/storage-%d{yyyy-MM-dd}.log.gz
  3. It is possible to add an environment variable (such as HOSTNAME) to the log file name, like this:
    <fileNamePattern>/var/log/syncp-das/${HOSTNAME}-storage-%d{yyyy-MM-dd}.log.gz</fileNamePattern>

Changing the log retention period

  1. Edit /etc/syncp-das/logger.xml:
    sudo vi /etc/syncp-das/logger.xml
  2. Modify the <maxHistory> setting to the number of archive files to keep (the default is 7 days). Note that the rollover period is determined by the format in <fileNamePattern>.
    <maxHistory>7</maxHistory>

Starting the DLP Connector service

  1. Once you have configured the DLP Connector service and log settings, it is time to start the DLP Connector service. Start the DLP Connector software on each of the DLP Connectors you have configured with this command: 
    sudo systemctl start syncp-das 
  2. After starting the syncp-das service, check the logs to make sure there are no configuration errors and the service started without problems. The Syncplicity software logs its activity under /var/log/syncp-das. To list the log files, run:
    sudo ls -la /var/log/syncp-das

The base software installation process has been completed.

Verify installation

To confirm the DLP Connector is configured and running correctly, review and execute the following tasks on each DLP Connector.

Confirm service is running

On each DLP Connector server, type the following command to confirm that the DLP Connector is running correctly:

sudo systemctl status syncp-das.service

If the service is running correctly, the Active line of the output shows active (running).

Confirm service is accessible

Note: Starting from version 1.2.0, the port number in the URL and command below is 9002 instead of 9001.

For each DLP Connector server, type the following URL in a browser to confirm the service is accessible:

http://<hostname_or_IP_address_of_dlp_connector_server>:9002/ping

If the service is accessible, the following message appears in the browser:

pong

If you cannot access the service from a browser, type the following command on each connector server:

curl http://<dlp_connector_host_or_IP>:9002/ping

If the service is accessible, the following message is displayed:

pong
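The following shell script is an added example, not part of the Syncplicity software or documentation. It automates the two checks above for a list of connector hosts: when run on a connector it reads the syncp-das unit state from systemctl, and from any host it requests /ping on port 9002 and accepts only a reply of pong. The host names are placeholders, the DLP_PORT override is an assumption, and curl must be installed.

```bash
#!/bin/sh
# Added verification helper; not part of the Syncplicity software or docs.
# For each DLP Connector host given on the command line it checks that the
# syncp-das unit is active (when run on that connector) and that /ping on
# port 9002 answers "pong". Versions before 1.2.0 used port 9001, so the
# port can be overridden with DLP_PORT. Requires curl.

DLP_PORT="${DLP_PORT:-9002}"

# 0 when a ping response body is exactly "pong" (whitespace ignored), else 1.
ping_response_ok() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$body" = "pong" ]
}

# 0 when `systemctl status` output reports an active (running) unit, else 1.
status_output_ok() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Check one connector. The unit check only applies when this script runs on
# the connector itself; the HTTP ping works from any host that can reach it.
verify_dlp_connector() {
    host="$1"
    rc=0
    if command -v systemctl >/dev/null 2>&1; then
        if status_output_ok "$(systemctl status syncp-das.service 2>&1)"; then
            echo "$host: syncp-das unit is active (running)"
        else
            echo "$host: syncp-das unit is NOT running; check journalctl -xe" >&2
            rc=1
        fi
    fi
    reply=$(curl -sS --max-time 5 "http://$host:$DLP_PORT/ping" 2>&1)
    if ping_response_ok "$reply"; then
        echo "$host: /ping answered pong"
    else
        echo "$host: /ping failed or unexpected reply: $reply" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh verify_dlp.sh dlp1.example.internal dlp2.example.internal
# (host names are placeholders)
for h in "$@"; do
    verify_dlp_connector "$h" || exit 1
done
```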

Check ActionMQ connection

To verify the connection to the ActionMQ, navigate to the Admin | Settings | Data Loss Prevention (DLP) page. Scroll down to the StorageVaults section, select the radio button for Selective StorageVaults, and enter the URL for your DLP Connector. Then scroll to the Scanning Status section and click the Refresh status link. If the statistics for the Current Queue and Historical Queue refresh without any errors, the ActionMQ has been created correctly. Once you have started uploading files to be scanned by the DLP Engine, you should see the statistics on this page update. Here is an example:

DLP_Verify_Queue.png

Troubleshooting

The following are guidelines for troubleshooting errors.

Error #1

Can't get messages from the queue. com.syncplicity.dlp.queue.QueueException: Can't get messages

Description

The DLP Connector cannot retrieve messages from ActionMQ.

Solution

Check the DLP Connector configuration file /etc/syncp-das/syncp-das.yml to ensure that all syncplicity.das.dlp.actionmq.* properties are configured correctly. Refer to the Configure DLP Settings section of this document. Specifically:

url matches the correct ActionMQ in the PrivacyRegion URL for your company.

queueName value matches the format "1.file.<storagevault_id>", where <storagevault_id> is the correct string (taken from the Manage StorageVault Settings page) with the "-" removed.

jwtIssuer value matches the format "<storagevault_id>", where <storagevault_id> is the correct string (taken from the Manage StorageVault Settings page) with the "-" removed.

If you updated any of these settings in the syncp-das.yml file, make sure to restart the DLP Connector service by entering

sudo systemctl restart syncp-das

If all of these values are entered correctly, and you've restarted the DLP Connector service, and you are still getting this error, please contact Syncplicity Technical Support.
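The following shell script is an added example, not part of the Syncplicity documentation. It derives the expected queueName and jwtIssuer from a StorageVault ID as described above and compares them with the values found in syncp-das.yml. It assumes the keys appear in the file as queueName: and jwtIssuer: (either nested under the actionmq block or written as dotted keys); the StorageVault ID in the usage comment is a constructed placeholder.

```bash
#!/bin/sh
# Added consistency check for Error #1; not part of the Syncplicity docs.
# Derives the expected queueName ("1.file.<id without dashes>") and
# jwtIssuer ("<id without dashes>") from a StorageVault ID and compares
# them with the values in syncp-das.yml. Assumes the keys appear in the
# file as "queueName:" and "jwtIssuer:", either nested under the
# syncplicity.das.dlp.actionmq block or written as dotted keys.

# Strip the "-" characters from a StorageVault ID.
normalize_vault_id() {
    printf '%s' "$1" | tr -d '-'
}

expected_queue_name() {
    printf '1.file.%s' "$(normalize_vault_id "$1")"
}

# Print the value of a scalar YAML key (first match), surrounding quotes
# and whitespace removed. Usage: yaml_value <file> <key>
yaml_value() {
    sed -n "s/^[[:space:]]*\([A-Za-z.]*\.\)\{0,1\}$2:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/^["'"'"']//; s/["'"'"']*[[:space:]]*$//'
}

# Compare configured and expected values; report each mismatch on stderr
# and return the number of mismatches (0 means consistent).
# Usage: check_actionmq_config <yml_file> <storagevault_id>
check_actionmq_config() {
    file="$1"; vault="$2"; bad=0
    want_q=$(expected_queue_name "$vault")
    want_i=$(normalize_vault_id "$vault")
    have_q=$(yaml_value "$file" queueName)
    have_i=$(yaml_value "$file" jwtIssuer)
    if [ "$have_q" != "$want_q" ]; then
        echo "queueName: found '$have_q', expected '$want_q'" >&2
        bad=$((bad + 1))
    fi
    if [ "$have_i" != "$want_i" ]; then
        echo "jwtIssuer: found '$have_i', expected '$want_i'" >&2
        bad=$((bad + 1))
    fi
    return $bad
}

# Example run on a connector (the StorageVault ID is a constructed placeholder):
#   check_actionmq_config /etc/syncp-das/syncp-das.yml \
#       1234abcd-5678-ef01-2345-6789abcdef01 && echo "actionmq settings consistent"
```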

Error #2

Can't generate JWT token java.io.FileNotFoundException: Can't find keystore

Description

The JWT token cannot be generated because of a problem accessing the Java keystore.

Solution

Check the DLP Connector configuration file /etc/syncp-das/syncp-das.conf to ensure that the location of the keyStore.p12 is configured correctly. Refer to the Configure DLP Settings section of this document.

Check that the syncp-das user has read access to the Java keystore. For example, you can set the owner of the keystore:

sudo chown syncp-das:syncp-das /etc/syncp-das/keyStore.p12

Error #3

Cannot connect to ICAP server: 10.250.240.230:1344 for message id=11360750.203942046 com.syncplicity.dlp.icap.IcapCantConnectException: Cannot connect to ICAP server: 10.250.240.230:1344

Note: 10.250.240.230 is an example IP address.

Description

The DLP Connector cannot communicate with the ICAP server of the DLP Engine.

Solution

Check the DLP Connector configuration file /etc/syncp-das/syncp-das.yml to ensure that the syncplicity.das.dlp.processors.uri property is configured correctly. Refer to the Configure DLP Settings section of this document.

Verify that the ICAP server for the DLP Engine is running and that the internal firewall rules are not blocking traffic between the DLP Connector and the ICAP server.

Error #4

Orchestration response: 403 Unauthorized Storage Endpoint

Description

The Access Key configured for this DLP Connector does not match the Access Key for this StorageVault, or is invalid.

Solution

Check the DLP Connector configuration file /etc/syncp-das/syncp-das.conf to ensure that the syncplicity.ws.accesskey property is configured correctly. Refer to the Configure DLP Settings section of this document.

Error #5

The syncp-das service is not started

Solution

If the syncp-das service is not running you can quickly review errors for details with the following commands:

systemctl status syncp-das.service

journalctl -xe
