Syncplicity Support

DLP/AV configuration parameters

For DLP/AV Connector 2.x and higher, the configuration parameters that the DLP/AV connector uses are stored in one configuration file on the DLP Connector virtual machine - /etc/syncp-das/syncp-das.yml.

For DLP Connector 1.2.x, configuration parameters are stored in two configuration files. The two files handle the different aspects of the connections that the DLP server needs. The parameters related to the StorageVaults connections are stored in a /etc/syncp-das/syncp-das.conf file, while the parameters related to the DLP server are stored in a /etc/syncp-das/syncp-das.yml file.

List of configuration properties

The following tables contain detailed descriptions of the properties that are stored in these files.

DLP or AV activation

| Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
| --- | --- | --- | --- | --- | --- |
| spring.profiles.active | Y | Sets active Spring profiles. For DLP/AV Connector, the value of this parameter can be dlp or avs (lower-case letters). Enter the two values, separated by a comma, if you want to activate both DLP and AV. NOTE: For DLP Connector 1.2.x, only DLP can be activated if the value is set as DLP (capital letters). | | Text | Yes |

Secure key encryption

| Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
| --- | --- | --- | --- | --- | --- |
| syncplicity.crypto.compression | Y | Sets the type of compression used for the storage endpoint. Valid values: BZIP2, ZIP, ZLIB, NONE. | ZLIB | Text | No |
| syncplicity.crypto.encryption | Y | Sets the type of the encryption algorithm configured for the storage endpoint. Valid values: AES256, NONE. | AES256 | Text | No |
| syncplicity.crypto.keyStore.enforced | Y | Determines whether secure credentials are enforced. If set to true, secure credentials are retrieved from the keystore. | true | Boolean | No |
| syncplicity.crypto.keyStore.file | Y | Sets the path to the keystore file. The path must be absolute, relative paths are not supported. | /etc/syncp-storage/keyStore.p12 | Text | Yes |
| syncplicity.crypto.keyStore.password | Y | When syncplicity.crypto.keyStore.enforced is false, this setting holds the keystore unlock password. | | Text/hidden | No |
| syncplicity.crypto.keyStore.type | Y | Sets the type of the keystore file. Valid values are JCEKS, JKS, DKS, PKCS11, PKCS12. | PKCS12 | Text | No |

DLP Configuration parameters

| Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
| --- | --- | --- | --- | --- | --- |
| syncplicity.das.dlp.actionmq.url | Y | The URL of the ActionMQ instance. For companies in the US PrivacyRegion, enter https://amq.syncplicity.com/api/v1/ For companies in the EU PrivacyRegion, enter https://amq.eu.syncplicity.com/api/v1/ | https://amq.syncplicity.com/api/v1/ | Text (URL) | Yes |
| syncplicity.das.dlp.actionmq.queueName | Y | The name of the queue for getting messages. The queue is created once the DLP feature is enabled for the StorageVault. The queue name is constructed using the following pattern: "1.file.<storagevault_id>". The <storagevault_id> portion of this string is what you collected in Step 4, and should be entered without the dashes in the string. | | Text | Yes |
| syncplicity.das.dlp.actionmq.batchSize | syncplicity.das.dlp.manager.batchSize | The number of messages for each batch request to ActionMQ. The minimum is 1 and the maximum is 100 messages. | 100 | Number | No |
| syncplicity.das.dlp.actionmq.keyAlias | Y | The alias for the private key in keystore. | actionMQKey | Text | Yes |
| syncplicity.das.dlp.actionmq.keyPassword | Y | Password for the private key in keystore. | N/A | Text | No |
| syncplicity.das.dlp.actionmq.jwtTokenValidityPeriod | Y | Time (in seconds) the JWT is valid. This should not be set to a value greater than the same parameter on the ActionMQ side. This mechanism strictly requires time synchronization on the DLP node. | 1800 | Number | No |
| syncplicity.das.dlp.actionmq.jwtTokenSkew | Y | Time (in seconds) before the token expires and a new token is generated. For example, if the token is valid until 10:15:27 with skew parameter = 10, it is replaced with a new token at 10:15:17. This is needed to eliminate request rejections because of token expiration. | 10 | Number | No |
| syncplicity.das.dlp.actionmq.jwtIssuer | Y | The StorageVault ID that the DLP Connector is working against. Enter the <storagevault_id> you collected in Step 4, without the dashes in the string. | | Text | Yes |
| syncplicity.das.dlp.actionmq.readTimeout | Y | Time in seconds, after which the read operation will time out. | 30000 | Number | No |
| syncplicity.das.dlp.actionmq.connectionTimeout | Y | Time in seconds, after which the connection will time out. | 5000 | Number | No |
| syncplicity.das.dlp.actionmq.sleepTime | syncplicity.das.dlp.manager.sleepTime | Timeout in seconds between requests to ActionMQ if the previous request returned 0 messages (the queue is empty). | 30 | Number | No |
| syncplicity.das.dlp.manager.workersCount | Y | This parameter specifies the number of worker threads in the pool that are processing incoming messages in parallel. The minimum value is 1 worker. | 250 | Number | No |
| syncplicity.das.dlp.manager.shutdownTimeout | Y | Timeout in seconds for a graceful shutdown of the DLP Connector by stopping syncp-das service. After this timeout all working threads are killed. | 60 | Number | No |
| syncplicity.das.dlp.processors.alias | Y | The alias for DLP Server processors. This value is a sequence of mappings. You can have more than one processor alias. The values for the .processors.uri, .processors.proxy, and .processors.target that follow an - alias property apply to that property. See Sequence of Mappings in the Collections section of the YAML specification. | | Text | Yes |
| syncplicity.das.dlp.processors.uri | Y | The URL to the ICAP server interface presented by the DLP Engine for the preceding alias. Example: icap://<DLP Engine Url>:1344/response | | Text (URL) | Yes |
| N/A | syncplicity.das.dlp.processors.proxy | Disabled by default. Enables and specifies the proxy to the DLP Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP Engine, and network traffic is going through a proxy. Example value: http://10.250.240.235:3128 For DLP/AV Connector 2.x, this setting is broken down into multiple ones (see directly below). | | Text (URL) | No |
| syncplicity.das.dlp.processors.proxy.enabled | N | Enables the proxy to the DLP Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP/AV Engine, and network traffic is going through a proxy. | false | Text | No |
| syncplicity.das.dlp.processors.proxy.host | N | Specifies the host of the proxy to the DLP Engine for the preceding alias. | | Text (URL) | No |
| syncplicity.das.dlp.processors.proxy.port | N | The port used for the proxy to the DLP Engine for the preceding alias. | 3128 | Number | No |
| syncplicity.das.dlp.processors.proxy.type | N | Specifies the proxy type for the DLP engine for the preceding alias. | http | Text | No |
| syncplicity.das.dlp.processors.target | Y | The header name in the response from the DLP server, where the ICAP client can get the reason for blocking. The value from the selected header is saved as the description of the ScanResult. Header names differ for different DLP engines. For example: DigitalGuardian: "X-Virus-ID" or "X-Infection-Found" or "X-Violations-Found"; McAfee: "X-Infection-Found" or "X-Violations-Found"; Symantec: "X-Infection-Found" or "X-Violations-Found". This list is not definitive, as these headers are also configurable for some of the DLP servers. Please check with your DLP server administrator which header to use. A detailed description of each header can be found in the ICAP specification: https://tools.ietf.org/html/draft-stecher-icap-subid-00 | | Text | No |
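
The constraints stated in the keystore and DLP tables above can be checked before the syncp-das service is restarted. The following lint is an added example, not Syncplicity tooling: the function name lint_dlp_config is hypothetical, it assumes the settings have already been loaded into a flat dict keyed by the dotted property names, and the sample StorageVault IDs are constructed. The skew-versus-validity check is inferred from the page's description of jwtTokenSkew.

```python
from posixpath import isabs

AMQ = "syncplicity.das.dlp.actionmq."
KS = "syncplicity.crypto.keyStore."
# The two ActionMQ endpoints the page documents (US and EU PrivacyRegion).
AMQ_URLS = {"https://amq.syncplicity.com/api/v1/",
            "https://amq.eu.syncplicity.com/api/v1/"}


def lint_dlp_config(cfg):
    """Check a flat {dotted.property: value} dict; return a list of findings."""
    out = []
    issuer = str(cfg.get(AMQ + "jwtIssuer", ""))
    if not issuer or "-" in issuer:
        out.append("jwtIssuer: StorageVault ID missing or still contains dashes")
    # Queue name pattern for DLP: 1.file.<storagevault_id>, ID without dashes.
    if cfg.get(AMQ + "queueName") != "1.file." + issuer.replace("-", ""):
        out.append("queueName: does not match 1.file.<storagevault_id>")
    if cfg.get(AMQ + "url") not in AMQ_URLS:
        out.append("url: not one of the documented ActionMQ endpoints")
    if not 1 <= int(cfg.get(AMQ + "batchSize", 100)) <= 100:
        out.append("batchSize: must be between 1 and 100")
    validity = int(cfg.get(AMQ + "jwtTokenValidityPeriod", 1800))
    skew = int(cfg.get(AMQ + "jwtTokenSkew", 10))
    # Inferred: a skew >= validity would replace every token as soon as issued.
    if not 0 <= skew < validity:
        out.append("jwtTokenSkew: must be smaller than jwtTokenValidityPeriod")
    if not isabs(str(cfg.get(KS + "file", "/etc/syncp-storage/keyStore.p12"))):
        out.append("keyStore.file: path must be absolute")
    # With enforced=false the unlock password is read from keyStore.password,
    # i.e. it sits in the config file; surface that for review.
    if cfg.get(KS + "enforced", True) is False:
        out.append("keyStore.enforced: false, unlock password held in config")
    return out


# Constructed sample values, not taken from a real deployment.
SAMPLE_OK = {
    AMQ + "url": "https://amq.eu.syncplicity.com/api/v1/",
    AMQ + "jwtIssuer": "0f8fad5bd9cb469fa16570867728950e",
    AMQ + "queueName": "1.file.0f8fad5bd9cb469fa16570867728950e",
}
SAMPLE_BAD = {**SAMPLE_OK,
    AMQ + "jwtIssuer": "0f8fad5b-d9cb-469f-a165-70867728950e",
    AMQ + "queueName": "6.file.0f8fad5bd9cb469fa16570867728950e",
    AMQ + "batchSize": 500,
    KS + "file": "keyStore.p12",
    KS + "enforced": False,
}
```

Calling lint_dlp_config(SAMPLE_BAD) reports the dashed issuer, the AVS-style "6.file." queue prefix used in a DLP block, the oversized batch, the relative keystore path, and the unenforced keystore.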

AVS configuration parameters

This is only available for DLP/AV connector 2.x and higher.


| Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
| --- | --- | --- | --- | --- | --- |
| syncplicity.das.avs.actionmq.url | N | The URL of the ActionMQ instance. For companies in the US PrivacyRegion, enter https://amq.syncplicity.com/api/v1/ For companies in the EU PrivacyRegion, enter https://amq.eu.syncplicity.com/api/v1/ | https://amq.syncplicity.com/api/v1/ | Text (URL) | Yes |
| syncplicity.das.avs.actionmq.queueName | N | The name of the queue for getting messages. The queue is created once the AVS feature is enabled for the StorageVault. The queue name is constructed using the following pattern: "6.file.<storagevault_id>". The <storagevault_id> portion of this string is what you collected in Step 4, and should be entered without the dashes in the string. | | Text | Yes |
| syncplicity.das.avs.actionmq.batchSize | N | The number of messages for each batch request to ActionMQ. The minimum is 1 and the maximum is 100 messages. | 100 | Number | No |
| syncplicity.das.avs.actionmq.keyAlias | N | The alias for the private key in keystore. | actionMQKey | Text | Yes |
| syncplicity.das.avs.actionmq.keyPassword | N | Password for the private key in keystore. | N/A | Text | No |
| syncplicity.das.avs.actionmq.jwtTokenValidityPeriod | N | Time (in seconds) the JWT is valid. This should not be set to a value greater than the same parameter on the ActionMQ side. This mechanism strictly requires time synchronization on the AVS node. | 1800 | Number | No |
| syncplicity.das.avs.actionmq.jwtTokenSkew | N | Time (in seconds) before the token expires and a new token is generated. For example, if the token is valid until 10:15:27 with skew parameter = 10, it is replaced with a new token at 10:15:17. This is needed to eliminate request rejections because of token expiration. | 10 | Number | No |
| syncplicity.das.avs.actionmq.jwtIssuer | N | The StorageVault ID that the DLP/AV Connector is working against. Enter the <storagevault_id> you collected in Step 4, without the dashes in the string. | | Text | Yes |
| syncplicity.das.avs.actionmq.readTimeout | N | Time in seconds, after which the read operation will time out. | 30000 | Number | No |
| syncplicity.das.avs.actionmq.connectionTimeout | N | Time in seconds, after which the connection will time out. | 5000 | Number | No |
| syncplicity.das.avs.actionmq.sleepTime | N | Timeout in seconds between requests to ActionMQ if the previous request returned 0 messages (the queue is empty). | 30 | Number | No |
| syncplicity.das.avs.manager.workersCount | N | This parameter specifies the number of worker threads in the pool that are processing incoming messages in parallel. The minimum value is 1 worker. | 250 | Number | No |
| syncplicity.das.avs.manager.shutdownTimeout | N | Timeout in seconds for a graceful shutdown of the DLP/AV Connector by stopping syncp-das service. After this timeout all working threads are killed. | 60 | Number | No |
| syncplicity.das.avs.processors.alias | N | The alias for AVS Server processors. This value is a sequence of mappings. You can have more than one processor alias. The values for the .processors.uri, .processors.proxy, and .processors.target that follow an - alias property apply to that property. See Sequence of Mappings in the Collections section of the YAML specification. | | Text | Yes |
| syncplicity.das.avs.processors.uri | N | The URL to the ICAP server interface presented by the DLP/AV Engine for the preceding alias. Example: icap://<DLP Engine Url>:1344/response | | Text (URL) | Yes |
| syncplicity.das.avs.processors.proxy.enabled | N | Enables the proxy to the DLP/AV Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP/AV Engine, and network traffic is going through a proxy. | false | Text | No |
| syncplicity.das.avs.processors.proxy.host | N | Specifies the host of the proxy to the DLP/AV Engine for the preceding alias. | | Text (URL) | No |
| syncplicity.das.avs.processors.proxy.port | N | The port used for the proxy to the DLP/AV Engine for the preceding alias. | 3128 | Number | No |
| syncplicity.das.avs.processors.proxy.type | N | Specifies the proxy type for the DLP/AV engine for the preceding alias. | http | Text | No |
| syncplicity.das.avs.processors.target | N | The header name in the response from the DLP/AV server, where the ICAP client can get the reason for blocking. The value from the selected header is saved as the description of the ScanResult. Header names differ for different DLP engines. For example: DigitalGuardian: "X-Virus-ID" or "X-Infection-Found" or "X-Violations-Found"; McAfee: "X-Infection-Found" or "X-Violations-Found"; Symantec: "X-Infection-Found" or "X-Violations-Found". This list is not definitive, as these headers are also configurable for some of the DLP servers. Please check with your DLP server administrator which header to use. A detailed description of each header can be found in the ICAP specification: https://tools.ietf.org/html/draft-stecher-icap-subid-00 | | Text | No |
| syncplicity.das.avs.processors.thumbprint | N | Value of the thumbprint of the ICAP processor certificate, if the user wants to use ICAP over an SSL connection (icaps://). This needs to be set in cases where the connection cannot be established because the DLP/AV connector does not trust the certificate. | | Text | No |

Storage configuration

The parameters used for storage configuration in the /etc/syncp-das/syncp-das.yml file are exactly the same as the ones in the Storage connector. See the Storage configuration section in Storage Connector configuration parameters for more information.

ICAP configuration

| Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
| --- | --- | --- | --- | --- | --- |
| syncplicity.das.icap.client.maxContentLengthToScan | syncplicity.das.dlp.icap.client.maxContentLengthToScan | Maximum content length in bytes to scan; if set to 0 the content length is not limited. The default value is 26214400 (25 MB). If the DLP Engine has a configuration option to scan only first X bytes of the file (e.g. 'FileReader.MaxFileSize' option for Symantec DLP Engine), the value of this parameter should match the value set in the DLP engine configuration. | 26214400 for DLP 1.2.x; 0 for DLP/AV 2.x | Number | Yes |
| syncplicity.das.icap.client.includeFileName | syncplicity.das.dlp.icap.client.includeFileName | Name of the file sent to be scanned. | | Text | No |
| syncplicity.das.icap.client.includeMIMEType | syncplicity.das.dlp.icap.client.includeMIMEType | MIME type of the file sent to be scanned. | | Text | No |
| syncplicity.das.icap.client.socket.receiveBufferSize | syncplicity.das.dlp.icap.client.socket.receiveBufferSize | Indicates the size of the underlying buffers used by the platform for incoming network I/O. | 0 | Number | No |
| syncplicity.das.icap.client.socket.sendBufferSize | syncplicity.das.dlp.icap.client.socket.sendBufferSize | Indicates the size of the underlying buffers used by the platform for outgoing network I/O. | 0 | Number | No |
| syncplicity.das.icap.client.socket.soTimeout | syncplicity.das.dlp.icap.client.socket.soTimeout | Timeout (in seconds) on blocking Socket operations. | DLP 1.2.x - 30000; DLP/AV 2.x - 180000 | Number | No |
| syncplicity.das.icap.client.socket.connectTimeout | syncplicity.das.dlp.icap.client.socket.connectTimeout | Socket connection timeout (in seconds). | 3000 | Number | No |
| syncplicity.das.icap.client.socket.tcpNoDelay | syncplicity.das.dlp.icap.client.socket.tcpNoDelay | When enabled, written data to the network is not buffered pending acknowledgement of previously written data. | true | Boolean | No |
