For DLP/AV Connector 2.x and higher, the configuration parameters that the DLP/AV Connector uses are stored in one configuration file on the DLP Connector virtual machine: /etc/syncp-das/syncp-das.yml.
For DLP Connector 1.2.x, configuration parameters are stored in two configuration files. The two files handle the different aspects of the connections that the DLP server needs. The parameters related to the StorageVaults connections are stored in the /etc/syncp-das/syncp-das.conf file, while the parameters related to the DLP server are stored in the /etc/syncp-das/syncp-das.yml file.
List of configuration properties
The following tables contain detailed descriptions of the properties that are stored in these files.
DLP or AV activation
Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
---|---|---|---|---|---|
spring.profiles.active | Y | Sets active Spring profiles. For DLP/AV Connector, the value of this parameter can be NOTE: For DLP Connector 1.2.x, only DLP can be activated if the value as set as | Text | Yes |
Secure key encryption
Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
---|---|---|---|---|---|
syncplicity.crypto.compression | Y | Sets the type of compression used for the storage endpoint. Valid values: BZIP2, ZIP, ZLIB, NONE | ZLIB | Text | No |
syncplicity.crypto.encryption | Y | Sets the type of the encryption algorithm configured for the storage endpoint. Valid values: AES256, NONE | AES256 | Text | No |
syncplicity.crypto.keyStore.enforced | Y | Determines whether secure credentials are enforced. If set to true, secure credentials are retrieved from the keystore. | true | Boolean | No |
syncplicity.crypto.keyStore.file | Y | Sets the path to the keystore file. The path must be absolute; relative paths are not supported. | /etc/syncp-storage/keyStore.p12 | Text | Yes |
syncplicity.crypto.keyStore.password | Y | When syncplicity.crypto.keyStore.enforced is false, this setting holds the keystore unlock password. | | Text/hidden | No |
syncplicity.crypto.keyStore.type | Y | Sets the type of the keystore file. Valid values are JCEKS, JKS, DKS, PKCS11, PKCS12 | PKCS12 | Text | No |
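
The constraints in the table above can be checked before the connector is started. The following is an added example, not code from the connector itself; the function name `audit_crypto` is hypothetical, and it assumes the YAML file has already been loaded and flattened into a dictionary keyed by the dotted setting names used in the table.

```python
import posixpath

# Allowed values and defaults, copied from the "Secure key encryption" table.
VALID = {
    "syncplicity.crypto.compression": {"BZIP2", "ZIP", "ZLIB", "NONE"},
    "syncplicity.crypto.encryption": {"AES256", "NONE"},
    "syncplicity.crypto.keyStore.type": {"JCEKS", "JKS", "DKS", "PKCS11", "PKCS12"},
}
DEFAULTS = {
    "syncplicity.crypto.compression": "ZLIB",
    "syncplicity.crypto.encryption": "AES256",
    "syncplicity.crypto.keyStore.type": "PKCS12",
    "syncplicity.crypto.keyStore.enforced": True,
}

def audit_crypto(settings):
    """Return (severity, message) findings for a flat dict of settings."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    for key, allowed in VALID.items():
        if str(cfg[key]) not in allowed:
            findings.append(("error", f"{key}={cfg[key]!r} not in {sorted(allowed)}"))
    if cfg["syncplicity.crypto.encryption"] == "NONE":
        findings.append(("warn", "no encryption algorithm is configured (NONE)"))
    path = cfg.get("syncplicity.crypto.keyStore.file")
    if not path:
        findings.append(("error", "keyStore.file is required"))
    elif not posixpath.isabs(path):
        findings.append(("error", f"keyStore.file {path!r} must be an absolute path"))
    # With enforcement off, the unlock password is read from the file itself.
    enforced_off = str(cfg["syncplicity.crypto.keyStore.enforced"]).lower() == "false"
    if enforced_off and cfg.get("syncplicity.crypto.keyStore.password"):
        findings.append(("warn", "keyStore.enforced is false and the keystore "
                                 "unlock password is held in the configuration file"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_WEAK = {
    "syncplicity.crypto.encryption": "NONE",
    "syncplicity.crypto.keyStore.file": "keyStore.p12",
    "syncplicity.crypto.keyStore.enforced": False,
    "syncplicity.crypto.keyStore.password": "example-only",
}

if __name__ == "__main__":
    for severity, message in audit_crypto(SAMPLE_WEAK):
        print(severity, message)
```
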
DLP Configuration parameters
Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
---|---|---|---|---|---|
syncplicity.das.dlp.actionmq.url | Y | The URL of the ActionMQ instance. For companies in the US PrivacyRegion, enter https://amq.syncplicity.com/api/v1/ For companies in the EU PrivacyRegion, enter https://amq.eu.syncplicity.com/api/v1/ | https://amq.syncplicity.com/api/v1/ | Text (URL) | Yes |
syncplicity.das.dlp.actionmq.queueName | Y | The name of the queue for getting messages. The queue is created once the DLP feature is enabled for the StorageVault. The queue name is constructed using the following pattern: "1.file.<storagevault_id>". The <storagevault_id> portion of this string is what you collected in Step 4, and should be entered without the dashes in the string. | | Text | Yes |
syncplicity.das.dlp.actionmq.batchSize | syncplicity.das.dlp.manager.batchSize | The number of messages for each batch request to ActionMQ. The minimum is 1 and the maximum is 100 messages. | 100 | Number | No |
syncplicity.das.dlp.actionmq.keyAlias | Y | The alias for the private key in keystore. | actionMQKey | Text | Yes |
syncplicity.das.dlp.actionmq.keyPassword | Y | Password for the private key in keystore. | N/A | Text | No |
syncplicity.das.dlp.actionmq.jwtTokenValidityPeriod | Y | Time (in seconds) the JWT is valid. This should not be set to a value greater than the same parameter on the ActionMQ side. This mechanism strictly requires time synchronization on the DLP node. | 1800 | Number | No |
syncplicity.das.dlp.actionmq.jwtTokenSkew | Y | Time (in seconds) before the token expires and a new token is generated. For example, if the token is valid until 10:15:27 with skew parameter = 10, it is replaced with a new token at 10:15:17. This is needed to eliminate request rejections because of token expiration. | 10 | Number | No |
syncplicity.das.dlp.actionmq.jwtIssuer | Y | The StorageVault ID that the DLP Connector is working against. Enter the <storagevault_id> you collected in Step 4, without the dashes in the string. | | Text | Yes |
syncplicity.das.dlp.actionmq.readTimeout | Y | Time in seconds, after which the read operation will time out. | 30000 | Number | No |
syncplicity.das.dlp.actionmq.connectionTimeout | Y | Time in seconds, after which the connection will time out. | 5000 | Number | No |
syncplicity.das.dlp.actionmq.sleepTime | syncplicity.das.dlp.manager.sleepTime | Timeout in seconds between requests to ActionMQ if the previous request returned 0 messages (the queue is empty). | 30 | Number | No |
syncplicity.das.dlp.manager.workersCount | Y | This parameter specifies the number of worker threads in the pool that are processing incoming messages in parallel. The minimum value is 1 worker. | 250 | Number | No |
syncplicity.das.dlp.manager.shutdownTimeout | Y | Timeout in seconds for a graceful shutdown of the DLP Connector by stopping syncp-das service. After this timeout all working threads are killed. | 60 | Number | No |
syncplicity.das.dlp.processors.alias | Y | The alias for DLP Server processors. This value is a sequence of mappings. You can have more than one processor alias. The values for the .processors.uri, .processors.proxy, and .processors.target that follow an - alias property apply to that property. See Sequence of Mappings in the Collections section of the YAML specification. | | Text | Yes |
syncplicity.das.dlp.processors.uri | Y | The URL to the ICAP server interface presented by the DLP Engine for the preceding alias. Example: icap://<DLP Engine Url>:1344/response | | Text (URL) | Yes |
N/A | syncplicity.das.dlp.processors.proxy | Disabled by default. Enables and specifies the proxy to the DLP Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP Engine, and network traffic is going through a proxy. Example value: http://10.250.240.235:3128. For DLP/AV Connector 2.x, this setting is broken down into multiple ones (see directly below). | | Text (URL) | No |
syncplicity.das.dlp.processors.proxy.enabled | N | Enables the proxy to the DLP Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP/AV Engine, and network traffic is going through a proxy. | false | Text | No |
syncplicity.das.dlp.processors.proxy.host | N | Specifies the host of the proxy to the DLP Engine for the preceding alias. | | Text | No |
syncplicity.das.dlp.processors.proxy.port | N | The port used for the proxy to the DLP Engine for the preceding alias. | 3128 | Number | No |
syncplicity.das.dlp.processors.proxy.type | N | Specifies the proxy type for the DLP engine for the preceding alias. | http | Text | No |
syncplicity.das.dlp.processors.target | Y | The header name in the response from the DLP server, where the ICAP client can get the reason for blocking. The value from the selected header is saved as the description of ScanResult. Header names differ for different DLP engines. For example:
The list above is not definitive, as these headers are also configurable for some of the DLP servers. Please check with your DLP server administrator which header to use. A detailed description of each header can be found in the ICAP specification: https://tools.ietf.org/html/draft-stecher-icap-subid-00 | | Text | No |
AVS configuration parameters
This is only available for DLP/AV Connector 2.x and higher.
Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
---|---|---|---|---|---|
syncplicity.das.avs.actionmq.url | N | The URL of the ActionMQ instance. For companies in the US PrivacyRegion, enter https://amq.syncplicity.com/api/v1/ For companies in the EU PrivacyRegion, enter https://amq.eu.syncplicity.com/api/v1/ | https://amq.syncplicity.com/api/v1/ | Text (URL) | Yes |
syncplicity.das.avs.actionmq.queueName | N | The name of the queue for getting messages. The queue is created once the AVS feature is enabled for the StorageVault. The queue name is constructed using the following pattern: "6.file.<storagevault_id>". The <storagevault_id> portion of this string is what you collected in Step 4, and should be entered without the dashes in the string. | | Text | Yes |
syncplicity.das.avs.actionmq.batchSize | N | The number of messages for each batch request to ActionMQ. The minimum is 1 and the maximum is 100 messages. | 100 | Number | No |
syncplicity.das.avs.actionmq.keyAlias | N | The alias for the private key in keystore. | actionMQKey | Text | Yes |
syncplicity.das.avs.actionmq.keyPassword | N | Password for the private key in keystore. | N/A | Text | No |
syncplicity.das.avs.actionmq.jwtTokenValidityPeriod | N | Time (in seconds) the JWT is valid. This should not be set to a value greater than the same parameter on the ActionMQ side. This mechanism strictly requires time synchronization on the AVS node. | 1800 | Number | No |
syncplicity.das.avs.actionmq.jwtTokenSkew | N | Time (in seconds) before the token expires and a new token is generated. For example, if the token is valid until 10:15:27 with skew parameter = 10, it is replaced with a new token at 10:15:17. This is needed to eliminate request rejections because of token expiration. | 10 | Number | No |
syncplicity.das.avs.actionmq.jwtIssuer | N | The StorageVault ID that the DLP/AV Connector is working against. Enter the <storagevault_id> you collected in Step 4, without the dashes in the string. | | Text | Yes |
syncplicity.das.avs.actionmq.readTimeout | N | Time in seconds, after which the read operation will time out. | 30000 | Number | No |
syncplicity.das.avs.actionmq.connectionTimeout | N | Time in seconds, after which the connection will time out. | 5000 | Number | No |
syncplicity.das.avs.actionmq.sleepTime | N | Timeout in seconds between requests to ActionMQ if the previous request returned 0 messages (the queue is empty). | 30 | Number | No |
syncplicity.das.avs.manager.workersCount | N | This parameter specifies the number of worker threads in the pool that are processing incoming messages in parallel. The minimum value is 1 worker. | 250 | Number | No |
syncplicity.das.avs.manager.shutdownTimeout | N | Timeout in seconds for a graceful shutdown of the DLP/AV Connector by stopping syncp-das service. After this timeout all working threads are killed. | 60 | Number | No |
syncplicity.das.avs.processors.alias | N | The alias for AVS Server processors. This value is a sequence of mappings. You can have more than one processor alias. The values for the .processors.uri, .processors.proxy, and .processors.target that follow an - alias property apply to that property. See Sequence of Mappings in the Collections section of the YAML specification. | | Text | Yes |
syncplicity.das.avs.processors.uri | N | The URL to the ICAP server interface presented by the DLP/AV Engine for the preceding alias. Example: icap://<DLP Engine Url>:1344/response | | Text (URL) | Yes |
syncplicity.das.avs.processors.proxy.enabled | N | Enables the proxy to the DLP/AV Engine for the preceding alias. This is necessary when there is no direct connection between the DLP Connector and the ICAP server for the DLP/AV Engine, and network traffic is going through a proxy. | false | Text | No |
syncplicity.das.avs.processors.proxy.host | N | Specifies the host of the proxy to the DLP/AV Engine for the preceding alias. | | Text | No |
syncplicity.das.avs.processors.proxy.port | N | The port used for the proxy to the DLP/AV Engine for the preceding alias. | 3128 | Number | No |
syncplicity.das.avs.processors.proxy.type | N | Specifies the proxy type for the DLP/AV engine for the preceding alias. | http | Text | No |
syncplicity.das.avs.processors.target | N | The header name in the response from the DLP/AV server, where the ICAP client can get the reason for blocking. The value from the selected header is saved as the description of ScanResult. Header names differ for different DLP engines. For example:
The list above is not definitive, as these headers are also configurable for some of the DLP servers. Please check with your DLP server administrator which header to use. A detailed description of each header can be found in the ICAP specification: https://tools.ietf.org/html/draft-stecher-icap-subid-00 | | Text | No |
syncplicity.das.avs.processors.thumbprint | N | Thumbprint of the ICAP processor certificate, if the user wants to use ICAP over an SSL connection (icaps://). This needs to be set in cases where the connection cannot be established because the DLP/AV Connector does not trust the certificate. | | Text | No |
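
The ActionMQ rows in the DLP and AVS tables describe how the queue name and JWT issuer are derived from the StorageVault ID and how the token skew moves the refresh time. The following added example (not code from the connector) carries those rules out for both features; the function names are hypothetical, the StorageVault ID is a constructed placeholder, and the settings are assumed to be a flat dictionary keyed by the dotted names from the tables.

```python
from datetime import datetime, timedelta

# Queue-name prefixes from the tables: "1.file.<id>" for DLP, "6.file.<id>" for AVS.
QUEUE_PREFIX = {"dlp": "1", "avs": "6"}

def expected_queue_name(feature, storagevault_id):
    """Build the queue name from the StorageVault ID with its dashes removed."""
    return f"{QUEUE_PREFIX[feature]}.file.{storagevault_id.replace('-', '')}"

def token_refresh_time(valid_until, skew_seconds=10):
    """Time at which a new token is generated: skew_seconds before expiry."""
    return valid_until - timedelta(seconds=skew_seconds)

def check_actionmq(feature, settings, storagevault_id, server_validity=None):
    """Return a list of problems found in a flat dict of actionmq settings.

    server_validity is the ActionMQ-side validity period in seconds, if known.
    """
    prefix = f"syncplicity.das.{feature}.actionmq."
    get = lambda name, default=None: settings.get(prefix + name, default)
    problems = []
    if get("queueName") != expected_queue_name(feature, storagevault_id):
        problems.append("queueName is not <prefix>.file.<storagevault_id without dashes>")
    if get("jwtIssuer") != storagevault_id.replace("-", ""):
        problems.append("jwtIssuer is not the StorageVault ID without dashes")
    if not 1 <= get("batchSize", 100) <= 100:
        problems.append("batchSize must be between 1 and 100")
    validity = get("jwtTokenValidityPeriod", 1800)
    skew = get("jwtTokenSkew", 10)
    if skew >= validity:
        # Inferred, not stated on the page: the token would be replaced at once.
        problems.append("jwtTokenSkew must be smaller than jwtTokenValidityPeriod")
    if server_validity is not None and validity > server_validity:
        problems.append("jwtTokenValidityPeriod exceeds the ActionMQ-side value")
    return problems

# Constructed sample values; the StorageVault ID is a placeholder.
SAMPLE_VAULT_ID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
SAMPLE_DLP = {
    "syncplicity.das.dlp.actionmq.queueName": "1.file.0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "syncplicity.das.dlp.actionmq.jwtIssuer": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "syncplicity.das.dlp.actionmq.batchSize": 100,
}

if __name__ == "__main__":
    print(check_actionmq("dlp", SAMPLE_DLP, SAMPLE_VAULT_ID, server_validity=1800))
    print(token_refresh_time(datetime(2024, 1, 1, 10, 15, 27)))
```
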
Storage configuration
The parameters used for storage configuration in the /etc/syncp-das/syncp-das.yml file are exactly the same as the ones in the Storage connector. See the Storage configuration section in Storage Connector configuration parameters for more information.
ICAP configuration
Setting in DLP/AV Connector 2.0 and newer | Availability in DLP Connector 1.2.x | Description | Default Value | Type | Required |
---|---|---|---|---|---|
syncplicity.das.icap.client.maxContentLengthToScan | syncplicity.das.dlp.icap.client.maxContentLengthToScan | Maximum content length in bytes to scan; if set to 0 the content length is not limited. The default value is 26214400 (25 MB). If the DLP Engine has a configuration option to scan only first X bytes of the file (e.g. 'FileReader.MaxFileSize' option for Symantec DLP Engine), the value of this parameter should match the value set in the DLP engine configuration. | | Number | Yes |
syncplicity.das.icap.client.includeFileName | syncplicity.das.dlp.icap.client.includeFileName | Name of the file sent to be scanned. | | Text | No |
syncplicity.das.icap.client.includeMIMEType | syncplicity.das.dlp.icap.client.includeMIMEType | MIME type of the file sent to be scanned. | | Text | No |
syncplicity.das.icap.client.socket.receiveBufferSize | syncplicity.das.dlp.icap.client.socket.receiveBufferSize | Indicates the size of the underlying buffers used by the platform for incoming network I/O. | 0 | Number | No |
syncplicity.das.icap.client.socket.sendBufferSize | syncplicity.das.dlp.icap.client.socket.sendBufferSize | Indicates the size of the underlying buffers used by the platform for outgoing network I/O. | 0 | Number | No |
syncplicity.das.icap.client.socket.soTimeout | syncplicity.das.dlp.icap.client.socket.soTimeout | Timeout (in seconds) on blocking Socket operations. | DLP 1.2.x: 30000; DLP/AV 2.x: 180000 | Number | No |
syncplicity.das.icap.client.socket.connectTimeout | syncplicity.das.dlp.icap.client.socket.connectTimeout | Socket connection timeout (in seconds). | 3000 | Number | No |
syncplicity.das.icap.client.socket.tcpNoDelay | syncplicity.das.dlp.icap.client.socket.tcpNoDelay | When enabled, written data to the network is not buffered pending acknowledgement of previously written data. | true | Boolean | No |