Settings
Philter has many options to control how it operates. The options and how to configure them are described below.
The configuration for the types of sensitive information that Philter identifies are defined in filter profiles outside of Philter's general configuration properties described here.
Philter’s settings file is application.properties. This file is located in Philter’s installation directory, which is most likely /opt/philter. All changes to this files requires Philter to be restarted for the changes to take affect. To restart Philter execute the command:
sudo systemctl restart philter
These values configure the general operation operation of Philter. These settings do not typically need modified.
Setting | Description | Allowed Values | Default Value |
| The port Philter’s REST API listens on. | Any available port. |
|
| The directory in which to look for filter profiles. | Any valid directory path. |
|
| Overrides Philter’s log level. |
|
|
These values configure how Philter reports metrics during its operations. For more information on the metrics collected and reported see Metrics.
Philter writes metrics to standard out every 5 minutes. Additionally, Philter can report metrics via JMX, Datadog, and Amazon CloudWatch. You may enable any combination of metrics services, or none of them to disable metrics reporting.
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via JMX. |
|
|
Metrics will be published to Datadog every 60 seconds when enabled.
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via Datadog. |
|
|
| Your Datadog API key. | Any valid Datadog API key. |
|
If either or both of the metrics.cloudwatch.access.key or metrics.cloudwatch.secret.key properties are blank, Philter will attempt to automatically retrieve credentials from other places in the default AWS credentials chain, such as environment variables, system properties, and the EC2 instance's IAM role when publishing the metrics.
Metrics will be published to CloudWatch every 60 seconds when enabled.
The IAM user or role being used should have PutMetricData permissions.
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["cloudwatch:PutMetricData"],"Resource": "*"}]}
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via AWS CloudWatch. |
|
|
| The AWS CloudWatch region. | Any valid AWS region name. |
|
| The AWS CloudWatch access key. Leave blank to use IAM roles. | An AWS access key. | No default value. |
| The AWS CloudWatch secret key. Leave blank to use IAM roles. | An AWS secret key. | No default value. |
| The AWS CloudWatch namespace for the metrics. | Any valid CloudWatch Metrics namespace name. |
|
Philter's API can be configured to listen over SSL connections. When Philter is deployed via the AWS Marketplace, Windows Azure Marketplace or other third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate for your organization. When configured, the SSL listener will be available on the port defined by server.port.
Setting | Description | Allowed Values | Default Value |
| The type of keystore. |
| No default value. |
| Full path to the keystore file. | File path. | No default value. |
| The keystore’s password. | A valid password. | No default value. |
| The certificate alias in the keystore. | A valid alias. | No default value. |
| Whether or not SSL is enabled. |
|
|
An example configuration to enable SSL is shown below:
# SSL certificate settingsserver.ssl.key-store-type=PKCS12server.ssl.key-store=/opt/philter/ssl/philter.p12server.ssl.key-store-password=Password123!server.ssl.key-alias=philtersecurity.require-ssl=true
The command that generated the self-signed certificate referenced by the above configuration is:
keytool -genkeypair -keypass Password123! -dname "CN=philter, O=philter, C=US\ -alias philter -keyalg RSA -keysize 4096 -storepass Password123! -storetype PKCS12 -keystore /opt/philter/ssl/philter.p12 -validity 3650
The anonymization cache service is required to use consistent anonymization. The anonymization cache service stores sensitive information and its replacement values for future reference and replacement across documents and contexts.
The anonymization cache will contain sensitive information. It is important that you take the necessary precautions to secure the cache and all communication between Philter and the cache.
Setting | Description | Allowed Values | Default Value |
| Specifies the type of anonymization cache service. |
|
|
| The hostname or IP address of the Redis cache. | Any valid Redis endpoint. |
|
| The Redis cache port. | Any valid port. |
|
| Whether or not to use SSL for communication with the Redis cache. |
|
|
Philter can integrate with a Filter Profile Registry to provide centralized management of filter profiles. Usage of a Filter Profile Registry can be enabled by providing a value for the filter.profile.registry.endpoint property, and, similarly, can be disabled by not providing a value or by simply removing the property.
When a filter profile registry is used, filter profiles will first be looked for in the registry, and if not found, Philter will look for the filter profile locally in the location defined by filter.profiles.directory.
Setting | Description | Allowed Values | Default Value |
| The endpoint for the Filter Profile Registry. | A valid HTTP/s endpoint. | ​ |
The locations of sensitive information in text replaced by Philter can optionally be persisted to an Elasticsearch index. The Elasticsearch index can provide a historical reference of how the text was processed. The following settings control if this functionality is enabled and the connection details of the Elasticsearch instance.
This store will not contain sensitive information. It will only contain locations (character start and character end positions) in the input text that Philter identified as sensitive information.
Setting | Description | Allowed Values | Default Value |
| Whether or not to utilize the backend store for replaced values. |
|
|
| The name of the Elasticsearch index to use. | An index name. |
|
| The hostname or IP address of the Elasticsearch instance. | A hostname or IP address. | ​ |
| The protocol to use to connect to Elasticsearch. |
|
|
| The Elasticsearch port. | A valid port number. |
|
