Settings
Philter has many options to control how it operates. The options and how to configure them are described below.
The configuration for the types of sensitive information that Philter identifies are defined in filter profiles outside of Philter's configuration properties described on this page.
Philter’s settings file is application.properties. This file is located in Philter’s installation directory, which is most likely /opt/philter. All changes to this files requires Philter to be restarted for the changes to take affect. To restart Philter execute the following commands:
sudo systemctl restart philter.servicesudo systemctl restart philter-ner.service
Properties set via environment variables take precedence over properties set in Philter's settings file.
All of the following properties can also be set as environment variables by prepending PHILTER_ to the property name and changing periods to underscores. For example, the property filter.profiles.directory can be set using the environment variable PHILTER_FILTER_PROFILES_DIRECTORY by:
export PHILTER_FILTER_PROFILES_DIRECTORY=/profiles/
Setting or changing an environment variable requires Philter to be restarted. To restart Philter execute the following commands:
sudo systemctl restart philter.servicesudo systemctl restart philter-ner.service
Using environment variables to configure Philter instead of using Philter's settings file can allow for easier configuration management when deploying Philter.
Setting | Description | Allowed Values | Default Value |
| The directory in which to look for filter profiles. | Any valid directory path. |
|
These values configure Philter's span disambiguation feature to determine the most appropriate type of sensitive information when duplicate spans are identified. In a deployment of multiple Philter instances, you must enable the cache service for span disambiguation to work as expected.
​ | Description | Allowed Values | Default Value |
| Whether or not to enable span disambiguation. |
|
|
These values configure the authentication for Philter's API. For more information on Philter's API authentication see the API Authentication.
Setting | Description | Allowed Values | Default Value |
| Whether or not Philter's API requires authentication. |
|
|
| The API token. | Any alphanumeric string. | None |
These values configure how Philter reports metrics during its operations. For more information on the metrics collected and reported see Metrics. Philter can report metrics via JMX, Datadog, and Amazon CloudWatch. You may enable any combination of metrics services, or none of them to disable metrics reporting.
Setting | Description | Allowed Values | Default Value |
| A value used to prefix metric names. | Any value |
|
| A means for differentiating metrics across multiple instances of Philter. | Any value | None |
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via JMX. |
|
|
Metrics will be published to Datadog every 60 seconds when enabled.
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via Datadog. |
|
|
| Your Datadog API key. | Any valid Datadog API key. | None |
Metrics will be published to CloudWatch every 60 seconds when enabled. The value of metrics.hostname will be used as a dimension for the metrics.
Setting | Description | Allowed Values | Default Value |
| Enables metrics reporting via AWS CloudWatch. |
|
|
| The AWS CloudWatch region. | Any valid AWS region name. |
|
| The AWS CloudWatch namespace for the metrics. | Any valid CloudWatch Metrics namespace name. | None |
Philter will look for AWS credentials following the default AWS credentials chain (environment variables, default credentials file, instance profile credentials). When running in AWS using an instance profile via an IAM role is the preferred method. When not possible, using environment variables is recommended and can be set as shown below:
export AWS_ACCESS_KEY_ID="your-access-key"export AWS_SECRET_ACCESS_KEY="your-secret-key"
The IAM user or role being used must have PutMetricData permissions. An example policy is shown below.
{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["cloudwatch:PutMetricData"],"Resource": "*"}]}
Philter's API can be configured to listen over SSL connections. When Philter is deployed via the AWS Marketplace, Windows Azure Marketplace or other third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate for your organization. When configured, the SSL listener will be available on the port defined by server.port. To enable Philter's SSL listener, provide the following properties:
Setting | Description | Allowed Values | Default Value |
| The type of keystore. |
| None |
| Full path to the keystore file. | File path. | None |
| The keystore’s password. | A valid password. | None |
| The certificate alias in the keystore. | A valid alias. | None |
An example configuration to enable SSL is shown below:
# SSL certificate settingsserver.ssl.key-store-type=PKCS12server.ssl.key-store=/opt/philter/ssl/philter.p12server.ssl.key-store-password=Password123!server.ssl.key-alias=philtersecurity.require-ssl=true
The command that generated the self-signed certificate referenced by the above configuration is:
keytool -genkeypair -keypass Password123! -dname "CN=philter, O=philter, C=US\ -alias philter -keyalg RSA -keysize 4096 -storepass Password123! -storetype PKCS12 -keystore /opt/philter/ssl/philter.p12 -validity 3650
The cache service is required to use consistent anonymization and filter profiles stored in Amazon S3. Philter supports Redis as the backend cache. When Redis is not used, an in-memory cache is used instead. The in-memory cache is not recommended because all contents will be stored in memory on the local Philter instance.
The cache will contain sensitive information. It is important that you take the necessary precautions to secure the cache itself and all communication between Philter and the cache.
Setting | Description | Allowed Values | Default Value |
| Whether or not to use Redis as the cache. |
|
|
| The hostname or IP address of the Redis cache. | Any valid Redis endpoint. | None |
| The Redis cache port. | Any valid port. |
|
| The Redis auth token. | Any valid token. | None |
| Whether or not to use SSL for communication with the Redis cache. |
|
|
The following Redis settings are only required when using a self-signed SSL certificate.
Setting | Description | Allowed Values | Default Value |
| The path to the trust store. | Any valid file path. | None |
| The trust store password. | Any valid file path. | None |
| The path to the keystore. | Any valid file path. | None |
| The keystore password. | Any valid file path. | None |
The locations of sensitive information in text replaced by Philter can optionally be persisted to an Elasticsearch index. The Elasticsearch index can provide a historical reference of how the text was processed. The following settings control if this functionality is enabled and the connection details of the Elasticsearch instance.
This store will not contain sensitive information. It will only contain locations (character start and character end positions) in the input text that Philter identified as sensitive information.
Setting | Description | Allowed Values | Default Value |
| Whether or not to utilize the backend store for replaced values. |
|
|
| The name of the Elasticsearch index to use. | An index name. |
|
| The hostname or IP address of the Elasticsearch instance. | A hostname or IP address. | None |
| The protocol to use to connect to Elasticsearch. |
|
|
| The Elasticsearch port. | A valid port number. |
|
