Settings

Describes the settings available to configure Philter.

Philter has many options to control how it operates. The options and how to configure them are described below.

The types of sensitive information that Philter identifies are configured in filter profiles, which are separate from the general configuration properties described here.

Settings File

Philter’s settings file is application.properties. This file is located in Philter’s installation directory, which is most likely /opt/philter. Any change to this file requires Philter to be restarted for the change to take effect. To restart Philter, execute the command:

sudo systemctl restart philter

General Settings

These values configure the general operation of Philter. These settings do not typically need to be modified.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| server.port | The port Philter’s REST API listens on. | Any available port. | 8080 |
| filter.profiles.directory | The directory in which to look for filter profiles. | Any valid directory path. | ./profiles/ |
| logging.level.root | Overrides Philter’s log level. | INFO, DEBUG, ERROR | INFO |

Metrics

These values configure how Philter reports metrics during its operations. For more information on the metrics collected and reported see Metrics.

Philter writes metrics to standard out every 5 minutes. Additionally, Philter can report metrics via JMX, Datadog, and Amazon CloudWatch. You may enable any combination of metrics services, or none of them to disable metrics reporting.

JMX Metric Reporting

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| metrics.jmx.enabled | Enables metrics reporting via JMX. | true, false | false |

Datadog Metric Reporting

Metrics will be published to Datadog every 60 seconds when enabled.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| metrics.datadog.enabled | Enables metrics reporting via Datadog. | true, false | false |
| metrics.datadog.apikey | Your Datadog API key. | Any valid Datadog API key. | Philter |

Amazon CloudWatch Metric Reporting

If either or both of the metrics.cloudwatch.access.key or metrics.cloudwatch.secret.key properties are blank, Philter will attempt to automatically retrieve credentials from other places in the default AWS credentials chain, such as environment variables, system properties, and the EC2 instance's IAM role when publishing the metrics.

Metrics will be published to CloudWatch every 60 seconds when enabled.

The IAM user or role being used should have PutMetricData permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    }
  ]
}

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| metrics.cloudwatch.enabled | Enables metrics reporting via AWS CloudWatch. | true, false | false |
| metrics.cloudwatch.region | The AWS CloudWatch region. | Any valid AWS region name. | us-east-1 |
| metrics.cloudwatch.access.key | The AWS CloudWatch access key. Leave blank to use IAM roles. | An AWS access key. | No default value. |
| metrics.cloudwatch.secret.key | The AWS CloudWatch secret key. Leave blank to use IAM roles. | An AWS secret key. | No default value. |
| metrics.cloudwatch.namespace | The AWS CloudWatch namespace for the metrics. | Any valid CloudWatch Metrics namespace name. | Philter |

API SSL

Philter's API can be configured to listen over SSL connections. When Philter is deployed via the AWS Marketplace, Windows Azure Marketplace or other third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate for your organization. When configured, the SSL listener will be available on the port defined by server.port.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| server.ssl.key-store-type | The type of keystore. | PKCS12 or JKS | No default value. |
| server.ssl.key-store | Full path to the keystore file. | File path. | No default value. |
| server.ssl.key-store-password | The keystore’s password. | A valid password. | No default value. |
| server.ssl.key-alias | The certificate alias in the keystore. | A valid alias. | No default value. |
| security.require-ssl | Whether or not SSL is enabled. | true or false | false |

An example configuration to enable SSL is shown below:

# SSL certificate settings
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/opt/philter/ssl/philter.p12
server.ssl.key-store-password=Password123!
server.ssl.key-alias=philter
security.require-ssl=true

The command that generated the self-signed certificate referenced by the above configuration is:

keytool -genkeypair -keypass Password123! -dname "CN=philter, O=philter, C=US" -alias philter -keyalg RSA -keysize 4096 -storepass Password123! -storetype PKCS12 -keystore /opt/philter/ssl/philter.p12 -validity 3650

Anonymization Cache Service

The anonymization cache service is required to use consistent anonymization. The anonymization cache service stores sensitive information and its replacement values for future reference and replacement across documents and contexts.

The anonymization cache will contain sensitive information. It is important that you take the necessary precautions to secure the cache and all communication between Philter and the cache.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| anonymization.cache.service | Specifies the type of anonymization cache service. | local, redis | local |
| anonymization.cache.service.host | The hostname or IP address of the Redis cache. | Any valid Redis endpoint. | localhost |
| anonymization.cache.service.port | The Redis cache port. | Any valid port. | 6379 |
| anonymization.cache.service.ssl | Whether or not to use SSL for communication with the Redis cache. | true, false | true |

Filter Profile Registry

Philter can integrate with a Filter Profile Registry to provide centralized management of filter profiles. Usage of a Filter Profile Registry can be enabled by providing a value for the filter.profile.registry.endpoint property, and, similarly, can be disabled by not providing a value or by simply removing the property.

When a filter profile registry is used, filter profiles will first be looked for in the registry, and if not found, Philter will look for the filter profile locally in the location defined by filter.profiles.directory.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| filter.profile.registry.endpoint | The endpoint for the Filter Profile Registry. | A valid HTTP/s endpoint. | |

Replacements Store

The locations of sensitive information in text replaced by Philter can optionally be persisted to an Elasticsearch index. The Elasticsearch index can provide a historical reference of how the text was processed. The following settings control if this functionality is enabled and the connection details of the Elasticsearch instance.

This store will not contain sensitive information. It will only contain locations (character start and character end positions) in the input text that Philter identified as sensitive information.

| Setting | Description | Allowed Values | Default Value |
| --- | --- | --- | --- |
| store.enabled | Whether or not to utilize the backend store for replaced values. | true, false | false |
| store.elasticsearch.index | The name of the Elasticsearch index to use. | An index name. | philter |
| store.elasticsearch.host | The hostname or IP address of the Elasticsearch instance. | A hostname or IP address. | |
| store.elasticsearch.scheme | The protocol to use to connect to Elasticsearch. | http or https | https |
| store.elasticsearch.port | The Elasticsearch port. | A valid port number. | 443 |
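
The following is an added example, not part of Philter or its documentation: a small Python audit of application.properties that checks the API SSL, Anonymization Cache Service, Replacements Store and CloudWatch credential settings described on this page. The parser is a simplification (key=value lines only), and the function names and finding strings are this example's own.

```python
# Added example: audit Philter's application.properties; defaults are those listed on this page.
DEFAULTS = {
    "security.require-ssl": "false",
    "anonymization.cache.service": "local",
    "anonymization.cache.service.ssl": "true",
    "store.enabled": "false",
    "store.elasticsearch.scheme": "https",
}
AWS_KEYS = ("metrics.cloudwatch.access.key", "metrics.cloudwatch.secret.key")

def parse_properties(text):
    """Return key=value pairs, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings for the given properties text."""
    p = {**DEFAULTS, **parse_properties(text)}
    on = lambda k: p[k].lower() == "true"
    findings = []
    if not on("security.require-ssl"):
        findings.append("api: security.require-ssl is not true")
    if p.get("server.ssl.key-store-password") == "Password123!":
        findings.append("api: keystore still uses the sample password")
    if p["anonymization.cache.service"] == "redis" and not on("anonymization.cache.service.ssl"):
        findings.append("cache: Redis cache is reached without SSL")
    if on("store.enabled") and p["store.elasticsearch.scheme"].lower() != "https":
        findings.append("store: Elasticsearch is reached over http")
    findings += [f"metrics: {k} is a static credential in the file" for k in AWS_KEYS if p.get(k)]
    return findings

# Constructed sample input, not a real deployment.
SAMPLE = """\
server.ssl.key-store-password=Password123!
security.require-ssl=true
anonymization.cache.service=redis
anonymization.cache.service.ssl=false
metrics.cloudwatch.access.key=EXAMPLE-ACCESS-KEY
store.enabled=true
store.elasticsearch.scheme=http
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real installation, pass the contents of /opt/philter/application.properties to audit() and review each finding before restarting Philter.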