Known Limitations
Protegrity data protection
Data element configuration: During runtime, Protegrity Data Protection action rules validate the input against the restrictions imposed by the Data Element configuration. For example, a Data Element may be configured to handle a certain type or format of data (e.g. date, textual, binary). Input that does not match these restrictions results in an error.
Input length: Input length restrictions are subject to the Data Element configuration as well. Tokenization of alphanumeric input is limited to ~4 KB, while encryption is limited to ~2 GB. More information can be found in the ESA and policy management documentation.
Null values: Payload structures such as JSON and XML can contain empty and null values. Extraction and transformation of null or empty values is not currently supported.
Hardware sizing
When calculating memory sizing for a DSG node, one has to take into consideration the maximum payload size expected to be handled. To determine the minimum RAM required, the max payload size should be multiplied by the number of rules and the number of CPU cores, times two. For example, a 32 core CPU machine with 128 GB of RAM would be able to handle execution of up to 25 rules back to back to process a 20 MB payload message for up to 200 concurrent connections.
Max Payload = (Total RAM -(3 GB + (500 MB * CPU Cores))) / (Concurrent Users * Rules Count)
where,
3 GB represents base system operation, including the OS and its supporting services. 500 MB represents a worker process, which is executed for each available CPU core. Concurrent Users represents the maximum number of concurrent connections. Rules Count represents the number of rules in the ruleset which will be engaged during runtime to process the payload.
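A small capacity planner built from the sizing formula above, added here as an example and not Protegrity's own tooling. It evaluates the formula, inverts it to give the RAM needed for a chosen payload, and reports how many connections fit; it assumes the document's GB/MB are binary units (GiB/MiB) and returns 0 when the fixed overhead alone exceeds the available RAM.

```python
# Capacity planner for the DSG sizing formula quoted above. Added example,
# not Protegrity's own tooling. Assumption: the document's GB/MB are treated
# as binary units (GiB/MiB); the formula's constants are taken as given.

MiB = 1024 ** 2
GiB = 1024 ** 3
BASE_SYSTEM = 3 * GiB          # OS and supporting services
PER_CORE_WORKER = 500 * MiB    # one worker process per CPU core


def fixed_overhead(cpu_cores: int) -> int:
    """RAM consumed before any payload is processed: 3 GB + 500 MB per core."""
    return BASE_SYSTEM + PER_CORE_WORKER * cpu_cores


def max_payload_bytes(total_ram: int, cpu_cores: int,
                      concurrent_users: int, rules_count: int) -> int:
    """Largest payload the node can process, per the formula in the text.
    Returns 0 when the fixed overhead alone exceeds the available RAM."""
    headroom = total_ram - fixed_overhead(cpu_cores)
    if headroom <= 0:
        return 0
    return headroom // (concurrent_users * rules_count)


def min_ram_bytes(payload: int, cpu_cores: int,
                  concurrent_users: int, rules_count: int) -> int:
    """Inverse of the formula: RAM needed for a given payload, rule count and concurrency."""
    return fixed_overhead(cpu_cores) + payload * concurrent_users * rules_count


def max_concurrency(total_ram: int, cpu_cores: int,
                    payload: int, rules_count: int) -> int:
    """How many simultaneous connections fit for a fixed payload and ruleset."""
    headroom = total_ram - fixed_overhead(cpu_cores)
    if headroom <= 0:
        return 0
    return headroom // (payload * rules_count)


if __name__ == "__main__":
    # The worked example from the text: 32 cores, 128 GB RAM, 25 rules, 200 users.
    cap = max_payload_bytes(128 * GiB, 32, 200, 25)
    print(f"max payload: {cap / MiB:.1f} MiB (text says ~20 MB)")
    print(f"RAM for 20 MiB payload: {min_ram_bytes(20 * MiB, 32, 200, 25) / GiB:.1f} GiB")
    print(f"connections at 20 MiB: {max_concurrency(128 * GiB, 32, 20 * MiB, 25)}")
```

Running it against the text's own example confirms the 128 GB node has room for a payload slightly above 20 MiB at 200 connections and 25 rules.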
An ideal configuration where only warnings and errors are logged should be well within the minimum hardware requirement of 320 GB of disk space. This however may not be enough for certain diagnostics scenarios where learn mode log files keep a copy of every rule's input/output payload. Learn mode will shut off automatically should free disk space fall below the minimum threshold of 1 GB.
Network
- The DSG uses software based SSL termination. This costs 10% CPU overhead relative to using a clear communication channel.
- SFTP commands in DSG also have some limitations.
  - Commands such as chgrp and chown are not yet supported through the gateway.
  - A warning log is generated for every outbound SFTP connection. This is because the outbound host key trust/caching list is not yet persistent.
  - SFTP session negotiation is expected to be initiated within 10 seconds. Client applications which open an SFTP connection but delay the session negotiation process may suffer connection termination due to timeout. This timeout is not yet configurable.
Ruleset engine
For the XML payload extractor, the order of XML tag attributes may change. CDATA sections and closing tags may be optimized by the internal libxml library used to parse the XML payload. Thus, the output XML structure may differ from the input it is sourced from.
Last modified February 7, 2025