# Configuration file for the pepserver
#
# ----------------------------
# Application configuration
# ----------------------------
[application]
# Directory where the pepserver saves its temporary files etc.
# NOTE(review): a relative path such as ./ presumably resolves against the
# directory the pepserver is started from - confirm. Keep that directory
# writable only by the service account.
workingdir = ./
# Directory where token elements are stored.
# Restrict this directory's permissions the same way as workingdir.
tokenelementdir = ./tokenelements
# Execute this program/script after the policy has been successfully updated in shared memory.
# Can be used to distribute a policy to multiple nodes/destinations.
# If nothing is set no execute is done.
# NOTE(review): the script presumably runs with the pepserver's own privileges,
# so the file and its parent directories should be owned by, and writable only
# by, a trusted account; a path that others can write would let them change
# what runs on every policy update.
#postdeploy = <path/script>
# Specifies the communication id to use. Default 0
# Teradata : Configurable.
# SQLServer : Must be set to 0.
# Oracle : Configurable. Must match the value specified in 'createobjects.sql'
# DB2 : Configurable.
# Valid values are in the range 0 to 255.
communicationid = 0
# Add the PEP Server's IP Address to request headers.
# This is needed when the PEP Server is communicating with ESA via a proxy.
# Values are yes/no (this file uses the yes/no pair throughout).
# NOTE(review): only relevant when a proxy sits between the PEP Server and
# ESA; whether ESA trusts the header is decided on the ESA/proxy side -
# confirm with the deployment guide before relying on it.
addipaddressheader = yes
# ---------------------------------
# Logging configuration
# ---------------------------------
[logging]
# Logging level for pepserver application logs: OFF - No logging, SEVERE, WARNING, INFO, CONFIG, ALL
# OFF removes the application log entirely, and with it the evidence needed to
# investigate a failed or unexpected policy update. WARNING is the shipped value.
level = WARNING
# Set the output type for protections logs. Set to either tcp or stdout.
# tcp = (default) Logs are sent to fluent-bit using tcp
# stdout = Logs are sent to stdout
# stdout is for debugging only: protection logs written to stdout are not
# forwarded onward (see the parameter table below), so production systems
# should stay on tcp.
output = tcp
# Fluentbit host and port values (mostly localhost) where logs will be forwarded from the protector.
# NOTE(review): nothing here mentions TLS for the tcp output; if host is moved
# off 127.0.0.1 the protection logs cross the network - confirm how that
# stream is protected before doing so.
host = 127.0.0.1
port = 15780
# In case that connection to the fluentbit is lost, set how logs must be handled.
# This setting is only for the protector logs and not application logs, sent from pepserver
# drop = (default) Protector throws logs away if connection to the fluentbit is lost
# error = Protector returns error without protecting/unprotecting data if connection to the fluentbit is lost
# drop favours availability and silently loses the audit trail while the
# forwarder is down; error fails closed and keeps the audit trail complete at
# the cost of protect/unprotect calls failing. Choose deliberately and monitor
# the fluent-bit connection either way, since drop gives no signal of loss.
mode = drop
# Interval in seconds, on how often we send logs from protector to logforwarder. ( Default 1 sec )
# It can be set to a maximum of 86400 ( i.e. 24 hours ).
# NOTE(review): logs accumulated during a long interval are presumably held by
# the protector until the next send and would be lost if it stops first -
# confirm; keep this small unless the forwarder cannot keep up.
logsendinterval = 1
# -----------------------------
# Policy management
# -----------------------------
[policymanagement]
# The base URL to the HubController service.
# Use https, as shown, so that the certificate material below applies to this
# connection. NOTE(review): the address here looks like a sample value -
# replace it with the real HubController address for the deployment.
url = https://10.10.100.5:8443
# Path to the CA certificate.
# NOTE(review): presumably the CA the HubController's server certificate is
# validated against - confirm. Prefer the deployment's own CA over a broad
# public bundle.
cafile = ./CA.pem
# Path to the certificate.
# NOTE(review): presumably the client certificate presented to the
# HubController - confirm.
certfile = ./cert.pem
# Path to the private key for the certificate.
# Should be readable by the pepserver service account only (e.g. mode 0600).
certkeyfile = ./cert.key
# Path to the credential file used to decrypt the private key.
# Together with certkeyfile this is the usable key: give it the same
# permissions, and treat copying or backing up both files together as
# copying the key itself.
keycredentialfile = ./certkeyup.bin
# Number of seconds between checks to refresh policy from ESA.
# Specify a value in the range 30 to 86400 seconds (default is 60 seconds). If this
# value is set to be larger than 300 then the node status might not be proper on ESA.
# Some random bias will be added to this value to spread the load from multiple pep servers.
# A longer interval also lengthens the window in which a policy change made on
# ESA is presumably not yet enforced locally - confirm before raising it.
policyrefreshinterval = 60
# Define what value to return if data to protect is an empty string
# null = Return a null value (Default)
# encrypt = Return an encrypted value
# empty = Return an empty string
# With empty, a protected empty string is presumably indistinguishable from an
# unprotected one; null and encrypt keep the protect call visible in the
# output. See the parameter table below for the reference document.
emptystring = null
# -----------------------------------
# Application Protector configuration
# -----------------------------------
[applicationprotector]
# Listener port for Application Protector Client/Server.
# The example uses the form "tcp, <port>/<address>"; the 127.0.0.1 suffix keeps
# the listener on loopback, which is the safe choice for a local client.
# NOTE(review): if an address other than 127.0.0.1 is ever used, confirm what
# authenticates clients on this port before exposing it.
#listener = tcp, 15910/127.0.0.1
# ----------------------------
# Administration configuration
# ----------------------------
[administration]
# Listener port for the administration interface.
# Only accessible on localhost.
# NOTE(review): unlike the applicationprotector example ("tcp, 15910/127.0.0.1"),
# no bind address follows the port here. Confirm that the server binds this
# listener to loopback by itself; if the bind address is taken from the value,
# add /127.0.0.1 so the admin interface is not reachable from other hosts.
listener = tcp, 16700
# The URI to the authentication API.
# Base URL and certificates is taken from policymanagement section
# Admin credentials are checked by calling this path on the policymanagement
# url with that section's certificates, so the admin interface depends on
# [policymanagement] being correct and reachable.
uri = /api/v1/auth/login/checkcredentials
# -----------------------------
# Member management
# -----------------------------
[member]
# Specifies how policy users are checked against policy
# yes = (The default) policy users are treated in case sensitive manner
# no = policy users are treated in case insensitive manner.
# With no, user names that differ only in case presumably resolve to the same
# policy user; confirm that this matches how the identity source treats names
# before relaxing the default.
case-sensitive = yes
# -----------------------------
# Shared Memory management
# -----------------------------
# This section appears only for the DSG. For other protectors, you must add the section manually.
[sharedmemory]
# Group granted access to the shared memory segment; for DSG this is dsggroup.
# The group should contain only the accounts that perform data security
# operations (see the parameter table below).
groupname = dsggroup
# yes = segment permissions 666 (readable by every local user)
# no = segment permissions 660 (owner and groupname only)
# Values per the parameter table below. The policy is published into shared
# memory, so keep this at no unless a documented protector requires otherwise.
worldreadable = no
The following table helps you to understand the usage of the parameters listed in the pepserver.cfg configuration file.
Important: It is recommended that only the parameters listed in the following table are edited as per your requirement.
Appliance/Protectors | Section | Parameter Name | Description |
---|---|---|---|
All Protectors | Application configuration | postdeploy | Set the path of any script that must be executed after the policy is deployed. |
Logging configuration | level | Specifies the logging level. The log level set in this parameter determines how the data protection logs appear in the ESA forensics. | |
host | Set the host IP of the Log Forwarder, generally localhost, where the protector will send the logs. | ||
port | Set the port number of the Log Forwarder, generally localhost, where the protector will send the logs. | ||
mode | Set how the logs must be handled in a situation where the connection from the protector to the Log Forwarder is lost. Important: The default value is drop.
For the MS SQL Database Protector, if you update the value of mode setting in the pepserver.cfg file, then the changes are not reflected unless you restart the MS SQL Server or recreate the MS SQL server objects. | ||
output | Set the output type for the aggregated security logs.
CAUTION: | ||
Do not set the output=stdout setting in a production environment. This setting must be used only for debugging. If the output=stdout setting is configured, then the aggregated logs are not sent to Insight. | |||
logsendinterval | Set to configure the time interval after which the logs are sent from the Protector to the Log Forwarder. | ||
The default value is 1 second. | |||
Policy management | emptystring | Defines the behavior when the data to protect is an empty string. | |
The default value is null. The following are the possible values:
| |||
For more information about empty string handling by protectors, refer to the section Empty String Handling by Protectors in the Protection Methods Reference 9.2.0.0. | |||
Member management | case-sensitive | If this parameter is set to no, then the PEP Server treats the policy user names as case-insensitive. If this parameter is set to yes or if it is commented out in the file, then the PEP Server treats the policy user names as case-sensitive. The default value is yes. | |
Shared Memory management This section is seen in the pepserver.cfg for DSG. For other protectors, you must add the section to the pepserver.cfg file. For more information about the Shared Memory management in Big Data Protector, refer to section Updating the Configuration Parameters for the BDP PEP Service in an Open Hadoop Network. |
The default value is null. The following are the possible values:
Note: For more information about empty string handling by protectors, refer to the section Appendix C: Empty String Handling by Protectors in the Protection Methods Reference Guide 9.1.0.0.
| |Member management|case-sensitive|If this parameter is set to no, then the PEP Server treats the policy user names as case-insensitive.
If this parameter is set to yes or if it is commented out in the file, then the PEP Server treats the policy user names as case-sensitive. The default value is yes.
| |Shared Memory management. Note: This section is seen in the pepserver.cfg for DSG.
For other protectors, you must add the section to the pepserver.cfg file.
For more information about the Shared Memory management in Big Data Protector, refer to section Updating the Configuration Parameters for the BDP PEP Service in an Open Hadoop Network.
|groupname|Set the group name. For DSG, this is set to dsggroup.
| |worldreadable|Set to no as default.| |DSG|Policy management|shufflecodebooks|Set to yes when codebook reshuffling must be enabled. The default value is no. Note: Enabling this parameter requires careful consideration.
For more information about codebook reshuffling, refer to 4.3.1 Codebook Re-shuffling in the PEP Server in the Data Security Gateway User Guide 3.0.0.0.
| |randomfile|Path to the file that contains the random bytes for shuffling codebooks.| |PKCS#11 configuration. Important: You must edit values under this section only if shufflecodebooks is enabled.
|provider_library|Path to the PKCS#11 provider library. Note: For more information about codebook reshuffling, refer to 4.3.1 Codebook Re-shuffling in the PEP Server in the Data Security Gateway User Guide 3.0.0.0.
| |slot|The slot number to use on the HSM. Note: For more information about codebook reshuffling, refer to 4.3.1 Codebook Re-shuffling in the PEP Server in the Data Security Gateway User Guide 3.0.0.0.
| |userpin|The scrambled user PIN file. Note: For more information about codebook reshuffling, refer to 4.3.1 Codebook Re-shuffling in the PEP Server in the Data Security Gateway User Guide 3.0.0.0.
| |Application Protector|Shared Memory management. Note: This section is seen in the pepserver.cfg for Application Protector.
|groupname|Set the group name. For Application Protector, the group name must be the same as that of the user who is authorized to perform the data security operations.
| |worldreadable|By default, this parameter is set to yes, i.e., shared memory segment permissions are set to 666, which is world-readable. Set this parameter to no to make it not world-readable. As a result, the permissions are changed to 660.| |Database Protector|Shared Memory management. Note: This section is seen in the pepserver.cfg file for Database Protector.
Note: To modify the Shared Memory management settings, perform the following steps in sequence:
For example,
```
groupname = oinstall
worldreadable = Yes
```
Here, oinstall is the authorized group name to perform the data security operations in Database Protector.
Remove the shared memories and the semaphores using the following commands.
```
ipcrm -M 0x000beda0
ipcrm -M 0x000abba4
ipcrm -M 0x000faffa
ipcrm -M 0x000dada0
ipcrm -M 0x000c0de4
ipcrm -S 0x000c0de4
ipcrm -S 0x000dada0
ipcrm -S 0x000faffa
ipcrm -S 0x000abba4
ipcrm -S 0x000beda0
```
|groupname|Set the group name. For Database Protector, the group name must be the same as that of the user who is authorized to perform the data security operations.
| |worldreadable|By default, this parameter is set to yes, i.e., shared memory permissions are set to 666, which is world-readable. Set this parameter to no to make it not world-readable. As a result, the permissions are changed to 660.|