Adding a key is optional and can be used to explicitly define privacy keys along with their (encrypted) values. This is normally only needed when the Privacy Filter runs on a machine other than the Tealeaf CX server (on a Web server, for example), where the defined privacy keys are not directly accessible.
Entries in this section use the following format:
keyID=keydata
where:
keyID
- the name (ID) of the key
keydata
- the encrypted key value string
Through the SSL tab, you can upload SSL certificates in clear-text .pem format or password-protected .pfx format for conversion to .ptl format for PCA use. A clear-text .pem file carries the unprotected private key, so restrict access to the machine you upload from and to the console session accordingly.
If you have access to the PCA software on the Linux™ server, you can drop SSL certificates into a specified directory for automatic conversion to .ptl format. The same caution applies to that directory: lock its permissions down to the PCA service account.
Editing a private key
You can edit a private key to load a key, assign it a more meaningful label name, and enter the fully qualified path to the key file. Keys in .pem and .pfx format (converted to .ptl) are supported.
To add a private key, complete the following steps.
- Select the Loaded radio button.
- Enter the domain name or IP address of the recipient in the Label field. The value entered in this field is the label used to identify the key for display.
- In the File field, enter the name of the file containing the private key that the device must attempt to use to decode SSL sessions. This field must contain an absolute, fully qualified file name.
- Click Add.
- Click Save Changes at the bottom of the page.
You can then edit, view, or delete the key by clicking the corresponding buttons.
Add/Edit Rules
To define a single condition (test), you can specify ReqField, ReqOp, and ReqVal directly in a Rule. For more complex conditions, use the Tests option and define the test conditions separately.
The settings are as follows.
Name
- Name of the rule.
Description
- User-readable description of the rule, which is also displayed in privacy.cfg.
ReqField
- The name of a field (the name portion of a name-value pair) in the request file. The value of this field is used for the comparison. You can also use one of the following special field names:
TL_URLEXT
- The file extension portion of the URL
TL_URLTAIL
- The tail of the URL, which includes the last / in the URL and everything following it
TL_VIRTUALDIR
- The virtual directory portion of the URL
ReqOp
- The comparison operation that this rule performs between ReqField and ReqVal. The valid values are:
EQ or =
- True if the field value equals ReqVal. String comparison is case-insensitive.
NE or !=
- True if the field value does not equal ReqVal. String comparison is case-insensitive.
GT or >
- True if the field value is greater than ReqVal
LT or <
- True if the field value is less than ReqVal
CONTAINS
- True if ReqVal is contained in the field value
PARTOF
- True if the field value is part of (contained in) ReqVal
PARTOFLIST
- True if the field value matches one of the values in ReqVal. The list of values in ReqVal is delimited by semicolons or by the delimiter specified by the List Delimiter property.
ReqVal
- Literal value, or a field name if ReqValIsField=True. When ReqOp=PARTOFLIST, this setting must specify a list of values separated by semicolons or by the delimiter specified by List Delimiter.
- If ReqField is set to TL_URLEXT, this field contains the extensions, including the periods.
TestOp
- Logical operator to use when multiple tests are specified. Possible values are AND and OR. If no value is specified, AND is applied as the default.
- When TestOp=AND, all tests must return True for the actions to be processed.
- When TestOp=OR, the actions are processed if any of the tests returns True.
List Delimiter
- The character used to separate list items in ReqVal when ReqOp=PARTOFLIST. The default is a semicolon (;).
Case Sensitive
- True or False value indicating whether searches for field names are case-sensitive. The default is False. Setting this to True speeds up searches.
ReqValIsField
- True or False value indicating whether ReqVal contains a field name rather than a literal value.
Not
- True or False value. If True, the result of the test evaluation is inverted (logical NOT).
Stop Processing
- True or False value indicating whether to stop processing further rules if this rule evaluates to True.
Enabled
- True or False value that specifies whether this rule is active.
Actions
- One or more action names, corresponding to the names of the action sections to process if this rule returns True.
Tests
- One or more test names, corresponding to the names of test sections. The specified tests are evaluated to determine whether the actions are run for the rule. If no test is specified (and no embedded ReqField/ReqOp/ReqVal condition is specified), the actions are run for every hit. Note that the failure mode is asymmetric: a test that never matches leaves sensitive data unmasked, while an empty test list attached to a DropHit action discards every hit, so verify new rules against captured traffic before relying on them.
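The following is an added example, not Tealeaf code, that implements the rule semantics described above in Python over a constructed request, so you can see how ReqOp, Not, TestOp, Enabled and Stop Processing combine and which action names end up running. The request layout, the derivation of TL_VIRTUALDIR (everything before the last slash, ignoring the query string), numeric ordering for GT/LT, and all rule and action names are assumptions made for illustration.

```python
# Added example: a small evaluator for the rule settings described above.
# It is not Tealeaf code. The request layout, the TL_* derivations and the
# rule/action names below are assumptions made for illustration.

# Constructed sample request: {section: {name: value}}.
SAMPLE_REQUEST = {
    "urlfield": {"URL": "/store/checkout/submit.aspx?step=pay",
                 "HTTP_HOST": "shop.example.com"},
    "env": {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": "512"},
}

SPECIAL_FIELDS = ("TL_URLEXT", "TL_URLTAIL", "TL_VIRTUALDIR")


def special_field(url, name):
    """Derive TL_URLEXT / TL_URLTAIL / TL_VIRTUALDIR from the URL path.
    Assumptions: the query string is ignored and the virtual directory is
    everything before the last '/'."""
    path = url.split("?", 1)[0]
    slash = path.rfind("/")
    tail = path[slash:]                       # last '/' and everything after it
    if name == "TL_URLTAIL":
        return tail
    if name == "TL_URLEXT":                   # extension including the period
        return tail[tail.rfind("."):] if "." in tail else ""
    if name == "TL_VIRTUALDIR":
        return path[:slash]
    raise ValueError("unknown special field: %s" % name)


def lookup(request, field, case_sensitive=False):
    """Return the value of `field` from any section, or None if absent."""
    if field in SPECIAL_FIELDS:
        return special_field(lookup(request, "URL") or "", field)
    for section in request.values():
        for name, value in section.items():
            if name == field or (not case_sensitive and name.lower() == field.lower()):
                return value
    return None


def _key(s):
    """Ordering for GT/LT: numeric when the value parses as a number
    (assumption), otherwise plain string order."""
    try:
        return (0, float(s))
    except ValueError:
        return (1, s)


def compare(op, value, req_val, delim=";"):
    """Apply one ReqOp. A missing field never matches."""
    if value is None:
        return False
    a, b = value.lower(), req_val.lower()     # EQ/NE/... are case-insensitive
    ops = {
        "EQ": a == b, "=": a == b,
        "NE": a != b, "!=": a != b,
        "GT": _key(value) > _key(req_val), ">": _key(value) > _key(req_val),
        "LT": _key(value) < _key(req_val), "<": _key(value) < _key(req_val),
        "CONTAINS": b in a,                   # ReqVal inside the field value
        "PARTOF": a in b,                     # field value inside ReqVal
        "PARTOFLIST": a in [x.strip().lower() for x in req_val.split(delim)],
    }
    return ops[op.upper()]


def run_test(request, t):
    value = lookup(request, t["ReqField"], t.get("CaseSensitive", False))
    req_val = t["ReqVal"]
    if t.get("ReqValIsField"):               # compare against another field
        req_val = lookup(request, req_val) or ""
    result = compare(t["ReqOp"], value, req_val, t.get("ListDelimiter", ";"))
    return (not result) if t.get("Not") else result


def rule_matches(request, rule):
    tests = list(rule.get("Tests", []))
    if "ReqField" in rule:                    # single condition embedded in the rule
        tests.append(rule)
    if not tests:                             # no test at all: fires on every hit
        return True
    results = [run_test(request, t) for t in tests]
    return any(results) if rule.get("TestOp", "AND").upper() == "OR" else all(results)


def evaluate(request, rules):
    """Return the action names to run, in rule order, honouring Enabled
    and Stop Processing."""
    actions = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        if rule_matches(request, rule):
            actions.extend(rule.get("Actions", []))
            if rule.get("StopProcessing"):
                break
    return actions


# Constructed rules (names are assumptions): skip static files outright,
# otherwise mask payment data on POSTs under /checkout.
RULES = [
    {"Name": "SkipStatic", "ReqField": "TL_URLEXT", "ReqOp": "PARTOFLIST",
     "ReqVal": ".gif;.css;.js", "Actions": ["DropHitAction"], "StopProcessing": True},
    {"Name": "MaskCheckout", "TestOp": "AND",
     "Tests": [{"ReqField": "TL_VIRTUALDIR", "ReqOp": "CONTAINS", "ReqVal": "/checkout"},
               {"ReqField": "REQUEST_METHOD", "ReqOp": "EQ", "ReqVal": "post"}],
     "Actions": ["BlockCardNumber", "EncryptPassword"]},
    {"Name": "Disabled", "Actions": ["AuditAction"], "Enabled": False},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST, RULES))    # ['BlockCardNumber', 'EncryptPassword']
```

Running it on a request for /static/app.js returns only DropHitAction, because the first rule matches and Stop Processing prevents the checkout rule from being evaluated; swap the order of the two rules and the masking actions are collected first, which is the kind of ordering mistake that is worth a test before you save privacy.cfg.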
Add/Edit Actions
At the top of the Action Details page, you can review the name of the action, the rules in which it is referenced, and the currently configured properties.
The settings are as follows.
Name
- The name of the action.
Description
- User-readable description of the action, which is also displayed in privacy.cfg.
Invert Action
- True or False value indicating whether to invert the action (perform the action on all fields or Value Names EXCEPT the ones specified).
- If Value Name is specified, all values except the name(s) specified in Value Name are processed.
- If Value Name is not specified, the name(s) specified in Field are excepted from the action.
Note: Invert Action can only be used with the Block, Encrypt, and Replace actions. Start Pattern and Start Pattern RE cannot be used with an inverted action.
Action
- The action to take. This can be one of the following values:
Block
- Blocks the matched data using the specified strike character.
Encrypt
- Encrypts the matched data and masks it with the specified strike character.
Replace
- Replaces the matched data with a specified text string.
DropHit
- Drops the current hit (no further action is taken).
DropResponse
- Drops the response from the current hit.
ReqSet
- Sets or replaces the value of the specified name-value pair in the request. Creates the name-value pair if it does not exist, and creates the specified section if it does not exist.
ReqAppend
- Appends to the value of the specified name-value pair in the request. Creates the name-value pair if it does not exist, and creates the specified section if it does not exist.
ReqDelete
- Removes the specified name-value pair completely from the request. This does not remove the section, even if it is left empty.
Key
- Key ID to use for encryption if Action=Encrypt.
Section
- The section name of the data to act upon. If this is set to response, the response is processed. This can also be one of the following reserved names:
urlfield
- Performs the action for the specified Value Name(s) (or all values if Value Name is omitted) in the urlfield section, in QUERY_STRING, in the query string in RawRequest (if present), in the query string in HTTP_REFERER and the Referer request header, and in the request body in RawRequest (if present).
cookies
- Performs the action for the specified Value Name(s) (or all values if Value Name is omitted) in the [cookies] section, in the HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, in Set-Cookie headers in the ResponseHeader section (if present), in Set-Cookie headers in the response, and in the [cookies] header in the RawRequest section (if present).
Note: If a Section is not specified in an action, the entire request buffer (REQ) is used.
Field
- One or more optional field names (the name portion of the name-value pair). If both Field and Value Name are omitted, the entire section is blocked/encrypted. This can also be the following reserved name:
body
- If Section=response, this specifies the response body as the target. If Section=RawRequest, the request body (if present) is processed.
Value Name
- One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE), or the names of items when Section=urlfield or Section=cookies.
Start Pattern
- The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If Start Pattern is used, you must also specify either End Pattern or Strike Length, unless you set Inclusive=True. If Inclusive is set, the Start Pattern and the optional End Pattern are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string.
Start Pattern RE
- Regular expression version of Start Pattern. This can be used to specify a standard regular expression that defines the starting pattern to find. You can use either Start Pattern or Start Pattern RE, but not both.
End Pattern
- The string pattern that signals the end of the data matched by a Start Pattern. The data up to, but not including, the End Pattern is processed (unless Inclusive=True).
End Pattern RE
- Regular expression version of End Pattern. This can be used to specify a standard regular expression that defines the ending pattern to find. You can use either End Pattern or End Pattern RE, but not both.
Strike Character
- The character used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol except the following:
- . (period)
- , (comma)
- / (forward slash)
- \ (backslash)
- [(left square bracket)
- ] (right square bracket)
- | (pipe)
- ' (single quote)
- " (double quote)
Strike Length
- Optional length (in bytes) of the strike data. This is the number of Strike Character characters used to replace the original data (if Action=Block or Action=Encrypt).
- If Strike Length is longer than the original data length, additional strike characters are added.
- If Strike Length is shorter than the original data length, Strike Length characters are replaced with the Strike Character and the remaining data is removed.
- If Strike Length is a negative number, the number of characters represented by the absolute value of Strike Length is left as-is. For example, to leave the last four characters of a value untouched, set Strike Length=-4. (See Blocking Mask for more flexible blocking options.)
Inclusive
- True or False value indicating whether the Start Pattern (or Start Pattern RE) and the optional End Pattern (or End Pattern RE) are blocked or encrypted. The default is False.
Repeat Count
- For actions that have a Start Pattern or Start Pattern RE, specifies how many instances of data matching the pattern are processed.
Blocking Mask
- An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to the Replace action). All characters within a group (defined by parentheses) in the regular expression are replaced with the strike character.
- Characters that match part of the pattern outside of a group are not replaced. For example, the following mask blocks just the digits of a Social Security Number, leaving the dashes visible:
BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})
This example leaves the first four digits of a credit card number visible:
BlockingMask=[0-9]{4}([0-9]*)
Blocking Mask is used in lieu of Strike Length. You can use one or the other, but not both.
Note: Be careful when you use Blocking Mask. If the data does not match the regular expression specified for Blocking Mask, the data is not blocked or encrypted: a value in an unexpected format (a different delimiter, extra whitespace, no dashes) passes through in the clear. Write the mask to accept every format the application actually submits, and test it against real captures.
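As an added example (not Tealeaf code; written for this page), the Python below implements the Strike Length, Blocking Mask, Start Pattern / End Pattern, Length, Inclusive and Repeat Count semantics described above and applies them to a constructed form body. It also reproduces the fail-open behaviour the Note warns about, where data that does not match the mask is returned untouched. The body contents, the regex-based matching, and the assumption that patterns are matched case-insensitively (the documented Case Sensitive default) are mine.

```python
import re

# Added example (not Tealeaf code): the Block action's replacement rules
# from this page, applied to a constructed form body.
SAMPLE_BODY = "cardnumber=4111111111111111&cvv=123&ssn=123-45-6789&name=Bob"


def apply_strike_length(data, strike_char="X", strike_length=None):
    """Strike Length semantics: None strikes everything; a positive value
    yields exactly that many strike characters (longer data is truncated,
    shorter data is padded); a negative value leaves the last |n| characters."""
    n = len(data)
    if strike_length is None:
        return strike_char * n
    if strike_length < 0:
        keep = min(-strike_length, n)
        return strike_char * (n - keep) + data[n - keep:]
    return strike_char * strike_length


def apply_blocking_mask(data, mask, strike_char="X"):
    """Blocking Mask semantics: only the parenthesised groups of the first
    match are struck; returns (result, matched). Unmatched data comes back
    unchanged, which is exactly the fail-open case the Note above warns about."""
    m = re.search(mask, data)
    if not m:
        return data, False
    out = list(data)
    for i in range(1, (m.lastindex or 0) + 1):
        s, e = m.span(i)
        if s >= 0:                            # group took part in the match
            out[s:e] = strike_char * (e - s)
    return "".join(out), True


def block_between(buf, start_re, end_re=None, length=None, inclusive=False,
                  repeat=1, strike_char="X", strike_length=None, blocking_mask=None):
    """Start Pattern RE / End Pattern RE / Length / Inclusive / Repeat Count.
    Patterns are matched case-insensitively (Case Sensitive=False default).
    Pass re.escape(...) for a literal Start Pattern or End Pattern."""
    if end_re is None and length is None and not inclusive:
        raise ValueError("Start Pattern needs End Pattern, Length or Inclusive=True")
    out, pos = buf, 0
    for _ in range(repeat):
        m = re.compile(start_re, re.IGNORECASE).search(out, pos)
        if not m:
            break
        data_start = m.end()
        if end_re is not None:
            e = re.compile(end_re, re.IGNORECASE).search(out, data_start)
            if not e:
                break
            data_end, span_end = e.start(), e.end()
        elif length is not None:
            data_end = span_end = min(data_start + length, len(out))
        else:                                 # Inclusive with no end: the pattern itself
            data_end = span_end = data_start
        lo, hi = (m.start(), span_end) if inclusive else (data_start, data_end)
        target = out[lo:hi]
        if blocking_mask is not None:
            replaced, _ = apply_blocking_mask(target, blocking_mask, strike_char)
        else:
            replaced = apply_strike_length(target, strike_char, strike_length)
        out = out[:lo] + replaced + out[hi:]
        pos = lo + len(replaced)
    return out


def demo():
    """Each entry mirrors one Block action; all values are constructed."""
    ssn_mask = r"([0-9]{3})-([0-9]{2})-([0-9]{4})"
    return {
        # Strike Length=-4 keeps the last four digits of the card number
        "card": block_between(SAMPLE_BODY, re.escape("cardnumber="), re.escape("&"),
                              strike_length=-4),
        # Blocking Mask strikes only the grouped digits; the dashes stay visible
        "ssn": block_between(SAMPLE_BODY, re.escape("ssn="), re.escape("&"),
                             blocking_mask=ssn_mask),
        # Inclusive=True with Length: "cvv=" is struck together with the 3 bytes after it
        "cvv": block_between(SAMPLE_BODY, re.escape("cvv="), length=3, inclusive=True),
        # Fail-open caveat: an SSN submitted without dashes does not match the
        # mask and passes through untouched
        "nomatch": block_between("ssn=123456789&x=1", re.escape("ssn="), re.escape("&"),
                                 blocking_mask=ssn_mask),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "nomatch" entry is the one to look at when reviewing a configuration: the action ran, nothing errored, and the full SSN is still in the hit.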
Replace String
- The string used to replace the original data when Action=Replace.
Length (bytes)
- Used in lieu of an End Pattern or End Pattern RE, this value specifies the length of the data (in bytes) to process following a matched Start Pattern (or Start Pattern RE).
Case Sensitive
- True or False value indicating whether searches for field names and/or patterns are case-sensitive. The default is False. Setting this to True speeds up searches.
Ignore Special
- True or False value indicating whether to ignore the special handling applied when urlfield or cookies is specified for the Section. Setting this to True allows Start Pattern or Start Pattern RE to be used in the urlfield or cookies sections. The default is False.
ReqSetSection
- Specifies the section of the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetSection is required for these three actions.
ReqSetField
- Specifies the name of the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetField is required for these three actions.
ReqSetResult
- Used with Start Pattern RE to produce a formatted value for a ReqSet or ReqAppend action. The Start Pattern RE expression must contain one or more groups, defined by parentheses within the regular expression. ReqSetResult is a string containing literal text and placeholders for the data captured by Start Pattern RE. For example:
StartPatternRE=name="(.*?)" value="(.*?)"
ReqSetResult=Field {g1} value: {g2}
For input of the form name="name" value="Bob", this produces the following result:
Field name value: Bob
The first placeholder, {g1}, is replaced with the value captured by the first group in the regular expression, {g2} with the second, and so on. The result string is then used as the value for the ReqSet or ReqAppend action.
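The following added example (not Tealeaf code) implements the ReqSet, ReqAppend and ReqDelete semantics described under Action together with the {gN} placeholder expansion of ReqSetResult, on a request represented as a dictionary of sections. It reuses the page's own Start Pattern RE and ReqSetResult strings; the HTML fragment, the section name appdata and the field name hidden are assumptions, and a placeholder that refers to a group the expression does not have is treated as a configuration error rather than silently expanded to nothing.

```python
import re

# Added example (not Tealeaf code): ReqSet / ReqAppend / ReqDelete and the
# {gN} placeholder expansion of ReqSetResult, on a request represented as
# {section: {name: value}}. Section and field names below are assumptions.


def format_result(template, match):
    """Expand {g1}, {g2}, ... with the corresponding capture groups."""
    def sub(m):
        idx = int(m.group(1))
        if idx < 1 or idx > (match.lastindex or 0):
            raise ValueError("ReqSetResult refers to group %d, which the RE lacks" % idx)
        return match.group(idx) or ""
    return re.sub(r"\{g(\d+)\}", sub, template)


def req_action(request, action, section, field, value=None):
    """ReqSet / ReqAppend / ReqDelete on the request dictionary, in place."""
    if action == "ReqDelete":
        request.get(section, {}).pop(field, None)    # section is kept even if empty
        return request
    sec = request.setdefault(section, {})            # section created if missing
    if action == "ReqSet":
        sec[field] = value
    elif action == "ReqAppend":
        sec[field] = sec.get(field, "") + value      # pair created if missing
    else:
        raise ValueError("unsupported action: %s" % action)
    return request


def apply_reqset_re(request, buffer, start_pattern_re, result_template,
                    section, field, action="ReqSet", case_sensitive=False):
    """Run one ReqSet/ReqAppend action driven by Start Pattern RE + ReqSetResult.
    If the RE does not match the buffer, nothing is written."""
    flags = 0 if case_sensitive else re.IGNORECASE
    m = re.search(start_pattern_re, buffer, flags)
    if not m:
        return request
    return req_action(request, action, section, field, format_result(result_template, m))


# Constructed response fragment, plus the page's own example patterns.
SAMPLE_HTML = '<input type="hidden" name="name" value="Bob">'
START_PATTERN_RE = r'name="(.*?)" value="(.*?)"'
REQ_SET_RESULT = "Field {g1} value: {g2}"


def demo():
    req = {"env": {"REQUEST_METHOD": "GET"}}
    # ReqSet: creates the (assumed) section "appdata" and the pair "hidden"
    apply_reqset_re(req, SAMPLE_HTML, START_PATTERN_RE, REQ_SET_RESULT, "appdata", "hidden")
    # ReqAppend on a second match extends the same value
    apply_reqset_re(req, '<input name="id" value="42">', START_PATTERN_RE,
                    "; {g1}={g2}", "appdata", "hidden", action="ReqAppend")
    # ReqDelete removes the pair but leaves the now-empty section in place
    req_action(req, "ReqDelete", "env", "REQUEST_METHOD")
    return req


if __name__ == "__main__":
    print(demo())
```

Because ReqSet copies data captured from a buffer into the request, check that the groups your Start Pattern RE captures cannot themselves contain the sensitive values you are masking elsewhere; otherwise the action re-introduces into a new field what a Block action removed from the original.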
Add/Edit Keys
Privacy keys can be generated within Tealeaf for use in the encryption and decryption of sensitive data as needed throughout the system. Encryption and decryption are managed by the Privacy Filter, which is available in the PCA and in the Windows™ pipeline.
Privacy keys used for encryption and decryption of sensitive data throughout Tealeaf must be added to the PCA Web Console.
You can add privacy keys for the Privacy Filter in the PCA to use during encryption operations. To make a privacy key available for PCA use, enter the key name and the generated key in this section. The key name you enter here is the key ID that an action's Key setting references when Action=Encrypt.
You can copy a key value generated from the Search Server configuration and paste it into the listed Key Details fields.
Logging changes
Privacy changes: When changes are made in the Rules tab that apply to privacy.cfg, a backup version of the old file is saved in the format privacy.cfg.X, where X is a version number.
By default, a maximum of five versions are retained at any time. Each backup is a complete earlier privacy configuration, so apply the same file permissions to the privacy.cfg.X copies as to privacy.cfg itself.
Diff logging: In addition to logging privacy changes, differences for all web console changes are logged in the conf_changelog.cfg file, which is the place to look when you need to audit what changed between two versions.