To add a private key, complete the following steps.

1. Select the Loaded radio button.
2. Enter the domain name or IP address of the recipient in the Label field. The value entered in this field designates the label used to identify the key for display.
3. In the File field, enter the name of the file that is containing the private key that the device must attempt to use to decode SSL sessions. This field must contain an absolute, fully qualified file name.
4. Click Add.
5. Click Save Changes at the bottom of the page.
6. You can then edit, view, or delete the key by clicking the corresponding buttons.

Setting

Description

Name

Name of the rule

Description

User-readable description of the rule, which also displayed in privacy.cfg.

ReqField

This option specifies the name of a field, the name portion of a name-value pair, in the request file. The value of this field is used for comparison. You can also apply one of following special field names:

• TL_URLEXT - The file extension portion of the URL
• TL_URLTAIL - The tail of the URL, which includes the last / in the URL and everything that is following it
• TL_VIRTUALDIR - The virtual directory portion of the URL

ReqOp

ReqOp defines the comparison operation that is performed by this rule between ReqField and ReqVal. Following are the valid values for this option:

• EQ or = - True if the field value equals ReqVal. String comparison is case-insensitive
• NE or != - True if the field value does not equal ReqVal. String comparison is case-insensitive
• GT or > - True if the field value is greater than ReqVal
• LT or < - True if the field value is less than ReqVal
• CONTAINS - True if ReqVal is contained in the field value
• PARTOF - True if the field value is part of (contained in) ReqVal
• PARTOFLIST - True if the field value matches one of the values in ReqVal.

  The list of values in ReqVal can be delimited by semicolons or other delimiter specified by the ListDelimiter property.

ReqVal

Literal value or field name (set ReqValIsField=True for field name). When ReqOp=PARTOFLIST, this setting must specify a list of values that are separated either by a semicolon or another delimiter (specified by using ListDelimiter).

• If ReqField is set to TL_URLEXT, this field contains the extensions that are including periods.

TestOp

Logical operator to use when multiple tests are specified. Possible values are AND and OR. If no value is specified, AND is applied as the default value.

• When TestOp=AND, all tests must return True for the actions to be processed.
• If TestOp=OR, the actions are processed if any of the tests return True.

List Delimiter

The character used to separate list items in ReqVal when using the ReqOp=PARTOFLIST. The default is a semicolon (;).

Case Sensitive

True or False value that is indicating whether the searches for field names must be case-sensitive. Default is False. Setting this to True speeds up searches.

ReqValIsField

True or False indicating whether ReqVal contains a field name.

Not

True or False value. If True, then the result of the test evaluation is inverted (logical NOT).

Stop Processing

True or False value that is indicating whether to stop processing further rules if this rule evaluates to True.

Enabled

True or False Value which specifies whether this rule is active.

Actions

One or more action names which correspond to the names of action sections to process if this rule returns True.

Tests

One or more test names which correspond to the names of test sections. The specified tests are evaluated to determine whether the actions is ran for the rule. If no test is specified (and no embedded test specified as described below), then the actions are run for every hit.

Setting

Description

Name

The name of the action.

Description

User-readable description of the action, which also displayed in privacy.cfg.

Invert Action

True or False value that is indicating whether to invert the action (perform the action on all fields or Value Names EXCEPT the ones specified).

• If Value Name is specified, then all except the name(s) specified in Value Name are processed.
• If Value Name is not specified, then the name(s) specified for Field is/are excepted from the action.
  Note: This can only be used with Block, Encrypt, and Replace actions. Start Pattern and Start Pattern RE cannot be used with an Invert action.

Action

The action to take. This can be one of the following value:

• Block - Blocks the matched data using the specified strike character.
• Encrypt - Encrypts the matched data and masks it with the specified strike character.
• Replace - Replaces the matched data with a specified text string.
• DropHit - Drops the current hit (no further action is taken).
• DropResponse - Drops the response from the current hit.
• ReqSet - Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if is doesn't exist.
• ReqAppend - Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist.
• ReqDelete - Removes the specified name/value pair completely from the request. This does not remove the section, even if empty.

Key

key ID to use for encryption if Action=Encrypt.

Section

The section name of the data to act upon. If this is set to response, then the response is processed. This can also be one of the following reserved names:

• urlfield - Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present) and the query string in HTTP_REFERER and the Referer request header and request body in RawRequest (if present).
• cookies - Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the [cookies] section, HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the [cookies] header in the RawRequest section (if present).
  Note: If a Section is not specified in an action, then the entire request buffer (REQ) is used.

Field

One or more optional field names (name portion of the name-value pair). If both Field and Value Name are omitted, then the entire section is blocked/encrypted. This can also be one of the following reserved names:

• body - If Section=response. then this specifies the response body as the target. If Section=RawRequest. then the request body (if present) is processed.

Value Name

One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE) or the names of items when Section=urlfield or Section=cookies.

Start Pattern

The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If Start Pattern is used, then you must also specify either End Pattern or Strike Length, unless you set Inclusive=True. If set, then the Start Pattern and optional End Pattern are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string.

Start Pattern RE

Regular expression version of Start Pattern. This can be used to specify a standard regular expression to define the starting pattern to find. You can use either Start Pattern or Start Pattern RE, but not both.

End Pattern

The string pattern which signals the end of the data that is matched by a Start Pattern. The data up to, but not including, the End Pattern is processed (unless Inclusive=True).

End Pattern RE

Regular expression version of End Pattern. This can be used to specify a standard regular expression to define the ending pattern to find. You can use either End Pattern or End Pattern RE, but not both.

Strike Character

The character that is used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol not included in the following list:

• . (period)
• , (comma)
• / (forward slash)
• \ (backslash)
• [(left square bracket)
• ] (right square bracket)
• | (pipe)
• ' (single quote)
• " (double quote)

Strike Length

Optional length (in bytes) of strike data. This is the number of Strike Character characters that are used to replace the original data (if Action=Block or Action=Encrypt).

• If Strike Length is longer than the original data length, then more strike characters are added.
• If Strike Length is shorter than the original data length, then Strike Length characters are replaced with the Strike Character and the remaining data is removed.
• If Strike Length is a negative number, then the number of characters represented by the absolute value of Strike Length is left as-is. For example, to leave the last four characters or a value untouched, set Strike Length=-4. (see Blocking Mask for more flexible blocking options.)

Inclusive

True or False value that is indicating whether the Start Pattern (or Start Pattern RE) and (optional) End Pattern (or End Pattern RE) are blocked or encrypted. Default is False.

Repeat Count

This can be used for actions that have a Start Pattern or Start Pattern RE to specify how many instances of data that is matching the pattern are processed.

Blocking Mask

An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to Replace action). All character within a group (defined by parentheses) in the regular expression is replaced with the strike character.

• Characters that match part of the pattern outside of a group are not replaced. For example, the following mask would block just the numbers in a Social Security Number, leaving the dashes visible:

  BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})

  This example would leave the first four digits of a credit card number visible:

  BlockingMask=[0-9]{4}([0-9]*)

  Blocking Mask is used in lieu of Strike Length. You can use one or the other, but not both.

  Note: Be careful when you use Blocking Mask. If the data does not match the regular expression that is specified for Blocking Mask, then the data is not blocked or encrypted.

Replace String

The string that is used to replace the original data when Action=Replace.

Length (bytes)

Used in lieu of an End Pattern or End Pattern RE, this value specifies the length of the data (in bytes) to process following a matched Start Pattern (or Start Pattern RE).

Case Sensitive

True or False value that is indicating whether the searches for field names and/or patterns must be case-sensitive. Default is False. Setting this to True speeds up searches.

Ignore Special

True or False value that is indicating whether to ignore special handling when urlfield or cookies is specified for the Section. Setting to True allows Start Pattern or Start Pattern RE to be used in the urlfield or cookies sections. Default is False.

ReqSetSection

Specifies the section for the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetSection is required for these three actions.

ReqSetField

Specifies the name of a name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetField is required for these three actions.

ReqSetResult

This option is used with Start Pattern RE to produce a formatted value for a ReqSet or ReqAppend action. The Start Pattern RE expression must contain one or more "groups", defined by parentheses within the regular expression. ReqSetResult is a string that is containing literal text and placeholders for the data that is captured by Start Pattern RE. For example:

StartPatternRE=name="(.*?)" value="(.*?)"
ReqSetResult=Field
{g1} value: {g2}

The code might give following result:

Field name value: Bob

The first placeholder, {g1}, is replaced with the value from the first group in the regular expression. {g2} gets the second value, and so on. The result string is then used as the value for the ReqSet or ReqAppend action.

Privacy keys that are used for encryption and decryption of sensitive data for use throughout Tealeaf must be added to the PCA Web Console.

You can add privacy keys for the PCA to use during encryption operations by the Privacy filter in the PCA. To make a privacy key available for PCA use, enter the key name and the generated key in this section.

You can copy a key value that is generated from Search Server configuration and paste it into the listed Key Details fields.

Privacy changes: When changes are made in the Rules tab that apply to privacy.cfg, a backup version of the old file is saved in the following format: privacy.cfg.X, where X is a version number.

By default, a maximum of five versions are retained at any time.

Diff logging: In addition to logging privacy changes, differences in all web console changes are logged in the conf_changelog.cfg file.