Configuring Philter

Philter has many options to control how it operates. The options and how to configure them are described below.

Note that the configuration for the types of sensitive information that Philter identifies are defined in filter profiles outside of Philter’s configuration properties that are described on this page.

Configuring Philter

Settings File

Philter’s settings file is application.properties. This file is located in Philter’s installation directory, which is most likely /opt/philter. All changes to this files requires Philter to be restarted for the changes to take affect. To restart Philter execute the following commands:

sudo systemctl restart philter.service

Using Environment Variables

Important: Properties set via environment variables take precedence over properties set in Philter’s settings file.

All of the following properties can also be set as environment variables by prepending PHILTER_ to the property name and changing periods to underscores. For example, the property filter.profiles.directory can be set using the environment variable PHILTER_FILTER_PROFILES_DIRECTORY by:

export PHILTER_FILTER_PROFILES_DIRECTORY=/profiles/

Setting or changing an environment variable requires Philter to be restarted. To restart Philter execute the following commands:

sudo systemctl restart philter.service
sudo systemctl restart philter-ner.service

Using environment variables to configure Philter instead of using Philter’s settings file can allow for easier configuration management when deploying Philter.

Filter Profiles

These settings control how Philter loads filter profiles.

Setting Description Allowed Values Default Value
filter.profiles.directory The directory in which to look for filter profiles. Any valid directory path. ./profiles/

Span Disambiguation

These settings configure Philter’s span disambiguation feature to determine the most appropriate type of sensitive information when duplicate spans are identified. In a deployment of multiple Philter instances, you must enable the cache service for span disambiguation to work as expected.

Setting Description Allowed Values Default Value
span.disambiguation.enabled Whether or not to enable span disambiguation. true, false false

Metrics

These settings configure how Philter reports metrics during its operations. For more information on the metrics collected and reported see Metrics. Philter can report metrics via JMX, Datadog, and Amazon CloudWatch. You may enable any combination of metrics services, or none of them to disable metrics reporting.

Setting Description Allowed Values Default Value
metrics.prefix A value used to prefix metric names. Any value philter
metrics.hostname A means for differentiating metrics across multiple instances of Philter. Any value None

JMX Metric Reporting

These settings control metric reporting via JMX.

Setting Description Allowed Values Default Value
metrics.jmx.enabled Enables metrics reporting via JMX. true, false false

Prometheus Metric Reporting

Thee settings control metrics reporting via an HTTP endpoint. Metrics will only be available via an HTTP endpoint when enabled. By default, the metrics endpoint is http://philter-ip:9100/metrics. This path can be modified via the settings listed below.

Setting Description Allowed Values Default Value
metrics.prometheus.enabled Enables metrics reporting via an HTTP endpoint true, false false
metrics.prometheus.port The port on which the metrics HTTP server listens. Any valid port number. 9100
metrics.prometheus.metrics The context at which the metrics HTTP server listens. Any valid HTTP context. metrics

Datadog Metric Reporting

These settings control metric reporting via Datadog. Metrics will only be published to Datadog when enabled.

Setting Description Allowed Values Default Value
metrics.datadog.enabled Enables metrics reporting via Datadog. true, false false
metrics.datadog.apikey Your Datadog API key. A valid Datadog API key None

Amazon CloudWatch Metric Reporting

These settings control metric reporting via Amazon CloudWatch. Metrics will only be published to CloudWatch when enabled. The value of metrics.hostname will be used as a dimension for the metrics.

Setting Description Allowed Values Default Value
metrics.cloudwatch.enabled Enables metrics reporting via Amazon CloudWatch. true, false false
metrics.cloudwatch.region The Amazon CloudWatch region. Any valid AWS region name. us-east-1
metrics.cloudwatch.namespace The Amazon CloudWatch namespace for the metrics. Any valid Amazon CloudWatch Metrics namespace name. None

AWS CloudWatch Credentials

Philter will look for AWS credentials following the default AWS credentials chain (environment variables, default credentials file, instance profile credentials). When running in AWS using an instance profile via an IAM role is the preferred method. When not possible, using environment variables is recommended and can be set as shown below:

export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"

AWS IAM Role

The IAM user or role being used must have PutMetricData permissions. An example policy is shown below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        }
    ]
}

SSL/TLS

By default, Philter is pre-configured for two-way SSL/TLS connections to both Philter’s API and Philter’s UI. However, client certificates are “wanted” but not “required.” This can be changed to require client certificates in Philter’s settings (described below under Two-Way SSL/TLS).

One-Way SSL/TLS

In one-way SSL/TLS, Philter’s API is configured to accept connections only over SSL/TLS. This can help prevent a man-in-the-middle attack.
When Philter is deployed via the AWS Marketplace, Microsoft Azure Marketplace, or Google Cloud Marketplace, one-way SSL/TLS will be enabled by default with a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate for your organization. When configured, the SSL/TLS listener will be available on the port defined by server.port , which is 8080 by default.

To enable Philter’s SSL/TLS listener, provide the following properties:

Setting Description Allowed Values Default Value
server.ssl.key-store-type The type of keystore. PKCS12 or JKS None
server.ssl.key-store Full path to the keystore file. File path. None
server.ssk.key-store-password The keystore’s password. A valid password. None
server.ssl.key-alias The certificate alias in the keystore. A valid alias. None

An example configuration to enable SSL is shown below:

# SSL certificate settings
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/opt/philter/ssl/philter.p12
server.ssl.key-store-password=Password123!
server.ssl.key-alias=philter
server.ssl.client-auth=none

The command that generated the self-signed certificate referenced by the above configuration is:

keytool -genkeypair -keypass Password123! -dname "CN=philter, O=philter, C=US\ -alias philter -keyalg RSA -keysize 4096 -storepass Password123! -storetype PKCS12 -keystore /opt/philter/ssl/philter.p12 -validity 3650

Two-Way SSL/TLS

In two-way SSL/TLS connections, both the client and the server verify each other’s identity. A certificate authority (CA) generates a server certificate and a client certificate along with the corresponding private keys.

To configure Philter to use two-way SSL/TLS, set the configuration to set server.ssl.client-auth to need and to specify the location of the trust store and the trust store password. (Please contact us for assistance with creating self-signed certificates.)

# SSL certificate settings
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/opt/philter/ssl/philter.p12
server.ssl.key-store-password=Password123!
server.ssl.key-alias=philter
server.ssl.client-auth=need
server.ssl.trust-store=/path/to/truststure.jks
server.ssl.trust-store-password=changeit

All clients of the Philter API must now present a valid certificate signed by the same CA as the server certificate to be granted access to Philter’s API.

In the example curl command below to filter text, we are providing the client certificate and the client private key in the API request.

curl -vvvv -k --cert client.crt --key client.key -H "Content-type: text/plain" "https://localhost:8080/api/filter" --data "George Washington was president and his ssn was 123-45-6789."

Cache Service

The cache service is required to use consistent anonymization and filter profiles stored in Amazon S3. Philter supports Redis as the backend cache. When Redis is not used, an in-memory cache is used instead. The in-memory cache is not recommended because all contents will be stored in memory on the local Philter instance.

Important: The cache will contain sensitive information. It is important that you take the necessary precautions to secure the cache itself and all communication between Philter and the cache.

Setting Description Allowed Values Default Value
cache.redis.enabled Whether or not to use Redis as the cache. true, false false
cache.redis.host The hostname or IP address of the Redis cache. Any valid Redis endpoint. None
cache.redis.port The Redis cache port. Any valid port. 6379
cache.redis.auth.token The Redis auth token. A valid token. None
cache.redis.ssl Whether or not to use SSL for communication with the Redis cache. true, false false

The following Redis settings are only required when using a self-signed SSL certificate.

Setting Description Allowed Values Default Value
cache.redis.trust.store The path to the trust store. A valid file path. None
cache.redis.truststore.password The trust store password. A valid file path. None
cache.redis.keystore The path to the keystore. A valid file path. None
cache.redis.keystore.password The keystore password. A valid file path. None

Advanced Settings

In most cases the settings below do not need changed. Contact us for more information on any of these settings.

Setting Description Allowed Values Default Value
ner.timeout.sec Controls the timeout in seconds when performing name entity recognition. Longer text may require longer processing times. An integer value. 600