Syncplicity Support


DLP Connector setup and management

The Syncplicity On-premises DLP Connector is server software that runs as a virtual machine. It connects the Syncplicity orchestration layer in the cloud and a third-party data loss prevention (DLP) solution to your on-premises storage endpoint. You should review About Syncplicity StorageVaults before reading further.

Prerequisites

The storage endpoint should already be configured with at least two Syncplicity Storage Connectors. If you have not configured your storage for this, see Hybrid Cloud Storage and Deploying Syncplicity On-Premises Storage Connector to set up your storage endpoint for Syncplicity.

The following topics describe the prerequisites for installing the on-premises DLP Connector.

Hardware requirements

The DLP Connector requires:

  • A minimum of two virtual machines hosted on VMware vSphere Hypervisor (ESXi) 6.0 or later.
  • Each virtual machine must have 8 gigabytes of random access memory, 8 virtual cores and a hard disk drive (HDD) of at least 50 GB.

See the next topic, Network configuration, for the network requirements: an externally addressable SSL offloading load balancer, two or more Storage Connectors, and a storage backend that exposes a standard NFS v3 or S3 interface.

Network configuration

The DLP Connector is supplied as an OVA file and installed on a virtual machine. The DLP Connector requires the following:

  • Each DLP Connector requires a dedicated virtual machine hosted on VMware vSphere Hypervisor.
  • At least two DLP Connectors, but you can deploy more for scalability and high availability.
  • Deployment of an externally addressable SSL offloading load balancer in front of all virtual machines, configured with an SSL certificate signed by a certificate authority (CA). Do not use a self-signed certificate.
  • Disable SSLv3, TLS 1.0 and TLS 1.1 on the load balancer so that only TLS 1.2 is negotiated. (SSLv3 is already disabled by default in the JDK.)

[Diagram: dlp_graphic.PNG]

As shown in the diagram, a typical deployment places the storage layer in the private area of the corporate network, the Storage Connector and DLP Connector virtual machines in the semi-private area, and the SSL offloading load balancer in the DMZ.

Inbound port requirements

To enable Syncplicity clients on the Internet to reach the DLP Connector, the following inbound ports must be open.

Connection                                                        | Port | Protocol
From the Internet to the SSL offloading load balancer in the DMZ  | 443  | HTTPS
From the SSL offloading load balancer to the DLP Connector VMs    | 9001 | HTTP

The load balancer terminates TLS, so traffic from it to the DLP Connectors on port 9001 is plaintext HTTP. Restrict that port to the load balancer's addresses; it must never be reachable from the Internet directly.

Atmos storage requirements

To enable the DLP Connector to connect to an EMC Atmos storage backend, the following ports must be open from the DLP Connector.

Connection                                        | Port                                 | Protocol
From the DLP Connector to the Atmos load balancer | 443 if SSL is used, 80 if it is not  | HTTPS or HTTP
From the DLP Connector to the NTP server          | 123                                  | UDP

Elastic Cloud Storage (ECS) requirements

To enable the DLP Connector to connect to an ECS storage backend, the following ports must be open from the DLP Connector.

Connection                                      | Port                                   | Protocol
From the DLP Connector to the ECS load balancer | 9021 if SSL is used, 9020 if it is not | HTTPS or HTTP
From the DLP Connector to the NTP server        | 123                                    | UDP

NFS v3-based storage

To enable connections from the DLP Connector virtual machines to the NFS storage backend, the following ports must be open. This includes EMC Isilon storage.

Port | Protocol | Type of traffic
53   | TCP      | DNS for SmartConnect (Isilon only)
111  | TCP, UDP | SUN Remote Procedure Call (rpcbind/portmapper)
300  | TCP, UDP | NFS mount daemon
302  | TCP, UDP | NFS stat daemon
304  | TCP, UDP | NFS lock daemon
2049 | TCP, UDP | NFS server daemon

Ports 300, 302 and 304 are the fixed mountd, statd and lockd ports used by Isilon OneFS. On other NFS servers these daemons are assigned ports dynamically through rpcbind unless the server pins them; check with rpcinfo -p <server> and pin them before writing firewall rules.

Outbound port requirements

In general, outbound traffic to external hosts on port 443 should be allowed. If that is not possible, at least the following must be allowed from the DLP Connector virtual machines:

  • 443/HTTPS to xml.syncplicity.com, xml.eu.syncplicity.com, api.syncplicity.com, api.eu.syncplicity.com, health.syncplicity.com and health.eu.syncplicity.com.
  • 443/HTTPS to the ActionMQ endpoint set in dlp.yml (amq.syncplicity.com or amq.eu.syncplicity.com; see Configure DLP settings).
  • 80/HTTP to centos.org and fedoraproject.org. Only required when upgrading the OS or installing additional packages.

Configure Isilon storage

If you are not using Isilon storage, skip this section. If you have already configured your Isilon cluster for your Storage Connectors, skip to step 3.

Isilon storage requires the following additional configuration steps.

  1. Create a directory on the EMC Isilon cluster where you want to store the Syncplicity data. Do this from an ssh session to the Isilon cluster. Example: /ifs/syncp-data

  2. Configure the permissions on the directory via an ssh session to the Isilon cluster.

    chown 498:499 /ifs/syncp-data
    chmod 770 /ifs/syncp-data

    These commands restrict access to the directory to UID 498 and GID 499, the IDs of the syncp user and group on the connectors, and remove access for everyone else.

  3. Create an NFS export via the WebUI. The following screen shows the basic export settings that restrict the export to the connected Storage and DLP Connectors. Add the IP addresses of the DLP Connectors to the Clients, Always Read-Write Clients and Root Clients fields. The values 10.111.158.3 and 10.111.158.4 are example IP addresses of the Storage Connectors; your addresses will differ. Leave all other export settings at their defaults.

    [Screenshot: add_an_NFS_export_old.PNG]

  4. If the DLP Connector is in the DMZ (Internet side of the firewall) and Isilon storage is inside the firewall, you must verify specific ports are opened on the firewall to allow access via NFS from the DLP Connectors to the Isilon storage. This does not apply if the Isilon storage is not behind a firewall.

  5. See Task 6: Prepare for NFS mounted storage later in this topic to check the NFS mount to the Isilon storage.

This completes the basic configuration of the EMC Isilon storage for the on-premises DLP Connector.

Install connector

Deployment of the DLP Connector Open Virtual Appliance (OVA) file is similar to the Storage Connector OVA deployment described in Installing the Storage Connector.

The on-premises DLP Connector is delivered as a virtual machine image, in OVA format, to simplify the deployment. The image is based on the CentOS 7.3 Linux operating system. It includes the necessary Syncplicity software.

After the initial installation, you are responsible for maintaining the operating system on the VM, including applying updates and bug fixes. Note that CentOS 7 reached end of life on 30 June 2024 and no longer receives updates from the CentOS project, so factor that into your patching plan.

The following tasks describe installing the DLP Connector.

Task 1: Provision virtual machine

You must download the software and deploy it to a VMware ESXi server.

To provision a VM, download the DLP Connector OVA file from http://www.syncplicity.com/xDLPConnectorOVFDownload.

Connect to the VMware ESXi server using VMware vSphere Client.

Perform the remaining tasks for each DLP Connector server deployed. At least two are required.

Task 2: Deploy OVF template

You must use the vSphere Client's built-in support for OVF/OVA packages to create a DLP Connector virtual machine instance.

To deploy the OVF template:

  1. Click File > Deploy OVF Template... to initiate the process.

  2. Accept the EULA.

  3. Configure the amount of memory, CPU cores and disk space to allocate to the virtual machine. See hardware requirements in the Prerequisites section of this topic.

  4. Start the deployed DLP Connector virtual machine.

Task 3: Log in and change your password

The virtual machine ships with an administrative account named syncp that has sudo privileges. Its initial password is onprem. Because every copy of the OVA has the same default, change this password at first login; the new password must meet the following minimum requirements:

  • At least 14 characters.
  • At least one of each of the following: lowercase letter, uppercase letter, number and symbol.
  • Cannot reuse the last 5 passwords.
  • Must contain at least 5 characters that are different from the previous password.

Task 4: Configure network connection

The server listens for incoming SSH connections on TCP port 22. Each DLP Connector must have a static IP address, so disable DHCP and configure the interface as follows.

  1. Type: sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Replace the following settings with your values (use plain ASCII double quotes):

    DEVICE="eth0"
    BOOTPROTO="static"
    ONBOOT="yes"
    IPADDR=<static-ip-address-for-this-server>
    NETMASK=<network-mask>
    GATEWAY=<gateway_ip_address>
    DNS1=<static-ip-address-dns-server1>
    DNS2=<static-ip-address-dns-server2>
    IPV6INIT="yes"
    IPV6_AUTOCONFIG="yes"

To turn on networking and set the host name:

  1. Type: sudo vi /etc/sysconfig/network

  2. Set the correct HOSTNAME and DOMAINNAME in this file (a single = sign, no spaces around it):

    NETWORKING=yes
    NETWORKING_IPV6=yes
    HOSTNAME=<hostname>
    DOMAINNAME=<domain_name>

To configure the name servers:

  1. Type: sudo vi /etc/resolv.conf

  2. Delete the content of the file.

  3. Add one line per name server IP address (resolv.conf does not accept host names here):

    nameserver <ip-address-of-name-server-1>
    nameserver <ip-address-of-name-server-2>

  4. Restart networking (not the whole server) by typing: sudo systemctl restart network

Until the syncp-dlp service is started, the server listens only for SSH; once it is started, TCP port 9001 is open as well. The OVA ships with no host firewall enabled, so rely on network-level filtering (or enable firewalld yourself) to limit who can reach ports 22 and 9001.

By default the DLP Connector OVA image uses pool.ntp.org for time synchronization. If you want to use a different network time protocol (NTP) server, edit /etc/cron.hourly/ntpdate file and change pool.ntp.org to the desired NTP server.

Task 5: Configure SSL

You must deploy a load balancer in front of your DLP Connectors and configure it to perform SSL offloading. Ensure the SSL offloading load balancer uses a correctly chained certificate issued by a certificate authority (CA).

A certificate chain consists of all certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy. The root CA issues a certificate for itself.

To create a proper chain, use a text editor of your choice, such as Notepad or vi, to copy and paste the two or three certificates (three if there is an intermediate CA) into one text file in the following order:

  • The server certificate for the externally addressable host name, the one the load balancer presents to Syncplicity clients; for example, dlp_connector_node.pem.
  • The intermediate CA certificate, if there is one; for example, Intermediate_Root.pem.
  • The certificate authority (VeriSign, Thawte, Entrust) root certificate; for example, CA_Root.pem.

If you do not have the intermediate and root certificates, the CA that signed the server certificate can provide them.
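The ordering rule above is easy to get wrong when three PEM blocks are pasted together by hand. The following shell script is an added example, not part of the original article or of Syncplicity's software: it generates a throwaway root CA, intermediate CA and server certificate with the openssl CLI (every name, including dlp.example.com and the "Example ... CA" subjects, is a constructed placeholder), concatenates them in the required order, verifies the chain cryptographically with openssl verify, and checks the file order by confirming that each certificate's issuer is the subject of the certificate that follows it. Point check_chain_order at your real bundle before loading it on the load balancer.

```shell
#!/bin/sh
# Added example (not from the Syncplicity article): build a throwaway
# root -> intermediate -> server chain, concatenate it in the order the
# article requires, and verify both the signatures and the file order.
# Requires the openssl CLI. All names (dlp.example.com, "Example ... CA")
# are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root, intermediate signed by the root, leaf signed by the
# intermediate. Extensions come from small files so no openssl.cnf section
# is needed. Runs in a subshell so the cd does not leak.
make_chain() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dlp.example.com\n' > leaf.ext

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout CA_Root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey CA_Root.key -days 2 \
        -extfile ca.ext -out CA_Root.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout Intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA CA_Root.pem -CAkey CA_Root.key \
        -CAcreateserial -days 2 -extfile ca.ext -out Intermediate_Root.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dlp.example.com' \
        -keyout dlp_connector_node.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA Intermediate_Root.pem -CAkey Intermediate.key \
        -CAcreateserial -days 2 -extfile leaf.ext -out dlp_connector_node.pem 2>/dev/null

    # Required order: server certificate, intermediate, root.
    cat dlp_connector_node.pem Intermediate_Root.pem CA_Root.pem > chain.pem
    # Common mistake kept for comparison: root first.
    cat CA_Root.pem Intermediate_Root.pem dlp_connector_node.pem > wrong_order.pem
)

# Cryptographic check: does the leaf chain to the root through the intermediate?
verify_chain() {  # $1 leaf, $2 intermediate, $3 root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Order check a load balancer relies on: split the bundle into one file per
# certificate and require issuer(cert N) == subject(cert N+1) all the way down.
check_chain_order() {  # $1 bundle.pem ; prints "ordered" or an explanation
    split="$WORK/split"; rm -rf "$split"; mkdir -p "$split"
    awk -v dir="$split" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
                         f != "" { print > f }' "$1"
    prev_issuer=""
    for cert in "$split"/*.pem; do
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "out of order: expected '$prev_issuer' next, found '$subject'"
            return 1
        fi
        prev_issuer=$issuer
    done
    echo ordered
}

make_chain
verify_chain "$WORK/dlp_connector_node.pem" "$WORK/Intermediate_Root.pem" "$WORK/CA_Root.pem" \
    && echo "openssl verify: chain is valid"
check_chain_order "$WORK/chain.pem"
check_chain_order "$WORK/wrong_order.pem" || echo "wrong_order.pem rejected, as expected"
```

The order check only proves that each certificate was issued by the next one in the file; openssl verify is what proves the signatures are good and the root is trusted. Confirming the TLS-version hardening from the network requirements needs a live connection and is therefore not in the script: after hardening, openssl s_client -connect <load_balancer>:443 -tls1 and -tls1_1 should fail to negotiate while -tls1_2 succeeds.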

Your externally addressable SSL offloading load balancer must load balance Syncplicity client traffic across all DLP Connectors. The specific instructions may vary based on the type of your load balancer.

Configure your load balancer to terminate SSL/TLS on a port (for example, 443) and load balance the decrypted traffic across the IP addresses of all DLP Connectors on port 9001, the HTTP port listed in the inbound port requirements above.

Task 6: Prepare for NFS mounted storage

If your storage backend is Atmos or uses the S3 protocol, skip this task.

Set NFS to read-only access

The DLP Connector only reads from backend storage; it never writes. Mount the NFS share read-only on DLP nodes (ro instead of rw in the fstab entries below) once the ownership of the mount point has been set, so that a compromised or misconfigured connector cannot modify stored data.

Configure Isilon

If your storage backend is Isilon, mount the dedicated Syncplicity share on the server using the NFS file system type, at the mount point that matches your rootdir setting (for example, /mnt/syncp). To make sure the Isilon share is mounted automatically at system startup:

  1. Type: sudo vi /etc/fstab

  2. Add the following line to the file:

    <Isilon_cluster_name_or_IP_address>:/<Syncplicity_data_directory> <mount_point> nfs rw

    Where <mount_point> is the value you set for the key rootdir in the platform section (isilon, vnx or fs) of the configuration file /etc/syncp-dlp/syncp-dlp.conf (for vnx, rootdir is one level below the mount point; see Configure storage settings). Use ro instead of rw to follow the read-only recommendation above. Do not include the addr=<server> option, since it can cause connectivity issues to Isilon.

    Example: isilon.mycompany.com:/ifs/syncp-data /mnt/syncdata nfs rw

  3. Type: sudo mount <mount_point>

For production environments, ensure the Isilon cluster name (used in the NFS mount entry in /etc/fstab) is a SmartConnect DNS name for the Isilon cluster and the SmartConnect settings are configured for dynamic IP addresses. This ensures the DLP Connectors can leverage the high availability features of the EMC Isilon architecture. Configuring the mount options to access a SmartConnect zone also maximizes performance to the EMC Isilon cluster.

The Isilon storage should have a directory created specifically for Syncplicity data. This directory must have its permissions and NFS export configured for the DLP Connectors, as described in the configuring Isilon storage topic in the Prerequisites section of this topic.

Configure standard NFS v3 storage

If your storage backend uses a standard NFS v3 interface (other than Isilon), mount a dedicated Syncplicity share on the server using the NFS file system type, at the mount point that matches your rootdir setting (for example, /mnt/syncp).

To make sure the NFS share is mounted at system startup:

  1. Type: sudo vi /etc/fstab

  2. Add the following line to the file:

    <NFS_server_name_or_IP>:/<Syncplicity_data_directory> <mount_point> nfs rw

    Where <mount_point> is the value you set for the key rootdir in the platform section (isilon, vnx or fs) of the configuration file /etc/syncp-dlp/syncp-dlp.conf. Use ro instead of rw to follow the read-only recommendation above.

    Example: nfs.mycompany.com:/syncp-data /mnt/syncdata nfs rw

  3. Type: sudo mount <mount_point>

Configure connector

To complete installation, you must edit the DLP Connector software configuration files. However, you first must obtain the access key.

Retrieve access key

To retrieve the access key, click the Settings tab of the Syncplicity administrative console and select Manage StorageVaults at the bottom of the page. A list of configured StorageVaults and their access keys is displayed. Select the StorageVault you configured for the Syncplicity Storage Connectors and copy its access key; it must be the same access key the Storage Connectors for this StorageVault use. If you have no StorageVaults, see Configuring and managing StorageVaults.

Configure storage settings

  1. At the virtual machine, edit the following file using the vi editor by typing sudo vi /etc/syncp-dlp/syncp-dlp.conf

  2. In the syncplicity.ws section of the syncp-dlp.conf file, replace <syncplicity access key> with the access key that you retrieved from the Manage StorageVault Settings. For example, accesskey: "d4jJDpO7erZEmrlKab6w"

  3. If your company is using the EU PrivacyRegion, the on-premises DLP Connector must be configured with the following settings:

    ws.url: "https://xml.eu.syncplicity.com/1.1"
    syncplicity.ws.external.url: "https://api.eu.syncplicity.com"
    syncplicity.health.url: "https://health.eu.syncplicity.com/v1"

  4. If using a proxy, set the enable flag to true and specify the proxy host and port in the proxy section.

    syncplicity.ws {
    proxy {
    enable: true
    host: "my_proxy.mycompany.com"
    port: 8080
    }
    }

  5. In the syncplicity.storage section of the syncp-dlp.conf file, replace <storage type> with atmos for EMC Atmos systems, s3 for AWS s3 buckets or EMC ECS systems, isilon for EMC Isilon systems, vnx for EMC VNX systems, or fs for generic NFS v3 systems. For example, type atmos

  6. If type is atmos, configure your Atmos storage settings. Under the atmos section of the syncp-dlp.conf file, set url to the URL on which the Atmos installation listens, explicitly including the port number. Set token to your Atmos authentication token and secret to your Atmos secret key. For example:

    syncplicity.storage.atmos {
    url: "https://atmos.internal:443"
    token: "7ce21bbh56ek8feg0a7c23f343ad8df99/tenant"
    secret: "poSq7g5123t1TEQp5PlWhv4SAxk="
    }

  7. If type is s3 for AWS s3 storage, configure your AWS storage settings under the s3 section of the syncp-dlp.conf file. Enter the name of the bucket you created and its region, the access key and secret. For AWS, the secret was generated when you created the IAM user. For example:

    syncplicity.storage.s3 {
    access: "put access key here"
    secret: "put secret key here"
    data.bucket: "cec-euw-sync-data"
    region: "eu-central-1"
    s3_signature_version: "v4"
    }
  8. If type is s3 for EMC ECS storage, configure your EMC ECS storage settings under the s3 section of the syncp-dlp.conf file by providing the following information:

    • Full url of the ECS storage, including the port. Refer to your ECS Storage administrator for the exact ports being used. Default ports are 9020 for HTTP and 9021 for HTTPS.
    • Name of the bucket you created.
    • Access key used for authentication, which is generated by the ECS administrator. With ECS, the access key is typically an email address.
    • Secret used for authentication, which is generated by the ECS administrator.

      For example:

      syncplicity.storage.s3 {
      access: "syncplicity@mycompany.com"
      secret: "put secret key here"
      url: "http://10.1.1.1:9020"
      bucket: "MyStorageVault_bucket"
      }

    When an IP address is used in the URL, the Base URL (fully qualified URL) must be defined in the ECS admin console. The Base URL should correspond to the URL you use in the syncp-dlp.conf file. The Base URL is used by ECS as part of the object address where virtual host style addressing is used and enables ECS to know which part of the address refers to the bucket and, optionally, name space. To avoid upload errors, such as the one following, make sure to add the Base URL in the ViPR console for all VDCs.

    The request signature we calculated does not match the signature you provided. Check your secret access key and signing method. For more information, see REST authentication and SOAP authentication for details.

  9. If type is isilon, configure your Isilon storage settings. Under the isilon section of the syncp-dlp.conf file, set rootdir to the mount point of your Isilon cluster on this server. For example:

    syncplicity.storage.isilon {
    rootdir: "/mnt/syncdata"
    }

    Make sure the syncp-dlp:syncp-dlp user owns the mount point. To set the ownership of the mount point, type: chown -R syncp-dlp:syncp-dlp <mount_point>

  10. If type is vnx, configure your VNX storage settings. Under the vnx section of the syncp-dlp.conf file, set the rootdir of your VNX system on this server. The directory below the mount point (for example, data) must exist before proceeding. If this directory does not exist, create it now. For example:

    syncplicity.storage.vnx {
    rootdir: "/mnt/syncdata/data"
    }

    Make sure the rootdir is one level below the mount point for VNX storage systems. For example, if the mount point is /mnt/syncdata, the rootdir value must be /mnt/syncdata/data. Also make sure the syncp-dlp:syncp-dlp user owns the mount point. To set ownership of the mount point, type: chown -R syncp-dlp:syncp-dlp <mount_point>

  11. If type is fs for generic NFS v3 storage, configure your NFS storage settings. In the syncplicity.storage section of the syncp-dlp.conf file, add the following FS configuration and set rootdir to the mount point of your NFS v3 server on this server. If the following lines are in the syncp-dlp.conf file, edit the lines. For example:

    syncplicity.storage.fs {
    rootdir: "/mnt/syncdata"
    }

    Make sure the syncp-dlp:syncp-dlp user owns the mount point. To set ownership of the mount point, type: chown -R syncp-dlp:syncp-dlp <mount_point>

  12. Verify the dlp.configPath property in the syncplicity section contains valid path to the dlp.yml config file. Typically, this file is in the same directory. For example, dlp.configPath: /etc/syncp-dlp/dlp.yml

Configure DLP settings

  1. Create or use an existing keystore named dlpKeyStore and generate keys by typing the following command:

    keytool -genkey -keyalg RSA -alias actionMQkey -keystore dlpKeyStore

    You are prompted for a keystore password (storepass) and a password for the private key about to be generated (keypass); both are needed later for dlp.actionmq.keyStorePassword and dlp.actionmq.keyPassword in dlp.yml. If you are creating a new keystore with this command, you are also prompted for distinguished-name information (name, organization, and so on).

  2. Export the public key. First convert the JKS keystore to PKCS12:

    keytool -importkeystore -srckeystore dlpKeyStore -destkeystore dlpKeyStore.p12 -deststoretype PKCS12 -destkeypass <destPass> -deststorepass <destPass>

    Where <destPass> is any valid password. A PKCS12 keystore cannot have different storepass and keypass values. Then extract the private key in PEM form:

    openssl pkcs12 -in dlpKeyStore.p12 -nocerts -out private.key

    You are prompted for <destPass> (the import password) and then for a PEM pass phrase that protects private.key. Finally derive the public key:

    openssl rsa -in private.key -pubout > public.key

    You are prompted for the pass phrase you set on private.key. Only public.key is uploaded to Syncplicity; dlpKeyStore.p12 and private.key are extra copies of the signing key, so delete them (or restrict them to the syncp-dlp user) once public.key exists. The connector itself keeps using the JKS keystore referenced by dlp.actionmq.keyStorePath.

  3. Enter the public key on the Manage StorageVault Settings page for your StorageVault

    Log in to MySite as an administrator and navigate to the Manage StorageVaults page. Select the StorageVault you are using to integrate with your DLP engine; this opens the Manage StorageVault Settings page. Scroll to the bottom of the page and enter your public key.

    [Screenshot: DLP_add_public_key_page.jpg]

    [Screenshot: DLP_add_public_key_dialog.jpg]
  4. Save the StorageVault ID, which can be found on the Manage StorageVault Settings page. The StorageVault ID, with the dashes "-" removed, will be used during the DLP configuration steps and in the Troubleshooting steps. The following is an example of where to retrieve the StorageVault ID.

    [Screenshot: Retrieve_StorageVault_ID.png]

  5. Customize the settings for the DLP connector by editing the DLP config file. This config file is in YAML format (http://yaml.org/).

    sudo vi /etc/syncp-dlp/dlp.yml

    The following is an example of the dlp.yml config file.

    [Screenshot: dlp_yml_config_file.PNG]

    Description of each parameter (type; required or optional; default):

    dlp.actionmq.url (String, URL; required; default https://amq.syncplicity.com/api/v1/)
      The URL of the ActionMQ instance. Companies in the US PrivacyRegion use https://amq.syncplicity.com/api/v1/; companies in the EU PrivacyRegion use https://amq.eu.syncplicity.com/api/v1/.

    dlp.actionmq.queueName (String; required; no default)
      The name of the queue from which messages are read. The queue is created when the DLP feature is enabled for the StorageVault. The name follows the pattern 1.file.<storagevault_id>, where <storagevault_id> is the ID collected in Step 4 with the dashes removed.

    dlp.actionmq.batchSize (Integer; optional; default 10)
      The number of messages requested from ActionMQ per batch. Minimum 1, maximum 100.

    dlp.actionmq.keyStorePath (String, path; optional; default /etc/syncp-dlp/dlpKeyStore)
      Path to the keystore (JKS format) holding the private key used to sign the JWT for ActionMQ access.

    dlp.actionmq.keyStorePassword (String; required)
      The keystore password (storepass from Step 1).

    dlp.actionmq.keyPassword (String; required)
      The password for the private key (keypass from Step 1).

    dlp.actionmq.keyAlias (String; required)
      The alias of the private key in the keystore, as chosen in Step 1 (actionMQkey in the example command).

    dlp.actionmq.jwtTokenValidityPeriod (Integer, seconds; optional; default 1800)
      How long each JWT is valid. Do not set it higher than the corresponding parameter on the ActionMQ side. Because validity is checked against the token's timestamps, the DLP node's clock must be synchronized (see the NTP note in Task 4).

    dlp.actionmq.jwtTokenSkew (Integer, seconds; optional; default 10)
      How many seconds before expiry a new token is generated. For example, a token valid until 10:15:27 with skew 10 is replaced at 10:15:17. This avoids requests being rejected because the token expired in flight.

    dlp.actionmq.jwtIssuer (String; required)
      The StorageVault ID this DLP Connector works against: the <storagevault_id> collected in Step 4, with the dashes removed.

    dlp.workers.count (Integer; optional; default 250)
      Number of worker threads processing incoming messages in parallel. Minimum 1.

    dlp.manager.sleepTime (Integer, seconds; optional; default 30)
      Pause between requests to ActionMQ after a request returned 0 messages (empty queue).

    dlp.manager.shutdownTimeout (Integer, seconds; optional; default 60)
      Time allowed for a graceful shutdown when the syncp-dlp service is stopped. After it elapses, remaining worker threads are killed.

    dlp.processors.alias (String; required)
      A name for the DLP server.

    dlp.processors.uri (String, URL; required)
      The URL of the ICAP interface exposed by the DLP Engine.

    dlp.processors.proxy (String, URL; optional)
      Proxy used to reach the DLP Engine. Needed only when there is no direct route from the DLP Connector to the ICAP server and traffic has to go through a proxy.

    dlp.processors.target (String; required)
      The name of the ICAP response header from which the connector reads the reason a file was blocked. The value of that header is stored as the description of the ScanResult. Header names differ between DLP engines, for example:

      • Digital Guardian: X-Virus-ID, X-Infection-Found or X-Violations-Found
      • McAfee: X-Infection-Found or X-Violations-Found
      • Symantec: X-Infection-Found or X-Violations-Found

      These headers are described in the ICAP extensions draft: https://tools.ietf.org/html/draft-stecher-icap-subid-00

  6. Make sure the syncp-dlp user can read dlpKeyStore, dlp.yml and syncp-dlp.conf. You can set the owner of these files with:

    chown syncp-dlp:syncp-dlp /etc/syncp-dlp/dlpKeyStore /etc/syncp-dlp/dlp.yml /etc/syncp-dlp/syncp-dlp.conf

    dlp.yml holds the keystore and key passwords and syncp-dlp.conf holds the storage credentials, so also make sure neither is world-readable (for example, chmod 640 on each).

Customize logging options

The DLP Connector writes error, warning and info messages to a log file in /var/log/syncp-dlp/. The log settings can be customized to change the log level, the retention of log files and the name of the log file. This is useful in improving the usability of reviewing logs from multiple DLP Connectors consolidated by a log shipping tool (example: logstash).

  1. To customize the name of the log file, edit /etc/syncp-dlp/logger.xml and modify the <appender><rollingPolicy><fileNamePattern> xml element.

    The default log file name and format is: /var/log/syncp-dlp/${HOSTNAME}-dlp-%d{yyyy-MM-dd}.log.gz

    You can hard-code a name in place of ${HOSTNAME} or set this environment variable on your system by a persistent method (such as /etc/environment). For example:

    <fileNamePattern>/var/log/syncp-dlp/TEST-ENV-${HOSTNAME}-dlp-%d{yyyy-MM-dd}.log.gz</fileNamePattern>

  2. To change the log retention period, edit /etc/syncp-dlp/logger.xml and modify the <maxHistory> setting to the number of days to keep archived log files. The default setting is 30 days. For example, to change the log retention period to 7 days:

    <maxHistory>7</maxHistory>

  3. The log level can be set to one of the following: ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF. The default logging level is INFO, which provides a moderate level of logged data covering ERROR, WARN and INFO messages. To change the log level, edit /etc/syncp-dlp/logger.xml and modify the level setting for the application logger. For example:

    <logger name="application" level="DEBUG" />

  4. Any time you change the settings in logger.xml you must restart the DLP Connector service for the changes to take effect. To restart the syncp-dlp service, type the following command:

    sudo systemctl restart syncp-dlp

Start connector

  1. Start the DLP Connector service on each of the DLP Connectors you have configured with this command:

    sudo systemctl start syncp-dlp

  2. After starting the syncp-dlp service, check the logs to make sure there is no error in the configuration and the service started without any problem. The Syncplicity software logs its activity under /var/log/syncp-dlp. To list log files run the command:

    sudo ls -la /var/log/syncp-dlp

The base software installation process has been completed.

Verify installation

To confirm the DLP Connector is configured and running correctly, review and execute the following tasks on each DLP Connector.

Confirm service is running

On each DLP Connector server, type the following command to confirm that the DLP Connector is running correctly:

sudo systemctl status syncp-dlp.service

If the service is running correctly, the Active line of the output shows active (running).

Confirm service is accessible

For each DLP Connector server, type the following URL in a browser to confirm the service is accessible:

http://<hostname_or_IP_address_of_dlp_connector_server>:9001/ping

If the service is accessible, the following message displays: pong

If unable to access the service in a browser, on each connector server type the following command:

curl http://<dlp_connector_host_or_IP>:9001/ping;echo

If the service is accessible, the following message displays: pong

Check ActionMQ connection

To verify the connection to ActionMQ, navigate to the Admin | Settings | Data Loss Prevention (DLP) page. Scroll down to the StorageVaults section, select the radio button for Selective StorageVaults, and enter the URL for your DLP Connector. Then scroll to the Scanning Status section and click the Refresh status link. If the statistics for the Current Queue and Historical Queue refresh without errors, the ActionMQ queue has been created correctly. Once files are being uploaded and scanned by the DLP Engine, the statistics on this page start to update. Here is an example:

[Screenshot: DLP_Verify_Queue.png]

Troubleshooting

The following are guidelines for troubleshooting errors.

Error

Can't get messages from the queue. com.syncplicity.dlp.queue.QueueException: Can't get messages

Description

The DLP Connector cannot retrieve messages from ActionMQ.

Solution

Check the DLP Connector configuration file /etc/syncp-dlp/dlp.yml to ensure that all dlp.actionmq.* properties are configured correctly. Refer to the Configure DLP settings section of this document. Specifically:

url matches the ActionMQ URL for your company's PrivacyRegion.

queueName matches the format "1.file.<storagevault_id>", where <storagevault_id> is the correct value (taken from the Manage StorageVault Settings page) with the "-" characters removed.

jwtIssuer matches "<storagevault_id>", again with the "-" characters removed.

If you updated any of these settings in dlp.yml, restart the DLP Connector service by entering

sudo systemctl restart syncp-dlp.service

If all of these values are entered correctly, and you've restarted the DLP Connector service, and you are still getting this error, please contact Syncplicity Technical Support.

Error

Can't generate JWT token java.io.FileNotFoundException: Can't find keystore

Description

The JWT token cannot be generated because the Java keystore cannot be opened.

Solution

Check the DLP Connector configuration file /etc/syncp-dlp/dlp.yml to ensure that the dlp.actionmq.keyStorePath property is configured correctly. Refer to the Configure DLP settings section of this document.

Check that the Java keystore has read access for the syncp-dlp user. For example, you can set the owner for keystore:

chown syncp-dlp:syncp-dlp /etc/syncp-dlp/dlpKeyStore

Error

Cannot connect to ICAP server: 10.129.105.245:1344 for message id=11360750.203942046 com.syncplicity.dlp.icap.IcapCantConnectException: Cannot connect to ICAP server: 10.129.105.245:1344

Description

The DLP Connector cannot communicate with the ICAP server of the DLP Engine.

Solution

Check the DLP Connector configuration file /etc/syncp-dlp/dlp.yml to ensure that the dlp.processors.uri property is configured correctly. Refer to the Configure DLP settings section of this document.

Verify that the ICAP server for the DLP Engine is running and that the internal firewall rules are not blocking traffic between the DLP Connector and the ICAP server.

Error

Orchestration response: 403 Unauthorized Storage Endpoint

Description

The Access Key configured for this DLP Connector does not match the Access Key for this StorageVault, or is invalid.

Solution

Check the DLP Connector configuration file /etc/syncp-dlp/syncp-dlp.conf to ensure that the accesskey in the syncplicity.ws section matches the access key shown on the Manage StorageVault Settings page for this StorageVault. Refer to the Configure storage settings section of this document.

Error

The syncp-dlp service does not start

Solution

If the syncp-dlp service is not running you can quickly review errors for details with the following commands:

systemctl status syncp-dlp.service

journalctl -xe

 
