Settings
Airlock has settings to control how it operates. The settings and how to configure each are described below.
The configuration for the types of sensitive information that Airlock identifies are defined in policies outside of Airlock's configuration properties described on this page.
Configuring Airlock
The Airlock Settings File
Airlock’s settings file is application.properties. This file is located in Airlock’s installation directory, which is most likely /opt/airlock. All changes to this files requires Airlock to be restarted for the changes to take affect. To restart Airlock execute the following commands:
sudo systemctl restart airlock.service
sudo systemctl restart airlock-ner.service
Using Environment Variables
Properties set via environment variables take precedence over properties set in Airlock's settings file.
All following properties can also be set as environment variables by prepending PHILTER_ to the property name and changing periods to underscores. For example, the property filter.profiles.directory can be set using the environment variable PHILTER_FILTER_PROFILES_DIRECTORY by:
export PHILTER_FILTER_PROFILES_DIRECTORY=/profiles/
Setting or changing an environment variable requires Airlock to be restarted. To restart Airlock execute the following commands:
sudo systemctl restart airlock.service
sudo systemctl restart airlock-ner.service
Using environment variables to configure Airlock instead of using Airlock's settings file can allow for easier configuration management when deploying Airlock. {style="tip"}
Policies
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
filter.policies.directory |
The directory in which to look for policies. | Any valid directory path. | ./policies/ |
Span Disambiguation
These values configure Airlock's span disambiguation feature to determine the most appropriate type of sensitive information when duplicate spans are identified. In a deployment of multiple Airlock instances, you must enable the cache service for span disambiguation to work as expected.
| Description | Allowed Values | Default Value | |
|---|---|---|---|
span.disambiguation.enabled |
Whether or not to enable span disambiguation. | true, false |
false |
Metrics
These values configure how Airlock reports metrics during its operations. For more information on the metrics collected and reported see Metrics. Airlock can report metrics via JMX, Prometheus, Datadog, and Amazon CloudWatch. You may enable any combination of metrics services, or none of them to disable metrics reporting.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
metrics.prefix |
A value used to prefix metric names. | Any value | airlock |
metrics.hostname |
A means for differentiating metrics across multiple instances of Airlock. | Any value | None |
JMX Metric Reporting
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
metrics.jmx.enabled |
Enables metrics reporting via JMX. | true, false |
false |
Prometheus Metric Reporting
Metrics will be published to an HTTP endpoint when enabled. By default, the metrics endpoint is http://airlock-ip:9100/metrics. This path can be modified via the settings listed below.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
metrics.prometheus.enabled |
Enables metrics reporting via an HTTP endpoint. | true, false |
false |
metrics.prometheus.port |
The port on which the metrics HTTP server listens. | Any valid port number. | 9100 |
metrics.prometheus.metrics |
The context at which the metrics HTTP server listens. | Any valid HTTP context. | metrics |
Datadog Metric Reporting
Metrics will be published to Datadog when enabled.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
metrics.datadog.enabled |
Enables metrics reporting via Datadog. | true, false |
false |
metrics.datadog.apikey |
Your Datadog API key. | Any valid Datadog API key. | None |
Amazon CloudWatch Metric Reporting
Metrics will be published to CloudWatch when enabled. The value of metrics.hostname will be used as a dimension for the metrics.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
metrics.cloudwatch.enabled |
Enables metrics reporting via AWS CloudWatch. | true, false |
false |
metrics.cloudwatch.region |
The AWS CloudWatch region. | Any valid AWS region name. | us-east-1 |
metrics.cloudwatch.namespace |
The AWS CloudWatch namespace for the metrics. | Any valid CloudWatch Metrics namespace name. | None |
AWS CloudWatch Credentials
Airlock will look for AWS credentials following the default AWS credentials chain (environment variables, default credentials file, instance profile credentials). When running in AWS using an instance profile via an IAM role is the preferred method. When not possible, using environment variables is recommended and can be set as shown below:
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
AWS IAM Role
The IAM user or role being used must have PutMetricData permissions. An example policy is shown below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
}
]
}
SSL/TLS
By default, Airlock is pre-configured for two-way SSL/TLS connections to both Airlock's API and Airlock's UI. However, client certificates are "wanted" but not "required." This can be changed to require client certificates in Airlock's settings (described below under Two-Way SSL/TLS).
One-Way SSL/TLS
In one-way SSL/TLS, Airlock's API is configured to accept connections only over SSL/TLS. This can help prevent a man-in-the-middle attack.
When Airlock is deployed via the AWS Marketplace, Microsoft Azure Marketplace, or Google Cloud Marketplace, one-way SSL/TLS will be enabled by default with a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate for your organization. When configured, the SSL/TLS listener will be available on the port defined by server.port , which is 8080 by default.
To enable Airlock's SSL/TLS listener, provide the following properties:
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
server.ssl.key-store-type |
The type of keystore. | PKCS12 or JKS |
None |
server.ssl.key-store |
Full path to the keystore file. | File path. | None |
server.ssl.key-store-password |
The keystore’s password. | A valid password. | None |
server.ssl.key-alias |
The certificate alias in the keystore. | A valid alias. | None |
An example configuration to enable SSL is shown below:
# SSL certificate settings
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/opt/airlock/ssl/airlock.p12
server.ssl.key-store-password=Password123!
server.ssl.key-alias=airlock
server.ssl.client-auth=none
The command that generated the self-signed certificate referenced by the above configuration is:
keytool -genkeypair -keypass Password123! -dname "CN=airlock, O=airlock, C=US\ -alias airlock -keyalg RSA -keysize 4096 -storepass Password123! -storetype PKCS12 -keystore /opt/airlock/ssl/airlock.p12 -validity 3650
Two-Way SSL/TLS
In two-way SSL/TLS connections, both the client and the server verify each other's identity. A certificate authority (CA) generates a server certificate and a client certificate along with the corresponding private keys.
To configure Airlock to use two-way SSL/TLS, set the configuration to set server.ssl.client-auth to need and to specify the location of the trust store and the trust store password. (Please contact us for assistance with creating self-signed certificates.)
# SSL certificate settings
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=/opt/airlock/ssl/airlock.p12
server.ssl.key-store-password=Password123!
server.ssl.key-alias=airlock
server.ssl.client-auth=need
server.ssl.trust-store=/path/to/truststure.jks
server.ssl.trust-store-password=changeit
All clients of the Airlock API must now present a valid certificate signed by the same CA as the server certificate to be granted access to Airlock's API.
In the example curl command below to filter text, we are providing the client certificate and the client private key in the API request.
curl -vvvv -k --cert client.crt --key client.key -H "Content-type: text/plain" "https://localhost:8080/api/filter" --data "George Washington was president and his ssn was 123-45-6789."
Cache Service
The cache service is required to use policies stored in Amazon S3. Airlock supports Redis as the backend cache. When Redis is not used, an in-memory cache is used instead. The in-memory cache is not recommended because all contents will be stored in memory on the local Airlock instance.
The cache will contain sensitive information. It is important that you take the necessary precautions to secure the cache itself and all communication between Airlock and the cache.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
cache.redis.enabled |
Whether or not to use Redis as the cache. | true, false |
false |
cache.redis.host |
The hostname or IP address of the Redis cache. | Any valid Redis endpoint. | None |
cache.redis.port |
The Redis cache port. | Any valid port. | 6379 |
cache.redis.auth.token |
The Redis auth token. | Any valid token. | None |
cache.redis.ssl |
Whether or not to use SSL for communication with the Redis cache. | true, false |
false |
The following Redis settings are only required when using a self-signed SSL certificate.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
cache.redis.truststore |
The path to the trust store. | Any valid file path. | None |
cache.redis.truststore.password |
The trust store password. | Any valid file path. | None |
cache.redis.keystore |
The path to the keystore. | Any valid file path. | None |
cache.redis.keystore.password |
The keystore password. | Any valid file path. | None |
Advanced Settings
In most cases the settings below do not need changed. Contact us for more information on any of these settings.
| Setting | Description | Allowed Values | Default Value |
|---|---|---|---|
ner.timeout.sec |
Controls the timeout in seconds when performing name entity recognition. Longer text may require longer processing times. | An integer value | 600 |
ner.max.idle.connections |
The maximum number of idle connections to maintain for the named entity recognition. More connections may improve performance in some cases. | An integer value. | 30 |
ner.keep.alive.duration.ms |
The amount of time in milliseconds to keep named entity recognition connections alive. Longer text may require longer processing times. | An integer value. | 60 |