Configuring confidentiality policies on a Cloud Probe

To hide or delete sensitive information from the captured traffic data in a on-premises environment, you configure a confidentiality policy on a Collector. If you are using Application Performance Management as a service, you configure a confidentiality policy by modifying the scrubbing_rules.conf file on the Cloud Probe computer.

To configure a confidentiality policy on a Cloud Probe

  1. Stop the BMC Real User Cloud Probe service.
  2. Prevent the Cloud Probe agent from getting confidentiality policies from the Real User Collector:
    1. Open the probe_properties.conf file located on the Cloud Probe host in the <installationDirectory>/conf folder.

    2. Under the #Traffic section, set the value of SYSTEM.PROPERTIES.EPX.probe.conf-collector-policies-listener-interval parameter to “0”.

      Tip

      When you set the SYSTEM.PROPERTIES.EPX.probe.conf-collector-policies-listener-interval parameter to a non-zero value (for example, 30), the Cloud Probe will override the contents of the probe_properties.conf file with configuration from Real User Collector every 30 seconds.

      Now, the Cloud Probe takes the confidentiality policies configuration from the scrubbing_rules.conf file disregarding the configuration defined in the Real User Collector.

  3. Modify the scrubbing_rules.conf file located in the <installationDirectory>/conf folder to set confidentiality policies according to syntax reference.
  4. Start the BMC Real User Cloud Probe service.

The Cloud Probe starts using confidentiality policies from the configuration file.

Syntax reference

The system can hide or delete private data according to the rules that you configure for each of the following traffic elements:

  • Cookies
  • POST-params
  • URI query
  • URI path parameters

The following behaviors are observed:

  • KEEP — the field value is kept in the traffic data
  • HASH — the field value is hashed
  • DELETE_VALUE — the field value is deleted
  • DELETE — the field is deleted

At the end of each section, define the DEFAULT (catch-all) rule.

When specifying a field, use asterisk (*) to identify zero or more characters.

For example, user* mask will filter fields such as user, user1, userid, and so on.

Example of the scrubbing_rules.conf
############################
# Cookie scrubbing rules
COOKIE [jsessionid]=KEEP
COOKIE [aspsessi*]=KEEP
COOKIE [asp*sessionid]=HASH
COOKIE [*tltuid*]=DELETE
COOKIE [sid]=DELETE_VALUE
COOKIE [OAX]=DELETE
COOKIE [VISITOR_INFO1_LIVE]=DELETE_VALUE
COOKIE [PREF]=DELETE
COOKIE DEFAULT=KEEP
############################
# Post-Params scrubbing rules
POST_PARAMS [user*]=HASH
POST_PARAMS [password]=HASH
POST_PARAMS DEFAULT=HASH
############################
# URI-Query-Params scrubbing rules
URI_QUERY_PARAMS [user*]=HASH
URI_QUERY_PARAMS [password]=HASH
URI_QUERY_PARAMS DEFAULT=HASH
############################
# URI-Path-Params scrubbing rules
URI_PATH_PARAMS [user*]=HASH
URI_PATH_PARAMS [password]=HASH
URI_PATH_PARAMS DEFAULT=HASH
 
Warning

Rules priority

  • The higher the rule appears in the section, the higher its priority. For example, the aspsessionid cookie falls under two rules, COOKIE [aspsessi*]=KEEP and COOKIE [asp*sessionid]=HASH. So, this cookie will be kept because the KEEP rule stands higher than HASH.
  • The DEFAULT (catch-all) rule must appear at the end of each section.

Contents of the rules configuration file must end with an empty line.

Related topic

Configuring-a-confidentiality-policy-on-a-Collector

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*