DLP Connector setup and management


The Syncplicity On-premises DLP Connector is server software that runs as a virtual machine. It connects the Syncplicity orchestration layer in the cloud and a third-party Data Loss Prevention (DLP) solution to your on-premises storage endpoint. You should review About Syncplicity StorageVaults and private storage before reading further.

The DLP administration topic describes how to manage settings and policies in the administrator console for DLP.

Prerequisites

The storage endpoint should already be configured with at least two Syncplicity Storage Connectors. If you have not configured your storage for this, see Hybrid Cloud Storage and Deploying Syncplicity On-Premises Storage Connector to set up your storage endpoint for Syncplicity.

The following topics describe the prerequisites for installing the on-premises DLP Connector.

Hardware requirements

The DLP Connector requires:

  • A minimum of two virtual machines hosted on VMware vSphere Hypervisor (ESXi) 6.0 or later.
  • Each virtual machine must have 8 gigabytes of random access memory, 8 virtual cores and a hard disk drive (HDD) of at least 50 GB.

See the next topic about network configuration for the network hardware requirements, which include two or more Storage Connectors and a storage backend that supports standard NFS v3 or s3 interfaces.

Network configuration

The DLP Connector is supplied as an OVA file and installed on a virtual machine. The DLP Connector requires the following:

  • Each DLP Connector requires a dedicated virtual machine hosted on VMware vSphere Hypervisor.
  • At least two DLP Connectors, but you can deploy more for scalability and high availability.
  • At least two Storage Connectors
  • Ensure TLS 1.2 is used by disabling TLS 1.0 and TLS 1.1, and ensure SSLv3 is disabled. SSLv3 is disabled by default in the JDK.

As shown in the diagram, a typical example is with the storage layer in the private area of the corporate network. The Storage Connector and DLP Connector virtual machines are in the semi-private area. Note that the SSL offloading load balancer in the DMZ is for Storage Connectors only.

Inbound port requirements

Atmos storage requirements

To enable the DLP Connector to connect to an EMC Atmos storage backend, the following inbound ports must be open.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector to the Atmos load balancer | 443 if SSL is used; 80 if SSL is not used | HTTP or HTTPS |
| From the DLP Connector in the DMZ to the Network Time Protocol (NTP) server | 123 | UDP |

Elastic Cloud Storage (ECS) requirements

To enable the DLP Connector to connect to an ECS storage backend, the following inbound ports must be open.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector to the ECS load balancer | 9021 if SSL is used; 9020 if SSL is not used | HTTP or HTTPS |
| From the DLP Connector in the DMZ to the NTP server | 123 | UDP |

NFS v3-based storage

To enable connections from the DLP Connector virtual machines to the NFS storage backend, the following inbound ports must be open. This includes EMC Isilon storage.

| Port | Protocol | Type of Traffic |
| --- | --- | --- |
| 53 | TCP | DNS for SmartConnect (Isilon only) |
| 111 | TCP | SUN Remote Procedure Call |
| 111 | UDP | SUN Remote Procedure Call |
| 300 | TCP | NFS mount daemon |
| 300 | UDP | NFS mount daemon |
| 302 | TCP | NFS stat daemon |
| 302 | UDP | NFS stat daemon |
| 304 | TCP | NFS lock daemon |
| 304 | UDP | NFS lock daemon |
| 2049 | TCP | NFS server daemon |
| 2049 | UDP | NFS server daemon |

Service accessibility check

To enable checking for DLP Connector service accessibility from external hosts, the following should be allowed.

| Connection | Port | Protocol |
| --- | --- | --- |
| From external hosts to the DLP Connector virtual machines | 9002 | HTTP |

Outbound port requirements

In general, traffic outbound to external hosts on port 443 should be allowed. If for some reason this is not so, at least the following should be allowed.

| Connection | Port | Protocol |
| --- | --- | --- |
| From the DLP Connector virtual machines to: xml.syncplicity.com, xml.eu.syncplicity.com, api.syncplicity.com, api.eu.syncplicity.com, health.syncplicity.com, health.eu.syncplicity.com | 443 | HTTPS |
| From the DLP Connector virtual machines to the NTP servers | 123 | UDP |
| From the DLP Connector virtual machines to centos.org, fedoraproject.org. Note: Only required during the upgrade procedure or installation of separate packages to allow for RPM dependency checking. | 80 | HTTP |

Configure Isilon storage

If you are not using Isilon storage, skip this section. 

Isilon storage requires the following additional configuration steps. 

  1. Create an NFS Export via the WebUI. The following screen shows the basic export settings that lock the export to only the connected Storage and DLP Connectors. Add the IP addresses of the DLP Connectors in the following fields: Clients, Always Read-Write Clients and Root Clients. The values 10.111.158.3 and 10.111.158.4 are example IP addresses of the Storage Connectors. Your IP addresses are different. All other export settings should be left at their defaults.

    [Screenshot: basic export settings]

  2. If the DLP Connector is in the DMZ (Internet side of the firewall) and Isilon storage is inside the firewall, you must verify specific ports are opened on the firewall to allow access via NFS from the DLP Connectors to the Isilon storage. This does not apply if the Isilon storage is not behind a firewall.

  3. Refer to Task 5: Prepare for NFS mounted storage in order to mount a dedicated Syncplicity share for the Isilon storage.

This completes the basic configuration of the EMC Isilon storage for the on-premises DLP Connector.

Install connector

The on-premises DLP Connector is delivered as a virtual machine image, in OVA format, to simplify the deployment. The image is based on the CentOS 7.6 Linux operating system. It includes the necessary Syncplicity software.

After the initial installation, you must maintain the operating system on the VM, which includes staying current with updates and bug fixes.

The deployment of the DLP Connector Open Virtual Appliance (OVA) file is similar to the Storage Connector OVA deployment described in Install the On-Premise Storage Connector.

The installation of the DLP Connector consists of several tasks.

Task 1: Download the DLP Connector OVA

You must download the DLP Connector OVA and deploy it in a VMware ESXi server.

To download the DLP Connector OVA:

  1. Log in to my.syncplicity.com as a Global Administrator user and navigate to Admin > Downloads.
  2. In the DLP Integration section, under Software, click Download.
  3. Save the OVA bundle to a location that is accessible from your ESXi server.

Perform the remaining tasks for each DLP Connector server that you want to deploy. You must deploy at least two DLP server instances in your environment.

Task 2: Deploy the DLP Connector OVA

You must use the built-in support for OVF/OVA packages of the vSphere Client to deploy a virtual machine instance for the DLP Connector.

To deploy the OVF template:

  1. Connect to your VMware ESXi server by using the VMware vSphere Client.
  2. Click File > Deploy OVF Template... to initiate the process.
  3. Accept the EULA.
  4. If required, adjust the amount of memory, CPU cores, and disk space to allocate to the virtual machine.
    Ensure that the virtual machine meets the following requirements.
    • 8 gigabytes of random access memory
    • 8 virtual cores
    • hard disk drive (HDD) of at least 50 GB
  5. Start the DLP Connector virtual machine that you deployed.

Task 3: Log in and change the default OVA password

By default, the virtual appliance is preconfigured with an administrative account with sudo privileges called syncp. The default password is onprem. For increased security, change this password, adhering to the minimum password requirements listed below.

  • At least 14 characters.
  • At least one of each of the following: lowercase letter, uppercase letter, number and symbol.
  • Cannot reuse the last 5 passwords.
  • Must contain at least 5 characters that are different from the previous password.

Task 4: Configure the network connection

By default, the DLP Connector server does not have a firewall turned on. DLP Connector listens for incoming SSH connections on TCP port 22.

You must configure the DLP Connector servers in your environment with static IP addresses.

The next steps describe how to disable the DHCP on a DLP Connector OVA and assign a static IP address for the appliance.

  1. In the virtual appliance console, run the following command.
    sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Replace the following settings with your parameters:
    DNS2=<static-ip-address-dns-server2>
    DNS1=<static-ip-address-dns-server1>
    IPADDR=<static-ip-address-for-this-server>
    GATEWAY=<gateway_ip_address>
    IPV6_AUTOCONFIG="yes"
    NETMASK=<network-mask>
    BOOTPROTO="static"
    DEVICE="eth0"
    ONBOOT="yes"
    IPV6INIT="yes"

To turn on the networking and configure the host name and domain name, follow these steps: 

  1. In the virtual appliance console, run the following command.
    sudo vi /etc/sysconfig/network

  2. Set HOSTNAME and DOMAINNAME for the DLP server:
    NETWORKING=yes
    NETWORKING_IPV6=yes
    HOSTNAME=<hostname>
    DOMAINNAME=<domain_name>

To configure the Domain Name Service (DNS) servers, follow these steps: 

  1. In the virtual appliance console, run the following command.
    sudo vi /etc/resolv.conf

  2. Delete the content of the file.

  3. Add a line for the IP address or host name of each DNS server:
    nameserver <ip-address-or-host-name-of-name-server-1>
    nameserver <ip-address-or-host-name-of-name-server-2>
    nameserver <ip-address-or-host-name-of-name-server-3>

  4. Restart the network service with the following command:
    sudo systemctl restart network

The DLP server now listens for incoming SSH connections only. No other ports are open. 

NOTE: By default, the DLP Connector OVA image uses pool.ntp.org for time synchronization.

  • If you want to use a different network time protocol (NTP) server, edit the /etc/chrony.conf file or use chronyc to set the desired NTP server to which the DLP Connector machines can connect.
  • If you use Atmos storage, make sure that both DLP Connector machines and Atmos connect to the same NTP servers. Otherwise, the DLP connector will not operate as expected with the S3 storage.

Task 5: Configure the DLP Connector server for an NFS mounted storage

If your storage backend of choice is Atmos/Google Cloud Storage, or is using the s3 protocol, you can skip this section.

Set NFS to read-only access

The DLP Connector does not write any data on the backend storage. Set read-only access to the NFS storage on the DLP Connector virtual appliance.

Configure Isilon

If your storage backend is Isilon, you must mount the dedicated Syncplicity share to the server at /mnt/syncp. Use the NFS file system type. To make sure the Isilon share is mounted automatically at system startup:

  1. Run the following command in the virtual appliance console.
    sudo vi /etc/fstab

  2. Add the following line to the file.

    <Isilon_cluster_name_or_IP_address>:/<Syncplicity_data_directory> <mount_point>  nfs  rw

    Where <mount_point> is the value you have set for the key rootdir for the platform section (Isilon, VNX, fs) in the configuration file /etc/syncp-das/syncp-das.conf. Do not include the addr=<server> option since this can cause connectivity issues to Isilon.

    Example: dlp.mycompany.com:/ifs/syncp-data  /mnt/syncdata  nfs  rw

  3. Run the following command.
    sudo mount <mount_point>

For production environments, ensure the Isilon cluster name used in the NFS mount entry in /etc/fstab is a SmartConnect DNS name for the Isilon cluster, and the SmartConnect settings are configured for dynamic IP addresses. This ensures the DLP Connectors can leverage the high availability features of the EMC Isilon architecture. Configuring the mount options to access a SmartConnect zone also maximizes performance to the EMC Isilon cluster.

The Isilon storage should have a directory created specifically for Syncplicity data. This directory must have its permissions and NFS export configured for the DLP Connectors, as described in the Configure Isilon Storage subsection above.

Configure standard NFS v3 storage

If your storage backend of choice uses a standard NFS v3 interface, excluding Isilon, you must mount a dedicated Syncplicity share to the server at /mnt/syncp. Make sure to use the NFS file system type.

To verify the NFS share is mounted at system startup:

  1. Run the following command in the virtual appliance console.
    sudo vi /etc/fstab

  2. Add the following line to the file.

    <NFS_server_name_or_IP>:/<Syncplicity_data_directory>  /<mount_point>  nfs  rw

    Where <mount_point> is the value you have set for the key rootdir for the platform section (Isilon, VNX, fs) in the configuration file /etc/syncp-das/syncp-das.conf.

    Example: dlp.mycompany.com:/syncp-data /mnt/syncdata  nfs  rw
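
A check for the /etc/fstab entries described in Task 5, added here as an example and not part of the vendor documentation. It reports whether the entry for the mount point uses the nfs type, whether it carries the addr= option that the Isilon step says to omit, and whether it is mounted rw (as the sample lines above are) or ro (as "Set NFS to read-only access" asks). The function name audit_nfs_fstab and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not vendor code. audit_nfs_fstab is a hypothetical helper name.
# Usage: audit_nfs_fstab <fstab-file> <mount-point>
# Prints one finding per line. Returns 1 if any FAIL finding was printed, else 0.
audit_nfs_fstab() {
    awk -v mnt="$2" '
        /^[ \t]*#/ || NF == 0 { next }    # skip comments and blank lines
        $2 != mnt { next }                # field 2 is the mount point
        {
            found = 1
            if ($3 != "nfs") {
                print "FAIL type=" $3 " (expected nfs)"
                bad = 1
            }
            # Field 4 is the comma-separated option list; mount defaults to rw.
            mode = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro" || opt[i] == "rw") mode = opt[i]
                if (opt[i] ~ /^addr=/) {
                    print "FAIL option " opt[i] " present (omit addr=)"
                    bad = 1
                }
            }
            if (mode == "ro")
                print "OK   read-only mount of " $1
            else
                print "WARN read-write mount of " $1 " (connector only reads)"
        }
        END {
            if (!found) { print "FAIL no entry for " mnt; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: the last line is the Isilon example entry from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/centos-root  /  xfs  defaults  0 0
dlp.mycompany.com:/ifs/syncp-data  /mnt/syncdata  nfs  rw
EOF
audit_nfs_fstab "$sample" /mnt/syncdata || true
rm -f "$sample"
```

On a connector, run it against /etc/fstab with the rootdir mount point from /etc/syncp-das/syncp-das.conf as the second argument.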

Configure the DLP Connector

To complete the installation, you must obtain the access key for the StorageVault to which you want to enable DLP, and edit the configuration files on the DLP Connector appliances.

Retrieve the StorageVault access key

Before editing the configuration files, you need to retrieve the access key for the StorageVault for which you want to enable DLP.

  1. Log in to https://my.syncplicity.com as a Global Administrator.
  2. Click Admin > Settings.
  3. At the bottom of the page, select Manage StorageVaults.
    The list of configured StorageVaults and their associated access keys opens.
  4. Select the StorageVault for which you want to configure DLP and copy the access key.
    This should be the same access key you are using for the Storage Connectors configured for this StorageVault.
  5. If no StorageVaults are listed, click the Add StorageVault button to create one.
    When you complete the wizard, the access key is displayed. For detailed instructions on defining a StorageVault, see Adding and Editing StorageVaults.

Configure the StorageVault settings

  1. At the virtual machine, edit the following file using the vi editor:
    sudo vi /etc/syncp-das/syncp-das.conf

  2. In the syncplicity.ws section of the syncp-das.conf file, replace <syncplicity access key> with the access key that you retrieved from the Manage StorageVault Settings. For example, accesskey: "d4jJDpO7erZEmrlKab6w"

  3. If your company is using the EU PrivacyRegion, the on-premises DLP Connector must be configured with the following settings:

    syncplicity.ws.url: "https://xml.eu.syncplicity.com/1.1"
    syncplicity.ws.external.url: "https://api.eu.syncplicity.com"
    syncplicity.health.url: "https://health.eu.syncplicity.com/v1"

  4. If using a proxy, set the enable flag to true and specify the proxy host and port in the proxy section.

    syncplicity.ws {
      proxy {
            enable: true
            host: "my_proxy.mycompany.com"
            port: 8080  
      }
    }

  5. In the syncplicity.storage section of the syncp-das.conf file, replace <storage type> with:

    • atmos for EMC Atmos systems
    • azure for Azure storage blobs
    • google for Google Cloud Storage (GCS)
    • isilon for EMC Isilon systems
    • fs for generic NFS v3 systems
    • s3 for EMC ECS systems or AWS s3 buckets
    • vnx for EMC VNX systems

    For example, if you are configuring for Azure blob storage, enter:

    syncplicity.storage {
      type: "azure"
    }

  6. If type is atmos, configure your Atmos storage settings. Under the atmos section of the syncp-das.conf file, set url to the URL and port on which the Atmos installation listens. Explicitly include the port number. Set token to your Atmos authentication token and set secret to your Atmos secret key. For example:

    syncplicity.storage.atmos {
      url: "https://atmos.internal:443"
      token: "7ce21bbh56ek8feg0a7c23f343ad8df99/tenant"
      secret: "poSq7g5123t1TEQp5PlWhv4SAxk="
    }

  7. If type is s3 for AWS s3 storage, configure your AWS storage settings under the s3 section of the syncp-das.conf file. Enter the name of the bucket you created and its region, the access key and secret. For AWS, the secret was generated when you created the IAM user. For example:

    syncplicity.storage.s3 {
       bucket: "put bucket name here"
       region: "put region here"
       access: "put access key here"
       secret: "put secret key here"
       enableV4: true
    }

  8. If type is s3 for EMC ECS storage, configure your EMC ECS storage settings under the s3 section of the syncp-das.conf file by providing the following information:

    • Full url of the ECS storage, including the port. Refer to your ECS Storage administrator for the exact ports being used. Default ports are 9020 for HTTP and 9021 for HTTPS.
    • Name of the bucket you created.
    • Access key used for authentication, which is generated by the ECS administrator. With ECS, the access key is typically an email address.
    • Secret used for authentication, which is generated by the ECS administrator. For example:

      syncplicity.storage.s3 {
        access: "syncplicity@mycompany.com"
        secret: "put secret key here"
        url: "http://10.1.1.1:9020"
        bucket: "MyStorageVault_bucket"
      }

    Note: When an IP address is used in the URL, the Base URL (fully qualified URL) must be defined in the ECS admin console. The Base URL should correspond to the URL you use in the syncp-das.conf file. The Base URL is used by ECS as part of the object address where virtual host style addressing is used and enables ECS to know which part of the address refers to the bucket and, optionally, name space. To avoid upload errors, such as the one following, make sure to add the Base URL in the ViPR console for all VDCs.

    The request signature we calculated does not match the signature you provided. Check your secret access key and signing method. For more information, see REST authentication and SOAP authentication for details.

  9. If your storage type is isilon, configure the Isilon storage settings. Under the isilon section of the syncp-das.conf file, set rootdir to the mount point of your Isilon cluster on this server. For example:

    syncplicity.storage.isilon {
      rootdir: "/mnt/syncdata"
    }


    Make sure the syncp-das:syncp-das user owns the mount point. To set the ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  10. If type is vnx, configure your VNX storage settings. Under the vnx section of the syncp-das.conf file, set the rootdir of your VNX system on this server. The directory below the mount point (for example, data) must exist before proceeding. If this directory does not exist, create it now. For example:

    syncplicity.storage.vnx {
       rootdir: "/mnt/syncdata/data"
    }


    Make sure the rootdir is one level below the mount point for VNX storage systems. For example, if the mount point is /mnt/syncdata, the rootdir value must be /mnt/syncdata/data. Also, make sure the syncp-das:syncp-das user owns the mount point. To set ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  11. If type is fs for generic NFS v3 storage, configure your NFS storage settings. In the syncplicity.storage section of the syncp-das.conf file, add the following FS configuration and set rootdir to the mount point of your NFS v3 server on this server. If the following lines are in the syncp-das.conf file, edit the lines. For example:

    syncplicity.storage.fs {
       rootdir: "/mnt/syncdata"
    }


    Make sure the syncp-das:syncp-das user owns the mount point. To set ownership of the mount point, type the following command:

    sudo chown -R syncp-das:syncp-das <mount_point>

  12. If type is azure, configure your Azure storage settings under the azure section of the syncp-das.conf file. Enter the Azure storage account name, the storage account key and the name of the Azure blob storage container. For example:

    syncplicity.storage.azure {
      # Storage account name
      accountName: "MyStorageVault"
      # Storage account secret key
      accountKey: "put secret key here"
      # Azure blob storage container name
      container: "MyStorageVault_blob"
    }

    Note: When configuring the DLP Connector to utilize Azure blob storage, the DLP Connector servers should be hosted in the Azure VPC to minimize latency between the DLP Connector and the storage.

  13. If type is google, configure your GCS settings under the google section of the syncp-das.conf file. Enter the name of the bucket you created, and the JSON string with authentication credentials provided in a downloadable file when your service account key is generated (see GCS documentation). For example:

    syncplicity.storage.google {
      # name of the bucket
      bucket: "put bucket name here"
      # the authentication credentials JSON for the service account
      authJson: "put JSON string here"
    }

Configure the DLP settings

  1. Create or use an existing keystore named keyStore.p12 and generate keys by typing the following command:

    keytool -genkey -keyalg RSA -alias actionMQKey -keystore keyStore.p12 -storetype PKCS12

    You are prompted to enter passwords for the key and keystore. The storepass value specifies the keystore password. The keypass value specifies a password for the private key about to be generated. You need this password to access the keystore entry containing that key. If you are creating a keystore using the preceding keytool command, you are prompted for your distinguished-name information (name, organization, and so on).

  2. Export the public key by typing the following commands:

    keytool -importkeystore -srckeystore keyStore.p12 -destkeystore dlpKeyStore.p12 -deststoretype PKCS12 -destkeypass <destPass> -deststorepass <destPass>

    Where <destPass> is any valid password. The destination PKCS12 keystore cannot have different storepass and keypass values.

    openssl pkcs12 -in dlpKeyStore.p12 -nocerts -out private.key

    The user is prompted for <destPass>.

    openssl rsa -in private.key -pubout > public.key

    The user is prompted for <destPass>.

  3. Enter the public key on the Manage StorageVault Settings page for the StorageVault on which you want to enable DLP.
    1. Log in to the MySite as an administrator, and navigate to the Manage StorageVaults page.
    2. Select the StorageVault that you are using to integrate with your DLP engine.
      The Manage StorageVault Settings page opens.
    3. Scroll to the bottom of the page and enter your public key.

  4. Save the StorageVault ID, which can be found on the Manage StorageVault Settings page.
    The StorageVault ID, with the dashes "-" removed, is used during the DLP configuration steps and for Troubleshooting.
    The following is an example of where to retrieve the StorageVault ID.

  5. Customize the settings for the DLP connector by editing the DLP configuration file. This file is in YAML format (http://yaml.org/).

    For DLP Connector 1.0.0-1.1.1, type:

    sudo vi /etc/syncp-dlp/dlp.yml

    For DLP Connector 1.2.x, type:

    sudo vi /etc/syncp-das/syncp-das.yml

    The following are example fragments of the /etc/syncp-dlp/dlp.yml and /etc/syncp-das/syncp-das.yml files.

    /etc/syncp-dlp/dlp.yml (DLP Connector 1.1.1 or earlier):

    dlp:
      actionmq:
        url: https://amq.syncplicity.com/api/v1/
        queueName: 1.file.a38e8fd78e93481698a6e58a01b7f357
        batchSize: 10
        keyStorePath: /etc/syncp-dlp/dlpKeyStore
        keyStorePassword: password
        keyPassword: keyPassword
        keyAlias: actionMQKey
        jwtTokenValidityPeriod: 60
        jwtTokenSkew: 5
        jwtIssuer: a38e8fd78e93481698a6e58a01b7f357
      workers:
        count: 250
      manager:
        sleepTime: 30
        shutdownTimeout: 60
      processors:
        - alias: DigitalGuardian
          uri: icap://10.250.240.230:1344/response
          proxy: http://10.250.240.235:3128
          target: X-Virus-ID

    /etc/syncp-das/syncp-das.yml (DLP Connector 1.2.x):

    spring.profiles.active: DLP

    syncplicity.das:
      dlp:
        actionmq:
          url: https://amq.syncplicity.com/api/v1/
          queueName: 1.file.a38e8fd78e93481698a6e58a01b7f357
          keyAlias: actionMQKey
          keyPassword: keyPassword
          jwtIssuer: a38e8fd78e93481698a6e58a01b7f357
          jwtTokenValidityPeriod: 60
          jwtTokenSkew: 5
        manager:
          workersCount: 250
          batchSize: 10
          sleepTime: 30
          shutdownTimeout: 60
        processors:
          - alias: DigitalGuardian
            uri: icap://10.250.240.230:1344/response
            proxy: http://10.250.240.235:3128
            target: X-Virus-ID
        icap.client.maxContentLengthToScan: 26214400

    See DLP configuration parameters for detailed descriptions of all parameters in the YML file.

  6. Make sure the keyStore.p12, syncp-das.yml and syncp-das.conf files have read access for the syncp-das user. You can set the owner for these files by running the following command:

    sudo chown syncp-das:syncp-das /etc/syncp-das/keyStore.p12 /etc/syncp-das/syncp-das.yml /etc/syncp-das/syncp-das.conf
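
An alternative to the private.key round trip in step 2, added here as an example and not part of the vendor procedure: read the public key from the certificate stored in dlpKeyStore.p12, so no private key file is written, and confirm that an existing public.key matches it before pasting it into the Manage StorageVault Settings page. The function names and the password-file argument are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not vendor code. Function names and the password-file
# argument are assumptions made for this illustration.

# pubkey_from_p12 <keystore.p12> <password-file>
# Prints the PEM public key taken from the certificate in the keystore.
# -nokeys tells openssl not to output the private key, so only the
# certificate leaves the keystore and nothing secret reaches disk.
pubkey_from_p12() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" |
        openssl x509 -pubkey -noout
}

# pubkey_matches <keystore.p12> <password-file> <public.key>
# Returns 0 only when public.key parses as a public key and is the same
# key as the one in the keystore certificate. Both sides are re-encoded
# by "openssl pkey" so that formatting differences do not matter.
pubkey_matches() {
    want=$(pubkey_from_p12 "$1" "$2" 2>/dev/null | openssl pkey -pubin 2>/dev/null)
    have=$(openssl pkey -pubin -in "$3" 2>/dev/null)
    [ -n "$want" ] && [ -n "$have" ] && [ "$want" = "$have" ]
}

# Command-line use: sh check_pubkey.sh dlpKeyStore.p12 pass.txt public.key
if [ "$#" -eq 3 ]; then
    if pubkey_matches "$1" "$2" "$3"; then
        echo "public.key matches the keystore certificate"
    else
        echo "public.key does NOT match the keystore certificate" >&2
        exit 1
    fi
fi
```

The password file should be readable only by the invoking user and removed afterwards. Keystores written by older JDKs may need the openssl pkcs12 -legacy option under OpenSSL 3.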

(Optional) Edit the DLP Connector log settings

The DLP Connector writes error, warning and info messages to a log file in /var/log/syncp-das/. Log settings can be customized including the log level, retention of log files and the name of the log file (to improve the usability of reviewing logs from multiple systems).

Any time you change the settings in the logger.xml file you must restart the DLP Connector service for the changes to take effect. To restart the syncp-das service, type the following command:

    sudo systemctl restart syncp-das

Customizing the name of the log file

  1. Edit /etc/syncp-das/logger.xml:
    sudo vi /etc/syncp-das/logger.xml
  2. Modify the <appender> <rollingPolicy> <fileNamePattern> xml element to change the log location path or filename pattern. The default value and formatting for naming is:
    /var/log/syncp-das/storage-%d{yyyy-MM-dd}.log.gz
  3. It is possible to add an environment variable (such as HOSTNAME) to the log file name, like this:
    <fileNamePattern>/var/log/syncp-das/${HOSTNAME}-storage-%d{yyyy-MM-dd}.log.gz</fileNamePattern>

Changing the log retention period

  1. Edit /etc/syncp-das/logger.xml:
    sudo vi /etc/syncp-das/logger.xml
  2. Modify the <maxHistory> setting to the number of archive files to keep (the default is 7 days). Note that the rollover period is determined by the format in <fileNamePattern>.
    <maxHistory>7</maxHistory>

Starting the DLP Connector service

  1. Once you have configured the DLP Connector service and log settings, it is time to start the DLP Connector service. Start the DLP Connector software on each of the DLP Connectors you have configured with this command:
    sudo systemctl start syncp-das

  2. After starting the syncp-das service, check the logs to make sure there is no error in the configuration and the service started without any problem. The Syncplicity software logs its activity under /var/log/syncp-das. To list the log files, run the following command:
    sudo ls -la /var/log/syncp-das

The base software installation process has been completed.

Verify installation

To confirm the DLP Connector is configured and running correctly, review and execute the following tasks on each DLP Connector.

Confirm service is running

On each DLP Connector server, type the following command to confirm that the DLP Connector is running correctly:

sudo systemctl status syncp-das.service

If the service is running correctly, the output shows the state active (running) in the Active property.

Confirm service is accessible

Note that starting from version 1.2.0, the port number in the URL and command below is 9002 instead of 9001.

For each DLP Connector server, type the following URL in a browser to confirm the service is accessible:

http://<hostname_or_IP_address_of_dlp_connector_server>:9002/ping

If the service is accessible, the following message appears in the browser:

pong

If unable to access the service in a browser, on each connector server type the following command:

curl http://<dlp_connector_host_or_IP>:9002/ping

If the service is accessible, the following message displays:

pong

Check ActionMQ connection

To verify the connection to the ActionMQ, navigate to the Admin | Settings | Data Loss Prevention (DLP) page. Scroll down to the StorageVaults section, select the radio button for Selective StorageVaults, and enter the URL for your DLP Connector. Then scroll to the Scanning Status section and hit the Refresh status link. If the stats for the Current Queue and Historical Queue refresh without any errors then the ActionMQ has been created correctly. Once you have started uploading files to be scanned by the DLP Engine you should start to see the statistics update on this page. Here is an example:
