Jump to: navigation, search

Security

This topic describes the security related configuration in DMS.

Enabling a TLS connection as a Windows Service (Optional)

Prerequisite: TLS 1.2 or higher

When DMS has Transport Layer Security (TLS) configured, either as a server on its ESP port, or as a client in its connection to Configuration Server, Interaction Server, Message Server, Chat Server, and UCS, follow these steps to enable it as a Windows Service:

  1. Select the Windows service related to DMS .
  2. Select the Log On tab. The default setting is Log on as local system account.
  3. Select Log on as this account and provide the login/password of a local host user.

Masking sensitive data in log files

Although values for sensitive data such as passwords are masked in key-value lists, these values are not masked when users view or modify the related configuration options.

You can use the internal log-filtering mechanism in DMS to properly mask these values, based on the logging-filter-default.json configuration file that you put into the directory where your DMS jar file resides. Specify the configuration file to use in the value for logging-filter-spec. Click here to download a sample for logging-filter-default.json.

First, define a set of filters that are applied to the server's log messages before they are passed to a logging system. The filters intercept the original message's content and produce new content (possibly empty values) for specific messages in a log file (for example, a message that has specific identification information).

There are three types of filter procedures:

  • Skip—Produces empty new content,
  • Hide—Produces standard placeholder as a new content,
  • Edit—Produces new content as a transformation of an original content.

The filter can modify content as part of a series of steps. For example, it can mask one category of information before masking a separate category.

Modification of content is based on a search-and-replace approach using regular expressions and replace expressions (“search” predicate and “replace” action). See the following links for more information:

You must extensively test regular expressions to ensure they perform as expected in all cases. The following tools might be useful for testing:

The following are examples and definitions of typical sensitive data:

Hiding Selected Data in Logs

This feature implements a Genesys standard detailed in the Genesys Security Deployment Guide. It enables you to hide selected key/value pairs in the Parameters and UserData attributes of log messages generated by DMS. You can choose to hide just the value itself by replacing it with a series of asterisks (*), or you can remove the whole key/value pair from the log output.

Configuring [log-filter] and [log-filter-data] sections

This feature is implemented by defining the following configuration options in the DMS Application object:

  • default-filter-type in the [log-filter] section defines the treatment for all KV pairs in the Parameters and User Data attributes.
    • This setting will be applied to the attributes of all KVList pairs in the attribute except those that are explicitly defined in the [log-filter-data] section.
  • One or more <key-name> options in the [log-filter-data] section define the treatment for specific keys in the log, overriding the default treatment specified by default-filter-type.
    • If no value is specified for this option, no additional processing of this data element is performed.
Important
The default settings of the options enable all data to be visible in the log.

You can get additional implementation samples in the Genesys Security Deployment Guide. For detailed descriptions of the configuration options used to configure this feature, refer to the Framework Configuration Options Reference Manual.

Supported Filters

Important
custom-filter options are not supported.
Filter Name Description
copy The keys and values of the KVList pairs are copied to the log.
hide The keys of the KVList pairs are copied to the log; the values are replaced with strings of asterisks.
skip The KVList pairs are not copied to the log.
This page was last edited on November 24, 2020, at 11:25.
Comments or questions about this documentation? Contact us for support!