Global application settings are available under the Settings item of the main navigation menu.
The Settings page has the following sections:
- Git Repository Settings
- SMTP Email Settings
- SSL Credentials
- SAML Single Sign-On
- Global Keywords
Note: Application settings can only be accessed when logged in as the DataMasque admin user.
Git Repository Settings
DataMasque allows you to manage ruleset YAML files by pushing them to and pulling them from a remote Git repository. Configure these settings and upload your SSH private key file to enable these functions.
Note: DataMasque only supports connecting to the remote Git repository over SSH.
You can configure your remote Git repository details by clicking the button. You will be presented with a form to provide your configuration (see Git Repository Parameters below for details):
Git Repository Parameters
|The remote Git SSH URL to push ruleset to or pull ruleset from. Example:
|The target branch name to push ruleset to or pull ruleset from.
|The directory path to push ruleset to or pull ruleset from. Leave it blank to specify the root directory of the repository.
SMTP Email Settings
DataMasque can be configured to send emails over SMTP for the purposes of providing 'Forgotten Password' account recovery and critical system notifications. This will also be used to send support and usage information to DataMasque.
Note: Emails will be sent to firstname.lastname@example.org in addition to registered users. Please ensure the SMTP server is capable of sending emails to registered users, as well as outbound emails to email@example.com.
You can configure your SMTP server details by clicking the button. You will be presented with a form to provide your configuration (see SMTP Parameters below for details):
You may opt in to receive a copy of any automated outbound emails that are sent to DataMasque HQ. This can be done by enabling the setting shown below.
|The email address that your DataMasque instance will send emails from
|The hostname or IP address of your SMTP server (must be accessible from your DataMasque instance)
|The port used by your SMTP server
|The security protocol used by your SMTP server
|The username used to authenticate with your SMTP server (requires SSL or TLS)
|The password used to authenticate with your SMTP server (requires SSL or TLS)
You can test saved SMTP server configurations by clicking the SEND TEST EMAIL button. This will send a test email to the email address associated with your user account to test connectivity to the specified SMTP server from DataMasque.
Note: Most non-relay SMTP servers that require SSL/TLS security protocol and SMTP credentials will rewrite the
Fromheader in messages to the corresponding SMTP account to secure the credentials of the sender. In that case, it is recommended to configure the SMTP credentials and DataMasque
Senderwith the same email address (for consistency).
By default, DataMasque is configured with an auto-generated self-signed SSL certificate. The self-signed certificate must be accepted in the browser by a user when accessing DataMasque.
To ensure a secure SSL connection, it is recommended to install a certificate that has been signed by a trusted CA whose root certificate is installed on client machines.
Active SSL Credentials
The SSL Credentials panel contains details of the SSL credentials currently in use by DataMasque, including the certificate and private key files and the SHA-1 fingerprint of the certificate:
Installing SSL Credentials
You are able to install your own SSL credentials using the "SSL Credentials" settings panel.
Note: DataMasque accepts X.509 SSL certificates in PEM format. Other formats are not supported.
Note: When generating an SSL certificate for DataMasque, it is recommended to correctly set the "Common Name" field to match the hostname of the DataMasque instance but also include SAN (Subject Alternative Name) entries that cover the potential IP addresses at which DataMasque may be accessed. In a Cohesity environment, this would include the IP address for each cluster node. This ensures that DataMasque can always be accessed using a secure connection.
New SSL certificate and private key files can be installed by clicking on each file and selecting replacements to upload. Before proceeding, ensure that any critical data stored in DataMasque is backed up. In the event that invalid or incorrect credentials are installed DataMasque may become inaccessible.
Once you are satisfied that you have backed up any important data, click the 'Save' button to update DataMasque with the selected credentials. After successful installation, your page will be refreshed to ensure that your browser is initialised with the new credentials.
If at any point you wish to revert to using the default self-signed SSL certificate, you may do so by clicking the "Reset Default" button.
DataMasque must be configured with the hostnames and IP addresses that will be used to access the application. It is strongly recommended to include the DataMasque instance IP address in this configuration as well as hostname to avoid losing access to the application. Currently, only IPv4 addresses are supported.
Hostnames can be added and deleted using this interface, however deleting the hostname that is currently in use to access DataMasque is disallowed.
Each DataMasque instance has a randomly generated instance secret to protect against attackers replicating deterministic masking on a different instance (see the deterministic masking guide for details). You can rotate the instance secret from the Settings page by clicking the Rotate Instance Secret button. After rotating the instance secret, subsequent deterministic masking will be based on a new instance secret, and existing rulesets will produce different masking results.
SAML Single Sign-On
The SAML Single Sign-On settings panel can be used to configure DataMasque for single sign-on (SSO). See the SAML Single Sign-On user guide for details about how SAML SSO works with DataMasque.
The following parameters can be configured for SAML SSO:
|IdP metadata XML
|The SAML metadata XML file obtained from your identity provider.
|Disable local logins
|When SAML SSO is configured, enabling this will disable login of all local users (except the DataMasque admin user).
You can provide DataMasque with Global Custom Data Classification keywords.
Column names are matched to Global Custom Data Classification keywords in addition to the built-in data discovery keywords.
Custom Data Classification keywords can be delimited by any number of spaces
You can also provide DataMasque with Ignored keywords. Column names that match Ignored keywords are excluded from Sensitive Data Discovery reports.
Keywords can be added and deleted under the Global Keywords section on the Settings Page.
regex:^street|postal, which matches any column name beginning with
For more information please refer to our user guide on regular expressions
Patterns such as
schema.table are also supported for Custom Data Classification keywords and Ignored keywords,
but are not supported when prefixed by
. can also be used in regular expressions.
Wildcards are also supported by using the
* character, for example you can discover or ignore all columns in any table by specifying