Masking sensitive information

You can mask sensitive information when logging in to your application by configuring the log4j1 utility to filter log messages. This prevents from logging of sensitive information such as CVV codes in the verbose log messages.

About this task

By default, the value of Secure Authentication Code is masked by adding the following logFilter properties:

filterset.paymentFilter.pattern.1=(SecureAuthenticationCode=)(["'][^"']+["'])
filterset.paymentFilter.pattern.2=(&secureAuthenticationCode=)([^&]+[&])
filterset.paymentFilter.pattern.3=(&secureAuthenticationCode=)([^&]+)$	
filterset.paymentFilter.replace.1=$1"***"
filterset.paymentFilter.replace.2=$1***
filterset.paymentFilter.replace.3=$1***

A default implementation is provided for log4j1 Layout and Filter.

The Layout implementation is com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout.class and the filter implementation is com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter.class.

The Layout implementation first delegates the log message to a normal PatternLayout (org.apache.log4j.PatternLayout.class) to get a formatted message. When the formatted message is received, it filters the results based on a set of configurable regular expressions, before finally returns a fixed string. A replace string can be provided for every regular expression pattern and in case it is not provided then the matched text is replaced by the default replacement string.

The Filter implementation enables you to match a message against a set of regular expressions and mask if it matches. Sterling Order Management System Software provides an out-of-the-box log4j1 configuration XML with various appender specifications.

Procedure

To mask sensitive information during login, complete the following steps:

Create a custom log4jconfig xml file. Copy the <INSTALL_DIR>/resources/log4jconfig.xml file as <INSTALL_DIR>/resources/log4jconfig.custom.xml.

Identify the right appender(s) for the concerned logging file(s) and change the layout class name to SCIFilteredPatternLayout and name a filter as follows:

<layout class="com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout">
	<param name="ConversionPattern" value="%d:%-7p:%t: %-60m[%X{AppUserId}]: %-25c{1}%n"/>
	<param name="FilterSet" value="<layout_filterSet_name>"/>
</layout>

Change the filter class name to SCIPatternFilter and name a filter as follows:

<filter class=”com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter” >
	<param name="FilterSet" value="<filter_filterSet_name>" />
</filter>

Define the filters by overriding the properties provided in the logfilter.properties file in the<INSTALL_DIR>/properties/customer_ overrides.properties file.
Sterling Order Management System Software provides logfilter.properties property file to define the filters as a set of named regular expressions. Each property is of the following form:
```
filterset.<layout_filterSet_name>.pattern.<num>=<pattern string>
filterset.<layout_filterSet_name>.replace.<num>=<replace string>
filterset.<filter_filterSet_name>.pattern.<num>=<pattern string>
```
The pattern property is a Java-style regular expression, and defines the regular expression against which you want to match the message string. The replace property is optional, and defines what to replace the matched expression with. If the replace property is not defined, the default replacement string, **FILTERED* is used. This property has no effect during a Filter operation.

Note: The filtering applies only to the messages logged using the log framework that is provided, which includes both YFCLogCategory and LogService. Messages logged through other methods, such as direct System.out or other log framework, are not affected.
Sterling Order Management System Software also provides following two additional properties which enables to default FilterSet names so that it is applicable to all the appenders referring to the out of the box Layout and Filter implementations.
```
default.layout.filterset=<defaut layout filterSet name>
default.filter.filterset=<default filter filterSet name>
```