Protect Sensitive Data (Microsoft RMS)

File Content Extraction has the capability to decrypt files that are protected by the Microsoft Rights Management Service (RMS). It can also resolve Microsoft Information Protection (MIP) Label identifiers into human-readable names. For information about configuring File Content Extraction to integrate with RMS, see Microsoft Rights Management Service Protected Files.

This section describes the sensitive data that these features create or use, and how to protect it.

When you enable decryption of file content, protect the credentials (tenant ID, client ID, and client secret) that you pass to File Content Extraction. File Content Extraction also creates a database file to store the authentication tokens that it obtains with those credentials. You can configure the path of this file by setting the parameter OauthDatastoreConnectionstring in the [Rms] section of formats.ini. OpenText recommends that you restrict access to this file to the account that runs File Content Extraction, because it contains tokens rather than just configuration.

When you enable MSIP label name resolution (see Resolve MSIP Label Names), you can improve security by protecting the following data:

  • API credentials. The files oauth.cfg, metadatacryptographyservices.cfg, and oauth2_sites.bin all contain data used to access Microsoft APIs (for example, the private key password for your client certificate, and OAuth access tokens). After running the OAuth configuration tool, you can delete oauth.cfg (though be aware that you might need to run the OAuth tool again if your OAuth tokens expire). The other files contain information that File Content Extraction requires to make requests to Microsoft APIs. OpenText recommends restricting access to these files.

  • MSIP Label Name Cache. To reduce the number of requests to the Microsoft API, File Content Extraction downloads and caches information that can be used to map label GUIDs to names. This cache contains all of the MSIP label names in use in your domain, so it reveals your labeling scheme to anyone who can read it. File Content Extraction stores this cache in the following default location:

    <bin>/CryptographyServices_MsGraph/msgraphdb.db

    ...where <bin> is the File Content Extraction bin directory. If you want to change this path you can configure it in metadatacryptographyservices.cfg as follows:

    datastoreDir=path\to\datastore\

    OpenText recommends restricting access to this datastore file.
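The access restrictions recommended above can be audited and applied with a short script. The following is an added example, not part of File Content Extraction or its configuration tools. It assumes that oauth.cfg, metadatacryptographyservices.cfg and oauth2_sites.bin are in the File Content Extraction bin directory and that the label cache is at its default location (both assumptions; pass your real paths), and it handles POSIX file modes only, so on Windows you would set NTFS ACLs with icacls instead. The demo function builds a scratch directory containing constructed placeholder files, not real credentials.

```python
"""Audit and tighten permissions on the files that hold RMS/MSIP
credentials, tokens and the label-name cache (added example, not part of
File Content Extraction)."""
import os
import shutil
import stat
import tempfile

# File names taken from this section. Their directory is an assumption:
# the example looks for them in the File Content Extraction bin directory.
CREDENTIAL_FILES = ("oauth.cfg", "metadatacryptographyservices.cfg",
                    "oauth2_sites.bin")
CACHE_SUBDIR = "CryptographyServices_MsGraph"   # default datastoreDir
CACHE_DB = "msgraphdb.db"

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any permission for group/others
OWNER_FILE = stat.S_IRUSR | stat.S_IWUSR    # 0600
OWNER_DIR = stat.S_IRWXU                    # 0700


def sensitive_paths(bin_dir, datastore_dir=None, token_db=None):
    """Paths to check: credential files, the label cache directory and
    database, and optionally the RMS token database (the file named by
    OauthDatastoreConnectionstring, if you store it as a plain file path;
    that form is an assumption)."""
    ds = datastore_dir or os.path.join(bin_dir, CACHE_SUBDIR)
    paths = [os.path.join(bin_dir, n) for n in CREDENTIAL_FILES]
    paths += [ds, os.path.join(ds, CACHE_DB)]
    if token_db:
        paths.append(token_db)
    return paths


def exposed_bits(path):
    """Group/other permission bits set on path (0 means owner-only)."""
    return os.stat(path).st_mode & GROUP_OTHER


def audit(paths):
    """Return the paths that exist and grant any access to group or others."""
    return [p for p in paths if os.path.lexists(p) and exposed_bits(p)]


def harden(paths):
    """Strip group/other access: files become 0600, directories 0700.
    Symlinks are skipped rather than followed. Returns the changed paths."""
    if os.name != "posix":
        raise NotImplementedError("POSIX modes only; use NTFS ACLs on Windows")
    changed = []
    for p in paths:
        if not os.path.lexists(p) or os.path.islink(p):
            continue
        st = os.stat(p)
        if not st.st_mode & GROUP_OTHER:
            continue
        os.chmod(p, OWNER_DIR if stat.S_ISDIR(st.st_mode) else OWNER_FILE)
        changed.append(p)
    return changed


def demo():
    """Constructed scenario: a scratch bin tree whose sensitive files were
    left world-readable. Returns (exposed before, exposed after) counts."""
    root = tempfile.mkdtemp(prefix="fce-perms-")
    try:
        paths = sensitive_paths(root)
        cache_dir = os.path.join(root, CACHE_SUBDIR)
        os.mkdir(cache_dir)
        os.chmod(cache_dir, 0o755)
        for p in paths:
            if p == cache_dir:
                continue
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real secret\n")
            os.chmod(p, 0o644)
        before = len(audit(paths))
        harden(paths)
        after = len(audit(paths))
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("exposed before/after:", demo())
```

Run audit() from a scheduled job against your real paths and alert on a non-empty result; harden() is the one-off fix. Ownership is deliberately left alone, because the right owner is the service account that runs File Content Extraction and that is site-specific.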

Finally, be aware that when you configure these features, File Content Extraction can decrypt any RMS-encrypted file in your domain and resolve the names of all of your MSIP labels, regardless of which user requested the operation: it authenticates with the application credentials, not as the end user. A user who is not permitted to open a document through Microsoft endpoints might therefore be able to read its content through File Content Extraction, unless your application enforces that authorization itself before it extracts or returns the content. OpenText also recommends that you secure the temporary directory used by File Content Extraction, because it might contain decrypted content and other sensitive data. For more information, see the security best practices.
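One way for an application to enforce that authorization itself, as an added example that is not part of File Content Extraction: the decrypting call is represented by a stand-in callable (hypothetical; the real integration is described in Microsoft Rights Management Service Protected Files), and the per-document ACL is assumed to come from a source that your application already trusts. The point is that the entitlement check runs before the extractor is invoked and denies by default, so a document with no ACL entry is never decrypted on behalf of an unknown caller.

```python
"""Fail-closed authorization in front of a component that decrypts
RMS-protected content with application (not end-user) credentials.
Added example; the extractor callable and the ACL source are assumptions."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("rms-gate")


@dataclass(frozen=True)
class Principal:
    """The user on whose behalf content is requested."""
    name: str
    groups: frozenset = field(default_factory=frozenset)


class AccessDenied(PermissionError):
    pass


class DocumentGate:
    """Checks the caller's entitlement before handing a document to the
    extractor. acl maps document id -> frozenset of user or group names,
    maintained by your application from a source you trust (assumption).
    A document with no ACL entry is treated as restricted, not public."""

    def __init__(self, acl, extract):
        self._acl = acl
        self._extract = extract   # hypothetical callable: doc_id -> content

    def can_read(self, user, doc_id):
        allowed = self._acl.get(doc_id)
        if not allowed:
            return False            # unknown document: deny by default
        return user.name in allowed or not user.groups.isdisjoint(allowed)

    def extract_for(self, user, doc_id):
        """Return extracted content, or raise AccessDenied. The extractor is
        never invoked for a caller who fails the check, so a denied request
        cannot leave decrypted content in a temporary directory or cache."""
        if not self.can_read(user, doc_id):
            log.warning("denied user=%s doc=%s", user.name, doc_id)
            raise AccessDenied(f"{user.name} is not permitted to read {doc_id}")
        log.info("allowed user=%s doc=%s", user.name, doc_id)
        return self._extract(doc_id)


def demo():
    """Constructed ACL and a stand-in extractor; returns each outcome and
    how many times the extractor was actually called."""
    calls = []

    def fake_extract(doc_id):           # stands in for the decrypting call
        calls.append(doc_id)
        return f"plaintext of {doc_id}"

    acl = {"board-minutes.docx": frozenset({"alice", "finance"}),
           "press-release.docx": frozenset({"everyone"})}
    gate = DocumentGate(acl, fake_extract)
    alice = Principal("alice")
    bob = Principal("bob", frozenset({"everyone"}))
    carol = Principal("carol", frozenset({"finance", "everyone"}))

    def attempt(user, doc):
        try:
            return gate.extract_for(user, doc)
        except AccessDenied:
            return "denied"

    results = {
        "alice/minutes": attempt(alice, "board-minutes.docx"),
        "bob/minutes": attempt(bob, "board-minutes.docx"),
        "carol/minutes": attempt(carol, "board-minutes.docx"),
        "bob/press": attempt(bob, "press-release.docx"),
        "bob/unlisted": attempt(bob, "salaries.xlsx"),
    }
    results["extractor_calls"] = len(calls)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same gate applies to label-name resolution: an application that exposes resolved MSIP label names to end users should decide who is allowed to see them, rather than relying on Microsoft-side permissions that File Content Extraction does not evaluate.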