This page lists the options of the Admin section; they are set from the Admin tab.
These options are saved in the heimdall.conf file.
⚠️ Note: the tables below are wide; use SHIFT with the mouse wheel to scroll horizontally.
Small Sections
Options from sections that are too small for a table of their own are collected here, with their Section given in the second column.
| Key | Section | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|---|
| Registered ID | Account Information | - | accountInformation.registeredID | Provided by Customer Support to verify enrollment | String | - |
| Send alerts through notification | Alerts | - | alertsConfig.sendAlertsViaNotification | If checked, every alert whose message does not match any added pattern is sent through notification. | Boolean | false |
| Exclude Proxy Logins | Login History | - | - (non-persistent, GUI only) | Unchecking 'Exclude proxy logins' adds proxy logins to the list. | Boolean | true |
| Security Tag | Security Tags | - | (elements of availableSecurityTags) | Manages the security tags that can be applied in the database browser section. | String | - |
| Auth Provider | SAML Configuration | - | samlAuthProvider | Identity provider (AWS IAM Identity Center, Okta, Other) | String (AWS IAM Identity Center, Okta, Other) | - |
| IdP Metadata URL | SAML Configuration | - | metadataUrl | URL of the Identity Provider's SAML metadata. | String | - |
| AWS Identity Store ID | SAML Configuration | Auth Provider = AWS IAM Identity Center | identityStoreId | AWS provides groups as UUIDs; this setting maps those UUIDs to their display names by connecting to the given Identity Store. The mappings are held in a temporary internal cache for up to 1 hour. If a group is renamed in AWS, click Commit to refresh the configuration and clear the cache. If the field is left blank, group UUIDs are shown instead of names; users can then map UUIDs to names manually in the Datasource tab with the Group Mapping feature so that role-based session requests in the portal work. See the Group Mapping section for details. | String | - |
| Name | Password Policy | - | passwordPolicies.name | Name of the policy that will be enforced. | String | - |
| Value | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.value | Used by some policies to set the minimum or maximum number of characters, or the custom regex. | String | - |
| ( type ) | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.type | Filled in by Heimdall. Type of the value used by the policy. | String | - |
| ( name ) | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.name | Filled in by Heimdall. Short name of the policy that determines what kind of policy it is. | String | - |
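The password policy rows above describe three kinds of policy (minimum length, maximum length, custom regex) that are stored as a name plus params.value/params.type/params.name. The following is an added example, not Heimdall's code: it evaluates a candidate password against a list of entries shaped like those conf-file fields. The policy display names and the short names in params.name ("minLength", "maxLength", "customRegex") are assumptions for illustration; the page does not list them. Two points it shows that the table does not: a custom regex is applied with fullmatch, so a pattern that matches only a substring cannot be satisfied by a longer password, and a malformed regex fails closed rather than accepting everything.

```python
"""Evaluate a candidate password against a passwordPolicies list.

Added example, not Heimdall's own code. The entry shape (name, params.value,
params.type, params.name) follows the conf-file fields documented above; the
policy names and params.name short names used here are assumptions.
"""
import re

# Constructed sample, modelled on the documented field names.
SAMPLE_POLICIES = [
    {"name": "minimum of characters",
     "params": {"value": "12", "type": "Integer", "name": "minLength"}},
    {"name": "maximum of characters",
     "params": {"value": "64", "type": "Integer", "name": "maxLength"}},
    # Requires upper, lower, digit and a symbol; fullmatch below means the
    # whole password must satisfy the pattern, not just a substring.
    {"name": "custom regex matching",
     "params": {"value": r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).*",
                "type": "Regex", "name": "customRegex"}},
]


def check_password(password: str, policies) -> list:
    """Return human-readable violations; an empty list means the password is accepted."""
    violations = []
    for policy in policies:
        short = policy["params"]["name"]
        value = policy["params"]["value"]
        if short == "minLength":
            if len(password) < int(value):
                violations.append(f"shorter than {value} characters")
        elif short == "maxLength":
            if len(password) > int(value):
                violations.append(f"longer than {value} characters")
        elif short == "customRegex":
            try:
                pattern = re.compile(value)
            except re.error as exc:
                # A broken policy regex must fail closed, not silently accept everything.
                violations.append(f"invalid policy regex: {exc}")
                continue
            if pattern.fullmatch(password) is None:
                violations.append("does not match the required pattern")
        else:
            # Unknown policy kind: fail closed as well.
            violations.append(f"unknown policy {short!r}")
    return violations


def is_acceptable(password: str, policies=SAMPLE_POLICIES) -> bool:
    return not check_password(password, policies)


if __name__ == "__main__":
    for candidate in ("short1!", "CorrectHorse9!", "nouppercase9!!!!"):
        print(candidate, check_password(candidate, SAMPLE_POLICIES))
```

If Password Validation (serverproperties.passwordPolicy, in the Server Properties table) is left at its default of false, the policies are stored but not enforced for new users.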
Heimdall Environmental options
This list also belongs to the Admin section. These options are set in the Config Management subsection, but they are stored in /etc/heimdall.conf, whereas the rest of the Admin section configuration is stored under /opt/heimdall (or the custom directory given during installation).
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| hdRole | - | hdRole | Controls whether this environment is a central manager or a proxy | String | - |
| hdHost | - | hdHost | Hostname of the management server | String | heimdallmanager |
| hdPort | - | hdPort | Port of the management server, generally 8087 or 8443 | Integer | 8087 |
| hdUser | - | hdUser | Login username for the management server, e.g. admin | String | admin |
| hdPassword | Secret (Config Management) = false | hdPassword | Login password for the management server. Change the on-premise default before the manager is reachable over the network. | String | heimdall (on premise) |
| Secret (hdPassword) | - | useSecretForVdbCredentials | Whether the password is read from a secret instead of being stored in this file | Boolean | false |
| Secrets Manager (hdPassword) | Secret (Config Management) = true | secretsManagerConfigName | Secrets Manager Configuration to use. Depending on the secrets manager, the fields it needs are written into the file. | String | - |
| vdbCredentialsSecretName | Secret (Config Management) = true | vdbCredentialsSecretName | Name of the secret holding the credentials | String | - |
| hdSecretKey* | - | hdSecretKey | In AWS, the name of an AWS Secret in which to store the configuration, so that the passwords it contains are not written to disk. | String | - |
| cloudDetection | - | cloudDetection | Whether the manager should detect cloud services on startup | Boolean | true |
| cloudOption | cloudDetection = false | cloudOption | For Heimdall running on premise: which cloud's services to initialize on startup. One of: none, aws, azure, gcp, oracle | String | - |
| javaOptions | - | javaOptions | Any arbitrary JVM options to set | String | - |
*hdSecretKey note: this option is supported only with the default Secrets Manager in the same Region and Account as the instance, and the instance's IAM role must be granted the required permissions. It provides two major benefits. First, all passwords are stored in AWS Secrets Manager in encrypted form rather than on disk. Second, a management server can be redeployed with its configuration pre-populated, so there is no need to back up and restore configurations to recover from failures: terminate the old instance, and a new instance launched with the same user-data comes up with the same configuration as the original.
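Because /etc/heimdall.conf is written by Config Management and can carry hdPassword in the clear when the secret options are off, it is worth checking before a node is deployed. The following is an added example, not Heimdall's code: a small linter that parses a key=value fragment using the field names from the table above and reports the risky combinations the table implies. It assumes the file is a plain properties-style key=value file with '#' comments; the sample configuration is constructed for the example.

```python
"""Lint a /etc/heimdall.conf fragment for risky settings.

Added example, not part of Heimdall. Assumes a plain key=value properties file
(assumption) using the field names documented in the table above; '#' starts a
comment and a later duplicate key overrides an earlier one.
"""

# Constructed sample: a proxy node pointed at its manager with a plaintext password.
SAMPLE_CONF = """\
# constructed example, not a real deployment
hdRole=proxy
hdHost=heimdallmanager
hdPort=8443
hdUser=admin
hdPassword=heimdall
useSecretForVdbCredentials=false
cloudDetection=true
cloudOption=aws
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and comments are skipped, later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def _flag(conf: dict, key: str) -> bool:
    return conf.get(key, "false").lower() == "true"


def lint_conf(conf: dict) -> list:
    """Return findings as (severity, message) tuples; empty list means nothing flagged."""
    findings = []
    # hdPassword is only read from the file when the secret option is off, so a
    # value here with useSecretForVdbCredentials=false is a plaintext secret on disk.
    if conf.get("hdPassword") and not _flag(conf, "useSecretForVdbCredentials"):
        findings.append(("HIGH", "hdPassword is stored in plaintext on disk; set "
                         "useSecretForVdbCredentials=true with secretsManagerConfigName "
                         "and vdbCredentialsSecretName, or use hdSecretKey on AWS"))
    if conf.get("hdPassword") == "heimdall":
        findings.append(("HIGH", "hdPassword is the documented on-premise default"))
    if _flag(conf, "useSecretForVdbCredentials"):
        for required in ("secretsManagerConfigName", "vdbCredentialsSecretName"):
            if not conf.get(required):
                findings.append(("HIGH", f"{required} is missing although secret use is enabled"))
    # cloudOption only takes effect when cloudDetection is off.
    if "cloudOption" in conf and _flag(conf, "cloudDetection"):
        findings.append(("LOW", "cloudOption is only honoured when cloudDetection=false"))
    port = conf.get("hdPort", "8087")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("MEDIUM", f"hdPort {port!r} is not a valid TCP port"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_conf(parse_conf(SAMPLE_CONF)):
        print(f"{severity}: {message}")
```

The sample produces two HIGH findings (plaintext password, default password) and one LOW finding (cloudOption ignored); removing hdPassword, enabling the secret options with both names, and setting cloudDetection=false clears all of them.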
Cloud Logs and Log Server Properties
| Key | Section | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|---|
| Send login entries to CloudTrail | Cloud Logs | - | (not on this page) | Send login events to AWS CloudTrail. Use the Channel ARN, not the Event data store ARN. A suitable IAM role has to be configured. | Boolean | false |
| Cloud Trail Lake Channel ARN | Cloud Logs | Send login entries to CloudTrail = true | cloudTrailUserLoginConfig.cloudTrailChannelArn | CloudTrail Lake Channel ARN, in the format arn:aws:cloudtrail:<region>:<account-id>:channel/<channel-id>. Found in the AWS console under CloudTrail → Lake → Integrations | String | - |
| Enable Manager CloudWatch Logging | Cloud Logs | - | enableManagerCloudWatchLogging | Whether manager logs are sent to AWS CloudWatch. (!) May incur additional AWS charges. | Boolean | (not on this page) |
| (CloudWatch namespace; key not on this page) | Cloud Logs | - | (not on this page) | CloudWatch namespace used for Manager CloudWatch Logging | String | HEIMDALL-mgmt |
| S3 Bucket Name | Cloud Logs | - | s3UploadConfiguration.bucketName | S3 bucket in which manager logs are saved, giving centralized and durable storage. Set this to a bucket you control if manager logs must stay within your own account. | String | upload.heimdalldata.com |
| Force Upload to S3 On Logs Rolling | Cloud Logs | - | s3UploadConfiguration.forceOnLogsRotationUpload | Forces an upload to S3 whenever logs are rolled. Enabling this makes log rotation take significantly longer. | Boolean | false |
| Log Events To Console | Log Server Properties | - | serverProperties.logToConsole | For debugging or container use, log ALL events to the management server's stdout | Boolean | false |
| Max Log Age | Log Server Properties | - | serverProperties.maxLogAge | Maximum age, in days, of log files and log records | Integer | 14 |
| Reserved Disk Space | Log Server Properties | - | serverProperties.reservedDiskSpace | Fraction of the log filesystem that should remain free (0.1 = 10%). | Double (0-1) | 0.1 |
| Log Rotation Interval | Log Server Properties | - | serverProperties.logRotationInterval | Period between log rotations, in minutes; requires a manager restart to take effect | Positive Integer | - |
Server Properties
| Key | Section | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Enable Portal Mode | Server Properties | serverProperties.enablePortalMode | Whether, after a successful login, the central manager or portal mode is shown | Boolean | false |
| Disable Cert Validation | Server Properties | serverproperties.disableTLSCertValidation | Disable TLS certificate validation for software downloads. With validation off, a downloaded package cannot be tied to the expected server, so leave this disabled unless a trusted internal mirror makes it unavoidable. | Boolean | false |
| Password Validation | Server Properties | serverproperties.passwordPolicy | Validate new users' passwords against the configured Password Policy rules | Boolean | false |
| Redirect Config Fetches | Server Properties | serverproperties.redirectConfigEndpoints | Whether the server redirects all HTTP config requests to the HTTPS Tomcat port | Boolean | false |
| Verbose Debug Mode | Server Properties | serverproperties.verboseDebugMode | Enable verbose debug mode on the server | Boolean | false |
| Minimum free disk space % | Server Properties | serverproperties.freeDiskSpacePercentage | Percentage of disk space that must be free for any configuration save to occur (1.0 = 1%). This helps prevent configuration loss when there is not enough space to save the full configuration. | Double | 1.0 |
| Max Config Backups | Server Properties | serverproperties.maxConfigBackups | Number of server configuration backups to keep. Should be greater than 1 | Integer | 10 |
| DNS Port | Server Properties | serverproperties.dnsPort | Port on which the Heimdall manager listens for the DNS queries used for proxy auto-scaling. Queries should ask for a domain that starts with the VDB name in use. For more information see Advanced Features. | Integer | - |
| Session Timeout | Server Properties | serverproperties.sessionTimeout | HttpSession idle-timeout for GUI users. Must be between 5 minutes and 24 hours; stored in minutes in the configuration file | Integer (5 - 1440) | 30 |
| Enable Billing Reporting | Server Properties | serverproperties.enableBillingReporting | Whether billing reports are sent to the HeimdallBilling service | Boolean | true |
| Proxy Host | HTTP Proxy Settings | serverproperties.proxyHost | Hostname or IP address of the HTTP proxy to use when accessing the internet | String | - |
| Proxy Port | HTTP Proxy Settings | serverproperties.proxyPort | Port on which the proxy server is listening | Integer | 3128 |
| Proxy User | HTTP Proxy Settings | serverproperties.proxyUser | Username for proxy authentication | String | - |
| Proxy Password | HTTP Proxy Settings | serverproperties.proxyPassword | Password for proxy authentication | String | - |
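Several of the values in the Cloud Logs and Server Properties tables have a documented shape or range (the channel ARN format, sessionTimeout 5-1440, reservedDiskSpace 0-1, maxConfigBackups greater than 1), and a wrong value is easiest to catch before Commit. The following is an added example, not Heimdall's code: it takes the settings as a dict keyed by the conf-file field names from both tables and applies those documented constraints. The helper names are this example's own; the ARN regex is derived from the format given in the Cloud Logs table and also rejects an Event data store ARN, which the table says must not be used.

```python
"""Validate Cloud Logs and Server Properties values against the documented ranges.

Added example, not Heimdall's code. Keys are the conf-file field names from the
tables above (without the serverProperties./cloudTrailUserLoginConfig. prefix);
function names are this example's own.
"""
import re

# arn:aws:cloudtrail:<region>:<account-id>:channel/<channel-id>
_CHANNEL_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:cloudtrail:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":channel/(?P<channel>[A-Za-z0-9-]+)$"
)
# Event data store ARNs share the prefix but use a different resource type.
_EVENT_DATA_STORE = re.compile(r":eventdatastore/")


def parse_channel_arn(arn: str) -> dict:
    """Split a CloudTrail Lake channel ARN into region, account and channel id."""
    if _EVENT_DATA_STORE.search(arn):
        raise ValueError("this is an Event data store ARN, not a channel ARN")
    match = _CHANNEL_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a CloudTrail Lake channel ARN: {arn!r}")
    return match.groupdict()


def validate_server_properties(props: dict) -> list:
    """Return a list of problems; empty means every value is within its documented range."""
    problems = []
    timeout = props.get("sessionTimeout", 30)
    if not isinstance(timeout, int) or not 5 <= timeout <= 1440:
        problems.append("sessionTimeout must be between 5 and 1440 minutes")
    reserved = props.get("reservedDiskSpace", 0.1)
    if not 0 <= float(reserved) <= 1:
        problems.append("reservedDiskSpace is a fraction in 0..1, not a percentage")
    backups = props.get("maxConfigBackups", 10)
    if not isinstance(backups, int) or backups <= 1:
        problems.append("maxConfigBackups should be greater than 1")
    dns_port = props.get("dnsPort")
    if dns_port is not None and not 1 <= int(dns_port) <= 65535:
        problems.append("dnsPort is not a valid UDP/TCP port")
    if props.get("disableTLSCertValidation", False):
        problems.append("disableTLSCertValidation=true removes TLS validation for software downloads")
    if props.get("cloudTrailChannelArn"):
        try:
            parse_channel_arn(props["cloudTrailChannelArn"])
        except ValueError as exc:
            problems.append(f"cloudTrailChannelArn: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample values for the example.
    print(validate_server_properties({
        "sessionTimeout": 30, "reservedDiskSpace": 0.1, "maxConfigBackups": 10,
        "cloudTrailChannelArn":
            "arn:aws:cloudtrail:us-east-1:123456789012:channel/01234567-89ab-cdef-0123-456789abcdef",
    }))
```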
Secrets Manager Configuration
AWS Secrets Manager
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Endpoint | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.endpoint | (optional) Alternate endpoint for the Secrets Manager service. | String | - |
| Region | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.region | (optional) Override the region to use (e.g. us-east-1). | String | - |
| Access Key | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.accessKey | (optional) Override the access key used to authorize requests to Secrets Manager. Where an instance or task role is available, prefer it over a long-lived key stored in the configuration. | String | - |
| Secret Key | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.secretKey | (optional) Override the secret key used to authorize requests to Secrets Manager | String | - |
| Use STS Role | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.useSTSRole | (optional) If checked, use STS to assume the role with the specified ARN. | Boolean | false |
| STS Role ARN | Use STS Role | secretsManagerConfigs.stsRoleArn | (required when using STS Role) ARN of the role to assume. | String | - |
| STS External ID | Use STS Role | secretsManagerConfigs.stsExternalId | (optional) External ID uniquely associated with the role; the role's trust policy must require the same value for it to have any effect. | String | - |
| STS Session Name | Use STS Role | secretsManagerConfigs.stsSessionName | (optional) Name to use for the STS session. Defaults to heimdall-STS-session. | String | - |
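The STS rows above map directly onto an STS AssumeRole call, and the external ID only protects against a confused-deputy scenario if the role's trust policy actually conditions on it. The following is an added example, not Heimdall's code: it assembles the AssumeRole parameters from a dict using the secretsManagerConfigs field names above (applying the documented default session name), and checks a role trust policy for the matching sts:ExternalId condition. The configuration values and both trust policies are constructed samples in standard IAM policy syntax.

```python
"""Assemble the STS AssumeRole request described by the AWS Secrets Manager rows
and verify that the role's trust policy requires the configured external ID.

Added example, not Heimdall's code. Field names follow the table above; the
config values and policies below are constructed samples.
"""
import json

DEFAULT_SESSION_NAME = "heimdall-STS-session"  # default stated in the table

# Constructed config, keyed like secretsManagerConfigs.* without the prefix.
SAMPLE_CONFIG = {
    "useSTSRole": True,
    "stsRoleArn": "arn:aws:iam::123456789012:role/heimdall-secrets-reader",
    "stsExternalId": "example-external-id",
}

# Constructed trust policies: one pins the external ID, the other does not.
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/heimdall-manager-instance"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/heimdall-manager-instance"},
    "Action": "sts:AssumeRole"
  }]
}""")


def assume_role_params(cfg: dict) -> dict:
    """Return the keyword arguments for boto3's sts.assume_role()."""
    if not cfg.get("useSTSRole"):
        raise ValueError("useSTSRole is false; nothing to assume")
    arn = cfg.get("stsRoleArn")
    if not arn:
        raise ValueError("stsRoleArn is required when useSTSRole is true")
    params = {"RoleArn": arn,
              "RoleSessionName": cfg.get("stsSessionName") or DEFAULT_SESSION_NAME}
    if cfg.get("stsExternalId"):
        params["ExternalId"] = cfg["stsExternalId"]
    return params


def trust_policy_requires_external_id(policy: dict, external_id: str) -> bool:
    """True only if every Allow statement granting sts:AssumeRole pins sts:ExternalId.

    Without that condition any principal the trusting role can be tricked by could
    assume the role, and the external ID in Heimdall's config would add nothing.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    checked = 0
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        checked += 1
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            return False
    return checked > 0


if __name__ == "__main__":
    print(assume_role_params(SAMPLE_CONFIG))
    print(trust_policy_requires_external_id(GOOD_TRUST_POLICY, "example-external-id"))
    print(trust_policy_requires_external_id(WEAK_TRUST_POLICY, "example-external-id"))
```

The returned dict is what a call such as boto3's `sts.assume_role(**assume_role_params(cfg))` would receive; the credentials it yields are then used for the get-secret requests.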
CyberArk Conjur
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Appliance URL | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.applianceUrl | URL of the Conjur instance to connect to. For Conjur Enterprise configured for high availability, use the URL of the master load balancer (for read and write operations) or of a follower load balancer (for read-only operations). | String | - |
| Account | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.account | Conjur account to connect to. This value is set during Conjur deployment. | String | - |
| Authn Login | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnLogin | User/host identity. | String | - |
| Authn API Key | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnApiKey | User/host API key (or password). Write-only field: it can be edited but not viewed. | String | - |
| Secret (Authn API Key) | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.useSecretForAuthnApiKey | Whether the API key is read from an AWS secret instead of this configuration | Boolean | false |
| AWS Secret Name (Authn API Key) | Secrets Manager = CyberArk Conjur AND Secret (Authn API Key) | secretsManagerConfigs.authnApiKeySecretName | Name used to retrieve the Authn API Key from AWS Secrets Manager | String | - |
| Authn URL | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnUrl | (optional) Alternate authentication endpoint. By default the client uses the standard <applianceUrl>/authn endpoint for the generic username and API key login flow. | String | - |
HashiCorp Vault
Only part of this table survives on the page; cells that are missing are marked as such.
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| (not on this page) | Secrets Manager = Hashicorp Vault | (not on this page) | Allow HTTPS communication with the Vault server without verifying its certificate. Disabled by default; not recommended in production, since the Vault endpoint can then no longer be authenticated. | Boolean | false |
| Auth method | Secrets Manager = Hashicorp Vault | secretsManagerConfigs.authConfig.authMethod | Authentication method Heimdall uses to connect to the Vault instance. Currently supported: Token, Username & Password, and AppRole. Selecting one unlocks additional configuration options. | String (see desc.) | - |
| Auth mount path | Auth Method != Token | secretsManagerConfigs.authConfig.authPath | (Optional) Alternate mount path of the authentication method. The default depends on the Auth method. | (not on this page) | (not on this page) |
| (not on this page) | (not on this page) | (not on this page) | Name used to retrieve the AppRole Role ID and Secret ID from AWS Secrets Manager | String | - |
General Secrets Manager Options
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Enable | - | secretsManagerConfigs.enabled | Whether the current secrets configuration is enabled. | Boolean | true |
| Secrets Manager | - | secretsManagerConfigs.secretsManagerConfigstype | Secrets Manager to use: AWS Secrets Manager, CyberArk Conjur, Hashicorp Vault | String | - |
| Secret (Secrets Manager) | Secrets Manager != AWS Secrets Manager | secretsManagerConfigs.useSecretForWholeConfig | Whether the whole configuration of this secrets manager is read from an AWS secret | Boolean | false |
| AWS Secret Name (Secrets Manager) | Secret (Secrets Manager) = true | secretsManagerConfigs.useSecretForWholeConfig | Name used to retrieve the whole config from AWS Secrets Manager. (The conf-file field shown here is the same as in the row above; check the field name in heimdall.conf.) | String | - |
| ( name ) | - | secretsManagerConfigs.name | Name of the secrets manager configuration. | String | - |
| ( type ) | - | secretsManagerConfigs.type | Type of the secrets manager used. Present only in the file, with no corresponding GUI field. Values: HASHICORP_VAULT, CYBERARK_CONJUR, AWS | String (see desc.) | (depends on the secrets manager used) |
SMTP Configuration
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Sender User/Email | - | smtpConfiguration.senderAddress | Email address used as the sender | String | - |
| Sender Password | Secret (SMTP) = false | smtpConfiguration.senderPassword | Authentication credentials for the sender email | String | - |
| Secret (Sender Password) | - | smtpConfiguration.useSecrets | Whether the SMTP sender password is read from a secret | Boolean | false |
| Secrets Manager (Sender Password) | Secret (SMTP) = true | smtpConfiguration.secretsManagerConfigName | Secrets Manager Configuration to use for this secret. The list offers the secrets managers configured in Heimdall. | String | - |
| Secret Name (Sender Password) | Secret (SMTP) = true | smtpConfiguration.secretName | Name of the secret | String | - |
| Host | - | smtpConfiguration.smtpHost | Hostname of the SMTP server | String | smtp.gmail.com |
| Port | - | smtpConfiguration.smtpPort | Port used to connect to the SMTP server | Integer | 587 |
| Smtp Auth | - | smtpConfiguration.smtpAuth | Whether SMTP authentication is used | Boolean | true |
| START_TLS Enabled | - | smtpConfiguration.startTLSEnabled | Asks the SMTP server to upgrade the connection to TLS. This is a request, not a requirement: if the server does not offer STARTTLS the session, including the credentials, continues in the clear. To refuse such sessions, set the JavaMail property mail.smtp.starttls.required=true in SMTP Properties. | Boolean | true |
| SMTP Properties | - | smtpConfiguration.properties | Additional SMTP configuration options. Case sensitive. Available properties are listed at https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html | | |