
Proxy Configuration options:

This is the list of options for proxy configuration. These options are only shown when Access Mode is set to a value other than JDBC (Access Mode != JDBC).

These options are stored in the configuration file of the given virtual database, for example postgresTest-vdb_1.conf. The filename depends on the name of the VDB: nameOfVdb.conf.

⚠️ Note: You can use SHIFT with mouse scroll to scroll horizontally!

| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Local Proxy | - | mgmtProxyEnable | This option allows the management server to start and manage restarts of a proxy instance on the same server as the management server itself. This option is a great way to simplify the testing of Heimdall in limited environments. | Boolean | false |
| Run as Service | Local Proxy | runAsService | This option allows the management server to run a proxy as a Linux service. It allows the proxy to run even while the management server is off. | Boolean | false |
| Address Binding Type | - | proxyAddress | Required. Options: **Any**: in this binding mode, all local IP addresses will be bound to, or more specifically, it binds to "0.0.0.0". **localhost Only**: when this option is set, the binding will be to the 127.0.0.1 IP only. **Specific IP**: this allows a specific IP address to be bound for use. An example of this is to use 172.17.0.1 in a Docker container when bridge mode is enabled, so that the proxy can bind for use by any other containers on the same host, without impacting any other proxies that may reside on another host. | String (see desc.) | 0.0.0.0 (Any) |
| Proxy Port(s) | - | proxyPort | The second required option. This specifies the TCP port(s) that the proxy will listen on. If there is an error binding to a given port or IP, then a GUI alert will be issued when the proxy attempts to start. It is important that the ports do not conflict with other proxies being run on the same host or binding, as only one process can bind to a specific IP:port combination at once. This also applies if the proxy is installed on the same server as a database: if the database is on port 3306, for example, then the proxy cannot use the same port. You can set: a single port, by typing the port value (for example: 5433); multiple ports, separated by commas (for example: 5433, 5434, 5435); a range of ports, separated by a minus sign (for example: 5433-5435); or a mix (for example: 5433, 5435-5436, 5450). | String | 5050 |
| Proxy Address | Address Binding Type = Specific IP | proxyAddress | Allows a specific address; requires the Specific IP option in Address Binding Type. | String (IP) | - |
| Max Heap Size (MB) | Local Proxy | xmx | The setting for the proxy Java heap memory limit. Default is '600M' which, with overhead, will generally consume up to about 1GB of total RAM. This will also result in the setting "Xms" to set the smallest heap size, so as to try to provide more consistency in the "free memory" graph on the dashboard and to ensure that the total memory is always available. Please note that in distributed proxy mode this setting has no effect: the Java options need to be configured via the user data or the heimdall.conf file on the remote instance. For more details on the /etc/heimdall.conf file, please see heimdall.conf configuration. | Integer | 600 |
| Proxy GSS Support | Authentication Mode = Kerberos/GSSAPI AND PostgreSQL | gssEncEnabled | When enabled, and the client requests it, this option will enable GSS negotiation. | Boolean | false |
| Proxy GSS Required | Proxy GSS Support AND PostgreSQL AND !Proxy TLS Required | gssEncRequired | When enabled, this option will force all connections to connect only with GSS. Any attempt to connect without GSS will be rejected. This option cannot be combined with the TLS Required option. | Boolean | false |
| Proxy TLS Support | - | tlsEnable | When enabled, and the client requests it, this option will enable TLS negotiation. Initially, a self-signed certificate will be generated for the proxy, which can then be customized in the Java keystore file in the proxy install directory. | Boolean | false |
| Proxy TLS Required | Proxy TLS Support = true AND !Proxy GSS Required | tlsRequired | When TLS is enabled, this option will force all connections to connect only with TLS. Any attempt to connect without TLS will be rejected. For Postgres and MySQL, warnings will be provided to the client on the disconnect; with SQL Server, only an alert on the GUI will be presented. | Boolean | false |
| Enable Legacy TLS | Proxy TLS Support = true | tlsLegacy | Enables support for legacy TLS 1.0 and TLS 1.1. | Boolean | false |
| Certificate | Proxy TLS Support = true | certificateAlias | Certificate assigned to the Virtual Database for TLS connections. | String (global_use_certificate, tomcat) | - |
| Case Sensitive Usernames | Access mode = SQL Server Proxy | userCaseSensitive | Use this option if you want the SQL Server username to be case sensitive. | Boolean | false |
| Authentication mode | - | authMode | This dropdown allows selecting the proxy authentication mechanism. Please see the Theory->Proxy Authentication page for more information on authentication. Possible values are: Passthrough, Proxy Configured Users, SQL Driven, Active Directory/LDAP, Kerberos/GSSAPI. | String (options in desc.) | - |
| user | Authentication mode = Proxy Configured Users | users.user | User required for proxy connections. | String | - |
| password | Authentication mode = Proxy Configured Users | users.password | Password for proxy user. | String | - |
| Admin User | Authentication mode = SQL Driven OR Synchronize Db Authentication | syncUser | Privileged Database User | String | - |
| Admin Password | Authentication mode = SQL Driven OR Synchronize Db Authentication | syncPassword | Privileged Database Password | String | - |
| Sync Command | Synchronize Db Authentication | syncCommand | Synchronization command; use ${user}, ${password} and ${ldapgroups} as placeholders. | String | - |
| Auth Cache Expiration Time | Synchronize Db Authentication | authenticationCacheExpirationTime | Determines how long (in ms) data will stay in the Authentication Cache. | Long | - |
| Authorization Query | Authentication mode = SQL Driven | authorizationQuery | Query to retrieve data for authorization. | String | select * from heimdall.pg_hba where enabled = true order by line_number asc |
| Dual Authentication Mode | Access mode = SQL Server Proxy AND Authentication mode = Kerberos/GSSAPI | dualAuthMode | Facilitates the use of Kerberos Authentication alongside passthrough authentication. However, there's a condition: users must adhere to a single authentication method and cannot switch between them interchangeably. | Boolean | false |
| Keytab Location | Authentication mode = Kerberos/GSSAPI | keytabLocation | Location of the keytab file that stores secret keys for the service principal (proxy). | String | - |
| Service Principals | Authentication mode = Kerberos/GSSAPI | kerberosServicePrincipals | Specifies if synchronization of users and groups should be performed. Moreover, it allows configuring how long that data will stay in Authentication Cache (Auth Cache Expiration Time). Note: The username and password can be stored in the Secrets Manager. More information about DB authentication synchronization can be found in DB authentication synchronization. | String | - |
| Synchronize Db Authentication | Authentication mode != None OR Passthrough | synchAuthentication | Synchronize Users & Groups. | Boolean | false |
| Tokenized Authentication | Synchronize Db Authentication AND Authentication mode != Kerberos/GSSAPI | tokenizedAuthentication | Tokenized authentication is a security feature which uses a token instead of the database password. This ensures that the proxy will not be bypassed and the database password will not be exposed. This option is available for Proxy Configured Users, SQL Driven and LDAP authentication modes. When using Tokenized authentication with multiple proxies, it is essential to enable an external cache like Redis or Hazelcast. This ensures that all proxies are synchronized and Tokenized authentication works smoothly on all proxies. | Boolean | false |
| Allow Portal User To Log In | Portal Mode is enabled | allowPortalUsersToLogIn | This option is available when Portal Mode is enabled. If selected, before each proxy authentication (for all authentication types except Kerberos), the system will check whether the user is a session user in the portal. If they are and the credentials are valid, they will be authenticated. If the user is not a portal user, authentication will proceed according to the mode selected in Authentication mode. | Boolean | true |
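The sketch below is an added example, not Heimdall code: it expands a proxyPort value using the single/list/range/mix syntax described above and checks one VDB's settings against the binding, TLS and GSS constraints listed in the table. It assumes the settings have already been read into a dict of conf field name to string value (the conf file syntax is not shown on this page), that proxyAddress holds an IP string, and the function names and sample values are constructed for illustration.

```python
def parse_proxy_ports(spec):
    """Expand a proxyPort value such as '5433, 5435-5436, 5450' into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        first = int(lo)  # raises ValueError on an empty or non-numeric entry
        last = int(hi) if sep else first
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"invalid port or range {part.strip()!r}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def audit_vdb(settings, ports_in_use=()):
    """Return findings for one VDB; settings maps conf field name -> string value."""
    def on(key):
        return str(settings.get(key, "false")).lower() == "true"

    findings = []
    ports = parse_proxy_ports(settings.get("proxyPort", "5050"))
    clash = sorted(set(ports) & set(ports_in_use))
    if clash:
        findings.append(f"proxyPort overlaps ports already bound on this host: {clash}")
    if settings.get("proxyAddress", "0.0.0.0") == "0.0.0.0":
        findings.append("proxyAddress 0.0.0.0 binds every local IP address")
    if not on("tlsEnable") and not on("gssEncEnabled"):
        findings.append("neither tlsEnable nor gssEncEnabled is set")
    elif on("tlsEnable") and not on("tlsRequired") and not on("gssEncRequired"):
        findings.append("tlsRequired is false: connections without TLS are accepted")
    if on("tlsLegacy"):
        findings.append("tlsLegacy is true: TLS 1.0 and TLS 1.1 are accepted")
    if on("tlsRequired") and on("gssEncRequired"):
        findings.append("tlsRequired and gssEncRequired cannot be combined")
    if on("tlsRequired") and not on("tlsEnable"):
        findings.append("tlsRequired depends on tlsEnable = true")
    return findings


# Constructed sample values; the keys are conf field names from the table above.
WEAK = {"proxyAddress": "0.0.0.0", "proxyPort": "5433, 5435-5436, 5450",
        "tlsEnable": "true", "tlsRequired": "false", "tlsLegacy": "true"}
HARDENED = {"proxyAddress": "172.17.0.1", "proxyPort": "5433",
            "tlsEnable": "true", "tlsRequired": "true", "tlsLegacy": "false"}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_vdb(conf, ports_in_use=[3306, 5436]))
```
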

Authentication Test

This subsection lets you test authentication. To see it, Authentication mode must be one of: Proxy Configured Users, SQL Driven, Active Directory/LDAP.

| Key | Description | Possible values |
|---|---|---|
| Test User | Test Password | String |
| Test Password | Test User | String |
| Test IP Address | Taken from the Data Source by default. If the JDBC URL there contains ${host}, this field has to be provided. | String (IP) |
| Test Database | Taken from the Data Source by default. If the JDBC URL there contains ${database}, this field has to be provided. | String |
| UseSSL | Whether SSL should be used for the authentication test. | Boolean |