Connect to Datasources

This page provides instructions on how to configure everyday client applications (such as database clients) to connect to resources via StrongDM.

Connection Process

1. Open StrongDM Desktop by clicking the sdm icon in the menu bar of your screen (macOS) or in the Windows taskbar.

2. If you are already logged in to StrongDM, the desktop app displays a list of available resources. Click the name of the desired resource in the list.

1. In the desktop app, ensure there is a green lightning bolt next to the resource name, meaning a healthy connection exists. If you are using the CLI instead, run sdm status to ensure the resource is listed as connected.

2. Open your client application and enter the connection details.

   1. Note that the connection values, such as hostname, username, password, and others, are different than usual because of the connection that StrongDM has already set up to your computer.

   2. For most clients, the required hostname is localhost and the username and password fields can be left empty.

   3. The known exceptions are described on this page. The reason for these exceptions is often that a graphical client's form validation requires fields to have some value in them, rather than be left empty, even if the fields are not actually used to make the connection.

3. Once you have filled in the appropriate connection details, if any, initiate the connection within your client and then interact with your resource as you normally would.

Client Connection Details

This section lists some of the clients that require connection values that differ from the defaults. When the indicated value for a given field is empty, leave the field empty. For any string, enter anything you want. The client's form validation requires something to be written in that field, but the contents do not actually matter because the value is not used to make the connection.

Aurora MySQL, Clustrix, MariaDB, MySQL, SingleStore

Aurora PostgreSQL, Citus, Greenplum, PostgreSQL

ClickHouse

ClickHouse (TCP)

For ClickHouse (TCP) resource types, if the ClickHouse client is used to connect, as in the following example, then TLS certificate verification must be skipped.

clickhouse client --port 10092 --secure --config-file config/client-config.xml

If the above example is used, then the configuration file client-config.xml should look like the following:

<config>
    <openSSL>
        <client>
            <loadDefaultCAFile>true</loadDefaultCAFile>
            <cacheSessions>true</cacheSessions>
            <disableProtocols>sslv2,sslv3</disableProtocols>
            <preferServerCiphers>true</preferServerCiphers>
            <verificationMode>none</verificationMode>
            <invalidCertificateHandler>
                <name>AcceptCertificateHandler</name>
            </invalidCertificateHandler>
        </client>
    </openSSL>
</config>

ClickHouse (HTTP)

For ClickHouse (HTTP) resource types, when HTTPS is configured, TLS certificate verification must be skipped, as in the following example.

curl -G -d "query=SELECT%20303" https://127.0.0.1:10093 --insecure

Microsoft SQL Server

Neptune

Gremlin Console with Neptune

To use Gremlin Console with Neptune, edit a configuration file for Neptune (neptune-remote-sdm-graphson.yaml) to match the following:

hosts: [127.0.0.1]
port: 18182
connectionPool: { enableSsl: false }
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 }

Then start Gremlin:

bin/gremlin.sh

Use the edited config to connect via TinkerPop, and then open Gremlin Console:

gremlin> :remote connect tinkerpop.server neptune-remote-sdm-graphson.yaml
gremlin> :remote console

Oracle

For additional details, see the Oracle User Guide guide.

Redshift

Snowflake

Db2 LUW

Db2i

Sybase ASE, Sybase IQ

The known exceptions to both sets of values are as shown:

Command-line Clients

Database Overrides

The SQL Server and PostgreSQL datasource types, as well as PostgreSQL derivatives like Greenplum and Redshift, have the option of database overrides. However, this option works differently between SQL Server and PostgreSQL.

Database override enabled

For PostgreSQL:

• When a user connects to the datasource, they are unable to change databases from the database configured in the datasource.

• If the user tries to change databases, the command appears to be successful but the user can only query the original datasource.

• In this configuration, the user does not need to specify a database when connecting to the datasource via StrongDM.

For SQL Server:

• When a user connects to the datasource, they automatically connect to the database specified in the datasource configuration.

• In this configuration, the user does not need to specify a database when connecting to the datasource via StrongDM.

Database override disabled

For PostgreSQL and SQL Server:

• If the Override Database option is not enabled, the user will be able to change databases as normal.

• In this configuration, the user DOES need to specify a database, that is, any database that is accessible in the datasource, when connecting to the datasource via StrongDM.

JDBC Drivers

Some JDBC drivers have very specific connection string requirements. When using the following JDBC drivers, we recommend entering the connection string directly. Replace <PORT> with the configured port. Where it says any you can replace with any string, but a string must be there for proper functionality.

REST API Connections

Some database types allow REST API access. Druid requires it. To connect to these databases, replace the host and port in the URL with localhost and the configured port of your resource in StrongDM.

For example, with Druid use http://localhost:18090/druid/indexer/v1/task.

If you have trouble connecting with your database client, try the default values (hostname localhost and an empty username and password). If that does not work, check the tables on this page for specific values for your client.