# Connect to Datasources This page provides instructions on how to configure everyday client applications (such as database clients) to connect to resources via StrongDM. ### Connection Process 1. Open StrongDM Desktop by clicking the **sdm** icon in the menu bar of your screen (macOS) or in the Windows taskbar. 2. If you are already logged in to StrongDM, the desktop app displays a list of available resources. Click the name of the desired resource in the list. {% hint style="info" %} If you wish to connect to a resource using the command-line interface (CLI) instead, open the command prompt or terminal and run `sdm connect `, being sure to replace the placeholder text with the actual resource name (for example, `sdm connect test-mysql-db`). {% endhint %} 3. In the desktop app, ensure there is a green lightning bolt next to the resource name, meaning a healthy connection exists. If you are using the CLI instead, run `sdm status` to ensure the resource is listed as `connected`. 4. Open your client application and enter the connection details. 1. Note that the connection values, such as hostname, username, password, and others, are different than usual because of the connection that StrongDM has already set up to your computer. 2. For most clients, the required hostname is `localhost` and the username and password fields can be left empty. 3. The known exceptions are described on this page. The reason for these exceptions is often that a graphical client's form validation requires fields to have some value in them, rather than be left empty, even if the fields are not actually used to make the connection. 5. Once you have filled in the appropriate connection details, if any, initiate the connection within your client and then interact with your resource as you normally would. ### Client Connection Details This section lists some of the clients that require connection values that differ from the defaults. When the indicated value for a given field is `empty`, leave the field empty. For `any string`, enter anything you want. The client's form validation requires *something* to be written in that field, but the contents do not actually matter because the value is not used to make the connection. #### Aurora MySQL, Clustrix, MariaDB, MySQL, SingleStore {% hint style="info" %} For some versions of MySQL, you may need to specify that you do not wish to use SSL if SSL/No SSL is asked for by the client. {% endhint %} | Client | Hostname | Username | Password | Initial DB | | --------------- | ----------- | ---------- | -------- | ---------------------- | | DBeaver | `localhost` | empty | empty | existing database name | | DbVisualizer | `localhost` | empty | empty | existing database name | | MySQL Workbench | `127.0.0.1` | any string | empty | empty | | Sequel Pro | `127.0.0.1` | empty | empty | empty | | SQLPro Studio | `localhost` | any string | empty | empty | | SQLyog | `localhost` | any string | empty | empty | | Tableau | `127.0.0.1` | empty | empty | empty | | TeamSQL | `localhost` | any string | empty | empty | #### Aurora PostgreSQL, Citus, Greenplum, PostgreSQL {% hint style="info" %} For DataGrip, the **Authentication** field should be set as `User & Password`, not `pgpass`. {% endhint %} | Client | Hostname | Username | Password | Initial DB | | --------------- | ----------- | ---------- | ---------- | ---------------------- | | DataGrip | `localhost` | empty | empty | empty | | Navicat (macOS) | `localhost` | any string | empty | empty | | pgAdmin | `127.0.0.1` | any string | empty | any string | | Postico | `localhost` | empty | empty | existing database name | | SQLPro Studio | `localhost` | any string | empty | empty | | Tableau | `localhost` | any string | empty | any string | | TablePlus | `localhost` | empty | empty | existing database name | | TeamSQL | `localhost` | any string | empty | any string | | SQL Workbench/J | `localhost` | any string | any string | empty | #### ClickHouse **ClickHouse (TCP)** For ClickHouse (TCP) resource types, if the ClickHouse client is used to connect, as in the following example, then TLS certificate verification must be skipped. ```bash clickhouse client --port 10092 --secure --config-file config/client-config.xml ``` If the above example is used, then the configuration file client-config.xml should look like the following: ```xml true true sslv2,sslv3 true none AcceptCertificateHandler ``` **ClickHouse (HTTP)** For ClickHouse (HTTP) resource types, when HTTPS is configured, TLS certificate verification must be skipped, as in the following example. ```bash curl -G -d "query=SELECT%20303" https://127.0.0.1:10093 --insecure ``` #### Microsoft SQL Server | Client | Hostname | Username | Password | Initial DB | Additional Settings | | ---------------------------- | ---------------- | ---------- | ---------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Access | `127.0.0.1` | any string | empty | empty | | | Alteryx Designer | `127.0.0.1` | any string | any string | empty | Use system ODBC connection and SQL Server 10.x driver | | Azure Data Studio | `127.0.0.1,port` | any string | empty | empty | **SDM port** should be separated by a comma with no spaces (for example, 127.0.0.1,11433); under *Advanced... > Security* set **Trust server certificate** to **true** | | Excel | `127.0.0.1` | any string | empty | empty | | | Navicat | `localhost` | any string | empty | empty | | | Power Pivot (Excel) | `127.0.0.1,port` | any string | empty | | SDM port should be separated by a comma with no spaces (for example, 127.0.0.1,11433); In Advanced Settings, change Provider to: **.NET Framework Data Provider for SQL Server** | | SQL Server Management Studio | `127.0.0.1` | any string | any string | empty | Change **Network Protocol** to **TCP/IP**; **Server Name** should be the IP address; **SDM port** should be separated by a comma with no spaces (for example, 127.0.0.1,11433) | | Tableau | `127.0.0.1` | any string | empty | empty | | #### Neptune | Client | Hostname | Additional Settings | | --------------- | ----------- | ----------------------------------------------------------------------------------------------------------- | | Gremlin Console | `localhost` | Configure the client **not** to use TLS. In addition, configure the client to use GraphSON instead of Gryo. | | Gremlin cURL | `localhost` | Configure the client **not** to use TLS. | | Gremlin SDK | `localhost` | Configure the client **not** to use TLS. In addition, configure the client to use GraphSON instead of Gryo. | | SPARQL cURL | `localhost` | Configure the client **not** to use TLS. | **Gremlin Console with Neptune** To use Gremlin Console with Neptune, edit a configuration file for Neptune (`neptune-remote-sdm-graphson.yaml`) to match the following: ```yaml hosts: [127.0.0.1] port: 18182 connectionPool: { enableSsl: false } serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0 } ``` Then start Gremlin: ```bash bin/gremlin.sh ``` Use the edited config to connect via TinkerPop, and then open Gremlin Console: ``` gremlin> :remote connect tinkerpop.server neptune-remote-sdm-graphson.yaml gremlin> :remote console ``` #### Oracle For additional details, see the [connect-oracle](https://docs.strongdm.com/users/connect/connect-oracle "mention") guide. | Client | Hostname | Username | Password | | ------------- | ----------- | ---------- | ---------- | | DBeaver | `localhost` | any string | `password` | | SQL Developer | `localhost` | any string | `password` | | SQLPlus | `localhost` | any string | `password` | | Toad | `127.0.0.1` | any string | any string | #### Redshift {% hint style="info" %} See the [JDBC Drivers](#jdbc-drivers) section for information on how to use the Redshift JDBC driver. The connection string noted for Redshift is required to use Redshift via DataGrip. {% endhint %} | Client | Hostname | Username | Password | Initial DB | Additional Settings | | --------------- | ----------- | ---------- | ---------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | DataGrip | `localhost` | any string | any string | empty | Requires modification of the JDBC URL with the following specific parameters: `jdbc:redshift://localhost:port/any?ssl=false&UID=any&PWD=any`; see the Redshift entry in [JDBC Drivers](#jdbc-drivers) | | DbVisualizer | `localhost` | empty | empty | any string | none | | SQLPro Studio | `localhost` | any string | empty | empty | none | | SQL Workbench/J | `localhost` | any string | any string | empty | none | | Tableau | `localhost` | any string | any string | any string | none | #### Snowflake | Client | Hostname | Username | Password | Initial DB | Additional Settings | | -------- | ----------- | ---------- | ---------- | ---------- | ---------------------------------------------------------------------------------- | | DataGrip | `127.0.0.1` | any string | any string | empty | Set any string for **Account** and `false` for **SSL** under **Driver Properties** | | DBeaver | `127.0.0.1` | any string | any string | empty | Set any string for **Account** and `false` for **SSL** under **Driver Properties** | #### Db2 LUW | Client | Hostname | Username | Password | Initial DB | | ------------ | ----------- | ---------- | ---------- | ---------- | | DBeaver | `localhost` | any string | any string | any string | | DbVisualizer | `localhost` | any string | any string | any string | #### Db2i | Client | Hostname | Username | Password | Initial DB | Additional Settings | | ------------ | ----------- | ---------- | ---------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | DBeaver | `localhost` | any string | any string | any string | From the Driver Properties settings, **portNumber** must be set to the SDM port-override value. | | DbVisualizer | `localhost` | any string | any string | any string | Load a driver compatible with DB2 iseries, such as **jt400-10.4.jar**. Once added, go to the Driver Properties and set the **portNumber** to the StrongDM port-override value. | #### Sybase ASE, Sybase IQ The known exceptions to both sets of values are as shown: | Client | Hostname | Username | Password | Initial DB | | --------------- | --------- | ---------- | ---------- | ---------- | | DBArtisan | localhost | any string | any string | empty | | DataGrip | localhost | any string | any string | empty | | DBeaver | localhost | any string | any string | empty | | DBVisualizer | localhost | any string | any string | empty | | ERStudio | localhost | any string | any string | empty | | RapidSQL | 127.0.0.1 | any string | any string | empty | | SQL Workbench/J | localhost | any string | any string | empty | ### Command-line Clients | Database type | Sample connection string with port | Sample connection string with database | | --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | | BigQuery | `bq --api http://localhost:20000 --disable_ssl_validation ls` | | | Cassandra | `cqlsh localhost port` | | | DynamoDB | `dynamodb --endpoint-url http://localhost:port` | | | Microsoft SQL Server | `sqlcmd -s 127.0.0.1,port` | `sqlcmd -s 127.0.0.1 -d ` | | | `mssql-cli -S 127.0.0.1,port -U sdm -P sdm` | `mssql-cli -S 127.0.0.1 -U sdm -P sdm -d ` | | MongoDB | `mongo --host localhost --port port` | | | MySQL, Aurora MySQL, MariaDB, SingleStore | `mysql -h 127.0.0.1 -P port` | | | PostgreSQL, Aurora PostgreSQL, Citus, Greenplum, Redshift | `psql -h localhost -p port` | `psql -h localhost -d ` | | Redis | `redis-cli -h localhost -p port` | | | Snowflake | `SNOWSQL_PWD=none snowsql -u sdm -a sdm -d -s -w -h localhost -p port -D protocol=http` | | ### Database Overrides The SQL Server and PostgreSQL datasource types, as well as PostgreSQL derivatives like Greenplum and Redshift, have the option of **database overrides**. However, this option works differently between SQL Server and PostgreSQL. #### Database override enabled For PostgreSQL: * When a user connects to the datasource, they are unable to change databases from the database configured in the datasource. * If the user tries to change databases, the command appears to be successful but the user can only query the original datasource. * In this configuration, the user does not need to specify a database when connecting to the datasource via StrongDM. For SQL Server: * When a user connects to the datasource, they automatically connect to the database specified in the datasource configuration. * In this configuration, the user does not need to specify a database when connecting to the datasource via StrongDM. #### Database override disabled For PostgreSQL and SQL Server: * If the **Override Database** option is not enabled, the user will be able to change databases as normal. * In this configuration, the user *DOES* need to specify a database, that is, any database that is accessible in the datasource, when connecting to the datasource via StrongDM. ### JDBC Drivers Some JDBC drivers have very specific connection string requirements. When using the following JDBC drivers, we recommend entering the connection string directly. Replace **\** with the configured port. Where it says **any** you can replace with any string, but a string must be there for proper functionality. | Driver | Connection string | Notes | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Athena (driver versions 2.0.5, 2.0.6) | `jdbc:awsathena://UseResultsetStreaming=0;ProxyHost=localhost;ProxyPort=;Protocol=http;AwsRegion=us-any-1;UID=any;PWD=any;S3OutputLocation=s3://any/` | | | Athena (driver versions 3.0.0 to 3.0.6) | `jdbc:athena://ProxyHost=http://127.0.0.1;ProxyPort=;Region=us-east-1;UID=any;PWD=any;OutputLocation=s3://any;ConnectionTest=FALSE` | | | Databricks | `jdbc:databricks://localhost:;HttpPath=/sql/1.0/warehouses/test;SSL=0` | Must include `HttpPath` even if it points to a non-existing warehouse. The StrongDM driver connects to the resource configured in StrongDM. SSL must be set to `0` because the driver serves connections over a non-SSL protocol. See the **Databricks connection properties** section for additional information. | | jTDS | `jdbc:jtds:sqlserver://localhost:/any;user=any;password=any;ssl=request` | | | Redis | `jdbc:redis:localhost:` | | | Redis Cluster | `jdbc:redis:localhost:` | Must specify `jdbc:redis:` instead of `jdbc:redis:cluster:`; must specify `verifyConnectionMode: false` | | Redshift | `jdbc:redshift://localhost:/any?ssl=false&UID=any&PWD=any` | | | Snowflake | `jdbc:snowflake://localhost:/?account=any&SSL=FALSE` | | {% hint style="info" %} To connect to Athena using JDBC v3 clients, a StrongDM certificate is required. This certificate can be provided by a StrongDM admin for your organization. See the [User Connection With JDBC v3](https://app.gitbook.com/s/F7eka9SH5TT8nJm2ZfWj/resources/datasources/athena#user-connection-with-jdbc-v3) section for more details. {% endhint %} {% hint style="info" %} When connecting to Redis Cluster resources, do not use any client options for configuring cluster mode or connecting to clusters specifically. The StrongDM resource type handles cluster routing internally. The client should treat the connection through StrongDM as it would a single node Redis resource. {% endhint %} **Databricks connection properties** When configuring a client that requires explicit connection parameters (for example, certain JDBC or BI tools), use the following values: ``` Host=localhost Port=10037 HTTPPath=/sql/1.0/warehouses/test SSL=0 ThriftTransport=2 AuthMech=3 UID=token PWD=test ``` {% hint style="info" %} These values are required by some clients for validation purposes. The host and port must match the values assigned by StrongDM for the resource (for example, the local port shown in `sdm connect` or the configured port in your StrongDM client). StrongDM handles the actual authentication and routing, so other values (such as UID and PWD) may not correspond to real credentials. {% endhint %} ### REST API Connections Some database types allow REST API access. Druid requires it. To connect to these databases, replace the host and port in the URL with `localhost` and the configured port of your resource in StrongDM. For example, with Druid use `http://localhost:18090/druid/indexer/v1/task`. If you have trouble connecting with your database client, try the default values (hostname `localhost` and an empty username and password). If that does not work, check the tables on this page for specific values for your client. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/users/connect/connect-databases.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.