Proxy Access

Overview

Use this access method if you want to

Have users use a single login to access all databases

Multi-factor access to resources

Role based access to resources

On Demand access to resources

Allow use of native database tools without direct DB access

The Mamori server has built-in proxies for HTTP/S, SSH and database connections. It is recommended that you first use the web console to configure and verify resource access, and then try the proxy access.

If a user has issues accessing a resource via a proxy, then first confirm they can access that resource via the web portal.

Configuration Steps

Prerequisites

Opened proxy ports

Configured resources and provisioned access

Step 1 - Confirm connections from client

Typically application database connections are only routed through the Mamori server if you want to implement gobal masking rules or apply SQL injection prevention policies.

If this is required for a critial application, then have one HA Mamori server for the application traffic and another for the ad hoc traffic

Database Access Controls

The Mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses the same wire protocol are also supported. For example, greenplum, redshift and cockroach DB are supported because they use the postgres wire protocol.

Databases, like teradata and impala, are supported via the Mamori client jdbc and odbc driver.

Configuration Steps

Step 1 - Login to the web portal & verify you have access to the target database via WebSQL

Step 2 - Verify connection to the target database from desired client tools

Client tool connection settings

To connect via the Mamori server from your database tools update the connection strings as per the table below

Connection Without Mamori Via Mamori
Host the database ip the Mamori server ip
Port the database listener the Mamori proxy port. See Ports
Database the database name the alias in Mamori for the database
Authentication database credentials Mamori SSO + 2FA

Connection	Without Mamori	Via Mamori
Host	the database ip	the Mamori server ip
Port	the database listener	the Mamori proxy port. See Ports
Database	the database name	the alias in Mamori for the database
Authentication	database credentials	Mamori SSO + 2FA

Download Database Client Tool Login Guide

Some SQL Server tools do not have a database field in their connection dialog. For these tools append the Mamori datasource name to the username.

For example, myadlogin@mydatasource

Proxy Workflow

SSH Logins

SSH connections via the proxy only supports connecting to SSH logins configured to use public key authentication. Each user must upload their private key that will be verified on an SSH login request. Shared public keys across user accounts is not permitted.

Ideally setup sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.

Connecting

To ssh via Mamori you need ensure you have added a public ssh key to your Mamori account. Follow the instructions below to add your public ssh key.

Login to the Mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

Field Description
Name Your reference for the key
Public Key Paste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool
 ssh -p sshproxyport thesshlogin@mamoriserver
 -- example
 ssh -p 1122 prodserver@mymamoriserver

Field	Description
Name	Your reference for the key
Public Key	Paste in your public key

click here for instructions on how to view your current SSH proxy port.