Proxy Access

Overview


Use this access method if you want to
Have users use a single login to access all databases
Multi-factor access to resources
Role based access to resources
On Demand access to resources
Allow use of native database tools without direct DB access


The Mamori server has built-in proxies for HTTP/S, SSH and database connections. It is recommended that you first use the web console to configure and verify resource access, and then try the proxy access.

If a user has issues accessing a resource via a proxy, then first confirm they can access that resource via the web portal.

Configuration Steps

Prerequisites

Step 1 - Confirm connections from client

Typically application database connections are only routed through the Mamori server if you want to implement gobal masking rules or apply SQL injection prevention policies.

If this is required for a critial application, then have one HA Mamori server for the application traffic and another for the ad hoc traffic




Database Access Controls

The Mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses the same wire protocol are also supported. For example, greenplum, redshift and cockroach DB are supported because they use the postgres wire protocol.



Databases, like teradata and impala, are supported via the Mamori client jdbc and odbc driver.

Configuration Steps

Step 1 - Login to the web portal & verify you have access to the target database via WebSQL

Step 2 - Verify connection to the target database from desired client tools

Client tool connection settings

To connect via the Mamori server from your database tools update the connection strings as per the table below

ConnectionWithout MamoriVia Mamori
Hostthe database ipthe Mamori server ip
Portthe database listenerthe Mamori proxy port. See Ports
Databasethe database namethe alias in Mamori for the database
Authenticationdatabase credentialsMamori SSO + 2FA
Some SQL Server tools do not have a database field in their connection dialog. For these tools append the Mamori datasource name to the username.

For example, myadlogin@mydatasource

Proxy Workflow


SSH Logins

SSH connections via the proxy only supports connecting to SSH logins configured to use public key authentication. Each user must upload their private key that will be verified on an SSH login request. Shared public keys across user accounts is not permitted.

Ideally setup sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.



Connecting

To ssh via Mamori you need ensure you have added a public ssh key to your Mamori account. Follow the instructions below to add your public ssh key.

Login to the Mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

FieldDescription
NameYour reference for the key
Public KeyPaste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool

 ssh -p sshproxyport thesshlogin@mamoriserver
 -- example
 ssh -p 1122 prodserver@mymamoriserver

click here for instructions on how to view your current SSH proxy port.

Edit this page on GitHub Updated at Wed, Mar 13, 2024