SSH Tunnel Setup for Hosted Database Systems
When your IT or security team does not want to whitelist/grantlist/safelist the DLH.io IP addresses directly to your database, a secure alternative for databases that are not publicly accessible is a Secure Socket Shell (SSH) connection, which DLH.io provides as an available connectivity option.

While we contend that an SSH connection is a security mechanism with great value, we believe safelisting/grantlisting our IP addresses is just as secure in most situations. However, where SSH is fundamentally desired for your organization's requirements, we recognize that your customer hosted/enabled SSH server acts as the intermediary between the network/internet and your data source, and as such our enhanced DLH.io security protocols are in place to support this connectivity. Please direct any questions or requests for assistance to our support team.

You can see from this diagram what the architecture flow looks like when working with SSH tunnels.

[Diagram: DLH.io SSH tunneling option]

Pre-requisites & Steps to Set Up Your SSH Server Credentials

The SSH setup and configuration applies to all hosted database connectors in DLH.io unless otherwise listed below in this document.

Currently DLH.io enables the customer to incorporate their own private key and public key pair for configuring the database SSH server as part of their setup process for creating a source connector in DLH.io. This means that a customer can use an existing SSH user and private/public key pair. The following would be the steps a customer would follow if they were creating an SSH server from scratch.

As such, once established as a pre-requisite, the following information will be needed during the database source connector configuration:

- Public IP address and port of the customer SSH server.
- Verified user name and private key to connect to the customer SSH server. We suggest that you create a new SSH user (ex. `dlh_ssh_user`) and a new private and public key pair for this user.
- Database IP/DNS address and port that the SSH server will route to once connected.
- Test from your local machine, on a command line or via an IDE such as DBeaver, etc., that you can connect to your database via an SSH tunnel without issues. This proves there is no issue with your SSH server, your credentials (i.e. keys), or your database receiving requests from your SSH server.

Steps to Set Up and Configure a Database Source Connector to an SSH Server

This section discusses the steps in general if your customer hosted SSH server is already running. If you do not yet have an SSH server, or need specific SSH or private/public key understanding for your SSH server hosted on a major cloud platform such as GCP, AWS, Azure, etc., please contact DLH.io support.

Follow these steps to begin quickly integrating a database as a source via your SSH server:

1. Prepare the customer SSH server and have ready the SSH information per the pre-requisites section.
2. Whitelist/grantlist the DLH.io IP addresses on the customer SSH server as described in our IP Grantlist / Whitelist guide, based on your region, if applicable.
3. Create a new DLH.io SSH user on your SSH server specifically for any source connectors that will be connected on your hosted network and connected to via the SSH server. We suggest creating a group (create the group first) called `dlh_ssh_users`, and a new user called `dlh_ssh_user`.
   - In a Linux terminal, on the SSH server, create a Linux group named `dlh_ssh_users`: `sudo groupadd dlh_ssh_users`
   - View groups by using a command like `cat /etc/group` to see if your new group is added, and to view existing groups. The newest group is usually shown toward the bottom of the list.
   - Create a new Linux user named `dlh_ssh_user`: `sudo useradd -m -g dlh_ssh_users dlh_ssh_user`
   - View the list of users and confirm that `dlh_ssh_user` is in the list by running `cat /etc/passwd`. The newest user additions are shown toward the bottom of the list.
4. Create the private key.
   - Create an empty file in your working folder, so that the key can immediately be created into an existing and known path: `touch dlh_ssh_user_key`. You may wish to first create a temporary working folder such as `mkdir ./tmp_keys`, then run `cd ./tmp_keys` to switch into it.
   - Confirm your `dlh_ssh_user_key` file is in the working folder using `ls`.
   - Run the command `ssh-keygen` to initiate the private key generation. In order to generate an OpenSSH private key and give the public key a specific username or comment (`-C`) that can be referenced amongst other potential keys, please use the following: `ssh-keygen -b 3072 -t rsa -o -C "<email address for key>"`. For example: `ssh-keygen -b 3072 -t rsa -o -C "our DLH.io key for our database, devteam@company.com"`
   - If you want to create the file in a specific location, such as directly in the file that you created using the `touch` command, then use the `-f` attribute, which makes the key creation process faster. For example: `ssh-keygen -b 3072 -t rsa -o -f ./dlh_ssh_user_key -C "<email address for key>"`
   - If you did not use the `-f` attribute above for the `ssh-keygen` command, you'll need to follow on here: when prompted for the file in which to save the key, enter the path where you saved the `dlh_ssh_user_key` file, ex. `./dlh_ssh_user_key`, or the full `pwd` path if required, for example `/home/devteam/tmp_keys/dlh_ssh_user_key`, then press the enter/return key to continue.
   - If asked to overwrite the file, enter `y`, then press the enter/return key.
   - Press the enter key twice to bypass entering a passphrase for your key. This will generate an unencrypted private key. It is safe to use a non-encrypted private key. If you need more stringent requirements, please contact our support team to understand and align to your security needs. Currently ed25519 encryption is not supported.
   - If needing to encrypt after testing with no encryption password on your private key, you may run `ssh-keygen -p -f` followed by the path to your private key file.
   - You should now have a non-encrypted private key `dlh_ssh_user_key` with no extension and a public key in the same path with a `.pub` extension, `dlh_ssh_user_key.pub`. The file without the `.pub` extension is your private key; the one with `.pub` is your public key.
   - Please note that your private key will be in RSA (PKCS#1) format and have a header of `-----BEGIN OPENSSH PRIVATE KEY-----` and a footer of `-----END OPENSSH PRIVATE KEY-----`, because you used the `-o` attribute of `ssh-keygen`.
5. Print out to the terminal the private key created and copy it for your later retrieval/use: `cat dlh_ssh_user_key`
6. Print out to the terminal the public key created and copy it for your later retrieval/use: `cat dlh_ssh_user_key.pub`
7. Switch to the new `dlh_ssh_user` user profile: `sudo su dlh_ssh_user`
8. Create an `.ssh` directory: `mkdir ~/.ssh`
9. Grant `chmod` access permissions on the directory: `chmod 700 ~/.ssh`
10. Change to the `~/.ssh` directory: `cd ~/.ssh`
11. Create the `authorized_keys` file using `touch`, if it doesn't already exist: `touch authorized_keys`
12. Grant permissions on the `authorized_keys` file: `chmod 600 authorized_keys`
13. Finally, import your public key into the `~/.ssh/authorized_keys` file for the `dlh_ssh_user`, replacing the `<public key>` syntax here with your public key output copied from the step above: `echo "<public key>" >> ~/.ssh/authorized_keys`
14. After you've run the command, verify that the key in the `authorized_keys` file is on a single line and does not have any line breaks, which would interrupt the key and cause it not to function: `cat ~/.ssh/authorized_keys`
15. You'll use your private key in the upcoming steps when setting up your DLH.io database connector. Be sure to copy the text of the private key `dlh_ssh_user_key` (the one without the `.pub` extension) to have it available when setting up or updating the source connector configuration in DLH.io.
16. Navigate to DLH.io and log in to your account.
17. Navigate in DLH.io to your project.
18. Locate an existing database source connector or create a new one; for example, select a SQL Server database source connector to be created.
19. Next, locate the section of the database connector labeled Use SSH Tunnel and select the "Yes, use SSH Connection" option. Choosing this option expands the SSH configuration options, which allows you to complete all of the required SSH fields:
   - SSH Server/Host: this is your SSH server where you have whitelisted/grantlisted the DLH.io IP addresses.
   - SSH Port: the port for your SSH server; the default is 22.
   - SSH User: the username of the `authorized_keys` folder login, i.e. `dlh_ssh_user`.
   - SSH Private Key: the field where you will paste in the private key you created in the previous steps. For the private key you can copy and paste the full key including the header and the footer of the key, which you can read more about here: How to Test a SSH Tunnel Connection.
20. Save the connection by clicking on Save & Test. The connection test will reveal whether the SSH configuration was set up successfully. If you have an error message or some indication that the connection is not successful, please confirm that your SSH key can work in a standard SFTP connection using a tool like Transmit for macOS, WinSCP or FileZilla, because the protocols are mainly the same. Contact support if you have persisting issues.

Done! Once the connection is saved successfully with your SSH configuration, continue on with using DLH.io, such as creating a Sync Bridge (What is a Sync Bridge (Pipeline)?), a target/destination (What is a Target Connection?), etc.

Database Connectors Not Available for SSH Configuration

N/A. There are no self-hosted database connectors at this time that do not support SSH.
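
Returning to the SSH server setup steps above: the directory mode, file mode and single-line key checks can be scripted and run as the SSH user after importing the public key. This is an added example, not part of the DLH.io documentation; the function names (`perm_is`, `bad_key_lines`, `audit_ssh_dir`, `demo`) and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DLH.io code): audit the ~/.ssh layout built in the steps above.
# Function names and the sample key are illustrative assumptions.

# perm_is PATH MODE: succeeds when PATH has exactly the octal MODE.
perm_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# bad_key_lines FILE: prints line numbers of entries that are not a complete
# single-line key of the form "[options] keytype base64 [comment]".
bad_key_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines are fine
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^AAAA[A-Za-z0-9+\/]+=*$/ &&
                    length($(i + 1)) % 4 == 0) ok = 1
            if (!ok) print NR                # wrapped or truncated entry
        }' "$1"
}

# audit_ssh_dir DIR: prints findings; returns 0 only when every check passes.
audit_ssh_dir() {
    dir=$1; keys="$dir/authorized_keys"; rc=0
    perm_is "$dir" 700 || { echo "FAIL: $dir is not mode 700"; rc=1; }
    if [ ! -f "$keys" ]; then echo "FAIL: $keys is missing"; return 1; fi
    perm_is "$keys" 600 || { echo "FAIL: $keys is not mode 600"; rc=1; }
    bad=$(bad_key_lines "$keys")
    [ -z "$bad" ] || { echo "FAIL: broken key entry at line(s): $(echo $bad)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir matches the documented layout"
    return "$rc"
}

# Constructed demo: build a sample layout in a temp dir and audit it.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh" || return 2
    # Constructed, non-functional key blob used only as sample input.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 devteam@company.com\n' \
        > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    audit_ssh_dir "$d/.ssh"; rc=$?; rm -rf "$d"; return "$rc"
}

demo
```

On the SSH server, `audit_ssh_dir ~/.ssh` reports the line number of any key that was wrapped by the terminal when it was pasted into `authorized_keys`.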