SSH Tunnel Setup for Hosted Database Systems
When your IT or Security team does not want to whitelist/grantlist/safelist the DLH.io IP addresses directly to your database, a secure alternative for databases that are not publicly accessible is a Secure Socket Shell (SSH) connection which DLH.io provides as an available connectivity option.
While we contend that an SSH connection is a security mechanism with great value, we believe safelisting/grantlisting our IP addresses is just as secure in most situations. However, where SSH is fundamentally desired for your organization's requirements, we recognize that your Customer hosted/enabled SSH server acts as the intermediary between the network/Internet and your data source, and as such our enhanced DLH.io security protocols are in place to support this connectivity.
Please direct any questions or requests for assistanc eto our support team.
You can see from this diagram what the architecture flow looks like when working with SSH tunnels:
The SSH setup and configuration applies to all hosted Database connectors in DLH.io unless otherwise listed below in this document. Currently DLH.io enables the Customer to incorporate their own Private Key and Public Key pair for configuring the database SSH server as part of their setup process for creating a Source connector in DLH.io. This means that a Customer can use an existing SSH user and private/public key pair. The following would be the steps a Customer would follow if they were creating an SSH Server from scratch as such once established as a pre-requisite the following information will needed during the database source connector configuration:
- Public IP Address and Port of the Customer SSH Server
- Verified User name and Private Key to connect to the Customer SSH Server
- We suggest that you create a new SSH user (ex: dlh_ssh_user and an new private and public key pair for this user
- Database IP/DNS Address and Port that the SSH Server will route to once connected
- Test from your local IDE on a command line or via IDE such as DBeaver, etc. that you can connect to your database via an SSH Tunnel without issues. This proves there is no issue with your SSH Server, your credentials (i.e.: keys), or your database receiving requests from your SSH server.
This section discusses the steps in general if your Customer hosted SSH Server is already running. If you do not yet have an SSH server or need specific SSH or Private/Public Key understanding for your SSH Server hosted on a major cloud platform such as GCP, AWS, Azure, etc. please contact DLH.io support.
Follow these steps to begin quickly integrating database as a source via your SSH Server:
- Prepare the Customer SSH Server and have ready the SSH information per the pre-requisites section
- Whitelist/Grantlist the DLH.io IP Addresses on the Customer SSH Server as described in Our IP Grantlist / Whitelist guide, based on your region, if applicable
- Create a new DLH.io SSH User on your SSH server specifically for any source connectors that will be connected on your hosted network and connected to via SSH server. We suggest creating a group and a user called dlh_ssh_user. So in a Linux terminal, on the SSH server,
- Create a linux group named dlh_ssh_user:
- sudo groupadd dlh_ssh_user
- Create a linux user named dlh_ss_user:
- sudo useradd -m -g dlh_ssh_user
- Create the Private Key
- Create an empty file so the key when created can immediately by created into an existing path, touch dlh_ssh_user
- Run the command to initiate the private key generation, ssh-keygen
- Click the enter key twic to bypass entering a passphrase for your key. This will be an unencrypted private key
- For the enter file in which to save the key, enter the path where you saved the dlh_ssh_user file, ex: ./dlh_ssh_user or the full pwd path if required
- You should now have a private key dlh_ssh_user with no extension and a public key in the same path with a .pub extension, dlh_ssh_user.pub
- Print out to ther terminal the key created and copy it for your later retrieval/use
- cat dlh_ssh_user
- Print out to ther terminal the public key created and copy it for your later retrieval/use
- cat dlh_ssh_user.pub
- Switch to the new dlh_ssh_user user profile
- sudo - su - dlh_ssh_user
- Create an .ssh directory
- mkdir ~/.ssh
- Grant chmod access permissions on the directory
- chmod 700 ~/.ssh
- Change to the ~/.ssh directory
- cd ~/.ssh
- Create the authorized_keys file using touch, if it doesn't already exist:
- touch authorized_keys
- Grant permissions on the authorized_keys file
- chmod 600 authorized_keys
- Finally, import your Public Key, replacing <PUBLIC_KEY> syntax here with your public key output copied from the step above into the ~/.ssh/authorized_keys file for the dlh_ssh_user.
- echo "<PUBLIC KEY>" >> ~/.ssh/authorized_keys
- After you've run the command here, verify that the key is in the authorized_keys file is on a single line and does not have any line breaks which would interrupt the key and cause it not to function
- cat ~/.ssh/authorized_keys
- You'll use your Private Key in the upcoming steps when setting up your DLH.io database connector. Be sure to copy or get the private key dlh_ssh_user (the one without the .pub extension) to have it available when updating the source connector configuration.
- Navigate to DLH.io and log in to your account
- Navigate in DLH.io to your Project
- Locate an existing database source connector or create a new one, for example select a SQL Server database source connector to be created.
- Next locate the section of the database connector labeled Use SSH Tunnel and select the Yes, Use SSH Connection option.
Use SSH Tunnel option
- Choosing this option expands the SSH configuration options.
SSH Options
- Enter the correct information regarding your SSH server in hese fields:
- SSH Server/Host : This is your SSH server where you have whitelisted/grantlisted the DLH.io IP Addresses
- SSH Port : The port for your SSH server, default is 22
- SSH Private Key : The field where you will paste in your private key you created in the previous steps
- Save the connection and the connection test will reveal if the SSH configuration was set up successfully if the connection test is successful.
- Done. Continue on with using DLH.io such as creating a Sync Bridge (What is a Sync Bridge (Pipeline)?), etc.
N/A - There are no self-hosted database connectors at this time that do not support SSH.
