Getting Started
For added security with your database server, you can connect using an SSH tunnel. To use this option, you need an SSH tunnel server that has access to your database port. You’ll need to create an SSH user for Savant and the tunnel server's SSH port needs to be accessible to Savant’s IPs.
You can check that your database is accessible from the proxy machine by trying to connect to the host:port from the proxy machine. Here is an example using netcat on the proxy machine:
nc -w 10 -t -v <server> <port>
You also need to open port 22 of the proxy machine to Savant's IP. The Savant gateway IPs are listed below for each geo.
Worldwide App (non-EU):
35.188.163.165
35.188.99.19
3.20.192.126
3.136.174.242
3.21.111.255
EU App:
34.22.229.169
34.79.28.74
34.251.112.30
54.220.36.32
63.32.243.56
SSH Tunnel Setup
These steps take you through basic database connection setup. You will need to complete setup by choosing one of three SSH tunnel connection methods.
Create SSH User
On your SSH tunnel server, do the following to create an SSH user for Savant:
Create group:
sudo groupadd savant |
Create user:
sudo useradd -m -g savant savant |
Switch to the Savant user:
sudo su - savant |
Create .ssh directory:
mkdir ~/.ssh |
Set permissions for the .ssh directory:
chmod 700 ~/.ssh |
Switch to the .ssh directory:
cd ~/.ssh |
Create an authorized key file:
touch authorized_keys |
Set permissions for the authorized key file:
chmod 600 authorized_keys |
Verify SSH Tunnel
On your SSH tunnel server, you can use putty or the ssh command line to verify that the savant user can ssh into the tunneling server. If an error message is returned, then there is a configuration issue with your SSH tunnel server.
Verify access to the shell and home directory:
ssh savant@{ssh_tunnel_server} |
Create a reverse tunnel:
ssh -R 8080:localhost:11111 user@{ssh_tunnel_server} |
Test the reverse tunnel:
nc -v 127.0.0.1 8080 |
Configure Savant
In your Savant workspace, do the following to connect to your SSH tunnel:
Go to the Systems page and click Add System
Select your data warehouse connector and click Next
Enter your Server for SSH
This is the host name or IP address of the SSH server
Enter the Port for SSH
This is generally 22
Enter the Username for SSH
This is the user created on the SSH server
Click Use SSL
Click SSH Tunnel
Complete one of the credentials methods
Click Authenticate and then Confirm
Authentication Option #1: Password
This method uses a username and password to connect Savant to your SSH tunnel.
Select the Password option
Enter the password of the SSH tunnel user created for Savant
Passwords are encrypted before saving to Savant. The encryption key is not accessible by Savant employees and rotated regularly.
Authentication Option #2: Public Key
This method uses a public key from Savant to authenticate with the SSH tunnel server.
Select the Savant Public Key option
On the SSH tunnel server, go to the home directory for the Savant user
Open file $HOME/.ssh/authorized_keys
Create the text file if it does not exist
Paste the public key copied from Savant UI to the file as a new line
Authentication Option #3: Private Key
This method uses your own private key to authenticate Savant with the SSH tunnel server.
Select the Savant Private Key option
On the SSH tunnel server, use the ssh-keygen command to create a new key pair
A paraphrase is recommended, but not required
Write down the public and private keys
Go to the home directory for the Savant user
Open file $HOME/.ssh/authorized_keys
Create the text file if it does not exist
Paste the generated public key to the file as a new line
Paste the generated private key to Savant
Enter the passphrase, if any, used to generate the new key pair
Private keys are encrypted before saving to Savant. The encryption key is not accessible by Savant employees and rotated regularly.