Manager options:
This is a list of options for the Admin section; these options can be set from the Admin tab.
These options are saved inside heimdall.conf file.
⚠️ Note: You can use SHIFT with mouse scroll to scroll horizontally!
Small Sections
Sections with only a few options are grouped in this general table, with their section given in the Section column.
| Key | Section | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|---|
| Registered ID | Account Information | - | accountInformation.registeredID | Provided from Customer Support to verify enrollment | String | - |
| Send alerts through notification | Alerts | - | alertsConfig.sendAlertsViaNotification | If this option is checked, every alert whose message doesn't match any added pattern will be sent through notification. | Boolean | false |
| Exclude Proxy Logins | Login History | - | - (Non-persistent / GUI only) | Unchecking 'Exclude proxy logins' adds proxy logins to the list. | Boolean | true |
| Security Tag | Security Tags | - | (Elements of availableSecurityTags) | This section allows for the management of security tags, which can be applicable in the database browser section. | String | - |
| Auth Provider | SAML Configuration | - | samlAuthProvider | Identity provider (AWS IAM Identity Center, Okta, Other) | String (AWS IAM (...), Okta, Other) | - |
| IdP Metadata URL | SAML Configuration | - | metadataUrl | The URL pointing to the Identity Provider’s metadata. | String | - |
| AWS Identity Store ID | SAML Configuration | Auth Provider = AWS IAM Identity Center | identityStoreId | AWS Identity Store ID, for mapping UUID groups on AWS Identity Center into the group names. If not configured, the group mapping can be configured manually on the datasource tab. | String | - |
| Name | Password Policy | - | passwordPolicies.name | Name of the policy that will be enforced. | String | - |
| Value | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.value | Used by some policies to set minimum or maximum characters or custom regex. | String | - |
| ( type ) | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.type | Filled by heimdall. Used by some policies. Type of the value used by the policy. | String | - |
| ( name ) | Password Policy | Name = (maximum/minimum) of characters OR Name = custom regex matching | passwordPolicies.params.name | Filled by heimdall. Short name of the policy that determines what type of policy it is. | String | - |
Special Manager Options
This list is also a set of options for the Admin section. They are set in the Config Management subsection, but they are stored in /etc/heimdall.conf, while the rest of the Admin section configuration is stored under /opt/heimdall or the custom directory specified during installation.
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| hdRole | - | hdRole | Controls whether this environment is a central manager or a proxy | String | - |
| hdHost | - | hdHost | Hostname of management server | String | heimdallmanager |
| hdPort | - | hdPort | Port of the management server, generally 8087 or 8443 | Integer | 8087 |
| hdUser | - | hdUser | Login username for the management server, can be admin | String | admin |
| hdPassword | Secret (Config Management) = false | hdPassword | Login password for the management server | String | heimdall (on premise) |
| Secret (hdPassword) | - | useSecretForVdbCredentials | Determines if the secret will be used | Boolean | false |
| Secrets Manager (hdPassword) | Secret (Config Management) = true | secretsManagerConfigName | Secrets Manager Configuration that will be used. Depending on the secrets manager selected, the needed fields are written into the file. | String | - |
| vdbCredentialsSecretName | Secret (Config Management) = true | vdbCredentialsSecretName | Secret name | String | - |
| hdSecretKey | - | hdSecretKey | In AWS, use this as the name of an AWS Secret to store the configuration, protecting included passwords from being written to disk. | String | - |
| cloudDetection | - | cloudDetection | If the manager should detect cloud services on startup | Boolean | true |
| cloudOption | cloudDetection = false | cloudOption | Allows a Heimdall instance running on premise to use cloud services; initialized on startup | String | - |
| javaOptions | - | javaOptions | Any arbitrary options desired to be set | String | - |
Log Management Options
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Use external database for logging | - | logDatabaseConfiguration.useExternalSource | Allows setting external database for logging. | Boolean | false |
| Data Source | Use external database for logging | logDatabaseConfiguration.sourceName | Data source to set for external logging. | String | (Using: Embedded database (HSQL)) |
| Send login entries to CloudTrail | - | cloudTrailUserLoginConfig.sendEntriesToCloudTrailLake | Send login events to AWS CloudTrail. | Boolean | false |
| Cloud Trail Lake Channel ARN | Send login entries to CloudTrail | cloudTrailUserLoginConfig.cloudTrailChannelArn | CloudTrail Lake Channel ARN, in the format: arn:aws:cloudtrail:<region>:<account-id>:channel/<channel-id>. Can be found on AWS under CloudTrail → Lake → Integrations | String | - |
| Enable Manager CloudWatch Logging | - | enableManagerCloudWatchLogging | Controls whether manager logs are sent to AWS CloudWatch. (!) May incur additional AWS charges | Boolean | false |
| CloudWatch namespace | Enable Manager CloudWatch Logging | serverProperties.managerCloudWatchLoggingNamespace | CloudWatch namespace used for Manager CloudWatch Logging | String | HEIMDALL-mgmt |
| S3 Bucket Name | - | s3UploadConfiguration.bucketName | You can specify the S3 Bucket Name where the logs should be saved. This enables centralized and durable storage of manager logs in AWS S3. | String | upload.heimdalldata.com |
| Force Upload to S3 On Logs Rolling | - | s3UploadConfiguration.forceOnLogsRotationUpload | Forces an upload to S3 whenever logs roll. Enabling this option makes log rotation take significantly longer | Boolean | false |
| Log Events To Console | - | serverProperties.logToConsole | For debugging or container use, log ALL events to the stdout console of management server | Boolean | false |
| Max Log Age | - | serverProperties.maxLogAge | Sets the maximum age in days of log files and log records | Integer | 14 |
| Reserved Disk Space | - | serverProperties.reservedDiskSpace | Sets the amount of FREE space to maintain on the log filesystem | Double | 0.1 |
| Log Rotation Interval | - | serverProperties.logRotationInterval | Interval between log rotations (in minutes); requires a manager restart to take effect | Positive Integer | - |
Server Properties
| Key | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|
| Enable Portal Mode | serverProperties.enablePortalMode | Value that indicates whether central manager mode or portal mode is used after a successful login | Boolean | false |
| Disable Cert Validation | serverProperties.disableTLSCertValidation | Disable TLS certificate validation for software downloads | Boolean | false |
| Password Validation | serverProperties.passwordPolicy | Validate new users' passwords against the provided rules | Boolean | false |
| Redirect Config Fetches | serverProperties.redirectConfigEndpoints | Value that indicates if the server should redirect all HTTP config requests to the HTTPS Tomcat port | Boolean | false |
| Verbose Debug Mode | serverProperties.verboseDebugMode | Enable verbose debug mode to trace processing | Boolean | false |
| Minimum free disk space % | serverProperties.freeDiskSpacePercentage | Minimum percentage of free disk space required to update the configuration | Double | 1.0 |
| Max Config Backups | serverProperties.maxConfigBackups | Value that indicates how many server configuration backups to keep. Should be greater than 1 | Integer | 10 |
| DNS Port | serverProperties.dnsPort | Port on which the Heimdall manager listens for DNS queries used in proxy auto-scaling | Integer | - |
| Session Timeout | serverProperties.sessionTimeout | Controls HttpSession idle-timeout expiration. Must be between 5 minutes and 24 hours. Saved in minutes in the configuration file | Integer (5 - 1440) | 30 |
| Enable Billing Reporting | serverProperties.enableBillingReporting | Value that indicates if the billing reports should be sent to the HeimdallBilling service | Boolean | true |
| Proxy Host | serverProperties.proxyHost | Proxy host for code update checks and downloads | String | - |
| Proxy Port | serverProperties.proxyPort | Proxy port | Integer | 3128 |
| Proxy User | serverProperties.proxyUser | Proxy user for proxy authentication | String | - |
| Proxy Password | serverProperties.proxyPassword | Proxy password for proxy authentication | String | - |
Secrets Manager Configuration
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Enable | - | secretsManagerConfigs.enabled | Is the current secrets configuration enabled. | Boolean | true |
| Secrets Manager | - | secretsManagerConfigs.secretsManagerConfigstype | Secrets Manager to be used: AWS Secrets Manager, CyberArk Conjur, Hashicorp Vault | String | - |
| Secret (Secrets Manager) | Secrets Manager != AWS Secrets Manager | secretsManagerConfigs.useSecretForWholeConfig | Determines if the secret will be used for the whole configuration | Boolean | false |
| AWS Secret Name (Secrets Manager) | Secret (Secrets Manager) = true AND Secrets Manager != AWS Secrets Manager | secretsManagerConfigs.useSecretForWholeConfig | Name used to retrieve the whole config from the AWS Secrets Manager | String | - |
| Endpoint | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.endpoint | (optional) Alternate endpoint for Secrets Manager service. | String | - |
| Region | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.region | (optional) Override the region which should be used (ex. us-east-1). | String | - |
| Access Key | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.accessKey | (optional) Override the access key used to authorize requests to the Secrets Manager. | String | - |
| Secret Key | Secrets Manager = AWS Secrets Manager | secretsManagerConfigs.secretKey | (optional) Override the secret key used to authorize requests to the Secrets Manager | String | - |
| Appliance URL | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.applianceUrl | The URL of the Conjur instance you are connecting to. | String | - |
| Account | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.account | Conjur account that you are connecting to. | String | - |
| Authn Login | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnLogin | User/host identity. | String | - |
| Authn API Key | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnApiKey | User/host API key (or password). Write-only field! Can be edited, but it cannot be viewed. | String | - |
| Secret (Authn API Key) | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.useSecretForAuthnApiKey | Determines if the secret will be used | Boolean | false |
| AWS Secret Name (Authn API Key) | Secrets Manager = CyberArk Conjur AND Secret (Authn API Key) | secretsManagerConfigs.authnApiKeySecretName | Name used to retrieve the Auth API Key from the AWS Secrets Manager | String | - |
| Authn URL | Secrets Manager = CyberArk Conjur | secretsManagerConfigs.authnUrl | (optional) Alternate authentication endpoint. By default, the client uses the standard <applianceUrl>/authn for the generic username and API key login flow. | String | ( applianceUrl/authn ) |
| Vault URL | Secrets Manager = Hashicorp Vault | secretsManagerConfigs.url | The Vault server base URL. | String | - |
| Auth method | Secrets Manager = Hashicorp Vault | secretsManagerConfigs.authConfig.authMethod | Selects the authentication method Heimdall uses to connect to the Hashicorp Vault instance. Currently supported methods are Token, Username & Password and AppRole. | String (see desc.) | - |
| Auth mount path | Auth Method != Token | secretsManagerConfigs.authConfig.authPath | (Optional) Alternate mount path of the authentication method. The default depends on the Auth method. | String | userpass or approle |
| Token | Auth Method = Token | secretsManagerConfigs.authConfig.token | Token used for authentication to Vault server. | String | - |
| Secret (Token) | Auth Method = Token | secretsManagerConfigs.authConfig.useSecretForToken | Determines if secret will be used for token. | Boolean | false |
| AWS Secret Name (Token) | Secret (Token) | secretsManagerConfigs.authConfig.tokenSecretName | AWS secret name used to retrieve the | String | - |
| Username | Auth Method = Username & Password | secretsManagerConfigs.authConfig.username | Username used for authentication to Vault server. | String | - |
| Password | Auth Method = Username & Password AND Secret (Username) = false | secretsManagerConfigs.authConfig.password | Password used for authentication to Vault server. | String | - |
| Secret (Username and Password) | Auth Method = Username & Password | secretsManagerConfigs.authConfig.useSecretForCredentials | Determines if secret will be used for Username. | Boolean | false |
| AWS Secret Name (Username and Password) | Secret (Username) | secretsManagerConfigs.authConfig.credentialsSecretName | Name used to retrieve the credentials from the AWS Secrets Manager | String | - |
| Role ID | Auth Method = AppRole | secretsManagerConfigs.authConfig.roleId | The semi-secret identifier for the role that will authenticate to Vault. Think of this as the username portion of an authentication pair. | String | - |
| Secret ID | Auth Method = AppRole AND Secret (Username) = false | secretsManagerConfigs.authConfig.secretId | The secret identifier for the role that will authenticate to Vault. Think of this as the password portion of an authentication pair. | String | - |
| Secret (Role and Secret ID) | Auth Method = AppRole | secretsManagerConfigs.authConfig.useSecretForAppRole | Determines if secret will be used for Role ID. | Boolean | false |
| AWS Secret Name (Role and Secret ID) | Secret (Role ID) | secretsManagerConfigs.authConfig. | Name used to retrieve Role ID and Secret ID from the AWS Secrets Manager | String | - |
| ( name ) | - | secretsManagerConfigs.name | Name of the secret manager configuration. | String | - |
| ( type ) | - | secretsManagerConfigs.type | Type of the secrets manager used. Used only in the file; it has no corresponding field in the GUI. Values can be: HASHICORP_VAULT, CYBERARK_CONJUR, AWS | String (see desc.) | (Depends on secrets manager used) |
SMTP Configuration
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Sender User/Email | - | smtpConfiguration.senderAddress | The email address used as the sender | String | false |
| Sender Password | Secret (SMTP) = false | smtpConfiguration.senderPassword | Authentication credentials for the sender email | String | false |
| Secret (Sender Password) | - | smtpConfiguration.useSecrets | Determines if secret will be used for SMTP's sender password. | Boolean | false |
| Secrets Manager (Sender Password) | Secret (SMTP) = true | smtpConfiguration.secretsManagerConfigName | Specify the Secrets Manager Configuration that will be used for this secret. List values are secrets managers configured in heimdall. | String | - |
| Secret Name (Sender Password) | Secret (SMTP) = true | smtpConfiguration.secretName | Specify a Secret name | String | - |
| Host | - | smtpConfiguration.smtpHost | Hostname of the SMTP server | String | smtp.gmail.com |
| Port | - | smtpConfiguration.smtpPort | Port used to connect to the SMTP server | Integer | 587 |
| Smtp Auth | - | smtpConfiguration.smtpAuth | Indicates if SMTP authentication will be used | Boolean | true |
| START_TLS Enabled | - | smtpConfiguration.startTLSEnabled | Requests the SMTP server to upgrade the connection to TLS encryption | Boolean | true |
| SMTP Properties | - | smtpConfiguration.properties | Allows specifying additional SMTP configuration options. Case sensitive. Available properties can be found here: https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html | List | - |
AWS endpoints
| Key | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|
| CloudWatch Endpoint | awsEndpoints.cloudWatchEndpoint | Alternate endpoint for CloudWatch | String | - |
| CloudWatch Logs Endpoint | awsEndpoints.cloudWatchLogsEndpoint | Alternate endpoint for CloudWatch Logs | String | - |
| ElasticCache Endpoint | awsEndpoints.elasticCacheEndpoint | Alternate endpoint for ElasticCache | String | - |
| RDS Endpoint | awsEndpoints.rdsEndpoint | Alternate endpoint for RDS | String | - |
| SNS Endpoint | awsEndpoints.snsEndpoint | Alternate endpoint for SNS | String | - |
| CloudTrail Endpoint | awsEndpoints.cloudTrailEndpoint | Alternate endpoint for CloudTrail | String | - |
| Identity Store Endpoint | awsEndpoints.identityStoreEndpoint | Alternate endpoint for Identity Store | String | - |