Databases and secure connections

This guide explains how to protect personal data transmitted over the internet and imported into Bloomreach by setting up an SSL/TLS connection, an SSH tunnel, or both.

Note

Keeping customer data secure is our priority. You must set up either an SSH tunnel or encrypted SSL/TLS communication — or both.

Prerequisites

Before you begin, open the correct port on your firewall:

  • Port 443 for an SSL/TLS connection.
  • Port 22 for an SSH connection. You can also use other ports for SSH tunnels.

Supported databases and connection types

Bloomreach supports secure connections for the following databases:

Database            SSL/TLS         SSH tunnel   Static IPs
Azure SQL, MS SQL   Not supported   Supported    Not supported
MySQL               Supported       Supported    Supported
PostgreSQL          Supported       Supported    Supported
Amazon Redshift     Supported       Supported    Supported

Create a database integration

Every database integration uses the same configuration form. Fill in the following fields:

  • Hostname: The public IP or hostname of your database (for example, 28.783.11.22 or db.exponea.com).
  • Port: The TCP destination port for your database (for example, 1433).
  • Username: The name of the user with access to your local database (for example, exponea). For MS Azure SQL, use the format username@hostname (for example, [email protected]).
  • Password: The password for the user with access to your local database.
  • Database name: The name of the database you want to access.

[Figure: The database integration configuration form, with hostname, port, username, password, and database name fields.]

Configure secure connections

Bloomreach offers two options for securing communication between your server and the application: SSL/TLS encryption and SSH tunnels. You can enable one or both at the same time.

Enable SSL/TLS encryption

  1. Click Enable to turn on the SSL/TLS connection.
  2. Import your SSL/TLS certification authority certificate (load the SSL/TLS CA file).
  3. Import your SSL/TLS certificate (load the SSL/TLS Cert file).
  4. Import the private key of your server (load the SSL/TLS Key file).

[Figure: The SSL/TLS configuration panel, showing options to import the CA certificate, client certificate, and private key.]

For an example of how to enable SSL/TLS with MySQL, see How to configure SSL/TLS for MySQL on Ubuntu 16.04.

Set up an SSH tunnel

SSH tunnels have their own configuration window. Access it via Project settings > SSH tunnels. Only users with Dev tools permissions can configure SSH tunnels. For details on roles and permissions, see Access management.

[Figure: The SSH tunnel configuration window in Project settings, showing hostname, username, host key, and authentication fields.]

Fill in the following fields:

  • Hostname: The hostname of your SSH server and its port, separated by a colon.
  • Username: The username for identifying the SSH user.
  • Host key: The fingerprint of your server's public key, used to verify the server's identity. You can find this in the known_hosts file on any device that has successfully connected to your server via SSH. For more details, see WinSCP's guide to host keys.

Important

Host keys verify that you're connecting to the correct remote server. Without them, your connection is vulnerable to attacks such as DNS spoofing.

Find host key

If this is your first time connecting to your SSH server, start by establishing an initial connection:

  1. Connect to the SSH server:
   ssh user_name@server_ip_address

Replace user_name with your username and server_ip_address with your server's IP address. Once connected, type exit to close the session.

Alternatively, if SSH doesn't work due to unsupported key encryption formats, connect using an FTP client such as FileZilla or Cyberduck. Try multiple clients if needed.

  2. On your local machine, navigate to the .ssh directory:
   cd ~/.ssh

Open the known_hosts file. Each line follows this format:

   server_ip_address server_host_key

Copy the host key that matches your server's IP address and paste it into the Host key field.

Alternatively, if the host key isn't in known_hosts, navigate to the .putty directory:

   cd ~/.putty

Open the sshhostkeys file and find the host key in the same format. Copy and paste it into the Host key field.

If the host key still doesn't work, contact your hosting admin or support team. Note that OpenSSH manages SSH connections — the OpenSSH version on your local machine must support the encryption protocol used by the server, otherwise OpenSSH KeyGen won't display the host key in the correct format.
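
The known_hosts lookup described above, as an added Python example that is not part of the original guide. It goes beyond the plain format shown: it also matches hashed host names (fields starting with |1|, written when OpenSSH's HashKnownHosts option is on) and non-default ports, and computes each key's SHA256 fingerprint so you can compare it with the value your server administrator reports before pasting anything into the Host key field. All host names, addresses and keys in it are constructed samples.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed) names `host`."""
    if field.startswith("|1|"):  # HashKnownHosts entry: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")  # exact names only; wildcards are not expanded

def fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_host_keys(known_hosts_text, host):
    """Return (key_type, key_b64, fingerprint) for every entry naming `host`.
    For a non-default SSH port, pass the name as "[host]:port"."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        hosts, key_type, key_b64 = fields[:3]
        if host_matches(hosts, host):
            found.append((key_type, key_b64, fingerprint(key_b64)))
    return found

def sample_key(seed):
    """Constructed ssh-ed25519 blob (32 derived bytes), not a real server key."""
    raw = hashlib.sha256(seed).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw).decode()

# Constructed known_hosts content: plain entry, hashed entry, non-default port.
KEY_A, KEY_B = sample_key(b"a"), sample_key(b"b")
SALT = b"constructed-salt-001"
HASHED = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"db-gw.example.com", hashlib.sha1).digest()).decode())
SAMPLE = "\n".join([
    "# constructed sample",
    "198.51.100.7,bastion.example.com ssh-ed25519 " + KEY_A,
    HASHED + " ssh-ed25519 " + KEY_B,
    "[198.51.100.7]:2222 ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":
    for name in ("198.51.100.7", "db-gw.example.com", "[198.51.100.7]:2222"):
        for key_type, key_b64, fp in find_host_keys(SAMPLE, name):
            print(name, key_type, fp)
```

An empty result for your server's name or address means the entry is missing or stored under a different name or port, not that the server is untrusted.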

For Authentication, choose one of the following:

  • SSH key: Generate a new key pair and import the public key to your SSH server.
  • Password: Enter the password for your SSH server.

Assign SSH to a database integration

All supported integrations include the option to enable SSH. When you enable SSH integration, select an active SSH tunnel to assign to that database.

[Figure: Assigning an active SSH tunnel to a database integration. The database integration panel has SSH integration enabled and an active SSH tunnel selected.]

