This page provides a guide to Establishing a Connection to PostgreSQL in CData Cloud, as well as information on the available resources, and a reference to the available connection properties.

Connecting to PostgreSQL

Establishing a Connection shows how to authenticate to PostgreSQL and configure any necessary connection properties to create a database in CData Cloud

Accessing Data from CData Cloud Services

Accessing data from PostgreSQL through the available standard services and CData Cloud administration is documented in further details in the CData Cloud Documentation.

Connect to PostgreSQL by selecting the corresponding icon in the Database tab. Required properties are listed under Settings. The Advanced tab lists connection properties that are not typically required.

Connecting to PostgreSQL

The following connection properties are usually required to connect to PostgreSQL.

• Server: The host name or IP of the server hosting the PostgreSQL database.
• User: The user which will be used to authenticate with the PostgreSQL server.

You can also optionally set the following:

• Database: The database to connect to when connecting to the PostgreSQL Server. If this is not set, the user's default database will be used.
• Port: The port of the server hosting the PostgreSQL database. 5432 by default.

Standard

Unless you select another scheme, Password is the default authentication mechanism the Cloud uses to connect to PostgreSQL Server.

To use standard authentication, set the AuthScheme to Password to connect to PostgreSQL with login credentials.

Then, to authenticate, set the Password associated with the authenticating user.

pg_hba.conf Auth Schemes

There are subtypes of the Password authentication scheme supported by the Cloud which must be enabled in the pg_hba.conf file on the PostgreSQL server.

See the PostgreSQL documentation for more information about authentication setup on the PostgreSQL Server.

MD5

The Cloud can authenticate by verifying the password with MD5. This authentication method must be enabled by setting the auth-method in the pg_hba.conf file to md5.

SASL

The Cloud can authenticate by verifying the password with SASL (particularly, SCRAM-SHA-256). This authentication method must be enabled by setting the auth-method in the pg_hba.conf file to scram-sha-256.

Azure

Methods available for connecting to PostgreSQL with Microsoft Azure include:

• Azure Active Directory OAuth
• Azure Active Directory Password
• Azure Active Directory MSI

Azure AD

Azure AD is Microsoft’s multi-tenant, cloud-based directory and identity management service. It is user-based authentication that requires that you set AuthScheme to AzureAD.

Note: Azure PostgreSQL Flexible servers are not supported. Only Azure PostgreSQL Single Server instances are supported.

Ensure that an Active Directory admin has been set in the Azure PostgreSQL instance (Active Directory admin -> Set admin).

Next, set the following to connect:

• User: Set this to the Azure Active Directory user you granted access to the Azure PostgreSQL server.
• AzureTenant: Set this to the Directory (tenant) ID, found on the Overview page of the OAuth app used to authenticate to PostgreSQL on Azure.
• Server: Set this to the Server name of the Azure PostgreSQL server, found on the Overview page of the Azure PostgreSQL instance.
• Database: Set this to the database you'd like to connect to on the Azure PostgreSQL instance.
• Port: The port of the server hosting the PostgreSQL database. 5432 by default.
• OAuthClientId: Set this to the Application (client) ID, found on the Overview page of the OAuth app used to authenticate to PostgreSQL on Azure.
• OAuthClientSecret: Set this to the Value of the client secret, generated at the Certificates and secrets page of the authenticating OAuth app.
• CallbackURL: Set this to the Redirect URI you specified during the creation of your OAuth app.

EC2 Instances

Set AuthScheme to AwsEC2Roles.

If you are using the Cloud from an EC2 Instance and have an IAM Role assigned to the instance, you can use the IAM Role to authenticate. Since the Cloud automatically obtains your IAM Role credentials and authenticates with them, it is not necessary to specify AWSAccessKey and AWSSecretKey.

If you are also using an IAM role to authenticate, you must additionally specify the following:

• AWSRoleARN: Specify the Role ARN for the role you'd like to authenticate with. This will cause the Cloud to attempt to retrieve credentials for the specified role.
• AWSExternalId (optional): Only required if you are assuming a role in another AWS account.

IMDSv2 Support

The PostgreSQL Cloud now supports IMDSv2. Unlike IMDSv1, the new version requires an authentication token. Endpoints and response are the same in both versions.

In IMDSv2, the PostgreSQL Cloud first attempts to retrieve the IMDSv2 metadata token and then uses it to call AWS metadata endpoints. If it is unable to retrieve the token, the Cloud reverts to IMDSv1.

Azure Password

Set AuthScheme to AzurePassword.

To connect using your Azure credentials directly, specify the following connection properties:

• AuthScheme: Set this to AzurePassword.
• User: Set this to your user account you use to connect to Azure.
• Password: Set this to the password you use to connect to Azure.
• AzureTenant: Set this to the Directory (tenant) ID, found on the Overview page of the OAuth app used to authenticate to PostgreSQL on Azure.
• Server: Set this to the Server name of the Azure PostgreSQL server, found on the Overview page of the Azure PostgreSQL instance.
• Database: Set this to the database you'd like to connect to on the Azure PostgreSQL instance.
• Port: The port of the server hosting the PostgreSQL database. 5432 by default.

GCP Service Account

To authenticate to your PostgreSQL Google SQL Cloud Instance using a service account, you must create a new service account and have a copy of the accounts certificate. If you do not already have a service account, you can create one by following the procedure in Creating a Custom OAuth Application. For a JSON file, set these properties:

• AuthScheme: Set this to GCPServiceAccount.
• InitiateOAuth: Set this to GETANDREFRESH.
• OAuthJWTCertType: Set this to GOOGLEJSON.
• OAuthJWTCert: Set this to the path to the .json file provided by Google.
• OAuthJWTSubject: (optional) Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

For a PFX file, set these properties instead:

• AuthScheme: Set this to GCPServiceAccount.
• InitiateOAuth: Set this to GETANDREFRESH.
• OAuthJWTCertType: Set this to PFXFILE.
• OAuthJWTCert: Set this to the path to the .pfx file provided by Google.
• OAuthJWTCertPassword: (optional) Set this to the .pfx file password. In most cases you must provide this since Google encrypts PFX certificates.
• OAuthJWTCertSubject: (optional) Set this only if you are using a OAuthJWTCertType which stores multiple certificates. Should not be set for PFX certificates generated by Google.
• OAuthJWTIssuer: Set this to the email address of the service account. This address will usually include the domain iam.gserviceaccount.com.
• OAuthJWTSubject: (optional) Only set this value if the service account is part of a GSuite domain and you want to enable delegation. The value of this property should be the email address of the user whose data you want to access.

Managed Service Identity (MSI)

If you are running PostgreSQL on an Azure VM and want to leverage MSI to connect, set AuthScheme to AzureMSI.

User-Managed Identities

To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's "client_id".

When your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.

Amazon Web Services

Obtain AWS Keys

To obtain the credentials for an IAM user:

1. Sign into the IAM console.
2. In the navigation pane, select Users.
3. To create or manage the access keys for a user, select the user and then go to the Security Credentials tab.

To obtain the credentials for your AWS root account:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number.
3. In the menu that displays, select My Security Credentials.
4. To manage or create root account access keys, click Continue to Security Credentials and expand the "Access Keys" section.

AWS IAM Roles

Set AuthScheme to AwsIAMRoles.

In many situations, it may be preferable to use an IAM role for authentication instead of the direct security credentials of an AWS root user. If you are specifying the AWSAccessKey and AWSSecretKey of an AWS root user, you may not use roles.

To authenticate as an AWS role, set these properties:

• AuthScheme: Set this to AwsIAMRoles.
• User: Set this to the AWS-hosted PostgreSQL user that you granted the aws_iam role to. This user should map to an AWS user that has a role containing a policy which includes the rds-db:connect permission.
• AWSRoleARN: Specify the Role ARN for the role attached to the authenticating IAM user. This will cause the Cloud to attempt to retrieve credentials for the specified role.
• AWSAccessKey: The access key of the authenticating IAM user.
• AWSSecretKey: The secret key of the authenticating IAM user.

Kerberos

The authentication with Kerberos is initiated by PostgreSQL Server when the CData Cloud is trying to connect to it. You should setup Kerberos on the PostgreSQL Server to activate this authentication method. Once you have Kerberos authentication setup on the PostgreSQL Server, see Using Kerberos for details on how to authenticate with Kerberos by the Cloud.

Kerberos

Authenticating to PostgreSQL via Kerberos requires you to define authentication properties and to choose how Kerberos should retrieve authentication tickets.

Retrieve Kerberos Tickets

Kerberos tickets are used to authenticate the requester's identity. The use of tickets instead of formal logins/passwords eliminates the need to store passwords locally or send them over a network. Users are reauthenticated (tickets are refreshed) whenever they log in at their local computer or enter kinit USER at the command prompt.

The Cloud provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.

MIT Kerberos Credential Cache File

This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.

This option requires that KRB5CCNAME has been created in your system.

To enable ticket retrieval via MIT Cerberos Credential Cache Files:

1. Ensure that the KRB5CCNAME variable is present in your environment.
2. Set KRB5CCNAME to a path that points to your credential cache file. (For example, C:\krb_cache\krb5cc_0 or /tmp/krb5cc_0.) The credential cache file is created when you use the MIT Kerberos Ticket Manager to generate your ticket.
3. To obtain a ticket:
   1. Open the MIT Kerberos Ticket Manager application.
   2. Click Get Ticket.
   3. Enter your principal name and password.
   4. Click OK.

   If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.

The Cloud uses the cache file to obtain the Kerberos ticket to connect to PostgreSQL.

Note: If you would prefer not to edit KRB5CCNAME, you can use the KerberosTicketCache property to set the file path manually. After this is set, the Cloud uses the specified cache file to obtain the Kerberos ticket to connect to PostgreSQL.

Keytab File

If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.

To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.

User and Password

If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.

To use this method, set the User and Password properties to the user/password combination that you use to authenticate with PostgreSQL.

Enabling Cross-Realm Authentication

More complex Kerberos environments can require cross-realm authentication where multiple realms and KDC servers are used. For example, they might use one realm/KDC for user authentication, and another realm/KDC for obtaining the service ticket.

To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.

Customizing the SSL Configuration

By default, the Cloud attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store.

To specify another certificate, see the SSLServerCert property for the available formats to do so.

Client SSL Certificates

The PostgreSQL Cloud also supports setting client certificates. Set the following to connect using a client certificate.

• SSLClientCert: The name of the certificate store for the client certificate.
• SSLClientCertType: The type of key store containing the TLS/SSL client certificate.
• SSLClientCertPassword: The password for the TLS/SSL client certificate.
• SSLClientCertSubject: The subject of the TLS/SSL client certificate.

Connecting Through a Firewall or Proxy

Set the following properties:

• To use a proxy-based firewall, set FirewallType, FirewallServer, and FirewallPort.
• To tunnel the connection, set FirewallType to TUNNEL.
• To authenticate, specify FirewallUser and FirewallPassword.
• To authenticate to a SOCKS proxy, additionally set FirewallType to SOCKS5.

In addition to modeling data directly from PostgreSQL, the CData Cloud also includes a few built in stored procedures designed for assisting with OAuth connections against Azure hosted SQL Server. The stored procedures are listed here.

Data Type Mappings

The Cloud maps types from the data source to the corresponding data type available in the schema. The table below documents these mappings.

PostgreSQL	CData Schema
abstime	string
aclitem	string
bigint	long
bigserial	long
bit varying	string
bit	string
boolean	bool
box	string
bytea	binary
char	string
character varying	string
character	string
cid	string
cidr	string
circle	string
date	date
daterange	string
double precision	float
gtsvector	string
inet	string
int2vector	string
int4range	string
int8range	string
integer	int
json	string
jsonb	binary
line	string
lseg	string
macaddr8	string
macaddr	string
money	decimal
name	string
numeric	decimal
numrange	string
oid	string
oidvector	string
path	string
pg_dependencies	string
pg_lsn	string
pg_ndistinct	string
pg_node_tree	string
point	string
polygon	string
real	float
refcursor	string
regclass	string
regconfig	string
regdictionary	string
regnamespace	string
regoper	string
regoperator	string
regproc	string
regprocedure	string
regrole	string
regtype	string
reltime	string
serial	int
smallint	int
smallserial	int
smgr	string
text	string
tid	string
time with time zone	string
time without time zone	time
timestamp with time zone	datetime
timestamp without time zone	datetime
tinterval	string
tsquery	string
tsrange	string
tstzrange	string
tsvector	string
txid_snapshot	string
uuid	uuid
xid	string
xml	string

Stored procedures are function-like interfaces that extend the functionality of the Cloud beyond simple SELECT/INSERT/UPDATE/DELETE operations with PostgreSQL.

Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from PostgreSQL, along with an indication of whether the procedure succeeded or failed.

CData Cloud - PostgreSQL Stored Procedures

Name	Description
GetAdminConsentURL	Gets the admin consent URL that must be opened separately by an admin of a given domain to grant access to your application. Only needed when using custom OAuth credentials.

Gets the admin consent URL that must be opened separately by an admin of a given domain to grant access to your application. Only needed when using custom OAuth credentials.

Input

Name	Type	Description
CallbackUrl	String	The URL the user will be redirected to after authorizing your application. This value must match the Reply URL in the Azure AD app settings.
State	String	The same value for state that you sent when you requested the authorization code.

Result Set Columns

Name	Type	Description
URL	String	The authorization URL, entered into a Web browser to obtain the verifier token and authorize your app.

The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.

For more information on establishing a connection, see Establishing a Connection.

Authentication

---

Property	Description
AuthScheme	The scheme used for authentication. Accepted entries are Password, AzureAD, AzurePassword, AzureMSI, AwsIAMRoles, AwsEC2Roles, GCPServiceAccount.
Server	The host name or IP address of the server.
Database	The name of the PostgreSQL database.
User	The PostgreSQL user account used to authenticate.
Password	The password used to authenticate the user.
Port	The port number of the PostgreSQL server.
UseSSL	This field sets whether SSL is enabled.
Visibility	Visibility restrictions used to filter exposed metadata for tables with privileges granted to them for the current user.

AWS Authentication

---

Property	Description
AWSAccessKey	Your AWS account access key. This value is accessible from your AWS security credentials page.
AWSSecretKey	Your AWS account secret key. This value is accessible from your AWS security credentials page.
AWSRoleARN	The Amazon Resource Name of the role to use when authenticating.
AWSExternalId	A unique identifier that might be required when you assume a role in another account.

Azure Authentication

---

Property	Description
AzureTenant	The Microsoft Online tenant being used to access data. If not specified, your default tenant is used.

OAuth

---

Property	Description
OAuthGrantType	The grant type for the OAuth flow.

JWT OAuth

---

Property	Description
OAuthJWTCert	The JWT Certificate store.
OAuthJWTCertType	The type of key store containing the JWT Certificate.
OAuthJWTCertPassword	The password for the OAuth JWT certificate.
OAuthJWTCertSubject	The subject of the OAuth JWT certificate.

SSL

---

Property	Description
SSLServerCert	The certificate to be accepted from the server when connecting using TLS/SSL.

SSH

---

Property	Description
SSHAuthMode	The authentication method used when establishing an SSH Tunnel to the service.
SSHClientCert	A certificate to be used for authenticating the SSHUser.
SSHClientCertPassword	The password of the SSHClientCert key if it has one.
SSHClientCertSubject	The subject of the SSH client certificate.
SSHClientCertType	The type of SSHClientCert private key.
SSHServer	The SSH server.
SSHPort	The SSH port.
SSHUser	The SSH user.
SSHPassword	The SSH password.
SSHServerFingerprint	The SSH server fingerprint.
UseSSH	Whether to tunnel the PostgreSQL connection over SSH. Use SSH.

Logging

---

Property	Description
Verbosity	The verbosity level that determines the amount of detail included in the log file.

Schema

---

Property	Description
BrowsableSchemas	This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.
IgnoredSchemas	Visibility restriction filter which is used to hide schemas from the list of schemas obtained by querying metadata. For example, 'information_schema, pg_catalog'. Schema names are case sensitive.

Miscellaneous

---

Property	Description
AllowPreparedStatement	Prepare a query statement before its execution.
BrowsePartitions	By default the provider exposes the super table and its partitions by metadata. You may hide sub partitions by setting this property to false.
FetchResultSetMetadata	This field sets whether the provider retrieves metadata pertaining to the schema and table name for resultset columns returned by the server.
MaxRows	Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses.
Timeout	The value in seconds until the timeout error is thrown, canceling the operation.
TimeZone	Sets the time zone the server will use to return datetime/timestamp columns.

This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AuthScheme	The scheme used for authentication. Accepted entries are Password, AzureAD, AzurePassword, AzureMSI, AwsIAMRoles, AwsEC2Roles, GCPServiceAccount.
Server	The host name or IP address of the server.
Database	The name of the PostgreSQL database.
User	The PostgreSQL user account used to authenticate.
Password	The password used to authenticate the user.
Port	The port number of the PostgreSQL server.
UseSSL	This field sets whether SSL is enabled.
Visibility	Visibility restrictions used to filter exposed metadata for tables with privileges granted to them for the current user.

The scheme used for authentication. Accepted entries are Password, AzureAD, AzurePassword, AzureMSI, AwsIAMRoles, AwsEC2Roles, GCPServiceAccount.

Possible Values

, Password, AzureAD, AzurePassword, AwsIAMRoles

Data Type

string

Default Value

""

Remarks

Together with Password and User, this field is used to authenticate against the server. Password is the default option. Use the following options to select your authentication scheme:

• Password: Set this to use your PostgreSQL Server Password.
• AzureAD: Set this to use Azure Active Directory OAuth authentication.
• AzurePassword: Set this to use Azure Active Directory Password authentication.
• AzureMSI: Set this to use Azure Active Directory MSI (Managed Service Identity) authentication.
• AwsIAMRoles: Set this to use Amazon Web Services IAM Roles to connect PostgreSQL Server in Amazon RDS instance.
• AwsEC2Roles: Set this to automatically use IAM Roles assigned to the EC2 machine the CData Cloud is currently running on.
• GCPServiceAccount: Set this to use Google Service Account to authenticate to your PostgreSQL Google SQL Cloud instance.

The host name or IP address of the server.

Data Type

string

Default Value

""

Remarks

The host name or IP of the server hosting the PostgreSQL Database. If not set, the default value "localhost" is used.

The name of the PostgreSQL database.

Data Type

string

Default Value

""

Remarks

The database to connect to when connecting to the PostgreSQL Server. If a database is not provided, the user's default database will be used.

The PostgreSQL user account used to authenticate.

Data Type

string

Default Value

""

Remarks

Together with Password, this field is used to authenticate against the PostgreSQL server.

The password used to authenticate the user.

Data Type

string

Default Value

""

Remarks

The User and Password are together used to authenticate with the server.

The port number of the PostgreSQL server.

Data Type

string

Default Value

"5432"

Remarks

The port number of the Server hosting the PostgreSQL Database. If not specified, the default port number (5432) is used.

This field sets whether SSL is enabled.

Data Type

bool

Default Value

false

Remarks

This field sets whether the Cloud will attempt to negotiate TLS/SSL connections to the server. By default, the Cloud checks the server's certificate against the system's trusted certificate store. To specify another certificate, set SSLServerCert.

Visibility restrictions used to filter exposed metadata for tables with privileges granted to them for the current user.

Data Type

string

Default Value

""

Remarks

By default, visibility filtering is not applied. Filtering values are case insensitive.

This section provides a complete list of the AWS Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AWSAccessKey	Your AWS account access key. This value is accessible from your AWS security credentials page.
AWSSecretKey	Your AWS account secret key. This value is accessible from your AWS security credentials page.
AWSRoleARN	The Amazon Resource Name of the role to use when authenticating.
AWSExternalId	A unique identifier that might be required when you assume a role in another account.

Your AWS account access key. This value is accessible from your AWS security credentials page.

Data Type

string

Default Value

""

Remarks

Your AWS account access key. This value is accessible from your AWS security credentials page:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number and select My Security Credentials in the menu that is displayed.
3. Click Continue to Security Credentials and expand the Access Keys section to manage or create root account access keys.

Your AWS account secret key. This value is accessible from your AWS security credentials page.

Data Type

string

Default Value

""

Remarks

Your AWS account secret key. This value is accessible from your AWS security credentials page:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number and select My Security Credentials in the menu that is displayed.
3. Click Continue to Security Credentials and expand the Access Keys section to manage or create root account access keys.

The Amazon Resource Name of the role to use when authenticating.

Data Type

string

Default Value

""

Remarks

When authenticating outside of AWS, it is common to use a Role for authentication instead of your direct AWS account credentials. Entering the AWSRoleARN will cause the CData Cloud to perform a role based authentication instead of using the AWSAccessKey and AWSSecretKey directly. The AWSAccessKey and AWSSecretKey must still be specified to perform this authentication. You cannot use the credentials of an AWS root user when setting RoleARN. The AWSAccessKey and AWSSecretKey must be those of an IAM user.

A unique identifier that might be required when you assume a role in another account.

Data Type

string

Default Value

""

Remarks

A unique identifier that might be required when you assume a role in another account.

This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AzureTenant	The Microsoft Online tenant being used to access data. If not specified, your default tenant is used.

The Microsoft Online tenant being used to access data. If not specified, your default tenant is used.

Data Type

string

Default Value

""

Remarks

The Microsoft Online tenant being used to access data. For instance, contoso.onmicrosoft.com. Alternatively, specify the tenant Id. This value is the directory Id in the Azure Portal > Azure Active Directory > Properties.

Typically it is not necessary to specify the Tenant. This can be automatically determined by Microsoft when using the OAuthGrantType set to CODE (default). However, it may fail in the case that the user belongs to multiple tenants. For instance, if an Admin of domain A invites a user of domain B to be a guest user. The user will now belong to both tenants. It is a good practice to specify the Tenant, although in general things should normally work without having to specify it.

The AzureTenant is required when setting OAuthGrantType to CLIENT. When using client credentials, there is no user context. The credentials are taken from the context of the app itself. While Microsoft still allows client credentials to be obtained without specifying which Tenant, it has a much lower probability of picking the specific tenant you want to work with. For this reason, we require AzureTenant to be explicitly stated for all client credentials connections to ensure you get credentials that are applicable for the domain you intend to connect to.

This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.

---

Property	Description
OAuthGrantType	The grant type for the OAuth flow.

The grant type for the OAuth flow.

Possible Values

CODE, CLIENT

Data Type

string

Default Value

"CODE"

Remarks

The following options are available: CODE,CLIENT

This section provides a complete list of the JWT OAuth properties you can configure in the connection string for this provider.

---

Property	Description
OAuthJWTCert	The JWT Certificate store.
OAuthJWTCertType	The type of key store containing the JWT Certificate.
OAuthJWTCertPassword	The password for the OAuth JWT certificate.
OAuthJWTCertSubject	The subject of the OAuth JWT certificate.

The JWT Certificate store.

Data Type

string

Default Value

""

Remarks

The name of the certificate store for the client certificate.

The OAuthJWTCertType field specifies the type of the certificate store specified by OAuthJWTCert. If the store is password protected, specify the password in OAuthJWTCertPassword.

OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates. If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, a search for a certificate is initiated. Please refer to the OAuthJWTCertSubject field for details.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

MY	A certificate store holding personal certificates with their associated private keys.
CA	Certifying authority certificates.
ROOT	Root certificates.
SPC	Software publisher certificates.

In Java, the certificate store normally is a file containing certificates and optional private keys.

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

The type of key store containing the JWT Certificate.

Data Type

string

Default Value

"PEMKEY_BLOB"

Remarks

This property can take one of the following values:

USER	For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note: This store type is not available in Java.
MACHINE	For Windows, this specifies that the certificate store is a machine store. Note: this store type is not available in Java.
PFXFILE	The certificate store is the name of a PFX (PKCS12) file containing certificates.
PFXBLOB	The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format.
JKSFILE	The certificate store is the name of a Java key store (JKS) file containing certificates. Note: this store type is only available in Java.
JKSBLOB	The certificate store is a string (base-64-encoded) representing a certificate store in Java key store (JKS) format. Note: this store type is only available in Java.
PEMKEY_FILE	The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
PEMKEY_BLOB	The certificate store is a string (base64-encoded) that contains a private key and an optional certificate.
PUBLIC_KEY_FILE	The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
PUBLIC_KEY_BLOB	The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate.
SSHPUBLIC_KEY_FILE	The certificate store is the name of a file that contains an SSH-style public key.
SSHPUBLIC_KEY_BLOB	The certificate store is a string (base-64-encoded) that contains an SSH-style public key.
P7BFILE	The certificate store is the name of a PKCS7 file containing certificates.
PPKFILE	The certificate store is the name of a file that contains a PPK (PuTTY Private Key).
XMLFILE	The certificate store is the name of a file that contains a certificate in XML format.
XMLBLOB	The certificate store is a string that contains a certificate in XML format.
GOOGLEJSON	The certificate store is the name of a JSON file containing the service account information. Only valid when connecting to a Google service.
GOOGLEJSONBLOB	The certificate store is a string that contains the service account JSON. Only valid when connecting to a Google service.

The password for the OAuth JWT certificate.

Data Type

string

Default Value

""

Remarks

If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.

This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys are not encrypted.

The subject of the OAuth JWT certificate.

Data Type

string

Default Value

"*"

Remarks

When loading a certificate the subject is used to locate the certificate in the store.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks the first certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, [email protected]". Common fields and their meanings are displayed below.

Field	Meaning
CN	Common Name. This is commonly a host name like www.server.com.
O	Organization
OU	Organizational Unit
L	Locality
S	State
C	Country
E	Email Address

If a field value contains a comma it must be quoted.

This section provides a complete list of the SSL properties you can configure in the connection string for this provider.

---

Property	Description
SSLServerCert	The certificate to be accepted from the server when connecting using TLS/SSL.

The certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

Description	Example
A full PEM Certificate (example shortened for brevity)	-----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE-----
A path to a local file containing the certificate	C:\cert.cer
The public key (example shortened for brevity)	-----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY-----
The MD5 Thumbprint (hex values can also be either space or colon separated)	ecadbdda5a1529c58a1e9e09828d70e4
The SHA1 Thumbprint (hex values can also be either space or colon separated)	34a929226ae0819f2ec14b4a3d904f801cbb150d

If not specified, any certificate trusted by the machine is accepted.

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

This section provides a complete list of the SSH properties you can configure in the connection string for this provider.

---

Property	Description
SSHAuthMode	The authentication method used when establishing an SSH Tunnel to the service.
SSHClientCert	A certificate to be used for authenticating the SSHUser.
SSHClientCertPassword	The password of the SSHClientCert key if it has one.
SSHClientCertSubject	The subject of the SSH client certificate.
SSHClientCertType	The type of SSHClientCert private key.
SSHServer	The SSH server.
SSHPort	The SSH port.
SSHUser	The SSH user.
SSHPassword	The SSH password.
SSHServerFingerprint	The SSH server fingerprint.
UseSSH	Whether to tunnel the PostgreSQL connection over SSH. Use SSH.

The authentication method used when establishing an SSH Tunnel to the service.

Possible Values

None, Password, Public_Key

Data Type

string

Default Value

"Password"

Remarks

• None: No authentication is performed. The current User value is ignored, and the connection is logged in as anonymous.
• Password: The Cloud uses the values of User and Password to authenticate the user.
• Public_Key: The Cloud uses the values of User and SSHClientCert to authenticate the user. SSHClientCert must have a private key available for this authentication method to succeed.

A certificate to be used for authenticating the SSHUser.

Data Type

string

Default Value

""

Remarks

SSHClientCert must contain a valid private key in order to use public key authentication. A public key is optional, if one is not included then the Cloud generates it from the private key. The Cloud sends the public key to the server and the connection is allowed if the user has authorized the public key.

The SSHClientCertType field specifies the type of the key store specified by SSHClientCert. If the store is password protected, specify the password in SSHClientCertPassword.

Some types of key stores are containers which may include multiple keys. By default the Cloud will select the first key in the store, but you can specify a specific key using SSHClientCertSubject.

The password of the SSHClientCert key if it has one.

Data Type

string

Default Value

""

Remarks

This property is only used when authenticating to SFTP servers with SSHAuthMode set to PublicKey and SSHClientCert set to a private key.

The subject of the SSH client certificate.

Data Type

string

Default Value

"*"

Remarks

When loading a certificate the subject is used to locate the certificate in the store.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks the first certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, [email protected]". Common fields and their meanings are displayed below.

Field	Meaning
CN	Common Name. This is commonly a host name like www.server.com.
O	Organization
OU	Organizational Unit
L	Locality
S	State
C	Country
E	Email Address

If a field value contains a comma it must be quoted.

The type of SSHClientCert private key.

Possible Values

USER, MACHINE, PFXFILE, PFXBLOB, JKSFILE, JKSBLOB, PEMKEY_FILE, PEMKEY_BLOB, PPKFILE, PPKBLOB, XMLFILE, XMLBLOB

Data Type

string

Default Value

"PEMKEY_FILE"

Remarks

This property can take one of the following values:

Types	Description	Allowed Blob Values
MACHINE/USER		Blob values are not supported.
JKSFILE/JKSBLOB		base64-only
PFXFILE/PFXBLOB	A PKCS12-format (.pfx) file. Must contain both a certificate and a private key.	base64-only
PEMKEY_FILE/PEMKEY_BLOB	A PEM-format file. Must contain an RSA, DSA, or OPENSSH private key. Can optionally contain a certificate matching the private key.	base64 or plain text. Newlines may be replaced with spaces when providing the blob as text.
PPKFILE/PPKBLOB	A PuTTY-format private key created using the puttygen tool.	base64-only
XMLFILE/XMLBLOB	An XML key in the format generated by the .NET RSA class: RSA.ToXmlString(true).	base64 or plain text.

The SSH server.

Data Type

string

Default Value

""

Remarks

The SSH server.

The SSH port.

Data Type

string

Default Value

"22"

Remarks

The SSH port.

The SSH user.

Data Type

string

Default Value

""

Remarks

The SSH user.

The SSH password.

Data Type

string

Default Value

""

Remarks

The SSH password.

The SSH server fingerprint.

Data Type

string

Default Value

""

Remarks

The SSH server fingerprint.

Whether to tunnel the PostgreSQL connection over SSH. Use SSH.

Data Type

bool

Default Value

false

Remarks

By default the Cloud will attempt to connect directly to PostgreSQL. When this option is enabled, the Cloud will instead establish an SSH connection with the SSHServer and tunnel the connection to PostgreSQL through it.

This section provides a complete list of the Logging properties you can configure in the connection string for this provider.

---

Property	Description
Verbosity	The verbosity level that determines the amount of detail included in the log file.

The verbosity level that determines the amount of detail included in the log file.

Data Type

string

Default Value

"1"

Remarks

The verbosity level determines the amount of detail that the Cloud reports to the Logfile. Verbosity levels from 1 to 5 are supported. These are detailed in the Logging page.

This section provides a complete list of the Schema properties you can configure in the connection string for this provider.

---

Property	Description
BrowsableSchemas	This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.
IgnoredSchemas	Visibility restriction filter which is used to hide schemas from the list of schemas obtained by querying metadata. For example, 'information_schema, pg_catalog'. Schema names are case sensitive.

This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.

Data Type

string

Default Value

""

Remarks

Listing the schemas from databases can be expensive. Providing a list of schemas in the connection string improves the performance.

Visibility restriction filter which is used to hide schemas from the list of schemas obtained by querying metadata. For example, 'information_schema, pg_catalog'. Schema names are case sensitive.

Data Type

string

Default Value

""

Remarks

By default, restrictions are not applied.

This section provides a complete list of the Miscellaneous properties you can configure in the connection string for this provider.

---

Property	Description
AllowPreparedStatement	Prepare a query statement before its execution.
BrowsePartitions	By default the provider exposes the super table and its partitions by metadata. You may hide sub partitions by setting this property to false.
FetchResultSetMetadata	This field sets whether the provider retrieves metadata pertaining to the schema and table name for resultset columns returned by the server.
MaxRows	Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses.
Timeout	The value in seconds until the timeout error is thrown, canceling the operation.
TimeZone	Sets the time zone the server will use to return datetime/timestamp columns.

Prepare a query statement before its execution.

Data Type

bool

Default Value

true

Remarks

If the AllowPreparedStatement property is set to false, statements are parsed each time they are executed. Setting this property to false can be useful if you are executing many different queries only once.

If you are executing the same query repeatedly, you will generally see better performance by leaving this property set to the default, True. Preparing the query avoids recompiling the same query over and over. However, prepared statements also require the Cloud to keep the connection active and open while the statement is prepared.

By default the provider exposes the super table and its partitions by metadata. You may hide sub partitions by setting this property to false.

Data Type

bool

Default Value

true

Remarks

This property has an effect on servers running version 10 and later.

This field sets whether the provider retrieves metadata pertaining to the schema and table name for resultset columns returned by the server.

Data Type

bool

Default Value

false

Remarks

By default, the Cloud will not request that the server provides detailed information about resultset columns like the table name or schema name. It requires issuing additional metadata queries via Cloud , and it may affect query performance essentially in some scenarios. Consider setting this property to True when you need such detailed descriptive information for the resultset columns.

Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses.

Data Type

int

Default Value

-1

Remarks

Limits the number of rows returned when no aggregation or GROUP BY is used in the query. This takes precedence over LIMIT clauses.

The value in seconds until the timeout error is thrown, canceling the operation.

Data Type

int

Default Value

30

Remarks

If Timeout = 0, operations do not time out. The operations run until they complete successfully or until they encounter an error condition.

If Timeout expires and the operation is not yet complete, the Cloud throws an exception.

Sets the time zone the server will use to return datetime/timestamp columns.

Data Type

string

Default Value

""

Remarks

The server stores time with time zone and timestamp with time zone in UTC. If the TimeZone property is not set, the provider uses the client's local time zone.

Setting this property can be useful when you need the server to convert to a specific time zone, which is different from the client's local time zone.