Configure SSH and SSL
To make a connection to a database more secure, some services require SSH or SSL usage.
The following procedure describes the SSL configuration that suits most databases. For some databases, you need to use another approach for a successful connection. You can see configuration examples for Cassandra and Heroku Postgres in the DataGrip documentation.
Open data source properties. You can open data source properties by using one of the following options:
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon.
Press Ctrl+Alt+Shift+S.
On the Data Sources tab, select a data source that you want to modify.
Click the SSH/SSL tab and select the Use SSL checkbox.
In the CA file field, navigate to the CA certificate file (for example, mssql.pem).
You can leave the certificate file fields empty and use a truststore to obtain a required certificate from the certificates that it contains. To do that, tick the Use truststore checkbox and select the truststore that you want to use.
IDE: Use the certificates that are accepted by the IDE. You can add new accepted certificates in Tools | Server Certificates.
JAVA: Use JAVA truststore certificates.
System: Use System truststore certificates.
In the Client certificate file field, navigate to the client certificate file (for example, client-cert.pem).
In the Client key file field, navigate to the client key file (for example, client-key.pem).
From the Mode list, select the verification mode:
Require
Verifies that the server recognizes the client certificate, if the certificate is provided.
Verify CA
Verifies that the server recognizes the client certificate, if the certificate is provided.
Verifies the server by checking the certificate chain up to the root certificate that is stored on the client.
Full Verification
Verifies that the server recognizes the client certificate, if the certificate is provided.
Verifies the server by checking the certificate chain up to the root certificate that is stored on the client.
Verifies the server host to ensure that it matches the name stored in the server certificate.
The SSL connection fails if either one of the certificates cannot be verified.
To ensure that the connection to the data source is successful, click Test Connection.
Note: It is recommended to use PEM certificates.
Note: With self-signed certificates and in some cases with certificates issued by the trusted root entity, you might experience errors when you use the latest JDBC driver version. The SSL connection might fail if your Java keystore does not accept the certificate chains. As a temporary solution, try to downgrade the JDBC driver (for example, for the MySQL connector, you need to switch to the 5.1.40 version).
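The three verification modes differ only in what the client checks about the server. The following added example (not PyCharm or JDBC driver code) expresses them as Python ssl contexts; the mode identifiers and the mapping to ssl settings are assumptions made for illustration, and an empty CA file falls back to the system truststore.

```python
import ssl

# Mode names follow the Mode list above; mapping them onto Python's ssl
# settings is this example's assumption, not the IDE's implementation.
MODES = ("require", "verify_ca", "full_verification")


def build_context(mode, ca_file=None, client_cert=None, client_key=None):
    """Return a client-side SSLContext that enforces the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts fully verifying
    if mode == "require":
        # Encryption only: check_hostname must be cleared before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = (mode == "full_verification")
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)  # the "CA file" field
        else:
            ctx.load_default_certs()  # system truststore
    if client_cert:
        # Client certificate and key (for example, client-cert.pem, client-key.pem)
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def unverified_properties(ctx):
    """List the server properties this context accepts without checking."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain")
    if not ctx.check_hostname:
        gaps.append("server host name")
    return gaps
```

Only the full verification context leaves no gap; the other two accept a server whose identity has not been tied to the host you asked for.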
Open data source properties. You can open data source properties by using one of the following options:
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon.
Press Ctrl+Alt+Shift+S.
On the Data Sources tab, select a data source that you want to modify.
Click the SSH/SSL tab and clear the Use SSL checkbox.
Click Apply.
If you configured SSL settings for one data source, you can copy them for another data source.
Open data source properties. You can open data source properties by using one of the following options:
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon.
Press Ctrl+Alt+Shift+S.
On the Data Sources tab, select a data source that you want to modify.
Click the SSH/SSL tab and select the Use SSL checkbox.
Click the Copy from link and select the configuration that you want to copy.
Secure Shell or SSH is a network protocol that is used to encrypt a connection between a client and a server.
In PyCharm, you can create an SSH connection in one of the following ways:
Using the PyCharm SSH tunnel. The IDE will create an SSH tunnel using the SSH configuration that you set.
Creating an SSH tunnel manually using PuTTY, Pageant, or ssh-client.
PyCharm can create an SSH tunnel based on the SSH configuration that you set. To access the SSH configuration settings, press Ctrl+Alt+S to open settings and select Tools | SSH Configuration.
To use an SSH tunnel for the data source, select the Use SSH tunnel checkbox in the SSH/SSL tab of the Data Sources and Drivers dialog (Ctrl+Alt+Shift+S).
Note: In most cases, you do not need to modify the General tab settings after setting the SSH configuration in the SSH/SSL tab, as PyCharm will connect to the local end of the SSH tunnel. The exception is when you create an SSH tunnel manually; in that case, you need to set localhost as Host on the General tab. Upon the connection, the SSH tunnel hostname is resolved on the machine with the SSH server, as the server establishes the connection to a database.
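For the manual case described in the note, the following added example (not PyCharm code) builds the OpenSSH client command for a local port forward and returns the values to enter on the General tab. The function names and the sample hosts are hypothetical; -N, -L, -p and -o ExitOnForwardFailure=yes are standard OpenSSH client options.

```python
import re
import socket

# Hypothetical helpers for illustration. Accepts host names and IPv4
# addresses only; anything that ssh could read as an option is rejected.
_SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def free_loopback_port():
    """Ask the OS for an unused TCP port on 127.0.0.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tunnel_command(ssh_user, ssh_host, db_host, db_port, local_port, ssh_port=22):
    """Build the argv for a manual tunnel to the database."""
    for value in (ssh_user, ssh_host, db_host):
        if not _SAFE.match(value):
            raise ValueError(f"unsafe value: {value!r}")
    for port in (db_port, local_port, ssh_port):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port: {port!r}")
    # The local end listens on loopback only, so other machines on the
    # network cannot reach it; db_host is resolved by the SSH server.
    forward = f"127.0.0.1:{local_port}:{db_host}:{db_port}"
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-p", str(ssh_port), "-L", forward, f"{ssh_user}@{ssh_host}"]


def general_tab_endpoint(local_port):
    """Host and port for the General tab when the tunnel is manual."""
    return ("localhost", local_port)
```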
All created SSH connections are shared between all the data sources that you have in a project. If you do not want to share a connection between projects, select the Visible only for this project checkbox in the SSH connection settings.
Open data source properties. You can open data source properties by using one of the following options:
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon.
Press Ctrl+Alt+Shift+S.
Select a data source profile where you want to change connection settings.
Click the SSH/SSL tab and select the Use SSH tunnel checkbox.
Click the Add SSH configuration button.
In the SSH dialog, click the Add button.
If you do not want to share the configuration between projects, select the Visible only for this project checkbox.
In Host, Username, and Port fields, specify your connection details.
From the Authentication type list, you can select an authentication method:
Password: Access the host with a password. To save the password in PyCharm, select the Save password checkbox.
Key pair (OpenSSH or PuTTY): Use SSH authentication with a key pair. To apply this authentication method, you must have a private key on the client machine and a public key on the remote server. PyCharm supports private keys that are generated with the OpenSSH utility.
Specify the path to the file where your private key is stored and type the passphrase (if any) in the corresponding fields. To have PyCharm remember the passphrase, select the Save passphrase checkbox.
OpenSSH config and authentication agent: Use a credentials helper application that manages your SSH keys, such as ssh-agent.
Click OK to confirm the new SSH configuration settings.
In the Local port field of Data Sources and Drivers dialog, specify the local port number from which you want to forward the connection. Otherwise, PyCharm selects the port dynamically.
Tip: For more information about working with SSH keys, refer to the Generating a new SSH key and adding it to the ssh-agent tutorial.
Open data source properties. You can open data source properties by using one of the following options:
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon.
Press Ctrl+Alt+Shift+S.
Select a data source profile where you want to change connection settings.
Click the SSH/SSL tab and clear the Use SSH tunnel checkbox.
Click Apply.
Download and run the latest version of the PuTTY SSH and Telnet client (download the client from https://www.putty.org/).
In the PuTTY Configuration dialog, navigate to Connection | SSH | Auth.
In the Private key file for authentication field, specify the path to your private key file and click Open.
In the command line window, specify the username that you use for the SSH tunnel and press Enter. Do not close the command line window.
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon on the toolbar.
Select a data source profile where you want to change connection settings.
Click the SSH/SSL tab and select the Use SSH tunnel checkbox.
From the Auth type list, select OpenSSH config and authentication agent.
In Proxy host, Proxy user, and Port fields, specify connection details.
To ensure that the connection to the data source is successful, click Test Connection.
Pageant is an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink. Pageant stores your private key, and as long as it is running, it provides the unlocked private key to PuTTY or other tools like PyCharm. You can find the Pageant icon in the Windows taskbar.
Download the latest version of Pageant (download the client from https://www.putty.org/).
In the Windows taskbar, right-click the Pageant icon and select Add Key.
In the Select Private Key File dialog, navigate to the private key file (the PPK file) and click Open.
(Optional) Enter the private key passphrase and press Enter.
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon on the toolbar.
Select a data source profile where you want to change connection settings.
Click the SSH/SSL tab and select the Use SSH tunnel checkbox.
From the Auth type list, select OpenSSH config and authentication agent.
In Proxy host, Proxy user, and Port fields, specify connection details.
To ensure that the connection to the data source is successful, click Test Connection.
Run all commands for ssh-agent in the command line.
Ensure that ssh-agent is running.
ssh-agent
Add your key to the agent (in the following example, the key path is ~/.ssh/id_rsa).
ssh-add ~/.ssh/id_rsa
(Optional) On macOS, you can add the -K option to the ssh-add command to store passphrases in your keychain. On macOS Sierra and later, you need to create the config file in ~/.ssh/ with the following text:
Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_rsa
If you have other private keys in the .ssh directory, add an IdentityFile line for each key. For example, if the second key has the id_ed25519 name, add IdentityFile ~/.ssh/id_ed25519 as an additional line for the second private key.
List all added keys.
ssh-add -L
In the Database tool window (View | Tool Windows | Database), click the Data Source Properties icon on the toolbar.
Select a data source profile where you want to change connection settings.
Click the SSH/SSL tab and select the Use SSH tunnel checkbox.
From the Auth type list, select OpenSSH config and authentication agent.
In Proxy host, Proxy user, and Port fields, specify connection details.
To ensure that the connection to the data source is successful, click Test Connection.