PrivX Settings
Scope | Section | Property | Description | Requires Restart |
|---|---|---|---|---|
| AUTH | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| AUTH | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| AUTH | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| AUTH | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| AUTH | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| AUTH | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| AUTH | loginratelimit | Enable username limit | When enabled, login attempts are limited per username + IP pair. | true |
| AUTH | loginratelimit | Username Attempts Burst Size | Maximum number of failed logins per user + IP pair. | true |
| AUTH | loginratelimit | Username Attempts Per Minute | Maximum number of login attempts per user + IP pair per minute. | true |
| AUTH | loginratelimit | Enable subnet limit | When enabled, login attempts are limited per IP subnet. | true |
| AUTH | loginratelimit | Subnet Attempts Burst Size | Maximum number of failed logins per subnet. | true |
| AUTH | loginratelimit | Subnet Attempts Per Minute | Maximum number of login attempts per subnet per minute. | true |
| AUTH | loginratelimit | Remote IP Whitelist | Whitelist of remote IP addresses. | true |
| AUTH | loginmethods | Enable passkey login | Enable passkey login and credential registration. | true |
| AUTH | loginmethods | Enable single sign-on (SSO) | Enable user to log in using single sign-on (SSO). | true |
| AUTH | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| AUTHORIZER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| AUTHORIZER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| AUTHORIZER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| AUTHORIZER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| AUTHORIZER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| AUTHORIZER | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| AUTHORIZER | certificate_templates | SSH Certificate Templates | true | |
| AUTHORIZER | ca_settings | Add Security ID extension to RDP X.509 certificates | false | |
| AUTHORIZER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| CONNECTION-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| CONNECTION-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| CONNECTION-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| CONNECTION-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| CONNECTION-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| CONNECTION-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| CONNECTION-MANAGER | housekeeping | Housekeeping Interval (Minutes) | Interval for connection status housekeeping, in minutes. | true |
| CONNECTION-MANAGER | housekeeping | Connection Metadata Retention (Days) | Retention period for connection metadata, in days. Set to -1 to disable metadata removal. | true |
| CONNECTION-MANAGER | housekeeping | Trail Housekeeping Interval (Hours) | Interval for trail housekeeping, in hours. | true |
| CONNECTION-MANAGER | housekeeping | Check trail integrity during trail housekeeping | Enable to verify the integrity of recorded trails during housekeeping. | true |
| CONNECTION-MANAGER | housekeeping | Use SHA-256 checksum for trail integrity checker | Enable to use SHA-256 checksums when verifying integrity of recorded trails. | true |
| CONNECTION-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| GLOBAL | audit | Connection Timeout When No Connection Manager (Minutes) | Set to 0 to disable timeout and keep connections open. | true |
| GLOBAL | audit | Data Folder | Folder for audit trail data. | true |
| GLOBAL | audit | Trail Expiration (Days) | Set to -1 to disable trail removal. | true |
| GLOBAL | audit | Trail Transferred Files Expiration (Days) | Set to -1 to disable downloaded/uploaded file removal. | true |
| GLOBAL | audit | Trail File Timestamp Obfuscation | Enable trail file and directory timestamp obfuscation. | true |
| GLOBAL | audit_rate_limiting | Rate limiting interval (Seconds) | Time interval to ignore new events for verbose audit events. Set to 0 to emit all events. Audit events affected: "Host-modified", "RoleContext-usage-alert", "Directory-authentication-failed". | false |
| GLOBAL | ldapconnections | Connection Timeout (Seconds) | The duration in seconds before the LDAP query connection should timeout. | true |
| GLOBAL | ldapconnections | Connection Retry Attempts | The number of times to retry if the LDAP query connection times out. | true |
| GLOBAL | ldapconnections | Use custom root certificates | Specify if PrivX should use custom root certificates. | true |
| GLOBAL | ldapconnections | Use system certificates pool | Specify if PrivX should use the system certificates pool. | true |
| GLOBAL | ldapconnections | Custom Root Certificate (PEM) | Specify a custom root certificate in PEM format, which will be added to the certificate pool for LDAP connections. Note that the custom root certificates setting must be enabled to use this. | true |
| GLOBAL | disclaimer | Disclaimers | true | |
| GLOBAL | application_switcher | Universal SSH Key Manager URL | Enter the URL of the Universal SSH Key Manager web UI. | true |
| GLOBAL | rdp_common | Host Certificate Trust Anchor | Specify RDP host certificate trust anchor PEM certificates. | true |
| GLOBAL | rdp_common | Allow access to hosts using plain text VNC | true | |
| GLOBAL | ssh_common | Send SSH events to audit log | Enable sending SSH events to audit log. | true |
| GLOBAL | ssh_common | Events to Audit | Supported SSH event types to audit. | true |
| GLOBAL | icap | File transfer scans for SSH Proxy | Configure whether PrivX performs virus scanning for transferred files. | true |
| GLOBAL | icap | File transfer scans for SSH Bastion | Configure whether PrivX performs virus scanning for transferred files via native SSH. | true |
| GLOBAL | icap | File transfer scans for RDP Proxy | Configure whether PrivX performs virus scanning for transferred files for RDP and Web Access Gateways. | true |
| GLOBAL | icap | ICAP Server Hostname | Hostname for ICAP proxy server. | true |
| GLOBAL | icap | ICAP Server Port | Port number for ICAP proxy server. | true |
| GLOBAL | icap | ICAP RESPMOD URL | Send a response modification with http request headers, using this url. | true |
| GLOBAL | icap | ICAP REQMOD URL | Send a request modification instead of response modification, using this url. | true |
| GLOBAL | icap | ICAP Preview Size in Bytes | Maximum preview data size in bytes. Set to 0 to disable preview. | true |
| GLOBAL | icap | ICAP Service Name | Optional ICAP service name. | true |
| GLOBAL | live_monitoring | SSH | true | |
| GLOBAL | live_monitoring | RDP | true | |
| GLOBAL | live_monitoring | VNC | true | |
| GLOBAL | live_monitoring | Web | true | |
| GLOBAL | invalidated_session_cache | Session Cache Size | Set a positive size for the invalidated session cache. The size determines the number of invalidated sessions that it can hold before eviction. | true |
| GLOBAL | watermarking | Heading | false | |
| GLOBAL | watermarking | Watermark | false | |
| GLOBAL | mobile_gw | Use static IPs | Static IPs are used when there is a need for whitelisting outgoing traffic from PrivX. | true |
| DB-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| DB-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| DB-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| DB-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| DB-PROXY | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| DB-PROXY | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| DB-PROXY | dbproxy_internal | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| DB-PROXY | certificates | Key Type | The Database Proxy server's key pair used to generate dynamic tls certificate for database connections. | true |
| DB-PROXY | certificates | RSA Key Size | RSA Key Size (Bits) | true |
| DB-PROXY | certificates | ECDSA Key Size | ECDSA Key Size (Bits) | true |
| DB-PROXY | certificates | Cache Size | Cache size of dynamically generated tls certificates. | true |
| DB-PROXY | host_trust_anchors | Host Certificate Trust Anchors | Specify host certificate trust anchor PEM certificates. | true |
| DB-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| EXTENDER-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| EXTENDER-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| EXTENDER-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| EXTENDER-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| EXTENDER-SERVICE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| EXTENDER-SERVICE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| EXTENDER-SERVICE | service | Listener Address Mode | Listener address resolution mode. | true |
| EXTENDER-SERVICE | service | Listener Addresses | List of IP addresses or IP subnet CIDRs used for resolving extender listener addresses. | true |
| EXTENDER-SERVICE | service | Listener Port Min | Port range start for extender listeners. | true |
| EXTENDER-SERVICE | service | Listener Port Max | Port range end for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Port Min | UDP port range start for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Port Max | UDP port range end for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Reconnect Count | Reconnection attempts to extender for UDP listeners. | true |
| EXTENDER-SERVICE | service | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| EXTENDER-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| HOST-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| HOST-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| HOST-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| HOST-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| HOST-STORE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| HOST-STORE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| HOST-STORE | health-check-options | Health checks enabled | Configure whether PrivX performs network connectivity health checks for services. | true |
| HOST-STORE | health-check-options | Health Check Interval (Seconds) | Interval between health check runs, in seconds. | true |
| HOST-STORE | health-check-options | Maximum Requests Per Second | Maximum service health check requests per second per worker. | true |
| HOST-STORE | health-check-options | Maximum Workers | Maximum concurrent service health requests. | true |
| HOST-STORE | host-house-keeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Housekeeping expunges deleted hosts from the database once hosts have been deleted for longer than the configured expunction delay. Set to 0 to disable housekeeping. | true |
| HOST-STORE | host-house-keeping | Deleted Host Expunction Delay (Hours) | The delay (in hours) between when a host has been deleted to when it will be permanently removed. | true |
| HOST-STORE | initial-host-service-options-ssh | Shell | true | |
| HOST-STORE | initial-host-service-options-ssh | File Transfer | true | |
| HOST-STORE | initial-host-service-options-ssh | Exec | true | |
| HOST-STORE | initial-host-service-options-ssh | Tunnels | true | |
| HOST-STORE | initial-host-service-options-ssh | X11 Forwarding | true | |
| HOST-STORE | initial-host-service-options-ssh | Other | true | |
| HOST-STORE | initial-host-service-options-rdp | File Transfer | true | |
| HOST-STORE | initial-host-service-options-rdp | Audio | true | |
| HOST-STORE | initial-host-service-options-rdp | Clipboard | true | |
| HOST-STORE | initial-host-service-options-vnc | File Transfer | true | |
| HOST-STORE | initial-host-service-options-vnc | Clipboard | true | |
| HOST-STORE | initial-host-service-options-web | File Transfer | true | |
| HOST-STORE | initial-host-service-options-web | Audio | true | |
| HOST-STORE | initial-host-service-options-web | Clipboard | true | |
| HOST-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| LICENSE-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| LICENSE-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| LICENSE-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| LICENSE-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| LICENSE-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| LICENSE-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| LICENSE-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| MONITOR-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| MONITOR-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| MONITOR-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| MONITOR-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| MONITOR-SERVICE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| MONITOR-SERVICE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| MONITOR-SERVICE | housekeeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Set to 0 to disable housekeeping. | true |
| MONITOR-SERVICE | housekeeping | Audit Event Data Retention Period (Days) | Number of days that audit events must be kept in the database. Set to -1 to disable audit event removal. | true |
| MONITOR-SERVICE | housekeeping | Status Check Interval (Seconds) | Interval between status checks, in seconds. Set to 0 to disable checks. | true |
| MONITOR-SERVICE | housekeeping | System Health Check Interval (Hours) | Interval between system health check, in hours. Set to 0 to disable checks. | true |
| MONITOR-SERVICE | housekeeping | Database Cache Removal Interval (Seconds) | Interval for removing expired keys from the database cache, in seconds. Set to 0 to disable database cache removal. | true |
| MONITOR-SERVICE | housekeeping | Monitored Storage Locations | A list of PrivX instance storage mount locations and warning thresholds to be periodically checked for low disk space. Example: "/:5GB,/var/log:5GB,/var/privx/audit:10GB" | true |
| MONITOR-SERVICE | housekeeping | Inactive Status Expunction Delay (Hours) | The delay (in hours) before an inactive component's status permanently removed when housekeeping runs. | true |
| MONITOR-SERVICE | housekeeping | Max threshold for components status (Seconds) | Max threshold for component's status before marked as error if no data received, in seconds | true |
| MONITOR-SERVICE | housekeeping | Database Certificate Check Interval (Hours) | Interval for checking database certificate validity. Set to 0 to disable the check. | true |
| MONITOR-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| NETWORK-ACCESS-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| NETWORK-ACCESS-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| NETWORK-ACCESS-MANAGER | service | Housekeeping Interval (Seconds) | Interval between housekeeping runs, in minutes, for removing dead sessions from PrivX router. | true |
| NETWORK-ACCESS-MANAGER | service | Router Session Removal Max Retries | Maximum number retries for PrivX router session removal. | true |
| NETWORK-ACCESS-MANAGER | service | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| NETWORK-ACCESS-MANAGER | service | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| NETWORK-ACCESS-MANAGER | service | Metadata Update Interval (Seconds) | Interval for metadata updates to connection manager (seconds) | true |
| NETWORK-ACCESS-MANAGER | service | Connection-Manager Timeout (Minutes) | Timeout for network target sessions when no connection to connection manager (minutes) | true |
| NETWORK-ACCESS-MANAGER | service | Extender Connect Timeout (Seconds) | Connect timeout for extender target connections (seconds) | true |
| NETWORK-ACCESS-MANAGER | router | Routers | true | |
| NETWORK-ACCESS-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| RDP-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| RDP-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| RDP-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| RDP-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| RDP-MITM | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| RDP-MITM | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| RDP-MITM | rdp_mitm | Public Addresses | RDP Bastion public addresses. | true |
| RDP-MITM | rdp_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| RDP-MITM | rdp_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. | true |
| RDP-MITM | rdp_mitm | Allow role IP restrictions | Enable to enforce role context IP limitation checks. | true |
| RDP-MITM | rdp_mitm | FFmpeg Parameters | Video encoding parameters to be passed to FFmpeg library. | true |
| RDP-MITM | rdp_mitm | Video Generator Workers | Number of workers that encode video simultaneously. | true |
| RDP-MITM | rdp_mitm | Video Generator Temporary Directory | Directory where temporary video files are generated before stored as part of trail. | true |
| RDP-MITM | rdp_mitm | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| RDP-MITM | certificates | Renewal Period (Months) | Certificate renewal period in months. | true |
| RDP-MITM | certificates | Renewal Period (Days) | Certificate renewal period in days. | true |
| RDP-MITM | certificates | Update automatically | Configure whether certificates should be updated automatically. | true |
| RDP-MITM | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| RDP-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| RDP-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| RDP-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| RDP-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| RDP-PROXY | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| RDP-PROXY | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| RDP-PROXY | rdp_proxy | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| RDP-PROXY | rdp_proxy | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. | true |
| RDP-PROXY | rdp_proxy | Web proxy enabled | Enable to allow remote web proxy (Squid) to authorize web connections via PrivX web proxy server. | true |
| RDP-PROXY | rdp_proxy | Smart card authentication enabled | Configure whether RDP smart card authentication is enabled. | true |
| RDP-PROXY | rdp_proxy | Smart card login failure workaround disabled | Disable RDP smart card login failure workaround. | true |
| RDP-PROXY | rdp_proxy | Allow connecting to local address | Allow target connections to local interface addresses. | true |
| RDP-PROXY | rdp_proxy | Allow connecting to loopback address | Allow target connections to loopback addresses. | true |
| RDP-PROXY | rdp_proxy | Enable wallpaper | Enable desktop wallpaper for target hosts. Disabling this makes screen updates faster. | true |
| RDP-PROXY | rdp_proxy | Enable font smoothing | Enable font smoothing. Enabling this usually improves the text quality. | true |
| RDP-PROXY | rdp_proxy | Shared Directory | RDP shared directory. | true |
| RDP-PROXY | rdp_proxy | Target Blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. | true |
| RDP-PROXY | rdp_proxy | Connectivity Test Timeout (Seconds) | Connection timeout while check a target is reachable, in seconds. | true |
| RDP-PROXY | rdp_proxy | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| RDP-PROXY | rdp_proxy | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| RDP-PROXY | rdp_proxy | Implicit Secret Checkout Release Delay (Seconds) | Delay (seconds) for releasing the implicit secret checkout after login to RDP target. | true |
| RDP-PROXY | certificates | Renewal Period (Months) | Certificate renewal period in months. | true |
| RDP-PROXY | certificates | Renewal Period (Days) | Certificate renewal period in days. | true |
| RDP-PROXY | certificates | Update automatically | Configure whether certificates should be updated automatically. | true |
| RDP-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| ROLE-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| ROLE-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| ROLE-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| ROLE-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| ROLE-STORE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| ROLE-STORE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| ROLE-STORE | authorizedkeys | Expired Keys Purge Interval (Hours) | Expired authorized keys purge interval in hours. Set to 0 to disable automatic deletion of expired authorized keys. | true |
| ROLE-STORE | authorizedkeys | Maximum Validity Period (Days) | Authorized key maximum validity period length in days. Valid values are 1-7300 days. | true |
| ROLE-STORE | authorizedkeys | Minimum RSA Key Size (Bits) | Minimum key size in bits for ssh-rsa keys. | true |
| ROLE-STORE | authorizedkeys | Supported Key Types | Specify the supported authorized key types for logging in to PrivX with user specific authorized keys. | true |
| ROLE-STORE | aws | AWS support enabled | Specify whether AWS support is enabled. | true |
| ROLE-STORE | aws | Default Region | Default AWS region to use for API access. | true |
| ROLE-STORE | aws | Assume role enabled | Enable assume-role temporary session credentials. These credentials can be used to give PrivX users temporary access to AWS API via AWS CLI or scripting. | true |
| ROLE-STORE | aws | Assume Role Credential Expiration (Seconds) | Expiration time in seconds for assume-role temporary credentials. AWS service limits are minimum 900 (15 min), maximum 43200 (12 hours). Values above 3600 seconds require modifying the AWS target role config or token grants will fail. | true |
| ROLE-STORE | aws | Federation tokens enabled | Enable federation token access. These credentials can be used to give SSH PrivX users temporary access to AWS API via AWS roles. If both assume-role and federated role tokens are enabled, assume-role will be used. | true |
| ROLE-STORE | aws | Federation Token Expiration (Seconds) | Expiration time in seconds for federated tokens. AWS service limits are minimum 900 (15 min), maximum 129600 (36 hours). | true |
| ROLE-STORE | aws | Maximum number of AWS roles | Maximum number of AWS role to fetch. This restriction is applied after role path or role name filtering is done. | true |
| ROLE-STORE | caching | Caching enabled | Specify whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. Additionally, it is used to define the size of cache used for storing deleted roles. Disabling the setting is not recommended. | true |
| ROLE-STORE | caching | Rule evaluation cache enabled | Specify whether role rule evaluation results should be cached. Enabling this setting is recommended. | true |
| ROLE-STORE | caching | Local LRU Cache Size | Maximum entries in the local LRU cache. If cache exceeds this size, the least recently used entries are purged. The minimum size of cache should be greater than the number of active PrivX users + total PrivX role rule count. | true |
| ROLE-STORE | caching | Local Cache Sync Interval (Seconds) | Local cache periodic synchronization interval in seconds. Should be a relatively small value (default is 60 seconds). Set to 0 to disable synchronization. This setting should be enabled in HA environments. | true |
| ROLE-STORE | caching | Cache TTL (Seconds) | Cache TTL in seconds. Should be set to a relatively small value (few minutes). However setting this too low (e.g less than 3 seconds) might cause synchronization issues when running multiple instances of the same service. | true |
| ROLE-STORE | caching | User Cache TTL (Seconds) | Cache TTL for user caching in seconds. If user data in the user cache has been refreshed more recently than the User Cache TTL setting, then it won't be reloaded from the user directory. Value of 0 disables the cache. Note that disabling the cache forces fetching user data from the user directory every time user roles are resolved. Disabling the setting is NOT recommended. | true |
| ROLE-STORE | caching | Role Membership Count Cache TTL (Seconds) | Caching the count of role members (both implicit and explicit) on the role details page and in the API response. This only affects the displayed member count. The actual memberships remain unaffected. | true |
| ROLE-STORE | caching | Deleted Roles Cache Size | Size of the cache that stores deleted roles in memory. Minimum value is 1000 and maximum value is 10000000 (10M). Default value is 1000000 (1M) | true |
| ROLE-STORE | directory | Blacklisted Host Tag Prefixes | When the "Import host instance tags from the directory" setting is enabled for a host directory, all host tags will be imported to PrivX except tags starting with these prefixes. | true |
| ROLE-STORE | housekeeping | SCIM Role Cleanup Interval (Minutes) | Interval between housekeeping runs, in minutes, for clearing up unused roles created by SCIM directories. Set to 0 to disable housekeeping. | true |
| ROLE-STORE | housekeeping | User Active Interval (Seconds) | Interval where user is considered as active from last login. If the user is not logged in in this interval, the user will be considered as inactive. Therefore, house-keeping will be applied to this user (it includes deleting usersettings, user explicit role mappings, authorized keys, OIDC user data). Note that this behavior is not applied for Local users and API-Clients. | true |
| ROLE-STORE | ldap | Nested groups enabled | Enable nested groups for role mappings. Enables LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter for role queries against user directories. This option affects only role mappings. AD directory settings are not affected by this setting. | true |
| ROLE-STORE | ldap | Default Cache TTL (Seconds) | Default LDAP cache TTL in seconds. Used if no TTL is specified for an LDAP directory. If you have many users or very slow LDAP servers, set the TTL to a higher value. | true |
| ROLE-STORE | ldap | LDAP Query Pagination Size | LDAP query pagination size. The default maximum for Active Directory is 1000. Use as high of a value as possible for maximum performance. | true |
| ROLE-STORE | ldap | LDAP Attributes Filter | Specifies which attributes to fetch from LDAP for caching. Leaving this empty will fetch all attributes for LDAP objects. Filtering out unused attributes will make the memory consumption smaller and improve query times. Note that only the specified attributes can be used for LDAP query filters and role source rules. The recommended attributes filter is: objectClass cn dn distinguishedName whenCreated whenChanged name userPrincipalName givenName company departmentNumber mail email mobile sAMAccountName uid memberOf entryDN displayName userAccountControl groupType servicePrincipalName objectCategory objectGUID objectSID | true |
| ROLE-STORE | ldap | Default User Filter | Default pre-filter to use when searching users. Not required, but allows using shorter LDAP search strings. Use this to filter out non-user objects. Directory level user filters override this default setting. Leaving user filter empty increases memory consumption. The recommended attributed filter is: ( | (objectClass=user)(objectClass=person)(objectClass=inetOrgPerson)) |
| ROLE-STORE | ldap | Global AD User Filter | Automatically append this filter to Active Directory requests when fetching users or mapping roles. The recommended AD user filter to filter out disabled users, is: (!userAccountControl:1.2.840.113556.1.4.803:=2) | true |
| ROLE-STORE | scanning | Host Scanning Delay After Startup (Seconds) | Host scanning delay after starting the service, in seconds. | true |
| ROLE-STORE | scanning | AWS Role Scanning Delay After Startup (Seconds) | AWS role scanning delay after starting the service, in seconds. | true |
| ROLE-STORE | scanning | Host Scanning Interval (Seconds) | Default interval between host scanning runs, in seconds. | true |
| ROLE-STORE | scanning | Role Membership Count Update Enabled | Whether or not the role membership counts are automatically updated on the background. Enabling this feature on large environments may cause slowness issues, so proceed carefully. Even if disabled, the individual role member counts can still be viewed. | true |
| ROLE-STORE | scanning | Role Membership Count Update Interval (Seconds) | Frequency for resolving granted membership counts for roles, in seconds. | true |
| ROLE-STORE | scim | Max Results | Max Results page size for SCIM get requests. | true |
| ROLE-STORE | principal_keys | Add on role creation | When True, Principal keys get created at the time of role creation. Defaults to False | true |
| ROLE-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| SSH-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| SSH-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| SSH-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| SSH-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| SSH-MITM | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| SSH-MITM | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| SSH-MITM | ssh_mitm | Public Addresses | SSH Bastion public addresses. | true |
| SSH-MITM | ssh_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| SSH-MITM | ssh_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. | true |
| SSH-MITM | ssh_mitm | Allow role IP restrictions | Enable to enforce role context IP limitation checks. | true |
| SSH-MITM | ssh_mitm | Allow connecting to local address | Allow target connections to local interface addresses. | true |
| SSH-MITM | ssh_mitm | Allow connecting to loopback address | Allow target connections to loopback addresses. | true |
| SSH-MITM | ssh_mitm | Hostkey Algorithms | Supported hostkey algorithms. | true |
| SSH-MITM | ssh_mitm | Target Blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. | true |
| SSH-MITM | ssh_mitm | Metadata Update Interval (Seconds) | Interval for metadata updates to connection manager, in seconds. | true |
| SSH-MITM | ssh_mitm | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| SSH-MITM | ssh_mitm | SSH exec connection idle timeout (Seconds) | SSH exec connection idle timeout, in seconds. | true |
| SSH-MITM | ssh_mitm | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| SSH-MITM | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| SSH-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| SSH-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| SSH-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| SSH-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| SSH-PROXY | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| SSH-PROXY | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| SSH-PROXY | ssh_proxy | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| SSH-PROXY | ssh_proxy | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. | true |
| SSH-PROXY | ssh_proxy | Allow connecting to local address | Allow target connections to local interface addresses. | true |
| SSH-PROXY | ssh_proxy | Allow connecting to loopback address | Allow target connections to loopback addresses. | true |
| SSH-PROXY | ssh_proxy | Target Blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. | true |
| SSH-PROXY | ssh_proxy | Metadata Update Interval (Seconds) | Interval for metadata updates to connection manager, in seconds. | true |
| SSH-PROXY | ssh_proxy | SSH Keepalive Interval (Seconds) | Target ssh connection keepalive interval, in seconds. | true |
| SSH-PROXY | ssh_proxy | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| SSH-PROXY | ssh_proxy | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| SSH-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| TRAIL-INDEX | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| TRAIL-INDEX | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| TRAIL-INDEX | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| TRAIL-INDEX | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| TRAIL-INDEX | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| TRAIL-INDEX | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| TRAIL-INDEX | housekeeping | Housekeeping Interval (Minutes) | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. Set to 0 to disable housekeeping. | true |
| TRAIL-INDEX | workers | Number of Workers | Maximum audit trail indexing concurrency. | true |
| TRAIL-INDEX | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| USER-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| USER-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| USER-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| USER-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| USER-STORE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| USER-STORE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| USER-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| VAULT | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| VAULT | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| VAULT | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| VAULT | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| VAULT | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| VAULT | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| VAULT | secrets | Secret Schema Definitions | Specify secret schemas in JSON format as an array of schema objects, as shown in the example. | true |
| VAULT | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| WORKFLOW-ENGINE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| WORKFLOW-ENGINE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| WORKFLOW-ENGINE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| WORKFLOW-ENGINE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| WORKFLOW-ENGINE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| WORKFLOW-ENGINE | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| WORKFLOW-ENGINE | housekeeping | Requests Housekeeping Interval (Hours) | Interval for requests housekeeping, in hours. | true |
| WORKFLOW-ENGINE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. | true |
| SECRETS-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed. | true |
| SECRETS-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| SECRETS-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| SECRETS-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. | true |
| SECRETS-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| SECRETS-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |
| SECRETS-MANAGER | winrm | WinRM Host Certificate Trust Anchor | Specify WinRM host certificate trust anchor PEM certificates. | true |
| SECRETS-MANAGER | targetdomains | Auto Onboarding Limit | Maximum number of new target domain accounts scanned at a time that can be auto onboarded. | false |
| SECRETS-MANAGER | targetdomains | Account Removal Housekeeping Interval | Interval for deleting target domain accounts with the "removed" status, in minutes. | false |
| SETTINGS | logging | Log Level | Service log level. Set to DEFAULT to use the environment value | false |
| SETTINGS | logging | Trace Level | Service trace level. Set to -1 to use the environment value | false |