
PrivX Settings

| Scope | Section | Property | Description | Requires Restart |
|---|---|---|---|---|
| AUTH | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| AUTH | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| AUTH | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| AUTH | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| AUTH | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| AUTH | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| AUTH | loginratelimit | Enable username limit | When enabled, login attempts are limited per username + IP pair. | true |
| AUTH | loginratelimit | Username Attempts Burst Size | Maximum number of failed logins per user + IP pair. | true |
| AUTH | loginratelimit | Username Attempts Per Minute | Maximum number of login attempts per user + IP pair per minute. | true |
| AUTH | loginratelimit | Enable subnet limit | When enabled, login attempts are limited per IP subnet. | true |
| AUTH | loginratelimit | Subnet Attempts Burst Size | Maximum number of failed logins per subnet. | true |
| AUTH | loginratelimit | Subnet Attempts Per Minute | Maximum number of login attempts per subnet per minute. | true |
| AUTH | loginratelimit | Remote IP Whitelist | Whitelist of remote IP addresses. | true |
| AUTH | loginmethods | Enable passkey login | Enable passkey login and credential registration. | true |
| AUTH | loginmethods | Enable single sign-on (SSO) | Enable users to log in using single sign-on (SSO). | true |
| AUTH | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| AUTHORIZER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| AUTHORIZER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| AUTHORIZER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| AUTHORIZER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| AUTHORIZER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| AUTHORIZER | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| AUTHORIZER | certificate_templates | SSH Certificate Templates | | true |
| AUTHORIZER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| CONNECTION-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| CONNECTION-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| CONNECTION-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| CONNECTION-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| CONNECTION-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| CONNECTION-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| CONNECTION-MANAGER | housekeeping | Housekeeping Interval (Minutes) | Interval for connection status housekeeping, in minutes. | true |
| CONNECTION-MANAGER | housekeeping | Connection Metadata Retention (Days) | Retention period for connection metadata, in days. Set to -1 to disable metadata removal. | true |
| CONNECTION-MANAGER | housekeeping | Trail Housekeeping Interval (Hours) | Interval for trail housekeeping, in hours. | true |
| CONNECTION-MANAGER | housekeeping | Check trail integrity during trail housekeeping | Enable to verify the integrity of recorded trails during housekeeping. | true |
| CONNECTION-MANAGER | housekeeping | Use SHA-256 checksum for trail integrity checker | Enable to use SHA-256 checksums when verifying the integrity of recorded trails. | true |
| CONNECTION-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| GLOBAL | audit | Connection Timeout When No Connection Manager (Minutes) | Set to 0 to disable the timeout and keep connections open. | true |
| GLOBAL | audit | Data Folder | Folder for audit trail data. | true |
| GLOBAL | audit | Trail Expiration (Days) | Set to -1 to disable trail removal. | true |
| GLOBAL | audit | Trail Transferred Files Expiration (Days) | Set to -1 to disable downloaded/uploaded file removal. | true |
| GLOBAL | audit | Trail File Timestamp Obfuscation | Enable trail file and directory timestamp obfuscation. | true |
| GLOBAL | ldapconnections | Connection Timeout (Seconds) | The duration in seconds before the LDAP query connection times out. | true |
| GLOBAL | ldapconnections | Connection Retry Attempts | The number of times to retry if the LDAP query connection times out. | true |
| GLOBAL | ldapconnections | Use custom root certificates | Specify whether PrivX should use custom root certificates. | true |
| GLOBAL | ldapconnections | Use system certificates pool | Specify whether PrivX should use the system certificate pool. | true |
| GLOBAL | ldapconnections | Custom Root Certificate (PEM) | Specify a custom root certificate in PEM format, which will be added to the certificate pool for LDAP connections. Note that the custom root certificates setting must be enabled to use this. | true |
| GLOBAL | disclaimer | Disclaimers | | true |
| GLOBAL | application_switcher | Universal SSH Key Manager URL | Enter the URL of the Universal SSH Key Manager web UI. | true |
| GLOBAL | rdp_common | Host Certificate Trust Anchor | Specify RDP host certificate trust anchor PEM certificates. | true |
| GLOBAL | rdp_common | Allow access to hosts using plain text VNC | | true |
| GLOBAL | ssh_common | Send SSH events to audit log | Enable sending SSH events to the audit log. | true |
| GLOBAL | ssh_common | Events to Audit | Supported SSH event types to audit. | true |
| GLOBAL | icap | File transfer scans for SSH Proxy | Configure whether PrivX performs virus scanning for transferred files. | true |
| GLOBAL | icap | File transfer scans for SSH Bastion | Configure whether PrivX performs virus scanning for files transferred via native SSH. | true |
| GLOBAL | icap | File transfer scans for RDP Proxy | Configure whether PrivX performs virus scanning for files transferred via the RDP and Web Access Gateways. | true |
| GLOBAL | icap | ICAP Server Hostname | Hostname of the ICAP proxy server. | true |
| GLOBAL | icap | ICAP Server Port | Port number of the ICAP proxy server. | true |
| GLOBAL | icap | ICAP RESPMOD URL | Send a response modification with HTTP request headers, using this URL. | true |
| GLOBAL | icap | ICAP REQMOD URL | Send a request modification instead of a response modification, using this URL. | true |
| GLOBAL | icap | ICAP Preview Size in Bytes | Maximum preview data size in bytes. Set to 0 to disable preview. | true |
| GLOBAL | icap | ICAP Service Name | Optional ICAP service name. | true |
| GLOBAL | live_monitoring | SSH | | true |
| GLOBAL | live_monitoring | RDP | | true |
| GLOBAL | live_monitoring | VNC | | true |
| GLOBAL | live_monitoring | Web | | true |
| GLOBAL | invalidated_session_cache | Session Cache Size | Set a positive size for the invalidated session cache. The size determines the number of invalidated sessions the cache can hold before eviction. | true |
| GLOBAL | watermarking | Heading | | false |
| GLOBAL | watermarking | Watermark | | false |
| GLOBAL | mobile_gw | Use static IPs | Static IPs are used when there is a need for whitelisting outgoing traffic from PrivX. | true |
| DB-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| DB-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| DB-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| DB-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| DB-PROXY | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| DB-PROXY | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| DB-PROXY | dbproxy_internal | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| DB-PROXY | certificates | Key Type | The Database Proxy server's key pair used to generate dynamic TLS certificates for database connections. | true |
| DB-PROXY | certificates | RSA Key Size | RSA key size (bits). | true |
| DB-PROXY | certificates | ECDSA Key Size | ECDSA key size (bits). | true |
| DB-PROXY | certificates | Cache Size | Cache size for dynamically generated TLS certificates. | true |
| DB-PROXY | host_trust_anchors | Host Certificate Trust Anchors | Specify host certificate trust anchor PEM certificates. | true |
| DB-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| EXTENDER-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| EXTENDER-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| EXTENDER-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| EXTENDER-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| EXTENDER-SERVICE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| EXTENDER-SERVICE | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| EXTENDER-SERVICE | service | Listener Address Mode | Listener address resolution mode. | true |
| EXTENDER-SERVICE | service | Listener Addresses | List of IP addresses or IP subnet CIDRs used for resolving extender listener addresses. | true |
| EXTENDER-SERVICE | service | Listener Port Min | Port range start for extender listeners. | true |
| EXTENDER-SERVICE | service | Listener Port Max | Port range end for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Port Min | UDP port range start for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Port Max | UDP port range end for extender listeners. | true |
| EXTENDER-SERVICE | service | UDP Listener Reconnect Count | Reconnection attempts to the extender for UDP listeners. | true |
| EXTENDER-SERVICE | service | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| EXTENDER-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| HOST-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| HOST-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| HOST-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| HOST-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| HOST-STORE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| HOST-STORE | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| HOST-STORE | health-check-options | Health checks enabled | Configure whether PrivX performs network connectivity health checks for services. | true |
| HOST-STORE | health-check-options | Health Check Interval (Seconds) | Interval between health check runs, in seconds. | true |
| HOST-STORE | health-check-options | Maximum Requests Per Second | Maximum service health check requests per second per worker. | true |
| HOST-STORE | health-check-options | Maximum Workers | Maximum concurrent service health check requests. | true |
| HOST-STORE | host-house-keeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Housekeeping expunges deleted hosts from the database once they have been deleted for longer than the configured expunction delay. Set to 0 to disable housekeeping. | true |
| HOST-STORE | host-house-keeping | Deleted Host Expunction Delay (Hours) | The delay (in hours) between when a host is deleted and when it is permanently removed. | true |
| HOST-STORE | initial-host-service-options-ssh | Shell | | true |
| HOST-STORE | initial-host-service-options-ssh | File Transfer | | true |
| HOST-STORE | initial-host-service-options-ssh | Exec | | true |
| HOST-STORE | initial-host-service-options-ssh | Tunnels | | true |
| HOST-STORE | initial-host-service-options-ssh | X11 Forwarding | | true |
| HOST-STORE | initial-host-service-options-ssh | Other | | true |
| HOST-STORE | initial-host-service-options-rdp | File Transfer | | true |
| HOST-STORE | initial-host-service-options-rdp | Audio | | true |
| HOST-STORE | initial-host-service-options-rdp | Clipboard | | true |
| HOST-STORE | initial-host-service-options-vnc | File Transfer | | true |
| HOST-STORE | initial-host-service-options-vnc | Clipboard | | true |
| HOST-STORE | initial-host-service-options-web | File Transfer | | true |
| HOST-STORE | initial-host-service-options-web | Audio | | true |
| HOST-STORE | initial-host-service-options-web | Clipboard | | true |
| HOST-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| LICENSE-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| LICENSE-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| LICENSE-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| LICENSE-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| LICENSE-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| LICENSE-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| LICENSE-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| MONITOR-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| MONITOR-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| MONITOR-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| MONITOR-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| MONITOR-SERVICE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| MONITOR-SERVICE | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| MONITOR-SERVICE | housekeeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Set to 0 to disable housekeeping. | true |
| MONITOR-SERVICE | housekeeping | Audit Event Data Retention Period (Days) | Number of days that audit events must be kept in the database. Set to -1 to disable audit event removal. | true |
| MONITOR-SERVICE | housekeeping | Status Check Interval (Seconds) | Interval between status checks, in seconds. Set to 0 to disable checks. | true |
| MONITOR-SERVICE | housekeeping | System Health Check Interval (Hours) | Interval between system health checks, in hours. Set to 0 to disable checks. | true |
| MONITOR-SERVICE | housekeeping | Database Cache Removal Interval (Seconds) | Interval for removing expired keys from the database cache, in seconds. Set to 0 to disable database cache removal. | true |
| MONITOR-SERVICE | housekeeping | Monitored Storage Locations | A list of PrivX instance storage mount locations and warning thresholds to be periodically checked for low disk space. Example: "/:5GB,/var/log:5GB,/var/privx/audit:10GB" | true |
| MONITOR-SERVICE | housekeeping | Inactive Status Expunction Delay (Hours) | The delay (in hours) before an inactive component's status is permanently removed when housekeeping runs. | true |
| MONITOR-SERVICE | housekeeping | Max threshold for components status (Seconds) | Maximum time, in seconds, that a component's status may go without received data before it is marked as an error. | true |
| MONITOR-SERVICE | housekeeping | Database Certificate Check Interval (Hours) | Interval for checking database certificate validity. Set to 0 to disable the check. | true |
| MONITOR-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| NETWORK-ACCESS-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| NETWORK-ACCESS-MANAGER | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| NETWORK-ACCESS-MANAGER | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| NETWORK-ACCESS-MANAGER | service | Housekeeping Interval (Seconds) | Interval between housekeeping runs, in minutes, for removing dead sessions from the PrivX router. | true |
| NETWORK-ACCESS-MANAGER | service | Router Session Removal Max Retries | Maximum number of retries for PrivX router session removal. | true |
| NETWORK-ACCESS-MANAGER | service | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| NETWORK-ACCESS-MANAGER | service | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| NETWORK-ACCESS-MANAGER | service | Metadata Update Interval (Seconds) | Interval for metadata updates to the connection manager (seconds). | true |
| NETWORK-ACCESS-MANAGER | service | Connection-Manager Timeout (Minutes) | Timeout for network target sessions when there is no connection to the connection manager (minutes). | true |
| NETWORK-ACCESS-MANAGER | service | Extender Connect Timeout (Seconds) | Connect timeout for extender target connections (seconds). | true |
| NETWORK-ACCESS-MANAGER | router | Routers | | true |
| NETWORK-ACCESS-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| RDP-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| RDP-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| RDP-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| RDP-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| RDP-MITM | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| RDP-MITM | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| RDP-MITM | rdp_mitm | Public Addresses | RDP Bastion public addresses. | true |
| RDP-MITM | rdp_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| RDP-MITM | rdp_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. | true |
| RDP-MITM | rdp_mitm | Allow role IP restrictions | Enable to enforce role context IP limitation checks. | true |
| RDP-MITM | rdp_mitm | FFmpeg Parameters | Video encoding parameters to be passed to the FFmpeg library. | true |
| RDP-MITM | rdp_mitm | Video Generator Workers | Number of workers that encode video simultaneously. | true |
| RDP-MITM | rdp_mitm | Video Generator Temporary Directory | Directory where temporary video files are generated before being stored as part of the trail. | true |
| RDP-MITM | rdp_mitm | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| RDP-MITM | certificates | Renewal Period (Months) | Certificate renewal period in months. | true |
| RDP-MITM | certificates | Renewal Period (Days) | Certificate renewal period in days. | true |
| RDP-MITM | certificates | Update automatically | Configure whether certificates should be updated automatically. | true |
| RDP-MITM | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| RDP-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| RDP-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| RDP-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| RDP-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| RDP-PROXY | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| RDP-PROXY | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| RDP-PROXY | rdp_proxy | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| RDP-PROXY | rdp_proxy | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. | true |
| RDP-PROXY | rdp_proxy | Web proxy enabled | Enable to allow a remote web proxy (Squid) to authorize web connections via the PrivX web proxy server. | true |
| RDP-PROXY | rdp_proxy | Smart card authentication enabled | Configure whether RDP smart card authentication is enabled. | true |
| RDP-PROXY | rdp_proxy | Smart card login failure workaround disabled | Disable the RDP smart card login failure workaround. | true |
| RDP-PROXY | rdp_proxy | Allow connecting to local address | Allow target connections to local interface addresses. | true |
| RDP-PROXY | rdp_proxy | Allow connecting to loopback address | Allow target connections to loopback addresses. | true |
| RDP-PROXY | rdp_proxy | Enable wallpaper | Enable desktop wallpaper for target hosts. Disabling this makes screen updates faster. | true |
| RDP-PROXY | rdp_proxy | Enable font smoothing | Enable font smoothing. Enabling this usually improves text quality. | true |
| RDP-PROXY | rdp_proxy | Shared Directory | RDP shared directory. | true |
| RDP-PROXY | rdp_proxy | Target Blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. | true |
| RDP-PROXY | rdp_proxy | Connectivity Test Timeout (Seconds) | Connection timeout while checking whether a target is reachable, in seconds. | true |
| RDP-PROXY | rdp_proxy | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. | true |
| RDP-PROXY | rdp_proxy | Connection Message Timeout (Seconds) | Timeout interval (seconds) for connection message reply. Default: 5 seconds. | true |
| RDP-PROXY | rdp_proxy | Implicit Secret Checkout Release Delay (Seconds) | Delay (seconds) for releasing the implicit secret checkout after login to the RDP target. | true |
| RDP-PROXY | certificates | Renewal Period (Months) | Certificate renewal period in months. | true |
| RDP-PROXY | certificates | Renewal Period (Days) | Certificate renewal period in days. | true |
| RDP-PROXY | certificates | Update automatically | Configure whether certificates should be updated automatically. | true |
| RDP-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| ROLE-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| ROLE-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| ROLE-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| ROLE-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| ROLE-STORE | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| ROLE-STORE | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| ROLE-STORE | authorizedkeys | Expired Keys Purge Interval (Hours) | Expired authorized keys purge interval in hours. Set to 0 to disable automatic deletion of expired authorized keys. | true |
| ROLE-STORE | authorizedkeys | Maximum Validity Period (Days) | Maximum validity period of an authorized key, in days. Valid values are 1-7300 days. | true |
| ROLE-STORE | authorizedkeys | Minimum RSA Key Size (Bits) | Minimum key size in bits for ssh-rsa keys. | true |
| ROLE-STORE | authorizedkeys | Supported Key Types | Specify the supported authorized key types for logging in to PrivX with user-specific authorized keys. | true |
| ROLE-STORE | aws | AWS support enabled | Specify whether AWS support is enabled. | true |
| ROLE-STORE | aws | Default Region | Default AWS region to use for API access. | true |
| ROLE-STORE | aws | Assume role enabled | Enable assume-role temporary session credentials. These credentials can be used to give PrivX users temporary access to the AWS API via the AWS CLI or scripting. | true |
| ROLE-STORE | aws | Assume Role Credential Expiration (Seconds) | Expiration time in seconds for assume-role temporary credentials. AWS service limits are minimum 900 (15 min), maximum 43200 (12 hours). Values above 3600 seconds require modifying the AWS target role config, or token grants will fail. | true |
| ROLE-STORE | aws | Federation tokens enabled | Enable federation token access. These credentials can be used to give SSH PrivX users temporary access to the AWS API via AWS roles. If both assume-role and federated role tokens are enabled, assume-role will be used. | true |
| ROLE-STORE | aws | Federation Token Expiration (Seconds) | Expiration time in seconds for federated tokens. AWS service limits are minimum 900 (15 min), maximum 129600 (36 hours). | true |
| ROLE-STORE | aws | Maximum number of AWS roles | Maximum number of AWS roles to fetch. This restriction is applied after role path or role name filtering is done. | true |
| ROLE-STORE | caching | Caching enabled | Specify whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. Additionally, it is used to define the size of the cache used for storing deleted roles. Disabling the setting is not recommended. | true |
| ROLE-STORE | caching | Rule evaluation cache enabled | Specify whether role rule evaluation results should be cached. Enabling this setting is recommended. | true |
| ROLE-STORE | caching | Local LRU Cache Size | Maximum entries in the local LRU cache. If the cache exceeds this size, the least recently used entries are purged. The minimum size of the cache should be greater than the number of active PrivX users + total PrivX role rule count. | true |
| ROLE-STORE | caching | Local Cache Sync Interval (Seconds) | Local cache periodic synchronization interval in seconds. Should be a relatively small value (default is 60 seconds). Set to 0 to disable synchronization. This setting should be enabled in HA environments. | true |
| ROLE-STORE | caching | Cache TTL (Seconds) | Cache TTL in seconds. Should be set to a relatively small value (a few minutes). However, setting this too low (e.g. less than 3 seconds) might cause synchronization issues when running multiple instances of the same service. | true |
| ROLE-STORE | caching | User Cache TTL (Seconds) | Cache TTL for user caching in seconds. If user data in the user cache has been refreshed more recently than the User Cache TTL setting, it won't be reloaded from the user directory. A value of 0 disables the cache. Note that disabling the cache forces fetching user data from the user directory every time user roles are resolved. Disabling the setting is NOT recommended. | true |
| ROLE-STORE | caching | Role Membership Count Cache TTL (Seconds) | Caching the count of role members (both implicit and explicit) on the role details page and in the API response. This only affects the displayed member count. The actual memberships remain unaffected. | true |
| ROLE-STORE | caching | Deleted Roles Cache Size | Size of the cache that stores deleted roles in memory. Minimum value is 1000 and maximum value is 10000000 (10M). Default value is 1000000 (1M). | true |
| ROLE-STORE | directory | Blacklisted Host Tag Prefixes | When the "Import host instance tags from the directory" setting is enabled for a host directory, all host tags will be imported to PrivX except tags starting with these prefixes. | true |
| ROLE-STORE | housekeeping | SCIM Role Cleanup Interval (Minutes) | Interval between housekeeping runs, in minutes, for clearing up unused roles created by SCIM directories. Set to 0 to disable housekeeping. | true |
| ROLE-STORE | housekeeping | User Active Interval (Seconds) | Interval after the last login during which a user is considered active. If the user has not logged in within this interval, the user is considered inactive and housekeeping is applied to that user (this includes deleting user settings, explicit role mappings, authorized keys and OIDC user data). Note that this behavior is not applied to Local users and API clients. | true |
| ROLE-STORE | ldap | Nested groups enabled | Enable nested groups for role mappings. Enables the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter for role queries against user directories. This option affects only role mappings. AD directory settings are not affected by this setting. | true |
| ROLE-STORE | ldap | Default Cache TTL (Seconds) | Default LDAP cache TTL in seconds. Used if no TTL is specified for an LDAP directory. If you have many users or very slow LDAP servers, set the TTL to a higher value. | true |
| ROLE-STORE | ldap | LDAP Query Pagination Size | LDAP query pagination size. The default maximum for Active Directory is 1000. Use as high a value as possible for maximum performance. | true |
| ROLE-STORE | ldap | LDAP Attributes Filter | Specifies which attributes to fetch from LDAP for caching. Leaving this empty will fetch all attributes for LDAP objects. Filtering out unused attributes reduces memory consumption and improves query times. Note that only the specified attributes can be used in LDAP query filters and role source rules. The recommended attributes filter is: objectClass cn dn distinguishedName whenCreated whenChanged name userPrincipalName givenName company departmentNumber mail email mobile sAMAccountName uid memberOf entryDN displayName userAccountControl groupType servicePrincipalName objectCategory objectGUID objectSID | true |
| ROLE-STORE | ldap | Default User Filter | Default pre-filter to use when searching users. Not required, but allows using shorter LDAP search strings. Use this to filter out non-user objects. Directory-level user filters override this default setting. Leaving the user filter empty increases memory consumption. The recommended attribute filter is: ((objectClass=user)(objectClass=person)(objectClass=inetOrgPerson)) | |
| ROLE-STORE | ldap | Global AD User Filter | Automatically append this filter to Active Directory requests when fetching users or mapping roles. The recommended AD user filter for filtering out disabled users is: (!userAccountControl:1.2.840.113556.1.4.803:=2) | true |
| ROLE-STORE | scanning | Host Scanning Delay After Startup (Seconds) | Host scanning delay after starting the service, in seconds. | true |
| ROLE-STORE | scanning | AWS Role Scanning Delay After Startup (Seconds) | AWS role scanning delay after starting the service, in seconds. | true |
| ROLE-STORE | scanning | Host Scanning Interval (Seconds) | Default interval between host scanning runs, in seconds. | true |
| ROLE-STORE | scanning | Role Membership Count Update Enabled | Whether or not the role membership counts are automatically updated in the background. Enabling this feature in large environments may cause slowness, so proceed carefully. Even if disabled, individual role member counts can still be viewed. | true |
| ROLE-STORE | scanning | Role Membership Count Update Interval (Seconds) | Frequency for resolving granted membership counts for roles, in seconds. | true |
| ROLE-STORE | scim | Max Results | Maximum page size for SCIM GET requests. | true |
| ROLE-STORE | principal_keys | Add on role creation | When True, principal keys are created at the time of role creation. Defaults to False. | true |
| ROLE-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to the PrivX database, but only logged to syslog. | true |
| SSH-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. | true |
| SSH-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. | true |
| SSH-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. | true |
| SSH-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set 0 to allow an unlimited number of open connections. | true |
| SSH-MITM | logging | Log Level | Service log level. Set to DEFAULT to use the environment value. | false |
| SSH-MITM | logging | Trace Level | Service trace level. Set to -1 to use the environment value. | false |
| SSH-MITM | ssh_mitm | Public Addresses | SSH Bastion public addresses. | true |
| SSH-MITM | ssh_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. | true |
| SSH-MITM | ssh_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. | true |
SSH-MITMssh_mitmAllow role IP restrictionsEnable to enforce role context IP limitation checks.true
SSH-MITMssh_mitmAllow connecting to local addressAllow target connections to local interface addresses.true
SSH-MITMssh_mitmAllow connecting to loopback addressAllow target connections to loopback addresses.true
SSH-MITMssh_mitmHostkey AlgorithmsSupported hostkey algorithms.true
SSH-MITMssh_mitmTarget BlacklistA comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets.true
SSH-MITMssh_mitmMetadata Update Interval (Seconds)Interval for metadata updates to connection manager, in seconds.true
SSH-MITMssh_mitmWebSocket Keepalive Interval (Seconds)WebSocket keepalive interval, in seconds.true
SSH-MITMssh_mitmSSH exec connection idle timeout (Seconds)SSH exec connection idle timeout, in seconds.true
SSH-MITMssh_mitmConnection Message Timeout (Seconds)Timeout interval (seconds) for connection message reply. Default: 5 seconds.true
SSH-MITMauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
SSH-PROXYdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
SSH-PROXYdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
SSH-PROXYdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
SSH-PROXYdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
SSH-PROXYloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
SSH-PROXYloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
SSH-PROXYssh_proxyReauthorization Interval (Seconds)Reauthorization interval, in seconds.true
SSH-PROXYssh_proxyExtender enabledEnable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks.true
SSH-PROXYssh_proxyForwarder enabledEnable to allow forwarding of SSH connections from the PrivX agent.true
SSH-PROXYssh_proxyAllow connecting to local addressAllow target connections to local interface addresses.true
SSH-PROXYssh_proxyAllow connecting to loopback addressAllow target connections to loopback addresses.true
SSH-PROXYssh_proxyTarget BlacklistA comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets.true
SSH-PROXYssh_proxyMetadata Update Interval (Seconds)Interval for metadata updates to connection manager, in seconds.true
SSH-PROXYssh_proxySSH Keepalive Interval (Seconds)Target ssh connection keepalive interval, in seconds.true
SSH-PROXYssh_proxyWebSocket Keepalive Interval (Seconds)WebSocket keepalive interval, in seconds.true
SSH-PROXYssh_proxyConnection Message Timeout (Seconds)Timeout interval (seconds) for connection message reply. Default: 5 seconds.true
SSH-PROXYauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
TRAIL-INDEXdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
TRAIL-INDEXdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
TRAIL-INDEXdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
TRAIL-INDEXdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
TRAIL-INDEXloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
TRAIL-INDEXloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
TRAIL-INDEXhousekeepingHousekeeping Interval (Minutes)Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. Set to 0 to disable housekeeping.true
TRAIL-INDEXworkersNumber of WorkersMaximum audit trail indexing concurrency.true
TRAIL-INDEXauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
USER-STOREdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
USER-STOREdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
USER-STOREdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
USER-STOREdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
USER-STOREloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
USER-STOREloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
USER-STOREauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
VAULTdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
VAULTdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
VAULTdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
VAULTdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
VAULTloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
VAULTloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
VAULTsecretsSecret Schema DefinitionsSpecify secret schemas in JSON format as an array of schema objects, as shown in the example.true
VAULTauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
WORKFLOW-ENGINEdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
WORKFLOW-ENGINEdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
WORKFLOW-ENGINEdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
WORKFLOW-ENGINEdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
WORKFLOW-ENGINEloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
WORKFLOW-ENGINEloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
WORKFLOW-ENGINEhousekeepingRequests Housekeeping Interval (Hours)Interval for requests housekeeping, in hours.true
WORKFLOW-ENGINEauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.true
SECRETS-MANAGERdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.true
SECRETS-MANAGERdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.true
SECRETS-MANAGERdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.true
SECRETS-MANAGERdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.true
SECRETS-MANAGERloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
SECRETS-MANAGERloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse
SECRETS-MANAGERwinrmWinRM Host Certificate Trust AnchorSpecify WinRM host certificate trust anchor PEM certificates.true
SECRETS-MANAGERtargetdomainsAuto Onboarding LimitMaximum number of new target domain accounts scanned at a time that can be auto onboarded.false
SECRETS-MANAGERtargetdomainsAccount Removal Housekeeping IntervalInterval for deleting target domain accounts with the "removed" status, in minutes.false
SETTINGSloggingLog LevelService log level. Set to DEFAULT to use the environment valuefalse
SETTINGSloggingTrace LevelService trace level. Set to -1 to use the environment valuefalse