PrivX Settings

| Scope Name | Section Name | Property Name | Property Description |
|---|---|---|---|
| AUTH | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| AUTH | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| AUTH | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| AUTH | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| AUTH | loginratelimit | Enable username limit | When enabled, login attempts are limited per username + IP pair. |
| AUTH | loginratelimit | Username Attempts Burst Size | Maximum number of failed logins per user + IP pair. |
| AUTH | loginratelimit | Username Attempts Per Minute | Maximum number of login attempts per user + IP pair per minute. |
| AUTH | loginratelimit | Enable subnet limit | When enabled, login attempts are limited per IP subnet. |
| AUTH | loginratelimit | Subnet Attempts Burst Size | Maximum number of failed logins per subnet. |
| AUTH | loginratelimit | Subnet Attempts Per Minute | Maximum number of login attempts per subnet per minute. |
| AUTH | loginratelimit | Remote IP Whitelist | Whitelist of remote IP addresses. |
| AUTH | loginmethods | Enable passkey login | Enable passkey login and credential registration. |
| AUTH | loginmethods | Enable single sign-on (SSO) | Enable users to log in using single sign-on (SSO). |
| AUTH | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| AUTHORIZER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| AUTHORIZER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| AUTHORIZER | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| AUTHORIZER | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| AUTHORIZER | certificate_templates | SSH Certificate Templates | |
| AUTHORIZER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| CONNECTION-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| CONNECTION-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| CONNECTION-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| CONNECTION-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| CONNECTION-MANAGER | housekeeping | Housekeeping Interval (Minutes) | Interval for connection status housekeeping, in minutes. |
| CONNECTION-MANAGER | housekeeping | Connection Metadata Retention (Days) | Retention period for connection metadata, in days. Set to -1 to disable metadata removal. |
| CONNECTION-MANAGER | housekeeping | Trail Housekeeping Interval (Hours) | Interval for trail housekeeping, in hours. |
| CONNECTION-MANAGER | housekeeping | Check trail integrity during trail housekeeping | Enable to verify the integrity of recorded trails during housekeeping. |
| CONNECTION-MANAGER | housekeeping | Use SHA-256 checksum for trail integrity checker | Enable to use SHA-256 checksums when verifying the integrity of recorded trails. |
| CONNECTION-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| GLOBAL | audit | Connection Timeout When No Connection Manager (Minutes) | Set to 0 to disable the timeout and keep connections open. |
| GLOBAL | audit | Data Folder | Folder for audit trail data. |
| GLOBAL | audit | Trail Expiration (Days) | Set to -1 to disable trail removal. |
| GLOBAL | audit | Trail Transferred Files Expiration (Days) | Set to -1 to disable removal of downloaded/uploaded files. |
| GLOBAL | audit | Trail File Timestamp Obfuscation | Enable trail file and directory timestamp obfuscation. |
| GLOBAL | ldapconnections | Connection Timeout (Seconds) | The duration in seconds before the LDAP query connection times out. |
| GLOBAL | ldapconnections | Connection Retry Attempts | The number of times to retry if the LDAP query connection times out. |
| GLOBAL | ldapconnections | Use custom root certificates | Specify whether PrivX should use custom root certificates. |
| GLOBAL | ldapconnections | Use system certificates pool | Specify whether PrivX should use the system certificate pool. |
| GLOBAL | ldapconnections | Custom Root Certificate (PEM) | Specify a custom root certificate in PEM format, which is added to the certificate pool for LDAP connections. Note that the custom root certificates setting must be enabled to use this. |
| GLOBAL | disclaimer | Disclaimers | |
| GLOBAL | application_switcher | Universal SSH Key Manager URL | Enter the URL of the Universal SSH Key Manager web UI. |
| GLOBAL | rdp_common | Host Certificate Trust Anchor | Specify RDP host certificate trust anchor PEM certificates. |
| GLOBAL | rdp_common | Allow access to hosts using plain text VNC | |
| GLOBAL | ssh_common | Send SSH events to audit log | Enable sending SSH events to the audit log. |
| GLOBAL | ssh_common | Events to Audit | Supported SSH event types to audit. |
| GLOBAL | icap | File transfer scans for SSH Proxy | Configure whether PrivX performs virus scanning for transferred files. |
| GLOBAL | icap | File transfer scans for SSH Bastion | Configure whether PrivX performs virus scanning for files transferred via native SSH. |
| GLOBAL | icap | File transfer scans for RDP Proxy | Configure whether PrivX performs virus scanning for files transferred via the RDP and Web Access Gateways. |
| GLOBAL | icap | ICAP Server Hostname | Hostname of the ICAP proxy server. |
| GLOBAL | icap | ICAP Server Port | Port number of the ICAP proxy server. |
| GLOBAL | icap | ICAP RESPMOD URL | Send a response modification with HTTP request headers, using this URL. |
| GLOBAL | icap | ICAP REQMOD URL | Send a request modification instead of a response modification, using this URL. |
| GLOBAL | icap | ICAP Preview Size in Bytes | Maximum preview data size in bytes. Set to 0 to disable preview. |
| GLOBAL | icap | ICAP Service Name | Optional ICAP service name. |
| GLOBAL | live_monitoring | SSH | |
| GLOBAL | live_monitoring | RDP | |
| GLOBAL | live_monitoring | VNC | |
| GLOBAL | live_monitoring | Web | |
| GLOBAL | invalidated_session_cache | Session Cache Size | Set a positive size for the invalidated session cache. The size determines the number of invalidated sessions the cache can hold before eviction. |
| GLOBAL | watermarking | Heading | |
| GLOBAL | watermarking | Watermark | |
| GLOBAL | mobile_gw | Use static IPs | |
| DB-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| DB-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| DB-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| DB-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| DB-PROXY | dbproxy_internal | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| DB-PROXY | certificates | Key Type | Key type of the Database Proxy server's key pair used to generate dynamic TLS certificates for database connections. |
| DB-PROXY | certificates | RSA Key Size | RSA key size (bits). |
| DB-PROXY | certificates | ECDSA Key Size | ECDSA key size (bits). |
| DB-PROXY | certificates | Cache Size | Cache size for dynamically generated TLS certificates. |
| DB-PROXY | host_trust_anchors | Host Certificate Trust Anchors | Specify host certificate trust anchor PEM certificates. |
| DB-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| EXTENDER-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| EXTENDER-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| EXTENDER-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| EXTENDER-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| EXTENDER-SERVICE | service | Listener Address Mode | Listener address resolution mode. |
| EXTENDER-SERVICE | service | Listener Addresses | List of IP addresses or IP subnet CIDRs used for resolving extender listener addresses. |
| EXTENDER-SERVICE | service | Listener Port Min | Port range start for extender listeners. |
| EXTENDER-SERVICE | service | Listener Port Max | Port range end for extender listeners. |
| EXTENDER-SERVICE | service | UDP Listener Port Min | UDP port range start for extender listeners. |
| EXTENDER-SERVICE | service | UDP Listener Port Max | UDP port range end for extender listeners. |
| EXTENDER-SERVICE | service | UDP Listener Reconnect Count | Number of reconnection attempts to the extender for UDP listeners. |
| EXTENDER-SERVICE | service | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. |
| EXTENDER-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| HOST-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| HOST-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| HOST-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| HOST-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| HOST-STORE | health-check-options | Health checks enabled | Configure whether PrivX performs network connectivity health checks for services. |
| HOST-STORE | health-check-options | Health Check Interval (Seconds) | Interval between health check runs, in seconds. |
| HOST-STORE | health-check-options | Maximum Requests Per Second | Maximum number of service health check requests per second per worker. |
| HOST-STORE | health-check-options | Maximum Workers | Maximum number of concurrent service health check requests. |
| HOST-STORE | host-house-keeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Housekeeping expunges deleted hosts from the database once they have been deleted for longer than the configured expunction delay. Set to 0 to disable housekeeping. |
| HOST-STORE | host-house-keeping | Deleted Host Expunction Delay (Hours) | The delay, in hours, between when a host is deleted and when it is permanently removed. |
| HOST-STORE | initial-host-service-options-ssh | Shell | |
| HOST-STORE | initial-host-service-options-ssh | File Transfer | |
| HOST-STORE | initial-host-service-options-ssh | Exec | |
| HOST-STORE | initial-host-service-options-ssh | Tunnels | |
| HOST-STORE | initial-host-service-options-ssh | X11 Forwarding | |
| HOST-STORE | initial-host-service-options-ssh | Other | |
| HOST-STORE | initial-host-service-options-rdp | File Transfer | |
| HOST-STORE | initial-host-service-options-rdp | Audio | |
| HOST-STORE | initial-host-service-options-rdp | Clipboard | |
| HOST-STORE | initial-host-service-options-vnc | File Transfer | |
| HOST-STORE | initial-host-service-options-vnc | Clipboard | |
| HOST-STORE | initial-host-service-options-web | File Transfer | |
| HOST-STORE | initial-host-service-options-web | Audio | |
| HOST-STORE | initial-host-service-options-web | Clipboard | |
| HOST-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| LICENSE-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| LICENSE-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| LICENSE-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| LICENSE-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| LICENSE-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| MONITOR-SERVICE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| MONITOR-SERVICE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| MONITOR-SERVICE | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| MONITOR-SERVICE | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| MONITOR-SERVICE | housekeeping | Housekeeping Interval (Hours) | Interval between housekeeping runs, in hours. Set to 0 to disable housekeeping. |
| MONITOR-SERVICE | housekeeping | Audit Event Data Retention Period (Days) | Number of days that audit events must be kept in the database. Set to -1 to disable audit event removal. |
| MONITOR-SERVICE | housekeeping | Status Check Interval (Seconds) | Interval between status checks, in seconds. Set to 0 to disable checks. |
| MONITOR-SERVICE | housekeeping | System Health Check Interval (Hours) | Interval between system health checks, in hours. Set to 0 to disable checks. |
| MONITOR-SERVICE | housekeeping | Database Cache Removal Interval (Seconds) | Interval for removing expired keys from the database cache, in seconds. Set to 0 to disable database cache removal. |
| MONITOR-SERVICE | housekeeping | External Component Low Disk Space Warning Threshold (GB) | External component low disk space warning threshold, in GB. Set to 0 to disable the external component low disk space warning. |
| MONITOR-SERVICE | housekeeping | Inactive Status Expunction Delay (Hours) | The delay, in hours, before an inactive component's status is permanently removed when housekeeping runs. |
| MONITOR-SERVICE | housekeeping | Database Certificate Check Interval (Hours) | Interval for checking database certificate validity. Set to 0 to disable the check. |
| MONITOR-SERVICE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| NETWORK-ACCESS-MANAGER | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| NETWORK-ACCESS-MANAGER | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| NETWORK-ACCESS-MANAGER | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| NETWORK-ACCESS-MANAGER | service | Housekeeping Interval (Seconds) | Interval between housekeeping runs, in minutes, for removing dead sessions from the PrivX router. |
| NETWORK-ACCESS-MANAGER | service | Router Session Removal Max Retries | Maximum number of retries for PrivX router session removal. |
| NETWORK-ACCESS-MANAGER | service | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| NETWORK-ACCESS-MANAGER | service | Connection Message Timeout (Seconds) | Timeout interval for a connection message reply, in seconds. Default: 5 seconds. |
| NETWORK-ACCESS-MANAGER | service | Metadata Update Interval (Seconds) | Interval for metadata updates to the connection manager, in seconds. |
| NETWORK-ACCESS-MANAGER | service | Connection-Manager Timeout (Minutes) | Timeout for network target sessions when there is no connection to the connection manager, in minutes. |
| NETWORK-ACCESS-MANAGER | service | Extender Connect Timeout (Seconds) | Connect timeout for extender target connections, in seconds. |
| NETWORK-ACCESS-MANAGER | router | Routers | |
| NETWORK-ACCESS-MANAGER | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| RDP-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| RDP-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| RDP-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| RDP-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| RDP-MITM | rdp_mitm | Public Addresses | RDP Bastion public addresses. |
| RDP-MITM | rdp_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| RDP-MITM | rdp_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| RDP-MITM | rdp_mitm | Allow role IP restrictions | Enable to enforce role context IP limitation checks. |
| RDP-MITM | rdp_mitm | FFmpeg Parameters | Video encoding parameters passed to the FFmpeg library. |
| RDP-MITM | rdp_mitm | Video Generator Workers | Number of workers that encode video simultaneously. |
| RDP-MITM | rdp_mitm | Video Generator Temporary Directory | Directory where temporary video files are generated before being stored as part of the trail. |
| RDP-MITM | rdp_mitm | Connection Message Timeout (Seconds) | Timeout interval for a connection message reply, in seconds. Default: 5 seconds. |
| RDP-MITM | certificates | Renewal Period (Months) | Certificate renewal period, in months. |
| RDP-MITM | certificates | Renewal Period (Days) | Certificate renewal period, in days. |
| RDP-MITM | certificates | Update automatically | Configure whether certificates should be updated automatically. |
| RDP-MITM | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| RDP-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| RDP-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| RDP-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| RDP-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| RDP-PROXY | rdp_proxy | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| RDP-PROXY | rdp_proxy | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| RDP-PROXY | rdp_proxy | Web proxy enabled | Enable to allow a remote web proxy (Squid) to authorize web connections via the PrivX web proxy server. |
| RDP-PROXY | rdp_proxy | Smart card authentication enabled | Configure whether RDP smart card authentication is enabled. |
| RDP-PROXY | rdp_proxy | Smart card login failure workaround disabled | Disable the RDP smart card login failure workaround. |
| RDP-PROXY | rdp_proxy | Allow connecting to local address | Allow target connections to local interface addresses. |
| RDP-PROXY | rdp_proxy | Allow connecting to loopback address | Allow target connections to loopback addresses. |
| RDP-PROXY | rdp_proxy | Enable wallpaper | Enable desktop wallpaper for target hosts. Disabling this makes screen updates faster. |
| RDP-PROXY | rdp_proxy | Enable font smoothing | Enable font smoothing. Enabling this usually improves text quality. |
| RDP-PROXY | rdp_proxy | Shared Directory | RDP shared directory. |
| RDP-PROXY | rdp_proxy | Target Blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. |
| RDP-PROXY | rdp_proxy | Connectivity Test Timeout (Seconds) | Connection timeout while checking whether a target is reachable, in seconds. |
| RDP-PROXY | rdp_proxy | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. |
| RDP-PROXY | rdp_proxy | Connection Message Timeout (Seconds) | Timeout interval for a connection message reply, in seconds. Default: 5 seconds. |
| RDP-PROXY | certificates | Renewal Period (Months) | Certificate renewal period, in months. |
| RDP-PROXY | certificates | Renewal Period (Days) | Certificate renewal period, in days. |
| RDP-PROXY | certificates | Update automatically | Configure whether certificates should be updated automatically. |
| RDP-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| ROLE-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| ROLE-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| ROLE-STORE | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| ROLE-STORE | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| ROLE-STORE | authorizedkeys | Expired Keys Purge Interval (Hours) | Expired authorized keys purge interval, in hours. Set to 0 to disable automatic deletion of expired authorized keys. |
| ROLE-STORE | authorizedkeys | Maximum Validity Period (Days) | Maximum validity period of an authorized key, in days. Valid values are 1-7300 days. |
| ROLE-STORE | authorizedkeys | Minimum RSA Key Size (Bits) | Minimum key size in bits for ssh-rsa keys. |
| ROLE-STORE | authorizedkeys | Supported Key Types | Specify the supported authorized key types for logging in to PrivX with user-specific authorized keys. |
| ROLE-STORE | aws | AWS support enabled | Specify whether AWS support is enabled. |
| ROLE-STORE | aws | Default Region | Default AWS region to use for API access. |
| ROLE-STORE | aws | Assume role enabled | Enable assume-role temporary session credentials. These credentials can be used to give PrivX users temporary access to the AWS API via the AWS CLI or scripting. |
| ROLE-STORE | aws | Assume Role Credential Expiration (Seconds) | Expiration time in seconds for assume-role temporary credentials. AWS service limits are minimum 900 (15 min), maximum 43200 (12 hours). Values above 3600 seconds require modifying the AWS target role configuration, or token grants will fail. |
| ROLE-STORE | aws | Federation tokens enabled | Enable federation token access. These credentials can be used to give SSH PrivX users temporary access to the AWS API via AWS roles. If both assume-role and federated role tokens are enabled, assume-role is used. |
| ROLE-STORE | aws | Federation Token Expiration (Seconds) | Expiration time in seconds for federated tokens. AWS service limits are minimum 900 (15 min), maximum 129600 (36 hours). |
| ROLE-STORE | aws | Maximum number of AWS roles | Maximum number of AWS roles to fetch. This restriction is applied after role path or role name filtering is done. |
| ROLE-STORE | caching | Caching enabled | Specify whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. Additionally, it is used to define the size of the cache used for storing deleted roles. Disabling the setting is not recommended. |
| ROLE-STORE | caching | Cache Type | Cache type. Local caching uses an in-memory LRU cache. Cache type "Local" is recommended for security reasons. |
| ROLE-STORE | caching | Rule evaluation cache enabled | Specify whether role rule evaluation results should be cached. Enabling this setting is recommended. |
| ROLE-STORE | caching | Local LRU Cache Size | Maximum entries in the local LRU cache. If the cache exceeds this size, the least recently used entries are purged. The cache size should be greater than the number of active PrivX users plus the total PrivX role rule count. |
| ROLE-STORE | caching | Local Cache Sync Interval (Seconds) | Local cache periodic synchronization interval, in seconds. Should be a relatively small value (default is 60 seconds). Set to 0 to disable synchronization. This setting should be enabled in HA environments. |
| ROLE-STORE | caching | Cache TTL (Seconds) | Cache TTL in seconds. Should be set to a relatively small value (a few minutes). However, setting this too low (e.g. less than 3 seconds) might cause synchronization issues when running multiple instances of the same service. |
| ROLE-STORE | caching | User Cache TTL (Seconds) | Cache TTL for user caching, in seconds. If user data in the user cache has been refreshed more recently than the User Cache TTL setting, it is not reloaded from the user directory. A value of 0 disables the cache. Note that disabling the cache forces fetching user data from the user directory every time user roles are resolved. Disabling the setting is NOT recommended. |
| ROLE-STORE | caching | Deleted Roles Cache Size | Size of the cache that stores deleted roles in memory. Minimum value is 1000 and maximum value is 10000000 (10M). Default value is 1000000 (1M). |
| ROLE-STORE | directory | Blacklisted Host Tag Prefixes | When the "Import host instance tags from the directory" setting is enabled for a host directory, all host tags are imported to PrivX except tags starting with these prefixes. |
| ROLE-STORE | housekeeping | SCIM Role Cleanup Interval (Minutes) | Interval between housekeeping runs, in minutes, for clearing up unused roles created by SCIM directories. Set to 0 to disable housekeeping. |
| ROLE-STORE | housekeeping | User Active Interval (Seconds) | Interval, counted from the last login, during which a user is considered active. If the user has not logged in within this interval, the user is considered inactive and housekeeping is applied to the user (this includes deleting user settings, explicit role mappings, authorized keys and OIDC user data). Note that this behavior is not applied to Local users and API-Clients. |
| ROLE-STORE | ldap | Nested groups enabled | Enable nested groups for role mappings. Enables the LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter for role queries against user directories. This option affects only role mappings. AD directory settings are not affected by this setting. |
| ROLE-STORE | ldap | Default Cache TTL (Seconds) | Default LDAP cache TTL in seconds. Used if no TTL is specified for an LDAP directory. If you have many users or very slow LDAP servers, set the TTL to a higher value. |
| ROLE-STORE | ldap | LDAP Query Pagination Size | LDAP query pagination size. The default maximum for Active Directory is 1000. Use as high a value as possible for maximum performance. |
| ROLE-STORE | ldap | LDAP Attributes Filter | Specifies which attributes to fetch from LDAP for caching. Leaving this empty fetches all attributes of LDAP objects. Filtering out unused attributes reduces memory consumption and improves query times. Note that only the specified attributes can be used in LDAP query filters and role source rules. The recommended attributes filter is: objectClass cn dn distinguishedName whenCreated whenChanged name userPrincipalName givenName company departmentNumber mail email mobile sAMAccountName uid memberOf entryDN displayName userAccountControl groupType servicePrincipalName objectCategory objectGUID objectSID |
| ROLE-STORE | ldap | Default User Filter | Default pre-filter to use when searching users. Not required, but allows using shorter LDAP search strings. Use this to filter out non-user objects. Directory-level user filters override this default setting. Leaving the user filter empty increases memory consumption. The recommended user filter is: (\|(objectClass=user)(objectClass=person)(objectClass=inetOrgPerson)) |
| ROLE-STORE | ldap | Global AD User Filter | Automatically append this filter to Active Directory requests when fetching users or mapping roles. The recommended AD user filter, which filters out disabled users, is: (!userAccountControl:1.2.840.113556.1.4.803:=2) |
| ROLE-STORE | scanning | Host Scanning Delay After Startup (Seconds) | Host scanning delay after starting the service, in seconds. |
| ROLE-STORE | scanning | AWS Role Scanning Delay After Startup (Seconds) | AWS role scanning delay after starting the service, in seconds. |
| ROLE-STORE | scanning | Host Scanning Interval (Seconds) | Default interval between host scanning runs, in seconds. |
| ROLE-STORE | scanning | Role Membership Count Update Interval (Seconds) | Frequency for resolving granted membership counts for roles, in seconds. |
| ROLE-STORE | scim | Max Results | Maximum page size for SCIM get requests. |
| ROLE-STORE | principal_keys | Add on role creation | When True, principal keys are created at the time of role creation. Defaults to False. |
| ROLE-STORE | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| SSH-MITM | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| SSH-MITM | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| SSH-MITM | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| SSH-MITM | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| SSH-MITM | ssh_mitm | Public Addresses | SSH Bastion public addresses. |
| SSH-MITM | ssh_mitm | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| SSH-MITM | ssh_mitm | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| SSH-MITM | ssh_mitm | Allow role IP restrictions | Enable to enforce role context IP limitation checks. |
| SSH-MITM | ssh_mitm | Allow connecting to local address | Allow target connections to local interface addresses. |
| SSH-MITM | ssh_mitm | Allow connecting to loopback address | Allow target connections to loopback addresses. |
| SSH-MITM | ssh_mitm | Hostkey Algorithms | Supported host key algorithms. |
| SSH-MITM | ssh_mitm | Target Blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| SSH-MITM | ssh_mitm | Metadata Update Interval (Seconds) | Interval for metadata updates to the connection manager, in seconds. |
| SSH-MITM | ssh_mitm | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. |
| SSH-MITM | ssh_mitm | SSH exec connection idle timeout (Seconds) | SSH exec connection idle timeout, in seconds. |
| SSH-MITM | ssh_mitm | Connection Message Timeout (Seconds) | Timeout interval for a connection message reply, in seconds. Default: 5 seconds. |
| SSH-MITM | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| SSH-PROXY | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| SSH-PROXY | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| SSH-PROXY | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| SSH-PROXY | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| SSH-PROXY | ssh_proxy | Reauthorization Interval (Seconds) | Reauthorization interval, in seconds. |
| SSH-PROXY | ssh_proxy | Extender enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| SSH-PROXY | ssh_proxy | Forwarder enabled | Enable to allow forwarding of SSH connections from the PrivX agent. |
| SSH-PROXY | ssh_proxy | Allow connecting to local address | Allow target connections to local interface addresses. |
| SSH-PROXY | ssh_proxy | Allow connecting to loopback address | Allow target connections to loopback addresses. |
| SSH-PROXY | ssh_proxy | Target Blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| SSH-PROXY | ssh_proxy | Metadata Update Interval (Seconds) | Interval for metadata updates to the connection manager, in seconds. |
| SSH-PROXY | ssh_proxy | SSH Keepalive Interval (Seconds) | Keepalive interval for the target SSH connection, in seconds. |
| SSH-PROXY | ssh_proxy | WebSocket Keepalive Interval (Seconds) | WebSocket keepalive interval, in seconds. |
| SSH-PROXY | ssh_proxy | Connection Message Timeout (Seconds) | Timeout interval for a connection message reply, in seconds. Default: 5 seconds. |
| SSH-PROXY | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| TRAIL-INDEX | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| TRAIL-INDEX | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
| TRAIL-INDEX | db | Maximum Idle Connections | Maximum number of idle database connections. Set to 0 to lazily remove all idle connections. |
| TRAIL-INDEX | db | Maximum Open Connections | Maximum number of open connections to the database. Set to 0 for an unlimited number of open connections. |
| TRAIL-INDEX | housekeeping | Housekeeping Interval (Minutes) | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. Set to 0 to disable housekeeping. |
| TRAIL-INDEX | workers | Number of Workers | Maximum audit trail indexing concurrency. |
| TRAIL-INDEX | auditevents | Exclusion List | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database, only logged to syslog. |
| USER-STORE | db | Maximum Connection Idle Time (Seconds) | Maximum amount of time a connection may be idle. Set to 0 to keep idle connections open instead of closing them lazily. |
| USER-STORE | db | Maximum Connection Lifetime (Seconds) | Maximum amount of time a connection may be reused. Set to 0 to reuse the connection forever. |
USER-STOREdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.
USER-STOREdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.
USER-STOREauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.
VAULTdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.
VAULTdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.
VAULTdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.
VAULTdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.
VAULTsecretsSecret Schema DefinitionsSpecify secret schemas in JSON format as an array of schema objects, as shown in the example.
VAULTauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.
WORKFLOW-ENGINEdbMaximum Connection Idle Time (Seconds)Maximum amount of time a connection may be idle. Set 0 to keep the idle connections open from lazily closed.
WORKFLOW-ENGINEdbMaximum Connection Lifetime (Seconds)Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever.
WORKFLOW-ENGINEdbMaximum Idle ConnectionsMaximum number of idle database connections. Set 0 to lazily remove all idle connections.
WORKFLOW-ENGINEdbMaximum Open ConnectionsMaximum number of open connections to the database. Set 0 to use unlimited number of open connections.
WORKFLOW-ENGINEauditeventsExclusion ListComma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog.
SECRETS-MANAGERwinrmWinRM Host Certificate Trust AnchorSpecify WinRM host certificate trust anchor PEM certificates.