Configuring Proxy Connections

You can configure the connector to connect through a proxy server instead of connecting directly to the Athena service. When connecting through a proxy server, the connector supports basic authentication and NTLM authentication.

You provide the configuration information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

Important:

If you are connecting to Athena through a proxy server, make sure that the proxy server does not block port 444. The result set streaming API uses port 444 on the Athena server for outbound communications. For more information, see UseResultsetStreaming.

To configure a proxy connection:

  1. Set the ProxyHost property to the IP address or host name of your proxy server.
  2. Set the ProxyPort property to the number of the TCP port that the proxy server uses to listen for client connections.
  3. Optionally, to connect to certain hosts directly even when a proxy connection has been configured, set the NonProxyHosts property to a list of the hosts that you want to connect to directly.

    When specifying multiple hosts, each host must be separated by a pipe (|). You can specify patterns using asterisks (*) as wildcard characters. For example:

    NonProxyHosts=123.255.321.255|*.localhost|176.255.16.*

  4. If the proxy server requires authentication, do the following:
    1. Set the ProxyUID property to your user name for accessing the server.
    2. Set the ProxyPWD property to your password for accessing the server.
    3. To configure the connector to use the NTLM protocol, do the following:
      1. Set the ProxyDomain property to the Windows domain name of the server.
      2. Set the ProxyWorkstation property to the Windows workstation name of the server.
    4. To pre-emptively authenticate against the proxy server using basic authentication, set the PreemptiveBasicProxyAuth property to 1.

If the proxy server is configured to intercept SSL-encrypted connections, then in addition to setting the connection properties described above, you must also create a keystore containing the root certificate from the proxy server.

To create a keystore for SSL interception:

  1. From the proxy server, export the root certificate as a .cer file.
  2. On your client machine, use the Java Keytool to create a keystore containing the exported root certificate:
    1. In a command-line interface, type the following command, and then press ENTER:

      [JDKInstallDir]\bin\keytool.exe -import -file [RootCertPath] -keystore [KeystorePath] -alias proxy

      Where:

      • [JDKInstallDir] is the full path to the directory where the Java Development Kit is installed.
      • [RootCertPath] is the full path and name of the root certificate file that was exported from the proxy server.
      • [KeystorePath] is the full path and name of the keystore that you want to create.

      For example:

      "C:\Program Files\Java\jdk1.8.0\bin\keytool.exe" -import -file C:\Users\jsmith\Documents\Athena\ProxyRoot.cer -keystore C:\Users\jsmith\AthenaKeystores -alias proxy

    2. When you are prompted to provide a password, type a password for restricting access to the keystore and then press ENTER.
    3. When you are prompted to confirm your choices, type y and then press ENTER.
  3. Set the following Java system properties:

    javax.net.ssl.trustStore = [KeystorePath]

    javax.net.ssl.trustStorePassword = [KeystorePassword]

    Where:

    • [KeystorePath] is the full path and name of the keystore containing the exported root certificate.
    • [KeystorePassword] is the password for accessing the keystore.
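
Before pointing the JVM at the new keystore, it is worth confirming what it actually contains. The following check is an added example, not part of the connector or its documentation; the class name ProxyTrustStoreCheck and the environment variable TRUSTSTORE_PASSWORD are assumptions made for illustration, while the alias proxy comes from the keytool command above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example: inspects the keystore created with keytool before the JVM trusts it.
public class ProxyTrustStoreCheck {
    private static final String ALIAS = "proxy"; // alias used in the keytool command

    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: keystore path as the only argument, password in TRUSTSTORE_PASSWORD.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length != 1 || pw == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... java ProxyTrustStoreCheck <KeystorePath>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw.toCharArray()); // fails on a wrong password or a tampered file
        }
        Certificate cert = ks.getCertificate(ALIAS);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("No X.509 certificate under alias '" + ALIAS + "'");
        }
        X509Certificate root = (X509Certificate) cert;
        root.checkValidity(); // throws if the certificate is expired or not yet valid
        if (root.getBasicConstraints() < 0) {
            throw new IllegalStateException("Certificate under '" + ALIAS + "' is not a CA certificate");
        }
        System.out.println("Subject: " + root.getSubjectX500Principal().getName());
        System.out.println("SHA-256: " + sha256Fingerprint(root));
        System.out.println("Expires: " + root.getNotAfter());
        System.out.println("Entries: " + ks.size()); // every entry becomes a trusted root
    }
}
```

Compare the printed SHA-256 fingerprint with the value published by whoever operates the proxy. Setting javax.net.ssl.trustStore replaces the JVM's default trust store rather than adding to it, so any host reached directly over TLS (for example through NonProxyHosts) needs its issuing CA in this keystore as well.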