# Database GUI Clients This guide describes how to configure popular graphical database clients to work with Teleport. If you are using Teleport Connect to access your database, you can follow the instructions in the app to connect your GUI client. See [Using Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md#connecting-to-a-database). ## Prerequisites - A running Teleport cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tsh` client tool. Visit [Installation](https://goteleport.com/docs/installation.md) for instructions on downloading `tsh`. See the [Using Teleport Connect](https://goteleport.com/docs/connect-your-client/teleport-clients/teleport-connect.md) guide for a graphical desktop client that includes `tsh`. - To check that you can connect to your Teleport cluster, sign in with `tsh login`. For example: ``` $ tsh login --proxy=teleport.example.com --user=myuser@example.com ``` - The Teleport Database Service configured to access a database. See one of our [guides](https://goteleport.com/docs/enroll-resources/database-access/guides.md) for how to set up the Teleport Database Service for your database. ## How GUI clients access Teleport-protected databases In a typical setup, clients accessing a database protected by Teleport send traffic to the Teleport Proxy Service in the database's native protocol, and the Proxy Service forwards the traffic to and from the protected database. End users use TLS certificates to authenticate with Teleport-protected databases. GUI clients need to present a certificate to the Teleport Database Service and check the database server certificate issued by a Teleport-protected database. There are three ways to do this: - **Authenticated tunnel (recommended):** `tsh` or Teleport Connect starts a local proxy. A database GUI client establishes an unauthenticated connection with the local proxy. Before forwarding the connection to the Teleport-protected database, the local proxy automatically secures the connection with the Teleport user's client certificate. - **Unauthenticated local proxy:** `tsh` starts a local proxy that routes connections to the Teleport-protected database, but the proxy itself doesn't handle authentication. The user configures a database GUI client to provide the user certificate, private key, and CA certificate at paths printed by `tsh`. (Teleport Connect can start an authenticated tunnel but not an unauthenticated local proxy.) - **Using a remote host and port:** For self-hosted clusters with TLS multiplexing disabled on the Teleport Proxy Service, you can configure GUI clients to communicate with a port on the Proxy Service reserved for traffic in the protected database's protocol. We recommend TLS multiplexing for a typical Teleport cluster, and it is enabled by default on Teleport Cloud. To access a Teleport-protected database with a GUI client, you will need to retrieve connection information to pass to your client. Determine the database to access by listing databases you can connect to: ``` $ tsh db ls Name ------------------- database-name ``` Replace database-name with the name of the database you want to connect to. ### Authenticated tunnel To start the local authenticated tunnel, run the following command, ``` $ tsh proxy db --tunnel database-name Started authenticated tunnel for the database "database-name" in cluster "" on 127.0.0.1:62652. ``` Starting the local database proxy with the `--tunnel` flag will create an authenticated tunnel that you can use to connect to your database instances. You can optionally specify the database name and the user to use by default when connecting to the database: ``` $ tsh proxy db --db-user=my-database-user --db-name=my-schema --tunnel database-name ``` Now, you can connect to the address the proxy command returns. In our example it is `127.0.0.1:62652`. ### Local proxy server Use the `tsh proxy db` command to start a local TLS proxy your GUI database client will be connecting to. Run a command similar to the following: ``` $ tsh proxy db database-name Started DB proxy on 127.0.0.1:61740 Use following credentials to connect to the database-name proxy: ca_file=/Users/r0mant/.tsh/keys/root.gravitational.io/certs.pem cert_file=/Users/r0mant/.tsh/keys/root.gravitational.io/alice-db/root/database-name-x509.pem key_file=/Users/r0mant/.tsh/keys/root.gravitational.io/alice ``` Use the displayed local proxy host/port and credentials paths when configuring your GUI client below. When entering the hostname, use `localhost` rather than `127.0.0.1`. ### Remote host and port If you are self-hosting Teleport and not using [TLS routing](https://goteleport.com/docs/zero-trust-access/deploy-a-cluster/tls-routing.md), run the following command to see the database connection information: ``` View configuration for the database you're logged in to. $ tsh db config View configuration for the specific database when you're logged into multiple. $ tsh db config example ``` It will display the path to your locally cached certificate and key files: ``` Name: example Host: teleport.example.com Port: 3080 User: postgres Database: postgres CA: /Users/alice/.tsh/keys/teleport.example.com/certs.pem Cert: /Users/alice/.tsh/keys/teleport.example.com/alice-db/root/example-x509.pem Key: /Users/alice/.tsh/keys/teleport.example.com/alice ``` The displayed `CA`, `Cert`, and `Key` files are used to connect through pgAdmin 4, MySQL Workbench, and other graphical database clients that support mutual TLS authentication. ## MongoDB Compass [Compass](https://www.mongodb.com/products/compass) is the official MongoDB graphical client. On the "New Connection" panel, click on "Fill in connection fields individually". ![MongoDB Compass new connection](/docs/assets/images/compass-new-connection@2x-c371b2d90aad337b729f8ed16e154284.png) On the "Hostname" tab, enter the hostname and port of the proxy you will use to access the database (see [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases)). Leave "Authentication" as None. ![MongoDB Compass hostname](/docs/assets/images/compass-hostname@2x-e6ef4c1fc10d27b3592c1ceb9cdf0fcc.png) On the "More Options" tab, set SSL to "Client and Server Validation" and set the CA as well as the client key and certificate. Note that a CA path must be provided and be able to validate the certificate presented by your Teleport Proxy Service's web endpoint. ![MongoDB Compass more options](/docs/assets/images/compass-more-options@2x-f01e514f90713417d1fc5e38094b925b.png) The following fields in the More Options tab must correspond to paths printed by the `tsh proxy db` command you ran earlier: | Field | Path | | --------------------- | ----------- | | Certificate Authority | `ca_file` | | Client Certificate | `cert_file` | | Client Private Key | `key_file` | Click on the "Connect" button. ## MySQL DBeaver Right-click in the "Database Navigator" menu in the main view and select Create > Connection: ![DBeaver Add Server](/docs/assets/images/dbeaver-add-server-3ff12106b710549d79713d464853fa20.png) In the search bar of the "Connect to a database" window that opens up, type "mysql", select the MySQL driver, and click "Next": ![DBeaver Select Driver](/docs/assets/images/dbeaver-select-driver-2a56dd0402e70903c60079b2cc0a7a97.png) In the newly-opened "Connection Settings" tab, use the Host as `localhost` and Port as the one returned by the proxy command (`62652` in the example above): ![DBeaver Select Configure Server](/docs/assets/images/dbeaver-configure-server-6dcaef7996eef2bc9b5e853237e17f49.png) In that same tab, set the username to match the one that you are connecting to using Teleport and uncheck the "Save password locally" box: ![DBeaver Select Configure User](/docs/assets/images/dbeaver-configure-user-b7aeb2635a43b0ccd2200cafb393a6a9.png) Click the "Edit Driver Settings" button on the "Main" tab, check the "No Authentication" box, and click "Ok" to save: ![DBeaver Driver Settings](/docs/assets/images/dbeaver-driver-settings-5973ddffe8a149a03825cf8accae55d2.png) Once you are back in the "Connection Settings" window, click "Ok" to finish and DBeaver should connect to the remote MySQL server automatically. ## MySQL Workbench [MySQL Workbench](https://www.mysql.com/products/workbench/) is a GUI application that provides comprehensive MySQL administration and SQL development tools. In the MySQL Workbench "Setup New Connection" dialog, fill out "Connection Name", "Hostname", "Port", and "Username": ![MySQL Workbench Parameters](/docs/assets/images/workbench-parameters@2x-a84e7176b51917f9112364fcbab2c7be.png) In the "SSL" tab, set "Use SSL" to `Require and Verify Identity` and enter the paths to your CA, certificate, and private key files (see [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases)): ![MySQL Workbench SSL](/docs/assets/images/workbench-ssl@2x-a5e655882be08a88bba3f8794c95e27a.png) The following fields in the SSL tab must correspond to paths printed by the `tsh proxy db` command you ran earlier: | Field | Path | | ------------- | ----------- | | SSL Key File | `key_file` | | SSL CERT File | `cert_file` | | SSL CA File | `ca_file` | Optionally, click "Test Connection" to verify connectivity: ![MySQL Workbench Test](/docs/assets/images/workbench-test@2x-ab6872e82d7664ef80fa21e7cd74179f.png) Save the connection and connect to the database. ## NoSQL Workbench From the NoSQL Workbench launch screen, click **Launch** next to **Amazon DynamoDB**. From the left-side menu select **Operation builder**, then **+ Add connection**. Choose the **DynamoDB local** tab, and point to your proxy's endpoint. This is `localhost:62652` in the example above. (See [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information.) ![DynamoDB local connection in NoSQL Workbench](/docs/assets/images/nosql-workbench-connection-d3ba15c4cf1440d624bc5356aebbfe7c.png) ## SQL Server with Azure Data Studio In Azure Data Studio create a connection using your proxy's endpoint. This is `localhost,62652` in the example above. On a Windows machine, using an address in the format `127.0.0.1,62652` could be required instead of `localhost`. (See [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information.) Create a connection with Microsoft SQL Server with these settings: | Connection Detail | Value | | ------------------- | ------------------------------- | | Server | `host`,`port` of proxy endpoint | | Authentication Type | SQL Login | | Password | empty | | Encrypt | `False` | Example: ![Azure Data Studio connection options](/docs/assets/images/azure-data-studio-connection-036b4d2c5073e896b488ed2e0977ba57.png) Click **Connect** to connect. ## PostgreSQL DBeaver To connect to your PostgreSQL instance, use the authenticated proxy address. This is `127.0.0.1:62652` in the example above (see the “Authenticated Proxy” section on [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information). Use the "Database native" authentication with an empty password: ![DBeaver Postgres Configure Server](/docs/assets/images/dbeaver-pg-configure-server-abc54492204a62b7516eb8b6bdc80bb4.png) Clicking on "Test connection" should return a connection success message. Then, click on "Finish" to save the configuration. ## PostgreSQL pgAdmin 4 [pgAdmin 4](https://www.pgadmin.org/) is a popular graphical client for PostgreSQL servers. To configure a new connection, right-click on "Servers" in the main browser view and create a new server: ![pgAdmin Add Server](/docs/assets/images/pgadmin-add-server@2x-4713d87420203bb5973c71f15cf2f81d.png) In the "General" tab of the new server dialog, enter the server connection name: ![pgAdmin General](/docs/assets/images/pgadmin-general@2x-65531bd1c6b5eab24aed410f4b5a6c82.png) In the "Connection" tab, fill in the hostname, port, user and database name from the configuration above: ![pgAdmin Connection](/docs/assets/images/pgadmin-connection@2x-02e99d4d9e93cde75cc26ebaf8b9d3d0.png) In the "SSL" tab, set "SSL Mode" to `Verify-Full` and fill in paths for client certificate, key and root certificate from the configuration above: ![pgAdmin SSL](/docs/assets/images/pgadmin-ssl@2x-144e8b11c0e528adec7691e7f477577e.png) The following fields in the SSL tab must correspond to paths printed by the `tsh proxy db` command you ran earlier: | Field | Path | | ---------------------- | ----------- | | Client certificate | `cert_file` | | Client certificate key | `key_file` | | Root certificate | `ca_file` | Click "Save", and pgAdmin should immediately connect. If pgAdmin prompts you for password, leave the password field empty and click OK. ## Microsoft SQL Server Management Studio In Microsoft SQL Server Management Studio connect to a database engine using your proxy's endpoint. This is `localhost,62652` in the example above. Using the IP `127.0.0.1,62652` connection could be required on a Windows machine instead of `localhost`. (See [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information.) Create a connection with Microsoft SQL Server with these settings: | Connection Detail | Value | | ----------------- | ------------------------------- | | Server type | Database Engine | | Server name | `host`,`port` of proxy endpoint | | Authentication | SQL Server Authentication | | Password | empty | | Encryption | do not enable | Example: ![Microsoft SQL Server Management Studio connection options](/docs/assets/images/msft-sql-server-management-studio-connection-21c02527ed9652f5a7bc5f25a3de912a.png) Click Connect to connect. ## Redis Insight --- NOTE Teleport's Redis Insight integration only supports Redis standalone instances. --- After opening Redis Insight click `ADD REDIS DATABASE`. ![Redis Insight Startup Screen](/docs/assets/images/redisinsight-startup-3b0fc51d0f5e547bceb8e90f88598936.png) Now start a local proxy to your Redis instance: `tsh proxy db --db-user=alice redis-db-name`. Click `Add Database Manually`. Use `127.0.0.1` as the `Host`. Use the port printed by the `tsh` command you ran in [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases). Provide your Redis username as `Username` and password as `Password`. ![Redis Insight Configuration](/docs/assets/images/redisinsight-add-config-6a568a99860e06ab26f01c577809781b.png) Next, check the `Use TLS` and `Verify TLS Certificates` boxes. Copy the contents of the files at the paths returned by the `tsh proxy db` command you ran earlier and paste them into their corresponding fields. See the table below for the Redis Insight fields that correspond to each path: | Field | Path | | ------------------ | ----------- | | CA Certificate | `ca_file` | | Client Certificate | `cert_file` | | Private Key | `key_file` | Click `Add Redis Database`. ![Redis Insight TLS Configuration](/docs/assets/images/redisinsight-tls-config-9e0ccd49a5a84732a2bfe9a2ee9e21c5.png) Congratulations! You have just connected to your Redis instance. ![Redis Insight Connected](/docs/assets/images/redisinsight-connected-b9b8d8c7ec8d76808d0793d7b0f62189.png) ## Snowflake: DBeaver The Snowflake integration works only in the authenticated proxy mode. Start a local proxy for connections to your Snowflake database by using the command below: ``` tsh proxy db --tunnel --port 2000 snowflake ``` Add a new database by clicking the "add" icon in the top-left corner: ![DBeaver Main Screen](/docs/assets/images/dbeaver-main-screen-1ea402d2baa0fbbdd9261b5922aa5a99.png) In the search bar of the "Connect to a database" window that opens up, type "snowflake", select the Snowflake driver, and click "Next": ![DBeaver Select Database](/docs/assets/images/dbeaver-select-database-0ceabcc97c75b188e69724d6428b6fa1.png) Set "Host" to `localhost` and "Port" to the port returned by the `tsh proxy db` command you ran earlier (`2000` in the example above). In the "Authentication" section set the "Username" to match the database username passed to Teleport with `--db-user` and enter any value (e.g., "teleport") in the "Password" field (the value of "Password" will be ignored when establishing a connection but is required by DBeaver to register your database): ![DBeaver Main](/docs/assets/images/dbeaver-main-a1e02cc318965fbf818b7b93f7afab70.png) Next, click the "Driver properties" tab and set "account" to any value (e.g., "teleport"; as with "Password", the value of "account" will be ignored when establishing a connection but is required by DBeaver to register your database). In "User properties", set "ssl" to `off`: ![DBeaver Driver](/docs/assets/images/dbeaver-driver-10cc6ba6a9dc5f16dc51ebeb724d9a1d.png) Teleport ignores the provided password and the account name as internally it uses values from the Database Agent configuration. SSL set to `off` disables only encryption on local machine. Connection to Snowflake is encrypted by Teleport. Now you can click on "Test Connection..." in the bottom-left corner: ![DBeaver Success](/docs/assets/images/dbeaver-success-e1a4cde9ebd437f8c1e8974b371c8c21.png) Congratulations! You have just connected to your Snowflake instance. ## Snowflake: JetBrains (IntelliJ, Goland, DataGrip, PyCharm, etc.) The Snowflake integration works only in the authenticated proxy mode. Start a local proxy for connections to your Snowflake database by using the command below: ``` tsh proxy db --tunnel --port 2000 snowflake ``` In "Database Explorer" click the "add" button, pick "Data Source", and then pick "Snowflake": ![JetBrains Add Database](/docs/assets/images/jetbrains-add-database-6dd6c73b866c853a0d18039925df2b3b.png) Next, set "Host" to `localhost` and "Port" to the port returned by the `tsh proxy db` command you ran earlier (`2000` in the example above). Set the "Username" to match the one that you are assuming when you connect to Snowflake via Teleport and enter any value (e.g., "teleport") in the "Password" field (the value of "Password" will be ignored but is required to create a data source in your IDE): ![JetBrains General](/docs/assets/images/jetbrains-general-ce1dc9d0ce83a1c2ca19a9f6b5dff6aa.png) Switch to the "Advanced" tab, set any value (e.g., "teleport") for "account", and add a new record named `ssl` with value `off` (as with "Password", "account" is ignored while establishing the connection but required by your IDE): ![JetBrains Advanced](/docs/assets/images/jetbrains-advanced-936c463b7219ae23f294a978dfc82c75.png) Teleport ignores the provided password and the account name as internally it uses values from the Database Agent configuration. Setting "SSL" to `off` only disables encryption on your local machine. The connection to Snowflake is encrypted by Teleport. Now you can click "Test Connection" to check your configuration. ![JetBrains Success](/docs/assets/images/jetbrains-success-08f211cd0a9ee96f826f11130a410a2c.png) Congratulations! You have just connected to your Snowflake instance. ## SQL Server DataGrip In the DataGrip connection configuration menu, use your proxy's endpoint. This is `localhost:4242` in the example below. (See [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information.) Select the "User & Password" authentication option and keep the "Password" field empty: ![DataGrip connection options](/docs/assets/images/datagrip-connection@2x-dd83e79101c1034ab977b24b58b3f830.png) Click "OK" to connect. ## SQL Server DBeaver In the DBeaver connection configuration menu, use your proxy's endpoint. This is `localhost:62652` in the example above. (See [Get connection information](https://goteleport.com/docs/connect-your-client/third-party/gui-clients.md#how-gui-clients-access-teleport-protected-databases) for more information.) Use the SQL Server Authentication option and keep the Password field empty: ![DBeaver connection options](/docs/assets/images/dbeaver-connection@2x-53752e35434571ea9e144d8506d71aa9.png) Click OK to connect. ## Cloud Spanner DataGrip The Cloud Spanner integration works only in the local proxy tunnel mode. Start a local proxy tunnel for connections to your Spanner database by using the command below: ``` $ tsh proxy db --tunnel --port 1443 spanner --db-user= --db-name= ``` The database user specified in `--db-user` should be the name of a GCP service account that can access the Spanner database. The name of the service account should be everything before the "@" of the service account email address, e.g. the name for `llama@example-project-123456.iam.gserviceaccount.com` is just "llama". --- TIP This command uses the local port 1443, but you can choose any port, or let `tsh` pick a local port at random if you omit the `--port` flag. You should specify a port to avoid the need to reconfigure your GUI client again later. --- From the DataGrip menu, click "File > New > Data Source from URL", then copy and paste the JDBC URL that was output by `tsh proxy db`: ![Create DataGrip Spanner Data Source From JDBC URL](/docs/assets/images/datagrip-data-source-from-jdbc-url@2x-aa7dc1db65c81309a36588e73fe50bbd.png) The "Google Cloud Spanner" driver should be automatically selected. Click "Ok". DataGrip does not need GCP credentials - those are already provided by Teleport. On the "General" tab of the new data source, select the "Authentication" dropdown setting and choose "No auth": ![Choose No Auth For DataGrip Spanner Data Source](/docs/assets/images/datagrip-choose-no-auth@2x-d2590b713ad3d04979422bb7b8898d7f.png) Click "Test connection" to ensure the connection is configured correctly, then click "Ok" to create the data source. --- NOTE If you want to re-use this data source later, you must either use the same tsh local port (1443 in this example), or you must edit the driver URL to match the port that the tsh local proxy is listening on. --- ## Cloud Spanner DBeaver The Cloud Spanner integration works only in the local proxy tunnel mode. Start a local proxy tunnel for connections to your Spanner database by using the command below: ``` $ tsh proxy db --tunnel --port 1443 spanner --db-user= --db-name= ``` The database user specified in `--db-user` should be the name of a GCP service account that can access the Spanner database. The name of the service account should be everything before the "@" of the service account email address, e.g. the name for `llama@example-project-123456.iam.gserviceaccount.com` is just "llama". --- TIP This command uses the local port 1443, but you can choose any port, or let `tsh` pick a local port at random if you omit the `--port` flag. You should specify a port to avoid the need to reconfigure your GUI client again later. --- From the menu, click "Database > Driver Manager": ![Open DBeaver Driver Manager](/docs/assets/images/dbeaver-open-driver-manager@2x-4879d7475eeee3f8c1f2569e44ce49ad.png) Search for the "Google Cloud Spanner" driver, select it, and click the "Copy" button to make a custom driver configuration: ![Copy DBeaver Google Spanner Driver](/docs/assets/images/dbeaver-copy-spanner-driver@2x-76efd0d0afca2ab36504b4cc7788d657.png) Give the custom driver a name, e.g. "Teleport Spanner", then set "URL Template" to this pattern string: ``` jdbc:cloudspanner://127.0.0.1:{port}/projects/{server}/instances/{host}/databases/{database};usePlainText=true ``` ![Create Custom DBeaver Google Spanner Driver](/docs/assets/images/dbeaver-create-spanner-driver@2x-febb80dccd005329a770575e79639ce9.png) Click "Ok", then click "Close" From the menu, click "Database > New Connection from JDBC URL": Now copy the JDBC URL that was output by `tsh proxy db` and paste it: ![Create DBeaver Spanner Connection From JDBC URL](/docs/assets/images/dbeaver-connection-from-jdbc-url@2x-dc61c4e69aa8b927847fd489e75388d6.png) Click "Proceed", then click "Finish". --- NOTE If you want to re-use this data source later, you must either use the same tsh local port (1443 in this example), or you must edit the driver URL to match the port that the tsh local proxy is listening on. --- ## Oracle graphical clients The Oracle integration works only in the authenticated proxy mode. Start a local proxy for connections to your Oracle database by using the command below: ``` > tsh proxy db --tunnel --port 11555 --db-user= --db-name= oracle Started authenticated tunnel for the Oracle database "oracle" in cluster "teleport.example.com" on 127.0.0.1:11555. ``` --- TIP The command above uses the local port 11555, but you can choose any available port. Leaving `--port` empty will cause `tsh` to pick a random one. --- The local proxy supports TCP and TCPS modes. Different clients prefer different modes. TCP: - requires no username or password - generally easier to configure TCPS: - requires no username or password - depends on automatically created wallet - uses JDBC URL for configuration --- WARNING Teleport versions earlier than 17.2.0 support only a limited range of clients and only offer TCPS mode. `tsh` will automatically detect this situation and warn the user. We recommend updating to the latest version of Teleport to access full client support and additional connection options. --- ### Oracle SQL Developer (standalone) In "Connections" click the "+" button for a new database connection: ![Oracle SQL Developer Add Database Connection](/docs/assets/images/sql-developer-standalone-add-database-96c39a809044c32bbb9cf9815ef4cbef.png) Next, set the name and username from the `--db-user` parameter. Set connection type to "Custom JDBC" and set the "Custom JDBC URL" from the `tsh proxy db` command. ![Oracle SQL Developer](/docs/assets/images/sql-developer-standalone-conn-details-tcps-83c3d44802331ef2885273e98a1516dd.png) Now you can click "Test" to check your configuration. ![Oracle SQL Developer Success](/docs/assets/images/sql-developer-standalone-success-1e75e46eaac2bf36892d5a594ee5fbb8.png) ### Oracle SQL Developer (VS Code extension) Install the extension from [VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=Oracle.sql-developer). Both TCP and TCPS modes can be used. **TCP** Open the extension toolbar and click on "Create Connection" button. ![SQL Developer (VS Code) Start](/docs/assets/images/sql-developer-vscode-start@2x-1bddc05a1600951f00254678fd974dc9.png) Enter the following connection details: | Field | Value | | --------------- | ---------------------- | | Connection name | Choose unique name | | User name | `/` | | Password | `/` | | Save Password | Mark checkbox | | Connection type | Basic | | Host name | `localhost` | | Port number | `--port` flag value | | Type | Service Name | | Service name | `--db-name` flag value | Test and create the connection. ![SQL Developer (VS Code) Connection Details (basic)](/docs/assets/images/sql-developer-vscode-conn-details-basic@2x-5d32b404f2ee3be899d13a21476bc810.png) The new connection should appear on the list. ![SQL Developer (VS Code) Connected (basic)](/docs/assets/images/sql-developer-vscode-connected-basic@2x-92cd9898c42c13d9cacb0bfdac5b76c3.png) **TCPS** Open the extension toolbar and click on "Create Connection" button. ![SQL Developer (VS Code) Start](/docs/assets/images/sql-developer-vscode-start@2x-1bddc05a1600951f00254678fd974dc9.png) Enter the following connection details: | Field | Value | | --------------- | ------------------------------- | | Connection name | (choose per your preference) | | User name | `/` | | Password | `/` | | Save Password | Mark the checkbox | | Connection type | "Custom JDBC" | | Custom JDBC URL | Copy from `tsh proxy db` output | Test and create the connection. ![SQL Developer (VS Code) Connection Details (JDBC)](/docs/assets/images/sql-developer-vscode-conn-details-jdbc@2x-715004b127876766482c8fdd78b0bdd5.png) The new connection should appear on the list. ![SQL Developer (VS Code) Connected (JDBC)](/docs/assets/images/sql-developer-vscode-connected-jdbc@2x-dd21641a136824f98847ad95f6626793.png) ### Toad Add a new login record in the logins dialog. ![Toad Add Login Record](/docs/assets/images/toad-add-login-record@2x-8a602de3b5b7adb8a66ef32d492f86ca.png) Enter the connection details in "Direct" tab: | Field | Value | | --------------- | ---------------------------- | | Host name | `127.0.0.1` | | Port number | `--port` flag value | | Service name | `--db-name` flag value | | User name | `EXTERNAL` | | Password | (leave empty) | | Connection name | (choose per your preference) | Test the connection to verify the setup. ![Toad Add Login Tested](/docs/assets/images/toad-add-login-tested@2x-47b531bd8585395ad623670cd23e7944.png) The newly added login should appear on the login list. ![Toad Login List](/docs/assets/images/toad-login-list@2x-d8d42ca1e04d576cbd4b01e4afda142e.png) --- TIP You can also configure Toad to use an external Oracle client. Both native and external clients are supported. --- ### DBeaver Click on the "New Database Connection" button. ![DBeaver new connection button](/docs/assets/images/dbeaver-new-connection@2x-25dee2c6c4ce6fa30a1f91d6e6031d9c.png) Select "Oracle" from the driver list. You may use the search toolbar to narrow down the list. ![DBeaver connect to a database](/docs/assets/images/dbeaver-connect-to-a-database@2x-202f1888a442155000deacc5ddcf3bc1.png) Choose "Custom" connection type and paste the JDBC connection string printed by `tsh proxy db`. ![DBeaver JDBC details](/docs/assets/images/dbeaver-jdbc-details@2x-53d0ce4728abcab15db8a893c8276373.png) Test the connection to verify the setup. Finalize by clicking "Finish".