Connection and Authentication Parameters

This document describes the system configuration parameters in the Connection and Authentication category.

Note!
To ensure system stability and security, manually modifying these parameters should be done with caution.


Connection Settings

bonjour


Enables or disables Bonjour advertising in the database.

Data Type: boolean
Default Value: off
Setting Scope: segments; system; restart

bonjour_name


Specifies the Bonjour service name.

  • By default, the computer name is used. An empty string indicates no name is set.
  • This option is ignored if the server does not support Bonjour.
Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

gp_connection_send_timeout


Timeout (in seconds) for sending data to unresponsive YMatrix database client connections during query processing.

  • A value of 0 disables the timeout, causing YMatrix to wait indefinitely for the client.
  • The default is 3600, or 1 hour.
  • After the timeout, the query is canceled with the message: Could not send data to client: Connection timed out.
Data Type: int
Default Value: 3600
Setting Scope: segments; system; reload

listen_addresses


Specifies the TCP/IP addresses on which the server listens for client connections — a comma-separated list of hostnames and/or numeric IP addresses.

  • The special entry '*' corresponds to all available IP interfaces. If the list is empty, only UNIX domain sockets can be used for connections.
Data Type: string
Default Value: *
Setting Scope: segments; system; restart

max_connections


Maximum number of concurrent connections to the database server.

  • In YMatrix, client connections are established only through the Master instance.
  • When running a Standby, this parameter must be set equal to or higher than on the Master; otherwise, queries cannot run on the Standby.
  • The number of connections on Segment instances should be 5 to 10 times that of the Master.
  • Increasing this parameter may require increasing max_prepared_transactions.
  • Increasing max_connections may cause YMatrix to request more shared memory. For information about shared memory buffers in YMatrix server instances, see shared_buffers.
Data Type: int
Default Value: 300
Valid Range: 10 ~ 262143
Setting Scope: segments; system; restart

port


Port number on which the database instance listens in YMatrix.

  • The Master and each Segment have their own port.
  • This value must be synchronized in gp_segment_configuration.
  • This parameter can only be set at server startup. You must shut down the YMatrix database system before changing the port number.
Data Type: int
Default Value: 5432
Setting Scope: segments; system; restart

superuser_reserved_connections


Number of connections reserved for superusers in YMatrix.

  • At any time, the maximum number of active concurrent connections is max_connections minus superuser_reserved_connections.
Data Type: int
Default Value: 10
Valid Range: 1 ~ 262143
Setting Scope: segments; system; restart

unix_socket_directories


UNIX domain socket directories where the server listens for client connections.

  • Multiple directories, separated by commas, can be specified to create multiple sockets.
  • An empty value disables listening on any UNIX domain socket; only TCP/IP connections will be allowed.
  • In addition to the socket file itself (named .s.PGSQL.nnnn, where nnnn is the server's port), a regular file named .s.PGSQL.nnnn.lock is created in each unix_socket_directories directory. Do not manually remove these files.
  • This parameter can only be set at server startup. Not available on Windows.
Data Type: string
Default Value: /tmp
Setting Scope: segments; system; restart

unix_socket_group


Sets the group ownership of UNIX domain sockets.

  • By default, this is an empty string, which uses the default group of the current user.
  • This parameter can only be set at server startup. Not available on Windows.
Data Type: string
Default Value: (empty)
Valid Range: UNIX group name
Setting Scope: segments; system; restart

unix_socket_permissions


Sets access permissions for UNIX domain sockets.

  • UNIX domain sockets use standard UNIX file system permissions.
  • This parameter must begin with 0 and be specified in octal notation.
  • For UNIX domain sockets, only write permission matters.
  • The default is 0777, meaning anyone can connect. Reasonable alternatives are 0770 (accessible only by user and group) and 0700 (accessible only by user). These are numeric UNIX file permission modes (as accepted by the chmod system call or the umask command).
Data Type: int
Default Value: 0777
Valid Range: 0000 ~ 0777
Setting Scope: segments; system; restart

tcp_keepalives_count


Number of TCP keepalive probes that can be lost before the server considers the client connection dead.

  • This parameter is supported only on systems that support TCP_KEEPCNT or equivalent socket options. On other systems (e.g., Windows), it must be zero. It is ignored and always reads as zero for sessions connected via UNIX domain sockets.
  • This parameter applies to all connections except those between Primary and Mirror.
  • Default value 0 uses the system default.
Data Type: int
Default Value: 0
Valid Range: 0 ~ INT_MAX
Setting Scope: segments; system; restart

tcp_keepalives_idle


Time (in seconds) after which TCP sends a keepalive message to the client if the connection is idle.

  • Supported only on systems that support TCP_KEEPIDLE or equivalent socket options, or on Windows. On other systems, it must be zero. Ignored and always reads as zero for UNIX domain socket connections.
  • On Windows, setting 0 sets this parameter to 2 hours, as Windows does not support reading system defaults.
  • Applies to all connections except those between Primary and Mirror.
  • Default value 0 uses the system default.
Data Type: int
Default Value: 0
Valid Range: 0 ~ INT_MAX
Setting Scope: segments; system; restart

tcp_keepalives_interval


Interval (in seconds) between retransmissions of unacknowledged TCP keepalive messages.

  • Supported only on systems that support TCP_KEEPINTVL or equivalent socket options, or on Windows. On other systems, it must be zero. Ignored and always reads as zero for UNIX domain socket connections.
  • On Windows, setting 0 sets this parameter to 1 second, as Windows does not support reading system defaults.
  • Applies to all connections except those between Primary and Mirror.
  • Default value 0 uses the system default.
Data Type: int
Default Value: 0
Valid Range: 0 ~ INT_MAX
Setting Scope: segments; system; restart

tcp_user_timeout


Time (in milliseconds) that transmitted data may remain unacknowledged before the TCP connection is forcibly closed.

  • Supported only on systems that support TCP_USER_TIMEOUT; otherwise, it must be zero. Ignored and always reads as zero for UNIX domain socket connections.
  • Not supported on Windows and must be zero.
  • Default value 0 uses the system default.
Data Type: int
Default Value: 0
Valid Range: 0 ~ INT_MAX
Setting Scope: segments; system; restart


Authentication

authentication_timeout


Maximum time (in seconds) allowed for a client to complete authentication.

  • If a client fails to complete the authentication protocol within this time, the server closes the connection to prevent malfunctioning clients from holding connections indefinitely.
Data Type: int
Default Value: 60
Valid Range: 1 ~ 600
Setting Scope: segments; system; restart

db_user_namespace


Enables per-database user names.

  • This parameter is off by default and can only be set in the postgresql.conf file or on the server command line.
  • When enabled, users should be created in the form username@dbname. When a client connection specifies username, @ and dbname are appended to the username, and the server looks up the database-specific user. Note that in SQL environments, usernames containing @ must be enclosed in quotes.
  • Global users can still be created when this parameter is enabled. To specify such a user from a client, simply append @, e.g., joe@. The @ part is stripped before the server looks up the username.
  • db_user_namespace causes client and server username representations to differ. Authentication checks always use the server's representation, so authentication methods must be configured for server usernames, not client usernames. Because the md5 method uses the username as salt on both client and server, md5 cannot be used with db_user_namespace.
  • This feature is intended as a temporary measure until a complete solution is available. This option will be removed once a full solution is implemented.
Data Type: boolean
Default Value: off
Setting Scope: master; system; restart

krb_caseins_users


Determines whether Kerberos usernames are case-insensitive.

  • Default is case-sensitive.
Data Type: boolean
Default Value: off
Setting Scope: segments; system; restart

krb_server_keyfile


Specifies the location of the Kerberos server key file.

Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

password_encryption


Determines the algorithm used to encrypt passwords specified in CREATE ROLE or ALTER ROLE.

  • Note: Older clients may lack support for the SCRAM authentication mechanism and thus cannot use passwords encrypted with SCRAM-SHA-256. See Password Authentication for details.
Data Type: enum
Default Value: md5 (on)
Valid Values: md5 (on) / scram-sha-256
Setting Scope: segments; session; reload
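To make the difference between the two password_encryption values concrete, the following added example (not code from YMatrix or its documentation) builds both kinds of stored verifier. It assumes YMatrix stores them in PostgreSQL's formats: an md5 verifier is the string md5 followed by the hex MD5 of password concatenated with username, which is why the username acts as the only salt and why md5 cannot be combined with db_user_namespace; a SCRAM-SHA-256 verifier carries a random salt, an iteration count, and the StoredKey/ServerKey derived per RFC 5802/7677. The scram_check helper recomputes StoredKey directly from a candidate password for illustration; a real SCRAM exchange never transmits the password and instead uses a ClientProof. Usernames, passwords and the fixed salt are constructed values.

```python
"""Added example: what md5 and scram-sha-256 password_encryption actually store."""
import base64
import hashlib
import hmac
import os

SCRAM_ITERATIONS = 4096  # PostgreSQL's default iteration count (assumed for YMatrix)


def md5_verifier(username, password):
    """'md5' + hex(md5(password || username)).

    The username is the only salt, so the verifier is deterministic per
    (username, password) and depends on the server-side username
    representation, which is what breaks md5 under db_user_namespace."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def scram_sha256_verifier(password, salt=None, iterations=SCRAM_ITERATIONS):
    """SCRAM-SHA-256$<iterations>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>.

    Key derivation per RFC 5802/7677 (SASLprep normalization of the
    password is omitted in this example). A fresh random salt is used
    unless one is supplied, so two verifiers for one password differ."""
    if salt is None:
        salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(data):
        return base64.b64encode(data).decode("ascii")

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_check(verifier, password):
    """Recompute StoredKey from a candidate password and compare in constant time.

    This demonstrates what the stored values bind to; the real protocol
    proves knowledge via ClientProof without sending the password."""
    mech, rest = verifier.split("$", 1)
    if mech != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    params, keys = rest.split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    stored_b64, _server_b64 = keys.split(":", 1)
    salt = base64.b64decode(salt_b64)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), base64.b64decode(stored_b64))


if __name__ == "__main__":
    # Constructed credentials, not real ones.
    print(md5_verifier("joe", "s3cret"))
    v = scram_sha256_verifier("s3cret")
    print(v)
    print("check:", scram_check(v, "s3cret"), scram_check(v, "wrong"))
```

Comparing the two outputs shows the practical point: the md5 verifier for a given (username, password) pair is identical on every server and every run, while each SCRAM verifier is unique and costs 4096 PBKDF2 rounds to test a single guess.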


SSL

ssl


Enables or disables SSL connections.

Data Type: boolean
Default Value: off
Setting Scope: segments; system; restart

ssl_ca_file


Specifies the filename containing the SSL certificate authority (CA) certificates.

  • Relative paths are relative to the data directory.
  • Default is empty, indicating no CA file is loaded and client certificate verification is not performed.
Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

ssl_cert_file


Specifies the filename containing the SSL server certificate.

  • Relative paths are relative to the data directory.
Data Type: string
Default Value: server.crt
Setting Scope: segments; system; restart

ssl_ciphers


Specifies a list of SSL ciphers to use for secure connections.

Data Type: string
Default Value: HIGH:MEDIUM:+3DES:!aNULL
Setting Scope: segments; system; restart

ssl_crl_file


Specifies the filename containing the SSL certificate revocation list (CRL).

  • Relative paths are relative to the data directory.
  • Default is empty, indicating no CRL file is loaded.
Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

ssl_dh_params_file


Specifies the filename containing Diffie-Hellman parameters for temporary DH key exchange in SSL.

  • Default is empty, in which case built-in default DH parameters are used. Custom DH parameters reduce the risk of attackers exploiting well-known built-in parameters. Use command openssl dhparam -out dhparams.pem 2048 to generate your own DH parameters file.
Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

ssl_ecdh_curve


Specifies the curve name to use for ECDH key exchange.

  • Must be supported by all connecting clients.
  • Does not need to match the curve used by the server's elliptic curve key.
  • Can only be set in the postgresql.conf file or on the server command line.
  • OpenSSL names common curves: prime256v1 (NIST P-256), secp384r1 (NIST P-384), secp521r1 (NIST P-521). The openssl ecparam -list_curves command displays a full list, though not all are available for TLS.
Data Type: string
Default Value: prime256v1
Setting Scope: segments; system; restart

ssl_key_file


Specifies the filename containing the SSL server private key.

  • Relative paths are relative to the data directory.
Data Type: string
Default Value: server.key
Setting Scope: segments; system; restart

ssl_max_protocol_version


Sets the maximum SSL/TLS protocol version to use.

  • Valid versions are the same as ssl_min_protocol_version.
  • Setting a maximum protocol version is mainly useful for testing compatibility with newer protocols.
  • Default is an empty string, meaning all versions are allowed.
Data Type: enum
Default Value: (empty)
Setting Scope: segments; system; restart; superuser

ssl_min_protocol_version


Sets the minimum SSL/TLS protocol version to use.

  • Available versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. Older OpenSSL libraries may not support all values and will raise an error if an unsupported version is selected. SSL versions 2 and 3 (prior to TLS 1.0) are disabled.
  • Default is TLSv1, primarily to support older OpenSSL libraries. If all components support newer versions, consider setting a higher value.
Data Type: enum
Default Value: TLSv1
Setting Scope: segments; system; restart

ssl_passphrase_command


Specifies an external command to call when a passphrase (e.g., for decrypting a private key) is required for SSL files.

  • By default, this is empty, meaning the built-in prompt mechanism is used.
  • The command must print the passphrase to stdout and exit with code 0. In the parameter value, % is replaced with a prompt string (to get literal %, write %%). Note the prompt may contain spaces, so proper quoting is essential. A trailing newline in the output is stripped.
  • The command does not necessarily need to prompt the user. It may read from a file, retrieve from a keychain, etc. It is the user's responsibility to ensure the chosen mechanism is secure.
Data Type: string
Default Value: (empty)
Setting Scope: segments; system; restart

ssl_passphrase_command_supports_reload


Determines whether the command set by ssl_passphrase_command is called during configuration reload if a key file requires a passphrase.

  • If set to off (default), ssl_passphrase_command is ignored during reload, and SSL configuration will not be reloaded if a passphrase is needed.
  • This is suitable for commands requiring a TTY (which may not be available when the server is running). If the passphrase is read from a file, setting this to on may be appropriate.
Data Type: boolean
Default Value: off
Setting Scope: segments; system; restart

ssl_prefer_server_ciphers


Specifies whether the server's SSL cipher preferences should be used instead of the client's.

  • This setting is mainly for backward compatibility. Using the server's preferences is generally better, as the server is more likely to be properly configured.
Data Type: boolean
Default Value: on
Setting Scope: segments; system; restart
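Several parameters on this page (listen_addresses, superuser_reserved_connections, unix_socket_permissions, the tcp_keepalives_* family, password_encryption, ssl, ssl_min_protocol_version, ssl_prefer_server_ciphers) ship with defaults that favour compatibility over hardening. The following added example, which is not YMatrix tooling, reads a postgresql.conf fragment and reports those weak settings next to a hardened counterpart. It also derives two values the text describes in words: the ordinary-connection ceiling (max_connections minus superuser_reserved_connections) and the worst-case time to detect a dead client (tcp_keepalives_idle plus tcp_keepalives_interval times tcp_keepalives_count, or the system default when any is 0). Both configuration fragments and the 10.0.0.5 address are constructed; the parser handles only the single-line name = value syntax shown, not include directives.

```python
"""Added example: audit connection/authentication parameters in a postgresql.conf fragment."""
import re

# Constructed fragment using this page's default values (weak baseline).
WEAK_CONF = """
# constructed example, not a real deployment
listen_addresses = '*'                  # every interface
max_connections = 300
superuser_reserved_connections = 10
unix_socket_permissions = 0777          # any local user may connect
ssl = off
ssl_min_protocol_version = 'TLSv1'
password_encryption = md5
tcp_keepalives_idle = 0                 # operating-system default
tcp_keepalives_interval = 0
tcp_keepalives_count = 0
"""

# Constructed hardened counterpart (address is a placeholder).
HARDENED_CONF = """
listen_addresses = '10.0.0.5'
max_connections = 300
superuser_reserved_connections = 10
unix_socket_permissions = 0770          # user and group only
ssl = on
ssl_min_protocol_version = 'TLSv1.2'
ssl_prefer_server_ciphers = on
password_encryption = scram-sha-256
tcp_keepalives_idle = 60
tcp_keepalives_interval = 10
tcp_keepalives_count = 5
"""

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OFF_VALUES = {"off", "false", "0", "no"}

# name, optional '=', then a single-quoted value ('' escapes a quote) or a bare token
_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*('(?:[^']|'')*'|[^#\s]+)")


def parse_conf(text):
    """Minimal postgresql.conf reader: one 'name = value' per line, '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        value = m.group(2)
        if value.startswith("'"):
            value = value[1:-1].replace("''", "'")
        params[m.group(1).lower()] = value
    return params


def non_superuser_limit(params):
    """Ceiling for ordinary connections: max_connections - superuser_reserved_connections."""
    return int(params.get("max_connections", "300")) - int(params.get("superuser_reserved_connections", "10"))


def keepalive_detection_seconds(params):
    """Worst case to notice a dead client: idle + interval * count; None if any is 0."""
    idle = int(params.get("tcp_keepalives_idle", "0"))
    interval = int(params.get("tcp_keepalives_interval", "0"))
    count = int(params.get("tcp_keepalives_count", "0"))
    if 0 in (idle, interval, count):
        return None
    return idle + interval * count


def audit(params):
    """Return (parameter, reason) pairs for settings that weaken connection security."""
    findings = []
    g = params.get
    if g("ssl", "off").lower() in OFF_VALUES:
        findings.append(("ssl", "SSL disabled: credentials and data cross the network in clear text"))
    if g("listen_addresses", "*") == "*":
        findings.append(("listen_addresses", "listening on every interface; restrict to what clients need"))
    min_ver = g("ssl_min_protocol_version", "TLSv1")
    if min_ver in TLS_ORDER and TLS_ORDER.index(min_ver) < TLS_ORDER.index("TLSv1.2"):
        findings.append(("ssl_min_protocol_version", f"{min_ver} still admits TLS 1.0/1.1 handshakes"))
    if g("password_encryption", "md5").lower() in ("md5", "on"):
        findings.append(("password_encryption", "md5 verifiers are salted only by the username; use scram-sha-256"))
    mode = int(g("unix_socket_permissions", "0777"), 8)
    if mode & 0o002:  # only the write bit matters for a socket
        findings.append(("unix_socket_permissions", f"{mode:04o} lets every local user connect"))
    if g("ssl_prefer_server_ciphers", "on").lower() in OFF_VALUES:
        findings.append(("ssl_prefer_server_ciphers", "client cipher order overrides the server's"))
    if int(g("superuser_reserved_connections", "10")) < 1:
        findings.append(("superuser_reserved_connections", "no slots kept free for superusers"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        p = parse_conf(text)
        print(f"[{label}] non-superuser limit: {non_superuser_limit(p)}, "
              f"dead-client detection: {keepalive_detection_seconds(p)} s")
        for param, reason in audit(p):
            print(f"  {param}: {reason}")
```

Because every parameter here has the restart scope, a finding means a planned restart rather than a reload; run the audit against the file before the maintenance window rather than after it.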