Strategy One

Connect to an On-Premises Database Using the Secure Data Service

Strategy One (March 2026) introduces the Secure Data Service (SDS), a secure connectivity solution that enables Intelligence server instances in Strategy MCE to access on-premises data warehouse servers while all data warehouse login credentials remain in your network and do not pass to MCE.

Deployed on a machine or container within your on-premises network, SDS uses Strategy Data Gateway technologies to establish secure, on-demand communication channels via a Data Gateway Server, eliminating the need for dedicated private links or VPNs. SDS uses TLS-encrypted channels, initiated by one or more (when clustered) SDS agents in your environment, to send warehouse query results from your network to your Strategy MCE environment without exposing inbound access or forwarding arbitrary traffic to other internal systems. It relies on Library REST APIs for connection as well as authentication, and supports locally stored RSA-encrypted database credentials and direct retrieval from Vault servers, so sensitive credentials are not stored in Strategy's cloud. SDS consists of two components, SDS Agent and DGS Agent. In the following documentation, the term SDS refers to both the SDS and DGS agent.

Using SDS may cause some performance degradation compared to connecting directly to the warehouse database locally, due to the additional network hop. To mitigate degradation, Strategy suggests using In-Memory Intelligent Cubes. For more information on product constraints and supported configurations, see SDS Limitations and Troubleshooting.

Deploy SDS

  • Installer in Linux
  • Container in Linux
  • Container in Windows

Prerequisites

  • Note the Library URL for your MCE environment.

  • Ensure Data Gateway Server (DGS) is enabled. To enable DGS, contact your cloud support administrator.

  • Ensure you have a Red Hat Enterprise Linux 9.x machine with at least 8 vCPUs, 32 GB of RAM, and 20GB of disk free space. The machine must reside in the same private network as the Warehouse database. The machine must also be able to reach the Library REST API server hosted on MCE, which is typically exposed through a load balancer. Strategy recommends a dedicated machine for SDS.

  • SDS provides a web UI on ports 8080 (HTTP) and 8443 (HTTPS) on the Linux server. If the server has a desktop environment, open a web browser and access the UI locally. If you want to use a browser from another machine, ensure it can reach the Linux server on ports 8080 or 8443, and update your firewall settings, if needed.

  • Ports 8080 (HTTP), 8443 (HTTPS), and 55555 must be available and not in use on the Linux machine.

You can also deploy SDS using Docker containers on Linux and Windows.

Install SDS

  1. In Strategy Community, in the Federated Data Connectors category, download the Linux Installer for Secure Data Service (SDS).

  2. Copy the downloaded zip file to the target machine where SDS will be deployed.

  3. SDS must be installed in the /opt directory. Create the directory, if it does not already exist.

  4. Extract the .zip file into /opt:

    Copy 
    sudo mkdir -p /opt
    sudo unzip secure-data-service-linux.zip -d /opt
    sudo chmod +x /opt/mstr/dgs-sds-service.sh

  5. Register and start SDS as a service by running the following commands:

    The command should complete in under one minute.

    Copy 
    cd /opt/mstr
    sudo ./dgs-sds-service.sh install
    sudo ./dgs-sds-service.sh start

  6. To check the status of the SDS service (the SDS agent and the DGS agent), run the following command:

    Copy 
    sudo ./dgs-sds-service.sh status

This starts SDS as a web server listening on ports 8080 (HTTP) and 8443 (HTTPS) by default. These ports expose the web UI used for configuration, as described in the following steps. To customize the ports, edit the following section in /opt/mstr/dgsagent/config/application.properties and restart SDS:

Copy 
# HTTPS port
server.port=8443
# HTTP port
server.http.port=8080

sudo ./dgs-sds-service.sh restart

Note that the script also supports stopping and uninstalling SDS using the following commands:

Copy 
sudo ./dgs-sds-service.sh stop
sudo ./dgs-sds-service.sh uninstall

Deploy SDS as a Container in Linux

SDS can be deployed as a container on Linux operation systems.

Prerequisites

Before you can deploy SDS as a container on Linux, you must prepare a virtual machine that meets the following criteria:

  • A dedicated machine for SDS.

  • At least 8 vCPUS, 32GB of RAM, and 30GB of disk free space.

  • A Red Hat Enterprise Linux (RHEL) 9.x operating system.

  • SDS provides a web UI on ports 8080 (HTTP) and 8443 (HTTPS) on the Linux server. If the server has a desktop environment, use a web browser. If you want to use a browser from another machine, ensure it can communicate with the Linux server on ports 8080 or 8443 and update the firewall settings, if needed.

  • Ports 8080 (HTTP), 8442 (HTTPS), and 55555 must be available and not in use on the Linux machine.

  • The docker compose command is available. If it is not available, install the Docker Engine using the Docker Documentation. Ensure that you install the Docker Compose v2 CLI plugin (docker compose), and not docker-compose (with a hyphen), which is the legacy v1 standalone binary.

Install SDS as a Container in Linux

  1. In Strategy Community, in the Federated Data Connectors category, download the Container Package for Secure Data Service (SDS).

  2. Copy the downloaded zip file to the target machine where SDS will be deployed.

  3. Extract the .zip file into a target folder, such as /home/admin/secure-data-service:

    Copy 
    mkdir -p /home/admin/secure-data-service
    unzip secure-data-service-container.zip -d /home/admin/secure-data-service

  4. Go to the target directory and run the command to set up and start the SDS container:

    The command should complete in under one minute.

    Copy 
    cd /home/admin/secure-data-service
    ./dgs-sds-container.sh start

    This command uses Docker Compose to deploy the container. If the command fails, run it with sudo privileges or complete the Linux post-installation steps for Docker Engine before trying again.

  5. After the SDS container is deployed, run one of the following commands to check the status:

    Option 1:

    Copy 
    ./dgs-sds-container.sh status

    Option 2:

    Copy 
    docker compose ps -a

  6. To verify the SDS container is running correctly, open a web browser and go to http://<docker-vm-hostname>:8080/ or https://<docker-vm-hostname>:8443/, where <docker-vm-hostname> is the host name or IP address of the Linux virtual machine. The browser should display similar to the following when the SDS is running correctly:

    If you are accessing SDS from a different machine, ensure the SDS host firewall allows inbound connections on port 8080 and/or 8443. This is typically required when the Linux host is accessed remotely.

    When accessing the HTTPS endpoint, your browser may display a Your connection is not private warning. To resolve this issue, see Fix the Connection Not Private Web Browser Error.

  7. Optionally, modify the host port numbers by modifying the value before ":" in the relevant ports entries in the docker-compose.yml file. In the following example, the HTTP port updates from 8080 to 8081 and the HTTPS port updates from 8443 to 8444:

    Copy 
        ports:
          - "55555:55555"
          - "26214-26313:26214-26313"
          - "8081:8080"
          - "8444:8443"

  8. If you modify the port numbers, restart the SDS using one of the following commands:

    Option 1:

    Copy 
    ./dgs-sds-container.sh restart

    Option 2:

    Copy 
    docker compose up -d

SDS can be deployed as a container on Windows. However, because this option requires additional virtualization on the Windows host and may introduce performance overhead, Strategy does not recommend this option, unless deployment on Linux is not possible.

Prerequisites

Before you can deploy SDS as a container on Windows, ensure the following prerequisites:

  • Strategy recommends a bare-metal (physical) machine. If you are using a virtual machine, it must support nested virtualization. In all cases, SDS should run on a dedicated machine.

  • A Microsoft Windows 11 or Windows Server 2025 system with a minimum of 8 vCPUS, 32GB of RAM, and 50GB of disk free space.

  • Ports 8080 (HTTP), 8442 (HTTPS), and 55555 must be available and not in use on the machine.

  • Docker Desktop or Rancher Desktop is installed on the Windows host. You may also need to install Windows Subsystem for Linux before installing Docker or Rancher Desktop.

Install SDS as a Container in Windows

  1. In Strategy Community, in the Federated Data Connectors category, download the Container Package for Secure Data Service (SDS).

  2. Copy the downloaded zip file to the target machine where SDS will be deployed.

  3. Extract the .zip file into a target folder, such as C:\SDS\ folder.

  4. Go to the PowerShell terminal, navigate to the target folder, and run the command to start the SDS container:

    The command should complete in under one minute.

    Copy 
    .\dgs-sds-container.ps1 start

    If a PSSecurityException error occurs, you may need to bypass the execution policy ( for example, by running powershell.exe -ExecutionPolicy Bypass) before re-running the scripts.

  5. After the SDS container is deployed, run one of the following commands to check the status:

    Option 1:

    Copy 
    .\dgs-sds-container.ps1 status

    Option 2:

    Copy 
    docker compose ps -a

  6. To verify the SDS container is running correctly, open a web browser and go to http://<docker-vm-hostname>:8080/ or https://<docker-vm-hostname>:8443/, where <docker-vm-hostname> is the host name or IP address of the Linux Windows machine. The browser should display similar to the following when the SDS is running correctly:

    When accessing the HTTPS endpoint, your browser may display a Your connection is not private warning. To resolve this issue, see Fix the Connection Not Private Web Browser Error.

  7. Optionally, modify the host port numbers by modifying the value before ":" in the relevant ports entries in the docker-compose.yml file. In the following example, the HTTP port updates from 8080 to 8081 and the HTTPS port updates from 8443 to 8444:

    Copy 
        ports:
          - "55555:55555"
          - "26214-26313:26214-26313"
          - "8081:8080"
          - "8444:8443"

  8. If you modify the port numbers, restart the SDS using the following command:

    Copy 
    docker compose up -d

SDS Configuration

SDS Connection to MCE Environment

Before the Intelligence server can use SDS to query the Warehouse database, SDS must be connected to the MCE environment and configured with the database login credentials (for example, username and password). To do this, the connection from SDS to MCE must be established using the Library SDS web interface:

  1. Using a web browser, open the SDS web using the following URL templates: http://<sds-agent-host>:8080/ or https://<sds-agent-host>:8443/.

    If you access the UI from a different machine, ensure that the SDS host firewall allows inbound connections on port 8080 and/or 8443. This is typically required when the Linux host has no graphical interface and is accessed remotely (for example, using a terminal session).

    When accessing the HTTPS endpoint, your browser may display a Your connection is not private warning. To resolve this issue, see Fix the Connection Not Private Web Browser Error.

  2. In SDS, click Add New.

  3. Enter values in the following fields:

    • Environment URL: Enter the Library REST URL for your MCE environment.

    • Display Name: Type a descriptive name for your environment.

    • Support OAuth: Choose Yes only if your Library supports OIDC (OpenID Connect) or SAML.

      If you choose Yes, follow the steps starting in 4a. in Configure the Connection.

  4. Click Continue and enter your credentials.

  5. Toggle on Enable Agent.

Database Warehouse Login Setup in SDS

SDS must be configured with the database login credentials used to access the Warehouse. This configuration enables secure database access without storing sensitive credential information in the Strategy MCE environment. The following example uses a database login credential called PostgresSDS-DBLogin.

  1. Open SDS, go to Database Logins, and click Add.

  2. SDS store database login credential locally. Enter values in the following fields:

    You can also configure SDS to retrieve credentials from secret vaults. For more information, see Configure Secret Vaults for SDS.

    • Name: Type the name of the database login. For example, PostgresSDS-DBLogin.

    • Description: Optionally add additional information about the login.

    • Username: The username used to connect to the warehouse database.

    • Password: Type your associated password.

  3. Click Save.

Configure Intelligence Server-to-SDS Connection in Workstation

Create a Database Login

Create a database login that maps the database login created in SDS, as described in the previous section:

  1. Open Workstation and connect to the MCE environment that contains the Intelligence server.

  2. In the left Navigation pane, click Data Sources.

  3. Click the Database Logins tab and click Add New Database Login.

  4. Enter values in the following fields:

    • Use Vault: Disable this option.

    • Name: Type the same database login name you used above. For example, PostgresSDS-DBLogin.

    • Username: Enter any placeholder value. This value is ignored.

    • Password: Enter any placeholder value. This value is ignored.

  5. Click Save.

Create a Database Connection

Create a database connection that uses the login you created above:

SDS only supports DSN-less database connections. If you connection is currently configured using a DSN, convert it to a DSN-less connection. For more information, see Convert a DSN Data Source to DSN-Less.

  1. In the Workstation left Navigation pane, click Data Sources.

  2. Click the Database Logins tab and click Add New Database Connection.

  3. Enter values in the following fields:

    • Name: Type a name for the database connection.

    • Driver: Expand the drop-down list and choose ODBC or JDBC.

    • Host Name: Enter the host name or IP address of your warehouse database.

    • Gateway Agent: Expand the drop-down list and choose the host where SDS is installed.

      If a Data Gateway Agent (DGS) was previously connected to your MCE environment, you may see two agent with the same name. Do not choose the agent that displays (offline). Choose the active (non-offline) agent that corresponds to the SDS agent.

    • Authentication Mode: Expand the drop-down list and choose Standard.

    • Default Database Login: Expand the drop-down list and choose the database login you created above. For example, PostgresSDS-DBLogin.

    • Port Number: Enter the port number for your warehouse data.

    • Database: Enter your database name for your warehouse data.

  4. Click Test.

  5. Click Save.

    The database connection is ready to use in your Strategy workflows such as using dashboards, publishing cubes, and more.

If you need to enable SDS for database access in Mosaic Studio, see Use SDS for Mosaic Models.