How To Install SSL Certificate In Tableau Server: A Comprehensive Guide


A Secure Sockets Layer (SSL) certificate is used to establish an encrypted connection between a server and a browser on a user’s computer. These certificates are part of the cryptographic system known as public key infrastructure (PKI).

Tableau Server can be configured to use SSL for all external HTTP traffic. With SSL enabled, access to Tableau Server is encrypted, which keeps sensitive and private information secure.

Preparing for SSL Installation

The steps for SSL installation are outlined below. First, however, you need to acquire a certificate from a trusted authority. Afterward, you can import the certificate files into Tableau Server.

a. System Requirements

The first requirement is to get an Apache SSL certificate from a trusted entity, such as Thawte, Verisign, or GoDaddy. Alternatively, you can use an internal certificate from your own company.

Once you’ve acquired an SSL certificate, you need to ensure it meets certain requirements, which include:

  • Certificate files: Must be valid PEM-encoded X509 certificates with .crt extension.

  • Encryption: Use a SHA-2 (256 or 512 bit) SSL certificate for compatibility with modern browsers.

  • Key file: Acquire the corresponding RSA or DSA private key file (.key extension) alongside the certificate file.

  • Key file compatibility: Verify that the key's cryptographic algorithm is supported by your Tableau Server version and OpenSSL.

  • SSL certificate chain: Required for Tableau Desktop and Prep Builder on Mac and Windows, and also for Tableau Mobile if the server certificate isn't trusted by the mobile OS.

  • Domain verification: Ensure the domain/host/IP is included in the Subject Alternative Names (SAN) field for secure connections.
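
The requirements above can be checked on the files themselves before anything is uploaded. The script below is an added example, not part of the original article or of Tableau's tooling; it assumes OpenSSL 1.1.1 or later on the PATH, and the file names and tableau.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks to run on the .crt/.key pair before uploading it.
# File and host names are constructed placeholders, not from the article.

# Succeeds if the file is PEM text holding a parseable X.509 certificate.
cert_is_pem_x509() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Succeeds if the certificate signature uses SHA-256, SHA-384 or SHA-512.
cert_uses_sha2() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep 'Signature Algorithm' | head -n 1 | grep -Eiq 'sha(256|384|512)'
}

# Succeeds if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if host ($2) is an exact DNS or IP entry in the SAN extension.
# Wildcard entries are not expanded here.
san_has_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq -e "DNS:$2" -e "IP Address:$2"
}

# preflight <cert> <key> <host>: print one line per failure; non-zero on failure.
preflight() {
    rc=0
    cert_is_pem_x509 "$1"      || { echo "FAIL: not a PEM X.509 certificate"; rc=1; }
    cert_uses_sha2 "$1"        || { echo "FAIL: signature is not SHA-2"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    san_has_host "$1" "$3"     || { echo "FAIL: $3 not in Subject Alternative Names"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Demo on a throwaway self-signed pair (constructed sample input).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=tableau.example.com" -addext "subjectAltName=DNS:tableau.example.com" \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
preflight "$d/server.crt" "$d/server.key" tableau.example.com
```
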

b. Certificate Types: Self-signed vs. CA Signed

| Certificate Type | Self-Signed | CA-Signed |
| --- | --- | --- |
| Issuer | Issued by the server itself | Issued by a trusted Certificate Authority (CA) |
| Verification | Not verified by a third-party CA | Verified by a trusted CA |
| Trust | Limited trust, not automatically trusted by browsers | Automatically trusted by most browsers |
| Security | Lower security due to lack of third-party verification | Higher security due to third-party verification |
| Use Case | Suitable for testing or internal use | Essential for public-facing websites and ecommerce |
| Cost | Typically free | Usually involves a fee for issuance and maintenance |
| Installation | Easy to generate and install | Requires submission of CSR and validation process |

Initial Setup

Once you receive the SSL certificate from your Certificate Authority (CA) of choice, it’s time to move on to the next steps.

a. Accessing Tableau Server

Here’s how to access and set up everything:

  • Open Tableau Server Manager: Access the Tableau Server Manager interface through your web browser.

  • Navigate to Configuration Tab: Within the Tableau Server Manager interface, go to the Configuration Tab.

  • Enable External SSL: Under Security settings, choose External SSL and select "Enable SSL for server communication".

  • Upload SSL Files: Upload the SSL certificate, private key, and CA bundle as prompted. Provide the necessary files: SSL certificate (.crt), private key (.key), and CA bundle (.crt).

  • Save and Apply Changes: Save the changes made and apply them. Click "Save Pending Changes," then "Pending Changes," and finally "Apply Changes and Restart".

  • Verify SSL Installation: Use SSL tools to verify SSL certificate installation, ensuring secure communication between Tableau Server and its clients.

Generating Certificate Signing Request (CSR)

Here’s how to create a CSR:

  • Step 1: Set OpenSSL Configuration Environment Variable (Optional): Optionally configure the OpenSSL environment variable for streamlined procedures.

  • Step 2: Generate a Key: Navigate to the Tableau Server Apache directory in Command Prompt and create a key file using OpenSSL.

  • Step 3: Create a Certificate Signing Request (CSR): Use the key file to generate a CSR. Input necessary information.

  • Step 4: Send CSR to Certificate Authority (CA): Transmit the generated CSR to a commercial CA to obtain the SSL certificate.

  • Step 5: Use Key and Certificate to Configure Tableau Server: Once the SSL certificate is acquired, configure Tableau Server to utilize SSL encryption.
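
Steps 2 and 3 as OpenSSL commands, followed by a check of what the CA will see in the request. This is an added example rather than the article's own commands; it assumes OpenSSL 1.1.1 or later, and the host name, subject fields and output directory are placeholders.

```shell
#!/bin/sh
# Added example: generate a private key and a CSR that carries the host name
# in the SAN extension. Host name and subject fields are placeholders.
# If OpenSSL cannot find its config file, point OPENSSL_CONF at openssl.cnf
# first (the optional step 1 above).

# make_csr <host> <dir>: write <dir>/<host>.key and <dir>/<host>.csr.
make_csr() {
    # Step 2: RSA 2048 key, created with owner-only permissions.
    ( umask 077 && openssl genrsa -out "$2/$1.key" 2048 2>/dev/null ) || return 1
    # Step 3: CSR signed with SHA-256; the host goes in CN and in SAN.
    openssl req -new -sha256 -key "$2/$1.key" -out "$2/$1.csr" \
        -subj "/C=US/O=Example Corp/CN=$1" \
        -addext "subjectAltName=DNS:$1"
}

# csr_check <csr> <host>: succeeds if the request is SHA-256 signed and
# lists the host as an exact DNS entry in its requested SAN extension.
csr_check() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256' || return 1
    echo "$text" | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Demo in a temporary directory.
out=$(mktemp -d)
make_csr tableau.example.com "$out"
csr_check "$out/tableau.example.com.csr" tableau.example.com && echo "CSR ready for the CA"
```

The .key file never leaves the server; only the .csr is sent to the CA.
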

Obtaining SSL Certificate

a. Uploading CSR to Certificate Authority

To obtain your SSL certificate, begin by uploading the Certificate Signing Request (CSR) generated in the previous step to your chosen Certificate Authority (CA). The CA will use this CSR to issue your SSL certificate.

b. Receiving Certificate

Once the Certificate Authority (CA) processes your CSR, you will receive your SSL certificate. This certificate is essential for configuring secure communication between your Tableau Server and clients. Ensure that you securely store the received SSL certificate for future use in configuring Tableau Server.

Installing SSL Certificate on Tableau Server

a. Importing Certificate

After acquiring the certificate, you need to obtain the necessary files for installation on your server. Extract the contents of the zipped folder sent to you by your CA.

You'll need the primary SSL certificate (in PEM format with .crt extension), root and intermediate certificates (in the CA Bundle), and the private key file (with .key extension) generated during CSR creation. 

b. Configuring SSL Settings

To configure your settings, simply navigate to the Security > External SSL tab. This is where you can configure the SSL settings for your server. 

Verifying Certificate Installation

To verify certificate installation (for Windows or Mac), follow these steps:

1. For Windows:

  • Copy the certificate file (.crt) to the computer.

  • Double-click the certificate file and install it.

  • Select "Trusted Root Certification Authorities" as the destination.

  • Verify SSL Certificate Chain File in Tableau Server.

  • Check for duplicate Tableau Server certificates and delete any.

  • Repeat steps 4 and 5 for certificates in Intermediate Certification Authorities.

2. For Mac:

  • Copy the certificate file (.crt) to the computer.

  • Double-click the certificate file and install it.

  • Select "Trusted Root Certification Authorities" as the destination.

  • Verify SSL Certificate Chain File in Tableau Server.

  • Check for duplicate Tableau Server certificates and delete any.

  • Repeat steps 4 and 5 for certificates in Intermediate Certification Authorities.

Configuring SSL Renewal

a. Setting Up Renewal Notifications

  • Check the expiration date of the SSL certificate using online tools or browser certificate information.
  • Enable email notifications for SSL certificate expiration.
  • Specify recipient email addresses to receive renewal notifications.
  • Set the frequency of renewal notifications (e.g., weekly, monthly).
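
The expiry check can also be run locally against the installed files, including the CA bundle. The script below is an added example, not from the article; it assumes OpenSSL and awk are available, the 30-day threshold is an arbitrary choice, and the certificates are generated on the spot as sample input.

```shell
#!/bin/sh
# Added example: expiry check covering every certificate in a PEM bundle.
# "openssl x509" reads only the first certificate in a file, so split first.

# split_bundle <pem> <dir>: write each cert to dir/cert-N.pem, print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# expiry_status <cert> <warn_days>: print expired, renew or ok.
expiry_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo renew
    else
        echo ok
    fi
}

# bundle_status <pem> <warn_days>: worst status over all certs in the file.
bundle_status() {
    tmp=$(mktemp -d); count=$(split_bundle "$1" "$tmp"); worst=ok
    [ "$count" -gt 0 ] || worst=no-certificate
    i=1
    while [ "$i" -le "$count" ]; do
        case $(expiry_status "$tmp/cert-$i.pem" "$2") in
            expired) worst=expired ;;
            renew)   if [ "$worst" = ok ]; then worst=renew; fi ;;
        esac
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$worst"
}

# Demo (constructed input): a 400-day cert followed by a 10-day cert.
demo=$(mktemp -d)
for days in 400 10; do
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=demo-$days" \
        -keyout "$demo/$days.key" -out "$demo/$days.crt" 2>/dev/null
done
cat "$demo/400.crt" "$demo/10.crt" > "$demo/bundle.pem"
echo "first cert: $(expiry_status "$demo/bundle.pem" 30), bundle: $(bundle_status "$demo/bundle.pem" 30)"
```

Run from a scheduled job, the printed status can feed whatever notification channel is already in place.
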

b. Automating Renewal Process

  • Generate a new certificate signing request (CSR) on the web server.
  • Submit the CSR to the certificate authority (CA) for validation and issuance of a new certificate.
  • Download the new certificate from the CA.
  • Install the new certificate on the web server by replacing the old certificate file and updating configuration settings.

Troubleshooting SSL Installation Issues

a. SSL handshake failed

This error occurs when the server and browser fail to establish a secure connection. Here’s how you can fix it:

  • Update system date and time 
  • Check SSL certificate validity 
  • Configure the browser for the latest SSL/TLS protocol support 
  • Verify server's support for Server Name Indication 
  • Ensure cipher suites match

b. SSL handshake exception

This error happens due to issues with an untrusted root Certificate Authority, an expired certificate, a mismatched certificate, or an incorrect hostname/IP. You can try these solutions to fix the problem:

  • Ensure the certificate is from a Trusted CA 
  • Check SSL validity and hostname match 
  • Verify IP/hostname

c. SSL peer shut down incorrectly

This error arises from security protocol issues or incorrect connection shutdown by the remote host. Suggested solutions include:

  • Verify functional connections between class and node agent 
  • Confirm the correct IP/hostname for the WC admin host 
  • Secure XML index server port 
  • Remove confusing addresses from the server

d. SSL certificate expired

This error occurs when the SSL certificate's validity period ends. Try these solutions to fix the problem:

  • Manage certificates effectively 
  • Obtain new CSR and re-issue certificate

e. SSL bad record MAC alert

This issue is often related to client-side problems such as outdated OS or browser, HTTPS Inspection settings, Killer Control Center settings, router issues, etc. Try these solutions to fix the bad record alert:

  • Update OS and browser 
  • Adjust antivirus settings
  • Disable 'Stream Detect' in Killer Control Center 
  • Fix router configuration

f. HTTPS redirects

This issue arises when HTTPS is not enabled on the website, leading to improper redirection. You can try these to solve the problem:

  • Enable HTTPS on the website 
  • Properly configure DNS records

g. Mixed content error 

This issue arises when a page served over HTTPS requests some of its resources over plain HTTP. Try this:

  • Ensure all resources are requested via HTTPS 
  • Fix hardcoded HTTP URLs

h. Common name mismatch 

This error occurs when the SSL certificate's domain name does not match the URL being accessed, usually due to an incorrect certificate installation or a mismatched domain/subdomain. To fix this issue, ensure the SSL certificate covers the correct domain/subdomain.

Best Practices for SSL Management

  • Automate SSL Certificate Lifecycle Management

    Use automated tools for SSL certificate management to save time and ensure efficient handling. This helps to reduce manual errors and promote timely renewals. 

  • Rotate non-hardware-protected certificates

    Rotate non-HSM-protected certificates every 30 days to improve security. This reduces the window of vulnerability and the risks that come with compromised certificates.

  • Rotate all computer leaf certificates

    Rotate HSM-backed computer leaf certificates every 90 days for security maintenance. This ensures the integrity of cryptographic operations and guards against potential threats.

  • Rotate all human certificates

    Rotate human certificates (e.g., YubiKeys, smart cards) every 1-2 years for adequate security. It also adapts to new threats and focuses on robust authentication mechanisms. 

  • Define and Educate on Policies and Procedures

    Establish clear policies and educate staff on certificate issuance, renewal, and storage guidelines for compliance. 

SSL Performance Optimization

Here are some techniques to help you accelerate performance and tune SSL configurations. 

| Technique | How to Use It |
| --- | --- |
| Hardware Acceleration | Utilize dedicated server hardware to speed up encryption/decryption |
| Session Caching | Reuse established secure connections for faster user requests |
| Offload SSL Termination | Consider load balancers or CDNs to handle SSL handshakes |
| Modern Cipher Suites | Choose efficient encryption algorithms for a balance between security and performance |
| Enable HSTS | Instruct browsers to always use HTTPS, reducing connection overhead |

Understanding SSL Security Risks

SSL also contains some security risks. Let’s take a look. 

1. Incomplete certificate validation

SSL inspection software may fail to fully validate certificates, potentially exposing users to illegitimate sites.

2. Lack of validation relay to the client

Validation results may not be communicated to clients, leaving them unaware of potential security issues.

3. Overloaded CN field

Manipulating the CN field can confuse users and allow bypassing of certificate warnings.

4. Application-layer validity conveyance

Relaying certificate status through web content can lead to inconsistent SSL indicators and user confusion.

5. User-Agent header selective validation

Validation based on User-Agent header may result in some clients not receiving proper validation.

6. Communication before warning

Sending requests to the server before warning users may expose sensitive data to attackers.

7. Use of universal root CA certificate

Utilizing the same root CA certificate across installations risks private key exposure and unauthorized site signing.

Conclusion

Once you go through the entire installation process (from downloading to installation) it’s important that you regularly review your SSL certificates.

Apply the pending changes to restart Tableau Server services and restart all devices that use the SSL certificate. 

FAQ

A. What is an SSL certificate?

An SSL certificate verifies a website's identity and encrypts data transmission. 

B. How do I know if my Tableau Server needs SSL?

SSL is recommended for Tableau Server, especially when handling sensitive data. 

C. Can I use a self-signed certificate for Tableau Server?

While possible, self-signed certificates are not recommended for production environments because they can cause trust warnings due to lack of verification by a trusted third party.

D. What should I do if SSL installation fails?

If SSL installation on your Tableau Server fails, consult the Tableau documentation or support resources for assistance.

E. How often should I renew SSL certificates?

Renew your SSL certificates before they expire to maintain security and avoid potential interruptions.

F. Is SSL installation mandatory for Tableau Server?

While not strictly mandatory, SSL is highly recommended for Tableau Server to ensure secure communication. 

G. How does SSL impact Tableau Server performance?

SSL may introduce a slight performance overhead, but the security benefits of encrypted communication outweigh this impact.

H. Are there any security risks associated with SSL on Tableau Server?

SSL itself is a secure protocol, but improper certificate management, such as expired certificates, can introduce security vulnerabilities.

About the author

Youssef

Youssef is a Senior Cloud Consultant & Founder of ITCertificate.org
