Tableau Server SSL Certificate Install
Installing an SSL certificate on Tableau Server allows you to access the server over HTTPS, which is the secure version of HTTP. With HTTPS, all traffic between the client and server is encrypted so that any sensitive information like usernames, passwords, or data is protected.
Tableau Server is a business intelligence and analytics platform that allows organizations to share interactive data visualizations and dashboards. As Tableau Server often contains sensitive data, it is important to secure it by enabling SSL (Secure Sockets Layer) encryption. SSL applies encryption between the server and client to ensure all data in transit remains private and integral.
To install an SSL certificate on Tableau Server, you need to procure a valid certificate, upload it to the server, bind it to the port, and configure HTTPS settings. This guide provides step-by-step instructions for installing SSL certificates on Tableau Server on both Windows and Linux. Follow the steps outlined to set up HTTPS encryption.
Pre-requisites
Before starting the installation process, ensure you have the following in place:
Tableau Server Version
This guide is applicable for Tableau Server version 2020.2 or later. Make sure your Tableau server is up to date before proceeding.
Domain Name
You must have a valid publicly resolvable domain name for your Tableau server (e.g. analytics.yourcompany.com). Self-signed or internal certificates will not be trusted by clients.
Server Administrator Access
You need administrator login credentials to access the Tableau Server administration interface and make configuration changes.
Root Access (Optional)
While not essential, root or administrator-level access to the server operating system can make some certificate management tasks easier.
SSL Certificate Files
You will need to obtain an SSL certificate from a trusted Certificate Authority (CA). Ensure you have the necessary certificate, private key and CA bundle files ready before starting the installation.
- A Heroku account
- The Heroku CLI installed on your local machine
- Ownership and control of a custom domain name (or subdomain) that points to your Heroku app
- Access to your domain name registrar’s control panel to configure DNS settings
- An SSL certificate issued by a trusted Certificate Authority (CA) like Let’s Encrypt, DigiCert, etc.
- If you don’t already have an SSL certificate, you can get a free one from Let’s Encrypt. Make sure the certificate includes your custom domain name.
A Step-by-Step Guide to Install SSL Certificate on Tableau Server
Installing an SSL certificate on Tableau Server involves a few key steps:
- Generate a Certificate Signing Request (CSR)
- Obtain SSL Certificate Files from Certificate Authority
- Backing Up Existing Server Configuration
- Importing the SSL Certificate on Tableau Server
- Enabling SSL on Tableau Server Interface
- Configuring Client Authentication
- Configuring SSL Offloading
- Testing the SSL Installation
Step 1: Generate a Certificate Signing Request (CSR)
The first step is to generate a Certificate Signing Request (CSR) which will be submitted to the CA. A CSR uniquely identifies your server and ties the certificate to your domain. Follow these steps:
- Log into your Tableau Server administration interface at https://server-address:8850. Go to Configuration > Server Settings.
- Scroll down to the Certificate section and click “Generate CSR”.
- Fill in the required fields like Company Name, Organization Unit, City, State etc. reflecting the identity of your organization.
- For the Common Name field, enter your fully qualified domain name (FQDN) like analytics.yourcompany.com.
- Select appropriate Key Type (RSA is most common) and Key Size (2048 bits is secure).
- Leave the Challenge Password field blank.
- Click “Generate” to create the CSR. Tableau Server will display the signed CSR that can now be submitted to a CA.
- Copy the entire CSR and save it in a text file for submitting to the CA. Some CAs also allow direct pasting or uploading of CSR.
Now your CSR is ready. Proceed to purchase an SSL certificate from your preferred CA and they will validate your identity and issue the certificate based on this CSR.
Step 2: Obtain SSL Certificate Files from Certificate Authority
Once your CA validates your identity, they will provide you with the following SSL certificate files via email:
- Primary Certificate File (domain.crt): The SSL certificate issued for your domain in PEM/DER format.
- Intermediate Certificate(s) (intermediate.crt): Optional intermediate certificate files to validate the trust chain.
- Certificate Authority Bundle (bundle.crt): Contains the intermediate and root certificates needed to establish trust.
- Private Key File (domain.key): The unencrypted private key file associated with your certificate.
Download and save all these files locally. You will need them for installation on your Tableau server. Make sure to keep your private key file secure.
Step 3: Backing Up Existing Server Configuration
As a best practice before making any changes, take a backup of your existing Tableau server configuration. This protects you in case any step fails during installation.
On your Tableau server, run the following commands as root/administrator:
tableau save backup /path/to/backup.twbx
This creates a backup archive of your entire server configuration that can be used for restore in case of issues. Store this file securely for future reference.
Step 4: Importing the SSL Certificate on Tableau Server
Now it’s time to import the SSL certificate files on your Tableau server:
- Log into your Tableau Server administration page https://server-address:8850.
- Click on Configuration tab and choose Security > SSL/TLS Certificates.
- Click “Import SSL Certificate” button.
- Drag and drop or browse to upload the primary certificate file (.crt) obtained from your CA.
- Now upload the intermediate certificate file(s) (.crt) and the certificate bundle file (.crt).
- For the private key file, browse and select the .key file you obtained while purchasing the certificate.
- Enter the key passphrase if there is one (leave it empty if not set during key generation).
- Click “Import”. Tableau will verify and import the SSL files.
Step 5: Enabling SSL on Tableau Server Interface
To enable secure HTTPS access on your Tableau server interface:
- Go to Configuration > Security > External SSL.
- Check the box for “Enable SSL for server communication”.
- Check the box “Enable HTTPS/Redirect to HTTPS” to redirect standard http traffic to HTTPS.
- For Server Domain, enter the fully qualified domain name of your Tableau server (e.g. analytics.yourcompany.com).
- Choose the imported certificate from Certificate drop-down and check “Enable OCSP Stapling” for certificate validation.
- Click “Apply” to save the settings. You may see a restart prompt.
- Restart your Tableau server using the restart command as administrator.
This will activate HTTPS on your Tableau server interface using the imported SSL certificate.
Step 6: Configuring Client Authentication
To configure your Tableau server to require HTTPS client certificate authentication:
- Go to Configuration > Security > SSL/TLS Settings.
- Enable “Require Client Certificate Authentication”.
- Set “HTTP Redirect” or “Fail HTTP Requests” depending on whether to redirect HTTP to HTTPS or reject HTTP traffic.
- Choose appropriate “SSL Protocol” like TLS v1.2 or higher.
- Select “Cipher Suite” as recommended by browsers like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
- Save changes. Restart Tableau Server for changes to take effect.
Now all Tableau clients connecting must present a valid client certificate for authentication, ensuring an additional layer of security.
Step 7: Configuring SSL Offloading
For high traffic production deployments, consider offloading SSL handling to a reverse proxy for better performance:
- Install a reverse proxy server like Nginx or Apache HTTPD in front of your Tableau server.
- Configure it to terminate SSL at the proxy level and pass underlying requests via HTTP to Tableau server.
- On Tableau server, go to Configuration > Security and disable “Enable SSL for server communication”.
- Set “Server Domain” to the proxy’s domain not Tableau server’s direct domain.
- Save changes. Restart Tableau Server for new configuration to apply.
This provides benefits like reduced CPU usage on Tableau server at the cost of some additional proxy configuration.
Step 8: Testing the SSL Installation
To validate your SSL certificate installation:
- Open the Tableau server URL like https://analytics.yourcompany.com in a browser. You should see a green lock indicating secure connection.
- Check for no certificate warnings or errors and valid certificate details and issuer match the one expected.
- Try accessing server resources and views over HTTPS only. Login page and UI should load securely.
- Use SSL testing tools like SSL Labs and SSLLabs to scan your domain and check for any configuration issues.
- Try connecting Tableau Desktop/Web clients over HTTPS and test basic functionality.
Proper functioning over HTTPS after these validations confirms successful SSL installation on your Tableau server.
Conclusion
And with that your Tableau server is now fully secured with HTTPS! Installing an SSL/TLS certificate protects confidential data during transfers and safeguards privacy for users. HTTPS also boosts your online credibility and helps improve SEO rankings of your Tableau dashboard URLs. Overall this enhances the security posture of your Tableau implementation. Regular certificate renewal and configuration audits are recommended to maintain continuous protection.
FAQs
What is the purpose of installing an SSL certificate on Tableau Server?
Installing an SSL certificate on Tableau Server allows for encrypted connections between client browsers and the server, securing sensitive data transmitted over the network. SSL certificates also allow access to Tableau Server over HTTPS.
What types of SSL certificates can be used with Tableau Server?
Tableau Server supports standard SSL certificates like single domain, wildcard, and subject alternative name (SAN) certificates from trusted certificate authorities. Self-signed certificates can also be used but are not recommended.
How do I generate a CSR to request an SSL certificate for Tableau Server?
Use the openssl command to generate a certificate signing request (CSR) file containing server information to submit to the certificate authority when requesting an SSL certificate for Tableau Server.
Where do I install the SSL certificate files on the Tableau Server?
The SSL certificate files, including the .crt and .key files, should be copied to the /etc/tableau/tableau_server/certificates directory on the Tableau Server.
How do I configure Tableau Server to use the installed SSL certificate?
Update the /etc/tableau/tableau_server/config.rb file with the paths to the new SSL certificate and key files to configure Tableau Server to use them for HTTPS connections. Restart the server.
How do I renew an expired SSL certificate on a Tableau Server?
When an SSL certificate is nearing expiration, generate a new CSR, purchase an updated certificate from the CA, and replace the existing certificate files in the /etc/tableau/tableau_server/certificates directory.
What steps should I take after installing an SSL certificate to verify it is working properly?
Test HTTPS connections, confirm the certificate is trusted by browsers, and verify there are no certificate warnings to ensure the SSL certificate is properly installed and secured on the Tableau Server.
