Configure SSL for External HTTP Traffic to and from Tableau Server
You can configure Tableau Server to use Secure Sockets Layer (SSL) encrypted communications on all external HTTP traffic. Setting up SSL ensures that access to Tableau Server is secure and that sensitive information passed between the server and Tableau clients—such as Tableau Desktop, the REST API, and so on—is protected. Steps on how to configure the server for SSL are described this topic; however, you must first acquire a certificate from a trusted authority, and then import the certificate files into Tableau Server.
Mutual SSL authentication is not supported on Tableau Mobile.
Acquire an Apache SSL certificate from a trusted authority (for example, Verisign, Thawte, Comodo, GoDaddy). You can also use an internal certificate issued by your company. Wildcard certificates, which allow you to use SSL with many host names within the same domain, are also supported.
When you acquire an SSL certificate for external communication to and from Tableau Server, follow these guidelines and requirements:
If your organization issues certificates with a local PKI, or if you are using certificates that are not issued by a trusted certificate authority, you’ll need a certificate authority (CA) certificate file to identify the trusted CA.
The CA certificate file must be a valid PEM-encoded X509 certificate with the extension
.crt. If you have multiple trusted certificate authorities, you can copy and paste the entire contents of each CA certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, into a new file, and then save the file as
Use a SHA-2 (256 or 512 bit) SSL certificate. Most browsers no longer connect to a server that presents an SHA-1 certificate.
In addition to the certificate file, you must also acquire a corresponding SSL certificate key file. The key file must be a valid RSA or DSA private key file (with the extension
You can choose to passphrase-protect the key file. The passphrase you enter during configuration will be encrypted while at rest. However, if you want to use the same certificate for SSL and SAML, you must use a key file that is not passphrase protected.
A certificate chain file is required for Tableau Desktop on the Mac. The chain file is a concatenation of all of the certificates that form the certificate chain for the server certificate. All certificates in the file must be x509 PEM-encoded and the file must have a
For multiple sub-domains, Tableau Server supports wildcard certificates.
Tableau Server supports certificates that list multiple domains, IP addresses, or host names in the Subject Alternative Names (SAN) field.
Note: If you plan to configure Tableau Server for single-sign on using SAML, see About the certificate and key files in the SAML requirements to help determine whether to use the same certificate files for both SSL and SAML.
You can configure a Tableau Server cluster to use SSL. If the initial node is the only one running the gateway process (which it does by default), you need to configure SSL only on that node, using the steps described in this topic.
SSL with multiple gateways
A highly available Tableau Server cluster can include multiple gateways, fronted by a load balancer. If you are configuring this type of cluster for SSL, you have the following choices:
Configure the load balancer for SSL: Traffic is encrypted from the client web browsers to the load balancer. Traffic from the load balancer to the Tableau Server gateway processes is not encrypted. No SSL configuration in Tableau Server is required by you. It’s all handled by the load balancer.
Configure Tableau Server for SSL: Traffic is encrypted from the client web browsers to the load balancer, and from the load balancer to the Tableau Server gateway processes. For more information, continue to the following section.
Additional configuration information for Tableau Server cluster environments
When you want to use SSL on all Tableau Server nodes that run a gateway process, you complete the following steps.
Configure the external load balancer for SSL passthrough.
Or if you want to use a port other than 443, you can configure the external load balancer to terminate the non-standard port from the client. In this scenario, you would then configure the load balancer to connect to Tableau Server over port 443. For assistance, refer to the documentation provided for the load balancer.
Make sure the SSL certificate is issued for the load balancer’s host name.
Configure the initial Tableau Server node for SSL.
If you are using mutual SSL, place the SSL CA certificate file in the same location on all computers that run a gateway process.
You do not need to do any additional configuration on the subsequent nodes.
Say you have a cluster that includes an initial Tableau Server node and three additional nodes, with gateway processes running on the initial, node2 and node3. In this situation, you configure the initial Tableau Server for SSL, and then copy the same SSL certificate and key files to node2 and node3, to the same location as on the initial node.
When you get the certificate files from the CA, save them to a location accessible by Tableau Server, and note the names of the certificate .crt and .key files and the location where you save them. You’ll need to provide this information to Tableau Server when you enable SSL.
A common practice is to place a copy of the certificate files in a location that’s within the Tableau Server directory tree. For example:
Name the directory whatever is appropriate depending on whether you’ll use the certificate files only for SSL or also for configuring SAML authentication.
Note: If you think you might want to use the same certificate for SSL and SAML, see the Certificate and identity provider (IdP) requirements in the SAML Requirements topic.
Use the method you’re most comfortable with.
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
On the Configuration tab, select Security > External SSL.
Under External web server SSL, select Enable SSL for server communication.
Upload the certificate and key files, and if required for your environment, upload the chain file and enter the passphrase key:
Click Save Pending Changes.
Click Pending Changes at the top of the page:
Click Apply Changes and Restart.
After you have copied the certificate files to the local computer, run the following commands:
tsm security external-ssl enable --cert-file <path-to-file.crt> --key-file <path-to-file.key>
tsm pending-changes apply
See the command reference at tsm security external-ssl enable to determine whether you want to include additional options for
external-ssl enable. Tableau has specific recommendations for the
external-ssl enable command imports the information from the .crt and .key files. If you run this command on a node in a Tableau Server cluster, it also distributes the information to any other gateway node.
pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.
After the server has been configured for SSL, it accepts requests to the non-SSL port (default is port 80) and automatically redirects to the SSL port 443.
Note: Tableau Server supports only port 443 as the secure port. It cannot run on a computer where another application is using port 443.
SSL errors are logged in the at the following location. Use this log to troubleshoot validation and encryption issues:
Add SSL port to the local firewall
If you are running a local firewall, you must add the SSL port to the firewall on Tableau Server. The example below describes how to configure the firewall running on RHEL/CentOS distributions. The example uses Firewalld, which is the default firewall on CentOS.
sudo systemctl start firewalld
Add port 443 for SSL:
sudo firewall-cmd --permanent --add-port=443/tcp
Reload the firewall and verify the settings:
sudo firewall-cmd --reload
sudo firewall-cmd --list-all