Manage Server Secrets
Tableau Server needs to store a number of secrets it uses to perform various functions, typically securing internal communication, communicating with other applications or the operating system, or providing secure communication with clients. In this context, the term secret may refer to a password, a token, or another string that is used to authenticate one entity to another.
There are two categories of secrets that are required to run Tableau Server. They differ according to how the secrets are generated:
- Secrets that are generated by administrators. These include credentials and associated secrets for the Run As User account and the SMTP credentials used by Tableau Server.
- Secrets that are automatically generated by various processes in the system. For example, a secret is required to protect communication between the Cluster Controller and ZooKeeper processes. And a number of different passwords are required for each service and programmatic user that communicates with Postgres.
Most secrets are encrypted while at rest. When a secret is needed, it is decrypted at run time.
This topic describes how secrets storage works and what you need to do to properly manage storage of secrets on Tableau Server.
Understanding how secrets storage works
During installation Tableau Server generates and stores a master key in a Java keystore. The master key is used to encrypt a configuration encryption key that is used across the system.
Whenever a new secret is created or updated, the secret is encrypted with the configuration encryption key. The encrypted value is then stored with its corresponding configuration parameter in a YAML file on the server. Parameters that hold an encrypted value use the format ENC(<encrypted string>), where <encrypted string> is a Base64-encoded encrypted string.
At run time, when a given secret needs to be accessed, the encrypted values are read into memory and decrypted with the configuration encryption key.
Tableau Server encrypts secrets using 256-bit AES in GCM mode. The keys used for secure storage are different from the asset keys that are used to encrypt embedded database credentials before they are stored in the repository.
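To make the storage format concrete, here is an added example in Go (illustrative code, not Tableau's implementation) that models the configuration-encryption-key layer described above: a secret is sealed with AES-256-GCM, Base64-encoded and wrapped as ENC(...) for the YAML file, and at read time the wrapper is parsed and the value decrypted, with any modification of the stored string or use of the wrong key rejected by GCM's authentication tag. The nonce||ciphertext||tag layout inside the Base64 string and the function names are assumptions of this example; Tableau's actual serialization and the master key that protects the configuration key are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// gcmFor builds an AES-GCM AEAD from the configuration encryption key; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncodeSecret seals a secret under the configuration key and wraps it as ENC(<Base64>); the nonce||ciphertext||tag layout is this example's assumption.
func EncodeSecret(configKey []byte, secret string) (string, error) {
	gcm, err := gcmFor(configKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every value written
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(secret), nil) // nonce prepended to the output
	return "ENC(" + base64.StdEncoding.EncodeToString(sealed) + ")", nil
}

// DecodeSecret is the run-time read path: strip ENC(), Base64-decode, decrypt. Unwrapped values pass through; a tampered or wrong-key value fails the tag check.
func DecodeSecret(configKey []byte, value string) (string, error) {
	if !strings.HasPrefix(value, "ENC(") || !strings.HasSuffix(value, ")") {
		return value, nil
	}
	gcm, err := gcmFor(configKey)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(value[4 : len(value)-1])
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ENC value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err // err is non-nil when the authentication tag does not verify
}
```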
Who has access to the master key?
In a default installation, the Java keystore for Tableau Server is installed in the \ProgramData\Tableau\Tableau Server\config\tabsvc\keystores\ folder. If you have installed Tableau on a non-system drive, the path is <install drive>:\Tableau\Tableau Server\config\tabsvc\keystores\. By default, the following accounts have access to this directory:
- Run As User account (if configured)
- NetworkService predefined local Windows account
- LocalSystem predefined local Windows account
- Members of the computer Administrators group
Import and export configuration information
Tableau Services Manager introduces the capability to import and export configuration information using tsm configuration.
Note: This version of Tableau Server does not support restoring configuration information from a backup. Instead, we recommend using the export and import configuration commands to back up and restore configuration information.
While configuration secrets are encrypted when stored on disk internally, when the configuration is exported to a file, secrets are written into the file in plain text. It is up to the administrator to take measures to protect this file. There are a variety of options available:
- Write the file to an encrypted file system.
- Write the file to a directory that is restricted to specific users or groups by file system permissions.
- Encrypt the output file. Use a third-party toolset, such as OpenSSL, to encrypt the backup output.
When adding a new node to your Tableau Server cluster, you will first need to generate the node configuration file (tsm topology). The node configuration file contains a copy of the master keystore file used for encrypting the configuration secrets.
Important: We strongly recommend that you take additional measures to secure the node configuration file when exporting a configuration file with secrets.
When installing and configuring Tableau Server on the new node, you will need to provide the node configuration file to the
Secrets storage event logging
The following events related to secrets storage are logged:
- Generating new encryption keys
- Encryption key is rolled or changed
- Encrypting a new value in the configuration file
For more information about log files and where they are stored, see Work with Log Files.
As a Tableau Server administrator, your most important task related to secrets storage is to periodically update secrets. In some cases (server troubleshooting or auditing), you may need to retrieve a password.
For other operations, such as upgrading versions, backing up and restoring, or adding new nodes to a cluster—as noted above—Tableau Server manages secrets storage and related processes automatically.
You should update secrets periodically, according to your company's security policy.
To update the master key and automatically generated secrets, run tsm security regenerate-internal-tokens.
In some cases, you may need to retrieve a password for troubleshooting or other operations. For example, you may need the Postgres readonly user credentials that are generated and encrypted by Tableau Server. In these cases, you can run a tsm command that will retrieve and decrypt the password for you.
To retrieve a password, open Command Prompt and issue a tsm configuration get command for one of the parameters listed in the table below.
For example, to retrieve a password for the readonly Postgres user, type the following command:
tsm configuration get -k pgsql.readonly_password
The command will return the password in clear text:
$ tsm configuration get -k pgsql.readonly_password
| Parameter | Description |
|---|---|
| clustercontroller.zookeeper.password | Password for cluster controller to connect to zookeeper. |
| filestore.zookeeper.password | Password for filestore to connect to zookeeper. |
| jdbc.password | Password for the rails Postgres user. |
| oauth.google.client_secret | Client secret of the Google Cloud Platform account. |
| oauth.quickbooks.consumer_secret | Consumer secret of the Intuit developer account. |
| oauth.salesforce.client_secret | Client secret of the Salesforce developer account. |
| | Password for the tblwgadmin Postgres user. Note: Although the configuration parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), this password is stored in plain text in other files used by SAML and the Postgres recovery process. |
| pgsql.readonly_password | Password for the readonly Postgres user. |
| pgsql.remote_password | Password for the tableau Postgres user. |
| servercrashupload.proxy_server_password | Password for the custom proxy server used to upload crash reports. |
| service.runas.password | Password of the Run As User account. Stored temporarily. |
| ssl.key.passphrase | Optional passphrase used to protect the Apache SSL key. |
| svcmonitor.notification.smtp.password | SMTP server password supplied by the administrator through TabConfig.exe. |
| tabadminservice.password | Password for the service that allows server admins to download log files through the web interface. |
| vizportal.openid.client_secret | The password ("provider client secret") used for OpenID Connect SSO. |
| vizqlserver.external_proxy_password | Password used to authenticate to an external proxy. |
| vizqlserver.extsvc.password | Password for the service that supports R functionality in workbooks. |
| wgserver.domain.password | Password used to bind to Active Directory. |
| wgserver.saml.key.passphrase | Passphrase used to access the PKCS#8 SAML key file. |
| zookeeper.tsm.password | Password that TSM uses to connect to the Zookeeper coordination service. |