Part 6 - Post-Installation Configuration

Configure SSL/TLS from load balancer to Tableau Server

Some organizations require an end-to-end encrypted channel from the client to the back-end service. The default reference architecture as described to this point specifies SSL from the client to the load balancer running in the web tier of your organization.

This section describes how to configure SSL/TLS for Tableau Server and the Independent Gateway in the example AWS reference architecture. For a configuration example describing how to configure SSL/TLS on Apache in the AWS reference architecture, see Example: Configure SSL/TLS in AWS reference architecture.

At this time, TLS is not supported on the backend Tableau Server processes that run in the 8000-9000 range. To enable TLS, you must configure Independent Gateway with a relay connection to the Tableau Server.

This procedure describes how to enable and configure TLS on Independent Gateway to Tableau Server, and Tableau Server to Independent Gateway. The procedure encrypts the relay traffic over HTTPS/443 and housekeeping traffic over HTTPS/21319.

The Linux procedures throughout this example show commands for RHEL-like distributions. Specifically, the commands here have been developed with the Amazon Linux 2 distribution. If you are running the Ubuntu distribution, edit the commands accordingly.

The guidance here is prescriptive to the specific AWS example reference architecture as presented in this Guide. Therefore, optional configurations are not included. For full reference documentation, see Configure TLS on Independent Gateway (Linux).

Before you configure TLS

Perform the TLS configurations outside of business hours. Configuration requires at least one restart of Tableau Server. If you are running a full four-node reference architecture deployment, then restarting can take a while.

  • Verify that clients can connect to Tableau Server over HTTP. Configuring TLS with Independent Gateway is a multi-step process and may require troubleshooting. Therefore, we recommend starting with a fully operational Tableau Server deployment before configuring TLS.
  • Collect TLS/SSL certificates, keys, and related assets. You will need SSL certificates for the Independent Gateways and for Tableau Server. To simplify certificate management and deployment, and as a security best practice, we recommend using certificates generated by a major trusted third-party certificate authority (CA). Alternatively, you may generate self-signed certificates or use certificates from a PKI for TLS.

    The example configuration in this topic uses the following asset names by way of illustration:

    • tsig-ssl.crt: The TLS/SSL certificate for Independent Gateway.
    • tsig-ssl.key: The private key for tsig-ssl.crt on Independent Gateway.
    • ts-ssl.crt: The TLS/SSL certificate for Tableau Server.
    • ts-ssl.key: The private key for ts-ssl.crt on Tableau Server.
    • tableau-server-CA.pem: The root certificate for the CA that generates the certificates for the Tableau Server computers. This certificate is generally not required if you are using certificates from major trusted third parties.
    • rootTSIG-CACert.pem: The root certificate for the CA that generates the certificates for the Independent Gateway computers. This certificate is generally not required if you are using certificates from major trusted third parties.
    • There are other certificate and key file assets required for SAML that are detailed in Part 5 of this Guide.
    • If your implementation requires the use of a certificate chain file, see the Knowledge Base article, Configure TLS on Independent Gateway when using a certificate that has a certificate chain.

  • Verify that you have access to IdP. If you are using an IdP for authentication, you will likely need to make changes to the recipient and destination URLs at the IdP after you have configured SSL/TLS.

Configure Independent Gateway computers for TLS

Configuring TLS can be an error-prone process. Since troubleshooting across two instances of Independent Gateway can be time consuming, we recommend enabling and configuring TLS on the EDG deployment with just one Independent Gateway. After you have validated that TLS works across the deployment, configure the second Independent Gateway computer.

Step 1: Distribute certificates and keys to Independent Gateway computer

You can distribute the assets to any arbitrary directory as long as the tsig-httpd user has read access to the files. The paths to these files are referenced in other procedures. We will use the example paths under /etc/ssl, as shown below, throughout the topic.

  1. Create the directory for the private key:

    sudo mkdir -p /etc/ssl/private
  2. Copy the certificate and key files to the /etc/ssl paths. For example,

    sudo cp tsig-ssl.crt /etc/ssl/certs/
    sudo cp tsig-ssl.key /etc/ssl/private/
  3. (Optional) If you are using a self-signed or PKI certificate for SSL/TLS on Tableau Server, then you must copy the CA root certificate file to the Independent Gateway computer as well. For example,

    sudo cp tableau-server-CA.pem /etc/ssl/certs/

Step 2: Update the environment variables for TLS

You must update the port and protocol environment variables for the Independent Gateway configuration.

Change these values by updating the file /etc/opt/tableau/tableau_tsig/environment.bash as follows:

TSIG_HK_PROTOCOL="https"
TSIG_PORT="443"
TSIG_PROTOCOL="https"

Step 3: Update the stub configuration file for HK protocol

Manually edit the stub configuration file (/var/opt/tableau/tableau_tsig/config/httpd.conf.stub) to set TLS-related Apache httpd directives for the housekeeping (HK) protocol.

The stub configuration file includes a block of TLS-related directives that are commented out with a #TLS# marker. Remove the markers from the directives as shown in the example below. Note that the example shows use of root CA certificate for the SSL certificate used on Tableau Server with the SSLCACertificateFile option.

#TLS# SSLPassPhraseDialog exec:/path/to/file
<VirtualHost *:${TSIG_HK_PORT}>
SSLEngine on
#TLS# SSLHonorCipherOrder on
#TLS# SSLCompression off
SSLCertificateFile /etc/ssl/certs/tsig-ssl.crt
SSLCertificateKeyFile /etc/ssl/private/tsig-ssl.key
SSLCACertificateFile /etc/ssl/certs/tableau-server-CA.pem
#TLS# SSLCARevocationFile /path/to/file
</VirtualHost>

These changes will be lost if you re-install Independent Gateway. We recommend making a backup copy.

Step 4: Copy stub file and restart the service

  1. Copy the file that you updated in the last step over httpd.conf to apply the changes:

    cp /var/opt/tableau/tableau_tsig/config/httpd.conf.stub /var/opt/tableau/tableau_tsig/config/httpd.conf
  2. Restart the Independent Gateway service:

    sudo su - tableau-tsig
    systemctl --user restart tsig-httpd
    exit

After you restart, the Independent Gateway will be nonoperational until you run the next set of steps on Tableau Server. After you have completed the steps on Tableau Server, Independent Gateway will pick up changes and come online.
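
The following shell script is an added pre-restart check for the edits in Steps 2 and 3; it is not part of the Tableau guide. It assumes the stub file uses the "#TLS# <directive>" marker format shown in Step 3, and the files it creates at the bottom are constructed samples, not the real configuration.

```shell
#!/bin/sh
# Added example, not part of the Tableau guide: a pre-restart check for the
# Independent Gateway TLS edits in Steps 2 and 3. It assumes the stub file
# uses the "#TLS# <directive>" marker format shown in Step 3; the files
# created at the bottom are constructed samples, not the real configuration.
set -eu

# Remove the #TLS# marker from the directives Step 3 enables and point them
# at the given certificate, key and CA paths. Optional directives (cipher
# order, compression, revocation file) keep their markers.
enable_tls_stub() {
  stub=$1; cert=$2; key=$3; ca=$4
  sed -e 's|^#TLS# *SSLEngine .*|SSLEngine on|' \
      -e "s|^#TLS# *SSLCertificateFile .*|SSLCertificateFile $cert|" \
      -e "s|^#TLS# *SSLCertificateKeyFile .*|SSLCertificateKeyFile $key|" \
      -e "s|^#TLS# *SSLCACertificateFile .*|SSLCACertificateFile $ca|" \
      "$stub" > "$stub.tmp" && mv "$stub.tmp" "$stub"
}

# Verify the edits before Step 4 restarts tsig-httpd: environment.bash must
# carry the three https/443 settings, SSLEngine must be on, and the enabled
# certificate and key directives must point at readable files (run this as
# the gateway service user so the read test reflects its permissions).
# Prints the reason and returns 1 on the first problem found.
check_tsig_tls_config() {
  env_file=$1; conf=$2
  for setting in 'TSIG_HK_PROTOCOL="https"' 'TSIG_PORT="443"' 'TSIG_PROTOCOL="https"'; do
    grep -qx "$setting" "$env_file" || grep -qx "export $setting" "$env_file" ||
      { echo "FAIL: $setting is not set in $env_file"; return 1; }
  done
  grep -qx 'SSLEngine on' "$conf" ||
    { echo "FAIL: SSLEngine on is still commented out in $conf"; return 1; }
  for directive in SSLCertificateFile SSLCertificateKeyFile; do
    path=$(sed -n "s/^$directive  *//p" "$conf")
    [ -n "$path" ] || { echo "FAIL: $directive is still commented out in $conf"; return 1; }
    [ -r "$path" ] || { echo "FAIL: $directive points to unreadable file $path"; return 1; }
  done
  echo "OK: $env_file and $conf are ready for the tsig-httpd restart"
}

# Constructed sample files standing in for environment.bash and httpd.conf.stub.
DEMO=$(mktemp -d)
printf 'TSIG_HK_PROTOCOL="https"\nTSIG_PORT="443"\nTSIG_PROTOCOL="https"\n' > "$DEMO/environment.bash"
cat > "$DEMO/httpd.conf.stub" <<'EOF'
#TLS# SSLPassPhraseDialog exec:/path/to/file
<VirtualHost *:${TSIG_HK_PORT}>
#TLS# SSLEngine on
#TLS# SSLHonorCipherOrder on
#TLS# SSLCompression off
#TLS# SSLCertificateFile /path/to/file
#TLS# SSLCertificateKeyFile /path/to/file
#TLS# SSLCACertificateFile /path/to/file
#TLS# SSLCARevocationFile /path/to/file
</VirtualHost>
EOF
touch "$DEMO/tsig-ssl.crt" "$DEMO/tsig-ssl.key" "$DEMO/tableau-server-CA.pem"
enable_tls_stub "$DEMO/httpd.conf.stub" "$DEMO/tsig-ssl.crt" \
  "$DEMO/tsig-ssl.key" "$DEMO/tableau-server-CA.pem"
check_tsig_tls_config "$DEMO/environment.bash" "$DEMO/httpd.conf.stub"
```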

Configure Tableau Server Node 1 for TLS

Run these steps on Node 1 of the Tableau Server deployment.

Step 1: Copy certificates and keys and stop TSM

  1. Verify that you have the Tableau Server "external SSL" certificates and keys copied to Node 1.

  2. To minimize downtime, we recommend stopping TSM, running the following steps, and then starting TSM after changes have been applied:

    tsm stop

Step 2: Set certificate assets and enable Independent Gateway configuration

  1. Specify the location of certificate and key files for Independent Gateway. These paths reference the location on the Independent Gateway computers. Note that this example assumes the same certificate and key pair are used to protect HTTPS and housekeeping traffic:

    tsm configuration set -k gateway.tsig.ssl.cert.file_name -v /etc/ssl/certs/tsig-ssl.crt --force-keys
    tsm configuration set -k gateway.tsig.ssl.key.file_name -v /etc/ssl/private/tsig-ssl.key --force-keys
  2. Enable TLS for HTTPS and HK protocols for Independent Gateway:

    tsm configuration set -k gateway.tsig.ssl.enabled -v true --force-keys
    tsm configuration set -k gateway.tsig.hk.ssl.enabled -v true --force-keys
  3. (Optional) If you are using a self-signed or PKI certificate for SSL/TLS on the Independent Gateway, then you must upload the CA root certificate file. The CA root certificate file is the root certificate that was used to generate the certificates for the Independent Gateway computers. For example,

    tsm security custom-cert add -c rootTSIG-CACert.pem
  4. (Optional) If you are using a self-signed or PKI certificate for SSL/TLS on Tableau Server, then you must copy the CA root certificate file to the Independent Gateway /etc/ssl/certs directory. The CA root certificate file is the root certificate that was used to generate the certificates for the Tableau Server computers. After you have copied the certificate to the Independent Gateway, you must specify the location of the certificate on Node 1 with the following tsm command. For example,

    tsm configuration set -k gateway.tsig.ssl.proxy.gateway_relay_cluster.cacertificatefile -v /etc/ssl/certs/tableau-server-CA.pem --force-keys
  5. (Optional: for testing purposes only) If you are sharing self-signed or PKI certificates across computers and therefore the subject names on the certificates do not match the computer names, then you must disable certificate verification.

    tsm configuration set -k gateway.tsig.ssl.proxy.verify -v optional_no_ca --force-keys

Step 3: Enable "external SSL" for Tableau Server and apply changes

  1. Enable and configure "external SSL" on Tableau Server:

    tsm security external-ssl enable --cert-file ts-ssl.crt --key-file ts-ssl.key
  2. Apply changes.

    tsm pending-changes apply

Step 4: Update the gateway configuration JSON file and start tsm

  1. Update the Independent Gateway configuration file (for example, tsig.json) on the Tableau Server side to specify the https protocol for the Independent Gateway objects:

    "protocol" : "https",
  2. Remove (or comment out) the connection information for the second instance of Independent Gateway. Be sure to verify the JSON in an external editor before you save it.

    After you have configured and validated TLS for the single instance of Independent Gateway, you will update this JSON file with the connection information for the second instance of Independent Gateway.

  3. Run the following command to update the Independent Gateway configuration:

    tsm topology external-services gateway update -c tsig.json
  4. Start TSM.

    tsm start
  5. While TSM is starting, sign in to the Independent Gateway instance and restart the tsig-httpd service:

    sudo su - tableau-tsig
    systemctl --user restart tsig-httpd
    exit

Update IdP authentication module URLs to HTTPS

If you have configured an external identity provider for Tableau, then you will likely need to update return URLs in the IdP administrative dashboard.

For example, if you are using an Okta pre-auth application, you will need to update the application to use the HTTPS protocol for the Recipient URL and the Destination URL.

Configure AWS load balancer for HTTPS

If you are deploying with the AWS load balancer as documented in this guide, then reconfigure the AWS load balancer to send HTTPS traffic to the computers running Independent Gateway:

  1. Delete existing HTTP target group:

    In Target Groups, select the HTTP target group that has been configured for the load balancer, click Actions, and then click Delete.

  2. Create HTTPS target group:

    Target groups > Create target group

    • Select "Instances"
    • Enter a target group name, for example TG-internal-HTTPS
    • Select your VPC
    • Protocol: HTTPS 443
    • Under Health checks > Advanced health checks settings > Success codes, append the code list to read: 200,303.
    • Click Create.
  3. Select the target group that you just created, and then click the Targets tab:

    • Click Edit.
    • Select the EC2 instance running the Independent Gateway that you have configured, and then click Add to registered.
    • Click Save.
  4. After the target group is created, you must enable stickiness:

    • Open the AWS Target Group page (EC2 > Load Balancing > Target groups), select the target group instance that you just set up. On the Action menu, select Edit attributes.
    • On the Edit attributes page, select Stickiness, specify a duration of 1 day, and then Save changes.
  5. On the load balancer, update the listener rules. Select the load balancer you have configured for this deployment, and then click the Listeners tab.

    • For HTTP:80, click View/edit rules. On the resulting Rules page, click the edit icon (once at the top of the page, and then again by the rule) to edit the rule. Delete the existing THEN rule and replace it by clicking Add action > Redirect to.... In the resulting THEN configuration, specify HTTPS and port 443 and leave the other options to default settings. Save the setting and then click Update.
    • For HTTPS:443, click View/edit rules. On the resulting Rules page, click the edit icon (once at the top of the page, and then again by the rule) to edit the rule. Delete the existing THEN rule and replace it by clicking Add action > Forward to.... Specify the Target group to the HTTPS group that you just created. Under Group-level stickiness, enable stickiness and set duration to 1 day. Save the setting and then click Update.
  6. On the load balancer, update the idle timeout to 400 seconds. Select the load balancer you have configured for this deployment, and then click Actions > Edit attributes. Set Idle timeout to 400 seconds, and then click Save.

Validate TLS

To validate TLS functionality, sign in to Tableau Server with the public URL (e.g., https://tableau.example.com) using the Tableau admin account that you created at the beginning of this procedure.

If TSM is not starting or you get other errors, see Troubleshooting Tableau Server Independent Gateway.

Configure second instance of Independent Gateway for SSL

After you have successfully configured the first instance of Independent Gateway, deploy the second instance.

The process for deploying the second Independent Gateway requires the following steps:

  1. On the configured (first) instance of Independent Gateway: Copy the following files to corresponding locations on the second instance of Independent Gateway:

    • /etc/ssl/certs/tsig-ssl.crt
    • /etc/ssl/private/tsig-ssl.key (You will need to create the private directory on the second instance).
    • /var/opt/tableau/tableau_tsig/config/httpd.conf.stub
    • /etc/opt/tableau/tableau_tsig/environment.bash
  2. On Node 1 of the Tableau Server deployment: Update the connection file (tsig.json) with the connection information from the second Independent Gateway.

    An example connection file (tsig.json) is shown here:

    {
      "independentGateways": [
        {
          "id": "ip-10-0-1-169.ec2.internal",
          "host": "ip-10-0-1-169.ec2.internal",
          "port": "21319",
          "protocol": "https",
          "authsecret": "13660-27118-29070-25482-9518-22453"
        },
        {
          "id": "ip-10-0-2-230.ec2.internal",
          "host": "ip-10-0-2-230.ec2.internal",
          "port": "21319",
          "protocol": "https",
          "authsecret": "9055-27834-16487-27455-30409-7292"
        }
      ]
    }
  3. On Node 1 of the Tableau Server deployment: Run the following commands to update the configuration:

    tsm stop
    tsm topology external-services gateway update -c tsig.json
    tsm start
  4. On both instances of Independent Gateway: As Tableau Server is starting, restart the tsig-httpd process on both instances of Independent Gateway:

    sudo su - tableau-tsig
    systemctl --user restart tsig-httpd
    exit
  5. In AWS EC2>Target groups: Update target group to include the EC2 instance running the second Independent Gateway instance.

    Select the target group that you just created, and then click the Targets tab:

    • Click Edit.
    • Select the EC2 instance of the second Independent Gateway computer, and then click Add to registered.
    • Click Save.

Configure SSL for Postgres

You may optionally configure SSL (TLS) for the Postgres connection used by the external repository on Tableau Server.

To simplify certificate management and deployment, and as a security best practice, we recommend using certificates generated by a major trusted third-party certificate authority (CA). Alternatively, you may generate self-signed certificates or use certificates from a PKI for TLS.

This procedure describes how to use OpenSSL to generate a self-signed certificate on the Postgres host on a RHEL-like Linux distribution in the example AWS reference architecture.

After you generate and sign the SSL certificate, you must copy the CA certificate to the Tableau host.

On the host running Postgres:

  1. Generate the signing root certificate authority (CA) key:

    openssl genrsa -out pgsql-rootCAKey.pem 2048
  2. Create the root CA certificate:

    openssl req -x509 -sha256 -new -nodes -key pgsql-rootCAKey.pem -days 3650 -out pgsql-rootCACert.pem

    You will be prompted to enter values for the certificate fields. For example:

    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:Washington
    Locality Name (eg, city) [Default City]:Seattle
    Organization Name (eg, company) [Default Company Ltd]:Tableau
    Organizational Unit Name (eg, section) []:Operations
    Common Name (eg, Postgres server's hostname) []:ip-10-0-1-189.us-west-1.compute.internal
    Email Address []:example@tableau.com
  3. Create the certificate request and related key (server.csr and server.key in the example below) for the Postgres computer. The subject name for the certificate must match the EC2 private DNS name of the Postgres host. The subject name is set with the -subj option with the format "/CN=<private DNS name>", for example:

    openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=ip-10-0-1-189.us-west-1.compute.internal"
  4. Sign the new certificate with the CA certificate that you created in step 2. The following command also outputs the certificate in the crt format:

    openssl x509 -req -in server.csr -days 3650 -CA pgsql-rootCACert.pem -CAkey pgsql-rootCAKey.pem -CAcreateserial -out server.crt
  5. Copy the crt and key files to the Postgres /var/lib/pgsql/13/data/ path:

    sudo cp server.crt /var/lib/pgsql/13/data/
    sudo cp server.key /var/lib/pgsql/13/data/
  6. Switch to root user:

    sudo su
  7. Set permissions on the crt and key files. Run the following commands:

    cd /var/lib/pgsql/13/data
    chown postgres.postgres server.crt
    chown postgres.postgres server.key
    chmod 0600 server.crt
    chmod 0600 server.key
  8. Update the pg_hba configuration file, /var/lib/pgsql/13/data/pg_hba.conf, to use the md5 authentication method:

    Change the existing connection statements from

    host all all 10.0.30.0/24 password
    host all all 10.0.31.0/24 password

    to

    host all all 10.0.30.0/24 md5
    host all all 10.0.31.0/24 md5

  9. Update the postgresql file, /var/lib/pgsql/13/data/postgresql.conf, by adding this line:

    ssl = on
  10. Exit root user mode:

    exit
  11. Restart Postgres:

    sudo systemctl restart postgresql-13
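
The following shell script is an added example, not part of the Tableau guide. It runs the CA and server-certificate steps 1 to 4 above without interactive prompts and then checks the result: key and certificate match, the chain validates against the CA, the subject CN equals the host name, and the key mode matches step 7. The same verify_server_cert check is worth running on tsig-ssl.crt and ts-ssl.crt before Step 1 of the Independent Gateway configuration. It assumes openssl is on PATH; the host name and CA subject at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Tableau guide. Runs the CA and server
# certificate steps above without interactive prompts, then checks the result
# before the files are copied to /var/lib/pgsql/13/data. Assumes openssl is on
# PATH; the host name and CA subject at the bottom are constructed samples.
set -eu

# Generate a root CA and a CA-signed server certificate for HOST in DIR
# (steps 1-4 above, with the subject passed via -subj). Writes
# pgsql-rootCAKey.pem, pgsql-rootCACert.pem, server.key, server.csr and
# server.crt; the key gets the 0600 mode that step 7 requires.
make_pg_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  ( cd "$dir"
    openssl genrsa -out pgsql-rootCAKey.pem 2048 2>/dev/null
    openssl req -x509 -sha256 -new -nodes -key pgsql-rootCAKey.pem -days 3650 \
      -subj "/C=US/ST=Washington/L=Seattle/O=Tableau/OU=Operations/CN=pgsql-root-ca" \
      -out pgsql-rootCACert.pem 2>/dev/null
    openssl req -new -nodes -out server.csr -keyout server.key \
      -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -in server.csr -days 3650 -CA pgsql-rootCACert.pem \
      -CAkey pgsql-rootCAKey.pem -CAcreateserial -out server.crt 2>/dev/null
    chmod 0600 server.key
  )
}

# Check a server certificate before it is deployed: the private key must
# match the certificate, the certificate must chain to the CA, the subject CN
# must equal the name clients connect to (sslmode=verify-ca checks the chain
# only, so a wrong CN is easy to miss), and the key must not be readable by
# group or others. Prints the reason and returns 1 on the first failure.
verify_server_cert() {
  cert=$1; key=$2; ca=$3; host=$4
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: key $key does not match certificate $cert"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate $cert does not chain to CA $ca"; return 1
  fi
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$host" ]; then
    echo "FAIL: subject CN '$cn' does not match host '$host'"; return 1
  fi
  # Columns 5-10 of ls -l are the group and other permission bits.
  perms=$(ls -ld "$key" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: $key is readable by group or others (mode bits '$perms')"; return 1
  fi
  echo "OK: $cert matches $key, chains to $ca, CN=$cn, key mode is 0600"
}

# Constructed sample: the private DNS name of the Postgres host.
PG_HOST="ip-10-0-1-189.us-west-1.compute.internal"
WORKDIR=$(mktemp -d)
make_pg_certs "$WORKDIR" "$PG_HOST"
verify_server_cert "$WORKDIR/server.crt" "$WORKDIR/server.key" \
  "$WORKDIR/pgsql-rootCACert.pem" "$PG_HOST"
```

Because verify_server_cert takes the CA file and expected host as arguments, the same call checks tsig-ssl.crt against rootTSIG-CACert.pem or ts-ssl.crt against tableau-server-CA.pem.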

Optional: Enable certificate trust validation on Tableau Server for Postgres SSL

If you followed the installation procedure in Part 4 - Installing and Configuring Tableau Server, then Tableau Server is configured with optional SSL for the Postgres connection. This means that configuring SSL on Postgres (as described above) will result in an encrypted connection.

If you want to require certificate trust validation for the connection, then you must run the following command on Tableau Server to reconfigure the Postgres host connection:

tsm topology external-services repository replace-host -f <filename>.json -c CACert.pem

Here <filename>.json is the connection file described in Configure external Postgres, and CACert.pem is the CA certificate file for the SSL/TLS certificate used by Postgres.

Optional: Verify SSL connectivity

To verify SSL connectivity, you must:

  • Install the Postgres client on Tableau Server Node 1.
  • Copy the root certificate that you created in the previous procedure to the Tableau host.
  • Connect to the Postgres server from Node 1.

Install Postgres client on Node 1

This example shows how to install Postgres version 13.4. Install the same version that you are running for the external repository.

  1. On Node 1, create and edit the file, pgdg.repo, in the /etc/yum.repos.d path. Populate the file with the following configuration information.

    [pgdg13]
    name=PostgreSQL 13 for RHEL/CentOS 7 - x86_64
    baseurl=https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-7-x86_64
    enabled=1
    gpgcheck=0
  2. Install the Postgres client:

    sudo yum install postgresql13-13.4-1PGDG.rhel7.x86_64

Copy root certificate to Node 1

Copy the CA certificate (pgsql-rootCACert.pem) to the Tableau host:

scp ec2-user@<private-DNS-name-of-Postgres-host>:/home/ec2-user/pgsql-rootCACert.pem /home/ec2-user

Connect to Postgres host over SSL from Node 1

Run the following command from Node 1, specifying the Postgres server host IP address and the root CA certificate:

psql "postgresql://postgres@<IP-address>:5432/postgres?sslmode=verify-ca&sslrootcert=pgsql-rootCACert.pem"

For example:

psql "postgresql://postgres@10.0.1.189:5432/postgres?sslmode=verify-ca&sslrootcert=pgsql-rootCACert.pem"

Postgres will prompt you for the password. After a successful sign-in, the shell will return:

psql (13.4)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=#

Configure SMTP and event notifications

Tableau Server sends email notifications to admins and users. To enable this, you must configure Tableau Server to send mail to your email server. You must also specify the event types, thresholds, and subscription information you want sent.

For the initial configuration of SMTP and notifications, we recommend that you use the configuration file template below to create a JSON file. You can also set any single configuration key listed below with the syntax described in tsm configuration set (Linux).

Run this procedure on Node 1 in your Tableau Server deployment:

  1. Copy the following JSON template to a file. Customize the file with your SMTP configuration options and the subscription and alert notifications for your organization.

    {
      "configKeys": {
        "svcmonitor.notification.smtp.server": "SMTP server host name",
        "svcmonitor.notification.smtp.send_account": "SMTP user name",
        "svcmonitor.notification.smtp.port": 443,
        "svcmonitor.notification.smtp.password": "SMTP user account password",
        "svcmonitor.notification.smtp.ssl_enabled": true,
        "svcmonitor.notification.smtp.from_address": "From email address",
        "svcmonitor.notification.smtp.target_addresses": "To email address1,address2",
        "svcmonitor.notification.smtp.canonical_url": "Tableau Server URL",
        "backgrounder.notifications_enabled": true,
        "subscriptions.enabled": true,
        "subscriptions.attachments_enabled": true,
        "subscriptions.max_attachment_size_megabytes": 150,
        "svcmonitor.notification.smtp.enabled": true,
        "features.DesktopReporting": true,
        "storage.monitoring.email_enabled": true,
        "storage.monitoring.warning_percent": 20,
        "storage.monitoring.critical_percent": 15,
        "storage.monitoring.email_interval_min": 25,
        "storage.monitoring.record_history_enabled": true
      }
    }
  2. Run tsm settings import -f file.json to pass the JSON file to Tableau Services Manager.

  3. Run tsm pending-changes apply to apply the changes.

  4. Run tsm email test-smtp-connection to view and verify the connection configuration.

Install PostgreSQL driver

To view admin views on Tableau Server, the PostgreSQL driver must be installed on Node 1 of the Tableau Server deployment.

  1. Go to the Tableau Driver Download page and copy the URL for the PostgreSQL jar file.

  2. Run the following procedure on each node of the Tableau deployment:

    • Create the following file path:

      sudo mkdir -p /opt/tableau/tableau_driver/jdbc

    • From the new path, download the latest version of the PostgreSQL jar file. For example:

      sudo wget https://downloads.tableau.com/drivers/linux/postgresql/postgresql-42.2.22.jar

  3. On the initial node, restart Tableau Server:

    tsm restart

Configure strong password policy

If you are not deploying Tableau Server with an IdP authentication solution, we recommend hardening the default Tableau password policy.

If you are deploying Tableau Server with an IdP, then you must manage password policies with the IdP.

The following procedure includes JSON configuration for setting the password policy on Tableau Server. For more information about the options below, see Local Authentication (Linux).

  1. Copy the following JSON template to a file. Fill in the key values with your password policy configuration.

    {
      "configKeys": {
        "wgserver.localauth.policies.mustcontainletters.enabled": true,
        "wgserver.localauth.policies.mustcontainuppercase.enabled": true,
        "wgserver.localauth.policies.mustcontainnumbers.enabled": true,
        "wgserver.localauth.policies.mustcontainsymbols.enabled": true,
        "wgserver.localauth.policies.minimumpasswordlength.enabled": true,
        "wgserver.localauth.policies.minimumpasswordlength.value": 12,
        "wgserver.localauth.policies.maximumpasswordlength.enabled": false,
        "wgserver.localauth.policies.maximumpasswordlength.value": 255,
        "wgserver.localauth.passwordexpiration.enabled": true,
        "wgserver.localauth.passwordexpiration.days": 90,
        "wgserver.localauth.ratelimiting.maxbackoff.minutes": 60,
        "wgserver.localauth.ratelimiting.maxattempts.enabled": false,
        "wgserver.localauth.ratelimiting.maxattempts.value": 5,
        "vizportal.password_reset": true
      }
    }
  2. Run tsm settings import -f file.json to pass the JSON file to Tableau Services Manager to configure Tableau Server.

  3. Run tsm pending-changes apply to apply the changes.
