One-Way SSL for JDBC Connections
If you are using regular (one-way) SSL with a JDBC-based connector, and you have self-signed certificates or certificates signed by a non-public certificate authority (CA), you need to configure trust for your certificate.
With Tableau, you can configure one-way SSL trust for JDBC connections using one of these methods:
Some connectors support embedding the certificate in the workbook or data source. If that is available, then you can use Tableau Desktop to embed the CA certificate.
If embedding is not available, you will need to configure the Java Runtime to trust your certificate. Also, it may be easier to do this than to embed the certificate in every workbook.
You can install your CA or self-signed certificate in the Windows root CA trust store. The Java Runtime looks for trusted CAs in the system root trust store. It does not look in the intermediate certificate storage.
Note: If you have installed your root CA but are still having trouble making connections, the cause may be missing intermediate certificates. While the TLS standard requires that servers send all certificates in their chain except the root certificate, not all servers are compliant. If your server doesn’t send the intermediate certificates, you can either fix the server to properly forward intermediate certificates or install the intermediate certificates in the root trust store. Alternatively, you could choose to embed certificates in the data source or configure a trust store with driver properties.
- In Windows, search for "certificates".
- Select Manage computer certificates.
- From the Action menu, select All Tasks, and then, depending on Windows version, do one of the following:
  - Select Import and then select Local Machine.
  - Select Find Certificates.
- Browse to find your certificate file.
- Import into "Trusted Root Certificate Authorities".
To install a custom certificate on a Mac, follow these steps to import the certificate into the "System" keychain.
Note: Loading certificates from the keychain on Mac works for most, but not all, drivers. In a small number of cases, you may need to use a PROPERTIES file to configure the trust store. For more information, see Customize and Tune Connections.
- Go to https://support.apple.com/guide/keychain-access/add-certificates-to-a-keychain-kyca2431/mac.
- Import the certificate into the "System" keychain (not "System Roots").
- Enable trust as follows:
  - In the Keychain App, right-click the new certificate.
  - Select Get Info.
  - In the dialog, open the Trust section, and then select When using this certificate always trust.
Note: For SAP HANA connections with Tableau versions before 2020.2, on a Mac you add the certificate to the JRE instead. For details, see the "Install trusted SSL certificates on the Mac" section in the SAP HANA connector Help topic.
Many Linux distributions will generate a trust store in Java format from the system certificates. You may need to install Java from the package manager for this file to be created.
This allows the JRE to use the same certificates as the operating system.
Note: Tableau Server looks for this file in the standard locations:
To configure a different location, run:
tsm configuration set -k native_api.ConnectivityTrustStore -v <path-to-cacerts> --force-keys
This file should:
- Contain all trusted CAs and self-signed certificates.
- Contain only public keys.
- Be in JKS format.
- Be readable by the Tableau unprivileged user ("run as user").
- Use the default JKS password "changeit".
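As an added example (not Tableau's code), this Python script checks a trust store file against the list above: JKS format, certificate entries only, and the default password "changeit". It parses the JKS container directly, so it does not need keytool; check_jks and its helpers are names made up here, and file permissions for the "run as user" are not checked.

```python
import hashlib, struct, sys
SALT = b"Mighty Aphrodite"  # constant mixed into the JKS integrity hash

def _utf(buf, pos):
    """Read a Java UTF string (2-byte length prefix); return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _skip_blob(buf, pos):
    """Skip a blob with a 4-byte length prefix; return the new offset."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return pos + 4 + n

def _skip_cert(buf, pos, version):
    if version == 2:  # version 2 stores the certificate type, e.g. "X.509"
        _, pos = _utf(buf, pos)
    return _skip_blob(buf, pos)

def check_jks(buf, password="changeit"):
    """Return a list of problems; an empty list means the store passes."""
    if len(buf) < 32 or buf[:4] != b"\xfe\xed\xfe\xed":
        return ["not a JKS file (bad magic)"]
    _, version, count = struct.unpack_from(">III", buf)
    problems, pos = [], 12
    try:
        for _ in range(count):
            (tag,) = struct.unpack_from(">I", buf, pos)
            alias, pos = _utf(buf, pos + 4)
            pos += 8  # creation timestamp
            if tag == 1:  # private key entry: key blob, then a cert chain
                problems.append("private key entry: " + alias)
                pos = _skip_blob(buf, pos)
                (chain_len,) = struct.unpack_from(">I", buf, pos)
                pos += 4
                for _ in range(chain_len):
                    pos = _skip_cert(buf, pos, version)
            elif tag == 2:  # trusted certificate entry
                pos = _skip_cert(buf, pos, version)
            else:
                return problems + ["unknown entry tag %d" % tag]
    except struct.error:
        return problems + ["truncated keystore"]
    digest = hashlib.sha1(password.encode("utf-16-be") + SALT + buf[:-20]).digest()
    if pos != len(buf) - 20 or digest != buf[-20:]:
        problems.append("integrity check failed (wrong password or corrupt file)")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_jks(open(sys.argv[1], "rb").read()) or "OK")
```

Run it with the path to the trust store as the only argument; it prints OK or the list of problems found.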
To install a custom CA or self-signed certificate, see the documentation for your distribution. Run the appropriate commands to generate the key store. For example:
You can customize JDBC connection options, including the location of the trust store, with a properties file. This is a plain-text file containing key-value pairs for each connection parameter. For details on specific property settings, see the documentation for your driver.
For example, lines in this properties file are being used to configure trust settings:
When you create the file and save it to the correct location, the properties in the file are applied to all JDBC connections to the same data source type.
If you use the generic "Other Database (JDBC)" connector, you can specify a properties file directly in the connection dialog.
For more information, see Customize and Tune Connections.
- Require SSL for Oracle JDBC Connections - Installation instructions for adding trusted SSL certificates to Oracle JDBC connections.