Manage Server Secrets
Tableau Server needs to store a number of secrets that it uses to perform various functions: securing internal communication, communicating with other applications or the operating system, and providing secure communication with clients. In this context, the term secret may refer to a password, a token, or any other string used to authenticate one entity to another.
There are two categories of secrets that are required to run Tableau Server. They differ according to how the secrets are generated:
- Secrets that are generated by administrators. These include credentials and associated secrets for the Run As User account and the SMTP credentials used by Tableau Server.
- Secrets that are automatically generated by various processes in the system. For example, a secret is required to protect communication between the Cluster Controller and ZooKeeper processes. And a number of different passwords are required for each service and programmatic user that communicates with Postgres.
Most secrets are encrypted while at rest. When a secret is needed, it is decrypted at run time.
This topic describes how secrets storage works and what you need to do to properly manage storage of secrets on Tableau Server.
Understanding how secrets storage works
During installation Tableau Server generates and stores a master key in a Java keystore. The master key is used to encrypt a configuration encryption key that is used across the system.
Whenever a new secret is created or updated, the secret is encrypted with the configuration encryption key. The encrypted value is then stored with its corresponding configuration parameter in a YAML file on the server. Parameters that hold an encrypted value use the format ENC(<encrypted string>), where <encrypted string> is a Base64-encoded encrypted string.
At run time, when a given secret needs to be accessed, the encrypted values are read into memory and decrypted with the configuration encryption key.
In the case of pending changes, where secrets are entered during a configuration change, the entire transaction is encrypted. In this scenario, after you enter a secret and save the pending change, the secret is transmitted to the Coordination Service over an encrypted SSL/TLS connection. The Coordination Service encrypts the secret and stores it until the pending changes are applied. When changes are applied, the secret (still encrypted) is promoted to the current configuration version.
Tableau Server encrypts secrets using 256-bit AES in GCM mode. The keys used for secure storage are different than the asset keys that are used to encrypt embedded database credentials before they are stored in the repository.
Who has access to the master key?
In a default installation, the Java keystore for Tableau Server is replicated into the /tabsvc/keystores folder for each service on that node under /var/opt/tableau/tableau_server/data/tabsvc/config.
For example, /var/opt/tableau/tableau_server/data/tabsvc/config/tabadminagent_<version_number>/tabsvc/keystores/tableauserver.jks.
If you use a custom install directory, the keystore files are found under <install directory>/tableau_server/data/tabsvc/config/<service name_#.version_number>/tabsvc/keystores.
By default, the following users and groups have access to this directory:
- root
- tableau (user)
- members of the 'tableau' group
Import and export configuration information
Tableau Services Manager introduces the capability to import and export configuration information using tsm settings export and tsm settings import.
Note: This version of Tableau Server does not support restoring configuration information from a backup. Instead, we recommend using the export and import configuration commands to backup and restore configuration information.
While configuration secrets are encrypted when stored on disk internally, when the configuration is exported to a file, secrets are written into the file in plain text. It is up to the administrator to take measures to protect this file. There are a variety of options available:
- Write the file to an encrypted file system.
- Write the file to a directory that is restricted to specific users or groups by file system permissions.
- Encrypt the output file.
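Because secrets are ENC(<Base64>)-wrapped on disk but written in plaintext by tsm settings export, it is useful to be able to see, for any given file, which secret-bearing parameters are actually exposed. The following is an added example, not Tableau's own tooling: it takes the parameter names from the table later on this page, accepts one parameter per line in either key: value form (as in tabsvc.yml) or JSON-style "key": "value", form, and reports every secret whose value is not a well-formed ENC() token. The sample configuration it writes is constructed for illustration and is not a real Tableau Server file.

```bash
#!/usr/bin/env sh
# Added example, not Tableau's own tooling. Using the ENC(<encrypted string>)
# convention described above, report every secret-bearing parameter in a
# configuration file whose value is NOT an ENC(<base64>) token, i.e. is sitting
# in plaintext. Run it on a tsm settings export to see exactly which secrets the
# file exposes before it leaves the server, or on a stray copy of a config file.
# Assumptions: one parameter per line, in either "key: value" form (as in
# tabsvc.yml / workgroup.yml) or JSON-style "key": "value", form. The key list is
# taken from the parameter table on this page; the sample file is constructed.
set -eu

SECRET_KEYS='clustercontroller.zookeeper.password
filestore.zookeeper.password
hyper.connection.init_password
jdbc.password
oauth.google.client_secret
pgsql.adminpassword
pgsql.readonly_password
pgsql.remote_password
redis.password
service.runas.password
ssl.key.passphrase
svcmonitor.notification.smtp.password
vizportal.openid.client_secret
wgserver.domain.password
wgserver.saml.key.passphrase
zookeeper.tsm.password'

# True if VALUE has the on-disk encrypted form: ENC( + standard Base64 + ).
is_encrypted_value() {
    printf '%s' "$1" | grep -Eq '^ENC\([A-Za-z0-9+/]+={0,2}\)$'
}

# config_value KEY FILE : print KEY's value (unquoted, trailing JSON comma
# stripped), or nothing if KEY is absent. Exact key match; KEY is not a regex.
config_value() {
    awk -v key="$1" '
        {
            k = $0
            sub(/^[[:space:]]+/, "", k)
            if (substr(k, 1, 1) == "\"") k = substr(k, 2)      # "key": ...
            if (index(k, key) != 1) next
            rest = substr(k, length(key) + 1)
            if (rest !~ /^["]?[[:space:]]*:/) next              # a longer key
            sub(/^["]?[[:space:]]*:[[:space:]]*/, "", rest)
            sub(/[[:space:]]*,?[[:space:]]*$/, "", rest)
            if (rest ~ /^["].*["]$/) rest = substr(rest, 2, length(rest) - 2)
            print rest
            exit
        }' "$2"
}

# report_plaintext_secrets FILE : one "EXPOSED <key>" line per plaintext secret.
# Exit 0 when every secret present is ENC-wrapped, 1 otherwise.
report_plaintext_secrets() {
    file=$1
    exposed=0
    for key in $SECRET_KEYS; do
        value=$(config_value "$key" "$file")
        [ -n "$value" ] || continue               # parameter not in this file
        is_encrypted_value "$value" && continue
        printf 'EXPOSED %s\n' "$key"
        exposed=$((exposed + 1))
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample (not a real configuration): one properly ENC-wrapped value
# (Base64 of a placeholder string), one export-style plaintext value, one
# malformed ENC token, one empty value.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Tableau Server configuration
pgsql.readonly_password: ENC(c2FtcGxlLW5vdC1yZWFsLWNpcGhlcnRleHQ=)
"jdbc.password": "hunter2",
redis.password: ENC(not base64!)
wgserver.domain.password:
EOF
}

[ $# -eq 0 ] || report_plaintext_secrets "$1"
```

On an export file every secret present is reported, which is exactly the list you are protecting when you encrypt that file; on the YAML files under the data directory, any EXPOSED line is worth investigating. A malformed ENC() token is deliberately treated as exposed rather than ignored.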
Securing secrets for import and export operations
This section describes how to PGP-encrypt the exported configuration. With this method, you create a named pipe, pass it as the file argument to tsm settings export, and have gpg read the export from the pipe and encrypt it. The advantage is that the secrets are never written to disk in plain text. gpg must be installed, and the passphrase used for encryption (the examples below use symmetric encryption with a passphrase file) must be available for both the export and the later import. An example of this method is shown in the following section.
The example in this section describes one way of handling secrets so that the exported configuration can be stored safely, including on a separate computer.
Example: encrypt and export
The following is an example of how to secure the file when exporting the configuration.
mkfifo -m 600 /tmp/secure1 && (gpg --symmetric --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt --cipher-algo AES256 --output encrypted.enc < /tmp/secure1 &) && tsm settings export -f /tmp/secure1 && rm /tmp/secure1
The details of this operation are:
Create a named pipe with access limited by file permissions to rw for current user.
mkfifo -m 600 /tmp/secure1
Call gpg to encrypt the data sent to the named pipe, backgrounding it to a separate process. It will block waiting for data. The result will be a file containing the encrypted data.
gpg --symmetric --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt --cipher-algo AES256 --output encrypted.enc < /tmp/secure1 &
Call tsm to export the configuration, providing the named pipe as the file argument.
tsm settings export -f /tmp/secure1
Delete the named pipe.
rm /tmp/secure1
The encrypted data is in the file encrypted.enc.
Example: decrypt and import
The following is an example of how to decrypt and import the configuration.
mkfifo -m 600 /tmp/secret2 && (gpg --decrypt --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt encrypted.enc > /tmp/secret2 &) && tsm settings import -f /tmp/secret2 && rm /tmp/secret2
The details of this operation are:
Create a named pipe with access limited by file permissions to rw for the current user.
mkfifo -m 600 /tmp/secret2
Decrypt the configuration and send it to the named pipe, backgrounding this as a separate process; it will block until the pipe is read.
gpg --decrypt --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt encrypted.enc > /tmp/secret2 &
Run the tsm settings import command, logging in to TSM if prompted.
tsm settings import -f /tmp/secret2
Delete the named pipe.
rm /tmp/secret2
The pending configuration contains the imported configuration.
Run tsm pending-changes apply to commit the changes. If the pending changes require a server restart, the pending-changes apply command displays a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt with the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, they are applied without a prompt. For more information, see tsm pending-changes apply.
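The export and import one-liners above work, but as written they are fragile: the pipe has a fixed /tmp name that any local user can pre-create to make the command fail, gpg's exit status is never checked, the rm only runs when everything succeeded, and if tsm fails before it opens the pipe the backgrounded gpg waits forever. The following is an added example, not Tableau's code, that wraps both procedures in functions which address those points. It assumes the same passphrase file as above, ~/.secrets/pgppassphrase.txt, and that tsm is on PATH; tsm_cmd, encrypt_stream and decrypt_stream are wrappers introduced here so the plumbing can be exercised without a Tableau Server.

```bash
#!/usr/bin/env bash
# Added example, not Tableau's own tooling: hardened wrappers for the named-pipe
# export/import procedures above.
#   - the pipe lives in a private mktemp -d directory (mode 0700, unguessable
#     name) instead of a fixed /tmp path another local user could squat on;
#   - the pipe is removed on every exit path by a trap, not only on success;
#   - the export fails cleanly (no hung gpg, no half-written output) if tsm
#     fails, and a gpg failure is reported as such instead of being ignored.
# Assumptions: tsm is on PATH and the symmetric passphrase lives in
# ~/.secrets/pgppassphrase.txt as in the examples above. tsm_cmd, encrypt_stream
# and decrypt_stream are thin wrappers introduced here so the plumbing can be
# exercised without a Tableau Server (redefine them to stand-ins for testing).
set -eu

: "${GPG_PASSPHRASE_FILE:=${HOME:-}/.secrets/pgppassphrase.txt}"

tsm_cmd()        { tsm "$@"; }
encrypt_stream() { gpg --symmetric --batch --yes --cipher-algo AES256 \
                       --passphrase-file "$GPG_PASSPHRASE_FILE"; }
decrypt_stream() { gpg --decrypt --batch --yes --passphrase-file "$GPG_PASSPHRASE_FILE"; }

# secure_export OUT.enc : tsm settings export -> fifo -> gpg -> OUT.enc
# Runs in a subshell so the EXIT trap and set -e stay local to the function.
secure_export() (
    set -eu
    out=$1
    dir=$(mktemp -d)                        # honours TMPDIR, mode 0700
    pipe=$dir/export.fifo
    enc_pid=
    trap 'kill "$enc_pid" 2>/dev/null || true; rm -rf "$dir"' EXIT
    mkfifo -m 600 "$pipe"
    encrypt_stream < "$pipe" > "$out" &     # blocks on open() until tsm writes
    enc_pid=$!
    if ! tsm_cmd settings export -f "$pipe"; then
        echo "secure_export: tsm settings export failed" >&2
        rm -f "$out"                        # never leave a partial export behind
        exit 1                              # trap kills the waiting encryptor
    fi
    if ! wait "$enc_pid"; then
        echo "secure_export: encryption failed, removing $out" >&2
        rm -f "$out"
        exit 1
    fi
)

# secure_import IN.enc : IN.enc -> gpg -> fifo -> tsm settings import
secure_import() (
    set -eu
    in=$1
    [ -r "$in" ] || { echo "secure_import: cannot read $in" >&2; exit 1; }
    dir=$(mktemp -d)
    pipe=$dir/import.fifo
    dec_pid=
    trap 'kill "$dec_pid" 2>/dev/null || true; rm -rf "$dir"' EXIT
    mkfifo -m 600 "$pipe"
    decrypt_stream < "$in" > "$pipe" &      # blocks on open() until tsm reads
    dec_pid=$!
    rc=0
    tsm_cmd settings import -f "$pipe" || rc=$?
    if ! wait "$dec_pid"; then
        echo "secure_import: decryption failed (wrong passphrase or damaged file)" >&2
        exit 1
    fi
    exit "$rc"
)

case "${1:-}" in
    export) secure_export "${2:?usage: $0 export OUT.enc}" ;;
    import) secure_import "${2:?usage: $0 import IN.enc}" ;;
    "")     ;;    # no arguments: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 export|import FILE.enc" >&2; exit 2 ;;
esac
```

After a successful import, the pending configuration holds the imported values and tsm pending-changes apply commits them as described above. The same fifo technique applies to any tsm command that writes secrets to a file you name, such as the node bootstrap file discussed in the next section.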
Cluster nodes
When adding a new node to your Tableau Server cluster, you first need to generate the node configuration (bootstrap) file with tsm topology nodes get-bootstrap-file. The node configuration file contains a copy of the master keystore used for encrypting the configuration secrets; together with a copy of the encrypted configuration, it is sufficient to decrypt every stored secret.
Important: We strongly recommend that you take additional measures to secure the node configuration file, just as you would an exported configuration file that contains secrets.
When installing and configuring Tableau Server on the new node, provide the node configuration file to the initialize-tsm command.
Secrets storage event logging
The following events related to secrets storage are logged:
- Generating new encryption keys
- Encryption key is rolled or changed
- Encrypting a new value in the configuration file
For more information about log files and where they are stored, see Work with Log Files.
Managing secrets
As a Tableau Server administrator the most important task related to secrets storage is to periodically update secrets. In some cases (server troubleshooting or auditing), you may need to retrieve a password.
For other operations, such as upgrading versions, backing up and restoring, or adding new nodes to a cluster – as noted above – Tableau Server manages secrets storage and related processes automatically.
Updating secrets
You should update secrets periodically, according to your company's security policy.
To update the master key and automatically generated secrets, run tsm security regenerate-internal-tokens.
Retrieving passwords
In some cases, you may need to retrieve a password for troubleshooting or other operations. For example, you may need the Postgres read only user credentials that are generated and encrypted by Tableau Server. In these cases, you can run a tsm command that will retrieve and decrypt the password for you.
To retrieve a password, open a shell and run tsm configuration get for one of the parameters listed in the table below.
For example, to retrieve the password for the Postgres read-only user, type the following command:
tsm configuration get -k pgsql.readonly_password
The command returns the password in clear text (shown here as a placeholder):
$ tsm configuration get -k pgsql.readonly_password
password
| Configuration Parameter | Description |
|---|---|
| clustercontroller.zookeeper.password | Password for Cluster Controller to connect to ZooKeeper. |
| indexandsearchserver.client.password | Password for logging into Index and Search Server. |
| indexandsearchserver.ssl.admin.cert.bytes | Admin certificate used for administrative access to the Index and Search Server. The admin certificate is used to generate the node certificate. |
| indexandsearchserver.ssl.admin.key.file_bytes | Certificate key for administrative access to the Index and Search Server. |
| indexandsearchserver.ssl.node.cert.bytes | Certificate used for Index and Search Server node-to-node communication. |
| indexandsearchserver.ssl.node.key.file_bytes | Certificate key used for Index and Search Server node-to-node communication. |
| indexandsearchserver.ssl.root.cert.bytes | Certificate used to sign the admin and node certificates. This certificate is used by TSM for health checks and by NLP to connect to Index and Search Server. |
| indexandsearchserver.ssl.root.key.file_bytes | Certificate key for the root certificate. |
| filestore.zookeeper.password | Password for File Store to connect to ZooKeeper. |
| hyper.connection.init_password | Password used to initialize the Hyper database for the user tableau_internal_user; it is then used for connecting to Hyper. |
| jdbc.password | Password for the rails Postgres user. |
| kms.persistent_store | A collection of master encryption keys (MEKs) used by the Key Management System. |
| maestro.rserve.password | Password for connecting to an external Rserve instance used by Tableau Prep Conductor for running flows that have nodes with R scripts. |
| maestro.tabpy.password | Password for connecting to an external TabPy (Python server) instance used by Tableau Prep Conductor for running flows that have nodes with Python scripts. |
| oauth.google.client_secret | Client secret of the Google Cloud Platform account. |
| oauth.quickbooks.consumer_secret | Consumer secret of the Intuit developer account. |
| oauth.salesforce.client_secret | Client secret of the Salesforce developer account. |
| pgsql.adminpassword | Password for the tblwgadmin Postgres user. Note: Although the configuration parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), this password is stored in plain text in files used by SAML. |
| pgsql.readonly_password | Password for the readonly Postgres user. |
| pgsql.remote_password | Password for the tableau Postgres user. |
| redis.password | Password for Redis. Note: Although the configuration parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), the password is still in plain text in the redis.conf file consumed by the Redis application, because Redis does not support encrypted passwords in its configuration. |
| servercrashupload.proxy_server_password | Password for the custom proxy server used to upload crash reports. |
| service.runas.password | Password of the Run As user. Stored temporarily. |
| ssl.cert.file_bytes | The content of one of the three SSL certificate files uploaded by the administrator. The certificate files are required to enable secure external connections to Tableau Server. |
| ssl.chain.file_bytes | The chain file(s) for the certificates uploaded by the administrator for external SSL. |
| ssl.key.file_bytes | Key file(s) for the certificates uploaded by the administrator for external SSL. |
| ssl.key.passphrase | Optional passphrase used to protect the external SSL key. |
| svcmonitor.notification.smtp.password | SMTP server password supplied by the administrator through TabConfig.exe. |
| tabadminservice.password | Password for the service that allows server admins to download log files through the web interface. |
| vizportal.openid.client_secret | The password ("provider client secret") used for OpenID Connect SSO. |
| vizqlserver.external_proxy_password | Password used to authenticate to an external proxy. |
| wgserver.domain.password | Password used to bind to Active Directory. |
| wgserver.saml.key.passphrase | Passphrase used to access the PKCS#8 SAML key file. |
| zookeeper.tsm.password | Password that TSM uses to connect to the ZooKeeper coordination service. |