Manage Server Secrets

Tableau Server needs to store a number of secrets that it uses to perform various functions, typically securing internal communication, communicating with other applications or the operating system or providing secure communication with clients. In this context, the term secret may refer to a password, a token, or other string that is used to authenticate one entity to another.

There are two categories of secrets that are required to run Tableau Server. They differ according to how the secrets are generated:

  • Secrets that are generated by administrators. These include credentials and associated secrets for the Run As User account and the SMTP credentials used by Tableau Server.
  • Secrets that are automatically generated by various processes in the system. For example, a secret is required to protect communication between the Cluster Controller and ZooKeeper processes. And a number of different passwords are required for each service and programmatic user that communicates with Postgres.

Most secrets are encrypted while at rest. When a secret is needed, it is decrypted at run time.

This topic describes how secrets storage works and what you need to do to properly manage storage of secrets on Tableau Server.

Understanding how secrets storage works

During installation Tableau Server generates and stores a master key in a Java keystore. The master key is used to encrypt a configuration encryption key that is used across the system.

Whenever a new secret is created or updated, the secret is encrypted with the configuration encryption key. The encrypted value is then stored with its corresponding configuration parameter in a YAML file on the server. Parameters that hold an encrypted value use the format, ENC(<encrypted string>), where <encrypted string> is a Base64-encoded encrypted string.

At run time, when a given secret needs to be accessed, the encrypted values are read into memory and decrypted with the configuration encryption key.

In the case of pending changes, where secrets are entered during a configuration change, the entire transaction is encrypted. In this scenario, after you enter a secret and save the pending change, the secret is transmitted to the Coordination Service over TLS. The Coordination Service encrypts the secret and stores it until the pending changes are applied. When changes are applied, the secret (still encrypted) is promoted to the current configuration version.

Tableau Server encrypts secrets using 256-bit AES in GCM mode. The keys used for secure storage are different than the asset keys that are used to encrypt embedded database credentials before they are stored in the repository.

Who has access to the master key?

In a default installation, the Java keystore for Tableau Server will be replicated into the /tabsvc/keystores folder for each service on that node under /var/opt/tableau/tableau_server/data/tabsvc/config.

For example,

/var/opt/tableau/tableau_server/data/tabsvc/config/tabadminagent_<version_number>/tabsvc/keystores/tableauserver.jks.

If you use a custom install directory, then the keystore files will be found under

<install directory>/tableau_server/data/tabsvc/config/<service name_#.version_number>/tabsvc/keystores

By default, the following users and groups have access to this directory:

  • root
  • tableau (user)
  • members of the 'tableau' group

Anyone who can read tableauserver.jks together with the encrypted configuration files can recover every secret listed later in this topic, so check after installation, and again after adding nodes, that the keystore copies are not readable by any other user or group.

Import and export configuration information

Tableau Services Manager provides the capability to export and import configuration information with tsm settings export and tsm settings import.

Note: This version of Tableau Server does not support restoring configuration information from a backup. Instead, we recommend using the export and import configuration commands to backup and restore configuration information.

While configuration secrets are encrypted when stored on disk internally, when the configuration is exported to a file, secrets are written into the file in plain text. It is up to the administrator to take measures to protect this file. There are a variety of options available:

  • Write the file to an encrypted file system.
  • Write the file to a directory that is restricted to specific users or groups by file system permissions.
  • Encrypt the output file.

Securing secrets for import and export operations

This section describes how to encrypt the exported configuration with gpg. With this method, you create a named pipe and pass it as the file argument to tsm settings export; gpg reads from the pipe and encrypts what it receives. The advantage is that the secrets are never written to disk in plain text. gpg must be installed. The example below uses symmetric encryption with a passphrase read from a file, so no key pair is required, but the passphrase file must itself be protected (for example, mode 600), because anyone who can read it can decrypt the export. An example of this method is shown in the following section.

The example in this section shows one way of handling secrets so that they can be stored on a separate computer.

See the following external references for more information:

Example: encrypt and export

The following is an example of how to secure the file when exporting the configuration.

mkfifo -m 600 /tmp/secure1 && (gpg --symmetric --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt --cipher-algo AES256 --output encrypted.enc < /tmp/secure1 &) && tsm settings export -f /tmp/secure1 && rm /tmp/secure1

The details of this operation are:

  • Create a named pipe with access limited by file permissions to rw for current user.

    mkfifo -m 600 /tmp/secure1

  • Call gpg to encrypt the data sent to the named pipe, backgrounding it as a separate process. It blocks waiting for data; the result is a file containing the encrypted data. Note: with GnuPG 2.1 and later, --passphrase-file is only honoured in --batch mode when --pinentry-mode loopback is also given (or loopback pinentry is allowed in gpg-agent.conf); without it gpg may try to prompt for the passphrase and fail.

    gpg --symmetric --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt --cipher-algo AES256 --output encrypted.enc < /tmp/secure1 &

  • Call tsm to export the configuration, providing the named pipe as the file argument.

    tsm settings export -f /tmp/secure1

  • Delete the named pipe.

    rm /tmp/secure1

The encrypted data is in the file encrypted.enc. Because gpg runs in the background, it may still be writing when the command line returns; wait for the gpg process to exit before copying encrypted.enc elsewhere.

Example: decrypt and import

The following is an example of how to decrypt and import the configuration.

mkfifo -m 600 /tmp/secret2 && (gpg --decrypt --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt encrypted.enc > /tmp/secret2 &) && tsm settings import -f /tmp/secret2 && rm /tmp/secret2

The details of this operation are:

  • Create a named pipe with access limited by file permissions to rw for current user.

    mkfifo -m 600 /tmp/secret2

  • Decrypt the configuration and send it to the named pipe. Background this to a separate process, it will block waiting to be read.

    gpg --decrypt --batch --yes --passphrase-file ~/.secrets/pgppassphrase.txt encrypted.enc > /tmp/secret2 &

  • Execute the tsm settings import command, logging in as needed.

    tsm settings import -f /tmp/secret2

  • Delete the named pipe.

    rm /tmp/secret2

The pending configuration contains the imported configuration.

Run tsm pending-changes apply to commit changes. If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Cluster nodes

When adding a new node to your Tableau Server cluster, you first generate the node configuration file (the bootstrap file produced by tsm topology nodes get-bootstrap-file). The node configuration file contains a copy of the master keystore file used for encrypting the configuration secrets.

Important: Because it carries the keystore, the node configuration file should be protected at least as carefully as an exported configuration file containing secrets. We strongly recommend additional measures, such as the encryption technique described above.

When installing and configuring Tableau Server on the new node, you will need to provide the node configuration file to the initialize-tsm command. You can use a similar technique as described above to decrypt the contents of the file that was previously encrypted and send it via a named pipe to the initialize-tsm command.
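The named-pipe procedure from the export and import examples above, and the same technique for the node configuration file, are collected here as reusable shell functions. This is an added example and not Tableau's own tooling. Its assumptions, none of which the page states, are GnuPG 2.1 or later (which needs --pinentry-mode loopback before it honours --passphrase-file in batch mode), the -b flag of initialize-tsm for the bootstrap file, and a passphrase file at the path used in the one-liners. It differs from the one-liners in three ways: the FIFO is created inside a fresh private directory from mktemp rather than at a fixed /tmp name, the background gpg process is waited for and its exit status checked, and a producer that fails before opening the pipe cannot leave gpg hanging in open() or leave a half-written output file behind.

```shell
#!/bin/sh
# Added example, not Tableau's own tooling: the page's named-pipe pattern as reusable
# functions for `tsm settings export`, `tsm settings import` and the node configuration
# file handed to initialize-tsm. Plaintext only ever exists inside the pipe.
# Assumptions not stated on the page: GnuPG 2.1 or later (--pinentry-mode loopback is
# needed for --passphrase-file to work under --batch) and initialize-tsm's -b flag.

PASSPHRASE_FILE=${PASSPHRASE_FILE:-$HOME/.secrets/pgppassphrase.txt}   # keep this mode 600

# The four roles as functions, so they can be swapped (e.g. public-key encryption with
# --encrypt --recipient, or stand-ins when exercising the plumbing without gpg and tsm).
encrypt_cmd() {   # stdin: plaintext   $1: ciphertext output path
  gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASSPHRASE_FILE" \
      --symmetric --cipher-algo AES256 --output "$1"
}
decrypt_cmd() {   # $1: ciphertext path   stdout: plaintext
  gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASSPHRASE_FILE" \
      --decrypt "$1"
}
producer_cmd() { tsm settings export -f "$1"; }   # $1: pipe path it writes to
consumer_cmd() { tsm settings import -f "$1"; }   # $1: pipe path it reads from
# For a new cluster node, use instead (flag assumed, see above):
#   consumer_cmd() { initialize-tsm -b "$1"; }

# Print the path of a new FIFO inside a directory only this user can enter, so no
# other user can pre-create or observe a predictable /tmp name.
private_fifo() {
  d=$(mktemp -d) || return 1
  mkfifo -m 600 "$d/pipe" && printf '%s\n' "$d/pipe"
}

# secure_export OUT : producer -> pipe -> encrypt_cmd -> OUT
secure_export() {
  out=$1
  fifo=$(private_fifo) || return 1
  # Reader first: opening a FIFO for reading blocks until a writer opens it,
  # so the encryptor has to run in the background.
  encrypt_cmd "$out" < "$fifo" &
  bg=$!
  if producer_cmd "$fifo"; then rc=0; else rc=$?; fi
  # A producer that died before opening the pipe leaves the reader stuck in open().
  if [ "$rc" -ne 0 ]; then kill "$bg" 2>/dev/null || :; fi
  if wait "$bg"; then bg_rc=0; else bg_rc=$?; fi
  rm -rf "$(dirname "$fifo")"
  if [ "$rc" -ne 0 ] || [ "$bg_rc" -ne 0 ]; then rm -f "$out"; return 1; fi
}

# secure_feed IN : IN -> decrypt_cmd -> pipe -> consumer
secure_feed() {
  fifo=$(private_fifo) || return 1
  # Writer first: opening a FIFO for writing blocks until a reader opens it.
  decrypt_cmd "$1" > "$fifo" &
  bg=$!
  if consumer_cmd "$fifo"; then rc=0; else rc=$?; fi
  if [ "$rc" -ne 0 ]; then kill "$bg" 2>/dev/null || :; fi
  if wait "$bg"; then bg_rc=0; else bg_rc=$?; fi
  rm -rf "$(dirname "$fifo")"
  [ "$rc" -eq 0 ] && [ "$bg_rc" -eq 0 ]
}

# Usage on a server, as a user allowed to run tsm:
#   secure_export /secure/tableau-config.enc
#   secure_feed   /secure/tableau-config.enc && tsm pending-changes apply
```

Both functions return non-zero if either end of the pipe fails, which the backgrounded one-liners cannot report; secure_export also removes a partial output file on failure so that a truncated export is never mistaken for a good backup.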

Secrets storage event logging

The following events related to secrets storage are logged:

  • Generating new encryption keys
  • Encryption key is rolled or changed
  • Encrypting a new value in the configuration file

For more information about log files and where they are stored, see Work with Log Files.

Managing secrets

As a Tableau Server administrator the most important task related to secrets storage is to periodically update secrets. In some cases (server troubleshooting or auditing), you may need to retrieve a password.

For other operations, such as upgrading versions, backing up and restoring, or adding new nodes to a cluster – as noted above – Tableau Server manages secrets storage and related processes automatically.

Updating secrets

You should update secrets periodically, according to your company's security policy.

To update the master key and automatically generated secrets, run tsm security regenerate-internal-tokens.

Retrieving passwords

In some cases, you may need to retrieve a password for troubleshooting or other operations. For example, you may need the Postgres read only user credentials that are generated and encrypted by Tableau Server. In these cases, you can run a tsm command that will retrieve and decrypt the password for you.

To retrieve a password, open a shell on the server and run tsm configuration get for one of the parameters listed in the table below.

For example, to retrieve a password for the Postgres read only user, type the following command:

tsm configuration get -k pgsql.readonly_password

The command will return the password in clear text:

$ tsm configuration get -k pgsql.readonly_password

password

Configuration parameter and description:

clustercontroller.zookeeper.password
    Password for the Cluster Controller to connect to ZooKeeper.

indexandsearchserver.client.password
    Password for logging into Index and Search Server.

indexandsearchserver.ssl.admin.cert.bytes
    Admin certificate used for administrative access to Index and Search Server. The admin certificate is used to generate the node certificate.

indexandsearchserver.ssl.admin.key.file_bytes
    Private key of the admin certificate for Index and Search Server.

indexandsearchserver.ssl.node.cert.bytes
    Certificate used for Index and Search Server node-to-node communication.

indexandsearchserver.ssl.node.key.file_bytes
    Private key of the certificate used for Index and Search Server node-to-node communication.

indexandsearchserver.ssl.root.cert.bytes
    Root certificate used to sign the admin and node certificates. TSM uses it for health checks and NLP uses it to connect to Index and Search Server.

indexandsearchserver.ssl.root.key.file_bytes
    Private key of the root certificate.

filestore.zookeeper.password
    Password for File Store to connect to ZooKeeper.

hyper.connection.init_password
    Password used to initialize the Hyper database for the user tableau_internal_user, and afterwards used to connect to Hyper.

jdbc.password
    Password for the rails Postgres user.

kms.persistent_store
    A collection of master encryption keys (MEKs) used by the Key Management System.

maestro.rserve.password
    Password for connecting to an external Rserve instance used by Tableau Prep Conductor to run flows that have R script nodes.

maestro.tabpy.password
    Password for connecting to an external TabPy (Python server) instance used by Tableau Prep Conductor to run flows that have Python script nodes.

oauth.google.client_secret
    Client secret of the Google Cloud Platform account.

oauth.quickbooks.consumer_secret
    Consumer secret of the Intuit developer account.

oauth.salesforce.client_secret
    Client secret of the Salesforce developer account.

pgsql.adminpassword
    Password for the tblwgadmin Postgres user.
    Note: Although this parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), the password is stored in plain text in files used by SAML.

pgsql.readonly_password
    Password for the readonly Postgres user.

pgsql.remote_password
    Password for the tableau Postgres user.

redis.password
    Password for Redis.
    Note: Although this parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), the password is still in plain text in the redis.conf file consumed by Redis. Redis does not support encrypted passwords.

servercrashupload.proxy_server_password
    Password for the custom proxy server used to upload crash reports.

service.runas.password
    Password of the Run As User. Stored temporarily.

ssl.cert.file_bytes
    Content of one of the three SSL certificate files uploaded by the administrator. The certificate files are required to enable secure external connections to Tableau Server.

ssl.chain.file_bytes
    Chain file(s) for the certificates uploaded by the administrator for external SSL.

ssl.key.file_bytes
    Key file(s) for the certificates uploaded by the administrator for external SSL.

ssl.key.passphrase
    Optional passphrase used to protect the external SSL key.

svcmonitor.notification.smtp.password
    SMTP server password supplied by the administrator through TabConfig.exe.

tabadminservice.password
    Password for the service that allows server admins to download log files through the web interface.

vizportal.openid.client_secret
    Password ("provider client secret") used for OpenID Connect SSO.

vizqlserver.external_proxy_password
    Password used to authenticate to an external proxy.

wgserver.domain.password
    Password used to bind to Active Directory.

wgserver.saml.key.passphrase
    Passphrase used to access the PKCS#8 SAML key file.

zookeeper.tsm.password
    Password that TSM uses to connect to the ZooKeeper coordination service.
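The parameters above are also the checklist for an exported configuration file, which, as noted earlier in this topic, holds these values in plain text. The following added example (not Tableau's own tooling) scans an export for the secret-bearing parameters in the table and reports any whose value is not wrapped in ENC(...), so an administrator knows before moving the file whether it needs the protections described under "Import and export configuration information". The page does not state the export format, so the script assumes a text file with key: value or "key": "value" lines; the sample input is constructed for the example. Certificate parameters (ssl.cert.file_bytes and the *.cert.bytes entries) are public material and are deliberately not on the list.

```shell
#!/bin/sh
# Added example, not Tableau's own tooling. Before an exported configuration leaves
# the server, list which secret-bearing parameters from the table it contains with
# a value that is not ENC(...)-wrapped, i.e. in plain text.
# Assumption: the export is a text file with "key": "value" (JSON) or key: value
# (YAML) lines; the page does not state the format, so adjust the pattern if needed.

SECRET_KEYS='
clustercontroller.zookeeper.password
indexandsearchserver.client.password
indexandsearchserver.ssl.admin.key.file_bytes
indexandsearchserver.ssl.node.key.file_bytes
indexandsearchserver.ssl.root.key.file_bytes
filestore.zookeeper.password
hyper.connection.init_password
jdbc.password
kms.persistent_store
maestro.rserve.password
maestro.tabpy.password
oauth.google.client_secret
oauth.quickbooks.consumer_secret
oauth.salesforce.client_secret
pgsql.adminpassword
pgsql.readonly_password
pgsql.remote_password
redis.password
servercrashupload.proxy_server_password
service.runas.password
ssl.key.file_bytes
ssl.key.passphrase
svcmonitor.notification.smtp.password
tabadminservice.password
vizportal.openid.client_secret
vizqlserver.external_proxy_password
wgserver.domain.password
wgserver.saml.key.passphrase
zookeeper.tsm.password
'

# plaintext_secrets FILE : print each listed key whose value in FILE is not ENC(...).
# Returns 0 if none are found, 1 if at least one plaintext secret is present.
plaintext_secrets() {
  file=$1 found=0
  for key in $SECRET_KEYS; do
    # the literal key (dots escaped), optionally quoted, followed by a colon
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    line=$(grep -E "(^|[[:space:]\"'])${key_re}[\"']?[[:space:]]*:" "$file" | head -n 1)
    [ -n "$line" ] || continue
    case $line in
      *'ENC('*) ;;                        # still encrypted, nothing to report
      *) printf '%s\n' "$key"; found=1 ;;
    esac
  done
  return $found
}

# Constructed sample export (not real Tableau output). Two secrets are in plain
# text; the ENC(...) entry shows what an already-encrypted value looks like and
# is skipped; the fqdn line is not a secret at all.
write_sample() {
  cat > "$1" <<'EOF'
{
  "configKeys": {
    "wgserver.domain.fqdn": "corp.example.com",
    "pgsql.readonly_password": "r3adOnly!",
    "svcmonitor.notification.smtp.password": "smtp-s3cret",
    "redis.password": "ENC(QUJDREVGR0hJSktMTU5PUA==)"
  }
}
EOF
}

# Usage on a real server:  plaintext_secrets /path/to/exported-config.json
sample=$(mktemp)
write_sample "$sample"
if plaintext_secrets "$sample"; then
  echo "no plaintext secrets found"
else
  echo "plaintext secrets present: protect this file before moving it"
fi
rm -f "$sample"
```

The non-zero return value makes the check usable as a gate in a backup script: run it on the decrypted stream or on a file that is about to be copied off the server, and refuse to continue unless the destination is one of the protected options listed earlier.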