mutualSSLSettings Entity
Before you configure mutual SSL, review Configure SSL for External HTTP Traffic to and from Tableau Server.
The mutualSSLSettings entity combines both SSL and mutual SSL configuration. Mutual SSL requires that external SSL has been enabled and properly configured.
The TSM entities use JSON and key-value pairs. Use the configuration file template below to create a .json file. Provide values for the appropriate keys for your environment, and then pass the .json file to Tableau Server with the following commands:
tsm settings import -f <path-to-file.json>
tsm pending-changes apply
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
Configuration template
Use this template to configure mutual SSL settings.
Important: All entity options are case sensitive.
For more explanation about configuration files, entities, and keys see Configuration File Example.
{
  "configEntities": {
    "mutualSSLSettings": {
      "_type": "mutualSSLSettingsType",
      "sslEnabled": true,
      "proxyLogin": false,
      "clientCertRequired": true,
      "caCertFile": "required",
      "keyFileName": "required",
      "keyPassphrase": "",
      "chainFile": "",
      "revocationFile": "",
      "redirect": false,
      "fallbackToPassword": true,
      "protocols": "",
      "cipherSuite": "",
      "forceHttpsForPublicEmbed": false
    }
  }
}
Configuration file reference
sslEnabled
Enable SSL. This is a prerequisite to enabling mutual SSL.
clientCertRequired (MutualSSL)
Set to true to enable mutual SSL authentication. Set to false to disable.
caCertFile (MutualSSL)
Required.
Specify the CA-issued certificate file for two-way SSL. The file path must be readable by Tableau Server.
certFileName
Specify the file that contains the concatenation of PEM encoded CA certificates that form the certificate chain for the server certificate.
Alternatively, the referenced file can be the same as caCertFile when the CA certificates are directly appended to the server certificate for convenience.
keyFileName
If the key is not combined with the certificate, use this configuration key to point to the key file. If you have both an RSA and a DSA private key, you can configure both in parallel (for example, to also allow the use of DSA ciphers).
keyPassphrase
Optional. Passphrase for the certificate file. The passphrase you enter will be encrypted while at rest.
Note: If you create a certificate key file with a passphrase, you cannot reuse the SSL certificate key for SAML.
revocationFile
Specifies the file path for an SSL CA Certificate Revocation List (.crl) file.
redirect
Default: true. Specifies whether Tableau Server should redirect http requests as https requests to the appropriate endpoint.
clientCertMapping (MutualSSL)
Specifies the method for retrieving the user name from the certificate.
Accepted values: ldap, upn, cn
For a server using local authentication, the default setting is upn (User Principal Name). When Tableau Server authentication is configured for Active Directory (AD), the default is ldap (Lightweight Directory Access Protocol). This tells the server to go to AD to validate the user, and it ignores the names inside the certificate.
You can set cn for either authentication type to use the CN in the Subject DN in the certificate. For more information, see Mapping a Client Certificate to a User During Mutual Authentication.
fallbackToPassword (MutualSSL)
Set to true to give users the option to sign in to Tableau Server through their user name and password if mutual SSL authentication fails. Set to false to disallow this fallback option.
protocols
List the Transport Layer Security (TLS) protocol versions you want to allow or disallow.
Default value:
"all -SSLv2 -SSLv3"
However, we recommend using the following setting:
"all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
For more information, see tsm security external-ssl enable. For general information, see the Apache online documentation.
cipherSuite
List ciphers to allow or disallow for SSL.
Default value:
"HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES:!CAMELLIA:!IDEA:!SEED"
See the OpenSSL ciphers page for cipher list format. Use caution when changing this option. The default values disallow ciphers that are no longer considered adequately secure.
proxyLogin
Default: false. Indicates that Tableau Server uses a proxy for SSL on sign-in only. It controls the protocol the server reports to Tableau Desktop for sign-in APIs.
forceHttpsForPublicEmbed
Default value: false. Forces the code for embedded views to use SSL.
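Because entity options are case sensitive and the template ships with "required" placeholders, a mistake in the .json file is only noticed after tsm settings import. The following linter is an added example, not part of Tableau's tooling: it checks a mutualSSLSettings document against the constraints listed in this reference (key spelling and case, sslEnabled as a prerequisite for clientCertRequired, placeholders left in caCertFile and keyFileName, accepted clientCertMapping values, and legacy protocol versions still allowed by the protocols string). The sample document and the /path/to/server.key path are constructed.

```python
import json

# Keys from the configuration file reference; TSM entity options are case sensitive.
KNOWN_KEYS = {"_type", "sslEnabled", "proxyLogin", "clientCertRequired", "caCertFile",
              "certFileName", "keyFileName", "keyPassphrase", "chainFile", "revocationFile",
              "redirect", "fallbackToPassword", "protocols", "cipherSuite",
              "clientCertMapping", "forceHttpsForPublicEmbed"}
DEFAULT_PROTOCOLS = "all -SSLv2 -SSLv3"                      # documented default
RECOMMENDED_PROTOCOLS = "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"  # documented recommendation
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def lint_mutual_ssl(doc):
    """Return a list of findings for a mutualSSLSettings document (empty list == clean)."""
    try:
        s = doc["configEntities"]["mutualSSLSettings"]
    except (KeyError, TypeError):
        return ["missing configEntities.mutualSSLSettings"]
    findings = []
    if s.get("_type") != "mutualSSLSettingsType":
        findings.append('_type must be "mutualSSLSettingsType"')
    by_lower = {k.lower(): k for k in KNOWN_KEYS}
    for key in s:                                  # catch case slips such as "sslenabled"
        if key not in KNOWN_KEYS:
            hint = by_lower.get(key.lower())
            findings.append(f"unknown key {key!r}" + (f", did you mean {hint!r}?" if hint else ""))
    if s.get("clientCertRequired"):
        if not s.get("sslEnabled"):
            findings.append("clientCertRequired needs sslEnabled: true")
        for req in ("caCertFile", "keyFileName"):  # template placeholder "required" left in
            if s.get(req) in (None, "", "required"):
                findings.append(f"{req} must name a file readable by Tableau Server")
    mapping = s.get("clientCertMapping")
    if mapping is not None and mapping not in ("ldap", "upn", "cn"):
        findings.append(f"clientCertMapping {mapping!r} is not one of ldap, upn, cn")
    tokens = (s.get("protocols") or DEFAULT_PROTOCOLS).split()  # Apache SSLProtocol tokens
    for proto in LEGACY:
        enabled = "all" in tokens or proto in tokens or f"+{proto}" in tokens
        if enabled and f"-{proto}" not in tokens:
            findings.append(f"protocols allows {proto}; use {RECOMMENDED_PROTOCOLS!r}")
    return findings

def lint_file(path):
    """Lint a .json file before passing it to `tsm settings import -f`."""
    with open(path, encoding="utf-8") as fh:
        return lint_mutual_ssl(json.load(fh))

# Constructed sample: the template with a placeholder, the protocols default, and a key-case slip.
SAMPLE = {"configEntities": {"mutualSSLSettings": {
    "_type": "mutualSSLSettingsType", "sslEnabled": True, "clientCertRequired": True,
    "caCertFile": "required", "keyFileName": "/path/to/server.key", "protocols": "",
    "clientcertmapping": "upn"}}}
```

Running lint_mutual_ssl(SAMPLE) reports the miscased key, the untouched caCertFile placeholder, and the TLSv1 and TLSv1.1 versions that the default protocols string still allows.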