Manage Server Secrets
Tableau Server needs to store a number of secrets it uses to perform various functions, typically securing internal communication, communicating with other applications or the operating system, or providing secure communication with clients. In this context, the term secret may refer to a password, a token, or other string that is used to authenticate one entity to another.
There are two categories of secrets that are required to run Tableau Server. They differ according to how the secrets are generated:
- Secrets that are generated by administrators. These include credentials and associated secrets for the Run As User account and the SMTP credentials used by Tableau Server.
- Secrets that are automatically generated by various processes in the system. For example, a secret is required to protect communication between the Cluster Controller and ZooKeeper processes. And a number of different passwords are required for each service and programmatic user that communicates with Postgres.
Most secrets are encrypted while at rest. When a secret is needed, it is decrypted at run time.
This topic describes how secrets storage works and what you need to do to properly manage storage of secrets on Tableau Server.
Understanding how secrets storage works
During installation Tableau Server generates and stores a master key in a Java keystore. The master key is used to encrypt a configuration encryption key that is used across the system.
Whenever a new secret is created or updated, the secret is encrypted with the configuration encryption key. The encrypted value is then stored with its corresponding configuration parameter in a YAML file on the server. Parameters that hold an encrypted value use the format, ENC(<encrypted string>)
, where <encrypted string>
is a Base64-encoded encrypted string.
At run time, when a given secret needs to be accessed, the encrypted values are read into memory and decrypted with the configuration encryption key.
In the case of pending changes, where secrets are entered during a configuration change, the entire transaction is encrypted. In this scenario, after you enter a secret and then save the pending change, the secret is transmitted to the Coordination Service (over encrypted SSL). The Coordination Service encrypts the secret and stores it until the pending changes are applied. When changes are applied, the secret (still encrypted) is promoted to the current configuration version.
Tableau Server encrypts secrets using 256-bit AES in GCM mode. The keys used for secure storage are different than the asset keys that are used to encrypt embedded database credentials before they are stored in the repository.
Who has access to the master key?
In a default installation, the Java key store for Tableau Server is installed in \ProgramData\Tableau\Tableau Server\data\tabsvc\crypto\keystores\
folder. If you have installed Tableau on a non-system drive, then the path is <install drive>:\Tableau\Tableau Server\data\tabsvc\crypto\keystores\
. By default, the following accounts have access to this directory:
- Run As User account (if configured)
- NetworkService predefined local Windows account
- LocalSystem predefined local Windows account
- Members of the computer Administrators group
Import and export configuration information
Tableau Services Manager introduces the capability to import and export configuration information using tsm settings export.
Note: This version of Tableau Server does not support restoring configuration information from a backup. Instead, we recommend using the export and import configuration commands to backup and restore configuration information.
While configuration secrets are encrypted when stored on disk internally, when the configuration is exported to a file, secrets are written into the file in plain text. It is up to the administrator to take measures to protect this file. There are a variety of options available:
- Write the file to an encrypted file system.
- Write the file to a directory that is restricted to specific users or groups by file system permissions.
- Encrypt the output file.
Securing secrets for import and export operations
Use a third-party toolset, such as OpenSSL, to encrypt the backup output.
Cluster nodes
When adding a new node to your Tableau Server cluster, you will first need to generate the node configuration file (tsm topology). The node configuration file contains a copy of the master keystore file used for encrypting the configuration secrets.
Important: We strongly recommend that you take additional measures to secure the node configuration file when exporting a configuration file with secrets.
When installing and configuring Tableau Server on the new node, you will need to provide the node configuration file to the initialize-tsm
command.
Secrets storage event logging
The following events related to secrets storage are logged:
- Generating new encryption keys
- Encryption key is rolled or changed
- Encrypting a new value in the configuration file
For more information about log files and where they are stored, see Work with Log Files.
Managing secrets
As a Tableau Server administrator the most important task related to secrets storage is to periodically update secrets. In some cases (server troubleshooting or auditing), you may need to retrieve a password.
For other operations, such as upgrading versions, backing up and restoring, or adding new nodes to a cluster—as noted above—Tableau Server manages secrets storage and related processes automatically.
Updating secrets
You should update secrets periodically, according to your company's security policy.
To update the master key and automatically generated secrets, run tsm security regenerate-internal-tokens.
Retrieving passwords
In some cases, you may need to retrieve a password for troubleshooting or other operations. For example, you may need the Postgres readonly user credentials that are generated and encrypted by Tableau Server. In these cases, you can run a tsm command that will retrieve and decrypt the password for you.
To retrieve a password, open Command Prompt and issue a tsm configuration get
command for one of the parameters listed in the table below.
For example, to retrieve a password for the readonly Postgres user, type the following command:
tsm configuration get -k pgsql.readonly_password
The command will return the password in clear text:
$ tsm configuration get -k pgsql.readonly_password
password
Configuration Parameter | Description |
---|---|
clustercontroller.zookeeper.password | Password for cluster controller to connect to zookeeper. |
indexandsearchserver.client.password | Password for logging into Index and Search Server. |
indexandsearchserver.ssl.admin.cert.bytes | Admin certificate that is used for administrative access to the Index and Search Server. The admin certificate is used to generate the node certificate. |
indexandsearchserver.ssl.admin.key.file_bytes | Certificate key for administrative access to the Index and Search Server. |
indexandsearchserver.ssl.node.cert.bytes | Certificate that is used for Index and Search Server node-to-node communication. |
indexandsearchserver.ssl.node.key.file_bytes | Certificate key that is used for Index and Search Server node-to-node communication. |
indexandsearchserver.ssl.root.cert.bytes | Certificate that is used to sign the admin and node certificates . This certificate is used by TSM for health check and by NLP to connect to Index and Search Server. |
indexandsearchserver.ssl.root.key.file_bytes | Certificate key for root certificate. |
filestore.zookeeper.password | Password for filestore to connect to zookeeper. |
hyper.connection.init_password | Password used to initialize the Hyper database for user tableau_internal_user and is then used for connecting to Hyper.
|
jdbc.password | Password for the rails Postgres user. |
kms.persistent_store | A collection of master encryption keys (MEKs) used by the Key Management System. |
maestro.rserve.password | Password for connecting to an external Rserve instance used by Tableau Prep Conductor for running flows that have nodes with R scripts. |
maestro.tabpy.password | Password for connecting to an external TabPy (Python server) instance used by Tableau Prep Conductor for running flows that have nodes with Python scripts. |
oauth.google.client_secret | Client secret of the Google Cloud Platform account. |
oauth.quickbooks.consumer_secret | Consumer secret of the Intuit developer account. |
oauth.salesforce.client_secret | Client secret of the Salesforce developer account. |
pgsql.adminpassword |
Password for the tblwgadmin Postgres user. Note: Although the configuration parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), this password is stored in plain text in files used by SAML. |
pgsql.readonly_password | Password for the readonly Postgres user. |
pgsql.remote_password | Password for the tableau Postgres user. |
redis.password |
Password for Redis. Note: Although the configuration parameter is encrypted in Tableau's configuration files (tabsvc.yml, workgroup.yml), the configuration will still be in plain text in the redis.conf file that is consumed by the Redis application. Redis does not support encrypted/secured passwords. |
servercrashupload.proxy_server_password | Password for custom proxy server used to upload crash reports. |
service.runas.password | Password of the Run As users. Stored temporarily. |
ssl.cert.file_bytes | The content of one of the three SSL certificate files uploaded by the administrator. The certificate files are required to enable secure external connections to Tableau Server. |
ssl.chain.file_bytes | The chain file(s) for the certificates uploaded by the administrator for external SSL. |
ssl.key.file_bytes | Key file(s) for the certificates uploaded by the administrator for external SSL. |
ssl.key.passphrase | Optional passphrase used to protect the external SSL key. |
svcmonitor.notification.smtp.password | SMTP Server password supplied by the administrator through TabConfig.exe. |
tabadminservice.password | Password for the service that allows server admins to download log files through the web interface. |
vizportal.openid.client_secret | This is the password ("provider client secret") used for OpenID Connect SSO. |
vizqlserver.external_proxy_password | Password used to authenticate to an external proxy. |
wgserver.domain.password | Password used to bind to Active Directory. |
wgserver.saml.key.passphrase | Passphrase used to access the PKCS#8 SAML key file. |
zookeeper.tsm.password | Password that TSM uses to connect to Zookeeper coordination service |