Configure Custom SSL Certificate for TSM Controller

The Tableau Server Administration Controller (also known as the Controller) is the management component for administration changes to the Tableau Server cluster. By default, the Controller runs on the initial (first) node of a Tableau Server cluster. Although it is technically possible to run multiple Controllers in a single Tableau cluster deployment, this is not a recommended practice.

The Controller includes an API that can be managed by various clients: TSM CLI, TSM Web Client, REST clients (curl, Postman), and so on. Using these clients, Tableau Server administrators can make configuration changes to the server cluster. The Controller, along with Zookeeper, manages and performs the configuration changes across the nodes.

Default TSM SSL functionality

Note: As is convention, the term “SSL” is used here when referring to using TLS to secure HTTPS traffic.

By default, the client connection is encrypted with SSL by means of a self-signed certificate that is created by Tableau Server during setup and renewed by the Controller. In addition to encryption, the identity (hostname or IP) of the Controller host machine is validated against the subject name presented in the certificate during the SSL handshake. However, because the certificate is self-signed, the trustworthiness of the certificate is not absolute.

In the case of a CLI connection to the Controller, the inability to fully trust the certificate is not a significant security risk, since a man-in-the-middle attack would generally require that a malicious user already have access to the Tableau Server cluster on a private network. If a malicious user can spoof the certificate for the Controller in the CLI scenario, then that user already has “the keys to the kingdom.”

However, in the scenario where administrators are connecting to the Controller over TSM Web UI from outside the internal network, the lack of host validation through a certificate issued by a trusted certificate authority presents more of a security risk.

Until recently, customers running TSM Web UI on a Windows machine could place the Tableau Server CA certificate in a Windows trusted root store. Most browsers would validate the trust of the certificate by virtue of this configuration. Today, Chrome no longer validates (trusts) self-signed certificates that are placed in the OS trust store. Now, Chrome (and most major browsers) will only trust certificates that chain back to a trusted third-party root CA.

Tableau Server v2023.1 SSL custom certificate

The custom SSL TSM certificate feature closes the trust gap by allowing administrators to configure the TSM Controller with an identity certificate that chains back to a trusted third-party root CA.

There are a number of important details to understand:

  • Trust for the TSM custom SSL certificate is validated when connecting with TSM Web UI.
  • Trust validation is not attempted for the TSM CLI scenario. As described previously, a “man-in-the-middle” attack on the CLI scenario does not present a credible risk.
  • The certificate chain may be included in the configuration. The chain may present all certificates signed by intermediate CAs. The chain can end at any point, and any certificates missing from the chain are presumed to be installed in the operating system trust store.

Configuration

You must use the TSM CLI to configure (or update) the custom SSL certificate for TSM.

See tsm security custom-tsm-ssl enable.