Which prevents you from being untrustworthy

Securing traffic between clients and your server

This chapter describes how Tableau Server communicates with other computers and how you can make this traffic more secure.

A few turns ahead

While the previous chapters of Tableau Server: General Installation Guide may have been quite pleasant, this one gets more complicated. It doesn't get too difficult, but it does require a little more focus.

It is helpful to know that some of this information is difficult, even for an IT professional. But when it comes to your sensitive information, would you trust an approach that was too simple?

If you have worked through this guide on your own so far, this is a good time to contact a local IT expert. If you don't have an in-house IT professional, consider getting help from Tableau Professional Services.

Even with IT help, it's important that everyone who manages Tableau Server understands the principles and procedures behind securing the environment. How much you learn, and whether you even want to become an expert, is up to you. We therefore do our best to tell you what you need to know. You can also find plenty of information online, including in Tableau's own Help and KnowledgeBase articles.

An overview of the HTTP and client-server communication

By default, like many server applications, Tableau Server communicates with clients using the standard HTTP web protocol. In HTTP, when a browser sends a request to the server and the server responds, the information is sent back and forth in clear text. The content can be read by anyone sniffing the communication.

Some of the information shared between your users and the server may be sensitive. For example, a user can access Tableau Server through a web browser and send a username and password to log in to the server. Or a user requests a Tableau view created using sensitive data. If someone can view this traffic (snooping on HTTP isn't difficult for a seasoned IT person), that person may see information they shouldn't be seeing.

Your security goals: data protection and trust

When it comes to communication between Tableau Server and its clients, privacy and trustworthiness are important. To ensure data protection, make HTTP content unreadable for anyone snooping on it. You do this by encrypting the traffic.

However, you also need a trusted relationship between the server and the client. When the server sends information, the client must be able to be confident that the information comes from the server the client believes it is communicating with. This trust is established through authentication, in a manner similar to how you are authenticated as a user when you supply a username and password to log on to your computer. Authentication helps prevent a client from being fooled and, consequently, from communicating with a malicious site.

Use SSL to encrypt Tableau Server communications

SSL (Secure Sockets Layer) is a protocol that is similar to HTTP. However, it enables computers to send encrypted information across a network such as the web. (The term SSL is used as the generic name for this protocol. It may also be called TLS.) SSL addresses the two goals mentioned above (data protection and trust) through the encryption and authentication just described. When SSL is enabled for Tableau Server, users can use HTTPS instead of HTTP to request content from the server.

Enabling SSL significantly increases the security of client-server traffic. If your Tableau Server instance is accessible over the internet (not just your internal network), configuring SSL for the server is vital. When a server is made available on a public network without SSL, it is a significant security issue. Even if public access to your server is not possible, it is recommended that you enable SSL for client-server communication on your local network.

The following sections provide some background information about how SSL works. They also describe the requirements for using SSL with Tableau Server, whether you want to support secure traffic over the Internet or on your local network, explain how to enable SSL, and direct you to external resources for additional information. How you enable SSL on your local network depends on many factors in your environment. Your IT contact knows best how to handle this for your particular server installation.

SSL and VPN

Some of your Tableau Server users may be accessing your server remotely using a virtual private network (VPN) connection. In this case, the VPN connection offers privacy and trust even when the users are not on site. It is still a good idea to enable SSL. However, it is not essential that your users access Tableau Server using a VPN connection.

SSL certificates

To support SSL, the server needs a digital certificate. You can obtain a digital certificate from a publicly trusted third party known as a certificate authority (CA). A trusted CA verifies the identity of your organization and then issues a signed certificate that is unique to your organization. Trusted CAs include Symantec (VeriSign), thawte, and GlobalSign. There are many more.

"Publicly trusted" means that all operating systems, browsers supported by Tableau, and other clients generally trust the root certificates of these CAs. They meet web industry standards for recommended encryption and they mean less work for you to configure client-server trust.

After you go through the steps to get a certificate, the CA sends you your certificates as a set of files. Install the certificate files on your server after receiving them. Then, when a client tries to access the server, the information that the client gets from the server's certificate enables the client to authenticate the server. This covers the goal of the trust relationship. The certificate also contains a public key. This enables the client to establish encrypted communications with the server. This covers the goal of data protection.

Generally speaking, when a client wants to start an encrypted session with the server, the client requests the server's certificate. (This happens automatically when a user enters a URL that begins with https://.) The server replies with its certificate. The server certificate usually points to the issuer's certificate, which in turn points to a certificate from another issuer, and so on until the certification authority is reached. In fact, there is usually a complete chain of certificates. The client checks the certificate, or all certificates in the chain, and compares the CA information in the certificate with the CA information already available on the client. (Browsers and other clients have a store of known CAs.) When the client determines that the certificates are valid and trusted, the client and server can begin an encrypted session and exchange information.

Mutual SSL (two-way SSL)

We mention here only that it is possible to configure mutual SSL (also called bidirectional SSL), where both the server and the client have certificates. Mutual SSL is particularly useful for users who access the server in public places, especially over public WiFi, as it ensures that only preconfigured clients can access the server.

The mutual SSL client certificate is usually created by the IT staff in your organization. The client certificate contains a user name and information to ensure that the certificate cannot be forged. With mutual SSL, when the client starts a session with the server, the client requests and verifies the server certificate as usual. The server then requests the client certificate and checks it to determine its validity.

Mutual SSL is not further described in these instructions. However, later in this chapter there are links to more information if you are interested in enabling this feature for your Tableau Server installation.

Self-signed certificates

Your organization can generate its own certificates without going through the CA's verification process. The result is a self-signed certificate. With a self-signed certificate, the client and server can establish encrypted sessions. However, the client cannot confirm the identity of the server (authentication of the server). When users connect to the server, they see a message similar to the following: "This certificate is not trusted." The exact text depends on the browser or other client.

By default, many Tableau clients, including Tableau Mobile, are not compatible with a self-signed certificate on Tableau Server. With some clients (such as iOS devices) you can configure the device to trust a self-signed certificate. If you are interested, see the KnowledgeBase article on Using Tableau Mobile with an SSL Server listed in the Additional Resources section at the end of this chapter.

Instead of living with the browser's "Certificate is not trusted" warning or configuring devices to work with self-signed certificates (with potentially unreliable results), you should obtain a publicly trusted certificate from a known CA.

SSL for client-server traffic in your organization

The certificate you obtained from the trusted CA helps secure traffic between your server and the users who work on computers that are outside of your organization, that is, traffic from the Internet. For this scenario, clients use the fully qualified (public) domain name of your server, for example. (Note that at the end of)

You can also enable SSL encryption for content on your local network. This protects traffic when your colleagues access the server using an internal host name such as.

The following sections describe some options for enabling SSL for internal traffic. Our recommendations follow these descriptions. Talk to your IT partner to determine which is best for your environment and for configuration assistance.

Use your organization's existing internal CA and self-signed root certificate

If your organization has an IT team, you should ask if they have their own internal certification authority. If so, ask them to create a certificate for you. Often times, these certificates are automatically trusted by your Tableau users' computers. Therefore, you don't have to configure every client to trust the certificates.

Alternatively, if you don't have an internal CA, you can use OpenSSL to create an internal CA. This is an open source tool built into Tableau Server. You then set each client to trust the internal CA. If you need to update the certificate, you can distribute it to clients through your system administration tool such as Group Policy.

Although the steps to do this are documented in Tableau Server Help and documented on the web, there are many moving parts that need to be coordinated at the system level of your computer. You shouldn't do this without an experienced IT partner.

Create a self-signed certificate for your server and configure clients to support it

In fact, what is described here is the exact opposite of what was described in the section on Using Self-Signed Certificates for Public Traffic. This is because client-server traffic that is isolated on your organization's private network does not require the public-level trust that you get with a certificate issued by a CA.

Even for your internal traffic, you have to configure the browsers on each user's computer, the iOS devices, and other clients to support the self-signed certificate. Otherwise, you'll need to tell users how to deal with the "Untrusted Site" warning that appears in the browser when they try to connect. Another drawback is that even if you configure clients, when the certificate expires you have to reissue it and configure the clients again.

Select which option to use

The following is the recommended order of preference for enabling SSL for internal traffic to Tableau Server. If the preferred option is inconvenient for your organization (for example, if you do not have an internal CA), consider the next option.

  1. If your organization has an internal CA, use it. This lets you enable SSL internally and at the same time spare users the annoying browser message "Untrusted Site".

  2. Use a self-signed certificate and configure your clients to trust it, or explain to users that it is okay to make an exception for Tableau Server and ignore the "Untrusted Site" browser message.

  3. Obtain a certificate from a publicly trusted CA.

  4. If none of the first three options are available, you should contact your IT department for assistance with the process described for creating an internal CA.

Get and install a public certificate for Tableau Server

The process for obtaining a certificate is different for each CA, and the cost will vary based on the CA and the level of certificate you receive. If your organization does not have an IT department, the first thing to do is to search the web using a phrase like "get an SSL certificate" and read what each CA has to offer.

If your organization has an IT department, you should ask them if there is a relationship with public certification bodies that can streamline the acquisition process.

Your IT professional needs to know the following requirements for certificates that you install on Tableau Server. (The acronyms stand for different encryption algorithms. You only need to know the bare essentials for the purposes you want, unless you want to quench your thirst for knowledge.)

  • The server certificate must be a PEM-encoded x509 certificate.

    Other formats are also possible. So make sure you get a PEM-encoded certificate or use a tool like OpenSSL to save the certificate in PEM format.

  • The certificate file contains the key in RSA or DSA format and an embedded passphrase, although the file itself is not password-protected.

  • If the server certificate was not signed directly by a root CA, the issuer should provide a chain file.

    The chain file must be in PEM format and contain all intermediate certificates between the server certificate and the root certificate. Including the root certificate (or "trust anchor") is optional. The chain file is required if you want Tableau Mobile or Tableau Desktop users on the Mac to connect to the server.
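The requirements above, together with the chain walk described under "SSL certificates", can be checked with OpenSSL before any files are uploaded. The script below is an added example, not part of the original guide or of Tableau's tooling; the CA names, the host name tableau.example.internal and the function names are assumptions for the demo, and the host name check goes one step beyond the list above.

```shell
# Added example: constructed throwaway PKI (root -> intermediate -> server) plus
# pre-upload checks. CA names and the host name are placeholders.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
issue() {  # NAME SUBJECT EXTENSION [SIGNER]; self-signed when SIGNER is omitted
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  printf '%s\n' "$3" > "$work/$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$4.pem" -CAkey "$work/$4.key" \
      -CAcreateserial -days 30 -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$work/$1.csr" -signkey "$work/$1.key" \
      -days 30 -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
  fi
}

# PEM-encoded X.509 certificate? A DER file has no PEM armor and fails.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout 2>/dev/null
}

# Does the private key belong to the certificate? Compare the public halves.
key_matches_cert() {  # KEY CERT
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Validate SERVER for HOST against trust anchor ROOT, with or without the chain file.
chain_verifies() {  # ROOT SERVER HOST [CHAIN]
  if [ -n "${4:-}" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$3" -untrusted "$4" "$2"
  else
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2"
  fi >/dev/null 2>&1
}

host=tableau.example.internal   # placeholder host name
issue root "/CN=Demo Root CA" "basicConstraints=critical,CA:TRUE"
issue inter "/CN=Demo Intermediate CA" "basicConstraints=critical,CA:TRUE" root
issue server "/CN=$host" "subjectAltName=DNS:$host" inter
cp "$work/inter.pem" "$work/chain.pem"   # chain file: every intermediate, root optional
openssl x509 -in "$work/server.pem" -outform DER -out "$work/server.der"
report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report is_pem_cert "$work/server.pem"
report is_pem_cert "$work/server.der"
report key_matches_cert "$work/server.key" "$work/server.pem"
report chain_verifies "$work/root.pem" "$work/server.pem" "$host" "$work/chain.pem"
report chain_verifies "$work/root.pem" "$work/server.pem" "$host"
```

The last check fails because the client cannot link the server certificate to the root without the intermediate, which is the situation the chain file exists to prevent.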

Enable SSL

  1. Open TSM in a browser:

    https: // : 8850. For more information, see Sign in to the Tableau Services Manager web interface.

  2. On the Configuration tab, select Security > External SSL.

  3. Under External web server SSL, select Enable SSL for server communication.

  4. Upload the certificate and key files and, if required in your environment, also the certificate chain file, and enter the passphrase key.

  5. Click Save Pending Changes.

  6. At the top of the page, click Pending Changes.

  7. Click Apply Changes and Restart.

View the certificate

After installing the files, you can navigate to your site in a browser and view the certificate. We use Tableau Online on Google Chrome to show you how this works.

  1. Open your browser and switch to.

  2. Click the green padlock that appears in the address bar.

  3. Click the Details link. The site's security summary is displayed.

    It shows that Chrome has determined that the site is using a valid, trusted certificate. As you click through the security overview, you can also view the CA that issued the certificate and chain of trust. Click the option to view the certificate here to view more specific information (although that might not mean much here).

    You can test this action in different browsers to see how each is viewing the certificate information, or in different sites that you log in to, such as an online bank account.

Notes for future use

When you receive the certificate files, make a note of their expiration date and immediately create a schedule for updating the certificate before it expires. Set a reminder on your calendar that will appear three months before the expiration date. Make a note of who you contacted to get the certificate, including orders, receipts, and ticket numbers.

Also think of others who may have to do this next time; that is, include this information in your system documentation.
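A calendar reminder can be backed by a scheduled check. The script below is an added example, not part of the original guide; the function name and the demo certificates are constructed, and the 90-day window stands in for the three months mentioned above. It inspects every certificate in a PEM file, so it also covers the intermediates in a chain file.

```shell
# Added example: count the certificates in a PEM file (server certificate or
# chain file) that expire within a given number of days.
set -eu

expiring_certs() {  # DAYS PEMFILE -> prints how many certificates expire within DAYS
  days=$1; file=$2; hits=0; tmp=$(mktemp -d)
  # openssl x509 reads only the first certificate in a file, so split the bundle.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$file"
  for c in "$tmp"/*.pem; do
    [ -e "$c" ] || continue
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$c" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
      openssl x509 -in "$c" -noout -subject -enddate >&2 || true   # details for the ticket
      hits=$((hits + 1))
    fi
  done
  rm -rf "$tmp"
  echo "$hits"
}

# Constructed demo input: one certificate valid for 30 days, one for 365 days.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
for d in 30 365; do
  openssl req -x509 -newkey rsa:2048 -nodes -days "$d" -subj "/CN=demo-$d-days" \
    -keyout "$demo/$d.key" -out "$demo/$d.pem" 2>/dev/null
done
cat "$demo/30.pem" "$demo/365.pem" > "$demo/bundle.pem"

echo "expiring within 90 days: $(expiring_certs 90 "$demo/bundle.pem")"
```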

Proceed to Configuring Communication with the Internet.

More resources