Tableau Server, SAML Certificates, namespaces and my memory...

How to use POSH-ACME certs with Tableau and other tall tales.

The instructions on certificate usage for Tableau server and SAML are not memorable to me. Not much is, so I need to write this stuff down.

Tableau Official Guidance

The two docs that give the full details are here:

Configure SSL for External HTTP Traffic to and from Tableau Servertableau

SAML Requirementstableau

My Lab requirements

For my lab I want the simplest configuration so want to be able to use the same certificate for both the server and SAML. The relevant requirements for me are:

1. ...Confirm that the certificate includes only the certificate that applies to Tableau Server and not any other certificates or keys.

2. SSL certificate chain file: A certificate chain file is required for Tableau Desktop on the Mac and for Tableau Prep Builder on the Mac and Tableau Prep Builder on Windows. The chain file is also required for the Tableau Mobile app if the certificate chain for Tableau Server is not trusted by the iOS or Android operating system on the mobile device.

   • How to check: open the certificate and check the certificates are in order or... openssl crl2pkcs7 -nocrl -certfile $CERT_FILE | openssl pkcs7 -print_certs -noout3

3. You must either use a PCKS#1 (no password) or a PCKS#8 (with password) as described here.

   • How to check: You can check the format of the key simply by opening it shown here

4. All certificate files must be valid PEM-encoded X509 certificates with the extension .crt.

If you are running Windows follow the Tutorial linked below to get your certificates:

Posh-ACME - Tutorial

Great bit of software

Posh-ACME provides you with everything you need and stores the certificates in %LOCALAPPDATA%\Posh-ACME on Windows or ~/.config/Posh-ACME on Linux

• cert.cer (Base64 encoded PEM certificate)

• cert.key (Base64 encoded PEM private key)

• chain.cer (Base64 encoded PEM with the issuing CA chain)

• cert.pfx (PKCS12 container with cert+key)

• chainX.cer (Base64 encoded PEM with alternate issuing CA chains)

• fullchain.cer (Base64 encoded PEM with cert+chain)

• fullchain.pfx (PKCS12 container with cert+key+chain)

If you are using Linux then knock yourself out and try certbot.

You can just rename the .cer file to be .crt

SiteSAML requirements

I attempted to use the same Posh-ACME certificates for both the Server TLS and SAML. This worked without issue for Tableau Server-Wide SAML configuration. It did not work for Site SAML. I received the following error:

Expected private key stored in C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/vizportal_0.20201.20.0427.1803/files/samlkeyfile.key to be a PEMKeyPair (unencrypted PEM), but got PrivateKeyInfo instead

The confusing thing was that I knew the cert.key did not have an associated passphrase.

However the cert.key provided is PKCS#8. In our SAML requirements we state that:

To use a password-protected key file, you must configure SAML with a RSA PKCS#8 file. Note that a PKCS#8 file with a null password is not supported.

To resolve this I needed to convert the PKCS#8 formatted private key to PKCS#1. There are a number of ways to do this:

openssl rsa -in cert.key -out nopasscert.key 
openssl pkcs8 -in cert.key -traditional -nocrypt -out pkcsfingerscrossed.key  

Useful docs reference docs I found were PKCS formats are:

https://www.misterpki.com/pkcs8/

https://stackoverflow.com/questions/48958304/pkcs1-and-pkcs8-format-for-rsa-private-key

Updating your certificate

Click Reset and go through the standard steps of uploading your certificate files (cert, key and chain) to TSM. Yes, it needs a restart.

Namespace Considerations

Configure SSL for External HTTP Traffic to and from Tableau Servertableau

Tableau clients that need to access the server can use subject alternative names defined in the certificate. So as long as you manage the DNS you can have different names for clients to initially connect to (internal.example.com, external.example.com, desktop.example.com) the server.

However, if you have configured SAML then whatever you define as the SAML URLs (return URL and Entity ID) are what becomes the Server URL once the client has logged on, for both internal and external users and… if you plan to enable site-specific SAML later, this URL also serves as the base for each site’s unique ID.

Desktop me.

SAML Uber Alles

ISSUE: SSLHandshakeException

I have seen this error a few times.

Remember the guidance from ☝️

If you are using the Tableau clients you need a Certificate Chain file. That means that your certificate file should not only include the server certificate but also the intermediate certificate.

It can have a different root causes. We have a KB article to follow here which solves if the problem is from converting .pem to .crt.

However I have seen some customers not use a chain file at all. It is easy to do a basic check of this by just opening the file and checking the 2 certs match the distinct server and intermediate files. Or you can use a slightly more scientific method that I list above as well:

openssl crl2pkcs7 -nocrl -certfile $CERT_FILE | openssl pkcs7 -print_certs -noout3

Your Certificate Authority should have provided a chain certificate so if you only have the server certificate either reach back out to your CA or whoever manages it.

ISSUE: Certificate file not uploading

I attempted to update the cert.key a few times using the SAML configuration tsm command

tsm authentication saml configure --idp-entity-id https://tabwin-tfvm.developatribe.com --idp-return-url https://tabwin-tfvm.developatribe.com --cert-file cert.crt --key-file nopasscert.key

However, when I checked the key file I found it was updating even though TSM said the file upload was successful.

A quick workaround was to just copy over the file to the location shown above and restart services. Not sure how supported that is but worked for me!