KNOWLEDGE BASE

Configure TLS on Independent Gateway when using a certificate that has a certificate chain


Published: 22 Aug 2022
Last Modified Date: 25 Aug 2022

Question

How do I configure TLS on Tableau Server with Independent Gateway (TSIG) when I want to use a certificate that has a certification path?

Environment

  • Tableau Server 2022.1.2
  • Windows Server 

Answer

Before starting the configuration of the TLS for TSIG described here : https://help.tableau.com/current/server/en-us/server_tsig_configure_tls.htm
Please apply the procedure below in order to concatenate all certificates:
 

  1. Convert all the certificates of the chain into PEM format (Certificate1.pem, Certificate2.pem, Certificate3.pem,...)  
  2. Create a new text file
  3. Copy all certificates PEM format into the new text file 
    • -----BEGIN CERTIFICATE-----
      (Your Primary SSL certificate: your_domain_name.crt)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (Your Intermediate certificate: DigiCertCA.crt)
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (Your Root certificate: TrustedRoot.crt)
      -----END CERTIFICATE-----
  4. Use this new PEM file as SSLCertificateFile inside the httpd.conf file of the TSIG (when it has been copied from httpd.conf.stub as part of setting up the HK TLS configuration). 
  5. Use this new PEM file as SSLCertificateFile in Tableau Server configuration (gateway.tsig.ssl.cacert.file, gateway.tsig.hk.ssl.cacert.file, gateway.tsig.ssl.cert.file_name and gateway.tsig.hk.ssl.cert.file_name)
  6. The root certificate will be used in step 2 of HK configuration

Additional Information

This is the error message you will have in the tabadminagent logs if there is a certificate issue:

2022-08-10 10:42:05.641 +0000  ExternalStatusRequestDispatcher-0 : INFO  com.tableausoftware.tabadmin.agent.status.ExternalStatusStore - Posting external status update DOWN for gateway: {"statuses":[{"independentGateway":{"id":"EC2AMAZ-UV5C115","host":"10.108.29.122","port":21319,"protocol":"https","authsecret":"******"},"code":"ERROR","message":"javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}]}


What Is a Certification Path?

Certification Path: Also called Certificate Chain. An ordered list of certificates where the subject entity of one certificate is identical to the issuing entity of the next certificate.

A certification path can also be defined as an ordered list of certificates where the issuing entity of one certificate can be identified as the subject entity of the previous certificate. But the first certificate has to be a special one, because there is no previous certificate to identify the issuing entity. The first certificate must be a self-signed certificate, where the issuing entity is the same as the subject entity.

For example, the following diagram shows you a certification path:

Certificate 1
   Issuer: Herong Yang
   Subject: Herong Yang

Certificate 2
   Issuer: Herong Yang
   Subject: John Smith

Certificate 3
   Issuer: John Smith
   Subject: Bill White

OpenSSL offers a nice tool, the "verify" command, to validate a certification path. Here is the syntax of the "verify" command:

verify -CAfile first.crt -untrusted all_middle.crt last.crt

  • "first.crt" is the first certificate of the path. It should be self-signed certificate.
  • "last.crt" is the last certificate of the path.
  • "all_middle.crt" is a collection of all middle certificates. If certificates are store in PEM format, you can join them into a collection in any text editor.
Did this article resolve the issue?