KNOWLEDGE BASE

Tableau Server Authentication Fails After Upgrade to 2021.1 When Using Mutual SSL


Published: 10 Feb 2021
Last modified date: 26 Mar 2021

Issue

Tableau Server set up for mutual SSL authentication will not allow authentication of users with client certificates that have an insecure key attribute. Additionally, upgrades to Tableau Server 2021.1 or newer may fail because of an invalid root Certificate Authority (CA) certificate key size.
One of the following errors may be present in the vizportal logs:
 
Elliptic Curve size does not meet the required min allowed curve size

OR 
Key size is smaller than the min allowed key size 

Environment

Tableau Server 2021.1 and newer versions 

Resolution

Option 1: Update your certificates

 

If you are using Tableau Server with mutual SSL authentication, we recommend updating your certificate key/curve sizes to RSA2048 or ECDSA256 or greater prior to upgrading to 2021.1. 
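
A pre-upgrade check along these lines can confirm which certificates fall below those sizes. This is an added example, not part of the original article or of Tableau's tooling: it reads the key type and size reported by openssl x509 -noout -text and compares them with the RSA 2048 / ECDSA 256 minimums. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tableau tooling): flag certificates whose public key is
# below the minimums this article gives for Tableau Server 2021.1.
MIN_RSA=2048   # ssl.client_certificate_login.min_allowed.rsa_key_size
MIN_EC=256     # ssl.client_certificate_login.min_allowed.elliptic_curve_size

# classify_cert_text (hypothetical helper): reads `openssl x509 -noout -text`
# output on stdin and prints "<verdict> <type> <bits>".
# Returns 0 = meets minimum, 1 = would be blocked, 2 = key type not recognised.
classify_cert_text() {
    text=$(cat)
    alg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Public Key Algorithm: *\([^ ]*\).*$/\1/p' | head -n 1)
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", 3.x prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    case "$alg" in
        rsaEncryption)  type=RSA; min=$MIN_RSA ;;
        id-ecPublicKey) type=EC;  min=$MIN_EC ;;
        *) echo "UNKNOWN ${alg:-none} ${bits:-0}"; return 2 ;;
    esac
    if [ -z "$bits" ]; then echo "UNKNOWN $type 0"; return 2; fi
    if [ "$bits" -lt "$min" ]; then echo "BLOCKED $type $bits"; return 1; fi
    echo "OK $type $bits"
}

# check_cert_file (hypothetical helper): needs the openssl CLI. Only the first
# certificate in a PEM file is read, so split CA bundles before checking.
check_cert_file() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed sample of the relevant openssl output lines, for a dry run.
SAMPLE_WEAK_RSA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

if [ "$#" -gt 0 ]; then
    # Check every certificate file named on the command line.
    for f in "$@"; do printf '%s: ' "$f"; check_cert_file "$f" || true; done
else
    printf 'sample: '; printf '%s\n' "$SAMPLE_WEAK_RSA" | classify_cert_text || true
fi
```

Run it against each client certificate and each CA certificate in the trust chain; any BLOCKED line identifies a certificate to reissue before upgrading.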

Option 2: Disable blocklisting as a temporary workaround


As a temporary measure, you can disable key size blocklisting with one or both of the following commands, depending on the key type you use:

tsm configuration set -k "ssl.client_certificate_login.min_allowed.rsa_key_size" -v "0"
tsm configuration set -k "ssl.client_certificate_login.min_allowed.elliptic_curve_size" -v "0"

After certificates are updated to use a more secure key size, re-enable minimum key sizes with one or both of the following commands:

tsm configuration set -k "ssl.client_certificate_login.min_allowed.rsa_key_size" -v "2048"
tsm configuration set -k "ssl.client_certificate_login.min_allowed.elliptic_curve_size" -v "256"

Cause

Beginning with Tableau Server 2021.1, Tableau Server set up for mutual SSL authentication will not allow authentication of users with client certificates that have an insecure key size. Upgrades may fail because of an invalid root Certificate Authority (CA) certificate: key sizes less than RSA 2048 or ECDSA 256 are not supported by default.

Additional information

Tableau Server 2021.1 automatically blocks less secure key sizes by default. To verify whether or not your instance is blocking a key size, you can run the following commands:
tsm configuration get -k "ssl.client_certificate_login.min_allowed.rsa_key_size"
If Tableau Server returns "2048", Tableau Server is blocking certs with key size less than RSA 2048.
tsm configuration get -k "ssl.client_certificate_login.min_allowed.elliptic_curve_size"
If Tableau Server returns "256", Tableau Server is blocking certs with key size less than ECDSA 256.