Configure Gallery SSL/TLS

Version:
2019.3
Last modified: April 16, 2021


Server supports both TLS (Transport Layer Security) and SSL (Secure Sockets Layer) encryption for HTTPS to secure communication between Designer and Server, as well as any communication between a user’s web browser and your company's Private Gallery.

  • We recommend involving IT network administrators to configure TLS/SSL. TLS/SSL configuration requires expertise in creating, distributing, and certifying TLS/SSL files via a Certificate Authority (CA).
  • Use a recognized CA to sign your TLS/SSL certificates. 
  • We recommend that you use a TLS (SSL) certificate.
  • Self-signed certificates are not recommended for production deployments. 

Before enabling SSL on your machine, obtain a TLS/SSL certificate for your company's Private Gallery from a trusted Certificate Authority (CA). The Subject or Subject Alternative Name that you specify for the certificate has to match the address that you want to use for your Gallery website domain (the Base Address in System Settings on the Gallery General screen). Go to the Gallery help page for more info about setting the Base Address.

After you have obtained a TLS/SSL certificate, you need to configure the Alteryx Gallery to use that certificate when users visit your site. To do this, the certificate thumbprint has to be associated with a specific port on the machine.

Step 1. Install a TLS/SSL Certificate in Windows

Once you have received the signed certificate from the CA, it needs to be installed in Windows. To install the certificate: 

  1. Select the Windows Start button. 
  2. Enter mmc in Search, then select Enter.
  3. In the Microsoft Management Console (MMC), select Add/Remove Snap-in from the File menu.
  4. In the Add/Remove Snap-in dialog box, select Certificates, then select Add.
  5. In the Add Standalone Snap-in dialog box, select Certificates, then select Add.
  6. In the Certificates snap-in dialog box, select the Computer account, and select Next.
  7. In the Select Computer dialog box, leave the default Local computer selected, and select Finish.
  8. In the Add Standalone Snap-in dialog box, select Close.
  9. In the Add/Remove Snap-in dialog box, select OK.
  10. Expand Certificates > Personal.
  11. Right-click on Certificates under Personal, select All Tasks, and then Import.
  12. Select Next on the Certificate Import Wizard.
  13. Select Browse on the File to Import dialog box and browse to the file provided by your CA, then select Next.
  14. If the certificate includes the private key, when prompted, enter the password.
  15. Check Mark this key as exportable and select Next.
  16. Select Place all certificates in the following store, browse to Personal, and select Next.
  17. Select Finish on the Completing the Certificate Import Wizard dialog box to import the certificate to the Windows Personal certificate store.

Step 2. Obtain Your TLS/SSL Certificate's Thumbprint

Obtain the thumbprint of the certificate:

  1. Select the Windows Start button. 
  2. Enter mmc in Search, then select Enter.
  3. In the Microsoft Management Console (MMC), select Add/Remove Snap-in from the File menu.
  4. In the Add/Remove Snap-in dialog box, select Certificates, then select Add.
  5. In the Add Standalone Snap-in dialog box, select Certificates, then select Add.
  6. In the Certificates snap-in dialog box, select the Computer account, and select Next.
  7. In the Select Computer dialog box, leave the default Local computer selected, and select Finish.
  8. In the Add Standalone Snap-in dialog box, select Close.
  9. In the Add/Remove Snap-in dialog box, select OK.
  10. Expand Certificates > Personal.
  11. Right-click the certificate imported in Step 1 (Install a TLS/SSL Certificate in Windows) and select Open.
  12. Select the Details tab.
  13. Scroll through the list and highlight Thumbprint.
  14. The value displayed in the box at the bottom is the thumbprint of the certificate. Copy the value and paste it into a text editor to remove all spaces. Use this value when configuring the port.

Step 3. Configure a Port to Use the TLS/SSL Certificate

To associate the certificate thumbprint to a specific port:

  1. Select the Windows Start button.
  2. Enter netsh in Search, and select Enter.
  3. Edit the example command:
    http add sslcert ipport=0.0.0.0:443 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}
    1. Replace the certhash value with the certificate thumbprint value without the spaces.
    2. Modify the ipport value if you want to use a port other than the default port (443).
    3. Leave the appid as it is since it is the application ID for the Gallery.
  4. Paste the resulting command into the netsh console and select Enter to associate the certificate with the given port.
  5. Verify the association and successful install of the certificate by running this command in the netsh console:
    http show sslcert

All SSL certificate associations and their respective ports are listed.
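
The checks behind Steps 2 and 3, as an added PowerShell example that is not part of the original Alteryx documentation: it cleans the pasted thumbprint, confirms the certificate is in the Local Computer Personal store with a private key, is within its validity period and covers the Gallery host name, then prints the command to paste into the netsh console. The parameter names are assumptions of this example; the appid is the one shown in Step 3.

```powershell
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # value copied from the Details tab (Step 2)
    [Parameter(Mandatory)][string]$GalleryHost,  # host part of the Base Address (assumed parameter name)
    [int]$Port = 443                             # default port from Step 3
)

# Keep only hex digits. This removes the spaces and also the invisible
# U+200E character that copying from the certificate dialog can prepend.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hash.Length)."
}

# The certificate has to be in Local Computer > Personal (Step 1).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate $hash in Cert:\LocalMachine\My." }

# Without the private key the binding is accepted but TLS handshakes fail.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key.' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is only valid from $($cert.NotBefore) to $($cert.NotAfter)."
}

# The Subject / Subject Alternative Name has to match the Base Address host.
# DnsNameList is added by the PowerShell certificate provider; a wildcard
# name such as *.example.com covers exactly one extra label.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$covered = $names | Where-Object {
    $GalleryHost -like $_ -and $GalleryHost.Split('.').Count -eq $_.Split('.').Count
}
if (-not $covered) {
    throw "Certificate names ($($names -join ', ')) do not cover $GalleryHost."
}

# Application ID for the Gallery, as given in Step 3.
$appId = '{eea9431a-a3d4-4c9b-9f9a-b83916c11c67}'
"http add sslcert ipport=0.0.0.0:$Port certhash=$hash appid=$appId"
```

Run it from an elevated PowerShell session on the Server machine; any failed check stops the script before a command is printed.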

Step 4. Configure the Gallery for TLS/SSL

After the certificate is associated with a port, the Server configuration has to be changed to accept web requests over HTTPS instead of HTTP. If you associated the certificate with a port other than the default (443), the Alteryx Gallery has to be configured to utilize that port.

  1. Double-click the System Settings icon on your desktop.
  2. Select Next on each screen in System Settings to navigate to the Gallery screens. 
  3. On the Gallery General screen, select Enable SSL. Enabling this option changes the URL in the Base Address field to HTTPS.
  4. If you enable SSL and your certificate is set to a port other than the default 443, specify the port in the Base Address. For example, https://localhost:445/gallery/.
  5. Select Next to continue navigating through the settings.
  6. Select Done to close the System Settings and restart Alteryx Services.

After you have enabled SSL in the Server System Settings, users who go to the Gallery will see HTTPS and a padlock symbol will be displayed before the URL in their browser. This means that a secure connection is established with a unique session key and communications are secure.

Replacing an Existing TLS/SSL Certificate

To replace or to update a certificate that has expired or will be expiring soon, follow these steps: 

  1. Install the new certificate using the steps detailed in Step 1. Install a TLS/SSL Certificate in Windows.
  2. Stop the Alteryx Service.
  3. Select the Windows Start button.
  4. Enter netsh in Search, then select Enter.
  5. Edit the example command:
    http delete sslcert ipport=0.0.0.0:443
    1. Modify the ipport value if you used a port other than the default port (443).
  6. Paste the resulting command into the netsh console and select Enter to remove the certificate binding with the given port.
  7. Verify the association has been removed by running this command in the netsh console:
    http show sslcert
  8. Obtain the new certificate's thumbprint using the steps detailed in Step 2. Obtain Your TLS/SSL Certificate's Thumbprint.
  9. Associate the certificate with a given port using the steps detailed in Step 3. Configure a Port to Use the TLS/SSL Certificate.
  10. Start the Alteryx Service.