Skip to main content

Configure Server SSL/TLS

Server supports both TLS (Transport Layer Security) and SSL (Secure Socket Layer) encryption for HTTPS to ensure safe and secure communication between Designer and Server, as well as any communication between a user’s web browser and your company's Alteryx Server UI.

Note

Server-FIPS

AlteryxService now supports TLS for internal and direct service layer communication. For the Server-FIPS, TLS is enabled for all services and cannot be disabled. Because of this change, you must install an X.509 (TLS) certificate on the Controller and Server UI nodes. This allows communication between nodes to work with TLS. We recommend installing certificates on all of the machines hosting Server, regardless of their configuration.

Important

  • We recommend involving IT network administrators to configure TLS/SSL. TLS/SSL configuration requires expertise in creating, distributing, and certifying TLS/SSL files via a Certificate Authority (CA).

  • Use a recognized CA to sign your TLS/SSL certificates.

  • We recommend that you use a TLS (SSL) certificate.

  • Self-signed certificates are not recommended for production deployments.

Before enabling SSL on your machine, obtain a TLS/SSL certificate for your company's Alteryx Server UI from a trusted Certificate Authority (CA). The Subject or Subject Alternative Name that you specify for the certificate has to match the address that you want to use for your Server website domain (the Base Address in System Settings on the Server UI Configuration screen). Go to the Server UI help page for more info about setting the Base Address.

After you have obtained an TLS/SSL certificate, you need to configure the Alteryx Server to use that certificate when users visit your site. To do this, the certificate thumbprint has to be associated with a specific port on the machine.

Step 1. Install a TLS/SSL Certificate in Windows

Once you have received the signed certificate from the CA, it needs to be installed in Windows. To install the certificate:

  1. Select the Windows Start button.

  2. Enter mmc in Search, then select Enter.

  3. In the Microsoft Management Console (MMC), select Add/Remove Snap-in from the File menu.

  4. In the Add Remove Snap-in dialog box, select Certificates, then select Add.

  5. In the Add Standalone Snap-in dialog box, select Certificates, then select Add.

  6. In the Certificates snap-in dialog box, select the Computer account, and select Next.

  7. In the Select Computer dialog box, leave the default Local computer selected, and select Finish.

  8. In the Add Standalone Snap-in dialog box, select Close.

  9. In the Add/Remove Snap-in dialog box, select OK.

  10. Expand Certificates > Personal.

  11. Right-click on Certificates under Personal, select All Tasks, and then Import.

  12. Select Next on the Certificate Import Wizard.

  13. Select Browse on the File to Import dialog box and browse to the file provided by your CA, then select Next.

  14. If the certificate includes the private key, when prompted, enter the password.

  15. Check Mark this key as exportable and select Next.

  16. Select Place all certificates in the following store, browse to Personal, and select Next.

  17. Select Finish on the Completing the Certificate Import Wizard dialog box to import the certificate to the Windows Personal certificate store.

Step 2. Obtain Your TLS/SSL Certificates Thumbprint

Obtain the thumbprint of the certificate:

  1. Select the Windows Start button.

  2. Enter mmc in Search, then select Enter.

  3. In the Microsoft Management Console (MMC), select Add/Remove Snap-in from the File menu.

  4. In the Add Remove Snap-in dialog box, select Certificates, then select Add.

  5. In the Add Standalone Snap-in dialog box, select Certificates, then select Add.

  6. In the Certificates snap-in dialog box, select the Computer account, and select Next.

  7. In the Select Computer dialog box, leave the default Local computer selected, and select Finish.

  8. In the Add Standalone Snap-in dialog box, select Close.

  9. In the Add/Remove Snap-in dialog box, select OK.

  10. Expand Certificates > Personal.

  11. Right-click the certificate imported in Step 1. Install a TLS/SSL Certificate in Windows and select Open.

  12. Select the Details tab.

  13. Scroll through the list and highlight Thumbprint.

  14. The value displayed in the box at the bottom is the thumbprint of the certificate. Copy the value and paste it into a text editor to remove all spaces. Use this value when configuring the port.

Step 3. Configure a Port to Use the TLS/SSL Certificate

To associate the certificate thumbprint to a specific port:

  1. Select the Windows Start button.

  2. Enter netsh in Search, and select Enter.

  3. Edit the example command. Example Command

    http add sslcert ipport=0.0.0.0:443 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={eea9431a-a3d4-4c9b-9f9a-b83916c11c67}

    1. Replace the certhash value with the certificate thumbprint value without the spaces.

    2. Modify the ipport value if you want to use a port other than the default port (443).

    3. Leave the appid as it is since it is the application ID for the Server.

  4. Paste the resulting command into the netsh console and select Enter to associate the certificate with the given port.

  5. Verify the association and successful installation of the certificate by running this command in the netsh console.

    http show sslcert.

All SSL certificate associations and their respective ports are listed.

Step 4. Configure the Server for TLS/SSL

After the certificate is associated with a port, the Server configuration has to be changed to accept web requests over HTTPS instead of HTTP. If you associated the certificate with a port other than the default (443), the Alteryx Server has to be configured to utilize that port.

  1. Double-click the System Settings icon on your desktop.

  2. Select Next on each screen in Alteryx System Settings to navigate to the Server UI screens.

  3. Verify the Base Address and the Web API Address match the Subject or a Subject Alternative Name protected by the TLS/SSL Certificate.

  4. On the Server UI General screen, select Enable Server UI SSL/TLS. Enabling this option changes the URL in the Base Address and Web API Address fields to HTTPS.

  5. If you enable SSL and your certificate is set to a port other than the default 443, specify the port in the Base Address and Web API Address fields. For example, https://localhost:445/gallery/ and https://localhost:445/webapi.

  6. Select Next to continue navigating through the settings.

  7. Select Finish to close System Settings and restart AlteryxService.

After you have enabled SSL in the Server System Settings, users who go to the Server will see HTTPS and a tune icon will be displayed before the URL in their browser. This means that a secure connection is established with a unique session key and communications are secure.

Replacing an Existing TLS/SSL Certificate

To replace or to update a certificate that has expired or will be expiring soon, follow these steps:

  1. Install the new Certificate using the steps detailed in Step 1. Install a TLS/SSL Certificate in Windows.

  2. Stop the AlteryxService.

  3. Select the Windows Start button.

  4. Enter netsh in Search, then select Enter.

  5. Edit the example command. Example Command

    http delete sslcert ipport=0.0.0.0:443

    • Modify the ipport value if you used a port other than the default port (443).

  6. Paste the resulting command into the netsh console and select Enter to remove the certificate binding with the given port.

  7. Verify the association has been removed by running this command in the netsh console.

    http show sslcert

  8. Obtain the new certificates thumbprint using the steps detailed in Step 2. Obtain your TLS/SSL Certificates Thumbprint.

  9. Associate the certificate with a given port using the steps details in Step 3. Configure a Port to Use the TLS/SSL Certificate.

  10. Start the AlteryxService.