Skip to main content

Peer Validation Allow List

Alteryx has added security checks for functionality that relates to opening TLS or SSL connections, for example, connections to https:// URLs that utilize cURL and OpenSSL. Adjust security checks with the Peer Validation setting.

This requires that the connection to a service is secured with TLS and that the connected server provides a valid, trusted CA-signed certificate. The validation must go all the way down the CA chain to the root certificate, and validate certificates against the Microsoft Windows Certificate Stores list of trusted certificate authorities. There is no support for Linux at this time.

  • This feature was initially enabled on the 2022.1+ Designer-FIPS and 2022.2 Server-FIPS releases and there is no way to turn it off.

  • Peer Validation is now also enabled for the non-FIPS 2022.3+ releases.

Set Up Allow List for Peer Validation

We know that some administrators and users might encounter issues with this change. Especially, with existing workflows or server environments that utilize insecure connections or TLS connections that use self-signed, invalid, or untrusted certificates.

To work around these issues and continue to use insecure connections or TLS connections that utilize certificates that fail validation, you must add an exception to the Allow List.

  • The Allow List holds entries of URL sites that normally fail with Peer Validation enabled.

  • Add URL exceptions to the text file called PeerValidationBypass.txt.

  • You must place the file in C:\ProgramData\Alteryx\PeerValidationBypass.txt.

  • If the file doesn't exist, then Peer Validation is turned on by default. However, note that the existence of the file doesn’t turn off Peer Validation. It allows Designer and Server to ignore Peer Validation when connecting to the specific sites listed within the file.

PeerValidationBypass.txt Requirements

Entries in the PeerValidationBypass.txt file must follow several rules:

  • One Fully Qualified Domain Name (FQDN) entry per line.

  • Enter only the hostname.

  • Remove the protocol:// from the beginning of the URL.

  • Remove any path, query, and password from the URL.

  • Don't leave blank lines between the entries.

Example Entry

Suppose Peer Validation blocks this URL:

https://ThisIsATest.com/?category.id=External

In the PeerValidationBypass.txt file, enter this:

ThisIsATest.com

Additional Notes

  • After you edit PeerValidationBypass.txt, any time you use cURL/OpenSSL in Alteryx tools, it searches for a match. If Designer or Server finds a match, they turn off Peer Validation.

  • Please note that FIPS products ignore the Allow List.

  • To avoid any errors with SSL Peer Validation when the external server requires an SSL certificate signed by an Intermediate CA, add the required Intermediate CA to the Trusted Root Certification Authorities - Certificates folder in the Microsoft Management Console.

本节内容如下: