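Alteryx has added, for opening TLS or SSL connections (for example, those made with cURL and OpenSSL
This requires that connections to services are protected with TLS and that the server being connected to presents a trusted, valid CA-signed certificate. Validation must follow the CA chain all the way to the root certificate and check the certificate against the list of trusted certificate authorities in the Microsoft Windows certificate store. Linux is not currently supported.
This feature was first enabled in the 2022.1+ Designer-FIPS and 2022.2 Server-FIPS releases, where it cannot be turned off.
Peer validation is now also enabled in non-FIPS 2022.3+ releases.
We know that some administrators and users might run into problems related to this change. In particular, this affects existing workflows or server environments that use insecure connections, or TLS connections with self-signed, invalid, or untrusted certificates.
To resolve these issues and continue to use insecure connections, or TLS connections with certificates that fail validation, you must add exceptions to an allowlist.
The allowlist contains entries for URL sites that would normally fail when peer validation is enabled.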
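Add URL exceptions to a text file named PeerValidationBypass.txt. You must place the file at C:\ProgramData\Alteryx\PeerValidationBypass.txt. If the file does not exist, peer validation is on by default. Note, however, that the existence of the file does not turn peer validation off. It causes Designer and Server to ignore peer validation when they connect to the specific sites listed in the file.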
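Entries in the PeerValidationBypass.txt file must follow these rules:
One fully qualified domain name (FQDN) entry per line.
Enter only the hostname.
Remove the protocol:// from the start of the URL. Remove any path, query, and password from the URL.
Do not leave blank lines between entries.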
You can configure PeerValidationBypass.txt with FQDNs and IPv4 addresses that contain wildcard characters.
A domain name is a simple structure made of several fields, separated by dots and read from right to left. An example domain name is help.alteryx.com where…
The Top-Level Domain (TLD) is com.
The labels follow the TLD. alteryx is Label1 and help is Label2.
A label is a case-insensitive character sequence anywhere from one to sixty-three characters in length.
It contains only the letters A through Z, digits 0 through 9, and the hyphen (-) character (which can’t be the first or last character in the label).
The label located right before the TLD is also called a Secondary Level Domain (SLD), alteryx in the example above.
Note
A domain name might consist of one field only, or it might consist of two, three, or more than three fields. A fully qualified domain name (FQDN) is always labeled in the format:
hostname.SLD.TLD
When PeerValidationBypass.txt is parsed to determine whether a particular endpoint’s TLS certificate should be validated, the parser interprets wildcards as follows:
An asterisk (*) character matches 0 or more valid label characters.
A question mark (?) character matches exactly 1 valid label character.
For a domain name entry…
If TLD is a country code TLD, wildcard characters are not allowed in the last three fields. Wildcard matching is performed in Label 3 and onwards.
If TLD is not a country code TLD, wildcard characters are not allowed in the last two fields. Wildcard matching is performed in Label 2 and onwards.
???.*.com.fr, alteryx*.help.n?t, alteryx.*.net, and hello.world.example*.???
For an IPv4 address entry…
Wildcard characters are not allowed in the first two fields.
Wildcard matching is performed in the last two fields.
192.*.*.23, ???.*.123.234, and *.10.100.200
Suppose Peer Validation blocks this URL:
https://ThisIsATest.com/?category.id=External
In the PeerValidationBypass.txt file, enter this:
ThisIsATest.com
Suppose Peer Validation blocks these URLs, which share a similar pattern:
https://example.ThisIsATest.com/?category.id=External
https://warning.ThisIsATest.com/?category.id=External
https://info.ThisIsATest.com/?category.id=External
In the PeerValidationBypass.txt file you can add an exception for all 3 with one entry, using a wildcard:
*.ThisIsATest.com
To add exceptions for visit.country.france.fr and work.country.france.fr, enter this in the PeerValidationBypass.txt file:
*.country.france.fr
Note
TLD is a country code. As a result, wildcard characters are not allowed in the last 3 fields: country.france.fr.
To add exceptions for the 123.12.123.1 and 123.12.123.2 IPv4 addresses, enter this in the PeerValidationBypass.txt file:
123.12.123.?
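After you edit PeerValidationBypass.txt, the file is searched for a match whenever you use cURL/OpenSSL in an Alteryx tool. If Designer or Server finds a match, peer validation is turned off for that connection. Note that FIPS products ignore the allowlist.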
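A pre-deployment check for PeerValidationBypass.txt, added here as an example and not Alteryx code: it applies the entry rules and wildcard placement limits above to each line and models the stated wildcard semantics. Assumptions: any two-letter alphabetic TLD is treated as a country code, the wildcards never match a dot, and the function names and sample file content are constructed for illustration.

```python
import re

LABEL_CHARS = "[A-Za-z0-9-]"  # valid label characters per the page
FIELD_RE = re.compile(r"(?!-)[A-Za-z0-9*?-]{1,63}(?<!-)")  # a label, wildcards allowed
IPV4_FIELD_RE = re.compile(r"[0-9*?]+")

def check_entry(entry):
    """Return the rule violations for one PeerValidationBypass.txt line."""
    if not entry.strip():
        return ["blank line"]
    if "://" in entry:
        return ["remove protocol://"]
    fields = entry.split(".")
    if not all(FIELD_RE.fullmatch(f) for f in fields):
        return ["hostname only: no path, query, password or invalid label"]
    if len(fields) == 4 and all(IPV4_FIELD_RE.fullmatch(f) for f in fields):
        # IPv4 entry: wildcards are only allowed in the last two fields.
        guarded, msg = fields[:2], "wildcard in first two IPv4 fields"
    else:
        # Assumption: a two-letter alphabetic TLD is a country code TLD.
        tld = fields[-1]
        count = 3 if len(tld) == 2 and tld.isalpha() else 2
        guarded, msg = fields[-count:], f"wildcard in last {count} domain fields"
    return [msg] if any(c in f for f in guarded for c in "*?") else []

def entry_matches(entry, host):
    """Model of the stated semantics: '*' = 0+ label chars, '?' = exactly 1."""
    parts = (LABEL_CHARS + "*" if c == "*" else LABEL_CHARS if c == "?"
             else re.escape(c) for c in entry)
    return re.fullmatch("".join(parts), host, re.IGNORECASE) is not None

def audit(text):
    """Map line number -> violations for every offending line of the file."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        problems = check_entry(line)
        if problems:
            report[number] = problems
    return report

# Constructed sample file content (not taken from a real deployment).
SAMPLE = ("ThisIsATest.com\n*.country.france.fr\n\nhttps://x.example.com/a\n"
          "alteryx.*.net\n192.*.*.23\n123.12.123.?")

if __name__ == "__main__":
    for number, problems in audit(SAMPLE).items():
        print(f"line {number}: {'; '.join(problems)}")
```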
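When an external server requires an SSL certificate signed by an intermediate CA, add the required intermediate CA to the Trusted Root Certification Authorities - Certificates folder in the Microsoft Management Console to avoid SSL peer validation errors.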