
Configure Security for Relational Connections

You can apply the following Designer Cloud Powered by Trifacta platform features to relational connections to ensure compliance with enterprise practices.

Note

These security options apply to external relational connections. For more information on configuring security for internal connections to the Alteryx databases, see Enable SSL for Databases.

User Security

Connection Security Levels

| Connection Security Level | Description |
| --- | --- |
| Private | Private connections are created by individuals and are by default accessible only to the individual who created them. |
| Private and shared | Optionally, they can be shared by individuals with other users. Note: If needed, credential sharing can be disabled. See below. |
| Global | Global connections are either created by administrators or are private connections promoted to global by administrators. |

Credential Sharing

By default, users are permitted to share credentials through the application. Credentials can be shared in the following ways:

  • A user can create a private connection to a relational database. Through the application, this private connection can be shared with other users, so that they can access the creator's datasets.

  • When sharing a flow with another user, the owner of the flow can choose to share the credentials that are necessary to connect to the datasets that are the sources of the flow.

As needed, credential sharing can be disabled.

Note

If enterprise policy is to disable the sharing of credentials, collaborators may need to be permitted to store their source data in shared locations.

Tip

Credential sharing can be disabled by individual users when they share a connection. The connection is shared, but the new user must provide new credentials to use the connection.

Steps:

To disable credential sharing at the global level:

  1. Log in to the application as an administrator.

  2. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  3. Locate the following parameter. Set this property to false:

    "webapp.enableCredentialSharing": true,

  4. Save your changes and restart the platform.

Technical Security

The following features enhance the security of individual and global relational connections.

Encryption Key File

Relational database passwords are encrypted using key files:

  • Passwords in transit: The platform uses a proprietary encryption key that is invoked each time a relational password is shared among platform services.

  • Passwords at rest: For creating connections to your relational sources, you must create and reference your own encryption key file. This encryption key is used when accessing your relational connections from the web application.

This encryption key file must be created and installed on the Trifacta node. For more information, see Create Encryption Key File.

SSL

You can enable SSL for any connection by adding the following string to the Connect String Opts field:

?ssl=true;

Tip

Some connection windows have a Use SSL checkbox, which also works.

Configure long load timeout limits

For long-loading relational sources, a timeout is applied to limit the permitted load time. As needed, you can modify this limit to account for longer load times.

You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  1. Locate and edit the following parameter:

    "webapp.connectivity.longLoadTimeoutMillis": 120000,

  2. Save your changes and restart the platform.

| Property | Description |
| --- | --- |
| longLoadTimeoutMillis | Max number of milliseconds to wait for a long-loading data source. The default value is 120000 (2 minutes). |

For additional relational configuration settings, see Configure Data Service.

Enable SSO authentication

Relational connections can be configured to leverage your enterprise Single Sign-On (SSO) infrastructure for authentication. Additional configuration is required. For more information, see Enable SSO for Relational Connections.

Troubleshooting

Reading or writing over TLS/SSL fails

Reading or writing over TLS/SSL may fail with an error message in the data service log similar to the following:

The server selected protocol version TLS11 is not accepted by client preferences [TLS12, SSL20Hello]

In this case:

  • External libraries referenced by the data service may use TLS/SSL protocols of their own choosing.

  • These libraries are included during initialization of the data service.

  • The listed protocol (TLSv1.1) is a version of the TLS protocol that is no longer supported.

Solution:

You can configure the platform to override the default protocols supported by Java 8 and to instead use the set of protocols listed in platform configuration.

  1. Administrators can apply this configuration change through the Admin Settings Page in the application. If the application is not available, the settings are available in trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. When set to true, the following parameter instructs the data service to use the protocols listed in the Admin Settings page instead of the Java 8 defaults. Set this parameter to true:

    "data-service.httpsProtocols.reset": false,

    | Setting | Description |
    | --- | --- |
    | false | (default) Supported HTTPS protocols are defined by Java 8. |
    | true | Supported HTTPS protocols are defined by the Designer Cloud Powered by Trifacta platform. |

  3. Locate the following parameter:

    "data-service.httpsProtocols.defaultProtocols": "SSLv3,TLSv1,TLSv1.1,TLSv1.2"

    Tip

    You can enter any TLS/SSL protocol supported by Java 8 in the above. Other protocols are likely to cause read/write failures.

  4. In this case, you can add the missing protocol to the list, as in the following example:

    "data-service.httpsProtocols.defaultProtocols": "SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.1"

  5. Save your changes and restart the platform.
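
The diagnosis above as an added example (not code from the platform or its documentation): it parses the handshake error, maps the log token to the name used in defaultProtocols, and checks the two httpsProtocols settings against it. The flat settings dict keyed by the dotted parameter names and every token mapping other than TLS11 are assumptions; the legacy flag reflects that SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996).

```python
import re

# Log token -> name used in data-service.httpsProtocols.defaultProtocols.
# Only TLS11 -> TLSv1.1 is stated on the page; the other rows are assumed.
LOG_TO_CONFIG = {"SSL30": "SSLv3", "TLS10": "TLSv1", "TLS11": "TLSv1.1",
                 "TLS12": "TLSv1.2"}
# Deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ERROR_RE = re.compile(r"server selected protocol version (\w+) "
                      r"is not accepted by client preferences")
RESET_KEY = "data-service.httpsProtocols.reset"
LIST_KEY = "data-service.httpsProtocols.defaultProtocols"


def diagnose(log_line, settings):
    """Return (server_protocol, findings) for one data service log line.

    settings is a flat dict keyed by the dotted names the page prints
    (an assumption). Returns (None, []) if the line is a different message.
    """
    match = ERROR_RE.search(log_line)
    if not match:
        return None, []
    server = LOG_TO_CONFIG.get(match.group(1), match.group(1))
    findings = []
    if settings.get(RESET_KEY) is not True:
        findings.append("reset is not true: Java 8 defaults apply")
    protocols = [p.strip() for p in settings.get(LIST_KEY, "").split(",")
                 if p.strip()]
    if server not in protocols:
        findings.append(f"{server} missing from defaultProtocols")
    dupes = sorted({p for p in protocols if protocols.count(p) > 1})
    if dupes:
        findings.append("duplicate entries: " + ", ".join(dupes))
    legacy = [p for p in dict.fromkeys(protocols) if p in LEGACY]
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    return server, findings


# Constructed sample: the page's error line with its default settings.
SAMPLE_LOG = ("The server selected protocol version TLS11 is not accepted "
              "by client preferences [TLS12, SSL20Hello]")
SAMPLE_SETTINGS = {RESET_KEY: False,
                   LIST_KEY: "SSLv3,TLSv1,TLSv1.1,TLSv1.2"}

if __name__ == "__main__":
    server, findings = diagnose(SAMPLE_LOG, SAMPLE_SETTINGS)
    print(server, *findings, sep="\n- ")
```

Where the database server can be upgraded to negotiate TLSv1.2, that resolves the same error without enabling a deprecated protocol in the data service.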