Welcome
Tableau Server Security in Depth
#TC18
Kacper Reiter, Sr. Software Engineer, Server and Cloud Platform
Dinç Çiftçi, Software Engineer, Server and Cloud Platform
Agenda
General security model
Transport Layer Security
Secure storage of secrets
Repository security
New nodes and upgrades
Hardening
Q&A
Related Sessions
Implementing Tableau Server security: Oct 23 | 10:45am – 11:45am | MCCNO - L3 - 338
Introducing Tableau Services Manager: Oct 23 | 2:15pm – 3:15pm | MCCNO - L3 - 398
Users and File System
Installation Directory
Windows:
Run installer as Administrator
%PROGRAMFILES%\Tableau\Tableau Server
Permissions: Inherited default permissions
Administrators – full permissions
Users – read & execute
Linux:
Run rpm/deb with sudo
/opt/tableau/tableau_server
Permissions:
rwxr-xr-x root root
rw-r--r-- root root
Installed packages are immutable, even by Tableau Server processes.
Linux—“run as” Users
tableau/tableau: All services
Windows—“run as” Users
Local System: Tableau Server Administration Agent
Local Service: Tableau Server License Manager
Network Service: Tableau Server Administration Controller, Tableau Server Coordination Service
Network Service or custom “run as” user: Tableau Server Service Manager, all “business” services
Tableau Server Data Directory
Windows:
%PROGRAMDATA%\Tableau\Tableau Server
    \appzookeeper
    \filestore
    \pgsql
    \tabadminagent
    \<other services>
Permissions: Break inheritance at service level; Read & Write permission for the service user
Linux:
/var/opt/tableau/tableau_server
    /appzookeeper
    /filestore
    /pgsql
    /tabadminagent
    /<other services>
Permissions:
rwxrwx--- tableau tableau
rw-rw---- tableau tableau
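The modes on the Installation Directory and Data Directory slides reduce to two rules: nothing under the installation directory is writable by anyone but its owner, and nothing under the data directory is accessible to "other". The following is an added example, not part of the original deck or of Tableau's tooling, that audits a tree against either rule. The function names and the temp-dir layout and file names in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Mode bits that must NOT be set, derived from the modes on the slides:
#   install dir  rwxr-xr-x / rw-r--r--  -> only the owner may write
#   data dir     rwxrwx--- / rw-rw----  -> "other" gets no access at all
INSTALL_FORBIDDEN = stat.S_IWGRP | stat.S_IWOTH   # 0o022
DATA_FORBIDDEN = stat.S_IRWXO                     # 0o007


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str     # ls-style string, e.g. "-rw-rw-r--"
    reason: str


def audit_tree(root, forbidden_bits, owner_uid=None, owner_gid=None):
    """Report every entry under root (root included) that breaks the rule.

    owner_uid / owner_gid are optional: pass the ids of root for the
    installation directory, or of the tableau user and group for the data
    directory, to check ownership as well as mode bits.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)               # lstat: never follow symlinks
        if stat.S_ISLNK(st.st_mode):
            continue                      # a link's own mode bits are not meaningful
        mode = stat.filemode(st.st_mode)
        extra = stat.S_IMODE(st.st_mode) & forbidden_bits
        if extra:
            findings.append(Finding(path, mode, f"forbidden bits set: {extra:04o}"))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append(Finding(path, mode, f"owner uid {st.st_uid}, expected {owner_uid}"))
        if owner_gid is not None and st.st_gid != owner_gid:
            findings.append(Finding(path, mode, f"group gid {st.st_gid}, expected {owner_gid}"))
    return findings


def demo():
    """Audit a constructed data-directory tree that contains one mistake."""
    with tempfile.TemporaryDirectory() as base:
        data = os.path.join(base, "tableau_server")
        for sub in ("pgsql", "filestore"):
            os.makedirs(os.path.join(data, sub))
        for d in (data, os.path.join(data, "pgsql"), os.path.join(data, "filestore")):
            os.chmod(d, 0o770)            # rwxrwx--- as on the slide

        ok = os.path.join(data, "pgsql", "ok.dat")            # constructed file name
        leaky = os.path.join(data, "filestore", "leaky.dat")  # constructed file name
        for path, mode in ((ok, 0o660), (leaky, 0o664)):      # 0o664 is world-readable
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)

        return [(os.path.relpath(f.path, data), f.mode, f.reason)
                for f in audit_tree(data, DATA_FORBIDDEN)]


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode} {rel}: {reason}")
```

On a real host, call `audit_tree("/opt/tableau/tableau_server", INSTALL_FORBIDDEN, owner_uid=0, owner_gid=0)` and `audit_tree("/var/opt/tableau/tableau_server", DATA_FORBIDDEN)` with the uid and gid of the tableau account.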
Transport Layer Security (TLS/SSL)
Transport Layer Security
Chain of Trust
Transport Layer Security
TLS Handshake
Transport Layer Security
TLS provides
Authentication (trust)
Privacy (encryption)
Message reliability (integrity)
Transport Layer Security
Tableau Components Supporting TLS
Gateway (external and mutual): The web server handling requests from various clients
Repository: The database where the vast majority of server content is persisted
TSM Controller: The process orchestrating administrative actions
[Diagram: Gateway. Labels: Mobile, Tableau Desktop, tabcmd, Gateway, VizPortal, VizqlServer, DataServer, Search Server, Postgres (Repository), Data Engine, Backgrounder]
Transport Layer Security
Gateway (AKA Apache, httpd)
Provides access to all server content
Browser client, REST API, tabcmd
No TLS by default
External SSL: Admin-provided certificate
Mutual SSL: Client certificates managed by CA
Secrets live in the server configuration
[Diagram: Repository. Labels: Mobile, Tableau Desktop, tabcmd, Gateway, VizPortal, VizqlServer, DataServer, Search Server, Postgres (Repository), Data Engine, Backgrounder]
Transport Layer Security
Repository (AKA postgres, PostgreSQL)
Stores the vast majority of Server content
Workbooks, datasource credentials, user permissions, local auth credentials
Queried by other Server processes
No TLS by default
Certificate is self-signed and generated internally
Secrets live in the server configuration
[Diagram: TSM Controller. Labels: TSM CLI, TSM Web UI, Installer variants, TSM Controller]
Transport Layer Security
Tableau Services Manager's Controller
TSM REST API, Web UI and CLI
Self-signed certificate
Set up by default
Tableau Server Administration Controller Security
Authentication: User Name & Password -> the OS
Authorization: Administrators Group, tsmadmin group, custom defined group
Transport Layer Security
Windows:
Location: %PROGRAMDATA%\Tableau\Tableau Server\data\tabsvc\tabadmincontroller\0\keystores
Permissions: Break inheritance at service level; Read & Write permission for Network Service
TSM CLI needs the public certificate at Windows-ROOT Key Store
Linux:
Location: /var/opt/tableau/tableau_server/data/tabsvc/tabadmincontroller/0/keystores
Permissions:
-rw-rw---- tableau tableau cakeystore.jks
-rw-rw---- tableau tableau tabadmincontroller.jks
TSM CLI needs the public certificate at /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks
Tableau Services Manager
Secure Storage of Secrets
Secure Storage of Secrets
https://onlinehelp.tableau.com/current/server/en-us/security_secret_storage.htm
Encryption of Server secrets at rest
Server-wide secrets are persisted in encrypted form:
pgsql.adminusername: tblwgadmin
pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)
Secrets are managed by TSM, stored in ZooKeeper
The master key lives on disk, generated during install
Symmetric key encryption: AES GCM 256
Each service decrypts the secrets in memory
Encryption in the Repository
The Repository (PostgreSQL)
Encryption of sensitive content in the Repository
The Repository contains data source credentials
The database tables containing this information are encrypted with asset keys
Symmetric Key Encryption: AES CBC mode with PKCS5 padding
The key (“asset key”) is managed by TSM
Rolling the Secrets
Key Roll
Easy way to roll all the internal keys and secrets
tsm security regenerate-internal-tokens
Updates the following secrets:
All internal passwords (postgres, redis, etc…)
Master encryption keys
Internally generated SSL certificates (postgres, solr)
Asset keys
Re-encrypt secrets with new encryption keys
Nodes and Upgrades
Adding New Nodes
Establish 2 way trust through “bootstrapping”
bootstrap.json:
{
  "initialBootstrapSettings": {
    "configurationName": "tabsvc",
    "clusterId": "tabsvc-clustered",
    "nodeId": "node1",
    "machineAddress": "hostname1",
    "port": 8850,
    "certificate": "-----BEGIN CERTIFICATE----- <encoded cert> -----END CERTIFICATE-----",
    "cryptoKeyStore": "<encoded keystore>"
  }
}
AuthN / AuthZ
Upgrades
Upgrade
Authentication
Generate new secrets
Operations that require admin/sudo privileges
Hardening
Hardening
https://onlinehelp.tableau.com/current/server/en-us/security_harden.htm
Gateway SSL: Protect your users; maintain your certificate
Postgres SSL: Easy to set up, defense in depth
Firewall: Run Server within a subnet; only expose the Gateway port externally; set up firewall rules to allow communication between nodes
Ports
$ tsm topology list-ports
Node Name Instance Port
node1 clientfileservice:primary 0 8218
node1 clientfileservice:status 0 8048
node1 licenseservice:vendor_daemon 0 8889
node1 tabadmincontroller:primary 0 8850
node1 appzookeeper:leader 0 13000
node1 appzookeeper:client 0 12000
node1 appzookeeper:peer 0 14000
node1 tabadminagent:filetransfer 0 9347
node1 tabadminagent:columbo 0 8729
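One way to turn this port listing into the firewall split the Hardening slide asks for (Gateway port external, everything else node-to-node only) is sketched below, as an added example that is not part of the original deck or of Tableau's tooling. The `gateway:primary` row, its port 443 and the set of externally reachable ports are constructed sample values; the other rows are the ones shown above.

```python
from dataclasses import dataclass

# Rows 2-10 are the listing from the slide. The last row is constructed:
# the slide shows no Gateway row, so its name and port are assumptions.
SAMPLE_LIST_PORTS = """\
Node Name Instance Port
node1 clientfileservice:primary 0 8218
node1 clientfileservice:status 0 8048
node1 licenseservice:vendor_daemon 0 8889
node1 tabadmincontroller:primary 0 8850
node1 appzookeeper:leader 0 13000
node1 appzookeeper:client 0 12000
node1 appzookeeper:peer 0 14000
node1 tabadminagent:filetransfer 0 9347
node1 tabadminagent:columbo 0 8729
node1 gateway:primary 0 443
"""

# Constructed: ports found answering from outside the server subnet,
# e.g. taken from a firewall rule export or an external scan report.
SAMPLE_REACHABLE = {443, 8850, 12000}


@dataclass(frozen=True)
class PortEntry:
    node: str
    service: str     # e.g. "appzookeeper"
    port_name: str   # e.g. "client"
    instance: int
    port: int


def parse_list_ports(text):
    """Parse 'tsm topology list-ports' style rows: node, name, instance, port."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # header, blank line or anything that is not a port row
        service, _, port_name = fields[1].partition(":")
        entries.append(PortEntry(fields[0], service, port_name,
                                 int(fields[2]), int(fields[3])))
    return entries


def firewall_plan(entries, external_services=("gateway",)):
    """Split ports into 'expose to clients' and 'allow between nodes only'."""
    external = sorted({e.port for e in entries if e.service in external_services})
    internode = sorted({e.port for e in entries if e.service not in external_services})
    return {"external": external, "internode": internode}


def exposure_violations(entries, reachable_from_outside,
                        external_services=("gateway",)):
    """Rows whose port answers from outside although it is not a Gateway port."""
    return [e for e in entries
            if e.service not in external_services
            and e.port in reachable_from_outside]


if __name__ == "__main__":
    entries = parse_list_ports(SAMPLE_LIST_PORTS)
    plan = firewall_plan(entries)
    print("expose externally:", plan["external"])
    print("node-to-node only:", plan["internode"])
    for e in exposure_violations(entries, SAMPLE_REACHABLE):
        print(f"VIOLATION {e.node} {e.service}:{e.port_name} "
              f"port {e.port} is reachable from outside the subnet")
```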
Restrict access to hosts: Only allow privileged personnel to access; physical and over-the-network
Upgrade: OS upgrades; monitor Tableau security bulletins; upgrade to get new security features
Thank you!
#TC18
kreiter <at> tableau.com
dciftci <at> tableau.com
Relevant Documentation
https://onlinehelp.tableau.com/current/server/en-us/security_net.htm
https://onlinehelp.tableau.com/current/server/en-us/security_secret_storage.htm
https://onlinehelp.tableau.com/current/server-linux/en-us/config_firewall_linux.htm
https://onlinehelp.tableau.com/current/server/en-us/requ.htm#firewall
https://onlinehelp.tableau.com/current/server/en-us/cli_security_tsm.htm#regenerate-tokens