Prepare for SSL Configuration for Write-Back Server
Summary
Write-Back requires using HTTPS so it is mandatory to have a valid certificate applied.
If you are configuring in a test environment controlled by you, you can simply use the Write-Back manager defaults and it will generate automatically a self-signed certificate as this will be enough for that purpose. On the other hand, if you are running Write-Back in production or already on a server you need to have a valid certificate.
While there are multiple ways to generate the certificate, you should always check internally with your IT team what is the best procedure.
Upgrading to 4.1 has a new change to the certificate files, please take a look at our troubleshooting before proceeding with the upgrade:
Setting up SSL
On the Write-Back Manager Web-Server page, you can find the SSL configuration section that is used to upload the certificate and private key.
Certificate
Write-Back requires a certificate file in .crt or .cer format to be uploaded on the Write-Back Manager Web-Server page.
Private key
The private key should be in .key format and needs to be exported without the password and uploaded on the Write-Back Manager Web-Server page as well, just below the certificate.
While this process can vary from company to company, we leave here an example of how this can be achieved by exporting the certificate and key file from a PKCS12 Keystore:
Important note regarding the certificate
Tableau extensions are required to have a Subject Alternative Name (SAN) present in the certificate and it should match the URL where the extension is running.
For example, if Write-Back is running under https://mycompany.writeback.com:8143/twbe/site/default, then the SAN should be mycompany.writeback.com.
Certificate Troubleshoot assistance
Warning "Invalid file content type[Text/plain]"
When Warning "Invalid file content type[Text/plain]" appears that usually indicates that the certificate is not considered Trusted.
This usually happens when certificate is signed by one "certificate authority" through one or more intermediates. This builds a chain of trust up to a root certificate, where the issuer is equal to the subject, this certificate signs itself.
In this case, it is considered a "self-signed" certificate, indistinguishable technically from a CA certificate and no system by default, will give trust to such a certificate without specific configuration.
To overcome this In openssl
call add -trustout
and it will generate BEGIN TRUSTED CERTIFICATE
instead of BEGIN CERTIFICATE
.
Additional info regarding this topic can be located at https://www.openssl.org/docs/man1.0.2/man1/openssl-x509.html#:~:text=%2D-,trustout,-this%20causes%20x509
Generating Private key
To ensure that a private key is generated without a Password it is important to leave -nodes
command.