Prepare for SSL Configuration for Write-Back Server

Owned by Ricardo Pires
Last updated: Mar 01, 2024 by Bruno Gomes
2 min read

Summary

Write-Back requires using HTTPS so it is mandatory to have a valid certificate applied.

If you are configuring in a test environment controlled by you, you can simply use the Write-Back manager defaults and it will generate automatically a self-signed certificate as this will be enough for that purpose.  On the other hand, if you are running Write-Back in production or already on a server you need to have a valid certificate.

While there are multiple ways to generate the certificate, you should always check internally with your IT team what is the best procedure. 


Upgrading to 4.1 has a new change to the certificate files, please take a look at our troubleshooting before proceeding with the upgrade:


Setting up SSL

On the Write-Back Manager Web-Server page, you can find the SSL configuration section that is used to upload the certificate and private key.

Certificate

Write-Back requires a certificate file in .crt or .cer format to be uploaded on the Write-Back Manager Web-Server page.

Private key

The private key should be in .key format and needs to be exported without the password and uploaded on the Write-Back Manager Web-Server page as well, just below the certificate.



While this process can vary from company to company, we leave here an example of how this can be achieved by exporting the certificate and key file from a PKCS12 Keystore:

Important note regarding the certificate

Tableau extensions are required to have a Subject Alternative Name (SAN) present in the certificate and it should match the URL where the extension is running.

For example, if Write-Back is running under https://mycompany.writeback.com:8143/twbe/site/default, then the SAN should be mycompany.writeback.com.

Certificate Troubleshoot assistance

Warning "Invalid file content type[Text/plain]"

When Warning "Invalid file content type[Text/plain]" appears that usually indicates that the certificate is not considered Trusted.

This usually happens when certificate is signed by one "certificate authority" through one or more intermediates. This builds a chain of trust up to a root certificate, where the issuer is equal to the subject, this certificate signs itself.

In this case, it is considered  a "self-signed" certificate, indistinguishable technically from a CA certificate and no system by default, will give trust to such a certificate without specific configuration.

To overcome this In openssl call add -trustout  and it will generate BEGIN TRUSTED CERTIFICATE instead of BEGIN CERTIFICATE. 

Additional info regarding this topic can be located at https://www.openssl.org/docs/man1.0.2/man1/openssl-x509.html#:~:text=%2D-,trustout,-this%20causes%20x509 

Generating Private key

To ensure that a private key is generated without a Password it is important to leave -nodes command.