How To: Configure SSL (Issued SSL Certificate) on Connect

Alteryx

 

This article provides instructions for adding an issued SSL certificate to the web page hosted by Alteryx Connect so that the page is served securely.

 

Note: This article is intended for certificates that are trusted in your environment. To complete this process, you must have either a copy of the certificate (such as .crt) together with the signing key (such as .key), or a combined certificate file (such as .pfx or .p12). The certificate must be installed as a trusted certificate on every machine that will be used in conjunction with Alteryx Connect, for example to load metadata with Alteryx Designer or to display search results from Alteryx Connect within Alteryx Designer.

 

Prerequisites

 

  • Alteryx Connect ≤ 2018.4
  • Trusted SSL Certificate
  • Administrator Permissions in Alteryx Connect

 

Procedure

 

  1. Stop the Alteryx Connect service via Windows Task Manager or the Services dialog.
  2. Back up the entire Connect install folder (default C:\Program Files\AlteryxConnect\). This folder contains the H2 database as well as configuration files. If Connect does not start properly after you apply the modifications, you can restore this backup to return to the original state.
  3. Open a command prompt (CMD.exe) as administrator (Right Click > Run as Administrator).
  4. The following steps will depend on the type of certificates you have:
    1. To import a .pfx or .p12 file:
      1. Change directory to the jre\bin folder inside the Connect install folder (default C:\Program Files\AlteryxConnect\jre\bin).

        cd "C:\Program Files\AlteryxConnect\jre\bin"
      2. Use the following command to import a .pfx or .p12 file into a new keystore. Replace the value after -srckeystore with the location of your .pfx or .p12 file, and the value after -destkeystore with a keystore path in a directory accessible by the service account that runs the Alteryx Connect service (default is SYSTEM or Local System). Take note of this location and your keystore password, as you will need this information later.
        Note: If you are asked for the "source keystore" password during the process, this is the password for your .pfx or .p12 file, not the keystore password.

        keytool -importkeystore -srckeystore "C:\Path\to\File\pfxfile.pfx" -srcstoretype pkcs12 -destkeystore "C:\Path\to\File\keystore.jks" -deststoretype JKS

        SSL_import.png
    2. To import a .key and .crt file combination:
      1. You will need OpenSSL for this operation. You can find pre-compiled binaries at the following location:
        https://wiki.openssl.org/index.php/Binaries

        These binaries work well:
        http://slproweb.com/products/Win32OpenSSL.html
      2. Once you have OpenSSL installed, change to the directory in Command Prompt with the openssl.exe (typically \bin under the OpenSSL installation directory) and run the following command to combine your cert and key pair. Make sure to replace the value after -in with the path to your .crt file, the value after -inkey with the path to your .key file, the value after -out with the destination combined file location, and the value after -name with a name for the certificate (such as the hostname of the server).

        openssl pkcs12 -export -in "C:\Path\to\File\server.crt" -inkey "C:\Path\to\File\server.key" -out "C:\Path\to\File\server.p12" -name ayxconnect01
      3. Once you have the new .p12 file, please follow the steps above to import a .pfx or .p12 file to a Java keystore file.
  5. Once you have your keystore file, we can begin to configure Connect. Open the server.xml file within the conf directory inside the Connect install folder (default C:\Program Files\AlteryxConnect\conf) with a text editor such as Notepad.
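  6. Find line 70 within this file, add a new line, and add the following block of text. Set the Connector port to the port number you wish to run Connect on, if not the SSL/HTTPS default of 443. Set keystorePass to the password for the keystore file that you created earlier, and keystoreFile to the location of the keystore file that you created in Step 4. The values test123 and c:/test/keystore.jks shown below are samples. Because keystorePass is stored in clear text in server.xml, limit read access on server.xml and the keystore file to administrators and the account that runs the Alteryx Connect service.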

    <Connector port="443" maxHttpHeaderSize="128000"
               maxThreads="200" minSpareThreads="10"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
               SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="test123"
               keystoreFile="c:/test/keystore.jks" />

    The result should look similar to the following (screenshot below in Notepad++):

    SSL_connector.png

  7. Save the server.xml file.
  8. (Optional - Recommended) To redirect traffic from port 80 to port 443 (for example, so that someone who visits http://ayxconnect01.yourdomain.tld is redirected automatically to https://ayxconnect01.yourdomain.tld rather than simply receiving an error message), also make the following modifications.
    1. Modify line 68 of the same server.xml file so that redirectPort is 443 (or the port you specified for the Connector port in Step 6 above, if not the default). In the line shown below, this means replacing the redirectPort value 8443.

      <Connector port="80" protocol="HTTP/1.1" connectionTimeout="120000" redirectPort="8443" maxHttpHeaderSize="128000"/>

      SSL_compare.png

    2. Save the server.xml file.
    3. Open the web.xml file from the same conf directory with a text editor such as Notepad.
    4. Find line 4680 within this file and insert the following block of text. Please verify that the item inserted is just before the </web-app> XML tag.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      The result should look like the following:

      SSL_webxml.png
    5. Save the web.xml file.
  9. Start the Alteryx Connect service via Windows Task Manager or the Services dialog. Allow at least 5-10 minutes for the service to fully initialize all web services.
  10. Browse to the (now SSL-enabled) URL via a browser (e.g. https://ayxconnect01.yourdomain.tld ). If you specified a non-default port in the steps above for your SSL configuration, make sure to add the port to the end of the URL, preceded by a colon (e.g. https://ayxconnect01.yourdomain.tld:8443 ).
  11. Verify that Alteryx Connect is operational. If Connect is not operational, check log files for potential errors in XML files that were edited or other error messages. Verify your SSL port is allowed through any firewalls on the machine or on the network.
  12. Update the Base URL to the SSL-enabled URL within Connect Admin settings:
    1. Click the icon in the upper-right corner of the Connect page > Administration.

      2019-02-08_14-48-35.png

    2. Click Connect Configuration Instance Settings.
    3. Update the Base URL value to the new SSL-enabled URL.

      2019-02-08_14-53-46.png

    4. Click Save at the bottom of the page.
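
A consistency check for the edits made in Steps 6 and 8, as an added example that is not part of the original article or Alteryx's own tooling. It parses the text of server.xml and web.xml and reports a missing TLS Connector, a redirectPort that does not match the TLS port, or a missing CONFIDENTIAL constraint. The sample XML is constructed, and treating TLSv1.3 as acceptable alongside TLSv1.2 is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples: step 6 applied, but step 8.1 (redirectPort) forgotten.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1.2" keystorePass="placeholder" keystoreFile="c:/test/keystore.jks"/>
</Service></Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

def _local(tag):
    # Drop a "{namespace}" prefix so web.xml matches with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def check_connect_tls(server_xml, web_xml):
    """Return a list of problems; an empty list means the edits are consistent."""
    try:
        server, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    except ET.ParseError as exc:  # e.g. a block pasted after </web-app>
        return [f"XML is not well-formed: {exc}"]
    connectors = list(server.iter("Connector"))
    tls = next((c for c in connectors if c.get("SSLEnabled", "").lower() == "true"), None)
    if tls is None:
        return ['no Connector with SSLEnabled="true" (step 6)']
    problems = []
    if tls.get("scheme") != "https" or tls.get("secure") != "true":
        problems.append('TLS Connector needs scheme="https" and secure="true"')
    protocols = {p.strip() for p in tls.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not protocols or protocols - {"TLSv1.2", "TLSv1.3"}:  # TLSv1.3 allowed by assumption
        problems.append(f"sslEnabledProtocols should list only TLSv1.2 or newer, got {sorted(protocols)}")
    problems += [f"TLS Connector is missing {a}" for a in ("keystoreFile", "keystorePass") if not tls.get(a)]
    for c in connectors:
        redirect = c.get("redirectPort")
        if c is not tls and redirect and redirect != tls.get("port"):
            problems.append(f"Connector on port {c.get('port')} redirects to {redirect}, "
                            f"but TLS listens on {tls.get('port')} (step 8.1)")
    forced = False
    for sc in (e for e in web if _local(e.tag) == "security-constraint"):
        text = {_local(e.tag): (e.text or "").strip() for e in sc.iter()}
        forced |= text.get("url-pattern") == "/*" and text.get("transport-guarantee") == "CONFIDENTIAL"
    if not forced:
        problems.append("web.xml has no CONFIDENTIAL security-constraint for /* (step 8.4)")
    return problems

if __name__ == "__main__":
    print(check_connect_tls(SAMPLE_SERVER_XML, SAMPLE_WEB_XML))
```

Pass it the contents of conf\server.xml and conf\web.xml before starting the service in Step 9; a parse error here points at the same malformed XML that would otherwise only show up in the Connect logs.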

 
