Alteryx Connect Knowledge Base

Don't forget to submit your entry for the Excellence Awards by October 30! | Need more information about the program? Check out the blog here

How To: Configure SSL (Self-Signed Certificate) on Connect

Alteryx
Created

How To: Configure SSL (Self-Signed Certificate) on Connect

This article provides instructions for adding a self-signed SSL certificate to the web page hosted by Alteryx Connect so that the page is served securely.

Note: This article is only intended for Self-Signed Certificates. A self-signed certificate is not recommended to be used for production purposes. This is because self-signed certificates must be installed on all of the machines you intend to use with Connect as a trusted certificate. This includes any machines that will use Connect applications like loading metadata in Alteryx Designer or using search results from Connect Designer.

Prerequisites

• Alteryx Connect ≤ 2018.4
• Administrator Permissions in Alteryx Connect

Procedure

1. Stop the service Alteryx Connect via Windows Task Manager or Services dialog.
2. Back up the entire Connect install folder, (default C:\Program Files\AlteryxConnect\ ). This folder contains the H2 database as well as configuration files. If you are unable to get Connect to start properly after applying the modifications, you can restore this backup to restore original functionality.
3. Open a command prompt (CMD.exe) as administrator (Right Click > Run as Administrator).
4. Change directory to the jre\bin folder inside the Connect install folder (default C:\Program Files\AlteryxConnect\jre\bin).

cd "C:\Program Files\AlteryxConnect\jre\bin"
5. Run the following command, changing the value after -keystore to a directory accessible by the service account (default is SYSTEM or Local System) running Alteryx Connect. You should also change the option after -ext to your server's Fully Qualified Domain Name (FQDN), hostname, or the DNS name(s) you wish to use for testing.
Note: The value here is important as newer browsers like Chrome will reject the certificate when you browse to your Connect instance if it doesn't contain the proper Subject Alternate Name (SAN) in the certificate. If you are unsure what to put here, you should use the root of the URL you are using to access your Connect instance if you were accessing it from a different machine. For example, if your Connect URL is http://ayxconnect01.yourdomain.tld , then set your SAN to ayxconnect01.yourdomain.tld). We do not recommend using localhost here as the certificate will not function properly on remote machines.
1. Single SAN (one domain name):

keytool -genkeypair -keystore "C:\Path\to\File\keystore.jks" -keysize 2048 -alias ssltomcat -validity 3600 -keyalg RSA -sigalg SHA256withRSA -ext san=dns:ayxconnect01.yourdomain.tld
2. Multiple SAN -  (multiple DNS/domain names/hostname, etc):

keytool -genkeypair -keystore "C:\Path\to\File\keystore.jks" -keysize 2048 -alias ssltomcat -validity 3600 -keyalg RSA -sigalg SHA256withRSA -ext san=dns:ayxconnect01,dns:ayxconnect01.yourdomain.tld,dns:connecturl.yourdomain.tld
6. You will be asked to provide some information during this process, please pay special attention to the first and last name question. This value will need to be set to your server's hostname, FQDN, or the DNS name you wish to use for testing. Please also make sure to keep your keystore password as it will be needed for further steps. The other values are up to personal preference and should not change the desired outcome.

7. Once the keystore file is generated, we need to export it out to a .crt file so it can be installed as a trusted cert on machines you wish to utilize. Replace the -file option with the target directory you wish to write the .crt file to, and the -keystore option with the same path to the keystore you created in the previous step. You'll also be asked for the keystore password that you previously provided.

keytool -export -alias ssltomcat -file "C:\Test\out.crt" -keystore "C:\test\keystore.jks"

8. Once you have your keystore and cert files, we can begin to configure Connect. Open the server.xml file within the conf directory inside the Connect install folder (default C:\Program Files\AlteryxConnect\conf) with a text editor such as Notepad.
9. Find line 70 within this file, add a new line, and add the following block of text. Modify the Connector port to the port number you wish to run Connect on, if not the SSL/HTTPS default of 443. Modify the keystorePass to the password for your keystore file that you created earlier. Modify the keystoreFile to the file location of your keystore file that you created in Step 5.

<Connector port="443" maxHttpHeaderSize="128000"
protocol="org.apache.coyote.http11.Http11NioProtocol"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="test123"
keystoreFile="c:/test/keystore.jks" />

The result should look similar to the following (screenshot below in Notepad++):

10. Save the server.xml file.
11. (Optional - Recommended) If you wish to redirect traffic from port 80 to port 443 (for example, if someone visits http://ayxconnect01.yourdomain.tld and you want them to be redirected automatically to https://ayxconnect01.yourdomain.tld and not simply receive an error message, then we also need to make the following modifications.
1. Modify line 68 of the same server.xml file to indicate the redirectPort as 443 (or the port you specified in Step 6 above for Connector port if not default).

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="120000" redirectPort="8443" maxHttpHeaderSize="128000"/>

2. Save the server.xml file.
3. Open the web.xml file from the same conf directory with a text editor such as Notepad.
4. Find line 4680 within this file and insert the following block of text. Please verify that the item inserted is just before the </web-app> XML tag.

<security-constraint>
<web-resource-collection>
<web-resource-name>Automatic Forward to HTTPS/SSL
</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

The result should look like the following:

5. Save the web.xml file.
12. Start the service Alteryx Connect via Windows Task Manager or Services dialog. Allow at least 5-10 minutes for service to fully initialize all web services. While the service is starting, you can move to the next step.
13. (Optional - Recommended) Install the certificate .crt file you created to the Trusted Root Certification Store on the desired client machine(s). This can be done on the server itself or on the client machine. Note that this file must be installed on each machine as mentioned in the initial notes above in order to trust the SSL connection. Any machines you do not install this certificate to will not trust the certificate and will not show the connection as secure.
1. Right-click the .crt file you created and click Install Certificate.
2. Click Local Machine in the Store Location.
3. Click Next.

4. Click Place all certificates in the following store. Click Browse.
5. Click Trusted Root Certification Authorities from the list.
6. Click OK.
7. Click Next.

8. Click Finish. A message should appear stating The import was successful.

14. Browse to the (now SSL-enabled) URL via a browser (i.e. https://ayxconnect01.yourdomain.tld ). If you specified a non-default port in the steps above for your SSL configuration, make sure to add the port to the end of the URL, preceded by a colon : (i.e. https://ayxconnect01.yourdomain.tld:8443 ).
15. Verify operation of Alteryx Connect. If Connect is not operational, check log files for potential errors in XML files that were edited or other error messages. Verify your SSL port is allowed through any firewalls on the machine or on the network.
16. Update the Base URL to the SSL-enabled URL within Connect Admin settings:
1. Click the icon in the upper-right corner of the Connect page > Administration.

2. Click Connect Configuration Instance Settings.
3. Update the Base URL value to the new SSL-enabled URL.

4. Click Save at the bottom of the page.

8 - Asteroid

@MikeSp  Hello Mike, Is there any method for me to do this in  Alteryx Designer 2019.1, We have an API to call and it requires Certifications but when I call using Download tool I get below error. Any pointers would be of great help. Thanks!

HTTP/1.1 403 No client certificate supplied
Cache-Control: private, must-revalidate, max-age=0
Transfer-Encoding: chunked
Expires: Thu, 12 Mar 2020 17:53:29 GMT
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 12 Mar 2020 17:53:28 GMT

Alteryx

Hi @vepp,

In the future, I'd definitely recommend posting this one on the Designer boards as it would help with visibility to other members of the community.

At the time of this writing, using a certificate for authentication in the Download Tool is not supported. I did some digging and found what I believe to be a relevant ideas post asking for this feature that has some thumbs up votes already. I'd highly recommend commenting and/or putting a thumbs up on the post to increase its visibility. Our product teams look at these posts regularly to determine new features or functionality that should be supported.