Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!

Alteryx Connect Knowledge Base

Definitive answers from Connect experts.

How To: Enable SSL in the Connect Installer

VojtechT
Alteryx
Alteryx
Created

How To: Enable SSL using the Connect 2019.1 Installer

With version 2019.1, you can make Connect run on https protocol and make the communication between client and server much more secure. This is an enhancement from the previous version, when you had to manually change configuration files, download SSL tools and execute several of commands. Now you can do it in a user friendly way just by using the Installer.

Note: SSL is a very broad topic and not every situation can be handled by the Installer (as opposed to CLI - command line interface).

In the 2019.1 version, we've focused on the more simple scenario - generating the self-signed certificate with the request file you can use to get the signed certificate (not mandatory).

The second (and more common) scenario, when you already have a certificate with the private key, cannot be directly achieved with the 2019.1, and the import must be done using CLI.

We plan to continue with enhancing the SSL configuration capabilities in the next releases.

Prerequisites

  • Alteryx Connect 2019.1

Terms used

Certificate

Private key - the part of certificate that is private only for you, is created with the creation of a keystore and is stored in it.

Public key - the part of certificate you share with the world in order to establish trust.

Intermediate Certificate -

Certificate Signing Request (CSR)

Self-signed certificate

Certification Authority (CA)

CA signed certificate

Keystore

Part one - running with self-signed only

  1. Run the AlteryxConnect_2019.1.exe file.

  2. If you don't have Connect installed, you have to install Connect first. Continue the install process until you see the "Enable SSL" option and continue from step #6 of this tutorial.

  3. Otherwise, you will see a screen with several options:
    1. Enable SSL
    2. Upgrade(depending on the installed version)
    3. Remove existing installation

  4. The upgrade includes the option to enable SSL as well. For the purpose of this guide, and because I already have 2019.1 installed, I'm selecting Enable SSL. I recommendthat you upgrade as well but it is not mandatory. You can use this Installer to set up SSL even for the previous versions (not version 1).

    Enable SSLEnable SSL
  5. If Connect is running, you will have to stop the service. Click the Stop service button and wait until another screen appears (it should take few seconds).

    Stop serviceStop service
  6. You want to Set up SSL, so leave that checkbox selected (or select if unchecked) and choose between the two offered options. This screen also displays during the Install and Upgrade scenario.

    1. Upload existing certificate - this scenario allows you to select an existing keystore or create a new one, create a CSR file and upload the signed and intermediate certificates.
    2. Generate self-signed certificate - choose this scenario if you want to use only a self-signed certificate and don't plan to get the signed one (e.g. just for testing purposes).

  7. Select the Upload option, since the additional screens can be skipped.

    Upload existing certificateUpload existing certificate
  8. On this screen you can change the port for https and have to select existing keystore or create a new one. You can only browse for the folder and the filename must be written separately. Let's assume you don't have any keystore so far:
    1. Specify the password for the keystore - since it contains your Private key, you have to have it password protected otherwise you cannot continue. Don't forget the password as it will be needed later.
    2. You can leave the default values for filename and path or choose your own.
    3. Uncheck the 'Redirect http communication' only if you want your users to type "https://" in the URL, but usually you should keep that option checked.
    4. Click Next (inactive if password not specified).

      04_keystore.JPG


  9. If the selected port is already used, you are notified and have to either release that port or go Back to select adifferent one.

    Port 443 in usePort 443 in use
  10. Here we are going to specify our self-signed certificate. If you already have a keystore with certificate, skip this step.
    1. Alias - is the identifier of the certificate in your keystore. You can type in whatever you want, but only use lowercase letters.
    2. Domain - should match your URL you're going to use to access Connect.
    3. All other options are self-explanatory - do not use special characters.
    4. This information will be presented to the user if he/she chooses to see your certificate in the browser, so choose them wisely.

      06_certificate.JPG
  11. I recommend creating the CSR file - you don't have to use it, but if you decide to get your certification signed, it is easier to take already existing CSR file than to create it. This step can be skipped, e.g. if you are using already existing keystore with a certificate.
    1. Just specify the filename
    2. The path says where will the CSR file be created. You can leave the default value which is Connect folder.

      07_csrFile.JPG


  12. Now I am on the Import certificate page. As I mentioned in the beginning of this post, in the 2019.1 only the certificate signed based on the CSR file created in the previous step will lead to a successful startup of Connect. So at this point you have these options:
    1. Click Next and don't import anything - this will lead to a (most likely) successful start of Tomcat on https with the self-signed certificate and once you get the certificate signed you can go back on this page (skip the previous ones) and import it here.
    2. Provide your IT department with the CSR file and wait until they give you a signed certificate back. In such case don't forget to click the Import button once you specify the alias, path and filename of the certificate. You also have to first import the certificate of the CA (the body that signed your certificate) otherwise the keystore doesn't trust the signature and won't let you import it.

  13. For demonstration purposes, I'm not importing anything now and go to the next screen.

    08_uploadCert1.JPG

  14. Start the service - leave the checkbox selected and press Next. Notice I'm running https on port 4430.

    09_startService.JPG

  15. While the service is starting, you can check catalina.log in logs folder. If you find this row (depending on your https port) there:
    INFO: Starting ProtocolHandler ["https-openssl-nio-4430"] 
    then your SSL setting and keystore are properly configured.
  16. Once the service is up and running, click Next.

    10_running.JPG


  17. Click Finish to open Connect in your browser.

    11_open.JPG

  18. You will probably see a page similar to this:

    12_untrusted.JPG

  19. You can also check the SSL certificate on the top of the page - it should show the same values you used to create the certificate in step #10.

    14_showCertificate.png

  20. Depending on your browser, you should be able to accept the risk and proceed to the page.

    13_proceed.JPG

  21. Finally, you will get to the Connect page.

    15_connectRunning.JPG


You get the warning from your browser because it does not trust the SSL certificate the application is using, which is expected behaviour. It is not verified by any trusted party. So in order to have it trusted, you have to either import the certificate to every machine you want to access Connect from (could be manageable by GPO), but that is not a best practice, or you can get verification from a certification authority (CA) - a body that your browser trust. By getting that certificate signed by it, you establish a chain of trust. For that, you need to provide them with the CSR file you've created in step #11.

Once you get the file back, continue with part two.

Part Two - Import the Signed Certificate

  1. Once you receive your certificate signed, run the Installer again.

  2. Get to the Import screen, i.e.
    1. Enable SSL -> Stop the service -> Upload existing certificate -> keep the keystore settings as is -> Skip creating self-signed certificate -> Skip creating CSR file

  3. You are on the Import screen. First you have to import the certificate of the CA. Usually they have them on their website ready for download. The certificate must be in X.509 format, i.e. it should have extension either crt, pem or der.
    1. Alias - use any value, e.g. 'ca''
    2. Certificate file - filename of the CA certificate.
    3. Path to file -select the folder the CA certificate is in.
    4. Click Import.
      You should see agreen status that the certificate was imported successfully.

      17_importCA.JPG


  4. Stay on the Import page and import your signed certificate.The certificate must be in X.509 format, i.e. it should have extension either crt, pem or der.
    1. Alias - use the same as previously, in my case 'mycert'
    2. Certificate file - filename of the signed certificate
    3. Path to file - select the folder the signed certificate is in
    4. Click Import.
      You should get a green status again.

      18_importSigned.JPG

  5. Click Next, Start the Service and Open Connect in browser.

  6. The icon next the URL should be green now and your browser should not warn you about unsecured website.

    19_sslTrusted.png


Common Issues

Cannot create Keystore

  • This could be because the keystore alias has already been used.
  • Or because there are forbidden characters in the fields, e.g. 'Alteryx, Inc.' is aninvalid value.
Comments
VojtechT
Alteryx
Alteryx

For instructions on how to import PFX using CLI see How To: Import a PFX Certificate

JanSnaur
Alteryx
Alteryx

In case you want to change current certificate (import or generate new), it is necessary to make following steps:

 

  1. After new certificate is generated or imported, it is necessary to delete old certificate - Alteryx Connect can work with one certificate only.
  2. Open the command line and navigate to the folder containing keytool.exe:

 

cd "c:\Program Files\AlteryxConnect\jre\bin"

 

  1. Stop Alteryx Connect service.
  2. Once the service is stopped you should create backup of .keystore file:

 

copy "c:\Program Files\AlteryxConnect\connect.keystore" "c:\Program Files\AlteryxConnect\connect_bckp.keystore"

 

  1. Delete old certificate:
    • mycert - name of your old certificate.
    • password - your keystore password.

 

keytool.exe -delete -alias mycert -keystore "c:\Program Files\AlteryxConnect\connect.keystore" -storepass password

 

  1. Start Alteryx Connect service and install your new certificate into your browser (It might be necessary to reopen web browser and clear browser cache to make new certificate works).
  2. Certificate has to be placed into "Trusted Root Certification Authorities".