How to install certificates on Linux


When running Tableau Server on Linux and need it to connect to secure TabPy or secure Rserve instances (or any other analytics extension over secured channel) for Tableau Server to trust the connection it need to know to trust the certificate analytics extension is using. Some more details about Tableau and trusted certificates are in this post – Tableau and Trusted Certificates for Analytics Extensions.

In this post, I will show you how to install a trusted certificate (root or self-signed certificate) on Linux. Remember Rserve sends to Tableau leave certificate only so you may need to install the whole chain as trusted certificates.

NOTE: Instructions below may not work for your specific Linux version – check with documentation for your exact system.

Certificate formats: PEM, DER, PFX, etc.

There are a few different formats certificate file can be stored in. For the instructions below only PEM and DER are used. Some details about specific formats and how they are related can be found at

PEM and DER are just different encoding for the same data. DER is binary and PEM is Base64 encoded DER.

One format can be converted to another with OpenSSL. E.g. to convert DER to PEM run

openssl x509 -inform der -in cert.der -out cert.pem

More examples for how to convert certificate commands are at

NOTE: you only need certificates (public part) and not private key for it.

RPM-based Linux Steps

The following are the instructions for RPM-based Linux (CentOS, Fedora, Red Hat, etc.).

Copy PEM certificate to /etc/pki/ca-trust/source/anchors:

sudo cp cert.pem /etc/pki/ca-trust/source/anchors/cert.pem

Run the following command:

sudo update-ca-trust

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.

Debian-based Linux Steps

For Debian-based Linux (Debian, Ubuntu, Kubuntu, etc.) use PEM certificate in .crt file. It means the format for the certificate file is PEM, but the file extension is required to be .crt.

First copy certificate file to /usr/local/share/ca-certificates:

sudo cp cert.crt /usr/local/share/ca-certificates/

Now run the following command:

sudo update-ca-certificates

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.

Additional reading

Related posts:

Tableau and Trusted Certificates for Analytics Extensions

What is a Trusted Certificate?

Starting from Tableau Server 2020.2 analytics extensions are configured with admin UI and not with TSM (more details here – Multiple Analytics Extensions Connections with Tableau Server 2020.2). And if a connection is secured (Require SSL checkbox is on) Tableau will validate certificate used by TabPy, Rserve or any other analytics extensions.

For the certificate to be trusted there are a few checks: it should be issued to the host where the analytics extensions is running, dates (valid after/before) are valid, the certificate is signed with another certificate Tableau Server trusts and some other checks. But what certificates are trusted?

Each OS ships with preinstalled trusted certificates and anything signed with any of those trusted certificates is trusted (considering all other checks mentioned above pass). Each OS has its own way of installing a trusted certificate – refer to your OS documentation.

Leaf VS Whole Chain Certificate

When analytics extension sends it certificate to Tableau it can either send the whole chain (including all the certificates it signed with) or just the very last in the chain certificate (leaf certificate).

For example, we have certificate issues for machine my-server-cert which is signed with my-org-mid-cert, which is signed with my-org-root-cert:

NOTE: number of mid-certificated can be any, but there could be rules on how deep the chain can be to not be rejected.

TabPy, if uses my-server-cert from the example above sends to Tableau the whole chain.

If the my-server-cert is installed on Tableau Desktop or Server machine as trusted – validation for it passes. Otherwise, if my-org-mid-cert is trusted – my-server-cert is trusted as well. And finally, if my-org-root-cert is trusted – my-org-mid-cert and my-server-cert are trusted. This means it is sufficient to install my-org-root-cert as trusted on the Tableau machine to make the whole chain trusted.

Rserve, when configured to use the same certificate as on the example above only sends to Tableau leaf cert – meaning only my-server-cert. This means for Tableau to trust the certificate my-server-cert has to be installed as trusted.

Self-signed Certificates

Self-signed are certificates which are not signed with any other certificate.

For self-signed certificates to be trusted they need to be installed on the client machine (machine which runs Tableau Desktop or Server).

Multiple Analytics Extensions Connections with Tableau Server 2020.2

Tableau Server 2020.2 is released ( and among many new features and improvements, there is one which is specifically related to what this blog is about.

With this improvement, it is possible now to have multiple connections for one server (one connection per site) – TabPy, Rserve,, AtlTabPy, MatLab version of TabPy, etc. This allows organizations to have different analytics extensions per department or user role.

Multiple Analytics Extensions (former External Services) connections feature is explained as:

Server administrators can now configure multiple Analytics Extension (formerly External Service) connections in Tableau Server. Administrators can set one per site through the Settings UI and turn connections on or off at the Site level. Now teams using different R, Python, and other external data science environments can share their work with consumers across the same Server. Settings are easier than ever to configure with UI controls or via the Server REST API.

We will look at REST API some other time and in this post I just want to show you how to configure a connection for a site. Tableau documentation for the configuration is at

It is important to understand that web UI or REST API are now the only way to enable, disable and configure analytics extensions – TSM doesn’t provide that functionality anymore.

To enable analytics extensions feature which is disabled by default you need to be a server administrator. The screenshot below shows how to enable the feature for the whole server:

Make sure you are configuring All Sites, go to Setting, Extensions tab, set Enable analytics extension checkbox and click Save.

With the feature enabled for a server now you can configure a connection for each specific site. To be able to do so you need to be a site administrator. The next screenshot demonstrates how a connection can be configured:

Select the site you want to configure (on the screenshot it is TabPy Site), go to Settings, Extensions tab, set Enable analytics extension for site checkbox and configure a connection with setting Connection Type, Host, and Port. Set Require SSL and authentication parameters as needed (read How to configure TabPy with authentication and use it in Tableau for authentication configurations steps) and click Save button.

With the configuration successfully saved all the workbooks published on the site will use the configured connection. For workbooks on other sites connection from that site (if configured at all) will be used.

Tableau Server 2020.1: Analytics Extensions Improvement

Similarly to Tableau Desktop 2020.1 improvements for analytics extension (formerly referred to as external service) Tableau Server 2020.1 also presents some improvements.

Specifically for configuring an analytics extension connection for Tableau Server there is no need to provide a certificate for tsm security vizql-extsvc-ssl enable command and --cert-file parameter is not supported anymore.

The certificate validation works in exactly the same way as it does for Tableau Desktop which means root certificate, self-signed certificate or the whole certificate chain (for Rserve) has to be installed as trusted on Tableau Server nodes.

With this improvement, there is no need to share an analytics extension certificate and it can be validated against what is configured on client machines (nodes running Tableau Server).

More details about configuring a connection for Tableau Server can be found at

How to configure TabPy with authentication and use it in Tableau


In this post, I will demonstrate how to configure TabPy to require username and password, how to manage users for TabPy and how to connect from Tableau (both Desktop and Server) to TabPy with specifying credentials.

User Management for TabPy

After TabPy is installed (read Tableau Installation Instructions for how to install it) you can use tabpy-user command-line utility for adding and updating TabPy user accounts.

The utility itself supports a set of parameters such as a path to passwords file, operation, username and so on. Run tabpy-user -h to see all the parameters.

Adding a User

To add a user specify a username, a path to passwords file, password and add operation, e.g.:

c:\TabPy>tabpy-user add -u alice -f c:\TabPy\tabpypwd.txt -p P@ssw0rd
Parsing passwords file c:\TabPy\tabpypwd.txt...
Passwords file c:\TabPy\tabpypwd.txt not found
Adding username "alice"
Adding username "alice" with password "P@ssw0rd"...
Added username "alice" with password "P@ssw0rd"

In the example above the user alice with password P@ssw0rd was added to file c:\TabPy\tabpypwd.txt.

You can also let the utility generate a password for you simply skipping -p <Password> parameter:

c:\TabPy>tabpy-user add -u bob -f c:\TabPy\tabpypwd.txt
Parsing passwords file c:\TabPy\tabpypwd.txt...
Found username alice
Authentication is enabled
Generated password: ")7!f}dA_K=hrF7{x"
Adding username "bob"
Adding username "bob" with password ")7!f}dA_K=hrF7{x"...
Added username "bob" with password ")7!f}dA_K=hrF7{x"

In the example above new user bob was added to the same password file with password )7!f}dA_K=hrF7{x.

Updating User Password

It is possible to update the password for a user with update command, e.g.:

c:\TabPy>tabpy-user update -u alice -f c:\TabPy\tabpypwd.txt -p Secret_D0nt_Te11
Parsing passwords file c:\TabPy\tabpypwd.txt...
Found username alice
Found username bob
Authentication is enabled
Updating username "alice"
Updating username "alice" password  to "Secret_D0nt_Te11"

In this example alice‘s password was changed to Secret_D0nt_Te11.

What’s Inside Passwords File?

The password file is just a text file with user names and hashed passwords on each line. If you open the file you will see something like this:

alice edb6473a71775f48538c1cee15dc41269302b06b79260c70ce149d1b24a4192f764570702d5449fa2712c0a99d0db9216c1a452f07a3a3b44dca1b491cd7d516
bob 7716853bdc91132fe4bef86adaac0ae6fa9cf474c5b075e89880fcd21834d2bb16266eb65d0be0a8faa2ee48342708350b95af4af3caebbb8044f59341fcfab6

Those long codes are actually the hashes for the passwords. Instead of keeping passwords in plain text or encrypted form TabPy uses hashes. What it does is makes it impossible (rather incredibly expensive) to recover passwords from those hashes. If you wonder how the passwords are hashed – at the moment TabPy uses PBKDF2 method with 10000 iterations (

Deleting a User

Since the password file is just a text file you can delete a user with any text editor simply deleting the whole line with the user name in it.

Configuring TabPy with Authentication

Now when you have the passwords file you can point TabPy to it so it knows to require credentials with all the requests to serve.

NOTE: any changes for the password file do not affect any running instances of TabPy – you will need to restart TabPy for the changes to take effect.

In previous post TabPy: modifying default configuration it was shown how to changes some (or all) TabPy configuration parameters with a config file. Let’s create a config file to turn on authentication as well. I am storing the following configuration in c:\TabPy\tabpy_auth.conf:

TABPY_PWD_FILE = c:\TabPy\tabpypwd.txt

As you can see the only configuration parameter I am modifying there is the password file path. In real-life scenarios, you will have logger settings, port, timeout and any other of the parameters documented at TabPy Custom Settings page.

Now let’s start TabPy with the config:

c:\TabPy>tabpy --config c:\TabPy\tabpy_auth.conf
... TABPY_PWD_FILE set to "c:\TabPy\tabpypwd.txt" from config file or environment variable passwords file c:\TabPy\tabpypwd.txt... username alice username bob is enabled
... service listening on port 9004

TabPy is running with authentication on!

Connecting from Tableau

For Tableau to communicate with TabPy when credentials are required you need to configure the product with username and password. As mentioned at TabPy Authentication page basic authentication is used at the moment ( which means username (login) and password sent with each HTTP request to TabPy. This is why it is highly recommended to use a secured communication channel rather than plain text. For how to configure secure connection read Configuring HTTP vs HTTPS documentation page.

Tableau Desktop

For Tableau Desktop go to the main menu, Help, Settings and Performance, Manage External Service Connection. The screenshots below are for Tableau 2019.4.2:

Set connection type to be TabPy/External API, enter Server (host) and Port for your TabPy instance (localhost and 9004 on the screenshot below), set check mark for Sign with username and password and enter credentials for a user:

To confirm the credentials are valid click Test Connection button and popup message with confirming success (or failure details) will show:

Tableau Server

To configure Tableau Server connection to TabPy with authentication follow instructions at TSM Security page. At the moment this post is being written the latest available version of Tableau Server is 2019.4.2 and the steps will be setting up a connection and applying the changes:

c:\user\admin>tsm security vizql-extsvc-ssl enable --connection-type tabpy --extsvc-host my_tabpy_server --extsvc-port 9004 --extsvc-username alice --extsvc-password Secret_D0nt_Te11

c:\user\admin>tsm pending-changes apply