Secure your Aternity on-premise Deployment

You can secure your Aternity on-premise deployment by configuring HTTPS links when the system communicates outside your network:

[Figure: Secure external connections with HTTPS]

Before you begin

Obtain an HTTPS certificate for your enterprise from a certification authority.

Procedure

  1. Configure the Agent installer to use a secured HTTPS connection by specifying https:// in the address of the Aggregation Server in the Agent's installation parameters file.
    [Figure: Secure installation of the Aternity Agent]

    Tip: You can also deploy two-way TLS authentication if required (Agent 9.0.7 or later only) by adding CLIENT_CERTIFICATE=AUTOMATIC to the Agent's installation parameters file.

  2. To secure user access to the Aternity system and its dashboards, secure the Aternity Management Server.
    [Figure: Secure the Management Server]

    Tip: For secure HTTPS (SSL) web access to Aternity, you must secure both the Aternity Management Server and the Aternity Dashboard Server.

    a. On the computer that runs the Management Server, add your certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).
    b. On that same computer, launch the Configuration Tool from the Start menu by right-clicking it and selecting Run as administrator.

      The Configuration Tool is added whenever you create an Aternity server.

    c. Select Reconfigure Server, then select Next until you reach the Web Server Configuration screen.
    d. Configure the server for HTTPS.
      [Figure: Secure SSL connections to this server]

      Field: HTTP or HTTPS
      Description: Select HTTPS if you want any connection to this server to be via HTTPS.

      Tip: To see Aternity's system-wide security settings, view the security overview of all components.

      Field: Port
      Description: Enter the port required to receive data from the monitored devices. The default for HTTPS is 443.

      Field: Custom keystore
      Description: Enter the pathname of the system's keystore containing your enterprise's certificate. You must add your certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).

      Field: Custom keystore password
      Description: Enter the password required to access the system's keystore file.

    e. Select Next repeatedly until you reach the end of the wizard, leaving all other values unchanged.

      This process forces a restart of the Windows service for this Aternity server.

  3. To secure browser access to Aternity with HTTPS, configure the Dashboard Server to use your certificate files.

    Tip: For secure HTTPS (SSL) web access to Aternity, you must secure both the Aternity Management Server and the Aternity Dashboard Server.

    [Figure: Secure the Dashboard Server for secure access to Aternity]
    a. On the Dashboard Server itself, create a subdirectory called SSL in the Tableau directory.

      For example, D:\Tableau\Tableau Server\SSL.

    b. Copy your signed certificate file (.crt) and the key file (.key) into this folder.
    c. On the main Dashboard Server, stop the Tableau service by opening a command prompt as administrator and entering tabadmin stop.
      [Figure: Stop the server on the main Dashboard Server]
    d. Back up libeay32.dll and ssleay32.dll from the apache\bin directory (for example, C:\Program Files\Tableau\Tableau Server\9.0\apache\bin).
    e. Download Win32 OpenSSL v1.0.2j Light and launch it.
    f. Copy the newly downloaded libeay32.dll and ssleay32.dll into the apache\bin directory.
    g. Configure SSL by selecting Start > All Programs > Aternity Dashboard Server > Configure Tableau Server > SSL.
      [Figure: Open the Tableau Server Configuration window]

      Field: Use SSL for server communication
      Description: Select to enable SSL encrypted communication with other components.

      Field: SSL certificate file
      Description: Enter the pathname of the certificate (.crt) file.

      Field: SSL certificate key file
      Description: Enter the pathname of the key (.key) file.

    h. Select OK.
    i. On the main Dashboard Server, start the Tableau service by opening a command prompt as administrator and entering tabadmin start.
      [Figure: Start the Dashboard Server after configuring the Dashboard Worker Server]
  4. After enabling SSL on the Tableau Server, you must also:
    • Enable SSL on the Aternity Dashboard Gateway Server by reinstalling it. Update the Tableau Port to 443 and select Use SSL Transport.

      [Figure: The Dashboard Gateway is on the same computer as the Dashboard Server]
    • After you enable SSL, update the dashboard layouts again by republishing them.

      [Figure: Add the layouts from the Management Server into the Dashboard Server via Dashboard Gateway]
  5. If you deployed a single Aggregation Server, configure it for HTTPS using the server-side Configuration Tool:
    [Figure: Secure your Aggregation Server]
    a. On the computer that runs the Aggregation Server, add your certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).
    b. On that same computer, launch the Configuration Tool from the Start menu by right-clicking it and selecting Run as administrator.

      The Configuration Tool is added whenever you create an Aternity server.

    c. Select Reconfigure Server, then select Next until you reach the Web Server Configuration screen.
    d. Configure the server for HTTPS.
      [Figure: Secure SSL connections to this server]

      Field: HTTP or HTTPS
      Description: Select HTTPS if you want any connection to this server to be via HTTPS.

      Tip: To see Aternity's system-wide security settings, view the security overview of all components.

      Field: Port
      Description: Enter the port required to receive data from the monitored devices. The default for HTTPS is 443.

      Field: Custom keystore
      Description: Enter the pathname of the system's keystore containing your enterprise's certificate. You must add your certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).

      Field: Custom keystore password
      Description: Enter the password required to access the system's keystore file.

    e. Select Next repeatedly until you reach the end of the wizard, leaving all other values unchanged.

      This process forces a restart of the Windows service for this Aternity server.

    f. Configure the Agent installer to use a secured HTTPS connection by specifying https:// in the address of the Aggregation Server in the Agent's installation parameters file.
  6. If you deployed several Aggregation Servers with a load balancer (LB), encrypt the connection to the LB only.

    Install your enterprise's certificate on the load balancer (LB). You do not need to encrypt the connections between the LB and the Aggregation Servers. For more information on securing your LB, consult the vendor's documentation.

    [Figure: Secure the load balancer if you have more than one Aggregation Server]
  7. Aternity automatically ends a session, disconnecting the user after a set time of inactivity.

    The default session timeout is 3.5 hours. An Aternity administrator can change this value.

    a. Select the Gear Icon > Settings > Advanced Settings > mgmt > web > session-timeout.
    b. Enter the number of minutes of inactivity before automatic logout.

      Tip: Enter -1 to disable session timeouts completely.

      [Figure: Change the time when the system automatically logs out]
    c. Select Apply.
  8. To protect end user privacy, you can configure the Aternity Agent on a device (or all devices) to display data anonymously.

    Configure the Aternity Agent to report data anonymously by adding ENFORCE_PRIVACY=true to the Agent installation parameters.

    This setting encrypts all attributes that can identify a user, such as the username, hostname, IP address and so on. For more information, see Configure Advanced Settings for the Agent.

    [Figure: Example of encrypted fields when privacy is enabled on the device's Agent]
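
The keystore step for the Management Server and the Aggregation Server (sub-step a of steps 2 and 5) is left to Oracle's keytool documentation. The PowerShell below is an added example, not Aternity's own code or procedure: it builds a .jks from a .crt/.key pair like the one used for the Dashboard Server and checks the result. It assumes openssl.exe and keytool.exe are on PATH, English-locale keytool output and a separate CA chain file; the paths, alias, function names and the KS_PASS variable are constructed for illustration.

```powershell
# Added example. Paths, alias, function names and the KS_PASS variable are
# constructed for illustration. Assumes English-locale "keytool -list -v" output.
function Test-KeystoreListing {
    param([string[]]$Listing)
    $text = $Listing -join "`n"
    $problems = @()
    if ($text -notmatch 'Entry type:\s*PrivateKeyEntry') {
        $problems += 'no private key entry: the server cannot present this certificate'
    }
    if ($text -match 'Certificate chain length:\s*(\d+)' -and [int]$Matches[1] -lt 2) {
        $problems += 'issuing CA certificates are not in the chain'
    }
    # The first "Signature algorithm name" line belongs to the server certificate.
    if ($text -match 'Signature algorithm name:\s*(\S+)' -and $Matches[1] -match '^(SHA1|MD5)') {
        $problems += 'server certificate uses a weak signature algorithm'
    }
    return $problems
}

function New-ServerKeystore {
    param([string]$CertFile, [string]$KeyFile, [string]$ChainFile,
          [string]$Keystore, [string]$Alias = 'server')
    $p12 = [IO.Path]::ChangeExtension($Keystore, '.p12')
    # Prompt once and pass the password through an environment variable so it
    # never appears on a command line. keytool requires at least 6 characters.
    $secure = Read-Host 'Keystore password' -AsSecureString
    $env:KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        # keytool cannot import a bare .key file: bundle key, certificate and
        # CA chain into PKCS#12 first, then convert that bundle to JKS.
        & openssl pkcs12 -export -in $CertFile -inkey $KeyFile -certfile $ChainFile `
            -name $Alias -out $p12 -passout 'env:KS_PASS'
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }
        & keytool -importkeystore -noprompt -srckeystore $p12 -srcstoretype PKCS12 `
            '-srcstorepass:env' KS_PASS -destkeystore $Keystore -deststoretype JKS `
            '-deststorepass:env' KS_PASS
        if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }
        $listing = & keytool -list -v -keystore $Keystore -alias $Alias '-storepass:env' KS_PASS
        if ($LASTEXITCODE -ne 0) { throw 'keytool -list failed' }
    }
    finally {
        Remove-Item Env:\KS_PASS -ErrorAction SilentlyContinue
        Remove-Item $p12 -ErrorAction SilentlyContinue  # holds the private key
    }
    Test-KeystoreListing -Listing $listing
}

# Constructed placeholder paths; the resulting .jks is the "Custom keystore" value.
New-ServerKeystore -CertFile 'D:\certs\server.crt' -KeyFile 'D:\certs\server.key' `
    -ChainFile 'D:\certs\ca-chain.crt' -Keystore 'D:\certs\server.jks'
```

An empty result means the alias holds a private key entry together with its issuing chain. The password entered at the prompt is the one to supply in the Custom keystore password field.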