You should use SSL (Secure Sockets Layer) for sending data to and from ThoughtSpot. SSL provides authentication and data security. This section applies to SSL for both secure HTTP and secure LDAP.
Many IT departments require SSL for their applications that access data. To use SSL with ThoughtSpot, you’ll need your company’s own SSL certificate. The certificate is issued per domain (service), so if you want to use SSL for both HTTP(S) and LDAP(S), you will need two separate certificates - one for the HTTPS domain and one for the LDAPS domain.
If you do not have an SSL certificate:
- Check with your IT department to see if they already have an SSL certificate you can use.
- If not, you will need to obtain the certificate from an issuing authority.
- Alternatively, you may disable SSL if you don’t want the security it provides by using the command tscli ssl off.
There are many SSL vendors to choose from. Check with your existing Web hosting provider first, to see if they can provide the certificate for you.
When you apply for the SSL certificate, you may specify a SAN, wildcard, or single domain certificate. Any of these can work with ThoughtSpot.
Configure SSL for web traffic
This procedure shows how to add SSL (Secure Sockets Layer) to enable secure HTTP (HTTPS) in ThoughtSpot. To set up SSL, you will need:
- The SSL certificate chain in .PEM format. This format is an X.509v3 file containing ASCII (Base64) armored data packed between a “BEGIN” and “END” directive. It can be a bundle of certificates.
- The private key in compatible .PEM format. It should not be password/passphrase protected.
To install the SSL certificate:
- Follow the instructions from your certifying authority to obtain the certificate. This is usually sent via email or available by download.
- Copy the certificate and key files to ThoughtSpot:
$ scp <key> <certificate> <user>@<IP_address>:<path>
- Log in to the Linux shell using SSH.
- Change directories to where you copied the certificate:
$ cd <path>
- Use the tscli command to install the certificate:
$ tscli ssl add-cert <key> <certificate>
- To test that the certificate was installed correctly, log in to the ThoughtSpot application.
You should see that the application’s URL begins with
Set the recommended TLS version
There are a couple of security vulnerabilities that result from supporting older versions of TLS (Transport Layer Security). This procedure shows you how to set the recommended TLS version to avoid these vulnerabilities.
The PCI (Payment Card Industry) Data Security Standard and the FIPS 140-2 Standard require a minimum of TLS v1.1 and recommend TLS v1.2.
ThoughtSpot supports SSL v3, TLS v1.0, and TLS v1.1 for backwards compatibility. However, the recommended version is TLS v1.2. Therefore, to set the recommended TLS version:
- Enable your web browser to support TLS v1.2. This can be done in your browser’s advanced settings.
- Log in to the Linux shell using SSH.
- Issue the following command:
tscli ssl set-min-version 1.2
This will block all usage of older versions.
Supported SSL ciphers
The SSL ciphers supported by the web server(s) in your ThoughtSpot instance can be listed by running the following command on any ThoughtSpot node (not against the load balancer):
nmap --script ssl-enum-ciphers -p 443 <ThoughtSpot_node_IP_address>
You will need to ensure that your load-balancer supports these ciphers.
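Both checks described above (no protocol older than the configured minimum is still accepted, and the load balancer covers the node's ciphers) can be automated by parsing the nmap output. The following is an added example, not ThoughtSpot code; the sample nmap output and the load-balancer cipher list LB_CIPHERS are constructed, and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample of `nmap --script ssl-enum-ciphers -p 443 <node>` output.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""
# Constructed, hypothetical cipher list exported from the load balancer.
LB_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first
PROTO_RE = re.compile(r"^\|[ _]+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:SSL|TLS)_[A-Z0-9_]+)")

def rank(proto):
    # Unknown protocol labels rank as oldest, so they are flagged, not ignored.
    return ORDER.index(proto) if proto in ORDER else -1

def parse_ciphers(nmap_text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for line in nmap_text.splitlines():
        proto, cipher = PROTO_RE.match(line), CIPHER_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
        elif cipher and current:
            offered[current].append(cipher.group(1))
    return offered

def below_minimum(offered, minimum="TLSv1.2"):
    """Protocols the node still accepts that are older than the minimum."""
    return [p for p in offered if rank(p) < rank(minimum)]

def missing_on_lb(offered, lb_ciphers, minimum="TLSv1.2"):
    """Ciphers the node offers at or above the minimum that the LB lacks."""
    node = {c for p, cs in offered.items()
            if rank(p) >= rank(minimum) for c in cs}
    return sorted(node - set(lb_ciphers))

if __name__ == "__main__":
    offered = parse_ciphers(SAMPLE_NMAP)
    print("older protocols still accepted:", below_minimum(offered))
    print("node ciphers missing on LB:", missing_on_lb(offered, LB_CIPHERS))
```

A non-empty first list after running tscli ssl set-min-version 1.2 means the node still accepts an older protocol; a non-empty second list names the ciphers to enable on the load balancer.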