SSL provides authentication and data security

You should use SSL (secure socket layers) for sending data to and from ThoughtSpot. SSL provides authentication and data security. This section applies to SSL for both secure HTTP (HTTPS) and secure LDAP (LDAPS).

About SSL

Many IT departments require SSL for their applications that access data. To use SSL with ThoughtSpot, you’ll need your company’s own SSL certificate. The certificate is issued per domain (service), so if you want to use SSL for both HTTP(S) and LDAP(S), you will need two separate certificates - one for the HTTPS domain and one for the LDAPS domain.

If you do not have an SSL certificate:

  • Check with your IT department to see if they already have an SSL certificate you can use.
  • If not, you will need to obtain the certificate from an issuing authority.
  • Alternatively, if you do not want the security SSL provides, you can disable it with the command tscli ssl off.

There are many SSL vendors to choose from. Check with your existing Web hosting provider first, to see if they can provide the certificate for you.

When you apply for the SSL certificate, you may specify a SAN, wildcard, or single domain certificate. Any of these can work with ThoughtSpot.

Required ports

To use SSL, the following ports must be open:

  • 443
  • 80

Configure SSL for web traffic

This procedure shows how to add SSL (secure socket layers) to enable secure HTTP (HTTPS) in ThoughtSpot. To set up SSL, you will need:

  • The SSL certificate chain in .PEM format. This is an X.509v3 file containing ASCII (Base64) armored data between a “BEGIN” and an “END” line. It can be a bundle of certificates.
  • The private key in compatible .PEM format. It should not be password/passphrase protected.
  • The Certificate Signing Request. You can generate a CSR in several ways. Most often, you generate a CSR and a new private key at the same time. If you already have a private key, use it to generate a CSR.

NOTE: Do not use a passphrase when creating the certificate’s private key. Run the command openssl rsa -check -in pk.key to verify: if you are prompted for a passphrase, you need to remove it before the key can be used.

When you generate a Certificate Signing Request, you handle sensitive data. Therefore, ThoughtSpot recommends that its customers generate their own CSRs.

Follow these steps to generate a CSR and a private key. You need a computer you can run Linux commands on, and a recent version of openssl.

  1. ssh into one of your ThoughtSpot nodes.
     ssh admin@<node_IP>
  2. Run the command to generate a CSR and private key pair:
     openssl req -new -newkey rsa:2048 -nodes -out csr.pem -keyout pk.key [-subj "/key1=value1/key2=value with space/"]

    Note the following parameters:

    • ThoughtSpot supports a 2048 or 4096 bit key.
    • subj: a common subject. Logically equivalent to the -dname property of keytool. Alternatively, you can skip this flag, and openssl prompts you to enter this information interactively.
    • Optionally, add the -multivalue-rdn flag to allow multiple values to be set for the same key.
    • Run man req for more details.

If you already have a private key, you can use it to generate a CSR. Follow these steps to generate a CSR with an existing private key:

  1. ssh into one of your ThoughtSpot nodes.
     ssh admin@<node_IP>
  2. Run the command to generate a CSR from your existing private key:
     openssl req -new -key <private_key_file> -nodes -out csr.pem [-subj "/key1=value1/key2=value with space/"]

    Specify the existing private key file. Refer to the parameters listed above.
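The two CSR procedures above and the passphrase check from the NOTE, as an added shell example that is not ThoughtSpot's own code. The subject, file names and the deliberately encrypted key are constructed placeholders; substitute your own values.

```shell
#!/bin/sh
# Added example (not ThoughtSpot's code): generate a passphrase-free key and
# CSR as in the steps above, then verify the properties the procedure
# requires before handing the key to tscli. All names below are constructed.
set -eu

# Step 2 of the first procedure: new 2048-bit key (-nodes: no passphrase)
# and CSR in one openssl invocation.
generate_key_and_csr() {
    openssl req -new -newkey "rsa:${4:-2048}" -nodes \
        -keyout "$1" -out "$2" -subj "$3" >/dev/null 2>&1
}

# Step 2 of the second procedure: CSR from an existing private key.
generate_csr_from_key() {
    openssl req -new -key "$1" -out "$2" -subj "$3" >/dev/null 2>&1
}

# Non-interactive form of the "openssl rsa -check -in pk.key" test from the
# NOTE: an unencrypted key loads whatever -passin says, an encrypted one
# fails on the dummy password instead of prompting. Prints yes or no.
key_is_unencrypted() {
    if openssl rsa -check -in "$1" -noout -passin pass:dummy >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# RSA modulus size, to confirm it is one of the supported 2048 or 4096.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# A CSR must carry the public half of the key you will install with it;
# compare the two public keys. Prints match or mismatch.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | openssl md5)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

WORK=$(mktemp -d)
SUBJ="/C=US/O=Example Corp/CN=thoughtspot.example.com"   # constructed
generate_key_and_csr "$WORK/pk.key" "$WORK/csr.pem" "$SUBJ"
generate_csr_from_key "$WORK/pk.key" "$WORK/csr2.pem" "$SUBJ"
# Constructed encrypted key, to show the check catching a passphrase.
openssl genrsa -aes256 -passout pass:secret -out "$WORK/enc.key" 2048 2>/dev/null
echo "pk.key passphrase-free: $(key_is_unencrypted "$WORK/pk.key")"
echo "enc.key passphrase-free: $(key_is_unencrypted "$WORK/enc.key")"
echo "pk.key bits: $(key_bits "$WORK/pk.key")"
echo "csr.pem matches pk.key: $(csr_matches_key "$WORK/pk.key" "$WORK/csr.pem")"
```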

To install the SSL certificate:

  1. Follow the instructions from your certifying authority to obtain the certificate. This is usually sent via email or available by download.
  2. Copy the certificate and key files to ThoughtSpot:

     $ scp <key> <certificate> admin@<IP_address>:<path>
  3. Log in to the Linux shell using SSH.
  4. Change directories to where you copied the certificate:

     $ cd <path>
  5. Issue the tscli command to install the certificate:

     $ tscli ssl add-cert <key> <certificate>
  6. To test that the certificate was installed correctly, log in to the ThoughtSpot application.

    You should see that the application’s URL begins with https://.

This procedure shows you how to set the recommended TLS version. This helps avoid exposure of your ThoughtSpot service to known vulnerabilities.

The PCI (Payment Card Industry) Data Security Standard and the FIPS 140-2 Standard require a minimum of TLS v1.1. TLS v1.2 is recommended for both.

ThoughtSpot ships with TLS v1.2 set as the default and recommended version. For backwards compatibility it also supports SSL v3, TLS v1.0, and TLS v1.1.

To discover the supported TLS versions, log in to any ThoughtSpot node using SSH and issue the following command:

tscli ssl set-min-tls-version --help

To change the minimum TLS version, issue a command such as the following:

tscli ssl set-min-version 1.1

This enables TLS version 1.1 and higher on ThoughtSpot.

Configuration string for load balancers

When enabling SSL support on a load balancer’s server-side SSL client profile, use the following list of ciphers to ensure compatibility between the load balancer and ThoughtSpot.

The following ciphers are currently supported in ThoughtSpot:

|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

You can retrieve these from the ThoughtSpot web server (not against the load balancer) by running the following command on any ThoughtSpot node:

nmap --script ssl-enum-ciphers -p 443 <ThoughtSpot_node_IP_address>

You must ensure that your load balancer supports these ciphers.
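The cipher listing above uses the IANA names that nmap prints, while load balancer SSL profiles generally take OpenSSL-style names. This added shell example (not ThoughtSpot's code) converts the page's listing into that form and checks the result against the local OpenSSL build; the nmap output is embedded as a constructed sample copied from the page.

```shell
#!/bin/sh
# Added example (not ThoughtSpot's code): turn the nmap ssl-enum-ciphers
# listing above into the colon-separated OpenSSL-style cipher string that
# load balancer SSL profiles typically take, then check that the local
# OpenSSL recognises the names. The listing below is a constructed sample.
set -eu

NMAP_OUTPUT='|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong'

# Pull the IANA cipher names, one per line, out of nmap's "|" prefixed output.
iana_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^|[[:space:]]*\(TLS_[A-Z0-9_]*\).*/\1/p'
}

# IANA name -> OpenSSL name: drop TLS_ and _WITH_, use dashes, glue the AES
# key size to the algorithm, and drop the implicit CBC marker.
iana_to_openssl() {
    printf '%s\n' "$1" | sed 's/^TLS_//;s/_WITH_/-/;s/_/-/g;s/AES-128/AES128/;s/AES-256/AES256/;s/-CBC//'
}

# Join the converted names into the string for the load balancer's SSL profile.
cipher_string() {
    out=""
    for c in $(iana_ciphers "$1"); do
        out="${out:+$out:}$(iana_to_openssl "$c")"
    done
    printf '%s\n' "$out"
}

# How many names the local OpenSSL build accepts; unknown names are silently
# dropped by "openssl ciphers", so a count below 8 flags a compatibility gap.
recognised_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .
}

STR=$(cipher_string "$NMAP_OUTPUT")
echo "$STR"
echo "recognised by local openssl: $(recognised_count "$STR")/8"
```

Run the same conversion against fresh nmap output from your own node rather than the embedded sample when you build the real profile string.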

Additional resources

As you develop your expertise in authentication and security, we recommend the following ThoughtSpot U course:

See other training resources at ThoughtSpot U.