Skip to main content

Peer Validation Allow List

Alteryx has added security checks for functionality related to opening TLS or SSL connections, such as connections to https:// URLs that utilize cURL and OpenSSL. You can adjust security checks with the Peer Validation setting.

This requires that the connection to a service be secured with TLS and that the connected server provides a valid, trusted CA-signed certificate. The validation must go all the way down the CA chain to the root certificate, and validate certificates against the Microsoft Windows Certificate Stores list of trusted certificate authorities. There is no support for Linux at this time.

  • This feature was initially enabled in the 2022.1+ Designer-FIPS and 2022.2 Server-FIPS releases, and it cannot be turned off.

  • Peer Validation is now also enabled for the non-FIPS 2022.3+ releases.

Set Up Allow List for Peer Validation

We know that some administrators and users might encounter issues with this change, especially with existing workflows or server environments that utilize insecure connections or TLS connections that use self-signed, invalid, or untrusted certificates.

To work around these issues and continue to use insecure connections or TLS connections that utilize certificates that fail validation, you must add an exception to the Allow List.

  • The Allow List holds entries of URL sites that normally fail with Peer Validation enabled.

  • Add URL exceptions to the text file called PeerValidationBypass.txt.

  • You must place the file in C:\ProgramData\Alteryx\PeerValidationBypass.txt.

  • If the file doesn't exist, then Peer Validation is turned on by default. However, note that the existence of the file doesn’t turn off Peer Validation. It allows Designer and Server to ignore Peer Validation when connecting to the specific sites listed within the file.

PeerValidationBypass.txt Requirements

Entries in the PeerValidationBypass.txt file must follow several rules:

  • One Fully Qualified Domain Name (FQDN) entry per line.

  • Enter only the domain name or IP address.

  • Remove the protocol:// from the beginning of the URL.

  • Remove any path, query, and password from the URL.

  • Don't leave blank lines between the entries.

Using Wildcards

You can configure PeerValidationBypass.txt with FQDNs and IPv4 addresses that contain wildcard characters.

A domain name is a simple structure made of several fields, separated by dots and read from right to left. An example domain name is help.alteryx.com where…

  • The Top-Level Domain (TLD) is com.

  • The labels follow the TLD. alteryx is Label1 and help is Label2.

    • A label is a case-insensitive character sequence anywhere from one to sixty-three characters in length.

    • It contains only the letters A through Z, digits 0 through 9, and the hyphen (-) character (which can’t be the first or last character in the label).

  • The label located right before the TLD is also called a Secondary Level Domain (SLD), alteryx in the example above.

    Note

    A domain name might consist of one field only, or it might consist of two, three, or more than three fields. A fully qualified domain name (FQDN) is always labeled in the format:

    hostname.SLD.TLD

When PeerValidationBypass.txt is parsed to determine whether a particular endpoint’s TLS certificate should be validated, the parser interprets wildcards as follows:

  • An asterisk (*) character matches 0 or more valid label characters.

  • A question mark (?) character matches exactly 1 valid label character.

Domain Name Entry Details

For a domain name entry…

  • If TLD is a country code TLD, wildcard characters are not allowed in the last three fields. Wildcard matching is performed in Label 3 and onwards.

  • If TLD is not a country code TLD, wildcard characters are not allowed in the last two fields. Wildcard matching is performed in Label 2 and onwards.

Example Invalid Domain Name Entries

???.*.com.fr, alteryx*.help.n?t, alteryx.*.net, and hello.world.example*.???

IPv4 Address Entry Details

For an IPv4 address entry…

  • Wildcard characters are not allowed in the first two fields.

  • Wildcard matching is performed in the last two fields.

Example Invalid IPv4 Entries

192.*.*.23, ???.*.123.234, and *.10.100.200

Example Entries

Example 1

Suppose Peer Validation blocks this URL:

https://ThisIsATest.com/?category.id=External

In the PeerValidationBypass.txt file, enter this:

ThisIsATest.com

Example 2

Suppose you want to block these URLs with a similar pattern:

  • https://example.ThisIsATest.com/?category.id=External

  • https://warning.ThisIsATest.com/?category.id=External

  • https://info.ThisIsATest.com/?category.id=External

In the PeerValidationBypass.txt file you can block all 3 with one entry, using a wildcard:

*.ThisIsATest.com

Example 3

To block visit.country.france.fr and work.country.france.fr, enter this in the PeerVAlidationBypass.txt file:

*.country.france.fr

Note

TLD is a country code. As a result, wildcard characters are not allowed in the last 3 fields: country.france.fr.

Example 4

To block the 123.12.123.1 and 123.12.123.2 IPv4 addresses, in the PeerValidationBypass.txt file, enter this:

123.12.123.?

Additional Notes

  • After you edit PeerValidationBypass.txt, any time you use cURL/OpenSSL in Alteryx tools, it searches for a match. If Designer or Server finds a match, they turn off Peer Validation.

  • Please note that FIPS products ignore the Allow List.

  • To avoid errors with SSL Peer Validation when the external server requires an SSL certificate signed by an Intermediate CA, add the required Intermediate CA to the Trusted Root Certification Authorities - Certificates folder in the Microsoft Management Console.

In this section: