Loading

Unable to Connect to Amazon Athena from Tableau Desktop in an SSE Environment

Julkaisupäivä: Apr 16, 2026
Kuvaus

In an environment where an SSE (like Cisco Umbrella) is deployed, attempts to connect to Amazon Athena from Tableau Desktop on MacOS result in a failure with the following error message:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Ratkaisu

Follow these steps to allow the embedded Java environment to recognize the SSE environment's certificates.

1. Identify and Extract the Missing Intermediate Certificate

If importing the Root CA alone does not resolve the issue, an intermediate certificate is likely missing. Use one of the following methods to extract it:

  • Using OpenSSL: Run the following command in Terminal to view the certificate chain presented by the SSE. Replace <region> with your specific AWS region (e.g., us-east-1, ap-northeast-1):
    echo QUIT | openssl s_client -connect athena.<region>.amazonaws.com:443 -showcerts 

    

    

    

    

    In the output, copy the block starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (typically the second block, which represents the intermediate CA) and save it as a text file (e.g., intermediate.crt).
    

  • 

    Using a Web Browser: Navigate to https://athena.<region>.amazonaws.com in your web browser (it is okay if an access denied page appears). Click the padlock icon in the address bar, view the certificate details, select the intermediate certificate from the hierarchy, and export it as a file.
    



2. Import the Certificate into the Java Truststore


Open Terminal as an Administrator and use the keytool command to import the certificate.


Example for Apple Silicon, version 2025.1:








sudo "/Applications/Tableau Desktop (Apple silicon) 2025.1.app/Contents/Plugins/jre/bin/keytool" -importcert -file "/path/to/intermediate.crt" -keystore "/Applications/Tableau Desktop (Apple silicon) 2025.1.app/Contents/Plugins/jre/lib/security/cacerts" -alias "umbrella_intermediate" -storepass changeit









Note: When prompted with "Trust this certificate? [no]:", type yes (or y) and press Enter.


3. Restart Tableau Desktop


Completely close and restart Tableau Desktop to apply the configuration changes, then retry the connection to Amazon Athena.


Alternative Workaround


If managing certificates on individual client machines is not feasible, work with your network administrator to add the Amazon Athena endpoint (athena.<region>.amazonaws.com) to the SSL Inspection Bypass list in your Cisco Umbrella (or SSE) settings. This prevents the certificate from being rewritten in the first place, effectively avoiding the error.
Knowledge-artikkelin numero
005318671
 
Ladataan
Salesforce Help | Article