Learn about first-party domains and how to configure your own domains and SSL/TLS certificates for data collection and delivery solutions in the Tealium Customer Data Hub.
To use first-party domains, you must have access to update your DNS database entries. You will need to work with your Production Operations team or the person responsible for your domain registration and SSL/TLS certificates.
By default, the services offered in the Tealium Customer Data Hub are hosted on Tealium domains. When domain names don't match the domain of your brand's website, they are considered third-party domains. For example, the JavaScript files for Tealium iQ Tag Management are served from the domain tags.tiqcdn.com and the data collection endpoint for Tealium EventStream API Hub uses the domain collect.tealiumiq.com.
As new privacy regulations come out and as browsers begin limiting third-party capabilities, you might want to use your own domain to ensure that Tealium services are treated as first-party. First-party domains benefit from improved tracking and better compliance with browser privacy and cookie settings. Currently, only one first-party domain can be configured for an account.
Contact the Tealium Support Desk to enable first-party domains for your account.
To use your own domain name for tags.tiqcdn.com, you must create a CNAME entry in your DNS database. A CNAME record is an alias that maps one domain name to another. For example, for the website www.example.com, you would create a CNAME for tags.example.com that points to Tealium's CDN to serve the files for iQ Tag Management.
For collect.tealiumiq.com, you add A records to your DNS configuration. An A record maps a domain name to the IP address for the domain.
A critical part of this configuration is the management of the SSL/TLS certificates, which are the public key certificates that authenticate your domain and enable encrypted HTTPS connections to it. The Tealium first-party domain feature helps you manage which domains you want to use with Tealium services and validates the SSL/TLS certificates for those domains.
When using first-party domains, make sure you are using the latest version of the Tealium Collect tag.
You configure first-party domains by either importing your own certificates or by requesting certificates to be managed by Tealium. Imported certificates work the same as managed certificates, but with one important exception: imported certificates are not automatically renewed.
To use your own certificates, you must have access to the following SSL/TLS certificate files:
To request certificates managed by Tealium, you must have access to edit your DNS entries or have access to receive email messages sent to the domain administrator.
The maximum number of domains per certificate is determined when you sign up for first-party domains. The first-party domains overview screen shows the maximum number of domains per certificate. In the following example, no domains have been mapped and the maximum number of domains is 10.
Before Tealium can issue a certificate for your site, you must prove that you own or control all the domains in your request. You can prove ownership using either DNS validation or email validation.
We recommend DNS validation because it is usually a quicker process and because sometimes it can be difficult to track down who in your organization has access to the administrative emails. However, if you don't have access to edit your domain's DNS database, then you must use email validation.
To use the DNS validation method, you must have access to edit your DNS configuration.
After you enter your domains, you are provided with temporary CNAME records for each domain requested, which you must add to your DNS configuration.
After the DNS update for the temporary CNAME records propagates (which may take several hours), the ownership is confirmed and permanent DNS records (CNAME records for tags.tiqcdn.com or A records for collect.tealiumiq.com) are provided in the DNS Confirmation screen. You must then update your DNS configuration with the permanent records.
To use email validation, you must be able to receive email messages at one of the contact addresses listed in the WHOIS database for each of your requested domains. The email addresses that will receive a message include:
administrator@your_domain
hostmaster@your_domain
postmaster@your_domain
webmaster@your_domain
admin@your_domain
You will receive an email message (one for each domain) from Amazon Web Services containing a validation token that expires in 72 hours. If you do not receive the email or the token has expired, return to the main screen and click Resend Email.
Use first-party domains with Tealium EventStream API Hub and Tealium AudienceStream CDP for first-party data collection.
The following data collection services and domains can be mapped to your first-party domain:
Tealium Service | Third-Party Domain | First-Party Example |
---|---|---|
Tealium Collect | collect.tealiumiq.com | collect.example.com |
To use first-party domains with other services, such as the View-Through Extension, contact the Tealium Support Desk.
Use first-party domains with Tealium iQ Tag Management to maintain core functionality as browsers adopt stricter privacy policies such as ITP and ad blockers.
The following tag management services and domains can be mapped to your first-party domain:
Tealium Service | Third-Party Domain | First-Party Example |
---|---|---|
iQ Tag Management Files (utag.js, utag.sync.js, utag.#.js) | tags.tiqcdn.com | tags.example.com |
To configure first-party domains for your account, you must have the Manage Account permission.
To get started, navigate to iQ Tag Management > User Menu > First-Party Domains.
Determine which of the following services to configure:
Domains and certificates for Collection and Delivery are managed separately.
Next, click Configure Certificate and select one of the following:
To configure a domain and certificate for data collection, select the region in which your primary account operates:
The certificates are stored and configured on the Tealium endpoint in the region selected for the first-party domain. If the region for the first-party domain is different from the region for the profile, the event and visitor data is collected in the first-party domain region and forwarded to the region configured for the profile.
The first-party domains you specify are typically subdomains of your customer-facing website. For example, the website located at www.example.com would use a subdomain named tags.example.com as a first-party domain for tag management services.
Enter the first-party domain you want to use, omitting https:// and the ending slash.
First-party domains apply to all profiles in your account. Enter a subdomain for each site managed by this account.
After you enter a domain, click View Contact Info to view the WHOIS database information for that domain. If the WHOIS database contains contact information for the domain, such as a name, mailing address, email address, or phone number, the contact information is displayed. Verify that the information is correct.
Click + Add Another Domain to add additional domains. When the maximum number of domains for the account is reached, + Add Domain is grayed out. Click Next when you have finished entering domains.
To continue, accept the agreement to allow Tealium to manage certificates for the provided domains.
If you chose DNS validation, the following messages are displayed:
When you first request the certificate, temporary DNS records (CNAME records or A records) are displayed for validation purposes, after which the permanent records are displayed. The temporary DNS records are also used for auto-renewal of the certificate. Do not delete the temporary DNS records.
When the validation process is completed, one or more permanent DNS records are displayed. Each record contains a Name and Value that you must enter into your DNS provider's web interface to update the records.
The record name appears in the format _X.sub.example.com. (with a trailing dot), where X is a generated alphanumeric string and sub.example.com is the first-party domain you entered.
Example record name:
_4c71ce829d13dacf824b18af1067d273.tags.example.com.
DNS providers are inconsistent in their handling of the record name (or name) field. In some cases, you are expected to provide the entire value as shown above, while other providers automatically append the domain name to the value you enter.
The record value is similar and appears in the format _X.Y.acm-validations.aws. (with a trailing dot), where X.Y is a generated alphanumeric string.
Example record value:
_6e23f25da49d05e43a419ea7c5f4162d.zzxlnyslwt.acm-validations.aws.
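Because providers differ in whether they append the zone name, this added example (not Tealium code) derives both forms of the record name from the value shown on screen and classifies what was actually published, including the doubled-zone mistake. The zone `example.com` and all function names are assumptions made for illustration.

```python
"""Added example: forms of a DNS-validation CNAME name for different providers."""
import re

# Shape of the record value described above: _X.Y.acm-validations.aws.
_TARGET = re.compile(r"^_[0-9a-z]+\.[0-9a-z]+\.acm-validations\.aws$")


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop the root dot for comparison.
    return name.strip().rstrip(".").lower()


def host_field_forms(record_name: str, zone: str) -> dict:
    """Return the record name as a full name and relative to the zone."""
    fqdn, apex = _norm(record_name), _norm(zone)
    if not fqdn.endswith("." + apex):
        raise ValueError(f"{record_name!r} is not inside zone {zone!r}")
    return {
        "fqdn": fqdn + ".",                  # provider expects the entire value
        "relative": fqdn[: -len(apex) - 1],  # provider appends the zone itself
    }


def diagnose_published(published: str, record_name: str, zone: str) -> str:
    """Classify the owner name that actually ended up in the zone."""
    pub, fqdn, apex = _norm(published), _norm(record_name), _norm(zone)
    if pub == fqdn:
        return "ok"
    if pub == f"{fqdn}.{apex}":
        return "zone-appended-twice"  # full name pasted where the zone is appended
    if f"{pub}.{apex}" == fqdn:
        return "zone-missing"         # relative name used where a full name is expected
    return "unrelated"


def is_validation_target(value: str) -> bool:
    """True if a CNAME target has the _X.Y.acm-validations.aws. shape."""
    return bool(_TARGET.match(_norm(value)))


if __name__ == "__main__":
    name = "_4c71ce829d13dacf824b18af1067d273.tags.example.com."  # from the page
    print(host_field_forms(name, "example.com"))                  # zone is assumed
    print(diagnose_published(name + "example.com.", name, "example.com"))
```

Feed `diagnose_published` the owner name your DNS provider shows after saving the record; anything other than `ok` means validation will not find the record.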
If you chose email validation, the following message is displayed:
When the validation process is completed, your permanent DNS records are displayed, as follows:
If you provide your own certificate, you are responsible for renewing the certificate before it expires. Your certificates must meet the AWS requirements for importing certificates. For more information, see AWS Prerequisites for importing certificates.
To configure your own certificate, select a region. The certificates are stored and configured on the Tealium endpoint in the region selected for the first-party domain. If the region for the first-party domain is different from the region for the profile, the event and visitor data is collected in the first-party domain region and forwarded to the region configured for the profile.
Upload the following PEM-encoded files:
The Private Key must match the Public Key in the certificate and must not be encrypted with a password.
The domains for the certificate are displayed. Verify that the list of domains is correct and click Save.
The following message is displayed when your certificate files have been uploaded:
When the domain status is changed to Issued, your domains are ready to use.
If you need to re-import a certificate that contains new or updated domains, you must first remove the current certificate and then import the updated one.
The following message is displayed while your domain information is being validated:
Please wait while domain information is validated. This won't take long.
Domain Statuses
During the setup and validation process the domain certificate could appear with one of the following statuses:
The domain validation must occur within 72 hours.
If the validation period expires, request a new certificate for the same domain. The DNS validation records are the same for subsequent requests of the same domain.
After you have configured your domains, you can view contact information and add or remove a domain for a certificate.
To view the contact information for a domain, navigate to First-Party Domains, click on a domain, then click View Contact Info.
To add domains to a certificate, use the following steps:
Use the following steps to remove a domain:
After your domains are configured and the certificates are validated, you can begin using your first-party domains with the following services:
Environment Switcher is a browser plugin that can be used to change the Tealium files (utag.js and utag.sync.js) that are loaded on a page, which is useful during testing. Environment Switcher does not work properly when a first-party domain is used for the tags.tiqcdn.com domain. In this case, you can set up a URL redirect for tags.tiqcdn.com in Environment Switcher. For more information, see Tealium Tools: Environment Switcher.
To use your first-party domain with iQ Tag Management you must also make the following changes:
To update the Universal Tag code snippet:
The example code snippet is updated to use your first-party domain.
The new URL only uses the profile name and environment in the path. The account name and /utag/ portions are omitted.
The URL to the Universal Tag on a first-party domain is:
https://sub.your_domain.com/PROFILE/ENV/utag.js
For example, the code snippet for tags.tealiumecommerce.com would be:

```html
<!-- Loading script asynchronously -->
<script type="text/javascript">
(function(a,b,c,d){
  a='https://tags.tealiumecommerce.com/ecomm/prod/utag.js';
  b=document;c='script';d=b.createElement(c);d.src=a;d.type='text/java'+c;d.async=true;
  a=b.getElementsByTagName(c)[0];a.parentNode.insertBefore(d,a);
})();
</script>
```
The publishing URLs determine where to load the additional utag.#.js files for each default environment. If you forget this step, then the vendor tag files loaded after utag.js will not originate from your domain.
To set the publishing URLs:
//sub.your_domain.com/your_profile/dev/
//sub.your_domain.com/your_profile/qa/
//sub.your_domain.com/your_profile/prod/
After all of these changes, save and publish to apply the changes to your site.
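To confirm that nothing on a page still loads Tealium files from the third-party host after these changes, the following added example (not Tealium code) scans HTML for script URLs on tags.tiqcdn.com and suggests the first-party equivalent. It assumes the default third-party path layout is /utag/ACCOUNT/PROFILE/ENV/, as implied above; the sample page, the account name `acme` and the function names are constructed for illustration.

```python
"""Added example: audit a page for Tealium script URLs still on tags.tiqcdn.com."""
import re
from urllib.parse import urlsplit

THIRD_PARTY_HOST = "tags.tiqcdn.com"
# Assumption: default layout is /utag/ACCOUNT/PROFILE/ENV/<file>, per the text above.
_DEFAULT_PATH = re.compile(
    r"^/utag/[^/]+/([^/]+)/([^/]+)/(utag(?:\.sync|\.\d+)?\.js)$")
# Any quoted absolute or protocol-relative URL ending in .js
_QUOTED_JS = re.compile(r"""['"]((?:https?:)?//[^'"\s]+\.js)['"]""")


def _host_and_path(url: str):
    parts = urlsplit(url if "://" in url else "https:" + url)
    return parts.hostname, parts.path


def to_first_party(url: str, first_party_host: str) -> str:
    """Rewrite a default utag URL to the first-party form PROFILE/ENV/<file>."""
    host, path = _host_and_path(url)
    match = _DEFAULT_PATH.match(path)
    if host != THIRD_PARTY_HOST or not match:
        raise ValueError(f"not a default Tealium file URL: {url!r}")
    profile, env, filename = match.groups()
    return f"https://{first_party_host}/{profile}/{env}/{filename}"


def publishing_urls(first_party_host: str, profile: str) -> dict:
    """Publishing URL per default environment, in the format listed above."""
    return {env: f"//{first_party_host}/{profile}/{env}/"
            for env in ("dev", "qa", "prod")}


def audit_html(html: str, first_party_host: str) -> list:
    """Return (found_url, suggested_url) for each script URL on the old host."""
    findings = []
    for url in _QUOTED_JS.findall(html):
        if _host_and_path(url)[0] == THIRD_PARTY_HOST:
            try:
                suggestion = to_first_party(url, first_party_host)
            except ValueError:
                suggestion = None  # non-default path: review by hand
            findings.append((url, suggestion))
    return findings


# Constructed sample page; the account name "acme" is made up.
SAMPLE_HTML = """<script>(function(a,b,c,d){
a='//tags.tiqcdn.com/utag/acme/ecomm/prod/utag.js';b=document;})();</script>
<script src="https://tags.tealiumecommerce.com/ecomm/prod/utag.sync.js"></script>"""
```

An empty result from `audit_html` on the rendered page source means every quoted script URL it found is already off the third-party host.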
To use your first-party domain with Tealium EventStream or Tealium AudienceStream you need to update the data collection URL in your installation of Tealium Collect. For websites, this requires setting the Tealium Collect Endpoint field for the Tealium Collect tag.
To update the Tealium Collect tag:
sub.your_domain.com/your_account/your_profile/2/i.gif
For mobile apps, you must override the dispatch URL in the Collect module.
For more information on setting your first-party domain endpoint, see the following: