Configure Postgres SSL to Allow Direct Connections from Clients
When Tableau Server is configured to use SSL for internal communication with the Postgres repository, you can also require SSL for Tableau clients that connect directly to the repository. Direct connections include those using the tableau user or the readonly user. Examples of Tableau clients include Tableau Desktop, Tableau Mobile, REST API, web browsers.
Run the following commands:
tsm security repository-ssl enable
tsm pending-changes apply
This enables internal SSL support, generates new server certificate and key files, and requires all Tableau clients to use SSL to connect to the repository. For additional repository-ssl commands and options, see tsm security.
If the pending changes require a server restart, the
pending-changes applycommand will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-promptoption, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
(Optional) If you have configured your client computer to validate Postgres SSL connections, then you must import the certificate that is generated by Tableau Server onto the computers running Tableau Desktop. For each client computer that will connect directly to the repository, do the following:
Copy the server.crt file to the client computer. You can find this file in the following directory:
Note: Do not copy server.key to the client computer. This file should reside only on the server.
Import the certificate into the computer’s certificate store.
For information, use the documentation from the operating system manufacturer.