Configure Postgres SSL to Allow Direct Connections from Clients
When Tableau Server is configured to use SSL for internal communication with the postgres repository, you can also require Tableau clients and external postgres clients that connect directly to the repository to verify the identity of the Tableau postgres repository by comparing the SSL certificate presented by the internal postgres instance wit the certificate distributed to the Tableau or external postgres client.
Direct connections include those using the tableau user or the readonly user. Examples of Tableau clients include Tableau Desktop, Tableau Mobile, REST API, web browsers.
Enable internal SSL for the repository by running the following commands:
tsm security repository-ssl enable
tsm pending-changes apply
This enables internal SSL support and generates new server certificate and key files, and requires all Tableau clients to use SSL to connect to the repository. For additional repository-ssl commands and options, see tsm security.
If the pending changes require a server restart, the
pending-changes applycommand will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-promptoption, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
(Optional) If you have configured your client computer to validate Postgres SSL connections, then you must import the certificate that is generated by Tableau Server onto the computers running Tableau Desktop. For each client computer that will connect directly to the repository, do the following:
Copy the server.crt file to the client computer. You can find this file in the following directory:
Note: Do not copy server.key to the client computer. This file should reside only on the server.
Import the certificate into the computer’s certificate store.
For information, use the documentation from the operating system manufacturer.
(Optional) Configure any external (non-Tableau) postgres clients (PgAdmin or Dbeaver for example) to verify the identity of the Tableau Server postgres repository. Do this in the postgresql JDBC driver the client is using to connect by setting the "sslmode" directive to "verify-ca" or "verify-full". The options available may be different depending on the version of the postgres driver being used. For more information, see the drive documentation about SSL support.