Use the tsm security commands to configure Tableau Server support for external (gateway) SSL or repository (Postgres) SSL. Repository SSL configuration includes the option to enable SSL over direct connections from Tableau clients (including Tableau Desktop, Tableau Mobile, and web browsers) to the repository.
Before you configure SSL, you must acquire certificates, and then copy them to the computer that runs the Tableau Server gateway process. Additional preparation is required for enabling direct connections from clients. To learn more, see the following articles:
Configure SSL for External HTTP Traffic to and from Tableau Server
Configure SSL for Internal Postgres Communication
For information about mutual (two-way) SSL, see Configure Mutual SSL Authentication and tsm authentication mutual-ssl commands.
Authorizes a Tableau user to migrate embedded credentials from a Tableau Server installation to a Tableau Cloud site using Content Migration Tool. Both Tableau Server and Tableau Cloud must have an Advanced Management license to migrate content. For more information, see Migrate Workbooks and Data Sources with Embedded Credentials.
You can cancel authorization using the tsm security cancel-credential-migrations command.
tsm security authorize-credential-migration --source-site-url-namespace <Tableau Server site ID> --destination-site-url-namespace <Tableau Cloud site ID> --destination-server-url <Tableau Cloud site url> --authorized-migration-runner <username> --destination-public-encryption-key <public key>
--source-site-url-namespace
Required. Site ID of the Tableau Server site. The site ID is used in the URL to uniquely identify the site.
For example, a site named West Coast Sales might have a site ID of west-coast-sales.
--destination-site-url-namespace
Required. Site ID of the Tableau Cloud site. The site ID is used in the URL to uniquely identify the site.
--destination-server-url
Required. URL of the pod that your Tableau Cloud site is deployed to. The URL you specify must include a trailing slash (/).
Your pod is shown in the first portion of the site URL after signing in to Tableau Cloud. For example, https://10az.online.tableau.com/ is the United States - West (10AZ) pod. For more information about pods, see the Salesforce Trust page.
--authorized-migration-runner
Required. Username of the Tableau Server user authorized to migrate embedded credentials.
--destination-public-encryption-key
Required. Specify the public key generated on the Tableau Cloud site.
--expiration-time-in-days
Optional. Number of days before authorization expires. Default value is 7 days.
Version: Retired in version 2023.1. Beginning in 2023.1.0 this option is no longer valid and will generate an error if used. The expiration value is hard-coded as 7 days.
The following example authorizes user "admin" to migrate workbooks and published data sources with embedded credentials from Tableau Server site "ExampleA" to Tableau Cloud site "ExampleB". The authorization will expire in 9 days.
tsm security authorize-credential-migration --source-site-url-namespace ExampleA --destination-site-url-namespace ExampleB --destinationServerUrl https://10ay.online.tableau.com/ --authorized-migration-runner admin --destination-public-encryption-key <public key> --expiration-time-in-days 9
Cancels granted authorizations for migrating embedded credentials using Content Migration Tool. For more information, see Migrating Workbooks and Data Sources with Embedded Credentials.
Synopsis
tsm security cancel-credential-migrations --source-site-url-namespace <Tableau Server site ID>
--source-site-url-namespace
Required. Site ID of the Tableau Server site. The site ID is used in the URL to uniquely identify the site.
For example, a site named West Coast Sales might have a site ID of west-coast-sales.
Adds a custom CA certificate to Tableau Server. This certificate is optionally used to establish trust for TLS communication between an SMTP server and Tableau Server.
If a custom certificate already exists, this command will fail. You can remove the existing custom certificate using the tsm security custom-cert delete command.
Note: The certificate that you add with this command may be used by other Tableau Server services for TLS connections.
As part of your disaster recovery plan, we recommend keeping a backup of the certificate file in a safe location off of the Tableau Server. The certificate file that you add to Tableau Server will be stored and distributed to other nodes by the Client File Service. However, the file is not stored in a recoverable format. See Tableau Server Client File Service.
Synopsis
tsm security custom-cert add --cert-file <file.crt> [global options]
-c, --cert-file <file.crt>
Required. Specify the name of a certificate file in valid PEM or DER format.
Removes the server's existing custom certificate. Doing this allows you to add a new custom certificate.
Synopsis
tsm security custom-cert delete [global options]
List details of custom certificate.
Synopsis
tsm security custom-cert list [global options]
Add custom certificates for Index and Search Server for Tableau Server 2023.1 and newer. The SSL implementation is based on Opensearch.org TLS implementation. See Configuring TLS certificates for more information.
tsm security custom-indexandsearch-ssl add --node <file.crt> --admin <file.crt> --node-key <file.key> --admin-key <file.key> --ca <file.crt> [parameters] [global options]
List details of Index and Search Server SSL custom certificate configuration.
Synopsis
tsm security custom-indexandsearch-ssl list [global options]
Disable the custom SSL certificate for connections to TSM Controller. Revert back to an automatically-managed, self-signed certificate.
Synopsis
tsm security custom-tsm-ssl disable [global options]
Enable the custom SSL certificate for connections to TSM Controller for Tableau Server 2023.1 and newer. If you have already enabled SSL and need to update an expired certificate, use this command.
Specify the path to a certificate chain file (.crt).
The chain file is a concatenation of all the certificates that form the certificate chain for the server certificate.
All certificates in the file must be x509 PEM-encoded and the file must have a .crt extension (not .pem).
tsm security custom-tsm-ssl enable --key-file <file.key> --cert-file <file.crt> [global options]
List details of TSM custom certificate configuration.
Synopsis
tsm security custom-tsm-ssl list [global options]
Removes the server's existing SSL configuration settings and stops encrypting traffic between external clients and the server.
Synopsis
tsm security external-ssl disable [global options]
Enable and specify certificate and key files for SSL over external HTTP communication.
Synopsis
tsm security external-ssl enable --cert-file <file.crt> --key-file <file.key> [options] [global options]
--cert-file <file.crt>
Required. Specify the name of a valid PEM-encoded x509 certificate with the extension .crt.
--key-file <file.key>
Required. Specify a valid RSA or DSA private key file, with the extension .key by convention.
--chain-file <chainfile.crt>
Specify the certificate chain file (.crt).
A certificate chain file is required for Tableau Desktop on the Mac. In some cases, a certificate chain file may be required for Tableau Mobile.
Some certificate providers issue two certificates for Apache. The second certificate is a chain file, which is a concatenation of all the certificates that form the certificate chain for the server certificate.
All certificates in the file must be x509 PEM-encoded and the file must have a .crt extension (not .pem).
--passphrase
Optional. Passphrase for the certificate file. The passphrase you enter will be encrypted while at rest.
Note: If you create a certificate key file with a passphrase, you cannot reuse the SSL certificate key for SAML.
--protocols <list protocols>
Optional. List the Transport Layer Security (TLS) protocol versions you want to allow or disallow.
TLS is an improved version of SSL. Tableau Server uses TLS to authenticate and encrypt connections. Accepted values include protocol versions supported by Apache. To disallow a protocol, prepend the protocol version with a minus (-) character.
Default setting: "all, -SSLv2, -SSLv3"
This default explicitly does not allow clients to use SSL v2 or SSL v3 protocols to connect to Tableau Server. However, we recommend that you also disallow TLS v1 and TLS v1.1.
Before you deny a specific version of TLS, verify that the browsers from which your users connect to Tableau Server support TLS v1.2. You might need to preserve support for TLSv1.1 until browsers are updated.
If you do not need to support TLS v1 or v1.1, use the following command to allow TLS v1.2 (using the value all), and explicitly deny SSL v2, SSL v3, TLS v1, and TLS v1.1.
tsm security external-ssl enable --cert-file file.crt --key-file file.key --protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
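The following added example (not part of the Tableau documentation or product) audits an external-ssl enable command line before it is run: it evaluates the --protocols list and checks the .crt requirement stated above for the certificate and chain files. The function names, the expansion of "all", and the left-to-right token semantics are assumptions made for illustration.

```python
import shlex

# Assumption for illustration: what "all" expands to. The real set depends on
# the Apache/OpenSSL build shipped with your Tableau Server version.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_SPEC = "all, -SSLv2, -SSLv3"  # default setting quoted on this page


def effective_protocols(spec, all_protocols=ALL_PROTOCOLS):
    """Evaluate an Apache-style protocol list from left to right.

    Accepts comma- or space-separated tokens, since both forms appear on the
    page. Simplified model (assumption): "-X" removes X, "+X" adds X, and a
    bare token replaces the current set.
    """
    canonical = {p.lower(): p for p in all_protocols}
    enabled = set()
    for token in spec.replace(",", " ").split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            chosen = set(all_protocols)
        elif name.lower() in canonical:
            chosen = {canonical[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return [p for p in all_protocols if p in enabled]


def audit_external_ssl(command):
    """Return a list of findings for an external-ssl enable command line."""
    args = shlex.split(command)
    opts = {}
    for i, arg in enumerate(args):
        has_value = i + 1 < len(args) and not args[i + 1].startswith("--")
        if arg.startswith("--") and has_value:
            opts[arg] = args[i + 1]
    findings = []
    # The page requires the .crt extension for the certificate and chain file.
    for flag in ("--cert-file", "--chain-file"):
        value = opts.get(flag)
        if value is not None and not value.lower().endswith(".crt"):
            findings.append(f"{flag} {value}: expected a .crt file")
    # With no --protocols option, the documented default applies.
    spec = opts.get("--protocols", DEFAULT_SPEC)
    weak = [p for p in effective_protocols(spec) if p in DEPRECATED]
    if weak:
        findings.append("protocols still allowed: " + ", ".join(weak))
    return findings
```

Running the audit on a command that omits --protocols reports TLSv1 and TLSv1.1 as still allowed, which is the gap the recommendation above closes.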
Displays a list of settings related to the configuration of gateway external SSL. The list includes the names of the certificate files in use, but not their location.
Synopsis
tsm security external-ssl list [global options]
Set the KMS mode to AWS.
You will need the full ARN string from AWS KMS. This string is in the "General configuration" section of the AWS KMS management pages. The ARN is presented in this format: arn:aws:kms:<region>:<account>:key/<CMK_ID>, for example, arn:aws:kms:us-west-2:867530990073:key/1abc23de-fg45-6hij-7k89-1l0mn1234567.
For more information, see AWS Key Management System.
Synopsis
tsm security kms set-mode aws --key-arn "<arn>" --aws-region "<region>" [global options]
--key-arn
Required. The --key-arn option takes a direct string copy from the ARN in the "General configuration" section of the AWS KMS management pages.
--aws-region
Required. Specify a region as shown in the Region column in the Amazon API Gateway table.
For example, if your AWS KMS instance is running in the us-west-2 region, your account number is 867530990073, and your CMK key is 1abc23de-fg45-6hij-7k89-1l0mn1234567, then the command would be:
tsm security kms set-mode aws --aws-region "us-west-2" --key-arn "arn:aws:kms:us-west-2:867530990073:key/1abc23de-fg45-6hij-7k89-1l0mn1234567"
Set the KMS mode to Azure Key Vault.
Note: The KMS mode will display as "Azure Key Vault" when you run tsm security kms status, but you set it as "azure".
You will need the name of the Azure key vault and the name of the key in Azure.
For more information, see Azure Key Vault.
Synopsis
tsm security kms set-mode azure --key-name "<key_name>" --vault-name "<vault_name>" [global options]
--key-name
Required. The name of the asymmetric key stored in the Azure Key Vault.
--vault-name
Required. Name of the Azure Key Vault.
For example, if your Azure Key Vault is named tabsrv-keyvault and your key is tabsrv-sandbox-key01, then the command would be:
tsm security kms set-mode azure --key-name "tabsrv-sandbox-key01" --vault-name "tabsrv-keyvault"
Set or reset the KMS mode to local. Local is the default KMS mode. For more information, see Tableau Server Key Management System.
Synopsis
tsm security kms set-mode local [global options]
View the status of KMS configuration. The status returned includes:
Encrypt and decrypt master encryption key:
KMS stores a collection of master extract keys (MEKs). Each MEK has:
Other values returned depend on the KMS mode.
When the KMS mode is AWS, the following is returned:
When the KMS mode is Azure Key Vault, the following is returned:
tsm security kms status [global options]
Disable the Rserve connection.
For more information, see Use R (Rserve) scripts in your flow.
tsm security maestro-rserve-ssl enable
Configure a connection between an Rserve server and Tableau Server version 2019.3 or later.
For more information, see Use R (Rserve) scripts in your flow.
Synopsis
tsm security maestro-rserve-ssl enable --connection-type <maestro-rserve-secure | maestro-rserve> --rserve-host <Rserve IP address or host name> --rserve-port <Rserve port> --rserve-username <Rserve username> --rserve-password <Rserve password> --rserve-connect-timeout-ms <RServe connect timeout>
--connection-type
Select maestro-rserve-secure to enable a secure connection or maestro-rserve to enable an unsecured connection. If you select maestro-rserve-secure, specify the certificate file path in the command line.
--rserve-host
Host
--rserve-port
--rserve-username
--rserve-password
--rserve-connect-timeout-ms
--rserve-connect-timeout-ms 900000
.
Disable the TabPy connection.
For more information, see Use Python scripts in your flow.
tsm security maestro-tabpy-ssl enable
Configure a connection between a TabPy server and Tableau Server version 2019.3 or later.
For more information, see Use Python scripts in your flow.
Synopsis
tsm security maestro-tabpy-ssl enable --connection-type <maestro-tabpy-secure | maestro-tabpy> --tabpy-host <TabPy IP address or host name> --tabpy-port <TabPy port> --tabpy-username <TabPy username> --tabpy-password <TabPy password> --tabpy-connect-timeout-ms <TabPy connect timeout>
--connection-type
Select maestro-tabpy-secure to enable a secure connection or maestro-tabpy to enable an unsecured connection. If you select maestro-tabpy-secure, specify the certificate file -cf<certificate file path> in the command line.
--tabpy-host
Host
--tabpy-port
--tabpy-username
--tabpy-password
--tabpy-connect-timeout-ms
--tabpy-connect-timeout-ms 900000
.
This command performs the following operations:
Stops Tableau Server if it is running.
Generates new internal SSL certificates for the Postgres repository and the search server.
Generates new passwords for all of the internally managed passwords.
Updates all Postgres repository passwords.
Generates a new encryption key for asset key management and encrypts the asset key data with the new key.
Generates a new encryption key for configuration secrets (master key) and encrypts the configuration with it.
Reconfigures and updates Tableau Server with all of these secrets. In a distributed deployment, this command also distributes the reconfiguration and updates across all nodes in the cluster.
Regenerates a new master key, adds it to the master keystore file, and then creates new security tokens for internal use.
Starts Tableau Server.
If you plan to add a node to your cluster after you have run this command, then you will need to generate a new node configuration file to update the tokens, keys, and secrets that are generated by this command. See Install and Configure Additional Nodes.
For more information about internal passwords see Manage Server Secrets.
Synopsis
tsm security regenerate-internal-tokens [options] [global options]
--ignore-prompt
Optional.
Perform a restart (if necessary) without prompting. This option only suppresses the prompt. The restart behavior is unchanged.
--request-timeout <timeout in seconds>
Optional.
Wait the specified amount of time for the command to finish. Default value is 1800 (30 minutes).
Stop encrypting traffic between the repository and other server components, and stop support for direct connections from Tableau clients.
Synopsis
tsm security repository-ssl disable [global-options]
When the repository is local, enables SSL and generates the server's .crt and .key files used for encrypted traffic between the Postgres repository and other server components.
Starting in version 2021.4, when using an external repository, imports the server's .crt and .key files used to encrypt traffic between the external PostgreSQL repository and Tableau Server components.
Enabling this also gives you the option to enable SSL over direct connections from Tableau clients to the server.
Synopsis
tsm security repository-ssl enable [options] [global options]
-i, --internal-only
Optional. This option only applies when the repository is local to Tableau Server and is not configured external to Tableau Server. This option should not be used for Tableau Server configured with External Repository.
When set to --internal-only, Tableau Server uses SSL between the repository and other server components, and it supports but does not require SSL for direct connections through tableau or readonly users.
If this option is not set, Tableau Server requires SSL for traffic between the repository and other server components, as well as for direct connections from Tableau clients (for connections through the tableau or readonly users).
When you specify this option, you must also complete the steps described in Configure Postgres SSL to Allow Direct Connections from Clients.
-c, --certificate
Optional. Added in version 2021.4. This option is only applicable to Tableau Server configured with External Repository and can be used to enable or disable SSL connections post installation.
This option allows you to enable the use of SSL/TLS connections between Tableau Server and the External Repository. When using this option, provide the full path to the SSL certificate file including the file name for the External Repository. This file is the same as the one used when enabling the external repository.
Get the public certificate file used for SSL communication with the Tableau repository. SSL must be enabled for repository communication before you can retrieve a certificate. The certificate file is distributed automatically to internal clients of the repository in the Tableau Server cluster. To enable remote clients to connect over SSL to the repository, you must copy the public certificate file to each client.
This command works only for Tableau Server that uses a local Repository and will result in an error when Tableau Server is configured with an External Repository.
Synopsis
tsm security repository-ssl get-certificate-file [global-options]
-f, --file
Required.
Full path and file name (with .cert extension) where the certificate file should be saved. If a duplicate file exists it will be overwritten.
Returns the existing repository (Postgres) SSL configuration.
Synopsis
tsm security repository-ssl list [global-options]
Version: Added in version 2022.1
Generates new certificates, keys, and trust stores used by the Coordination Service for secure connections.
Synopsis
tsm security rotate-coordination-service-secrets [options] [global options]
--coord-svc-restart-timeout <seconds>
Optional.
Wait the specified number of seconds for Coordination Service to restart. Default: 1200 (20 minutes).
--ignore-prompt
Optional.
Perform a restart (if necessary) without prompting.
--request-timeout <seconds>
Optional.
Wait the specified number of seconds for the command to finish. Default: 1800 (30 minutes).
-h, --help
Optional.
Show the command help.
-p, --password <password>
Required, along with -u or --username if no session is active.
Specify the password for the user specified in -u or --username.
If the password includes spaces or special characters, enclose it in quotes:
--password 'my password'
-s, --server https://<hostname>:8850
Optional.
Use the specified address for Tableau Services Manager. The URL must start with https, include port 8850, and use the server name not the IP address. For example https://<tsm_hostname>:8850. If no server is specified, https://<localhost | dnsname>:8850 is assumed.
--trust-admin-controller-cert
Optional.
Use this flag to trust the self-signed certificate on the TSM controller. For more information about certificate trust and CLI connections, see Connecting TSM clients.
-u, --username <user>
Required if no session is active, along with -p or --password.
Specify a user account. If you do not include this option, the command is run using credentials you signed in with.