Was this page helpful?
Yes No

Configure SSL for Internal Postgres Communication

Tableau Server on Windows now includes Tableau Services Manager (TSM), which replaces the Configuration Utility and the command line tool. If you need help for an earlier version of Tableau Server, see the Tableau Help page.

You can configure Tableau Server to use SSL (TLS) for encrypted communication between the Postgres repository and other server components. By default, communication that is internal to Tableau Server components is not encrypted.

While you enable support for internal SSL, you can also configure support for direct connections to the repository from Tableau clients, such as Tableau Desktop, Tableau Mobile, REST API, web browsers.

In this article

Configure Postgres SSL using your preferred method:

Use the TSM web interface

Use the TSM CLI

ClosedUse the TSM web interface Use the TSM web interface
  1. As a server administrator, open TSM in a browser:

    https://<tsm-computer-name>:8850

    For more information, see Sign in to Tableau Services Manager Web UI.

  2. On the Configuration tab, select Security > Repository SSL.

    Screen shot of the TSM Repository SSL settings

  3. Select one of the options for using repository SSL.

    • Required for all connections—uses SSL for internal Tableau Server communication, and requires SSL for Tableau clients that connect directly to the repository, including those using the tableau or readonly user.

      Important: If you select this option, you must also complete the steps in Configure Postgres SSL to Allow Direct Connections from Clients, to place the certificate files in the correct location on the client computers.

    • Optional for user connections—uses SSL for internal Tableau Server communication, and supports but does not require SSL for direct connections to the server from Tableau clients.

    • Off for all connections (default)—Internal server communication is not encrypted, and SSL is not required for direct connections from clients.

  4. Click OK.

    The first two options generate the server’s certificate files, server.crt and server.key, and place them in the following location.

    C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/pgsql<version>/security

    Use this .crt file if you need to configure clients for direct connections.

ClosedUse the TSM CLI Use the TSM CLI

To enable SSL for internal traffic among the server components, run the following commands:

tsm security repository-ssl enable

tsm pending-changes apply

What the command does

repository-ssl enable generates the server’s certificate files, which it places in the following location:

C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/pgsql<version>/security

By default, this command sets Tableau Server to require SSL for traffic between the repository and other server components, as well as for direct connections from Tableau clients (including for connections through the tableau or readonly users).

To complete the configuration, you must also do the steps described in Configure Postgres SSL to Allow Direct Connections from Clients, to place the certificate files in the correct location on the client computers.

The pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.

Option for repository-ssl enable

If you want to require SSL only for internal Tableau Server communication, and not for direct connections from client apps, use the following option with the repository-ssl enable command:

--internal-only

Cluster environments

If you run repository-ssl enable on a node in a cluster, it copies the required certificate file to the same location on each other node.

For more information about downloading the public certificate for direct connections, see Configure Postgres SSL to Allow Direct Connections from Clients.