tsm security

Use the tsm security commands to configure Tableau Server support for external (gateway) SSL or repository (Postgres) SSL. Repository SSL configuration includes the option to enable SSL over direct connections from Tableau clients—including Tableau Desktop, Tableau Mobile, and web browsers—to the repository.


Before you configure SSL, you must acquire certificates, and then copy them to the computer that runs the Tableau Server gateway process. Additional preparation is required for enabling direct connections from clients. To learn more, see the following articles:

Configure SSL for External HTTP Traffic to and from Tableau Server

Configure SSL for Internal Postgres Communication

 For information about mutual (two-way) SSL, see Configure Mutual SSL Authentication and tsm authentication mutual-ssl commands.

tsm security custom-cert add

Adds a custom CA certificate to Tableau Server. This certificate is optionally used to establish trust for TLS communication between a SMTP server and Tableau Server.

If a custom certificate already exists, this command will fail. You can remove the existing custom certificate using the tsm security custom-cert delete command.

Note: The certificate that you add with this command may be used by other Tableau Server services for TLS connections.


tsm security custom-cert add --cert-file <file.crt> [global options]


-c, --cert-file <file.crt>

Required. Specify the name of a certificate file in valid PEM or DER format.

tsm security custom-cert delete

Removes the server’s existing custom certificate. Doing this allows you to add a new custom certificate.


tsm security custom-cert delete[global options]

tsm security custom-cert list

List details of custom certificate.


tsm security custom-cert list[global options]

tsm security external-ssl disable

Removes the server’s existing SSL configuration settings and stops encrypting traffic between external clients and the server.


tsm security external-ssl disable [global options]

tsm security external-ssl enable

Enable and specify certificate and key files for SSL over external HTTP communication.


tsm security external-ssl enable --cert-file <file.crt> --key-file <file.key> [options] [global options]


--cert-file <file.crt>

Required. Specify the name of a valid PEM-encoded x509 certificate with the extension .crt.

--key-file <file.key>

Required. Specify a valid RSA or DSA private key file, with the extension .key by convention.

--chain-file <chainfile.crt>

Specify the certificate chain file (.crt)

A certificate chain file is required for Tableau Desktop on the Mac. In some cases, a certificate chain file may be required for Tableau Mobile.

Some certificate providers issue two certificates for Apache. The second certificate is a chain file, which is a concatenation of all the certificates that form the certificate chain for the server certificate.

All certificates in the file must be x509 PEM-encoded and the file must have a .crt extension (not .pem).


Optional. Passphrase for the certificate file. The passphrase you enter will be encrypted while at rest.

Note: If you create a certificate key file with a passphrase, you cannot reuse the SSL certificate key for SAML.

--protocols <list protocols>

Optional. List the Transport Layer Security (TLS) protocol versions you want to allow or disallow.

TLS is an improved version of SSL. Tableau Server uses TLS to authenticate and encrypt connections. Accepted values include protocol versions supported by Apache. To disallow a protocol, prepend the protocol version with a minus (-) character.

Default setting: "all, -SSLv2, -SSLv3"

This default explicitly does not allow clients to use SSL v2 or SSL v3 protocols to connect to Tableau Server. However, we recommend that you also disallow TLS v1 and TLS v1.1.

Before you deny a specific version of TLS, verify that the browsers from which your users connect to Tableau Server support TLS v1.2. You might need to preserve support for TLSv1.1 until browsers are updated.

If you do not need to support TLS v1 or v1.1, use the following command to allow TLS v1.2 (using the value all), and explicitly deny SSL v2, SSL v3, TLS v1, and TLS v1.1.

tsm security external-ssl enable --cert-file file.crt --key-file file.key --protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

tsm security external-ssl list

Displays a list of settings related to the configuration of gateway external SSL. The list includes the names of the certificate files in use, but not their location.


tsm security external-ssl list [global options]

tsm security regenerate-internal-tokens

This command performs the following operations:

  1. Generates new internal SSL certificates for Postgres repository the search server.

  2. Generates new passwords for all of the internally managed passwords.

  3. Updates all Postgres repository passwords.

  4. Generates a new encryption key for asset key management and encrypts the asset key data with the new key.

  5. Generates a new encryption key for configuration secrets (master key) and encrypts the configuration with it.

  6. Reconfigures and updates Tableau Server with all of these secrets. In a distributed deployment, this command also distributes the reconfiguration and updates across all nodes in the cluster.

  7. Stops the server.

  8. Regenerates a new master key, adds it to the master keystore file, and then creates new security tokens for internal use.

  9. Starts the server.

If you plan to add a node to your cluster after you have run this command, then you will need to generate a new node configuration file to update the tokens, keys, and secrets that are generated by this command. See Install and Configure Additional Nodes.


tsm security regenerate-internal-tokens [options] [global options]


--request-timeout <timeout in seconds>


Wait the specified amount of time for the command to finish. Default value is 1800 (30 minutes).

tsm security repository-ssl disable

Stop encrypting traffic between the repository and other server components, and stop support for direct connections from Tableau clients.


tsm security repository-ssl disable [global-options]

tsm security repository-ssl enable

Enables SSL and generates the server’s .crt and .key files used for encrypted traffic between the Postgres repository and other server components. Enabling this also gives you the option to enable SSL over direct connections from Tableau clients to the server.


tsm security repository-ssl enable [options] [global options]


-i, --internal-only

Optional. When set to --internal-only, Tableau Server uses SSL between the repository and other server components, and it supports but does not require SSL for direct connections through tableau or readonly users.

If this option is not set, Tableau Server requires SSL for traffic between the repository and other server components, as well as for direct connections from Tableau clients (for connections through the tableau or readonly users).

When you specify this option, you must also complete the steps described in Configure Postgres SSL to Allow Direct Connections from Clients.

tsm security repository-ssl get-certificate-file

Get the public certificate file used for SSL communication with the Tableau repository. SSL must be enabled for repository communication before you can retrieve a certificate. The certificate file is distributed automatically to internal clients of the repository in the Tableau Server cluster. To enable remote clients to connect over SSL to the repository, you must copy the public certificate file to each client.


tsm security repository-ssl get-certificate-file [global-options]


-f, --file


Full path and file name (with .cert extension) where the certificate file should be saved. If a duplicate file exists it will be overwritten.

tsm security repository-ssl list

Returns the existing repository (Postgres) SSL configuration.


tsm security repository-ssl list [global-options]

tsm security vizql-extsvc-ssl disable

Disables the connection to external service connection for SCRIPT functions.


tsm security vizql-extsvc-ssl disable [global options]

tsm security vizql-extsvc-ssl enable

Enables and configures connection to external service connection for SCRIPT functions. Tableau Server supports SSL for Rserve or TabPy connections.

If you are updating or changing an existing external services configuration, run the tsm security vizql-extsvc-ssl disablecommand to clear the settings before you run this command.


tsm security vizql-extsvc-ssl enable --connection-type <type> --extsvc-host <host_name> --extsvc-port <port> [options] [global options]


--connection-type <type>

Specify the external service type that you are configuring. Valid values are: rserve-secure, rserve, tabpy-secure, tabpy.

--extsvc-host <host_name>

Required. Specify the host name or IP address of the server in your organization that is hosting the external service.

--extsvc-port <port_number>

Required. Specify the port that is used to connect to the external service. Default value for Rserve is typically 6311. Default value for TabPy is typically 9004.

-cf, --cert-file <file.crt>

Optional. Specify the path and filename of a valid PEM-encoded x509 certificate with the extension .crt.

--extsvc-username <user_name>

Optional. If the connection to the external service requires authentication, specify the user name.

--extsvc-password <password>

Optional. If the connection to the external service requires authentication, specify the password.

--connect-timeout-ms <milliseconds>

Optional. Connection timeout in milliseconds. Default is 1000. Raise the value of this setting if Tableau is timing out before the external server can respond.

--script-disabled <true | false>

Optional. Disable scripts originating from the external service from running on Tableau Server. Default is true. To allow scripts from the external service to run on Tableau Server, set to false.

tsm security vizql-extsvc-ssl list

Displays a list of settings related to the configuration of external service SSL connection for SCRIPT functions. The list includes the names of the certificate files in use, host name, port, user name, timeout duration, and other details.


tsm security vizql-extsvc-ssl list [global options]

Global options

-h, --help


Show the command help.

-p, --password <password>

Required, along with -u or --username if no session is active.

Specify the password for the user specified in -u or --username.

If the password includes spaces or special characters, enclose it in quotes:

--password 'my password'

-s, --server <url_to_tsm>


Use the specified address for Tableau Services Manager. The URL must start with https, include port 8850, and use the server name not the IP address, for example https://mytableauhost:8850. If no server is specified, https://<localhost | dnsname>:8850 is assumed.



Use this flag to trust the self-signed certificate on the TSM controller. For more information about certificate trust and CLI connections, see Connecting TSM clients.

-u, --username <user>

Required if no session is active, along with -p or --password.

Specify a user account. If you do not include this option, the command is run using credentials you signed in with.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.