Configure SSL for Internal Postgres Communication
You can configure Tableau Server to use SSL (TLS) for encrypted communication between the Postgres repository and other server components. By default, communication that is internal to Tableau Server components is not encrypted.
While you enable support for internal SSL, you can also configure support for direct connections to the repository from Tableau clients, such as Tableau Desktop, Tableau Mobile, REST API, web browsers.
As a server administrator, open TSM in a browser:
https://<tsm-computer-name>:8850
For more information, see Sign in to Tableau Services Manager Web UI.
On the Configuration tab, select Security > Repository SSL.
Select one of the options for using repository SSL.
Required for all connections—uses SSL for internal Tableau Server communication, and requires SSL for Tableau clients and any external (non-Tableau) clients that connect directly to the postgres repository, including those using the tableau or readonly user.
Important: Unless you complete the steps in Configure Postgres SSL to Allow Direct Connections from Clients, to place the certificate files in the correct location on the client computers, Tableau clients and external postgres clients will not be able to validate the identity of the Tableau repository by comparing certificates on the client computers with the SSL certificate from the repository computer.
Optional for user connections—When enabled, Tableau uses SSL for internal Tableau Server communication, and supports but does not require SSL for direct connections to the server from Tableau clients and external clients.
Off for all connections (default)—Internal server communication is not encrypted, and SSL is not required for direct connections from clients.
Click OK.
The first two options generate the server’s certificate files, server.crt and server.key, and place them in the following location.
/var/opt/tableau/tableau_server/data/tabsvc/config/pgsql_<version>/security
Use this .crt file if you need to configure clients for direct connections.
For more information about downloading the public certificate for direct connections, see Configure Postgres SSL to Allow Direct Connections from Clients.