Configure SSL for Internal Postgres Communication

You can configure Tableau Server to use SSL (TLS) for encrypted communication between the Postgres repository and other server components. By default, communication that is internal to Tableau Server components is not encrypted.

While you enable support for internal SSL, you can also configure support for direct connections to the repository from Tableau clients, such as Tableau Desktop, Tableau Mobile, REST API, web browsers.

  1. As a server administrator, open TSM in a browser:


    For more information, see Sign in to Tableau Services Manager Web UI.

  2. On the Configuration tab, select Security > Repository SSL.

    Screen shot of the TSM Repository SSL settings

  3. Select one of the options for using repository SSL.

    • Required for all connections – uses SSL for internal Tableau Server communication, and requires SSL for Tableau clients and any external (non-Tableau) clients that connect directly to the postgres repository, including those using the tableau or readonly user.

      Important: Unless you complete the steps in Configure Postgres SSL to Allow Direct Connections from Clients, to place the certificate files in the correct location on the client computers, Tableau clients and external postgres clients will not be able to validate the identity of the Tableau repository by comparing certificates on the client computers with the SSL certificate from the repository computer.

    • Optional for user connections – When enabled, Tableau uses SSL for internal Tableau Server communication, and supports but does not require SSL for direct connections to the server from Tableau clients and external clients.

    • Off for all connections (default) – Internal server communication is not encrypted, and SSL is not required for direct connections from clients.

  4. Click OK.

    The first two options generate the server’s certificate files, server.crt and server.key, and place them in the following location.

    C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/pgsql<version>/security

    Use this .crt file if you need to configure clients for direct connections.

To enable SSL for internal traffic among the server components, run the following commands:

tsm security repository-ssl enable

tsm pending-changes apply

What the command does

repository-ssl enable generates the server’s certificate files, which it places in the following location:

C:/ProgramData/Tableau/Tableau Server/data/tabsvc/config/pgsql<version>/security

By default, this command sets Tableau Server to require SSL for traffic between the repository and other server components, as well as for direct connections from Tableau clients (including for connections through the tableau or readonly users).

To complete the configuration, you must also do the steps described in Configure Postgres SSL to Allow Direct Connections from Clients, to place the certificate files in the correct location on the client computers.

If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Option for repository-ssl enable

If you want to require SSL only for internal Tableau Server communication, and not for direct connections from client apps, use the following option with the repository-ssl enable command:


Cluster environments

If you run repository-ssl enable on a node in a cluster, it copies the required certificate file to the same location on each other node.

For more information about downloading the public certificate for direct connections, see Configure Postgres SSL to Allow Direct Connections from Clients.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!