Solved: Re: question about using certificates to secure we... - Qlik Community

Report Inappropriate Content · ‎2013-01-15

I am currently trying to use certifcates to secure the communication between qlikview services. From what I understand, this is needed to have a secure communication if the services are not all located on the same domain. However this should not be needed for communication between the qv management service and services located on the same server.

The documentation seems to imply that:

1) Once certificates are used, they are used for communication between all services.

2) Certficates should only be used when services are not on the same server as QMS.

This kind of confuses me....

For example, suppose a first server hosts: QMS, DSC, QDS and QVWS services while another server hosts the QVS service. Is it possible to keep the communication between services on the first server using windows authentication while requiring ssl for the exchange between QVS and QMS?

Fredrik_Lautrup · ‎2013-03-06

So using certificates is a all or nothing approach. If you change to use certificates all services are authorized to communicate using certificates. In more detail, the certificates are not bound to a service but to a machine. So in the scenario that you run more than one service on a machine they will use this servers certificate to authorize the communication.

So it is possible to run all services on one machine and still use certificates but from a security perspective there is no benefit of doing it.

So in a scenario where you have two machines and choose certificates these are used to make sure that the services that try to connect are authorized to do so independent if they are running on the same machine or an other host.

But to remember is that the QVAdministrators group is still used to authorize people on the server running the QMS to get access to the QMC.

I hope this answers your question.

View solution in original post

Bill_Britt · ‎2013-01-15

Hi,

That is an interesting question and I am not sure. However, I would think it is all or none. I don't think the the QMS can be setup for both. Now if you look at the QEMC you will see it talks to the QVS using the QVP protocol which is RSA 128.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Fredrik_Lautrup · ‎2013-03-06

So using certificates is a all or nothing approach. If you change to use certificates all services are authorized to communicate using certificates. In more detail, the certificates are not bound to a service but to a machine. So in the scenario that you run more than one service on a machine they will use this servers certificate to authorize the communication.

So it is possible to run all services on one machine and still use certificates but from a security perspective there is no benefit of doing it.

So in a scenario where you have two machines and choose certificates these are used to make sure that the services that try to connect are authorized to do so independent if they are running on the same machine or an other host.

But to remember is that the QVAdministrators group is still used to authorize people on the server running the QMS to get access to the QMC.

I hope this answers your question.

question about using certificates to secure web services communication