
Remote Management Services and certificate trust

Hello,

We have an installed QV server that uses certificate trust for its services. Recently, we have added another server (new environment). However, I am not able to set up the Remote Management Services.

After adding the URL, this is what I get in the logs:

6/25/2014 11:00:13.0475564 Information Non-critical exception when trying to add new certificate service at https://acte-qa01:4799/QMS/Service:

System.TimeoutException: The request channel timed out while waiting for a reply after 00:00:30. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://acte-qa01:4799/INIT/Service' has exceeded the allotted timeout of 00:00:30. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out

   at System.Net.HttpWebRequest.GetResponse()

   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

   --- End of inner exception stack trace ---

   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)

   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)

   --- End of inner exception stack trace ---

Server stack trace:

   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

   at PIX.Services.IStartService.GetMachineName()

   at QMSBackendInterface.QMSBackendService.TryAddNewCertService(Uri serviceSoapAddress, String pwd)

Regards,

Krzysztof

1 Solution

Accepted Solutions
Giuseppe_Novello

Dear Krzysztof,

When you say trust certificate, I would guess that you mean "digital certificate". In that case, according to bug #65685, this is working as designed. The reason why the remote management service does not work in certificate trust mode “out of the box” is that, for every QMS installation, a unique root CA certificate (QlikViewCA) and two server certificates are created (signed with the created QlikViewCA root certificate). As a result, the certificate chain verification will fail when 2 separate QMS setups on different servers are configured to communicate with each other in trusted certificate mode (SSL).

It is possible to work around this problem by manually assigning the same root CA certificate on both servers running the QMSs, and manually (using the shared root certificate) signing and assigning server certificates for the configured servers. The consequence of this setup is that the “QlikView Management API” group settings will not be applied; instead, all QMSs with server certificates signed by the same root certificate will be able to establish a remote management service setup.

Giuseppe Novello
Principal Technical Support Engineer @ Qlik


3 Replies
Not applicable
Author

This is what I thought.

So, what I would need to do is:

1. Export the QlikViewCA certificate to the other server.

2. Regenerate the certificate of that server and the proxy certificate by signing with the QlikViewCA certificate.

3. Re-add all the services.

Giuseppe_Novello

Correct, but note that if any remote servers have been configured in the QMS where the new certificates are imported to, new certificates need to be created and distributed manually to the remote servers as well. As an example, if I had a remote DSC configured in the QMC in <server you are importing the certificate to>, then I would need to generate new certificates for the remote server running the DSC as well. Therefore, this workaround should be considered a complex workaround!

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
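
Added example (not part of the thread and not Qlik code): the chain-verification behaviour described in the accepted answer, and the caveat about remote servers in the last reply, modelled in Go with throwaway Ed25519 certificates. The host names qms-b and remote-dsc are hypothetical, and only the trust relationship is modelled, not the algorithms or extensions the QlikView installer actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a self-signed root when ca is nil, else a server cert signed by ca.
func issue(cn string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: ca == nil, BasicConstraintsValid: true}
	if ca == nil { // a root is its own issuer
		ca, caKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above
	return cert, key
}

// trusts reports whether leaf chains to root when root is the only trust anchor.
func trusts(root, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func scenario() (outOfBox, reSigned, staleRemote bool) {
	rootA, keyA := issue("QlikViewCA", nil, nil)  // server A's installation
	rootB, keyB := issue("QlikViewCA", nil, nil)  // server B's: same name, different key
	srvB, _ := issue("qms-b", rootB, keyB)        // B's installer-issued certificate
	remote, _ := issue("remote-dsc", rootB, keyB) // remote host B had configured earlier
	srvB2, _ := issue("qms-b", rootA, keyA)       // workaround: re-signed by A's root
	return trusts(rootA, srvB), trusts(rootA, srvB2), trusts(rootA, remote)
}

func main() { fmt.Println(scenario()) }
```

It prints `false true false`: two roots that share the name QlikViewCA still do not validate each other's certificates, and any certificate left over from the retired root keeps failing until it is re-issued.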