https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498961#M29193 <P>This will be simplified, but let's imagine the journey of a reload task that is scheduled at 9AM:</P> <OL> <LI>The Repository Service checks the Repository Database for the schedule</LI> <LI>On the appointed time, the Repository Service checks to see what Scheduler Services are running and permitted to perform reloads (Slave, Worker)</LI> <LI>Each Scheduler Service requests their local Engine's current load</LI> <LI>Each Scheduler Service reports back the current load to the Repository</LI> <LI>The Repository Service allocates the reload task to the least busy Scheduler Service</LI> <LI>The appointed Scheduler Service tells its local Engine to perform the reload</LI> </OL> <P>In each of steps 2-6, a service is acting as the client (also known as making a request) and another service is acting as a server (also known as receiving a request / replying to the request). In step 2, the QRS is the client and the QSS is the server. In each of these exchanges, the client service will send the QlikClient certificate to both encrypt the traffic and verify the authenticity of the request and the server service will use the server certificate to receive traffic.</P> Fri, 20 Dec 2024 14:42:19 GMT Levi_Turner 2024-12-20T14:42:19Z https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498872#M29192 <P>I'm trying to understand what QlikClient certificate is used for. More specifically, I'm referring to this certificate:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mbespartochnyy_0-1734655233462.png" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/175930iF10AF9430C2B4007/image-size/large?v=v2&amp;px=999" role="button" title="mbespartochnyy_0-1734655233462.png" alt="mbespartochnyy_0-1734655233462.png" /></span></P> <P>The best explanation I found is in <A title="Service certificates" href="https://help.qlik.com/en-US/sense-admin/November2024/Subsystems/DeployAdministerQSE/Content/Sense_DeployAdminister/QSEoW/Administer_QSEoW/Managing_QSEoW/service-certificates.htm" target="_blank" rel="noopener">this Qlik documentation</A> which states:</P> <P>"<FONT color="#333333"><EM>The client certificate and client private key are used for client authentication <STRONG>when your service acts as a client</STRONG>, that is, when your service calls an&nbsp;API</EM></FONT><SPAN><FONT color="#333333"><EM>&nbsp;in another service.</EM></FONT>"</SPAN></P> <P><SPAN>That probably makes sense to someone who is knowledgeable in cybersecurity and networking space but, admittedly, I'm struggling to understand what that means.</SPAN><SPAN>&nbsp;When I read that sentence I though "<EM>When my service acts as a client? What service of mine is it talking about?</EM>"<BR /></SPAN></P> <P><SPAN>Plus it's not 100% clear that it's talking about QlikClient certificate so that document might not be relevant at all.</SPAN></P> <P><SPAN>Does anyone know what role the QlikClient certificate plays in a Qlik Sense server? When is this certificate being used and what for?</SPAN></P> Wed, 29 Jan 2025 16:21:29 GMT https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498872#M29192 mbespartochnyy 2025-01-29T16:21:29Z https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498961#M29193 <P>This will be simplified, but let's imagine the journey of a reload task that is scheduled at 9AM:</P> <OL> <LI>The Repository Service checks the Repository Database for the schedule</LI> <LI>On the appointed time, the Repository Service checks to see what Scheduler Services are running and permitted to perform reloads (Slave, Worker)</LI> <LI>Each Scheduler Service requests their local Engine's current load</LI> <LI>Each Scheduler Service reports back the current load to the Repository</LI> <LI>The Repository Service allocates the reload task to the least busy Scheduler Service</LI> <LI>The appointed Scheduler Service tells its local Engine to perform the reload</LI> </OL> <P>In each of steps 2-6, a service is acting as the client (also known as making a request) and another service is acting as a server (also known as receiving a request / replying to the request). In step 2, the QRS is the client and the QSS is the server. In each of these exchanges, the client service will send the QlikClient certificate to both encrypt the traffic and verify the authenticity of the request and the server service will use the server certificate to receive traffic.</P> Fri, 20 Dec 2024 14:42:19 GMT https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498961#M29193 Levi_Turner 2024-12-20T14:42:19Z https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498987#M29194 <P>Ah, I think I understand it now! While Qlik Sense is operational, the services that are operating it are <STRONG>constantly communicating with each other</STRONG>.</P> <P>To secure these communications, when a Qlik Sense service is <STRONG>making</STRONG> a request (acting as a client) it is encrypting the request using <STRONG>QlikClient</STRONG> certificate and its private key.</P> <P>And when a Qlik Sense service is <STRONG>responding</STRONG> to a request, it is encrypting the response using the <STRONG>server</STRONG> certificate and it's private key.</P> <P>Then, to complete the picture, there's also a server certificate that is stored in Trusted Root Certification Authorities store which is used to validate authenticity of both QlikClient and server certificates.</P> <P>In short, <STRONG>QlikClient</STRONG> certificate is used to <STRONG>encrypt communications</STRONG> of Qlik Sense services whenever a Qlik Sense service <STRONG>takes on a role of a client</STRONG> (i.e. is making a request). Is that right?</P> Fri, 20 Dec 2024 18:16:46 GMT https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498987#M29194 mbespartochnyy 2024-12-20T18:16:46Z https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498989#M29195 <P>Broadly, yes. To be technical, the certificate in the Trusted Root store (MMC &gt; Certs &gt; doesn't matter the store &gt; Trusted Root) and the&nbsp;<STRONG>server</STRONG> certificate (MMC &gt; Certs &gt; Local Server &gt; Personal) aren't the same thing. The root is the root. It is used to generate the server and client. That chain of trust is validated when using certs for inter-service communication (and API calls).</P> Fri, 20 Dec 2024 18:25:47 GMT https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498989#M29195 Levi_Turner 2024-12-20T18:25:47Z https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498990#M29196 <P>Understood. Thank you!</P> <P>P.S. I appreciate you adding an example. I love examples! They help translate unfamiliar topics to something relatable and familiar. Seven years I worked with Qlik Sense and this is the first time I finally able to get clarity on what the QlikClient cert is used for. Your answer and example helped. Thanks again!</P> Fri, 20 Dec 2024 18:57:12 GMT https://community.qlik.com/t5/Management-Governance/What-is-the-purpose-of-QlikClient-Certificate/m-p/2498990#M29196 mbespartochnyy 2024-12-20T18:57:12Z