topic Re: Configure QRS certificate on Sense Server in Management & Governance

Configure QRS certificate on Sense Server

Thu, 21 May 2015 12:44:57 GMT

Hi,

I've successfully changed the SSL browser certificate thumbprint in the QMC. The new certificate is used when I open the hub or qmc in my browser.

However, the server certificate returned when I call the QRS (on port 4242) isn't changed. The QRS still uses the certificate that's generated by Qlik. Is there a way to configure the certificate that's used by the QRS?

Thanks in advance.

Danny

Re: Configure QRS certificate on Sense Server

Thu, 21 May 2015 18:48:26 GMT

Hi Danny,

How are you contacting QRS? Are you using ticketing, header, or session auth to connect? What tools are you using to identify the QRS is using the Qlik generated certs. I'd like to do some testing with this so any information you may be able to supply is helpful.

Re: Configure QRS certificate on Sense Server

Fri, 22 May 2015 07:53:06 GMT

Hi Jeffrey,

I use a .NET REST client (http://restsharp.org/) to communicate with the QRS, similar to the example shown here: http://help.qlik.com/sense/en-us/developer/#../Subsystems/RepositoryServiceAPI/Content/RepositoryServiceAPI/RepositorySe…

I would like to get rid of the following line of code:

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;

I know I can add the Qlik certificate to the certificates store of the client making the request. Then the code above is no longer needed to make things work. However, I'd like to be able to add additional 'qlik sense clients' to my solution, without adding certificates to the client's certificate store. That's why I'd like to use a certificate issued by an authority that's already trusted by all clients in my domain.

I found that the Qlik certificate is still being used by opening the QRS url (https://myqlikserver.com:4242) in my browser and viewing the certificate information that's sent by the server.

The same certificate info is visible when I put a breakpoint in the ServerCertificateValidationCallback delegate.

Danny

Re: Configure QRS certificate on Sense Server

Fri, 22 May 2015 15:30:56 GMT

What about using a wildcard server cert? If you change the server cert the Sense servers use through the security thumbprint then I think you can get rid of of the ServicePointManager call.

I imagine that may work the way you want.

Re: Configure QRS certificate on Sense Server

Mon, 25 May 2015 18:50:06 GMT

Actually, I've used the thumbprint of our wildcard certificate. But the server certificate used when calling the qrs on port 4242 is still the auto-generated qlik certificate.

Even when I remove this certificate from the server's certificate store, next time I connect, a new certificate is generated and used.

Re: Configure QRS certificate on Sense Server

Wed, 16 Sep 2015 06:55:16 GMT

FYI, I got response from the Qlik Sense team:

you cannot change those certificates, they are generated by the Qlik Sense Installation itself which will detect and remove and regenerate invalid certificates. Additionally the root certificate is used to unlock the secured parts of the repository and so changing it will break the Sense installation. This makes it extremely important to ensure that the root certificate is backed up.

http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-Security-Authentication-Certificate-Trust-Architecture.htm