Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hi,
In Qlik Sense (Enterprise on Windows – May 2022), we tried to create a connection to OneDrive and had the attached error come up "Error retrieving the URL to authenticate: ENCYRPTION_KEY_MISSING - you must manually set an encryption key before creating new connections."
We are using 3rd party certificates for our https://
I found relevant articles,
https://help.qlik.com/en-US/connectors/Content/Connectors_Home/Setting-encryption-key.htm
Question 1: Is the “key” that need to be entered in step 2 (b) (in above link) is the one that we have in QMC --> Proxie --> Central Node --> Security --> Thumbprint? If not can anyone please let us know where we can find this key? Confusion is the key they are talking here is the same as one we get from the 3rd party certificate for our https://
Question 2: By setting up key (as in above article) are we actually adding key to QMC --> Service Cluster --> Data encryption (QVD and QVF)?
Question 3: Currently we do not have any encryption key setup (please see attached image of Service Cluster). Wondering what impact we will have by adding the encryption key as in above article? Would it affect any normal operation from the user/developer/admin perspective?
Your knowledge and support will be very helpful. Please do not hesitate to contact me if you need more information.
Hello @Mr_Pearl , when you generate a CSR for the 3rd party cert for use with Qlik it should give you the info you need to complete Step 2b.
Qlik Sense supports the use of certificates issued by trusted certificate authorities like Symantec, Digicert, GoDaddy, and others. While the Management Console (QMC) has a certificate export function, the only capability is exporting the Qlik Sense generated self-signed certs. To generate a CSR, you need to use an additional tool like OpenSSL.
Source: https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Generating-CSR-for-3rd-Party-Cert...
And the PDF referenced: https://community.qlik.com/cyjdu72974/attachments/cyjdu72974/qlik-support-knowledge-base/2749/2/Gene...
If you follow that process (OpenSSL in this case) and get the key, you should be able to complete Step 2b.
Note, you should probably backup this key somewhere so that if you reinstall Sense at a later date, add nodes to the cluster etc. you will be able to continue to use connections created with this key.
Update to this if you do not have your key generated from the 3rd party cert:
Follow the process listed here:
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Enterprise-on-Windows-Error-retri...
Seems we were making this too complicated but after some testing and review I thought I would clarify.
Hello @Mr_Pearl , when you generate a CSR for the 3rd party cert for use with Qlik it should give you the info you need to complete Step 2b.
Qlik Sense supports the use of certificates issued by trusted certificate authorities like Symantec, Digicert, GoDaddy, and others. While the Management Console (QMC) has a certificate export function, the only capability is exporting the Qlik Sense generated self-signed certs. To generate a CSR, you need to use an additional tool like OpenSSL.
Source: https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Generating-CSR-for-3rd-Party-Cert...
And the PDF referenced: https://community.qlik.com/cyjdu72974/attachments/cyjdu72974/qlik-support-knowledge-base/2749/2/Gene...
If you follow that process (OpenSSL in this case) and get the key, you should be able to complete Step 2b.
Note, you should probably backup this key somewhere so that if you reinstall Sense at a later date, add nodes to the cluster etc. you will be able to continue to use connections created with this key.
Update to this if you do not have your key generated from the 3rd party cert:
Follow the process listed here:
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Enterprise-on-Windows-Error-retri...
Seems we were making this too complicated but after some testing and review I thought I would clarify.
@Jay_Brown Thank you for your guidance much appreciate it. Before we setup encryption key in our production environment, can you (or anyone) please let me know what impact we will have by adding the encryption key? Would it affect any normal operation from the user/developer/admin perspective?
Hi @Mr_Pearl , yes it may. See my last "Note" above, you need to save the key and have clear documentation for your Admin team. If you reinstall Sense (failed upgrade for example), migrate to new hardware or need to expand and add a node, you will need that key, otherwise you will need to repeat parts of the process.
It will be low impact if you have the key saved and all steps you took documented. If you don't have that, it will create quite a lot of administrative overhead and inconvenience for the users and developers as those connections may suddenly stop working with the same error about ENCRYPTION _KEY_MISSING.
@Jay_Brown Thank you for your detailed response. I think I didnt state my question clearly.
At the moment (Without encryption key setup), we are able to do lot of operations in hub and qmc like, export/import app; create/use/edit qvd's in our Qlik server through Qlik Sense script; use third party certificate issued by symantec; install extensions; edit tasks; use qlik web server; use Qlik web connector tool; use existing rim node etc., Would any of these or other QMC/hub functions gets affected because of installing "Encryption Key"?
Much appreciate your time and effort 🙂
Hello @Mr_Pearl , this should not affect those QMC/Hub functions. Data encryption key usage should only affect data connections, and if you don't have the key when adding nodes or reinstalling sense you would need to repeat the steps and recreate/redeploy the key.
Hope that helps!
@Jay_Brown Thank you. We will try it in our dev server and let you know how it goes.
First of all, I would like to thank @Jay_Brown for helping me with this query. And I would like to answer some of my questions that I raised in my original post.
What is the encryption key?
If you have 3rd party SSL certificate installed in your Qlik Servver, than the private key that you would have obtained with your certificate (https://) is the encryption key. If you happen to have .pfx file with key then you can extract this key using open ssl. Or if you can export it out off mmc (usually your server admin would have disabled this option when adding certificate). If these are not options for you then you need to redo the https certificate.
Are we adding key to qvf or qvd?
I dont think so. App import or export functions doesnt seem to be affected by this.
Would adding encryption key affect normal operations?
Not at all. But as @Jay_Brown mentioned save this key some where safe for future use.
Request to Qlik team: We are lucky to get hands on this key. Given its important, it would be great if you mention the private key usages in your posts/documents related to 3rd party certification.