Skip to main content
Announcements
Global Transformation Awards! Applications are now open. Submit Entry
cancel
Showing results for 
Search instead for 
Did you mean: 
Mr_Pearl
Creator II
Creator II

Encryption key missing - more info on how to setup

Hi,

In Qlik Sense (Enterprise on Windows – May 2022), we tried to create a connection to OneDrive and had the attached error come up "Error retrieving the URL to authenticate: ENCYRPTION_KEY_MISSING - you must manually set an encryption key before creating new connections."

We are using 3rd party certificates for our https://

I found relevant articles,

https://help.qlik.com/en-US/connectors/Content/Connectors_Home/Setting-encryption-key.htm

Question 1:  Is the “key” that need to be entered in step 2 (b) (in above link) is the one that we have in QMC --> Proxie --> Central Node --> Security --> Thumbprint? If not can anyone please let us know where we can find this key? Confusion is the key they are talking here is the same as one we get  from the 3rd party certificate for our https://

Question 2: By setting up key (as in above article) are we actually adding key to QMC --> Service Cluster --> Data encryption (QVD and QVF)?

Question 3: Currently we do not have any encryption key setup (please see attached image of Service Cluster). Wondering what impact we will have by adding the encryption key as in above article? Would it affect any normal operation from the user/developer/admin perspective?

Your knowledge and support will be very helpful. Please do not hesitate to contact me if you need more information.

1 Solution

Accepted Solutions
Jay_Brown
Support
Support

Hello @Mr_Pearl , when you generate a CSR for the 3rd party cert for use with Qlik it should give you the info you need to complete Step 2b.

Qlik Sense supports the use of certificates issued by trusted certificate authorities like Symantec, Digicert, GoDaddy, and others. While the Management Console (QMC) has a certificate export function, the only capability is exporting the Qlik Sense generated self-signed certs. To generate a CSR, you need to use an additional tool like OpenSSL.

Source: https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Generating-CSR-for-3rd-Party-Cert... 
And the PDF referenced: https://community.qlik.com/cyjdu72974/attachments/cyjdu72974/qlik-support-knowledge-base/2749/2/Gene... 

If you follow that process (OpenSSL in this case) and get the key, you should be able to complete Step 2b.

Note, you should probably backup this key somewhere so that if you reinstall Sense at a later date, add nodes to the cluster etc. you will be able to continue to use connections created with this key.

Update to this if you do not have your key generated from the 3rd party cert:
Follow the process listed here: 
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Enterprise-on-Windows-Error-retri...

  1. Generate a Key in PowerShell.
  2. Run CMD as the service account (this is important, it will fail otherwise!)
  3. Set the encryption key from step 1.
  4. Test and things should be successful

Seems we were making this too complicated but after some testing and review I thought I would clarify.

To help users find verified answers, please don't forget to mark a correct resolution or answer to your problem or question as correct.

View solution in original post

7 Replies
Jay_Brown
Support
Support

Hello @Mr_Pearl , when you generate a CSR for the 3rd party cert for use with Qlik it should give you the info you need to complete Step 2b.

Qlik Sense supports the use of certificates issued by trusted certificate authorities like Symantec, Digicert, GoDaddy, and others. While the Management Console (QMC) has a certificate export function, the only capability is exporting the Qlik Sense generated self-signed certs. To generate a CSR, you need to use an additional tool like OpenSSL.

Source: https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Generating-CSR-for-3rd-Party-Cert... 
And the PDF referenced: https://community.qlik.com/cyjdu72974/attachments/cyjdu72974/qlik-support-knowledge-base/2749/2/Gene... 

If you follow that process (OpenSSL in this case) and get the key, you should be able to complete Step 2b.

Note, you should probably backup this key somewhere so that if you reinstall Sense at a later date, add nodes to the cluster etc. you will be able to continue to use connections created with this key.

Update to this if you do not have your key generated from the 3rd party cert:
Follow the process listed here: 
https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-Enterprise-on-Windows-Error-retri...

  1. Generate a Key in PowerShell.
  2. Run CMD as the service account (this is important, it will fail otherwise!)
  3. Set the encryption key from step 1.
  4. Test and things should be successful

Seems we were making this too complicated but after some testing and review I thought I would clarify.

To help users find verified answers, please don't forget to mark a correct resolution or answer to your problem or question as correct.
Mr_Pearl
Creator II
Creator II
Author

@Jay_Brown  Thank you for your guidance much appreciate it. Before we setup encryption key in our production environment, can you (or anyone) please let me know what impact we will have by adding the encryption key? Would it affect any normal operation from the user/developer/admin perspective?

Jay_Brown
Support
Support

Hi @Mr_Pearl , yes it may.  See my last "Note" above, you need to save the key and have clear documentation for your Admin team.  If you reinstall Sense (failed upgrade for example), migrate to new hardware or need to expand and add a node, you will need that key, otherwise you will need to repeat parts of the process. 

It will be low impact if you have the key saved and all steps you took documented.  If you don't have that, it will create quite a lot of administrative overhead and inconvenience for the users and developers as those connections may suddenly stop working with the same error about ENCRYPTION _KEY_MISSING.

To help users find verified answers, please don't forget to mark a correct resolution or answer to your problem or question as correct.
Mr_Pearl
Creator II
Creator II
Author

@Jay_Brown  Thank you for your detailed response. I think I didnt state my question clearly.

At the moment (Without encryption key setup), we are able to do lot of operations in hub and qmc like, export/import app; create/use/edit qvd's in our Qlik server through Qlik Sense script; use third party certificate issued by symantec; install extensions; edit tasks; use qlik web server; use Qlik web connector tool; use existing rim node etc., Would any of these or other QMC/hub functions gets affected because of installing "Encryption Key"?

Much appreciate your time and effort 🙂

Jay_Brown
Support
Support

Hello @Mr_Pearl , this should not affect those QMC/Hub functions. Data encryption key usage should only affect data connections, and if you don't have the key when adding nodes or reinstalling sense you would need to repeat the steps and recreate/redeploy the key.  

Hope that helps!

To help users find verified answers, please don't forget to mark a correct resolution or answer to your problem or question as correct.
Mr_Pearl
Creator II
Creator II
Author

@Jay_Brown Thank you. We will try it in our dev server and let you know how it goes. 

Mr_Pearl
Creator II
Creator II
Author

First of all, I would like to thank @Jay_Brown  for helping me with this query. And I would like to answer some of my questions that I raised in my original post.

What is the encryption key?

If you have 3rd party SSL certificate installed in your Qlik Servver, than the private key that you would have obtained with your certificate (https://) is the encryption key. If you happen to have .pfx file with key then you can extract this key using open ssl. Or if you can export it out off mmc (usually your server admin would have disabled this option when adding certificate). If these are not options for you then you need to redo the https certificate.

Are we adding key to qvf or qvd?

I dont think so. App import or export functions doesnt seem to be affected by this.

Would adding encryption key affect normal operations?

Not at all. But as @Jay_Brown mentioned save this key some where safe for future use.

Request to Qlik team: We are lucky to get hands on this key. Given its important, it would be great if you mention the private key usages in your posts/documents related to 3rd party certification.