Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Phero
Contributor III
Contributor III
‎2022-02-06 05:35 PM

How can I move certificates from Central Node to another Central Node?

Hi!

I am planning to move from an old server (Win 2012) to a new server (Win 2019). This is the central node. Which certificates needs to be moved? Whats the reason? I have heard that the connections are encrypted and needs to be opened by the same key as they used when they were created. 

Labels (2)
Labels
1,432 Views
0 Likes
2 Solutions

Accepted Solutions
Alexis_Touet
Former Employee
Former Employee
‎2022-02-07 05:12 AM

hi @Phero 

This operation is quite complex and we would highly recommand you to contact our professionnal services to help you doing the migration. See how to contact them https://community.qlik.com/t5/Knowledge/How-and-When-to-Contact-the-Consulting-Team/ta-p/1714936

If you however decide to make this operation yourself, it is very important that you back up your Qlik Sense certificates and site following this link.  https://help.qlik.com/en-US/sense-admin/November2021/Subsystems/DeployAdministerQSE/Content/Sense_De...

If your actual central node is also your Sense proxy where your users are authentication to, and if you use a 3rd party certificate to allow a trusted connection to an alias, make sure you back up this cert and restore it on the machine. https://community.qlik.com/t5/Knowledge/How-to-change-the-certificate-used-by-the-Qlik-Sense-Proxy-t... 

If your qlik sense servers are virtual machines, ensure to make a snapshot so that you can easily restore if anything goes wrong. 

Related to your question on the Qlik Sense client managed certificates, they have several functions, and you are right, one of them is to encrypt & decrypt the data connections credentials to the Qlik Sense Repository Database. So if you decide to create new certs on the new machine you will need to put the credentials used in your data connections again. 

If you want to keep the same Qlik Sense certificates, I believe you will need to set the exact same FQDN as per the old one, since the Qlik Sense self signed certificates are being created by default with the FQDN of the machine you installed the first time  (it could be that you used a DNS alias at this step, if that is the case, the new server will need to be set with the same alias, by example adding it to the windows host file). 

I would also restore the entire program data folder (C:\ProgramData\Qlik) on the new machine.

Beforehand it is important to test the operation on a test environment so you are sure of all the steps to take when migration production.

Hope this helps.

Please don't forget to mark a correct resolution or answer to your problem or question as correct, as it will help other members to find solutions more easily 😉

View solution in original post

1,367 Views
0 Likes
8 Replies
Alexis_Touet
Former Employee
Former Employee
‎2022-02-07 05:12 AM

hi @Phero 

This operation is quite complex and we would highly recommand you to contact our professionnal services to help you doing the migration. See how to contact them https://community.qlik.com/t5/Knowledge/How-and-When-to-Contact-the-Consulting-Team/ta-p/1714936

If you however decide to make this operation yourself, it is very important that you back up your Qlik Sense certificates and site following this link.  https://help.qlik.com/en-US/sense-admin/November2021/Subsystems/DeployAdministerQSE/Content/Sense_De...

If your actual central node is also your Sense proxy where your users are authentication to, and if you use a 3rd party certificate to allow a trusted connection to an alias, make sure you back up this cert and restore it on the machine. https://community.qlik.com/t5/Knowledge/How-to-change-the-certificate-used-by-the-Qlik-Sense-Proxy-t... 

If your qlik sense servers are virtual machines, ensure to make a snapshot so that you can easily restore if anything goes wrong. 

Related to your question on the Qlik Sense client managed certificates, they have several functions, and you are right, one of them is to encrypt & decrypt the data connections credentials to the Qlik Sense Repository Database. So if you decide to create new certs on the new machine you will need to put the credentials used in your data connections again. 

If you want to keep the same Qlik Sense certificates, I believe you will need to set the exact same FQDN as per the old one, since the Qlik Sense self signed certificates are being created by default with the FQDN of the machine you installed the first time  (it could be that you used a DNS alias at this step, if that is the case, the new server will need to be set with the same alias, by example adding it to the windows host file). 

I would also restore the entire program data folder (C:\ProgramData\Qlik) on the new machine.

Beforehand it is important to test the operation on a test environment so you are sure of all the steps to take when migration production.

Hope this helps.

Please don't forget to mark a correct resolution or answer to your problem or question as correct, as it will help other members to find solutions more easily 😉
1,368 Views
0 Likes
Phero
Contributor III
Contributor III
‎2022-02-09 06:53 AM
Author

In response to Alexis_Touet

Thanks for the answer

QMC and Hub is working. The SSL-certificate is in place.

I have tested before to take a full backup and full restore - it worked. 

"If you want to keep the same Qlik Sense certificates, I believe you will need to set the exact same FQDN as per the old one, since the Qlik Sense self signed certificates are being created by default with the FQDN of the machine you installed the first time  (it could be that you used a DNS alias at this step, if that is the case, the new server will need to be set with the same alias, by example adding it to the windows host file). "

This is the most vital part of the migration right now. How to handle the certificates. The servers have different names. I need the same certificates, otherwise I will not be able to to decrypt database and connections. 

The whole environment is virtualized. 

1,343 Views
0 Likes
Phero
Contributor III
Contributor III
‎2022-02-09 08:40 AM
Author

In response to Phero

Wouldn't it be possible to setup a another node that joined the cluster and flag it to be a failsafe candidate? Next step would be to turn off the old central node and then new server will replace the old one? 

1,336 Views
0 Likes
Alexis_Touet
Former Employee
Former Employee
‎2022-02-12 03:52 AM

Hi @Phero 

This could work I believe if you then set the same FQDN as per the original central. 
It is always better if you can test it first in a lower environment than prod, if not, make sure you backup/snapshot your vm´s so you can revert the changes quickly if something goes wrong. 


Best regards

Please don't forget to mark a correct resolution or answer to your problem or question as correct, as it will help other members to find solutions more easily 😉
1,060 Views
0 Likes
Phero
Contributor III
Contributor III
‎2022-02-12 08:35 AM
Author

In response to Alexis_Touet

What I understand I can take any node and make that node to a Centralnode, just as I flag it as a Failover Candidate? I can't really understand what you mean that the server needs to have the same FQDN? 

1,051 Views
0 Likes
Alexis_Touet
Former Employee
Former Employee
‎2022-02-13 04:22 AM

If you leave the default settings when installing the first time your central node, the Qlik Sense certificates will then be created under the same name as the server FQDN of your central node. 
You can check that by verifying your Qlik sense root certificate name, is it the same as your central node FQDN ?
If yes, then the server that will be replacing that central node will need to keep the same name, unless you want to recreate the certs.

Please don't forget to mark a correct resolution or answer to your problem or question as correct, as it will help other members to find solutions more easily 😉
1,039 Views
Phero
Contributor III
Contributor III
‎2022-02-18 03:35 PM
Author

In response to Alexis_Touet

I think I need to talk someone at Qlik to understand that requirements of the failsafe-node, as I don't believe that this server needs to have the same name as the original one. It doesn't feel right. Very odd solution if you ask me. 

974 Views
0 Likes