Skip to main content
Announcements
Global Transformation Awards! Applications are now open. Submit Entry
cancel
Showing results for 
Search instead for 
Did you mean: 
Keryss
Contributor II
Contributor II

Qlik Sense certificates backup

Hi,

I need to automate (with PowerShell) a backup of a Qlik Sense Site (Single Node)

The backup will be restored in two different cases :

1. On the same hostname, after a disaster recovery (the machine is re-created from scratch and we have to restore Qlik Sense site from a full backup)

2. On a different hostname, to migrate a Qlik Sense Site from a Production environment to a Test environment (for example)

For that, I used both official procedures

https://help.qlik.com/en-US/sense-admin/May2024/Subsystems/DeployAdministerQSE/Content/Sense_DeployA...

https://help.qlik.com/en-US/sense-admin/May2024/Subsystems/DeployAdministerQSE/Content/Sense_DeployA...

Both procedures are very clear, don't have any problem.

Buy, when it comes to automate Qlik certificates backup, I'm facing an issue with the following certificate 

# client certificate
# Certificates (Current User) > Personal > Certificates
# Issued To : QlikClient
# Issued By : <server-name.domain>-CA

As the account used to run the PowerShell script is not the same as the "Qlik Sense services" user, it is impossible to export the "QlikClient" certificate from the 'Current User' store.

And due to security restrictions, it is also impossible to export a certificate for another user.

What do you think ? What is the best practice to do that ?

Please advice. 

Thanks very much !

 

 

 

 

Labels (2)
7 Replies
David_Friend
Support
Support

I think you could just not worry about that and bootstrap the environment after restore (which recreates those certs):

https://community.qlik.com/t5/Official-Support-Articles/How-to-recreate-or-just-delete-certificates-...

 

Keryss
Contributor II
Contributor II
Author

Hi,

Thanks for your quick reply.

Not sure to understand. The official documentation specifies :

"To be able to recover from a system crash, you should create a backup of the certificates on the central node of your Qlik Sense site."

In my case, before I restore the backup, Qlik is firstly installed from scratch on the fresh machine, then I run the restore.

What if, as you suggest, I don't restore old certificates ?

 

 

Keryss
Contributor II
Contributor II
Author

Hi,

@David_Friend, I just took a look on the document you shared. In step 7, it is asked to delete the QlikClient certificate.

But, as explained previously, I don't have access to that certificate from my script (as it is launched with another user account than the account used by Qlik).

Please advice,

Thanks very much.

David_Friend
Support
Support

I think its simpler to just re-create them, but want to hear from others on the best strategy. @Nick_Asilo or @Mike_Dickson ?

Nick_Asilo
Support
Support

@Keryss the backup of the certificates is a useful step when you are restoring to a server with the same hostname, so either restoring to the same server or to a different server that has been given the same FQDN for the purpose of the migration.

However, when you migrate to a new server with a different hostname you are forced to recreate the certificates since the certificates are tied to the central node's hostname. This means recreating the certificate as mentioned by @David_Friend 

Note that the password for data connections are encrypted using the certificate so if you recreate the certificate you have to manually re-enter the username and password into the data connections to have them inserted into the DB with the correct encryption.

See the following documentation:
Restoring a Qlik Sense site to a machine with a different hostname 
Qlik Sense Enterprise on Windows: Change hostname (and certificates) after an installation 

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
Keryss
Contributor II
Contributor II
Author

Hi, 

Thanks for your reply.

Sorry, but I don't understand.

In my case, I will restore in two different cases :

Case 1 : On a server with the same hostname. Every night, I do a full backup of Qlik Site from that server. And if, for some reason, the VM crashes, the "Disaster recovery" process will delete the VM and re-created from scratch, with same hostname. Then, Qlik is installed (fresh installed from scratch), and finally we need to restore the backup done before the crash.

In this case, do we need old certificates ?

Case 2 : On a server with different hostname. In this case, on that VM, Qlik is already installed on the machine and correctly works. All we need is to restore a backup from another VM (For example to migrate PROD Qlik site to UAT Qlik Site).

In this case, do we need old certificates ?

Thanks

Nick_Asilo
Support
Support

@Keryss my comment above addresses both but its content is more directly gear for case 2.

"when you migrate to a new server with a different hostname you are forced to recreate the certificates since the certificates are tied to the central node's hostname. This means recreating the certificate as mentioned by @David_Friend"

In the scenario of Case 1 then yes backing up the old certificates is ideal

"the backup of the certificates is a useful step when you are restoring to a server with the same hostname"

However, due to the limitations you mentioned previously, you are unable to automate backing up the Service Account personal certificates. I advise manually exporting and backing up the certificates as these change very infrequently, when you manually recreate the certificates for troubleshooting, when you migrate to a new server or change the hostname, and very infrequently for certain upgrades.

So unlike the DB which will require frequent backing up as part of a DR plan, the certs are fairly static and do not require frequent backing up and can be done manually without it being a difficult task.

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!