Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
QlikWorld starts MONDAY! last chance to register is now ! REGISTER NOW

How To Setup HTTPS / SSL with QlikView AccessPoint (WebServer and IIS)

Andre_Sostizzo
Digital Support
Digital Support

How To Setup HTTPS / SSL with QlikView AccessPoint (WebServer and IIS)

Set up and configure the QlikView AccessPoint to use HTTPs and SSL instead of HTTP, using either the QlikView WebServer or Microsoft IIS.  Assumes Windows Server 2008 and 2012 and up.

For a detailed step-by-step guide for the QlikView WebServer, see QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate. Includes certificate requirements and import steps.



Environment: 

QlikView 11.20
QlikView 12.10
QlikView 12.20 / November 2017 and up

The instructions in the article apply to the configuration of HTTPs / SSL for the QlikView AccessPoint using the inbuilt WebServer component.

Further instructions for using Microsoft IIS, and more detailed steps for the QlikView WebServer, are included in the attachments. 

 

 

 

Step 1:

 

Obtain a certificate, whether that is an officially signed one or a self-signed one. For example, in PowerShell, you would run the following command:

New-SelfSignedCertificate -DnsName "www.fabrikam.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"

Note: a self-signed certificate will not be trusted by others and might render a warning to end-users about certificate being unsecure.


 

Step 2:

 

Save the certificate on disk and import it either by double-clicking and installing directly from the certificate file, or install it using the Microsoft Management Console (MMC).

  • Open the MMC and select Add/Remove Snap-in

User-added image

  • Scroll down to Certificates, select and add the snap-in to the right pane.

User-added image

 

  • Select Computer Account.

User-added image

  • Select Local Computer, click Finish.

User-added image

  • Once completed, access the Certificate Store and Import the Certificate. 

User-added image


 

Step 3:

 

Find the certificate thumbprint.

  1. Open MMC and add a 'certificates' snap-in for your local computer.
  2. In Personal > Certificates, the certificate should be visible (import it here if this hasn't done so yet)
  3. Double-click the certificate and go to 'details'
  4. Copy the thumbprint field (make sure to remove spaces)


Step 4:



Bind the certificate to the machine. Use netsh.exe  if running Windows 2008/2012.

Example netsh.exe Command:

netsh http add sslcert ipport=0.0.0.0:443 certhash=d5101f33f4357cbf512e09da0c0b2d48b620db2d appid={b9feebc8-c903-477c-b042-ab15e0638aa3}

ipport -  0.0.0.0:443 refers to all IPV4 addresses on the local machine, port 443.
certhash - The certificate thumbprint retrieved in step 3.
appid - This is a unique random number. This parameter is a GUID that can be used to identify the owning application. Any GUID generator can be used to obtain this. 

For more info on netsh.exe, see http://msdn.microsoft.com/en-us/library/ms733768.aspx


Note: The above step is not required if hosting Microsoft IIS on the same machine and it's already been properly configured to support HTTPS.
Alternatively, if there is IIS on the same machine but that SSL is not set up already, binding the certificate to the default website by right clicking > edit binding and add the https binding with the correct certificate here will help you bind the certificate without using command line.

 

Step 5:

 

In the QlikView Management Console (QMC), head to Setup and on to WebServer configuration. In the General tab set the Use https flag and apply. Also set the port to 443. 
 

User-added image

 

Please note that, when using QlikView Webserver, you'll have to pick either http or https. You cannot use both. Should that be needed, you'll need to setup a separate webserver or consider using IIS.



Step 6:

 

(optional) Add an additional line to the config.xml file in C:\ProgramData\QlikTech\WebServer which matches the URL the certificate has been registered to
Example: <Url>https://qlikviewserver.com:443/</Url>

<Config>
  <ConfigVersion>11</ConfigVersion>
  <DefaultUrl>http://_/</DefaultUrl>
  <!-- ADD HERE -->
  <DefaultQvs>QVS Cluster</DefaultQvs>
  <ConfigUrl>http://_:4750/QVWS/Service</ConfigUrl>
...





Step 7:

 

Restart the QlikView WebServer Service




Step 8:

 

Check in the log to see if it bound the ports correctly. (C:\ProgramData\QlikTech\WebServer\Log)

Example: These will change from http://+:80  to https://+:443 
 

2013-04-19 09:59:33.9740181	Information	register prefix: "https://+:443/scripts/"
2013-04-19 09:59:33.9896186	Information	register prefix: "http://+:80/qvajaxzfc/"
2013-04-19 09:59:33.9896186	Information	register prefix: "http://+:80/scripts/"
2013-04-19 09:59:33.9896186	Information	Connect to server: localhost
2013-04-19 09:59:33.9896186	Information	register prefix: "http://+:80/qlikview/"
2013-04-19 09:59:33.9896186	Information	register prefix: "http://+:80/qvdesktop/"
2013-04-19 09:59:33.9896186	Information	register prefix: "http://+:80/qvplugin/"

 

NOTE: that you might have to swap out the opendoc.htm with the opendoc_fix.htm to supress the additional security warnings when using QlikView Plugin.
For more information see:  Why do I get a warning: "This page contains both secure and non-secure items" when connecting over H...

NOTE: Some browsers might declare the website insecure, despite having installed a certificate, if the server is setup to use obsolete TLS version. Please, refer to https://community.qlik.com/t5/Qlik-Support-Knowledge-Base/SSL-amp-TLS-Support-in-QlikView-How-to-con... for details about changing the server's TLS settings.

For detailed step-by-step instruction from creating Self-singed Certificate to enabling SSL, or how to go about this using IIS, please refer to the attached documents. To access the attachments, please log on to the Support Portal. 


Labels (1)
Attachments
Comments
peter_brown
Contributor III
Contributor III

Do you require additional configuration elsewhere when using another port number other than the default 443? 

 

Sonja_Bauernfeind
Digital Support
Digital Support

No special steps are required for the QlikView product. Additional steps may need to be performed in the environment, such as opening this port for traffic on firewalls or allowing traffic through proxies. 

 

peter_brown
Contributor III
Contributor III

I skipped the configuration on the IIS to use SSL, which is important for getting SSL to work with QV Webserver.

 Also, I didn't have to make any modifications to the Webserver config.xml

francescopuppin
Contributor III
Contributor III

Andre, thanks a lot for posting this!

I have a question to anyone who can help. I am really bad at system engineering: this has never been my job, but the two QlikView system experts in the company have both left (one has resigned and one is in sick leave since early 2019), and the company will not hire a new one. Here is my doubt: is there any "risk" in doing this HTTPS setup? I mean, something like QlikView stops working and it's hard to restore? And by the way, is it possible to "roll back" in case of issues/malfunction?

Thanks,

Francesco

peter_brown
Contributor III
Contributor III

@francescopuppin Pertaining to QlikView itself using a secure access point requires WebServer and sometimes WebServer config file configurations.

So rolling back would simply mean changing the communication port back to its default and replacing the configure backup file in the WebServer repository.

 

 

Sonja_Bauernfeind
Digital Support
Digital Support

@francescopuppin I can confirm @peter_brown 's statement. All you need to do is revert the settings back to what they were before.

This applies to both IIS and QVWS.

 

francescopuppin
Contributor III
Contributor III

Thank you @peter_brown and @Sonja_Bauernfeind !

 

Marcoimp
Partner
Partner

Thank you @Andre_Sostizzo for this article:
is the netsh command the same for updating a certificate?

I think I have only to give a new thumbprint value, is it right?

Andre_Sostizzo
Digital Support
Digital Support

The command "netsh http update..." is available for updating bindings.

Version history
Revision #:
6 of 6
Last update:
‎2021-02-02 09:40 AM
Updated by:
 
Contributors