Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Join us at the Cloud Data and Analytics Tour! REGISTER TODAY

Recreating Qlik Sense root CA certificate when upgrading to June 2019 and above (script based back-up and removal of existing certificates)

Andrew_Delaney
Support
Support

Recreating Qlik Sense root CA certificate when upgrading to June 2019 and above (script based back-up and removal of existing certificates)

IMPORTANT NOTE: The following steps are applicable for Qlik Sense deployments originally installed with versions prior to the June 2019 release. For Qlik Sense deployments originally installed with the June 2019 or later releases, follow standard steps for patching Qlik Sense and do not perform steps below. If you are not certain about the initially installed version of Qlik Sense, please refer to Validating Qlik Sense root CA certificate for presence of CA:TRUE attribute to check the current certificate for the CA:TRUE attribute.

In February 2020, versions of Qlik Sense were released to fix critical vulnerabilities within NodeJS. Unfortunately this requires recreating the root CA for certificates generated with versions of Qlik Sense prior to the June 2019 release. More information under Node.js Vulnerability - FAQ
 

Note: In these steps we will occasionally ask you to run Powershell code.
Executing PowerShell code:

i. Copy the code and save it in a ps1 file, in example: certificates_backup.ps1

ii. Open elevated command line and navigate to the location where the script was saved.

iii. Start PowerShell by executing following command: Powershell

iv. Run the script by executing following command: .\<name_of_the_script>.ps1 in example: .\certificates_backup.ps1


Environment:

  • Qlik Sense Enterprise on Windows, June 2019 thru November 2019

 

New NodeJS requirements.

Resolution:

  1. After upgrading to June 2019 or above, check the Root certificate by running the C2 Validator tool on ALL NODES. If CA and Critical display 'Missing', please follow the instructions below.
  2. Stop all services on ALL NODES in the Qlik Sense cluster.
  3. Back up all current Qlik Sense certificates from the CENTRAL NODE by executing the following PowerShell code:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

function ExportCertificatesFromStore(
    [string] $name,
    [string] $location)
{
    $success = 1
    $oid = "1.3.6.1.5.5.7.13.3"
    
    $localStore = new-object System.Security.Cryptography.X509Certificates.X509Store $name, $location
    $localStore.Open("MaxAllowed")

    $mypwd = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText

    try
    {
        $certs = $localStore.Certificates
        foreach ($cert in $certs)
        {
            $extensions = $cert.Extensions
            foreach($extension in $extensions)
            {
                if ($extension.Oid.Value.Equals($oid))
                {
                    Get-ChildItem -Path cert:\$($localStore.Location)\$($localStore.Name) | Where-Object { $_.PrivateKey.CspKeyContainerInfo.Exportable } | Export-PfxCertificate -FilePath "$($localStore.Name)_$($localStore.Location).pfx" -Password $mypwd
                    break;
                }
            }
        }
    }

    catch
    {
        write-host "An error occurred while removing certificates" -ForegroundColor Red
        write-host $_.Exception.GetType().FullName -ForegroundColor Red
        write-host $_.Exception.Message -ForegroundColor Red
        $success = 0
    }

    finally
    {
        $localStore.Close()
    }
    
    if ($success -ne 1)
    {
        exit 20
    }
}

function ExportCertificates()
{
    ExportCertificatesFromStore "Root" "LocalMachine"
    ExportCertificatesFromStore "My" "LocalMachine"
    ExportCertificatesFromStore "My" "CurrentUser"
}

ExportCertificates
write-host "Done."
exit 0

NOTE: For information on how to execute above code please refer to “Executing PowerShell code” section at the top. Modify $mypwd variable to define custom password. Make sure certificates were backed up after running the script:

  • Root_LocalMachine.pfx – root CA
  • My_LocalMachine.pfx – server
  • My_CurrentUser – client

NOTE: If you happen to have more certificates with the same values in Issued To, Issued By and Friendly Name columns and you are unable to identify the correct certificate, please refer to Identifying Qlik Sense root CA and server certificates in certificate store.

  1. Remove current Qlik Sense root CA certificate from CENTRAL NODE by executing the following PowerShell code:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

function RemoveCertificatesFromStore(
[string] $name,
[string] $location)
{
    $success = 1
    $oid = "1.3.6.1.5.5.7.13.3"

    $localStore = new-object System.Security.Cryptography.X509Certificates.X509Store $name, $location
    $localStore.Open("MaxAllowed")
    try
    {
        $certs = $localStore.Certificates
        foreach ($cert in $certs)
        {
            $extensions = $cert.Extensions
            foreach($extension in $extensions)
            {
                if ($extension.Oid.Value.Equals($oid))
                {
                    write-host "Deleting certificate from" $localStore.Name $localStore.Location
                    write-host " Subject:"$cert.Subject
                    write-host " Issuer:"$cert.Issuer
                    write-host " Serial:"$cert.SerialNumber
                    $localStore.Remove($cert)
                    break;
                }
            }
        }
    }
    catch
    {
        write-host "An error occurred while removing certificates" -ForegroundColor Red
        write-host $_.Exception.GetType().FullName -ForegroundColor Red
        write-host $_.Exception.Message -ForegroundColor Red
        $success = 0
    }
    finally
    {
        $localStore.Close()
    }

    if ($success -ne 1)
    {
        exit 20
    }
}

function CleanCertificates()
{
    RemoveCertificatesFromStore "Root" "LocalMachine"
}

CleanCertificates
write-host "Done."
exit 0

  1. Make sure script completes without any errors. Otherwise remove Qlik Sense root CA certificate manually (please see Recreating Qlik Sense root CA certificate (manual back-up and removal of existing certificates).
  2. Remove all current Qlik Sense certificates from NON-CENTRAL NODES by executing the following PowerShell code:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

function RemoveCertificatesFromStore(
    [string] $name,
    [string] $location)
{
    $success = 1
    $oid = "1.3.6.1.5.5.7.13.3"

    $localStore = new-object System.Security.Cryptography.X509Certificates.X509Store $name, $location
    $localStore.Open("MaxAllowed")

    try
    {
        $certs = $localStore.Certificates
        foreach ($cert in $certs)
        {
            $extensions = $cert.Extensions
            foreach($extension in $extensions)
            {
                if ($extension.Oid.Value.Equals($oid))
                {
                    write-host "Deleting certificate from" $localStore.Name $localStore.Location
                    write-host " Subject:"$cert.Subject
                    write-host " Issuer:"$cert.Issuer
                    write-host " Serial:"$cert.SerialNumber
                    $localStore.Remove($cert)
                    break;
                }
            }
        }
    }

    catch
    {
        write-host "An error occurred while removing certificates" -ForegroundColor Red
        write-host $_.Exception.GetType().FullName -ForegroundColor Red
        write-host $_.Exception.Message -ForegroundColor Red
        $success = 0
    }

    finally
    {
        $localStore.Close()
    }

    if ($success -ne 1)
    {
        exit 20
    }
}

function CleanCertificates()
{
    RemoveCertificatesFromStore "Root" "LocalMachine"
    RemoveCertificatesFromStore "My" "LocalMachine"
    RemoveCertificatesFromStore "My" "CurrentUser"
}

CleanCertificates
write-host "Done."
exit 0
  1. Make sure script completes without any errors. Otherwise remove certificates manually (please see Recreating Qlik Sense root CA certificate (manual back-up and removal of existing certificates).
  2. Remove all current Qlik Sense certificates from NON-CENTRAL NODES stored locally by deleting all files from following location:

        C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates

  1. On ALL NODES navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location) and open Repository.exe.config file.
  2. Make sure Certificates.SelfSignedRoot.BasicConstraintsCA key has value set to true, in example:

<add key="Certificates.SelfSignedRoot.BasicConstraintsCA" value="true" />

If the above key is not present, add it within <appSettings> section, in example:

(…)
<add key="BackgroundWork.CountLimit" value="3" />
<add key="Certificates.SelfSignedRoot.BasicConstraintsCA" value="true" />
<add key="DatabaseCommandTimeout" value="00:01:30" />
(…)

NOTE: If you are installing a patch on November 2018 track, name of the key is: <add key="CertificatesSelfSignedRootBasicConstraintsCA" value="true" />

  1. On the CENTRAL NODE, start Qlik Sense Repository Database service.
  2. On CENTRAL NODE, from an elevated command line navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location) and run:

repository.exe -bootstrap -iscentral

  1.  When bootstrap mode has reached Entering main startup phase.., start Qlik Sense Service Dispatcher service and make sure that the Bootstrap mode has terminated. Press ENTER to exit.. final message is shown

Note: If this message is not shown, open Windows Task Manager, find Qlik Sense Repository Service in the Processes tab and end it by right-clicking on it and selecting End task.

  1. To make sure new certificate is in use, run the C2 Validator tool,
  2. On CENTRAL NODE restart Qlik Sense Service Dispatcher and start all remaining services.
  3. On the NON-CENTRAL NODES, depending on the setup, perform either step a) or b) below:
    1. Account running the Qlik Sense services has administrator privileges:
  • [Applicable ONLY for April 2019 track]: Delete host.cfg file from C:\ProgramData\Qlik\Sense\ 
  • Start Qlik Sense Repository Service.
  • Open the Qlik Management Console (QMC) and redistribute the certificates according to Redistributing a certificate
  • Restart Qlik Sense Repository Service and start all remaining services on the node to make sure they are using the newly distributed certificates.
  1. Account running the Qlik Sense service does not have administrator privileges:
  • [Applicable ONLY for April 2019 track]: Delete host.cfg file from C:\ProgramData\Qlik\Sense\ 
  • At the command line, navigate to C:\Program Files\Qlik\Sense\Repository (or corresponding nondefault location), and run:
repository.exe -bootstrap
  • When the Waiting for certificates to be installed.. message is displayed, redistribute the certificates according to Redistributing a certificate
  • Once the bootstrap mode has terminated, start the Qlik Sense Service Dispatcher, then start the Qlik Sense Repository Service, and finally the remaining Qlik Sense services.

 

Related Content:

Labels (1)
Comments
ken4runner
Creator
Creator

can you confirm some of the issues that this certificate problem are known to cause? 
what are some of the symptoms that the system will exhibit when this issue is present?

thanks - Ken

 

Version history
Revision #:
6 of 6
Last update:
‎2020-08-25 02:56 AM
Updated by:
 
Contributors