Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Mar 29, 2023 6:35:54 AM
Oct 29, 2014 7:39:47 AM
Content:
If you’ve just installed Qlik Sense Enterprise, then this image probably looks familiar. Alternatively, Chrome might display The site's security certificate is not trusted, while Firefox may report This Connection is Untrusted.
By default, Qlik Sense uses a self-signed certificate to enable HTTPS access across both the Hub (https:// YourSenseServer/hub) and the Management Console (https://YourSenseServer/qmc). But self-signed certificates cannot be validated or trusted by web browsers and tend to prompt a warning message.
To establish a secure HTTPS connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.
To install a trusted certificate for use with the Qlik Sense Enterprise on Windows Hub and Management Console, we need:
These instructions are for replacing the certificate used for accessing the Qlik Sense Hub and Management Console. The certificate used for service communication cannot be replaced.
For video Transcript click here
During the initial install, the Qlik Sense Repository Service creates a set of certificates. Their purpose is to secure Service Communication and Service Authentication.
Qlik Sense uses certificates to authenticate its service across all nodes. See the Qlik Sense Online Help for details. In addition, other products (such as Qlik NPrinting) require these certificates to be establish a connection.
This self signed certificate is then also used to secure hub and Management Console access through HTTPS.
We will not modify, replace, or remove the originally created certificates. Doing so will break service communication.
What we’ll do instead is to add an additional one.
There are three possible types of certificates for us to use.
When support gets questions, they are most often related to a certificate missing the private key. Always verify the certificate comes bundled with one when you install it.
It’ll look like this:
The Certificate Authority you chose will have instructions for this, and if you are looking to get a self-signed one or one from your corporation's CA, then a local administrator can provide the certificate to you.
Either way, you are going to need to generate a Certificate Signing Request (CSR) to pass on to your CA. There are tools out there to get that done with, such as certreq from Microsoft (found here), and SSLhopper has a great article on that, which I often send to customers when they ask us about CSRs and how to do them.
Once you obtain the certificate, we'll move on to installing it and activating it in Qlik Sense. This will be done in three quick steps:
As mentioned before, we are not replacing certificates. The already existing ones will not be deleted. Doing so would break service authentication between the individual Qlik Sense services and render the system… broken.
On the Qlik Sense node running the Qlik Sense Proxy, log on with the user running the Sense services. This is important since the certificate needs to be accessible for this account.
If the certificate was saved in the .pfx format, then all you need to do is double click the file. Follow the prompt to import the certificate into the Personal store.
If you want to import it manually or verify if it was correctly installed:
Well, since we are already in the MMC, let's open the freshly installed certificate again.
Almost done!
Click Apply.
The Sense Proxy will now restart. During the restart, it will be using Windows API calls to correctly bind the new certificate to its SSL ports.
In the web browser:
When opening the Qlik Sense Hub or QMC, the certificate will now be displayed in the browser. This may look different depending on the web browser, but in Google Chrome you can click the padlock to the left of the URL to verify what certificate is used.
The information displayed needs to match the properties of the certificate you installed.
In the log files:
If you’d rather see what the Qlik Sense Proxy service is doing, then you can directly check up on that, too.
On the Proxy node, go to C:\ProgramData\Qlik\Sense\Log\Proxy\Trace and open the Security log file from just after the last start.
It will now print a slightly different message than before:
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester DOMAIN\_service Setting crypto key for log file secure signing: success
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey DOMAIN\_service retrieving symmetric key from cert: success
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey DOMAIN\_service setting crypto key: success
Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 'CN=localhost' (08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA) as SSL certificate presented to browser, which is a 3rd party SSL certificate
And that's it!
There isn't much more to it in a standard Qlik Sense Enterprise installation, but if you have more questions, then maybe a few of these articles can help:
Receiving Bad Request 400?
Make sure the URL/FQDN you are using to access the Hub and QMC is correctly added to the WebSocket Allow List: How to configure the WebSocket origin allow list and best practices
I applied my certificate and it seems to be using it correctly, but browsers are still saying the Common Name is Invalid?
ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate
Qlik Sense keeps reverting to the default and complains it can't find a valid ssl certificate with the thumbprint.
The certificate may not have a Private key or the service account does not have access to it.
How to: Manage Certificate Private Key
The Qlik Sense Service account doesn't have admin privileges and the certificate is not accepted.
@gdrabla we have similar situation with security scans - you will likely just have to provide documentation to your security team from Qlik, that these self signed certificates are just for INTERNAL communication and that as @Sonja_Bauernfeind is stating, there is no option to change that at all.
this pdf is a good starting point
(Qlik Sense use of certificates Architectural overview)
@Sonja_Bauernfeind - Thank you for reply, much appreciated. Few more questions -
Please note i'm learning QLIK being new user , still trying to understand architecture design. bear for me asking few more questions.
Question # 1 - Is it possible for you to pick up the QLIK Case directly & have screen session with me ?. We have support account with QLIK. If answer is yes - i will share create QLIK case via offline message.
Question # 2 - I'm still not clear on answer for below , please find the comments for below answer:
Question - Which Proxy choose Central or Proxy for updating Thumbprint?
If you still wish to change the certificate used for hub and qmc access, choose the proxy which is hosting your users.
We have one proxy node(web01) from where users can access to QMC and HUB also. Also we have Central node in case if proxy goes down then user can access QMC and HUB from central node. Currently our certificate on scheduler node is not secure that's reason we have vulnerability scan on port 443. We are planning to update certificate on scheduler node.
Question here - Do we need update the thumbprint from new certificate on Proxy/or QMC Link - https://<schedulernode>/qmc . Currently its updated on Proxy which might be incorrect so thought to check with you.
Hello @gdrabla
As you have multiple proxy nodes, you will need to:
I have replied to your direct message regarding the support request.
All the best,
Sonja
Hello @Sonja_Bauernfeind ,
I will followed the steps , will keep you posted about same. Fingers crossed.
I had similar issue while importing wild card certificate. The issue was related to folder, we had to import certificate in Personal folder instead of trusted root certificate.
After successfully installing a trusted certificate I am unable to access my QMC any longer. I believe its because I copied the Thumbnail from the new certificate to the Proxy of the Central node, any advice pls. (self managed windows Ent) Desperate to get back to QMC
Hello @Bamendaboyplus
Replacing the certificate thumbnail will not break the connection to the QMC. If it is incorrect, Sense will simply revert back to its self-signed certificate. Can you provide us with more information on the error you are seeing in the QMC as well as what is being logged? You can review the log files here: C:\ProgramData\Qlik\Sense\Log\.
It may be necessary for us to redirect this conversation to the forums for further troubleshooting or for a ticket to be logged.
All the best,
Sonja