Re: Qlik Sense Server: Repository API Endpoint doe... - Qlik Community

dgoehler · ‎2014-11-02

Hi,

we setup the Qlik Sense Server and change the SSL Certificate. We set the SSL browser certificate thumbprint.

After restarting the server, hub and qmc responded with that certificate, also the QPS Service.

But QRS and QPS REST service respond with that certificate which was generate while installing. How can I change that?

Best regards,

Daniel Göhler

markhavi · ‎2015-06-29

Dear Daniel,

Did you manage to solve the problem? I'm facing the same problem right now and have no clue how to solve it.

dgoehler · ‎2015-06-29

Hi Mark,

unfortunately, I found no solution for this problem.

Anonymous · ‎2015-06-29

When you change the thumbprint in the QMC, you are actually only changing which certificate should be used when negotiating the TLS handshake with the end-users browser. It does not change the service certificates, since that is a different set of certificates.

dgoehler · ‎2015-06-29

Hi Magnus,

the big question is now: How do I change these service certificates?

Anonymous · ‎2015-06-29

Which use-case requires you to change them?

The short answer is however, you dont. Those particular certificates are created during installation and used by the services to communicate with each other in a secure manner. If you want to be part of that direct communication, and not go through the proxy, you need to use their certificates.

I may need someone to verify this, but I think most APIs can be reached through the proxy, which would mean that the thumbprint-specified brower certificate is used.

dgoehler · ‎2015-06-29

My use case is:
I create a Ticket via the REST API (https://server:4243/qps/ticket) to access and integration the Qlik Sense Server in an IFRAME of 3rd Party Web Application without logon every single time. In order to do that, I had to disable the Certificate Validation (e.g. C#: ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };), which is nothing you want do with you precious company data on a public wifi in a coffee shop or airport, because there is always the possibility of a Man-in-the-Middle-Attacks (MITM). (Furthermore there is also the possibility of dns poisoning‌‌ + MITM, if you are not in the office).
Please also consider: Your generated certificate that last only 10 years. I can change the other certificates for the hub, the qmc and the browser certificates. But what happens on 10 Years + 1 Day with the Repository API Endpoint (internally and externally)? Does the Qlik Sense server Validates the Repository API Endpoint Certificate and starts to fail or is there no validation? Or what would happen?

Anonymous · ‎2015-06-29

Have a look at the manual regarding how to work with the certificates to communicate with the services. This is a good place to start: http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/PlanningQlikSenseDeployments/Content/Serv...

The repository validates the service certificates automatically. Failing that, manual intervention can solve any potential issue with the certificates, including renewal.

dgoehler · ‎2015-06-29

I'm sorry, but I did find anything on changing the QRS or QPS REST Certificate.

Anonymous · ‎2015-06-29

The documentation describes how to work with the existing service certificates, not how to change them. The documentation (coupled with the dev manual http://help.qlik.com/sense/2.0/en-us/developer/) may also be of help when developing a solution where you dont have to disable the certificate validation.

Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate