Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
dgoehler
Partner - Contributor III
Partner - Contributor III

Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Hi,

we setup the Qlik Sense Server and change the SSL Certificate. We set the SSL browser certificate thumbprint. 002.png

After restarting the server, hub and qmc responded with that certificate, also the QPS Service.003.png

006.png

But QRS and QPS REST service respond with that certificate which was generate while installing. How can I change that?004.png

005.png

Best regards,

Daniel Göhler

9 Replies
markhavi
Contributor III
Contributor III

Dear Daniel,

Did you manage to solve the problem? I'm facing the same problem right now and have no clue how to solve it.

dgoehler
Partner - Contributor III
Partner - Contributor III
Author

Hi Mark,

unfortunately, I found no solution for this problem.

Anonymous
Not applicable

When you change the thumbprint in the QMC, you are actually only changing which certificate should be used when negotiating the TLS handshake with the end-users browser. It does not change the service certificates, since that is a different set of certificates.

dgoehler
Partner - Contributor III
Partner - Contributor III
Author

Hi Magnus,

the big question is now: How do I change these service certificates?

Anonymous
Not applicable

Which use-case requires you to change them?

The short answer is however, you dont. Those particular certificates are created during installation and used by the services to communicate with each other in a secure manner. If you want to be part of that direct communication, and not go through the proxy, you need to use their certificates.

I may need someone to verify this, but I think most APIs can be reached through the proxy, which would mean that the thumbprint-specified brower certificate is used.

dgoehler
Partner - Contributor III
Partner - Contributor III
Author

  • My use case is:
    I create a Ticket via the REST API (https://server:4243/qps/ticket) to access and integration the Qlik Sense Server in an IFRAME of 3rd Party Web Application without logon every single time. In order to do that, I had to disable the Certificate Validation (e.g. C#: ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };), which is nothing you want do with you precious company data on a public wifi in a coffee shop or airport, because there is always the possibility of a Man-in-the-Middle-Attacks (MITM). (Furthermore there is also the possibility of dns poisoning‌‌ + MITM, if you are not in the office).
  • Please also consider: Your generated certificate that last only 10 years. I can change the other certificates for the hub, the qmc and the browser certificates. But what happens on 10 Years + 1 Day with the Repository API Endpoint (internally and externally)? Does the Qlik Sense server Validates the Repository API Endpoint Certificate and starts to fail or is there no validation? Or what would happen?
Anonymous
Not applicable

Have a look at the manual regarding how to work with the certificates to communicate with the services. This is a good place to start: http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/PlanningQlikSenseDeployments/Content/Serv...

The repository validates the service certificates automatically. Failing that, manual intervention can solve any potential issue with the certificates, including renewal.

dgoehler
Partner - Contributor III
Partner - Contributor III
Author

I'm sorry, but I did find anything on changing the QRS or QPS REST Certificate.

Anonymous
Not applicable

The documentation describes how to work with the existing service certificates, not how to change them. The documentation (coupled with the dev manual http://help.qlik.com/sense/2.0/en-us/developer/) may also be of help when developing a solution where you dont have to disable the certificate validation.