Qlik Community

New to Qlik Sense

Discussion board where members can get started with Qlik Sense.

dgoehler
New Contributor III

Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Hi,

we setup the Qlik Sense Server and change the SSL Certificate. We set the SSL browser certificate thumbprint. 002.png

After restarting the server, hub and qmc responded with that certificate, also the QPS Service.003.png

006.png

But QRS and QPS REST service respond with that certificate which was generate while installing. How can I change that?004.png

005.png

Best regards,

Daniel Göhler

9 Replies
markhavi
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Dear Daniel,

Did you manage to solve the problem? I'm facing the same problem right now and have no clue how to solve it.

dgoehler
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Hi Mark,

unfortunately, I found no solution for this problem.

mhk
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

When you change the thumbprint in the QMC, you are actually only changing which certificate should be used when negotiating the TLS handshake with the end-users browser. It does not change the service certificates, since that is a different set of certificates.

dgoehler
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Hi Magnus,

the big question is now: How do I change these service certificates?

mhk
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Which use-case requires you to change them?

The short answer is however, you dont. Those particular certificates are created during installation and used by the services to communicate with each other in a secure manner. If you want to be part of that direct communication, and not go through the proxy, you need to use their certificates.

I may need someone to verify this, but I think most APIs can be reached through the proxy, which would mean that the thumbprint-specified brower certificate is used.

dgoehler
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

  • My use case is:
    I create a Ticket via the REST API (https://server:4243/qps/ticket) to access and integration the Qlik Sense Server in an IFRAME of 3rd Party Web Application without logon every single time. In order to do that, I had to disable the Certificate Validation (e.g. C#: ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };), which is nothing you want do with you precious company data on a public wifi in a coffee shop or airport, because there is always the possibility of a Man-in-the-Middle-Attacks (MITM). (Furthermore there is also the possibility of dns poisoning‌‌ + MITM, if you are not in the office).
  • Please also consider: Your generated certificate that last only 10 years. I can change the other certificates for the hub, the qmc and the browser certificates. But what happens on 10 Years + 1 Day with the Repository API Endpoint (internally and externally)? Does the Qlik Sense server Validates the Repository API Endpoint Certificate and starts to fail or is there no validation? Or what would happen?
mhk
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

Have a look at the manual regarding how to work with the certificates to communicate with the services. This is a good place to start: http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/PlanningQlikSenseDeployments/Content/Serv...

The repository validates the service certificates automatically. Failing that, manual intervention can solve any potential issue with the certificates, including renewal.

dgoehler
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

I'm sorry, but I did find anything on changing the QRS or QPS REST Certificate.

mhk
New Contributor III

Re: Qlik Sense Server: Repository API Endpoint doesn't uses my Cerificate

The documentation describes how to work with the existing service certificates, not how to change them. The documentation (coupled with the dev manual http://help.qlik.com/sense/2.0/en-us/developer/) may also be of help when developing a solution where you dont have to disable the certificate validation.