Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Apr 24, 2023 2:57:15 AM
Jan 31, 2012 3:48:05 AM
QlikView is installed with the AccessPoint (http://YourWebServer/qlikview/index.htm) and Management Console (http://YourQMCServer:4780/qmc/) accessible through HTTP only. Understandably, you might want to switch these over to HTTPS.
If you're looking to implement HSTS (HTTP Strict-Transport-Security) as well, see QlikView HSTS (HTTP Strict-Transport-Security response header).
Content:
Note: This article does not cover the configuration of Certificate Trust between the QlikView services. For more information about Certificate Trust, check out the QlikView Online Help.
No. While the AccessPoint is hosted by the QlikView WebServer (QVWS) service, the Management Console is directly served by the QlikView Management Service (QMS).
That means if you wish to swap both from HTTP to HTTPS, both services will need to be individually configured.
But you only need one certificate.
In this article we assume that the AccessPoint web server currently in use is the QlikView WebServer (QVWS). The QlikView AccessPoint can be hosted by Microsoft IIS as well, but Microsoft IIS has its own instructions on how to import an SSL certificate for one of its sites. A guide can be found attached to this article.
There are three possible types of certificates for us to use:
As far as formats and algorithms are concerned, the following are confirmed to work with QlikView:
The Certificate Authority you chose will have instructions for this, and if you are looking to get a self-signed one or one from your corporation's CA, then a local administrator can provide the certificate to you.
Either way, you are going to need to generate a Certificate Signing Request (CSR) to pass on to your CA. There are tools out there to get that done with, such as certreq from Microsoft (found here), and SSLhopper has a great article on that, which I often send to customers when they ask us about CSRs and how to do them.
Once you obtain the certificate, we'll move on to installing it and binding it to the desired ports.
We only need to import/install it once (unless you have your services across multiple machines).
On the QlikView node running the QlikView WebServer, log on with the user running the QlikView services. This is important since the certificate needs to be accessible for this account.
(Optional:) If you want to switch the Management Console to HTTPS as well, and the services are not on the same machine, repeat the step on the node running the QlikView Management Service.
If the certificate was saved in the .pfx format, then all you need to do is double-click the file. Follow the prompt to import the certificate into the Personal store.
If you want to import it manually or verify if it was correctly installed, then we'll need to do a little more work.
Next, we need to manually bind the certificate to the correct port and IP address. This is done using either PowerShell or the Windows command prompt and the netsh command. For details on netsh, see the official Microsoft documentation.
Since we are already in the MMC, let's open the freshly installed certificate again and:
There is a wide range of different tools available to generate GUIDs. My favorite is https://www.guidgenerator.com/
Click Generate some GUIDs! Copy that into Notepad as well.
(Optional:) Generate and save two if you want to use one for the Management Console as well.
Open either PowerShell or a Windows command prompt with elevated permissions.
Let's assume the thumbprint is 55ab3131fbd585ad3ad817f25aee025a51a2ffb5 and the GUID is e23183e3-c874-467a-bd39-d110cd066f1f. Based on this, we will build the following command:
netsh http add sslcert ipport=0.0.0.0:443 certhash=55ab3131fbd585ad3ad817f25aee025a51a2ffb5 appid={e23183e3-c874-467a-bd39-d110cd066f1f}
netsh http add sslcert ipport=0.0.0.0:4780 certhash=55ab3131fbd585ad3ad817f25aee025a51a2ffb5 appid={UseTheSecondGUID}
We are using ipport=0.0.0.0 in our examples. If you wish to restrict the target IP address, meaning only a specific IP address can be used in combination with this certificate, then specify that here.
Also, note how we are using port 4780 for the Management Console. You can choose a different port. Instructions for that are a little further down.
If you wish to verify the port bindings, use the netsh http show sslcert command line.
It should look like this:
IP:port : 0.0.0.0:443
Certificate Hash : 55ab3131fbd585ad3ad817f25aee025a51a2ffb5
Application ID : {e23183e3-c874-467a-bd39-d110cd066f1f}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Almost done!
Information register prefix: "https://+:443/scripts/"
Information register prefix: "https://+:443/qvajaxzfc/"
Information register prefix: "https://+:443/scripts/"
Information register prefix: "https://+:443/qlikview/"
Information register prefix: "https://+:443/qvdesktop/"
Information register prefix: https://+:443/qvplugin/
The QlikView AccessPoint can now be opened using https://YourWebServer/qlikview.
<add key="UseHTTPS" value="True"/>
<!-- ****** QlikView Management Service - FRONTEND ****** -->
Set the value to the port the certificate was bound to in the following tag:<add key="QMSFrontendWebServicePort" value="YOURPORT"/>
If, during the binding process, you are getting an error of The parameter is incorrect, then this is likely caused by a hidden character copied along with the certificate thumbprint. Use your arrow keys to the left and right of the copied key to see if there is a blank space that needs to be removed.
Do you require additional configuration elsewhere when using another port number other than the default 443?
No special steps are required for the QlikView product. Additional steps may need to be performed in the environment, such as opening this port for traffic on firewalls or allowing traffic through proxies.
I skipped the configuration on the IIS to use SSL, which is important for getting SSL to work with QV Webserver.
Also, I didn't have to make any modifications to the Webserver config.xml
Andre, thanks a lot for posting this!
I have a question to anyone who can help. I am really bad at system engineering: this has never been my job, but the two QlikView system experts in the company have both left (one has resigned and one is in sick leave since early 2019), and the company will not hire a new one. Here is my doubt: is there any "risk" in doing this HTTPS setup? I mean, something like QlikView stops working and it's hard to restore? And by the way, is it possible to "roll back" in case of issues/malfunction?
Thanks,
Francesco
@francescopuppin Pertaining to QlikView itself using a secure access point requires WebServer and sometimes WebServer config file configurations.
So rolling back would simply mean changing the communication port back to its default and replacing the configure backup file in the WebServer repository.
@francescopuppin I can confirm @BrunPierre 's statement. All you need to do is revert the settings back to what they were before.
This applies to both IIS and QVWS.
Thank you @BrunPierre and @Sonja_Bauernfeind !
Thank you @Andre_Sostizzo for this article:
is the netsh command the same for updating a certificate?
I think I have only to give a new thumbprint value, is it right?
The command "netsh http update..." is available for updating bindings.
Is there a way to allow both HTTP and HTTPS communication? I assume this disables HTTP and enables HTTPS? I ask because I don't want to enable HSTS to force communication over HTTPS yet.