Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Mar 29, 2023 6:35:54 AM
Oct 29, 2014 7:39:47 AM
Content:
If you’ve just installed Qlik Sense Enterprise, then this image probably looks familiar. Alternatively, Chrome might display The site's security certificate is not trusted, while Firefox may report This Connection is Untrusted.
By default, Qlik Sense uses a self-signed certificate to enable HTTPS access across both the Hub (https:// YourSenseServer/hub) and the Management Console (https://YourSenseServer/qmc). But self-signed certificates cannot be validated or trusted by web browsers and tend to prompt a warning message.
To establish a secure HTTPS connection, the browser must trust the SSL/TLS certificate installed on the server. In the case of self-signed certificates, the signing Certificate Authority is not trusted, hence no certificates generated by the CA are trusted.
To install a trusted certificate for use with the Qlik Sense Enterprise on Windows Hub and Management Console, we need:
These instructions are for replacing the certificate used for accessing the Qlik Sense Hub and Management Console. The certificate used for service communication cannot be replaced.
For video Transcript click here
During the initial install, the Qlik Sense Repository Service creates a set of certificates. Their purpose is to secure Service Communication and Service Authentication.
Qlik Sense uses certificates to authenticate its service across all nodes. See the Qlik Sense Online Help for details. In addition, other products (such as Qlik NPrinting) require these certificates to be establish a connection.
This self signed certificate is then also used to secure hub and Management Console access through HTTPS.
We will not modify, replace, or remove the originally created certificates. Doing so will break service communication.
What we’ll do instead is to add an additional one.
There are three possible types of certificates for us to use.
When support gets questions, they are most often related to a certificate missing the private key. Always verify the certificate comes bundled with one when you install it.
It’ll look like this:
The Certificate Authority you chose will have instructions for this, and if you are looking to get a self-signed one or one from your corporation's CA, then a local administrator can provide the certificate to you.
Either way, you are going to need to generate a Certificate Signing Request (CSR) to pass on to your CA. There are tools out there to get that done with, such as certreq from Microsoft (found here), and SSLhopper has a great article on that, which I often send to customers when they ask us about CSRs and how to do them.
Once you obtain the certificate, we'll move on to installing it and activating it in Qlik Sense. This will be done in three quick steps:
As mentioned before, we are not replacing certificates. The already existing ones will not be deleted. Doing so would break service authentication between the individual Qlik Sense services and render the system… broken.
On the Qlik Sense node running the Qlik Sense Proxy, log on with the user running the Sense services. This is important since the certificate needs to be accessible for this account.
If the certificate was saved in the .pfx format, then all you need to do is double click the file. Follow the prompt to import the certificate into the Personal store.
If you want to import it manually or verify if it was correctly installed:
Well, since we are already in the MMC, let's open the freshly installed certificate again.
Almost done!
Click Apply.
The Sense Proxy will now restart. During the restart, it will be using Windows API calls to correctly bind the new certificate to its SSL ports.
In the web browser:
When opening the Qlik Sense Hub or QMC, the certificate will now be displayed in the browser. This may look different depending on the web browser, but in Google Chrome you can click the padlock to the left of the URL to verify what certificate is used.
The information displayed needs to match the properties of the certificate you installed.
In the log files:
If you’d rather see what the Qlik Sense Proxy service is doing, then you can directly check up on that, too.
On the Proxy node, go to C:\ProgramData\Qlik\Sense\Log\Proxy\Trace and open the Security log file from just after the last start.
It will now print a slightly different message than before:
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester DOMAIN\_service Setting crypto key for log file secure signing: success
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey DOMAIN\_service retrieving symmetric key from cert: success
Security.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey DOMAIN\_service setting crypto key: success
Security.Proxy.Qlik.Sense.Communication.Security.CertSetup 'CN=localhost' (08C871933A58E072FED7AD65E2DB6D5AD3EAF9FA) as SSL certificate presented to browser, which is a 3rd party SSL certificate
And that's it!
There isn't much more to it in a standard Qlik Sense Enterprise installation, but if you have more questions, then maybe a few of these articles can help:
Receiving Bad Request 400?
Make sure the URL/FQDN you are using to access the Hub and QMC is correctly added to the WebSocket Allow List: How to configure the WebSocket origin allow list and best practices
I applied my certificate and it seems to be using it correctly, but browsers are still saying the Common Name is Invalid?
ERR_CERT_COMMON_NAME_INVALID when using 3rd party certificate
Qlik Sense keeps reverting to the default and complains it can't find a valid ssl certificate with the thumbprint.
The certificate may not have a Private key or the service account does not have access to it.
How to: Manage Certificate Private Key
The Qlik Sense Service account doesn't have admin privileges and the certificate is not accepted.
Hello @bmenicucci
Qlik Sense does not come with a web server that allows you to host a file in a custom folder structure like this. If you require a web server to host a file, we would need to recommend a third party web server, such as IIS.
I would suggest connecting with the customer support of the org where you are attempting to purchase the certificate from, as they should be able to provide you with information on this.
All the best,
Sonja
Hello @bmenicucci
We cannot recommend having it installed on the same server (while in production). You are likely to run into port conflicts. But if this validation is only required once, you can shut down the Qlik Sense services during a maintenance window, set up IIS, do your validation, and then uninstall/disable IIS to return to the normal Qlik Sense operation.
But as I mentioned: This is something you'd want to check with the vendor you are trying to purchase the certificate from.
All the best,
Sonja
Does anything have to be done to VIRTUAL PROXIES, after a new certificate is set up?
The only changes necessary when swapping to a 3rd party certificate are outlined in this guide. No modifications need to be done to the Virtual Proxy. All Virtual Proxies using the Proxy the cert is configured for will use this cert.
All the best,
Sonja
@Sonja_Bauernfeind we had to generate SP Metadata for all of our virtual proxies which had been individually configured with SAML authentication, after we updated our certificate. Had to send these new files to our team that handles SAML, and they had to do some updates with those files before our virtual proxies that had specific/different SAML set up started working again. This was on our QAP system where several virtual proxies are set up to have different SAML authentication.
ps, this article helped us get it all working !
Hello @Ken_T !
I am glad the article helped! And based on what you explained here: Yeah, alright, I only considered out of the box (going directly to the hub) in my reply and did not take into consideration possible customizations that rely on certificates. That's a very good point! Thank you for bringing it up and leaving the note here.
All the best,
Sonja
@Sonja_Bauernfeind @Andre_Sostizzo -
Our vulnerability Scanning Team scanning our servers with -
Server Name | Port | Process | Process Description Name | Location |
|
443 | proxy.exe | Qlik Sense Proxy Service | C:\Program Files\Qlik\Sense\Proxy |
Proxy Node Scheduler Node Engine Node 1 Engine Node 2 |
4242 | ntoskrnl.exe | NT Kernel & System | C:\Windows\System32 |
5926 | dotnet.exe | .NET Core Host | C:\Program Files\Qlik\Sense\ServiceDispatcher\dotnet | |
5927 | dotnet.exe | .NET Core Host |
C:\Program
Files\Qlik\Sense\ServiceDispatcher\dotnet |
Hello @gdrabla
It looks like you are attempting to change the service communication certificate. This is not currently possible; Qlik Sense can only operate with its own certificate.
This article documents how to change the certificate used on the hub and management console; so the certificate seen in the browser when users access either.
So, to answer your questions in turn: