How to configure Certificate Authentication for Qlik Sense Monitoring Applications

Mike_Dickson
Support

Last Update:

Aug 1, 2024 3:58:55 PM

Updated By:

Mike_Dickson

Created date:

Apr 16, 2021 9:34:30 AM

Description:

This document explains the steps to configure the Qlik Sense Monitoring Applications (License Monitor, Operations Monitor, etc.) to use Certificate Authentication instead of the default Windows Authentication.

 

Environment:

 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

 

1. Export Qlik Certificates via the QMC

  • Use the FQDN of the central node for Machine name
  • Use Certificate Password
  • Check the box to Include secret key

2. Navigate to the path listed to obtain the exported certificates:

  • C:\ProgramData\Qlik\Sense\Repository\Exported Certificates

 

3. Copy the folder that was created and paste it into the Engine folder of ALL nodes that will be used to reload the Monitoring Applications

  • C:\ProgramData\Qlik\Sense\Engine\Certificates

 

4. Create a security rule that allows a user to access all Data Connections within the HUB

  1. Create rule from template = Data Connection Access
  2. Name = Data Connection Access
  3. Actions = Read / Update
  4. user --> name --> value = <userID>

 

4. Modify all REST Data Connections that are used by the Monitoring Apps. (e.g. monitor_apps_REST_app, monitor_apps_REST_appobject, monitor_apps_REST_xxxxxx, etc)

  1. Log into the HUB
  2. Open any application within your workspace to access the Data Load Editor
  3. Look for the Data Connections with the name monitor_apps_REST_xxxxxx
  4. Edit the Data Connection (Example monitor_apps_REST_app)
    1. URL = https://FQDNofCentralNode:4242/app/full
    2. Authentication Schema = Anonymous
    3. Certificate validation = Skip Server Certificate Validation
    4. Use certificate = From file
    5. PFX file name = <FQDN>\client.pfx
    6. PFX file password = (password used during export of certificates)
    7. Query Headers:
      1. Delete User-Agent = Windows
      2. Add X-Qlik-User = UserDirectory=INTERNAL; UserID=sa_api
    8. Test Connection and Save
  5. Log into QMC --> Data Connections --> Edit the Data Connection to remove the userID from the name.
    • e.g.: Change from monitor_apps_REST_app (domain_administrator) to monitor_apps_REST_app
  6. Repeat steps for all Data Connections with monitor_apps_REST_xxxxxx

 

5. Another way to update the rest of the data connections would be to modify them via the QMC

  1. Copy the Connection String from the one that was successfully updated via the HUB and paste into a notepad
  2. Copy the Connection String from one that still needs to be updated and paste into a notepad
  3. Update the second connection string with all of the information from the first one, BUT using the correct URL, and paste it into the Data Connection

 

6. Once all of the Data Connections have been modified, then you can attempt a Reload via the QMC of one of the Monitoring Applications (e.g: License Monitor)

 

 

PowerShell Script Option

Attached to the article is a zip file that includes a PowerShell script that can perform all of the steps above. You can download and extract the script to your Central node.

(Nothing is deleted by running this script, only renamed. If you would like to revert to the state before the script was run, just swap the Data Connections back in the QMC; the originals have -old appended to them.)

1. Run the script as your Qlik Sense Service Account on the Central Node

2. Old Data Connections used by the Monitoring Apps will be renamed, for example: monitor_apps_REST_app --> monitor_apps_REST_app-old

3. The Data Connections will be modified to use certificate authorization instead of Windows Authentication (This will create a password protected Certificate at [ProgramData]\Qlik\Sense\Engine\Certificates using the FQDN of the Central Node)

4. Additional considerations: In multi-node environments where the central node does not perform reloads, the certificate generated will have to be moved to the corresponding folders on the other nodes. By default, that is [ProgramData]\Qlik\Sense\Engine\Certificates\Central Node Name (keep the folder name the same).
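
The check below is an added example, not the script attached to this article and not Qlik code. Run on each node that reloads the Monitoring Applications, it confirms that <FQDN>\client.pfx sits under the Engine certificate folder from step 3, that it opens with the export password and carries the private key, and it lists broad Windows groups that are allowed to read the file. The parameter names and the set of groups treated as broad are assumptions of this example.

```powershell
# Added example (not the script attached to the article). Run on each reload node.
param(
    # Assumption: the FQDN typed as "Machine name" during the QMC export (step 1).
    [Parameter(Mandatory)] [string] $CentralNodeFqdn,
    # Engine certificate folder from step 3; change it if ProgramData was relocated.
    [string] $EngineCertRoot = 'C:\ProgramData\Qlik\Sense\Engine\Certificates'
)

$pfxPath = Join-Path (Join-Path $EngineCertRoot $CentralNodeFqdn) 'client.pfx'

# 1. The data connection uses "<FQDN>\client.pfx" relative to the Engine folder,
#    so the folder name on this node must match the value in the connection.
if (-not (Test-Path -LiteralPath $pfxPath -PathType Leaf)) {
    $found = Get-ChildItem -LiteralPath $EngineCertRoot -Directory -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    Write-Error "Missing $pfxPath. Folders present: $($found -join ', ')"
    return
}

# 2. The PFX must open with the export password and contain the private key.
$password = Read-Host -AsSecureString -Prompt 'PFX password (from the export)'
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
} catch {
    Write-Error "Cannot open $pfxPath : $($_.Exception.Message)"
    return
}
if (-not $cert.HasPrivateKey) { Write-Warning 'PFX has no private key; re-export with "Include secret key".' }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# 3. client.pfx plus its password is a credential: report broad groups that can read it.
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }
$rules = (Get-Acl -LiteralPath $pfxPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$broad = foreach ($r in $rules) {
    $sid = $r.IdentityReference.Value
    if ($r.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
        (([int]$r.FileSystemRights -band $readBit) -ne 0)) { $broadSids[$sid] }
}

[pscustomobject]@{
    PfxPath       = $pfxPath
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    BroadReaders  = @($broad | Select-Object -Unique) -join ', '
}
```

An empty BroadReaders value means none of the three groups has an allow rule with read access on the file; other accounts and groups are not evaluated by this check.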

Comments
agigliotti
Partner - Champion

Hi,
I noted the above PowerShell script creates the new data connections for the Operations Monitor App only.
Other data connections (monitor_apps_REST_license*) have been renamed to *-old, but the new connections using certificate authorization have not been created.
Would it be possible to fix the script?

Best Regards

Mike_Dickson
Support

Hello @agigliotti 

I can't say specifically why the new connection was not created in your environment, but the PowerShell script already does have the coding to create the (monitor_apps_REST_license_xxxxx). I just ran it again in my environment and you can see the 11 data connections with the owner being "sa_api"

data connections.JPG

agigliotti
Partner - Champion

Hi @Mike_Dickson ,

In my environment the Qlik Service user account does not have "RootAdmin" role.

Could this be the reason?

Mike_Dickson
Support

Hello @agigliotti 

The Service account should not need RootAdmin access for the script to fully import/update the data connections.

If you are having specific problems with this though and are not able to get it to work (even manually), I would suggest either posting a comment on the Qlik Community https://community.qlik.com/t5/Qlik-Sense/ct-p/qlik-sense to see if other users have run into this issue or creating a case with Support.

agigliotti
Partner - Champion

Hi @Mike_Dickson ,

I solved it by creating the missing data connections manually.
Thanks for your collaboration.
Best Regards

ChristopheDupont_BME
Contributor

@Mike_Dickson

Great! Great! Great!

Your script saved me!

Thanks a lot

AndyBurnsJPM
Contributor II

@Mike_Dickson what's the significance of the trusted locations parameter? In the PowerShell I see it is qrs_proxy, but above, when editing in the QMC, you have qrs-proxy

Mike_Dickson
Support

@AndyBurnsJPM 

The "trustedlocation=qrs_proxy" in the connection string is there because when we made the script and article all we did was copy the old data connection (which required it because it was doing Windows NTLM) and modified it to work with Certificates. It appears that there are some sections of the connection string that are not specifically needed. I tested this by removing it from the new data connection string that was created and it still worked.

AndyBurnsJPM
Contributor II

Thanks Mike. Makes sense!

ARe
Partner - Contributor II

@Mike_Dickson 

I used the PowerShell script and while reloading the monitoring app I got the error:

20230814T085756.101+0200 Certificate error: The certificate you are using is not located in the configured location.Please contact your administrator to confirm the correct location.
20230814T085756.102+0200 Error: Certificate error: The certificate you are using is not located in the configured location.Please contact your administrator to confirm the correct location.
20230814T085756.102+0200 Certificate error: The certificate you are using is not located in the configured location.Please contact your administrator to confirm the correct location.
20230814T085756.111+0200 Execution Failed
20230814T085756.121+0200 Execution finished.

 

The problem was that the PowerShell script applies some generic FQDN in the certificate path (...certificateFilePath=QlikServer1.domain.local...)

I'd suggest using a variable or asking the user to supply the path.

I solved the issue by manually editing the new data sources.

KR,

Andreas
