How to configure the QlikView Management Console (QMC) to use HTTPS.
Environment:
QlikView 11.20
QlikView 12.00 to 12.10
QlikView November 2017 (12.20) and up
QlikView November 2018 (12.30) and up
Resolution:
Before starting, there is a first thing to consider: What certificate would you like to use?
There are 3 types of certificates:
- Commercial certificates
- Commercial certificate is trusted by most of devices in the world.
- It can only be purchased from one of many public Certificate Authorities such as Comodo or GlobalSign
- Corporate certificates
- Corporate certificate is trusted by devices within the organization.
- It can only be issued by the exact organization's IT department.
- Self-signed certificates
- Self-signed certificates is trusted by the machine which issued the certificate. By default it is not trusted by any other devices unless special configuration is done.
- It can be generated on Windows Server by either IIS, or PowerShell commands or other tools. Via IIS, find the option under Servername > Server Certificates > Create Self-Signed Certificate. Make sure to set its use for "Web Hosting". This certificate will be placed under the Certificate's snap-in > Local Computer > Trusted Root Certification Authorities > Certificates. It will need to be copied to Personal > Certificates via the Certificate snap-in. (Run > mmc > Add snap-in).
This article includes instructions for Self-signed certificates only.
One obstacle is how to create a Self-signed certificate on a server that does not have IIS installed?
If the Qlikview Management Service is installed on a server that does have IIS, you have several options.
1. You can temporarily install IIS role, open IIS and select Server Certificates to create a self signed certificate. Once you are done with the install and binding using netsh you can remove IIS role from the server
2. There are other server certificate tools available that can be used in lieu of installing the IIS role temporarily to generate the self signed certificate.
http://www.mcbsys.com/blog/2016/11/generate-an-ssl-certificate-request-without-iis/
https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm
Step 1: Install the Certificate in the Local Certificate Store, and implement SSL by binding the certificate in the host operating system.
Example command line prompt:
netsh http add sslcert ipport=0.0.0.0:4780 certhash=08c871933a58e072fed7ad65e2db6d5ad3eaf9fa appid={c749f5d4-272b-44db-9d63-78f7265eb04a}Note1: the actual IP address of the server may need to be used instead of 0.0.0.0 when performing the binding, if access should be restricted. If not, 0.0.0.0 is correct. Note2: the
appid value is a guid that can be generated by any compatible guid generator
Note3: It is common to receive an error
"The parameter is incorrect". See some reasons here. The most common reason is due to an invisible character in front of the Thumbnail string that comes from copying the text from the certificate properties. This can be confirmed and fixed by pasting the string to a text editor, and hitting the delete and/or backspace with the cursor in front of the string. If nothing happens when the delete key is pressed, the character was just removed. The second time Delete is pressed should delete the next character which confirms the issue.
Note4: To get current cert bindings type netsh http show sslcert
Step 2: Enabling the use of HTTPS in the Management Console.
Stop the QlikView Management Console
Open the file C:\Program Files\QlikView\Management Service\QVManagementService.exe.config
Modify the following tag: <add key="UseHTTPS" value="True"/>
Find the section <!-- ****** QlikView Management Service - FRONTEND ****** -->
Set the value to the port the certificate was bound to in the following tag: <add key="QMSFrontendWebServicePort" value="YOURPORT"/>
Restart QlikView Management Console and access it through https://YOURHOSTNAME or CERTIFICATENAME:YOURPORT/qmc