Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
QlikWorld 2020: Join us May 11 - 14, 2020 in Phoenix, AZ. Register early and save $400. Learn More
Highlighted
Not applicable

Configure QRS certificate on Sense Server

Hi,

I've successfully changed the SSL browser certificate thumbprint in the QMC. The new certificate is used when I open the hub or qmc in my browser.

However, the server certificate returned when I call the QRS (on port 4242) isn't changed. The QRS still uses the certificate that's generated by Qlik. Is there a way to configure the certificate that's used by the QRS?

Thanks in advance.

Danny

5 Replies
Not applicable

Re: Configure QRS certificate on Sense Server

Hi Danny,

How are you contacting QRS?  Are you using ticketing, header, or session auth to connect?  What tools are you using to identify the QRS is using the Qlik generated certs.  I'd like to do some testing with this so any information you may be able to supply is helpful.

jg

Not applicable

Re: Configure QRS certificate on Sense Server

Hi Jeffrey,

I use a .NET REST client (http://restsharp.org/) to communicate with the QRS, similar to the example shown here: http://help.qlik.com/sense/en-us/developer/#../Subsystems/RepositoryServiceAPI/Content/RepositorySer...

I would like to get rid of the following line of code:

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) => true;

I know I can add the Qlik certificate to the certificates store of the client making the request. Then the code above is no longer needed to make things work. However, I'd like to be able to add additional 'qlik sense clients' to my solution, without adding certificates to the client's certificate store. That's why I'd like to use a certificate issued by an authority that's already trusted by all clients in my domain.

I found that the Qlik certificate is still being used by opening the QRS url (https://myqlikserver.com:4242) in my browser and viewing the certificate information that's sent by the server.

The same certificate info is visible when I put a breakpoint in the ServerCertificateValidationCallback delegate.

Danny

Not applicable

Re: Configure QRS certificate on Sense Server

What about using a wildcard server cert? If you change the server cert the Sense servers use through the security thumbprint then I think you can get rid of of the ServicePointManager call.

I imagine that may work the way you want.

Not applicable

Re: Configure QRS certificate on Sense Server

Actually, I've used the thumbprint of our wildcard certificate. But the server certificate used when calling the qrs on port 4242 is still the auto-generated qlik certificate.

Even when I remove this certificate from the server's certificate store, next time I connect, a new certificate is generated and used.

Not applicable

Re: Configure QRS certificate on Sense Server

FYI, I got response from the Qlik Sense team:

you cannot change those certificates, they are generated by the Qlik Sense Installation itself which will detect and remove and regenerate invalid certificates. Additionally the root certificate is used to unlock the secured parts of the repository and so changing it will break the Sense installation. This makes it extremely important to ensure that the root certificate is backed up.


http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/PlanningQlikSenseDeployments/Content/Serv...