Re: Changing QMS api to HTTPS without using QVProx... - Qlik Community

Mats_E · ‎2020-10-27

Hi

I am looking into changing communication to QMS api to HTTPS. We mainly use the api to start jobs via EDX using QMSEDX. I have a few questions in relation to that.

1. Does QMSEDX support HTTPS. Can someone confirm this? From what i have read the answer is no it doesnt.

2. In this link (https://support.qlik.com/articles/000037701) it says to use QVProxy certificate (which is installed if you have setup certificate authentication). We have not setup certificate authentication and use NTLM instead. Can i not just use a regular signed certificate (signed by our own CA) and bind it to port QMS api uses in order to be able to communicate to QMS api via https?

Any info in relation to this is appreciated.

Regards

Brett_Bleess · ‎2020-11-05

@Mats_E There are two different things in play here, the one to which you are referring is just applying a certificate as you mentioned and changing the following QMS exe.config setting to true and binding your cert as you mentioned:

<add key="UseHTTPS" value="false" />

The other more entailed one you mentioned is the following:

https://help.qlik.com/en-US/qlikview/April2020/Subsystems/Server/Content/QV_Server/QlikView-Server/Q...

With the latter, all communication between the services is encrypted due to the self-signed cert, but in your case, you are just concerned with the QMS only communication, so the setting in the exe.config would be the way to go in that case, and I believe you have everything ready to go there from what you described, hope this helps.

I do know the client cert is necessary if you are using Certificate Trust option and want to connect EDX calls etc., but in your case since you are just changing the QMC connection only, I do not believe that should be necessary, but I am not certain. You will have to try things and see how it goes.

Believe I found a better article reference for you as well:

https://support.qlik.com/articles/000003889

Regards,
Brett

To help users find verified answers, please do not forget to use the "Accept as Solution" button on any post(s) that helped you resolve your problem or question.
I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.

Mats_E · ‎2020-11-06

Hi Brett

Thx for your reply. I have already changed QMC Management console page to HTTPS (certificate bound to port 4780). And thus

<add key="UseHTTPS" value="false" />

Has been changed to

<add key="UseHTTPS" value="True" />

Changing this setting to true does not appear to affect QMS Api communication (to port 4799) at all (and make it https enabled). It only seem to affect Management console webpage hosted by Management service (port 4780).

From what i have read you have QMS front end (which is Managenment console and port 4780). This is what <add key="UseHTTPS" value="false" /> controls.

Then you have QMS back end which is then the QMS api (port 4799).

This is also indicated in below link where it tells you what is needed to switch the QMS Api to HTTPS.
https://support.qlik.com/articles/000037701?_ga=2.118856329.1238173772.1604584438-458541645.15619897...

In this link it also says
"Prerequisites: - Certificates trust must be configured in the QlikView environment"

So that seem to indicate that i cannot just lets say bind another certificate to port 4799 as when reading about certificate trust it says you either enable it for all services or for none.

This seem to be what you are saying below aswell. Although note that you are mentioning QMC connection which mentioned has doesnt affect QMS api communication. So i can confirm that changing QMC connection only to HTTPS does not force you to have Certificate trust setup (as our current configuration is <add key="UseWinAuthentication" value="true"/>)

I do know the client cert is necessary if you are using Certificate Trust option and want to connect EDX calls etc., but in your case since you are just changing the QMC connection only, I do not believe that should be necessary, but I am not certain. You will have to try things and see how it goes.

So to summarise it doesnt seem likely that i can bind a certificate to 4799 and not change to full certificate trust. But i guess i can test it.

sebastianQlik · ‎2023-03-29

Hi Mats_E,

I am currently working on the same issue. Were you able to test the integration of your own certificate (without "Certificate trust")? Does it work?

thanks a lot!

regards, sebastian

Mats_E · ‎2023-03-29

Hi Sebastian

No i haven't tested it yet. I will most likely in coming months though.

Regards Mats

nasarkhann · ‎2024-01-28

Hello Mats, I am currently working on the same issue. Does it work?

Changing QMS api to HTTPS without using QVProxy certificate