Sean_BI
Creator

Enable SSL and digital certificate

Dear QV support team -

I have a 2 node qv enterprise license (no publisher license) installed on win 2016. The installation was straightforward. In one machine all the services (except publisher) were installed with qlikview administrator group (Service Authentication method) while installing.

In another machine/node only qlikview server service is installed (qlikview administrator group (Service Authentication method)) to have HA (high availability). The load balance was "Random".

Defined cluster group with these two machines.

I was good till this stage.

Now, I need to enable SSL, so that the communication between services is secure. (https://)

I need to know how to configure SSL for these qv services. I also tried re-installing qv with (Use digital certificates) while installing.

Do I need a digital certificate created by a CA? If yes, where do I get it created and how do I configure the digital certificate?

Also, I need to know how to configure a DNS (https://qv.abccompany.in) in QMC as the users will be using this URL to connect to access point.

Appreciate early response.

 

 

4 Replies
Chip_Matejowsky
Support

Hi @Sean_BI,

First off, can you clarify what your intention is with the multi-server environment if you're not going to use Publisher? If you want to split the QlikView Distribution Service (QDS) to its own server, a Publisher license is required.

If you want to ensure the QlikView services installed on separate servers communicate securely, then you'll want to use the digital certificate installation option. It is possible to change an existing installation from AD groups (administrators) to certificates (How to Change QlikView Services Authentication from Active Directory Groups to Certificates), but the most efficient method is to uninstall and reinstall and choose the certificate option. Reinstalling with certificate option will also ensure that when version upgrades are performed, the services authentication doesn't revert back to AD groups.

For QV services authentication via certificate, a third-party cert isn't required. QV will generate the necessary certs for you. See the online help "Configuring servers with digital certificates" for this information.

To configure HTTPS/SSL for end user use, see the Qlik Support article "How To Setup HTTPS / SSL with QlikView AccessPoint (WebServer and IIS)".

Hope this helps

Principal Technical Support Engineer with Qlik Support
Sean_BI
Creator
Author

Thank you Chip -

The publisher license is not used because there was no need to reduce and distribute qlikview docs. I plan for EDX (currently not installed) for task reloads based on the date/time of the ETL table load. Appreciate if you guide me in setting up EDX.

The intention of having multi-server environments is because of HA (high availability) and to ensure two server environments can support the load balancing request.

There is also a DR server (two nodes) which is used for resilience. 

As I have 2 prod servers (two nodes where qlikview services are in active mode) and 2 DR servers (same setup as prod, but qlikview services are in passive mode).

Regarding the certificates, I agree with you on reinstalling with digital certificate as authenticating mechanism. But I am unsure where to start. I've obtained a digital certificate issued by my company. I am unsure what I need to do to configure the digital certificate.

Thank you!

Sean.

 

 

Sonja_Bauernfeind
Digital Support


@Sean_BI wrote:

Regarding the certificates, I agree with you on reinstalling with digital certificate as authenticating mechanism. But I am unsure where to start. I've obtained a digital certificate issued by my company. I am unsure what I need to do to configure the digital certificate.


Hello Sean,

Since you are talking about communication between the services, what you want is to have the system set up to use certificate trust. This does not require you to purchase or otherwise obtain a certificate. All of that is done automatically by the QlikView management console at startup when you have selected to use Certificate Trust between the services, rather than Windows Administrator Groups.

A self-signed set of certificates is created on startup, and following the instructions on the Help site you can see how those are then transferred to the other nodes as you add the services to the Management Console.

Again, no certificate needs to be purchased.

The only time you will need to buy your own certificate or obtain one elsewhere, is if you want to have https:// available for the AccessPoint. Certificate Trust between the services does not enable https:// on the AccessPoint, but merely changes how the services authenticate between each other. 

Brett_Bleess
Former Employee

Hey Sean,

Just wanted to provide some final clarification for you if you are still working through things on this one. Chip and Sonja have provided the right solution, but I just wanted to clarify that the Certificate Trust/Digital Certificate option only takes care of encrypting the service traffic between our services; that will not do anything for you regarding client to web server...

For the latter part, client to web server, that is where you want to use the certificate you got from your company. You just need to bind that to your web server, assuming you are likely using IIS, so that part should not be too difficult. The trickier part is the DNS setup; your network team should be able to assist you with that, I think.

Hopefully you already have this all figured out. I just wanted to add the final clarification for you here; shout if you still have questions.

Regards,
Brett

I now work a compressed schedule, Tuesday, Wednesday and Thursday, so those will be the days I will reply to any follow-up posts.
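
The client-to-web-server step described in the replies above, as an added example that is not part of the original thread or of Qlik's documentation: it imports a company-issued certificate, checks that it is usable for the AccessPoint host name, and binds it to an HTTPS listener in IIS. Assumptions: AccessPoint is served by IIS, the certificate was delivered as a PFX with its private key, and the site name and file path are placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the server hosting AccessPoint in IIS.
Import-Module WebAdministration

$hostName = 'qv.abccompany.in'             # host name users will type (from the question)
$siteName = 'Default Web Site'             # assumption: IIS site that hosts AccessPoint
$pfxPath  = 'C:\certs\accesspoint.pfx'     # placeholder path to the company-issued PFX

# 1. Import certificate and private key into the machine store that IIS reads from.
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
                -CertStoreLocation Cert:\LocalMachine\My
$cert     = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# 2. Fail early on the usual causes of browser warnings after binding.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate was imported without a private key; IIS cannot serve it.'
}
# Show the names the certificate covers so a mismatch is obvious to the operator.
$sans = $cert.DnsNameList | ForEach-Object { $_.Unicode }
Write-Host "Certificate covers: $($sans -join ', ')"

# Test-Certificate validates the chain, the validity period and the DNS name
# against the SSL policy, using this server's trusted root store.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName)) {
    throw "Certificate is not trusted or not valid for $hostName on this server."
}

# 3. Create the HTTPS binding if it does not exist yet (SslFlags 1 = SNI).
$existing = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 `
        -HostHeader $hostName -SslFlags 1
}

# 4. Attach the certificate to that binding by thumbprint.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

Write-Host "Bound $($cert.Thumbprint) to https://$hostName on '$siteName'."
```

The DNS record for the host name still has to point at this server (or at the load balancer in front of the cluster), and the certificate trust used between the QlikView services is unaffected by this binding.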