mbespartochnyy
Creator III

What is the purpose of QlikClient Certificate?

I'm trying to understand what QlikClient certificate is used for. More specifically, I'm referring to this certificate:

[Screenshot: mbespartochnyy_0-1734655233462.png]

The best explanation I found is in this Qlik documentation which states:

"The client certificate and client private key are used for client authentication when your service acts as a client, that is, when your service calls an API in another service."

That probably makes sense to someone who is knowledgeable in cybersecurity and networking space but, admittedly, I'm struggling to understand what that means. When I read that sentence I thought "When my service acts as a client? What service of mine is it talking about?"

Plus it's not 100% clear that it's talking about QlikClient certificate so that document might not be relevant at all.

Does anyone know what role the QlikClient certificate plays in a Qlik Sense server? When is this certificate being used and what for?


Accepted Solutions
Levi_Turner
Employee

This will be simplified, but let's imagine the journey of a reload task that is scheduled at 9AM:

  1. The Repository Service checks the Repository Database for the schedule
  2. On the appointed time, the Repository Service checks to see what Scheduler Services are running and permitted to perform reloads (Slave, Worker)
  3. Each Scheduler Service requests their local Engine's current load
  4. Each Scheduler Service reports back the current load to the Repository
  5. The Repository Service allocates the reload task to the least busy Scheduler Service
  6. The appointed Scheduler Service tells its local Engine to perform the reload

In each of steps 2-6, a service is acting as the client (also known as making a request) and another service is acting as a server (also known as receiving a request / replying to the request). In step 2, the QRS is the client and the QSS is the server. In each of these exchanges, the client service will send the QlikClient certificate to both encrypt the traffic and verify the authenticity of the request and the server service will use the server certificate to receive traffic.


mbespartochnyy
Creator III
Author

Ah, I think I understand it now! While Qlik Sense is operational, the services that are operating it are constantly communicating with each other.

To secure these communications, when a Qlik Sense service is making a request (acting as a client) it is encrypting the request using QlikClient certificate and its private key.

And when a Qlik Sense service is responding to a request, it is encrypting the response using the server certificate and its private key.

Then, to complete the picture, there's also a server certificate that is stored in Trusted Root Certification Authorities store which is used to validate authenticity of both QlikClient and server certificates.

In short, QlikClient certificate is used to encrypt communications of Qlik Sense services whenever a Qlik Sense service takes on a role of a client (i.e. is making a request). Is that right?

Levi_Turner
Employee

Broadly, yes. To be technical, the certificate in the Trusted Root store (MMC > Certs > doesn't matter the store > Trusted Root) and the server certificate (MMC > Certs > Local Server > Personal) aren't the same thing. The root is the root. It is used to generate the server and client. That chain of trust is validated when using certs for inter-service communication (and API calls).

mbespartochnyy
Creator III
Author

Understood. Thank you!

P.S. I appreciate you adding an example. I love examples! They help translate unfamiliar topics to something relatable and familiar. I worked with Qlik Sense for seven years and this is the first time I'm finally able to get clarity on what the QlikClient cert is used for. Your answer and example helped. Thanks again!
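
The chain of trust described in the thread (one root that generates both the server and the client certificate, validated on each inter-service call) can be reproduced in a lab with `openssl`. This is an added example, not part of the original posts and not Qlik's own certificate tooling; the `lab-*` names, the function names and the `clientAuth`/`serverAuth` extended key usages are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI. Names and EKUs are assumptions, not Qlik's.
set -eu

# build_lab_pki <dir>: one self-signed root that issues a server and a client cert.
build_lab_pki() {
  local dir=$1 role
  # Root CA: plays the part of the certificate in Trusted Root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Extended Key Usage ties each leaf certificate to one TLS role.
  printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$role.csr" -days 1 \
      -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
      -extfile "$dir/$role.ext" -out "$dir/$role.pem" 2>/dev/null
  done
}

# chain_ok <root.pem> <cert.pem> <sslclient|sslserver>: exit 0 only if the
# certificate chains to that root AND is valid for the given TLS role.
chain_ok() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# report <label> <root.pem> <cert.pem> <purpose>: print the verdict.
report() {
  if chain_ok "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

demo() {
  local ours other
  ours=$(mktemp -d); other=$(mktemp -d)
  build_lab_pki "$ours"; build_lab_pki "$other"   # two unrelated roots
  report "client cert, client role" "$ours/root.pem" "$ours/client.pem" sslclient
  report "server cert, server role" "$ours/root.pem" "$ours/server.pem" sslserver
  report "client cert, server role" "$ours/root.pem" "$ours/client.pem" sslserver
  report "client cert, other root " "$ours/root.pem" "$other/client.pem" sslclient
  rm -rf "$ours" "$other"
}

demo
```

The last two checks are the ones worth noticing: a client certificate is rejected when presented in the server role, and a certificate issued by a different root is rejected even though that root carries the same subject name.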