1 Reply Latest reply: Aug 27, 2015 8:30 AM by Chris Cammers

    Security of username/password over http? (iPad issue)

    Simon Hogg

      I'm just rolling out a test installation of Qlik Sense and came up against the iPad issue (refusing to access the hub over https).

       

      I made the recommended changes (turned on http, changed the port number to avoid a clash, and added the server name & IP address to the virtual proxy settings) and it works - I can connect to the server with my iPad.

       

      However, I am concerned that now the user enters their username/password combo over http, so this is insecure and can be sniffed on the network (or even appear in Qlik logs). I just wanted to get a view on whether this is possible, or whether somehow the user/pass is protected and it really is just the server/client communication which is non-secure.

       

      At the moment we are only deploying the solution internally, so hopefully any issues are not that great, but people are still inquisitive and go hunting for things...

        • Re: Security of username/password over http? (iPad issue)
          Chris Cammers

          We encountered this same issue when we first set up Sense. The https page did not work on the iPad because of the self-signed certificate that Sense configures at initial install. If you want to use iPads over https, which you should, you will need to get a "trusted certificate" from an organization like GoDaddy. Make sure that when you attempt to configure the certificate on the server you have port 80 enabled, because if the configuration fails you will not be able to access port 443. The most common mistake that I have seen made in setting this up is to not include the private key with your certificate; if the cert does not have the key then you won't be able to bind the cert to the ports.

           

          Configuration Steps

          1. Get your cert with private key from your certificate authority.
          2. On your server, use MMC.exe with the Certificates snap-in (computer account/local server) to add the certificate to the Personal Certificate store.
          3. Double-click the certificate and get the thumbprint from the certificate Details tab, then copy the thumbprint to the SSL thumbprint box on the Security tab of the central proxy. Click Apply.
          4. Verify the ports were successfully bound using the command line "netsh http show sslcert"; you should see the new thumbprint on ports 443 and 4244.
          5. Test your iPad using SSL.

           

          Once you have completed your test and you are sure it works then disable port 80 in your proxy settings.

           

          Best of luck, let me know if you have any issues.

           

           

          Chris
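
Added example, not part of the original thread and not Qlik's own tooling: a PowerShell check for steps 2 to 4 of the reply above, confirming that the certificate carries its private key and that the same thumbprint is bound on ports 443 and 4244. It assumes an elevated session on the proxy server, English-language netsh output, and a placeholder thumbprint that you replace with your own.

```powershell
# Added example (not from the thread). Run elevated on the Qlik Sense proxy node.
# Assumption: replace the placeholder with the thumbprint copied in step 3.
$Pasted = '<THUMBPRINT-FROM-CERTIFICATE-DETAILS-TAB>'
$Ports  = 443, 4244   # ports named in step 4 of the reply

# Thumbprints copied from the certificate dialog often carry spaces or an
# invisible leading character, so keep only the hex digits before comparing.
$Thumb = ($Pasted -replace '[^0-9a-fA-F]', '').ToUpper()
if ($Thumb.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$Thumb'" }

# Steps 1-2: the certificate must sit in LocalMachine\My with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumb }
if (-not $cert)               { throw "No certificate $Thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key, so it cannot be bound" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Step 4: parse 'netsh http show sslcert' into port -> bound certificate hash.
$bindings = @{}
$port = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*\S+:(\d+)\s*$') {
        $port = [int]$Matches[1]
    }
    elseif ($port -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $bindings[$port] = $Matches[1].ToUpper()
        $port = $null
    }
}

# Report each expected port and fail if any binding is missing or differs.
$ok = $true
foreach ($p in $Ports) {
    if (-not $bindings.ContainsKey($p)) {
        Write-Warning "Port ${p}: no SSL binding found"
        $ok = $false
    }
    elseif ($bindings[$p] -ne $Thumb) {
        Write-Warning "Port ${p}: bound to $($bindings[$p]), expected $Thumb"
        $ok = $false
    }
    else {
        Write-Output "Port ${p}: bound to the expected certificate"
    }
}
if (-not $ok) { throw "Binding check failed; keep port 80 enabled until this passes" }
```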