2 Replies Latest reply: Mar 6, 2013 3:27 AM by Fredrik Lautrup

    question about using certificates to secure web services communication

    Jérémy George

      I am currently trying to use certificates to secure the communication between QlikView services. From what I understand, this is needed to have a secure communication if the services are not all located on the same domain. However, this should not be needed for communication between the QV management service and services located on the same server.

       

      The documentation seems to imply that:

      1) Once certificates are used, they are used for communication between all services.

      2) Certificates should only be used when services are not on the same server as QMS.

       

      This kind of confuses me....

       

      For example, suppose a first server hosts: QMS, DSC, QDS and QVWS services while another server hosts the QVS service. Is it possible to keep the communication between services on the first server using Windows authentication while requiring SSL for the exchange between QVS and QMS?

        • Re: question about using certificates to secure web services communication
          Bill Britt

          Hi,

           

          That is an interesting question and I am not sure. However, I would think it is all or none. I don't think the QMS can be set up for both. Now if you look at the QEMC you will see it talks to the QVS using the QVP protocol which is RSA 128.

           

          Bill

          • Re: question about using certificates to secure web services communication
            Fredrik Lautrup

            So using certificates is an all-or-nothing approach. If you change to use certificates, all services are authorized to communicate using certificates. In more detail, the certificates are not bound to a service but to a machine. So in the scenario that you run more than one service on a machine, they will use this server's certificate to authorize the communication.

             

            So it is possible to run all services on one machine and still use certificates, but from a security perspective there is no benefit in doing it.

             

            So in a scenario where you have two machines and choose certificates, these are used to make sure that the services that try to connect are authorized to do so, independent of whether they are running on the same machine or another host.

             

            But remember that the QVAdministrators group is still used to authorize people on the server running the QMS to get access to the QMC.

             

            I hope this answers your question.