Recreating Qlik Sense root CA certificate when upgrading to June 2019 and above (script based back-up and removal of existing certificates)
IMPORTANT NOTE: The following steps are applicable for Qlik Sense deployments originally installed with versions prior to the June 2019 release. For Qlik Sense deployments originally installed with the June 2019 or later releases, follow the standard steps for patching Qlik Sense and do not perform the steps below. If you are not certain about the initially installed version of Qlik Sense, please refer to "Validating Qlik Sense root CA certificate for presence of CA:TRUE attribute" to check the current certificate for the CA:TRUE attribute.
In February 2020, versions of Qlik Sense were released to fix critical vulnerabilities within NodeJS. Unfortunately, this requires recreating the root CA for certificates generated with versions of Qlik Sense prior to the June 2019 release. More information is available under "Node.js Vulnerability - FAQ".
Note: In these steps we will occasionally ask you to run PowerShell code. Executing PowerShell code:
i. Copy the code and save it in a ps1 file, for example: certificates_backup.ps1
ii. Open an elevated command line and navigate to the location where the script was saved.
iii. Start PowerShell by executing the following command: Powershell
iv. Run the script by executing the following command: .\<name_of_the_script>.ps1, for example: .\certificates_backup.ps1
Qlik Sense Enterprise on Windows, June 2019 thru November 2019
New NodeJS requirements.
After upgrading to June 2019 or above, check the Root certificate by running the C2 Validator tool on ALL NODES. If CA and Critical display 'Missing', please follow the instructions below.
Stop all services on ALL NODES in the Qlik Sense cluster.
Back up all current Qlik Sense certificates from the CENTRAL NODE by executing the following PowerShell code:
NOTE: For information on how to execute the above code, please refer to the “Executing PowerShell code” section at the top. Modify the $mypwd variable to define a custom password. Make sure the certificates were backed up after running the script:
NOTE: If you are installing a patch on the November 2018 track, the name of the key is: <add key="CertificatesSelfSignedRootBasicConstraintsCA" value="true" />
On the CENTRAL NODE, start the Qlik Sense Repository Database service.
On the CENTRAL NODE, from an elevated command line, navigate to C:\Program Files\Qlik\Sense\Repository (or the corresponding non-default location) and run:
repository.exe -bootstrap -iscentral
When bootstrap mode has reached "Entering main startup phase..", start the Qlik Sense Service Dispatcher service and make sure that the final message "Bootstrap mode has terminated. Press ENTER to exit.." is shown.
Note: If this message is not shown, open Windows Task Manager, find Qlik Sense Repository Service in the Processes tab and end it by right-clicking on it and selecting End task.
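The check at the start of this procedure asks whether CA and Critical are present on the root certificate. The following is an added example, not Qlik's script and not the C2 Validator tool: it reads the Basic Constraints extension of certificates in a Windows certificate store and reports CA and Critical as TRUE, FALSE or Missing. It assumes the root CA is in Cert:\LocalMachine\Root; the $StorePath and $SubjectFilter parameters and the Get-BasicConstraintsState function are names chosen for this example, and you supply a wildcard that matches your root CA's subject.

```powershell
# Added example (not Qlik's script and not the C2 Validator tool).
param(
    # Assumption: the store that holds the root CA on this node.
    [string]$StorePath = 'Cert:\LocalMachine\Root',
    # Wildcard matched against the certificate subject; supplied by the operator.
    [Parameter(Mandatory = $true)]
    [string]$SubjectFilter
)

function Get-BasicConstraintsState {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Basic Constraints is X.509 extension OID 2.5.29.19.
    $ext = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.19' } |
        Select-Object -First 1

    # Default: extension absent, so both values are reported as Missing.
    $state = [ordered]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        CA         = 'Missing'
        Critical   = 'Missing'
    }
    if ($ext) {
        # Decode the raw extension so the CA flag can be read.
        $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension `
            -ArgumentList $ext, $ext.Critical
        $state.CA       = if ($bc.CertificateAuthority) { 'TRUE' } else { 'FALSE' }
        $state.Critical = if ($ext.Critical) { 'TRUE' } else { 'FALSE' }
    }
    [pscustomobject]$state
}

$results = @(Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like $SubjectFilter } |
    ForEach-Object { Get-BasicConstraintsState -Certificate $_ })

if ($results.Count -eq 0) { Write-Warning "No certificate in $StorePath matches '$SubjectFilter'." }
$results | Format-Table -AutoSize -Wrap

# Flag anything that is not a critical CA:TRUE certificate.
$bad = @($results | Where-Object { $_.CA -ne 'TRUE' -or $_.Critical -ne 'TRUE' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) certificate(s) lack a critical CA:TRUE Basic Constraints extension."
}
```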