Secure communication between Qlik Sense and the index cluster

When you have deployed the index cluster, the communication is not encrypted by default. We recommend that you ensure that the communication between Qlik Sense and the index cluster is secure.

This topic describes one way to configure secure communication between Qlik Sense and Qlik Big Data Index using certificates. Only mutual authentication, with both server and client authentication, is supported.

  1. Prepare the certificates bdi_client_cert.pem and bdi_server_cert.pem.

  2. Configure the QSL manager to use the server certificate.
  3. Configure Qlik Sense to use the client certificate. There are two options:

    • Securing communication on connection level.

      This option is mandatory in Qlik Sense Enterprise SaaS and Qlik Sense Enterprise on Kubernetes.

    • Securing communication on global level.

      This option is available in Qlik Sense Enterprise on Windows.

Tip note: There are other ways to ensure that communication is secure, for example:
  • Deploying Qlik Sense in AWS, in the same Virtual Private Cloud as the index cluster.
  • Setting up an SSH access tunnel to the QBDI index cluster.

Preparing the certificates

You need to prepare two folders, one for Qlik Sense and one for Qlik Big Data Index. Each folder needs to contain a certificate with a public key, as well as the key of the root certificate that the certificates were generated from (root_cert.pem). All files need to be named exactly as described here.

  • Qlik Sense folder should contain:

    Certificate: bdi_client_cert.pem

    Public keys: root_cert.pem and bdi_client_key.pem

  • Qlik Big Data Index folder should contain:

    Certificate: bdi_server_cert.pem

    Public keys: root_cert.pem and bdi_server_key.pem

You can generate certificates based on the guide and scripts that are available on https://github.com/qlik-oss/server-side-extension/tree/master/generate_certs_guide. If you use the scripts in the guide you need to:

  • Adapt the config files to include the domains and/or IP address you will use to access the QSL manager. If you do not do this, the generated certificates will not be valid for that target.
  • Rename the generated certificates to fit the file names described above, for example rename sse_*.pem to bdi_*.pem.

Configuring the QSL manager for secure communication

You can configure the certificates for the QSL manager when deploying the Helm charts. You need to create a .yaml file containing the certificates and use it in the helm install command.

Example: Helm install with a .yaml file containing the certificates (qslmanager-tls.yaml)

$ helm install --name bt_bdi qlik/bdi -f my_values.yaml -f qslmanager-tls.yaml

Example: qslmanager-tls.yaml

qslmanager:
  tls:
    enabled: true
    certificate: |-
      -----BEGIN CERTIFICATE-----
      Copy content of bdi_server_cert.pem here
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      Copy content of bdi_server_key.pem here
      -----END RSA PRIVATE KEY-----
    rootCert: |-
      -----BEGIN CERTIFICATE-----
      Copy content of root_cert.pem here
      -----END CERTIFICATE-----

You can check the QSL manager log file for the following message to verify that the certificates are applied and secure communication is enabled.

Securing external communication using TLS encryption with certificates in '/home/ubuntu/tls'

Configuring Qlik Sense for secure communication

You can enable the secure communication in Qlik Sense in two different ways.

  • Secure communication on global level.

    This option is available in Qlik Sense Enterprise on Windows.

  • Secure communication on connection level.

    This option is mandatory in Qlik Sense Enterprise SaaS and Qlik Sense Enterprise on Kubernetes.

    This option is not available in Qlik Sense Enterprise on Windows.

Securing communication with certificates on global level

If you want to deploy secure communication between Qlik Sense Enterprise on Windows and Qlik Big Data Index on global level, you need to perform the following steps:

  1. Add the following line to Settings.ini:

    BDIPemDir=<PATH_TO_CLIENT_CERT_FOLDER>

    where <PATH_TO_CLIENT_CERT_FOLDER> is the full path to the folder that contains the public keys root_cert.pem and bdi_client_key.pem, and the certificate bdi_client_cert.pem.

  2. Restart the Engine service, as described in Deploy an index cluster.

Securing communication with certificates on connection level

You can also configure secure communication between Qlik Sense and Qlik Big Data Index using certificates on connection level.

Information note: This option is not available in Qlik Sense Enterprise on Windows.

  1. Prepare the certificate bdi_client_cert.pem.

    See Preparing the certificates.

  2. Package the certificate in an encrypted PFX/PKCS12 file. You will need to provide a password which is used when creating the data connection.

    $ openssl pkcs12 -export -out bdi_client.pfx -inkey bdi_client_key.pem -in bdi_client_cert.pem -certfile root_cert.pem
  3. Create a data connection in Qlik Big Data Index using the packaged certificate and the password you provided.

    See Connecting to a data model.
