Replacing the Master User Password
Qlik goes to great lengths to ensure that sensitive information is protected from unauthorized parties, which is why all passwords and other sensitive information are encrypted (and decrypted) using the Enterprise Manager Master Key. Enterprise Manager uses only FIPS 140-2 compliant algorithms for hashing and encryption: SHA256 for hashing and AES256 for encryption.
This topic provides an overview of how the Enterprise Manager Master Key is generated and applied as well as explaining how to encrypt the User Permissions file.
The Master Key
The following section describes the role the master key and the master user key play in keeping your data secure.
- Using the Enterprise Manager CLI, the user provides the system with an alphanumeric password (Master User Password), which must be at least 32 characters.
Information note: By default (that is, after first-time installation), the Master User Password is randomly generated by Enterprise Manager. It is strongly recommended to change the Master User Password as soon as possible (especially in a production environment), as this will allow recovery of backed-up data in the event of disk failure. The password should be kept in a secure location for future use.
You can either use your own password or run the genpassword utility to generate a password for you.
- Enterprise Manager uses a one-way hash function to generate a key (Master User Key) from the Master User Password.
Information note: The one-way hash function guarantees that, given the same Master User Password as input, the same Master User Key will be generated. This is what happens in high availability scenarios, where the same Master User Password is entered on two different machines.
- Enterprise Manager encrypts the Master User Key using the local machine’s key (Windows) and stores it in a file named muk.dat. The muk.dat file can contain several entries (and indeed does in a high availability environment), with each entry uniquely identifying the machine on which Enterprise Manager is running.
- Enterprise Manager generates a random Master Key, encrypts it with the Master User Key and stores it in a common location (e.g. the root repository).
- On software startup, the following occurs:
  - The Master User Key is read and decrypted (using the local machine’s key)
  - The Master Key is read and decrypted using the Master User Key
Once this process is complete, Enterprise Manager is able to encrypt and decrypt all sensitive information.
For more information on commands related to the master user password, see Commands Related to the Master User Password.
High Availability mode
In a High Availability environment, Enterprise Manager runs on at least two machines that share the same data folder. As there are two machines, there will also be two different keys - one for each machine.
As mentioned earlier, the Master User Key file (muk.dat) is constructed of entries, with each entry corresponding to one machine. Both machines scan the entries searching for an entry they can decrypt.
If no matching entry can be found, an error will be returned. In this case, simply use the Enterprise Manager CLI to enter the Master User Password again, and create an entry for the new machine.
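The key hierarchy from "The Master Key" and the entry scan from "High Availability mode", modelled as an added example (not Qlik's code or on-disk format). Assumptions: a single SHA-256 pass as the one-way hash, AES-256-GCM as the AES mode, an in-memory array standing in for muk.dat, and random 32-byte keys standing in for each machine's Windows key; all function names are hypothetical.

```javascript
const crypto = require("crypto");

// AES-256-GCM wrap/unwrap. GCM is an assumption: the page names AES256 but no mode.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Master User Password -> Master User Key. A single SHA-256 pass is an assumption;
// the page says only "one-way hash function" and lists SHA256 for hashing.
function deriveMuk(password) {
  if (!/^[A-Za-z0-9]{32,}$/.test(password)) {
    throw new Error("Master User Password must be alphanumeric, 32+ characters");
  }
  return crypto.createHash("sha256").update(password, "utf8").digest();
}

// Add this machine's entry to a model of muk.dat (an array of sealed blobs).
// machineKey is a stand-in for the Windows local machine key.
function addMukEntry(mukFile, machineKey, password) {
  mukFile.push(seal(machineKey, deriveMuk(password)));
}

// Startup: find the muk.dat entry this machine can decrypt, then unwrap the Master Key.
function startup(mukFile, machineKey, wrappedMasterKey) {
  for (const entry of mukFile) {
    let muk;
    try { muk = open(machineKey, entry); } catch (e) { continue; } // other machine's entry
    return open(muk, wrappedMasterKey);
  }
  throw new Error("no muk.dat entry for this machine: re-enter the Master User Password");
}

// Constructed sample: two HA nodes share one password and one wrapped Master Key.
const password = "Constructed0Sample0Password0For0Demo01";
const nodeA = crypto.randomBytes(32), nodeB = crypto.randomBytes(32);
const mukFile = [];
addMukEntry(mukFile, nodeA, password);
addMukEntry(mukFile, nodeB, password);
const masterKey = crypto.randomBytes(32);
const wrapped = seal(deriveMuk(password), masterKey);
console.log(startup(mukFile, nodeB, wrapped).equals(masterKey));
```

Because the Master User Key is a deterministic function of the password, either node recovers the same Master Key from its own entry, while a machine with no entry fails until the password is entered on it.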
See also Installing Qlik Enterprise Manager in a Windows cluster.