Certificate Trust

In QlikView Server, if you choose digital authentication, you use certificates for authentication and authorization. A certificate provides trust between server machines. In addition, dynamic encryption keys are used for sensitive data. The default configuration in QlikView relies on Windows trust (hard-coded cryptographic keys).

Note: Certificates contain encryption keys so it is vital to keep a backup of the certificates in a safe place. See: Backing up and restoring certificates
Note: You must reference the QlikView Server by its machine name, and not by the IP address or fully qualified domain name.

Architecture

In a QlikView Server installation, certificates authenticate and authorize communication between services running on multiple servers. The certificates include a SecretsKey that handles encryption and decryption of data such as passwords and connection strings.

Configuring certificates in a multiple server deployment within QlikView removes the dependency on a QlikView Administration Group for establishing trust. You can also use certificates to build a trust domain between QlikView services that are located in different domains without having to share an Active Directory (AD) or other user directories.

Note: The configuration steps described here only provide a trust domain between the QlikView services. The use of SSL and certificates for securing end-user communication has to be configured separately.

QlikView Server uses the following digital certificates for authentication and authorization:

Location                                                  Issued To       Issued By   Description
Local Computer / Personal                                 <machine-name>  QlikViewCA  Server
Local Computer / Personal                                 QVProxy         QlikViewCA  Client
Local Computer / Trusted Root Certification Authorities   QlikViewCA      QlikViewCA  Root

Certificates are managed from the Microsoft Management Console (MMC).

The architecture is based on the QlikView Management Service (QMS) acting as the certificate manager or Certificate Authority (CA). The QMS can create and distribute certificates to all services in the QlikView installation.

QMS is therefore an important part of the security solution and has to be managed from a secure location to keep the certificate solution secure.

The root certificate for the installation is stored on the QMS server. All servers with QlikView services that are to participate in the installation receive certificates signed using the root certificate when added to the QMS. The QMS (that is, the CA) issues digital certificates that contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by the QlikView services. The certificate enables the QMS to validate the authenticity of the service. This means that the QMS is responsible for saying “yes, this service deployed on this server is a service in my installation”.

After the servers have received certificates, the communication between the QlikView services is encrypted using HTTPS (SSL encryption). The certificates only secure the communication between the services on the servers. The certificates do not secure the communication with the end user (that is, the certificates are not used for QlikView plug-in, client, or web server communication with the QVS).
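The following PowerShell script is an added example and not part of the Qlik documentation. Run in an elevated session on a QlikView node, it checks that the Server, Client and Root certificates from the table above are present in the expected stores and that the two leaf certificates chain to the QlikViewCA root; the "CN=..." subject and issuer formats are assumptions.

```powershell
# Added example (not from the Qlik documentation). Verifies the QlikView certificate
# trust on the local node: QlikViewCA root in Trusted Root, Server (<machine-name>) and
# Client (QVProxy) certificates in Personal, both issued by and chaining to QlikViewCA.
# Assumption: subjects/issuers are of the form "CN=<name>".

function Test-QlikViewCertTrust {
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'CN=QlikViewCA' } | Select-Object -First 1
    if (-not $root) { throw 'QlikViewCA root certificate not found in Trusted Root store.' }

    # The two leaf certificates expected in Local Computer / Personal
    $expected = @(
        @{ Role = 'Server'; Pattern = "CN=$([regex]::Escape($env:COMPUTERNAME))" },
        @{ Role = 'Client'; Pattern = 'CN=QVProxy' }
    )
    foreach ($e in $expected) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match $e.Pattern -and $_.Issuer -match 'CN=QlikViewCA' } |
            Select-Object -First 1
        if (-not $cert) {
            [pscustomobject]@{ Role = $e.Role; Found = $false; ChainsToRoot = $false
                               HasPrivateKey = $false; NotAfter = $null; Thumbprint = $null }
            continue
        }
        # Build the chain without CRL/OCSP lookups so the check also works on an isolated network
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Role          = $e.Role
            Found         = $true
            # The chain must end at the QlikViewCA root from the Trusted Root store
            ChainsToRoot  = ($built -and $top.Thumbprint -eq $root.Thumbprint)
            # Services authenticate with the private key, which must stay on this node
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Test-QlikViewCertTrust | Format-Table -AutoSize
```

A row with ChainsToRoot false on any node indicates a certificate issued by a different (for example, regenerated) QlikViewCA, which the requirement that trust is all-or-nothing does not tolerate.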

The following diagram shows a multi-node QlikView Server deployment where the QMS (the Certificate Authority) distributes the certificates to the machines where the other services are installed.

License Service

In QlikView April 2019 or later, the License Service is always installed and actively used only when QlikView Server is licensed using a signed key. The License Service is installed on the machine running the QlikView Management Service (QMS), and handles certificates differently from the other services.

When the QlikView Management Service (QMS) is started for the first time, the Root and Server certificates are automatically exported and made available to the License Service. The certificates are exported as the following files:

  • root.pem
  • server.pem
  • server_key.pem
    This file contains the Server certificate key.

By default, these files are stored in the following location: %ProgramData%\QlikTech\LicenseService\Exported Certificates.

Note: When you update the certificates for your installation, you must restart the QlikView Management Service (QMS) before the License Service. Starting the services in this order ensures that the correct set of certificates is exported and made available to the License Service. You can manage the status of the License Service by starting and stopping the Qlik Service Dispatcher.
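The following script is an added example, not Qlik's own code. It confirms that the root.pem and server.pem files the QMS exported for the License Service match the certificates currently in the Windows store, which is the state the restart order in the note above is meant to guarantee; it assumes the default export location and "CN=..." subject formats.

```powershell
# Added example (not from the Qlik documentation). Compares the certificates exported for
# the License Service with the Root and Server certificates in the local stores.
# Assumptions: default export directory, subjects of the form "CN=<name>".

function Test-LicenseServiceExport {
    param(
        [string]$ExportDir = (Join-Path $env:ProgramData 'QlikTech\LicenseService\Exported Certificates')
    )
    function Import-PemCert([string]$Name) {
        $path = Join-Path $ExportDir $Name
        if (-not (Test-Path $path)) { throw "Exported file missing: $path" }
        # X509Certificate2 parses a single Base64/PEM-encoded certificate file
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    }
    $rootPem   = Import-PemCert 'root.pem'
    $serverPem = Import-PemCert 'server.pem'

    $rootStore = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'CN=QlikViewCA' } | Select-Object -First 1
    $serverStore = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($env:COMPUTERNAME))" -and
                       $_.Issuer -match 'CN=QlikViewCA' } | Select-Object -First 1

    [pscustomobject]@{
        # A thumbprint mismatch means the export is stale: restart QMS, then the License Service
        RootMatchesStore   = [bool]($rootStore   -and $rootPem.Thumbprint   -eq $rootStore.Thumbprint)
        ServerMatchesStore = [bool]($serverStore -and $serverPem.Thumbprint -eq $serverStore.Thumbprint)
        # server_key.pem holds the Server private key; protect the directory like a certificate backup
        ServerKeyPresent   = Test-Path (Join-Path $ExportDir 'server_key.pem')
        ExportedServerExp  = $serverPem.NotAfter
    }
}

Test-LicenseServiceExport
```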

Requirements

The following requirements must be fulfilled for the certificate trust to function properly:

  • Certificate trust cannot be partially implemented. It is either used by all services in the QlikView installation or not at all.
  • Certificate trust is only supported by Windows Server 2008 and later.
  • Make sure that all machines use QlikView Server 12.00 or later. In QlikView Server 11.20 or earlier, a different method of encryption is used. Old certificates are not compatible with an installation running QlikView 12.00 or later and new certificates need to be generated.
  • If it is an initial installation of QlikView Server, install and configure the QlikView services without any modification. Prior to configuring the use of certificates, start and stop the services on the servers (that is, machines) where the QlikView services are deployed.
  • Section Access management must not be configured in environments where certificate trust is configured.
  • Ensure that you back up the following three certificates on the machine running the QlikView Management Service (QMS) every time they are updated:

    Location                                                  Issued To       Issued By   Description
    Local Computer / Personal                                 <machine-name>  QlikViewCA  Server
    Local Computer / Personal                                 QVProxy         QlikViewCA  Client
    Local Computer / Trusted Root Certification Authorities   QlikViewCA      QlikViewCA  Root

    For more information on how to back up certificates, see: Backing up and restoring certificates.

In addition, the technical requirements described in the following sections also have to be fulfilled.

Certificate ports

This section describes the ports that you need to open when configuring certificate trust.

The ports that are listed in the following table are needed for service to service communication and have to be configured as “open”.

For more information on QlikView ports, see: Ports.

Note: Firewall configuration changes might be necessary, depending on the location of the QlikView servers within the resulting network and the routing of the QVS communication.
Service                        Ports           SSL-enabled Ports
QlikView Server                4747, 4749      4749
QlikView Distribution Service  4720            4720
QlikView Web Server            4750, 80, 443   4750, 443
QlikView Management Service    4780, 4799      4780, 4799
Directory Service Connector    4730            4730
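The following script is an added example, not part of the Qlik documentation. From any node it checks that the service-to-service ports in the table above accept TCP connections on the machine hosting each service; the host names are placeholders to replace with your own machine names (not IP addresses or FQDNs, per the note at the top of this page), and Test-NetConnection requires Windows Server 2012 R2 or later.

```powershell
# Added example (not from the Qlik documentation). Checks reachability of the
# service-to-service ports from the table above. Host names are placeholders: use the
# machine name of the node that runs each service.

$layout = @{
    'QlikView Server'               = @{ Host = 'QVS-NODE';  Ports = 4747, 4749 }
    'QlikView Distribution Service' = @{ Host = 'QDS-NODE';  Ports = 4720 }
    'QlikView Web Server'           = @{ Host = 'QVWS-NODE'; Ports = 4750, 80, 443 }
    'QlikView Management Service'   = @{ Host = 'QMS-NODE';  Ports = 4780, 4799 }
    'Directory Service Connector'   = @{ Host = 'DSC-NODE';  Ports = 4730 }
}

function Test-QlikViewPorts([hashtable]$Layout) {
    foreach ($service in $Layout.Keys) {
        $target = $Layout[$service]
        foreach ($port in @($target.Ports)) {
            # -InformationLevel Quiet returns $true only when the TCP handshake completes
            $open = Test-NetConnection -ComputerName $target.Host -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Service = $service; Host = $target.Host; Port = $port; Open = $open }
        }
    }
}

# List only the ports that are closed; an empty result means the firewall rules are complete
Test-QlikViewPorts $layout | Where-Object { -not $_.Open } | Format-Table -AutoSize
```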

The ports that are listed in the following table are needed for the certificate installation procedure on the local server.

Note: The ports are not used for service to service communication.
Service                        Ports
QlikView Distribution Service  14720
Directory Service Connector    14730
QlikView Web Server            14750

The following table lists the protocols that are used for communication on the ports that are specified in this section.

Service             Protocol
QlikView Server     QVPX over SSL
All other services  SOAP over SSL

Note: To install the distributed certificates for the respective services, physical access to the console or remote access to the console (for example, using remote desktop functionality) is needed.
