Certificate trust
Qlik Sense uses certificates for authentication. A certificate provides trust between nodes within a site.
Certificate trust requirements
The requirements described in this section must be fulfilled for the certificate trust to function properly.
When using Transport Layer Security (TLS) in Microsoft Windows environments, the private key must be stored together with the certificate in the Windows certificate store. In addition, the account that is used to run the Qlik Sense services must have permission to access the certificate private key.
If you want to use TLS 1.2 authentication, you need to enable TLS 1.2 support in the Windows registry of the server machine. You should consider the impact of enabling TLS 1.2, as this is a global system setting.
Communication ports
To set up certificate trust, the Qlik Sense Repository Services (QRSs) require that the ports listed in the following table can be opened and used for communication. If any communication passes through a network firewall, the ports in the firewall must be opened and configured for the services.
Port | Description |
---|---|
4570 | Certificate password verification port, only used within multi-node sites by Qlik Sense Repository Services (QRSs) on rim nodes to receive the password that unlocks a distributed certificate. The port can only be accessed from localhost and it is closed immediately after the certificate has been unlocked. The communication is always unencrypted. This port uses HTTP for communication. |
4444 | Security distribution port, only used by Qlik Sense Repository Services (QRSs) on rim nodes to receive a certificate from the primary QRS on the central node. The communication is always unencrypted, but the transferred certificate package is password-protected. This port uses HTTP for communication. |
Unlocking distributed certificates
When adding a new rim node to a site, the distributed certificate needs to be unlocked.
Authorize the certificate on the node
Certificate trust architecture
Certificates are used within a Qlik Sense site to authenticate communication between services that reside on different nodes. In addition, certificates can be used to build a trust domain between services that are located in different domains or areas (for example, internal networks, extranets, and Internet) without having to share a Microsoft Active Directory (AD) or other user directories.
The architecture is based on the primary Qlik Sense Repository Service (QRS) on the central node acting as the certificate manager or Certificate Authority (CA). The primary QRS creates and distributes certificates to all nodes within a site. The primary QRS is therefore an important part of the security solution and has to be managed from a secure location to keep the certificate solution secure.
The root certificate for the installation is stored on the central node in the site, where the primary QRS runs. All nodes with Qlik Sense services that are to be used within the site receive certificates signed with the root certificate when added to the primary QRS. The primary QRS (that is, the CA) issues digital certificates that contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by the nodes. The certificate enables the services in a Qlik Sense deployment to validate the authenticity of the other services. This means that the primary QRS is responsible for making sure that a service that is deployed on a node is a service within the site.
After the nodes have received certificates, the communication between the Qlik Sense services is encrypted using Transport Layer Security (TLS) encryption.
Confirming certificates using Microsoft Management Console
Certificates can be visually confirmed in the Microsoft Management Console (MMC) with the certificate snap-in added.
If the certificates have been properly deployed, they are available in the locations listed in the table.
Certificate | Location |
---|---|
QlikClient | Certificates - Current User>Personal>Certificates |
<full computer name>-CA | Certificates - Current User>Trusted Root Certification Authorities>Certificates |
<full computer name>-CA | Certificates (Local Computer)>Trusted Root Certification Authorities>Certificates |
<computer name> | Certificates (Local Computer)>Personal>Certificates |
Certificate handling
This section describes how the certificates are handled when a Qlik Sense service starts.
Client certificate
This section describes how the primary Qlik Sense Repository Service (QRS) on the central node in a site handles the client certificate when a Qlik Sense service starts.
The client certificate is located in the following place in the Microsoft Windows certificate store:
Current User>Personal>Certificates
When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:
- If no client certificate is found, the QRS logs that no certificate was found.
- If only one client certificate is found, the QRS checks if it is valid. If the certificate is not valid, the QRS logs that an invalid certificate was found.
- If more than one client certificate is found, the QRS deletes all certificates. Duplicates are not allowed. In addition, the QRS logs the number of valid and invalid certificates that were found and deleted.
If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the certificates. For more information, see Services.
Server certificate
This section describes how the primary Qlik Sense Repository Service (QRS) on the central node in a site handles the server certificate when a Qlik Sense service starts.
The server certificate is located in the following place in the Microsoft Windows certificate store:
Local Computer>Personal>Certificates
When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:
- If no server certificate is found, the QRS logs that no certificate was found.
- If only one server certificate is found, the QRS checks if it is valid. If the certificate is not valid, the QRS logs that an invalid certificate was found.
- If more than one server certificate is found, the QRS deletes all certificates. Duplicates are not allowed. In addition, the QRS logs the number of valid and invalid certificates that were found and deleted.
If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the certificates. For more information, see Services.
Root certificate
This section describes how the primary Qlik Sense Repository Service (QRS) on the central node in a site handles the root certificate when a Qlik Sense service starts.
The root certificate is located in the following places in the Microsoft Windows certificate store:
Current User>Trusted Root Certification Authorities>Certificates
Local Computer>Trusted Root Certification Authorities>Certificates
When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense certificates. Depending on the results of the search, the QRS does the following:
- If no root certificate is found, the QRS logs that no certificate was found.
- If only one root certificate is found, the QRS checks if it is valid. If it is not valid, the QRS logs a fatal error that an invalid root certificate was found, which means that the service is shut down and that the administrator must manually delete any unwanted certificates. In addition, the QRS logs information about the certificates that are affected by this.
- If more than one root certificate is found, the QRS logs a fatal error that an invalid root certificate was found, which means that the service is shut down and that the administrator must manually delete any unwanted certificates. In addition, the QRS logs information about the certificates that are affected by this.
If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the certificates. For more information, see Services.
Invalid certificate
The definition of an invalid certificate is as follows:
- The operating system considers the certificate to be too old or the certificate chain is incorrect or incomplete.
- The Qlik Sense certificate extension (OID "1.3.6.1.5.5.7.13.3") is missing or does not reflect the location of the certificate:
  - Current User/Personal certificate location: Client
  - Local Machine/Personal certificate location: Server
  - Local Machine/Trusted Root certificate location: Root
  - Current User/Trusted Root certificate location: Root
- The server, client, and root certificates on the central node do not have a private key that the operating system allows them to access.
- The server and client certificates are not signed by the root certificate on the machine.
Maximum number of trusted root certificates
When a Qlik Sense service starts, it checks the number of trusted root certificates on the machine where it is running. If there are more than 300 certificates on the machine, warning messages containing the following information are logged:
- There are too many root certificates for the service to trust.
- The Microsoft Windows operating system will truncate the list of certificates during the Transport Layer Security (TLS) handshake.
If the Qlik Sense root certificate (<host-machine>-CA) that the Qlik Sense client certificate belongs to is deleted from the list of certificates because of the truncation, the service cannot be authenticated.
To manually view the root certificates on a machine, open the Microsoft Management Console (MMC) and go to Certificates (Local Computer)>Trusted Root Certification Authorities.
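The following PowerShell script is an added example, not part of the Qlik Sense documentation or product: it walks the four store locations from the tables above and applies the invalid-certificate rules (extension OID matching the location, accessible private key, chain to a root on the machine, issuer being the site CA) and the 300-root warning threshold. It assumes the extension's DER payload contains the ASCII word Client, Server or Root, that the keys are RSA, and that the CA subject contains `<computer name>-CA`; run it as the account that runs the Qlik Sense services so the private-key check reflects that account's permissions.

```powershell
# Added example (assumptions: ASCII Client/Server/Root inside the Qlik extension,
# RSA keys, CA subject containing "<computer name>-CA"). Not Qlik's own code.
$QlikOid  = '1.3.6.1.5.5.7.13.3'
$Expected = [ordered]@{
    'Cert:\CurrentUser\My'    = 'Client'
    'Cert:\LocalMachine\My'   = 'Server'
    'Cert:\LocalMachine\Root' = 'Root'
    'Cert:\CurrentUser\Root'  = 'Root'
}

function Get-QlikExtension([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq $QlikOid }
}

foreach ($store in $Expected.Keys) {
    # Only certificates carrying the Qlik extension are candidates in each store
    $certs = @(Get-ChildItem -Path $store | Where-Object { Get-QlikExtension $_ })
    Write-Output "$store : $($certs.Count) Qlik certificate(s)"
    if ($certs.Count -eq 0) { Write-Warning "$store : none found; QRS will log a missing certificate" }
    if ($certs.Count -gt 1) { Write-Warning "$store : duplicates; QRS deletes them (Personal) or stops (Trusted Root)" }
    foreach ($cert in $certs) {
        $problems = @()
        # 1. The extension must name the location the certificate lives in
        $raw = [Text.Encoding]::ASCII.GetString((Get-QlikExtension $cert).RawData)
        if ($raw -notmatch $Expected[$store]) { $problems += "extension does not say $($Expected[$store])" }
        # 2. A private key must exist and be readable by the current account
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) { $problems += 'no private key' }
        } catch { $problems += "private key not accessible: $($_.Exception.Message)" }
        # 3. The chain must build to a root trusted on this machine (revocation not needed here)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) { $problems += 'chain does not build to a trusted root' }
        # 4. Client and server certificates must be signed by the site's <computer name>-CA
        if ($store -like '*\My' -and $cert.Issuer -notlike "*$($env:COMPUTERNAME)*-CA*") {
            $problems += "issuer is '$($cert.Issuer)'"
        }
        $state = if ($problems) { 'INVALID: ' + ($problems -join '; ') } else { 'valid' }
        Write-Output "  $($cert.Thumbprint) $($cert.Subject) -> $state"
    }
}

# Warning threshold from the page: more than 300 trusted roots risks TLS list truncation
$rootCount = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root').Count
if ($rootCount -gt 300) { Write-Warning "$rootCount trusted roots; Windows may truncate the list in the TLS handshake" }
```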