Architecture

Certificates are used within a Qlik Sense site to authenticate communication between services that reside on multiple nodes.

This means that certificates can be used within a multi-node site instead of the Microsoft Windows authentication. In addition, certificates can be used to build a trust domain between services that are located in different domains or areas (for example, internal networks, extranets, and Internet) without having to share a Microsoft Active Directory (AD) or other user directories.

The architecture is based on the master Qlik Sense Repository Service (QRS) acting as the certificate manager or Certificate Authority (CA). The master QRS creates and distributes certificates to all nodes within a Qlik Sense site. The master QRS is therefore an important part of the security solution and has to be managed from a secure location to keep the certificate solution secure.

The root certificate for the installation is stored on the central node in the Qlik Sense site, where the master QRS runs. All nodes with Qlik Sense services that are to be used within the site receive certificates signed using the root certificate when added to the master QRS. The master QRS (that is, the CA) issues digital certificates that contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by the Qlik Sense nodes. The certificate enables the master QRS to validate the authenticity of the node. This means that the master QRS is responsible for making sure that a service that is deployed on the node is a service within the Qlik Sense site.

After the nodes have received certificates, the communication between the Qlik Sense services is encrypted using Secure Sockets Layer (SSL) encryption.