Secure communication between Qlik Sense and the index cluster
When you have deployed the index cluster, the communication is not encrypted by default. We recommend that you ensure that the communication between Qlik Sense and the index cluster is secure.
This topic describes one way to configure secure communication between Qlik Sense and Qlik Big Data Index using certificates. Only mutual authentication, with both server and client authentication, is supported.
- Prepare the certificates bdi_client_cert.pem and bdi_server_cert.pem.
- Configure the QSL manager to use the server certificate.
- Configure Qlik Sense to use the client certificate. There are two options:
  - Securing communication on connection level.
    This option is mandatory in Qlik Sense Enterprise SaaS and Qlik Sense Enterprise on Kubernetes.
  - Securing communication on global level.
    This option is available in Qlik Sense Enterprise on Windows.

- Deploying Qlik Sense in AWS, in the same Virtual Private Cloud as the index cluster.
- Setting up an SSH access tunnel to the QBDI index cluster.
Preparing the certificates
You need to prepare two folders, one for Qlik Sense and one for Qlik Big Data Index. Each folder needs to contain a certificate with a public key, as well as the key of the root certificate that the certificates were generated from (root_cert.pem). All files need to be named exactly as described here.
- Qlik Sense folder should contain:
  Certificate: bdi_client_cert.pem
  Public keys: root_cert.pem and bdi_client_key.pem
- Qlik Big Data Index folder should contain:
  Certificate: bdi_server_cert.pem
  Public keys: root_cert.pem and bdi_server_key.pem
You can generate certificates based on the guide and scripts that are available at https://github.com/qlik-oss/server-side-extension/tree/master/generate_certs_guide. If you use the scripts in the guide, you need to:
- Adapt the config files to include the domains and/or IP address you will use to access the QSL manager. If you do not do this, the generated certificates will not be valid for that target.
- Rename the generated certificates to fit the file names described above, for example rename sse_*.pem to bdi_*.pem.
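A pre-deployment check for the two folders described above, as an added example that is not part of the Qlik documentation or the linked guide. It assumes openssl is on the PATH and that the key files are PEM without a passphrase; `check_cert_dir`, `make_demo_pki` and the demo.example / 10.0.0.5 values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Qlik code): sanity-check one certificate folder.
# Usage: check_cert_dir DIR ROLE [HOST]   ROLE = client | server
# HOST = DNS name or IPv4 address used to reach the QSL manager (optional).
check_cert_dir() {
  dir=$1 role=$2 host=${3:-}
  cert="$dir/bdi_${role}_cert.pem"; key="$dir/bdi_${role}_key.pem"
  root="$dir/root_cert.pem"
  for f in "$cert" "$key" "$root"; do      # exact file names the page requires
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
  done
  # The certificate must chain to the shared root.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
    { echo "$cert is not signed by $root" >&2; return 2; }
  # The key file must belong to the certificate: compare public keys.
  a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$a" ] && [ "$a" = "$b" ]; } ||
    { echo "$key does not match $cert" >&2; return 3; }
  # The certificate must be valid for the address clients connect to.
  if [ -n "$host" ]; then
    case $host in *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac
    openssl x509 -in "$cert" -noout "$opt" "$host" | grep -q 'does match' ||
      { echo "$cert is not valid for $host" >&2; return 4; }
  fi
  return 0
}

# Constructed throwaway root and server certificate for demo.example / 10.0.0.5.
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/req.cnf"
  printf 'subjectAltName=DNS:demo.example,IP:10.0.0.5\n' >"$d/san.ext"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo root" -keyout "$d/root_key.pem" -out "$d/root_cert.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=demo.example" -keyout "$d/bdi_server_key.pem" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root_cert.pem" -CAkey "$d/root_key.pem" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/bdi_server_cert.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
  check_cert_dir "$demo" server demo.example && echo "server folder OK"
rm -rf "$demo"
```

Run it against each real folder before deploying, passing the host name or IP address that Qlik Sense will use for the QSL manager as the third argument for the server folder.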
Configuring the QSL manager for secure communication
You can configure the certificates for the QSL manager when deploying the Helm charts. You need to create a .yaml file containing the certificates and use it in the helm install command.
Example: Helm install with a .yaml file containing the certificates (qslmanager-tls.yaml)
Example: qslmanager-tls.yaml
You can check the QSL manager log file for the following message to verify that the certificates are applied and secure communication is enabled.
Configuring Qlik Sense for secure communication
You can enable the secure communication in Qlik Sense in two different ways.
- Secure communication on global level.
  This option is available in Qlik Sense Enterprise on Windows.
- Secure communication on connection level.
  This option is mandatory in Qlik Sense Enterprise SaaS and Qlik Sense Enterprise on Kubernetes.
  This option is not available in Qlik Sense Enterprise on Windows.
Securing communication with certificates on global level
If you want to deploy secure communication between Qlik Sense Enterprise on Windows and Qlik Big Data Index on global level, you need to perform the following steps:
- Add the following line to Settings.ini:
  BDIPemDir=<PATH_TO_CLIENT_CERT_FOLDER>
  where <PATH_TO_CLIENT_CERT_FOLDER> is the full path to the folder that contains the public keys root_cert.pem and bdi_client_key.pem, and the certificate bdi_client_cert.pem.
- Restart the Engine service, as described in Deploy an index cluster.
Securing communication with certificates on connection level
You can also configure secure communication between Qlik Sense and Qlik Big Data Index using certificates on connection level.
- Prepare the certificate bdi_client_cert.pem.
- Package the certificate in an encrypted PFX/PKCS12 file. You will need to provide a password which is used when creating the data connection.
  $ openssl pkcs12 -export -out bdi_client.pfx -inkey bdi_client_key.pem -in bdi_client_cert.pem -certfile root_cert.pem
- Create a data connection in Qlik Big Data Index using the packaged certificate and the password you provided.