Certificate Trust
In QlikView Server, if you choose digital authentication, you use certificates for authentication and authorization. A certificate provides trust between server machines. In addition, dynamic encryption keys are used for sensitive data. The default configuration in QlikView relies on Windows trust (hard-coded cryptographic keys).
Architecture
In a QlikView Server installation, certificates authenticate and authorize communication between services running on multiple servers. The certificates include a SecretsKey that handles encryption and decryption of data such as passwords and connection strings.
Configuring certificates in a multiple server deployment within QlikView removes the dependency on a QlikView Administration Group for establishing trust. You can also use certificates to build a trust domain between QlikView services that are located in different domains without having to share an Active Directory (AD) or other user directories.
QlikView Server uses the following digital certificates for authentication and authorization:
Location | Issued To | Issued By | Description |
---|---|---|---|
Local Computer / Personal | <machine-name> | QlikViewCA | Server |
Local Computer / Personal | QVProxy | QlikViewCA | Client |
Local Computer / Trusted Root Certification Authorities | QlikViewCA | QlikViewCA | Root |
Certificates are managed from the Microsoft Management Console (MMC).
The architecture is based on the QlikView Management Service (QMS) acting as the certificate manager or Certificate Authority (CA). The QMS can create and distribute certificates to all services in the QlikView installation.
QMS is therefore an important part of the security solution and has to be managed from a secure location to keep the certificate solution secure.
The root certificate for the installation is stored on the QMS server. All servers with QlikView services that are to participate in the installation receive certificates signed using the root certificate when added to the QMS. The QMS (that is, the CA) issues digital certificates that contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by the QlikView services. The certificate enables the QMS to validate the authenticity of the service. This means that the QMS is responsible for saying “yes, this service deployed on this server is a service in my installation”.
After the servers have received certificates, the communication between the QlikView services is encrypted using HTTPS (SSL/TLS encryption). The certificates only secure the communication between the services on the servers. The certificates do not secure the communication with the end user (that is, the certificates are not used for QlikView plug-in, client, or web server communication with the QVS).
The following diagram shows a multi-node QlikView Server deployment where the QMS (the Certificate Authority) distributes the certificates to the machines where the other services are installed.
Qlik License Service
In QlikView April 2019 or later, the Qlik License Service is always installed, but it is actively used only when QlikView Server is licensed using a signed key. The Qlik License Service is installed on the machine running the QlikView Management Service (QMS), and handles certificates differently from the other services.
When the QlikView Management Service (QMS) is started for the first time, the Root and Server certificates are automatically exported and made available to the Qlik License Service. The certificates are exported as the following files:
- root.pem
- server.pem
- server_key.pem (this file contains the Server certificate key)
By default, these files are stored in the following location: %ProgramData%\QlikTech\LicenseService\Exported Certificates.
Requirements
The following requirements must be fulfilled for the certificate trust to function properly:
- Certificate trust cannot be partially implemented. It is either used by all services in the QlikView installation or not at all.
- Certificate trust is only supported by Windows Server 2008 and later.
- Make sure that all machines use QlikView Server 12.00 or later. In QlikView Server 11.20 or earlier, a different method of encryption is used. Old certificates are not compatible with an installation running QlikView 12.00 or later and new certificates need to be generated.
- If it is an initial installation of QlikView Server, install and configure the QlikView services without any modification. Prior to configuring the use of certificates, start and stop the services on the servers (that is, machines) where the QlikView services are deployed.
- Section Access management must not be configured in environments where certificate trust is configured.
- Ensure that you back up the following three certificates on the machine running the QlikView Management Service (QMS) every time they are updated:
Location | Issued To | Issued By | Description |
---|---|---|---|
Local Computer / Personal | <machine-name> | QlikViewCA | Server |
Local Computer / Personal | QVProxy | QlikViewCA | Client |
Local Computer / Trusted Root Certification Authorities | QlikViewCA | QlikViewCA | Root |
For more information on how to back up certificates, see: Backing up and restoring certificates.
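The following PowerShell script is an added example and is not part of the Qlik documentation. Run it on the QMS machine to check that the three certificates in the table above are present in the expected stores, are issued by QlikViewCA, chain to the QlikViewCA root, and to see how many days remain before each expires; it assumes that the MMC "Issued To" and "Issued By" columns correspond to the subject and issuer common names.

```powershell
# Added example, not from the Qlik documentation: checks on the QMS machine that
# the three certificates in the table above exist, are issued by QlikViewCA,
# chain to the QlikViewCA root, and reports days until expiry. Assumption: the
# MMC "Issued To"/"Issued By" columns are the subject/issuer common names.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Expected rows: certificate store, Issued To, Issued By, role (from the table).
$expected = @(
    @{ Store = 'My';   IssuedTo = $env:COMPUTERNAME; IssuedBy = 'QlikViewCA'; Role = 'Server' },
    @{ Store = 'My';   IssuedTo = 'QVProxy';         IssuedBy = 'QlikViewCA'; Role = 'Client' },
    @{ Store = 'Root'; IssuedTo = 'QlikViewCA';      IssuedBy = 'QlikViewCA'; Role = 'Root'   }
)
# Thumbprints of every QlikViewCA root currently trusted on this machine.
$rootThumbprints = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo($nameType, $false) -eq 'QlikViewCA' } |
    ForEach-Object { $_.Thumbprint })

foreach ($row in $expected) {
    $cert = Get-ChildItem "Cert:\LocalMachine\$($row.Store)" |
        Where-Object {
            $_.GetNameInfo($nameType, $false) -eq $row.IssuedTo -and
            $_.GetNameInfo($nameType, $true)  -eq $row.IssuedBy
        } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        Write-Warning "$($row.Role) certificate not found: '$($row.IssuedTo)' issued by '$($row.IssuedBy)' in LocalMachine\$($row.Store)"
        continue
    }

    # Build the chain as Windows would. Revocation checking is disabled because
    # the chain is entirely local; enable it if your CA publishes a CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)
    # The last chain element is the anchor the chain ended on (if any).
    $anchor = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint }

    [pscustomobject]@{
        Role               = $row.Role
        IssuedTo           = $row.IssuedTo
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey
        DaysToExpiry       = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ChainBuilds        = $builds
        ChainsToQlikViewCA = $rootThumbprints -contains $anchor
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

A Server or Client row with HasPrivateKey set to False, or a ChainsToQlikViewCA value of False, indicates that a backup restore or certificate regeneration is needed before the services can trust each other.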
In addition, the technical requirements described in the following sections also have to be fulfilled.
Certificate ports
This section describes the ports that you need to open when configuring certificate trust.
The ports that are listed in the following table are needed for service to service communication and have to be configured as “open”.
For more information on QlikView ports, see: Ports.
Service | Ports | SSL/TLS-enabled Ports |
---|---|---|
QlikView Server | 4747, 4749 | 4749 |
QlikView Distribution Service | 4720 | 4720 |
QlikView Web Server | 4750, 80, 443 | 4750, 443 |
QlikView Management Service | 4780, 4799 | 4780, 4799 |
Directory Service Connector | 4730 | 4730 |
The ports that are listed in the following table are needed for the certificate installation procedure on the local server.
Service | Ports |
---|---|
QlikView Distribution Service | 14720 |
Directory Service Connector | 14730 |
QlikView Web Server | 14750 |
The following table lists the protocols that are used for communication on the ports that are specified in this section.
Service | Protocol |
---|---|
QlikView Server | QVPX over SSL/TLS |
All other services | SOAP over SSL/TLS |
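The following PowerShell script is an added example and is not part of the Qlik documentation. It opens a TLS session to each SSL/TLS-enabled service port from the port table above and reports the certificate each service presents, so you can confirm that service-to-service traffic is protected by a QlikViewCA-issued certificate after certificate trust has been configured. The host names are placeholders that you replace with the nodes of your deployment.

```powershell
# Added example, not from the Qlik documentation: performs a TLS handshake on
# each SSL/TLS-enabled service port from the port table and reports the
# certificate the service presents. Host names are placeholders.
$targets = @(
    @{ Host = 'qms.example.local'; Ports = 4780, 4799 },  # QlikView Management Service
    @{ Host = 'qvs.example.local'; Ports = 4749 },        # QlikView Server (QVPX over SSL/TLS)
    @{ Host = 'qds.example.local'; Ports = 4720 },        # QlikView Distribution Service
    @{ Host = 'qws.example.local'; Ports = 4750, 443 },   # QlikView Web Server
    @{ Host = 'dsc.example.local'; Ports = 4730 }         # Directory Service Connector
)
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
# Accept whatever the service presents during the probe and inspect it afterwards,
# so an unexpected or untrusted certificate is reported instead of hidden by an exception.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [ordered]@{ Host = $t.Host; Port = $port; Tls = $null; IssuedTo = $null; IssuedBy = $null; Expires = $null; Error = $null }
        try {
            $client.Connect($t.Host, $port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($t.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $result.Tls      = $ssl.SslProtocol
            $result.IssuedTo = $cert.GetNameInfo($nameType, $false)   # expect <machine-name>
            $result.IssuedBy = $cert.GetNameInfo($nameType, $true)    # expect QlikViewCA
            $result.Expires  = $cert.NotAfter
            $ssl.Dispose()
        } catch {
            # A refused connection, a port that is not listening, or a service that
            # aborts the handshake because no client certificate was offered all land here.
            $result.Error = $_.Exception.Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}
```

A row whose IssuedBy is not QlikViewCA means that port is not yet protected by the certificate trust described on this page, and a row with an Error should be compared against the required open ports listed above.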