Thursday 1 November 2018

How to Change the Qlik Sense Service Account - Considerations when changing the Sense Service account



Work to Prepare for the activity:-


  • Record the Share Path:
    • Navigate in the QMC > Service Cluster and record the Root Folder
User-added image

Changing Qlik Sense dependencies

  • Stop all Qlik Sense services
  • Ensure permissions on the Program Files path (this should be provided by Local Administrator rights):
    • Navigate to the installation path (default: C:\Program Files\Qlik)
    • Select the Sense folder > Right Click > Properties > Security > Edit > Add
      • Lookup the new service account
      • Ensure that the account has Full control over this folder
  • Ensure permissions on the %ProgramData% path (this should be provided by Local Administrator rights):
    • Navigate to the installation path (default: C:\ProgramData\Qlik)
    • Select the Sense folder > Right Click > Properties > Security > Edit > Add
      • Lookup the new service account
      • Ensure that the account has Full control over this folder
  • Ensure access to the certificates used by Qlik Sense
    • Start > MMC > File > Add/Remove Snap-In > Certificates > Computer Account > Finish
      • Go into Certificates (Local Computer) > Personal > Certificates
      • For the Qlik CA server certificate
        • Select > Right Click > All Tasks > Manage Private Keys > Ensure that the new service account has control
      • If using a third party certificate, do the same
  • Ensure access to the Service Cluster path used by Qlik Sense
    • Start > Computer Management > Shared Folders > Shares > Select the Share path
    • Right click on the Share Path > Properties > Share Permissions > Add the new service account to have full control
    • Open Windows File Explorer and navigate to the folder (e.g. C:\Share) > Right click on the folder > Security > Edit > Add the new service account to have full control
  • Start the Qlik Sense Repository Database
  • Ensure that the AppImport folder used by Qlik Sense for staging app imports will be accessible by the new service account:
    • Open a connection to the QSR database:
      • Open a Command Prompt
      • C:\"Program Files"\Qlik\Sense\Repository\PostgreSQL\9.6\bin\psql.exe -h localhost -p 4432 -U postgres -d QSR -e
        • Note: If Qlik Sense is installed in another location, then the above path will need to be adjusted
        • Note: If using Qlik Sense 3.x Shared Persistence, then the above path may need to be adjusted to the 9.3 directory rather than the 9.6 directory
    • Type in \x to enable extended mode on the terminal
    • For builds X-Y: SELECT "AppImportFolder" FROM "RepositoryServiceSettings";
    • For builds X-Y: SELECT "Temporaryfilepath" FROM "ServerNodeConfigurations";
    • If this path points to a user's profile or other path which the new service account does not have access to, then run this style of command:
      • UPDATE "public"."RepositoryServiceSettings" SET "AppImportFolder"='C:\foo' WHERE "AppImportFolder"='C:\Users\....';
      • UPDATE "public"."ServerNodeConfigurations" SET "Temporaryfilepath"='C:\foo' WHERE "AppImportFolder"='C:\Users\....';
      • Note: Ideal location is a path like C:\ProgramData\Qlik\Sense\Apps which is not tied to an individual user's account
  • Ensure membership in the Local Groups that Qlik Sense requires:
    • Start > Computer Management
    • Navigate to Local Users and Groups > Local Groups
    • Add the new service account as a member of:
      • Administrators (if using this configuration option)
      • Performance Monitor Users
      • Qlik Sense Service Users
  • Now for all Qlik service (except the Qlik Sense Repository Database Service) swap the account over by using the windows services control panel
  • Start the remaining Qlik Sense Services
  • Access the QMC to validate functionality, preferably as a previously configured RootAdmin
  • Access the Data Connections section of the QMC
  • Toggle the User ID field and change the data connections used by the License and Operations Monitor apps to use the new user ID and password:
User-added image
  • Execute the License Monitor reload task
  • Add the RootAdmin role to the new service account
    • QMC > Users
    • Filter on the new UserID > Edit
    • Add RootAdmin role
  • Inspect the configured User Directory Connectors and change the User ID and password combination if previously configured

External Dependencies:

  • Go into the QMC > Data Connections section
  • Inspect all Folder data connections and determine all network shares that the service account needs access to. Either change them yourself or alert the necessary teams to provide both Share and NT level access to these shares.
  • Inspect all Data Connections and ensure that none use the old Service account and password
    • Follow up with necessary teams to provision access to data sources which used the old credentials.
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Nprinting- (ver -16) Server Certificate Update Process

Certificate Update Process for QLIK Nprinting Import the certificate to QV Nprinting Server 1. Copy the certificate to the Server th...

  • Migrating Qlik Sense from One Server to Another
    QlikSense Migrating Qlik Sense from One Server to Another On original server • In QMC, go to Certificates section and export new cer...
  • Upgrading Qlik Sense
    Qliksense  Upgradation Qlik Sense From one version to another version & Impact on System of Upgradation On Live Server Upgrad...
  • QlikSense Multinode Installation
    QlikSense QlikSense Multinode Installation Central node(Installation of Central node) Prerequisites (Get Port No 4444,4432,4242, 47...