TLS and SSL Support in Qlik Sense: How to configure Qlik Sense and TLS

Sonja_Bauernfeind
Digital Support

Last Update: Jan 15, 2024 2:57:54 AM

Updated By: Sonja_Bauernfeind

Created date: Oct 8, 2015 7:26:56 PM

This article is currently under review. 

There are environments where the cryptographic protocols available to the Windows Operating System need to be restricted for security or compliance reasons. This article will outline where various TLS versions are supported. This article will not have full coverage of the impact of TLS changes to other software installed on the Qlik Sense server. For examples of potential impacts:

 

Resolution

Current versions of Qlik Sense:

Note:  Prior to Qlik Sense Enterprise on Windows April 2018 release, certain internal only micro-services will still listen using TLS 1.0 / 1.1.

  • Reference Defect: QLIK-95026 / License.exe using weaker cipher suites. This is fixed in Qlik Sense September 2019 and higher: see License Service's Ciphers Being Flagged by Security Scan.
  • Reference Defect: QLIK-85492 / Node.exe still listening on TLS 1.0/1.1 or SSL even after they are disabled in Windows. This is resolved in Qlik Sense April 2018 (12.16.2). Under a scan, it would still appear that TLS 1.0/1.1 is available on port 9090, but it is not actively used, thus honoring the spirit of the change in function.
    Further Reading: Qlik Sense Ports not honouring TLS version prior to April 2018

 

Qlik Sense older and unsupported versions:

  • Support for TLS 1.2:
    • Qlik Sense 2.0.7
    • Qlik Sense 2.2
    • Reference Defect: QLIK-41579 / TLS 1.2 is not supported by the proxy
  • Support for TLS 1.2 only (with TLS 1.0 and TLS 1.1 disabled) for all external facing ports:

 

Implementation

To enable a strong TLS implementation, make sure all your servers are updated to versions of both the operating system and the Qlik software that explicitly state support for the required version of TLS.

If you have a clustered environment with multiple nodes spread across different machines, make sure to enable the same subset of protocols on all Sense machines; otherwise, the services will not be able to communicate successfully.

Using a third-party toolset

Third-party tools such as IIS Crypto can be used to enable and disable SSL or TLS. Consult your Windows administrator or network security team for what tools are usually used in your organization. 

Manual

The correct protocols and ciphers can be applied manually using PowerShell (PS) scripts and changes to the Windows Registry. Consult Microsoft or your Windows administrator for details.
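A read-only check for the cluster requirement above, as an added example (not Qlik or Microsoft code): it reads the SCHANNEL protocol keys on each node and reports any protocol whose state differs between nodes. The node names are placeholders, and it assumes PowerShell remoting is enabled and the account has administrator rights on every node.

```powershell
# Added example: compare SCHANNEL protocol settings across Qlik Sense nodes.
# Node names are placeholders; replace them with your own machines.
$Nodes     = @('qs-central.example.local', 'qs-rim01.example.local')
$Protocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

# Runs on each node: read the "Enabled" value per protocol and role.
$ReadSchannel = {
    param([string[]]$Protocols)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $v = Get-ItemProperty -Path "$base\$p\$role" -ErrorAction SilentlyContinue
            # A missing key or value means the default of that Windows version applies.
            if ($null -eq $v -or $null -eq $v.Enabled) { $state = 'OSDefault' }
            elseif ($v.Enabled -eq 0)                  { $state = 'Disabled' }
            else                                       { $state = 'Enabled' }
            [pscustomobject]@{
                Node    = $env:COMPUTERNAME
                Setting = "$p/$role"
                State   = $state
            }
        }
    }
}

# Requires PowerShell remoting (WinRM) to every node.
$rows = Invoke-Command -ComputerName $Nodes -ScriptBlock $ReadSchannel `
                       -ArgumentList (,$Protocols)

# One row per setting; Consistent is False when the nodes disagree.
$rows | Group-Object Setting | ForEach-Object {
    [pscustomobject]@{
        Setting    = $_.Name
        Consistent = (@($_.Group.State | Sort-Object -Unique).Count -eq 1)
        PerNode    = ($_.Group | ForEach-Object { "$($_.Node)=$($_.State)" }) -join '; '
    }
} | Sort-Object Setting | Format-Table -AutoSize
```

A state of OSDefault has to be resolved against the defaults of the Windows version on that node, so two nodes on different OS versions can both report OSDefault and still behave differently.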

 

Related Content

IIS Crypto is an example 3rd party tool that can be used to achieve this. IIS Crypto is not supported by Qlik, but by its respective vendor, NARTAC Software. To obtain IIS Crypto, visit https://www.nartac.com/Products/IISCrypto

Comments
HendrikJ
Contributor III

@Sonja_Bauernfeind 

Is there an updated version of this that shows how to configure Qlik Sense properly with up to date ciphers?

I already posted this elsewhere:

I know this is old, but unfortunately, this still is an issue.

The license service, chat service, proxy service, and others popped up in a security scan for weak ciphers or known vulnerabilities.

We then configured the ciphers for the license service manually:

-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 

Unfortunately, that still leaves us with ciphers with no forward secrecy. If we remove the RSA ciphers, Qlik does not work anymore, probably because the other services can not talk to the license service anymore.

This is also the case for other Qlik services (webchat and others). We already had to remove all CBC ciphers system wide (because of the Goldendoodle vulnerability of the Qlik Proxy), and we now need to disable all RSA ciphers also (see https://support.qlik.com/articles/000115202). That in turn makes Qlik not work anymore.
I would be very happy if someone could please point me in a direction where I can find a collection of ciphers and settings that I can enable so the various Qlik services are using up to date ciphers with forward secrecy and everything still works. I was not able to find anything like that so far.

 

Sonja_Bauernfeind
Digital Support

@HendrikJ  Let me see what I can dig up for you! 

Sonja_Bauernfeind
Digital Support

Hello again @HendrikJ 

I've connected with some of our Subject Matter Experts - and since this would fall back to specific ciphers and services, we'd need to request a support ticket where you can outline exactly which ciphers are causing issues and which services. We can then reproduce this in-house by disabling the same ciphers - and take our findings to our internal security team for review.

I've also been pinged by one of our engineers in the meantime and it looks like a ticket might have already been created.

HendrikJ
Contributor III

Thanks a lot @Sonja_Bauernfeind ! That's correct, one of my colleagues opened a ticket for this.

I just did some testing with Qlik November 2020 newest patchlevel, and it looks much better than the older version. I may actually be able to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with everything and Qlik still seems to work. That should satisfy our security requirements.
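The property check behind the cipher discussion in the comments above, as an added example (not part of any comment and not Qlik code): it parses the suite names from the -cipher-suites value in the first comment and the two suites named in the November 2020 follow-up, and reports which use an ephemeral key exchange (forward secrecy) and which use CBC. The function name Get-CipherSuiteProperty is hypothetical.

```powershell
# Added example. $CommentList is the -cipher-suites value quoted in the first comment;
# $RetestList holds the two suites named in the November 2020 follow-up.
$CommentList = 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
$RetestList  = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

function Get-CipherSuiteProperty {
    param([Parameter(Mandatory)][string]$List)
    $names = $List -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        # TLS 1.2-style names: TLS_<key exchange>_WITH_<cipher and mode>_<hash>
        if ($name -notmatch '^TLS_(?<kx>.+?)_WITH_(?<cipher>.+)_(?<mac>[^_]+)$') {
            Write-Warning "Not a TLS 1.2-style suite name: $name"
            continue
        }
        $kx     = $Matches['kx']
        $cipher = $Matches['cipher']
        if ($cipher -like '*_GCM' -or $cipher -like '*_CCM*' -or $cipher -like 'CHACHA20*') {
            $mode = 'AEAD'
        }
        elseif ($cipher -like '*_CBC') { $mode = 'CBC' }
        else { $mode = 'Other' }
        [pscustomobject]@{
            Suite          = $name
            KeyExchange    = $kx
            # Only ephemeral (EC)DHE key exchange gives forward secrecy;
            # TLS_RSA_* suites use static RSA key transport.
            ForwardSecrecy = [bool]($kx -like 'ECDHE_*' -or $kx -like 'DHE_*')
            Mode           = $mode
        }
    }
}

$report = Get-CipherSuiteProperty -List $CommentList
$report | Sort-Object ForwardSecrecy, Mode | Format-Table -AutoSize

# Suites that fall under either concern raised in the thread (no forward secrecy, or CBC)
$report | Where-Object { -not $_.ForwardSecrecy -or $_.Mode -eq 'CBC' } |
    Select-Object -ExpandProperty Suite

Get-CipherSuiteProperty -List $RetestList | Format-Table -AutoSize
```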
