Qlik Sense 3.1 SR4 comes with improved support for the .NET SSL/TLS implementation. It is now possible to configure the .NET Framework to allow TLS v1.2 and to disable TLS v1.1 and TLS v1.0. If the Qlik Help website indicates that TLS 1.0 is required, please note that this is incorrect, per "Is TLS 1.0 required in Qlik Sense Enterprise?"
This does come with some limitations that are important to be aware of:
.NET framework support
Depending on the version of Windows that Qlik Sense 3.1 SR4 is deployed on, some updates might be needed. .NET Framework 4.6 is required to support TLS v1.2.
If the Qlik Sense 3.1 SR4 deployment is expected to use ODBC connectors, the ODBC drivers in Windows might need to be updated. As with .NET, this is not a limitation in the Qlik Sense product, but the drivers must be up to date to communicate successfully using TLS v1.2.
It is left to the reader to investigate whether the ODBC drivers need to be updated and to perform the update if needed.
As reference, Qlik has seen positive results using the Microsoft provided ODBC driver 13.1: https://www.microsoft.com/en-us/download/details.aspx?id=53339
If the deployment does not contain a properly set up PKI structure with CA and server certificates, the ODBC connector has been known to be unable to communicate with certain databases. If setting up a proper PKI structure is not an option, the Microsoft ODBC driver 13.1 contains a setting called “Use strong encryption”. Enabling it allows a second setting, “Trust Server Certificate”, to be enabled as well. With this second option enabled, the connector will be able to communicate with a server even though the server does not present a server certificate that is accompanied by a proper CA certificate.
Qlik strongly advises that a PKI structure is in place when utilizing TLS communication.
The .NET Framework relies on settings available in the Windows Registry. Thus, to modify how Qlik Sense 3.1 SR4 communicates securely, the Windows Registry needs to be modified. As this can be a complicated maneuver, Qlik has provided a companion document that describes how to make the necessary changes.
Configuring SSL/TLS for Qlik Sense 3.1 SR4
Some changes will be done to the underlying OS. Making any changes to the OS could affect it or other applications relying on specific settings. Always make sure to have a full understanding of what ramifications a change could have, and at the very least make sure to have up to date backups of all important data. It is recommended that any changes should first be tested out on a staging environment.
There are many SSL/TLS-related settings available for the .NET Framework in Windows. Apart from enabling and disabling specific protocol versions, other minor configurations can be made as well. With the new 3.1 SR4 release, Qlik Sense has received improved support for the available settings.
There are different ways of configuring the SSL/TLS settings. This document will showcase three approaches. They are to be regarded as reference only.
Configuring SSL/TLS manually
The following registry paths point towards the different versions:
To enable, for example, TLS v1.1, the following changes need to be made:
- Open the registry editor as administrator on the server
- Navigate to the registry path for TLS v1.1 according to the bullet list above. Create it if it does not already exist.
- Add a new key named “Server”
- Navigate into the newly created “Server” key
- Create a DWORD value named “Enabled”
- Set the “Enabled” value to 1
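The manual steps above, scripted with a dry run and a read-only audit. This is an added example, not the Qlik reference script or the companion document's content. The function names are hypothetical, and the SCHANNEL registry path is the standard Windows location, assumed here because the path list is not reproduced on this page.

```powershell
# Added example. The SCHANNEL path below is the standard Windows location for
# protocol settings; it is an assumption here, not copied from the Qlik document.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelServerProtocol {
    # Hypothetical helper: performs the manual steps (Server key, Enabled DWORD).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )
    $path  = Join-Path (Join-Path $SchannelBase $Protocol) 'Server'
    $value = [int]$Enabled
    if ($PSCmdlet.ShouldProcess($path, "Set Enabled = $value")) {
        # Create the protocol and Server keys only when missing, so existing values survive.
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Enabled' -Value $value -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelServerProtocol {
    # Read-only audit: reports what is explicitly configured for each protocol.
    foreach ($protocol in $Protocols) {
        $path  = Join-Path (Join-Path $SchannelBase $protocol) 'Server'
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $state = if ($null -eq $props -or $null -eq $props.Enabled) {
            'not set (OS default applies)'
        } elseif ($props.Enabled -eq 0) {
            'disabled'
        } else {
            'enabled'
        }
        [pscustomobject]@{ Protocol = $protocol; Role = 'Server'; State = $state; Path = $path }
    }
}

# Preview the change from the example in the text (TLS v1.1) without writing anything,
# then list the current state. Remove -WhatIf to apply; run elevated.
Set-SchannelServerProtocol -Protocol 'TLS 1.1' -Enabled $true -WhatIf
Get-SchannelServerProtocol | Format-Table -AutoSize
```

Schannel reads these values at startup, so an applied change takes effect after the server is restarted. A state of "not set" means the operating system default for that protocol is in use, which differs between Windows versions.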
Configuring SSL/TLS using PowerShell
As reference, Qlik has the following script available for use when configuring SSL/TLS in Windows. It is configured according to best practices from Microsoft when it comes to SSL/TLS and cipher suites. Before it is used in any environment, it should be reviewed and approved.
To run the script, start PowerShell as administrator. Since the script is a reference implementation, it is not signed. Thus, the environment may need to allow unsigned scripts to be executed. Should this not be an option, the reader will need to either create their own script and sign it according to their own internal best practices, or sign the one provided by Qlik as reference.
Allowing unsigned scripts to be executed can be accomplished by running the following command in the PowerShell window:
Then navigate to the folder where the script "tls_config_1.3.3.ps1" is stored, and run it.
The script will by default enable TLS v1.0, v1.1 and v1.2. These can be controlled at execution through the use of flags. Please review the script help-section for further information about the available flags.
Run the TLS script with flags for enabling or disabling protocols:
./tls_config_1.3.3.ps1 -ssl3 0 -tls1 0 -tls11 0 -tls12 1
Configuring SSL/TLS using other tools
There are GUIs available in Windows to manage the SSL/TLS settings, which can be used for the same results. There are also 3rd party applications that can be used, one example being “IIS Crypto” from Nartac. The reader is encouraged to have experience in any application used and to be fully aware of what changes are done by it.
For Windows Server 2008 R2 see the documentation: