Jun 16, 2021 8:43:21 AM
Jul 17, 2017 3:22:28 AM
This document provides steps for gathering the information needed to identify TLS, network and certificate related issues. Follow the steps in order, but skip any step that sets up extra logging you judge not to be required. The Qlik certificates should be cleaned out to rule them out as the cause of TLS or other connection issues.
Steps are:
Enable trace logging for the Proxy and Repository services.
For the Proxy service (trace output goes to c:\temp\proxy_trace.log):

<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="System.Net">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.HttpListener">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.Sockets">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.Cache">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="System.Net" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\temp\proxy_trace.log" traceOutputOptions="ProcessId, DateTime" />
  </sharedListeners>
  <switches>
    <add name="System.Net" value="Verbose" />
    <add name="System.Net.Sockets" value="Verbose" />
    <add name="System.Net.Cache" value="Verbose" />
    <add name="System.Net.HttpListener" value="Verbose" />
  </switches>
</system.diagnostics>
For the Repository service (trace output goes to c:\temp\repository_trace.log):

<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="System.Net">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.HttpListener">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.Sockets">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
    <source name="System.Net.Cache">
      <listeners>
        <add name="System.Net"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="System.Net" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\temp\repository_trace.log" traceOutputOptions="ProcessId, DateTime" />
  </sharedListeners>
  <switches>
    <add name="System.Net" value="Verbose" />
    <add name="System.Net.Sockets" value="Verbose" />
    <add name="System.Net.Cache" value="Verbose" />
    <add name="System.Net.HttpListener" value="Verbose" />
  </switches>
</system.diagnostics>
Once the Qlik Sense services are restarted, verbose trace output is written to c:\temp\proxy_trace.log and c:\temp\repository_trace.log respectively.
Note: All Qlik Sense services should be stopped before proceeding.
Note: If the account running the Qlik services is not a member of the local Administrators group, you will need to perform the bootstrap procedure described in the Qlik Sense Online Help section "Using an account without administrator privileges".
Certificate list is truncated during the TLS handshake.
If there is a large number of root certificates, the server may hit the issue described at http://netsekure.org/2011/04/tls-client-authentication-and-trusted-issuers-list/ : the Sense root certificate is then not included in the trusted issuers list that the server sends, so the matching client certificate cannot be found.
This can be worked around by setting the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)
Also make sure that TLS is allowed on the server: for the TLS protocol version(s) in use, none of the "Enabled" values may be present and set to "0", and none of the "DisabledByDefault" values may be present and set to "1", as described here: https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10
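The two SCHANNEL checks above can be done read-only from PowerShell. This is an added example, not part of the Qlik article; it assumes the standard Protocols\<version>\Client|Server layout under the SCHANNEL key and changes nothing.

```powershell
# Added example (not from the Qlik article). Reports the SCHANNEL registry
# settings the article asks you to verify. Read-only.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-RegValueOrNull {
    # Returns the registry value, or $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-SchannelTlsStatus {
    # A protocol side is blocked when Enabled is present and 0,
    # or when DisabledByDefault is present and 1 (the article's two conditions).
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = "$schannel\Protocols\$proto\$side"
            $enabled = Get-RegValueOrNull -Path $key -Name 'Enabled'
            $disabledByDefault = Get-RegValueOrNull -Path $key -Name 'DisabledByDefault'
            $blocked = (($null -ne $enabled) -and ($enabled -eq 0)) -or
                       (($null -ne $disabledByDefault) -and ($disabledByDefault -eq 1))
            $enabledText = if ($null -eq $enabled) { '(absent)' } else { $enabled }
            $dbdText = if ($null -eq $disabledByDefault) { '(absent)' } else { $disabledByDefault }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabledText
                DisabledByDefault = $dbdText
                Blocked           = $blocked
            }
        }
    }
}

# SendTrustedIssuerList = 0 is the workaround for the truncated issuer list.
$stil = Get-RegValueOrNull -Path $schannel -Name 'SendTrustedIssuerList'
if ($null -eq $stil) { 'SendTrustedIssuerList: not set (Windows default applies)' }
else { "SendTrustedIssuerList: $stil" }

$status = Get-SchannelTlsStatus
$status | Format-Table -AutoSize
```

Any row with Blocked = True for the protocol version Sense negotiates explains a failed handshake before looking further at the traces.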
Note: All Qlik services should be stopped before proceeding.
Run the following from the Command Prompt:
netsh trace start capture=yes scenario=netconnection maxsize=2000 filemode=circular overwrite=yes report=no persistent=yes tracefile=c:/Temp/%computername%.etl
This creates two files (.etl and .cab), named after the computer, in the C:/temp directory.
Note: Microsoft Message Analyzer is required to view the logs created. See the Appendix for suggested filter parameters
Shows the listening interfaces for all services, i.e. which IP addresses the Sense services are listening on (the default is empty, meaning all interfaces).
Captures which SSL certificates are bound to specific listening ports.
Captures the certificate thumbprints, which can be matched against the output of the previous command.
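The matching of port bindings to store thumbprints described in the last two steps can be automated. This is an added example, not from the Qlik article; it assumes `netsh http show sslcert` on an English-locale Windows and that bound certificates live in the LocalMachine\My store.

```powershell
# Added example (not from the Qlik article). Correlates each HTTP.sys SSL
# binding with the certificate in LocalMachine\My that has the same thumbprint.
function Get-SslBindingReport {
    # Parse 'netsh http show sslcert' (English labels assumed) into
    # endpoint / hash pairs. Hostname:port covers SNI bindings.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Hash = $null }
            $bindings += $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
    }

    # Index the personal store by thumbprint (store thumbprints are uppercase hex).
    $store = @{}
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $store[$cert.Thumbprint] = $cert
    }

    foreach ($b in $bindings) {
        $cert = $null
        if ($b.Hash) { $cert = $store[$b.Hash] }
        $subject = if ($cert) { $cert.Subject } else { '(not found in LocalMachine\My)' }
        $expired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        [pscustomobject]@{
            Endpoint   = $b.Endpoint
            Thumbprint = $b.Hash
            InStore    = [bool]$cert
            Subject    = $subject
            Expired    = $expired
        }
    }
}

Get-SslBindingReport | Format-Table -AutoSize
```

A binding whose thumbprint is not in the store, or whose certificate has expired, is a likely cause of a failed TLS handshake on that port and worth confirming in the trace.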
Complete whatever steps are needed to reproduce the problem.
Keep a record of the time, as closely as possible, for each step of the testing, or, if it is a short test, of the start and stop times.
Gather logs and undo all changes made to the system.
Note: The Repository and Network trace files can be quite large, so the zip file may need to be split. See your compression tool instructions on how to achieve that.
Note: All Qlik services should be stopped before proceeding.
Reset the TLS registry values if required.
Message Number, Timestamp, PayloadLength, Summary, ProcessName, SourcePort, DestinationPort
Adjust these based on the nature of the problem.
The * is a wildcard matching all field types. Filters can be by protocol or communication type, e.g. TCP, HTTP or LDAP. Use filters aimed at the type of problem.
Download from https://www.microsoft.com/en-au/download/details.aspx?id=44226
Microsoft_Windows_WinHttp.ProcessName == "Repository.exe" or (Windows_Kernel_Trace.ProcessName == "Proxy.exe")
(*ProcessName == "Proxy.exe") And (*DestinationPort == 4242)
There appears to be an issue with McAfee security software that can interfere with the client authentication process. The article explicitly states that self-signed certificates are not affected, but the symptoms can match customer situations and may be worth investigating with McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB87705