Qlik Sense: Cannot access QMC or Hub. Error in repository log: implementation not part of Windows FIPS validated cryptographic algorithmsArticle Number: 000005559 | Last Modified: 2019/01/17
- Qlik Management Console (QMC) cannot be accessed using either localhost or hostname when attempting to connect
- After enter license the error message pop up as below:
- Hub cannot be accessed, either locally or remotely
- Looking into the repository log (*_system_repository.txt located in %ProgramData%\Qlik\Sense\Log\Repository) indicates an error:
Fatal exception This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Qlik Sense is not FIPS compliant with and will probably not be.
Microsoft doesn't recommend to use the FIPS compliance check in Windows. https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/
Check if FIPS has been enabled in Local Policy Security Setting through below steps:
- From Windows interface, navigate to Start > Control Panel
- Open Administrative Tools
- Open Local Security Policy
- In Local Security Policy, navigate to Security Settings > Local Policies > Security Options
- In the right pane, locate and double-click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
- Click Disabled to disable the policy (if enabled)
- Close Local Security Settings window
Note: Local policies may be enforced using Group Policy Objects configured in your network. If unsure, verify whether the policy is being enforced in your network if you are unable to change this policy. A few places can be checked: http://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/
Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. In this mode Microsoft .NET Framework applications only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant.
What is FIPS mode?
The only cryptographic algorithm classes that can be instantiated are those where the names of the class end in "CryptoServiceProvider" or "Cng." Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed," cause an InvalidOperationException exception to occur.
Even though for example SHA256Managed class is using a FIPS validated algorithm (SHA256), this implementation has never been submitted to NIST for validation and cannot be instantiated when FIPS mode is enabled.
For additional information from Microsoft, see: http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
If the customer needs to run the system with FIPS check enabled in Windows we have two options:
- Get a exception from the need to run Windows with the FIPS check
- A workaround as below on how you can turn off the FIPS check for Qlik Sense. This lets the system still run the server with FIPS check enabled but Sense will not enforce it.
Running Qlik Sense on Windows systems with FIPS compliance enabled
1. Install central node select to not start services
2. Change configuration files as described in section below
3. Install the rim node select not to start the services
4. Change the configuration files as described in section below
5. Start the services on the rim node
6. Register the node in the QMC (occasionally in my test I had to select the node from the overview page and press the button “Redistribute” to get the password to unlock the certificates)
7. Unlock certificates
Add to the <configuration>, <runtime> section of the configuration files below the parameter <enforceFIPSPolicy enabled="false"/>
<?xml version="1.0" encoding="utf-8"?>
<add key="SenseHome" value=""/>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
<assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-126.96.36.199" newVersion="188.8.131.52"/>
Have a Question?
Search Qlik's Support Knowledge database or request assisted support for highly complex issues.Submit a case
Experiencing a serious issue, please contact us by phone. View phone numbers and hours by region.