Adding Cipher Suite for Qlik Data Transfer on Windows 2012 R2

Benoit_C · Jun 29, 2023 3:05:10 AM

All the steps below need to be performed by Windows Administrator on Windows level. These steps are not supported by Qlik Support. Consult Windows Support before proceeding.

Warning: This change can negatively affect NPrinting. NPrinting should not be installed on the same machine as Qlik Data Transfer.

See the following article for Cipher Suite Requirements: Cipher Suite Requirements

To add the required Cipher Suite:

In the Windows server, open gpedit.msc and click on Enabled for Computer Configuration
Expand Administrative Templates
Expand Network and SSL Configuration Settings -
Open SSL Cipher Suite Order

Copy past in the below to the Options field:

The Ciphers in this list include the needed Cipher for QDT May SR1 + the Cipher already present in our standard Windows 2012 R2 machine.

Generic weak Ciphers have already been removed from the list, but if you are looking for additional information on how Ciphers can be enabled/disabled, see Disabling Weak Cipher suites for TLS 1.2 on a Windows machine running Qlik Sense Enterprise on Windo....

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Click Apply and OK.
(Important) Restart the server.

The Cipher Suites will now be correctly listed:

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Environment:

Qlik DataTransfer

Fred · ‎2022-03-06

Hi @Benoit_C ,

Can you elaborate a bit on the NPrinting impact?
You say this can negatively impact NPrinting, but are we talking performance-wise or functionality-wise?

In this article, you also state that NPrinting should not be installed on the same machine as QDT.
I cannot find this on the Qlik Help & QDT System Requirements?
Is this a hard requirement?

Thanks.

Benoit_C · ‎2022-03-07

Hi @Fred,

If you do use Qlik Data Transfer in a Production server we recommend to have a dedicated server for it.

For the NPrinting impact with Windows 2012, Qlik Data Transfer doesn't need the same Cipher than Nprinting, that's why we've put the warning.

For Qlik Data Transfer:

https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/QlikDataTransfer/install...

For NPrinting:

https://help.qlik.com/en-US/nprinting/May2021/Content/NPrinting/DeployingQVNprinting/TLS-cipher-suit...

thiago_tsds · ‎2022-04-29

Guys
There is a dot '.' after MD5.
Replace with ','

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Benoit_C · ‎2022-05-02

Corrected, thanks @thiago_tsds

afujikawa · ‎2023-06-29

Hi @Benoit_C,

https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/QlikDataTransfer/install...
The above help includes the following statement.
"For instructions for updating the TLS Cipher Suite in your system or to disable weak ciphers in the Qlik DataTransfer environment, see the following community article:"
The link is to this article.

Screenshot 2023-06-29 at 130756.png

However, I don't think this article contains the steps to disable weak ciphers.
Could you tell me the steps to disable weak ciphers?

Thanks.

Benoit_C · ‎2023-06-29

Hi @afujikawa,

I believe you are looking for the below article:
https://community.qlik.com/t5/Official-Support-Articles/Disabling-Weak-Cipher-suites-for-TLS-1-2-on-...

Regards,
Benoit

Sonja_Bauernfeind · ‎2023-06-29

Hello @afujikawa

We've updated the article to add clarity. The Cipher suites listed in this article are sufficient and already do not include known weak ones. It should be all you need to get started. If, however, you need more details on reviewing the Cipher suites, I added a link to the article that Benoit mentioned.

Though we of course also recommend Windows documentation itself, as this will provide you with more in-depth explanations. What you need to remember are the Ciphers the Data Gateway needs when you start planning what to disable; otherwise, you'll be good to go.

All the best,
Sonja

afujikawa · ‎2023-07-18

Hi @Benoit_C @Sonja_Bauernfeind

Thanks for the quick reply.
Sorry for the late reply.
I understood the following.

1. If Qlik DataTransfer May 2021 or later is used on Windows Server 2012 R2, it is necessary to do the steps in this article.
2. "The Cipher suites listed in this article are sufficient and already do not include known weak ones."
Therefore, disabling is not necessary.

Thanks.

Benoit_C · ‎2023-07-18

Hi @afujikawa, yes that's correct 👍

Adding Cipher Suite for Qlik Data Transfer on Windows 2012 R2