Dec 18, 2023 4:55:59 AM
Nov 1, 2022 4:04:15 AM
Some connectors require an encryption key before you create or edit a connection. Failing to generate a key will result in:
Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING - you must manually set an encryption key before creating new connections.
Qlik Sense Desktop February 2022 and onwards
Qlik Sense Enterprise on Windows February 2022 and onwards
all Qlik Web Storage Provider Connectors
Google Drive and Spreadsheets Metadata
PowerShell demo on how to generate a key:
# Generates a 32 character base 64 encoded string based on a random 24 byte encryption key
function Get-Base64EncodedEncryptionKey {
    $bytes = new-object 'System.Byte[]' (24)
    (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [System.Convert]::ToBase64String($bytes)
}

$key = Get-Base64EncodedEncryptionKey
Write-Output "Get-Base64EncodedEncryptionKey: ""${key}"", Length: $($key.Length)"
Example output:
Get-Base64EncodedEncryptionKey: "muICTp4TwWZnQNCmM6CEj4gzASoA+7xB", Length: 32
This command must be run by the same user that is running the Qlik Sense Engine Service (Engine.exe). For Qlik Sense Desktop, this should be the currently logged-in user.
Do the following:
Open a command prompt and navigate to the directory containing the connector .exe file. For example:
cd "C:\Program Files\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage"
Run the following command:
QvWebStorageProviderConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the OpenSSL command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr
You will receive a confirmation message:
Info: Set key. New key id=qseow_prm_custom.
Info: key set successfully!
The {sense service user} must be the name of the Windows account which is running your Qlik Sense Engine Service. You can see this in the Windows Services manager. In this example, the user is: MYCOMPANY\senseserver.
Do the following:
Open a command prompt and run:
runas /user:{sense service user} cmd
For example: runas /user:MYCOMPANY\senseserver cmd
Run the following two commands to switch to the directory containing the connectors and then set the key:
cd "C:\Program Files\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage"
QvWebStorageProviderConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the OpenSSL command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr
You should repeat this step, using the same key, on each node in the multinode environment.
Encryption keys will be stored in: "C:\Users\{sense service user}\AppData\Roaming\Qlik\QwcKeys\"
For example, encryption keys will be stored in "C:\Users\QvService\AppData\Roaming\Qlik\QwcKeys\"
Always run the command prompt while logged in with the Qlik Sense Service Account which is running your Qlik Sense Engine Service and which has access to all the required folders and files.
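The most common way this procedure goes wrong on Qlik Sense Enterprise on Windows is setting the key under an account other than the one running the Engine service, so the key lands in the wrong user profile. The following is an added example, not code from Qlik or from the original article: it refuses to set the key unless the current account matches the service account, checks for the confirmation message quoted above, and lists who can read the key store. The function names Resolve-AccountSid and Set-ConnectorEncryptionKey are hypothetical, and locating the service by an Engine.exe image path is an assumption.

```powershell
# Added example (not Qlik's code). Assumptions: the engine service is identified
# by an Engine.exe image path, and the connector sits in the folder named above.
$connectorExe = 'C:\Program Files\Common Files\Qlik\Custom Data\' +
    'QvWebStorageProviderConnectorPackage\QvWebStorageProviderConnectorPackage.exe'

function Resolve-AccountSid([string] $Name) {
    # Win32_Service reports SYSTEM as "LocalSystem" and local accounts as ".\user".
    if ($Name -eq 'LocalSystem') { $Name = 'NT AUTHORITY\SYSTEM' }
    $Name = $Name -replace '^\.\\', "${env:COMPUTERNAME}\"
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-ConnectorEncryptionKey {
    param([Parameter(Mandatory)] [string] $Key)

    $engine = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like '*\Engine.exe*' } |
        Select-Object -First 1
    if (-not $engine) { throw 'No service with an Engine.exe image path was found.' }

    # Compare SIDs, not names, so DOMAIN\user, .\user and user@domain all match.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ((Resolve-AccountSid $engine.StartName) -ne $me.User.Value) {
        throw "Running as $($me.Name); the engine service runs as $($engine.StartName)."
    }

    # Run from the connector folder, as the article does, and look for the
    # confirmation text it quotes. The output is not echoed in the error.
    Push-Location (Split-Path $connectorExe)
    try { $output = & $connectorExe /key $Key 2>&1 } finally { Pop-Location }
    if (($output -join ' ') -notmatch 'key set successfully') {
        throw 'The connector did not confirm that the key was set.'
    }

    # The key now sits in this account's profile; return who can read that folder.
    $store = Join-Path $env:APPDATA 'Qlik\QwcKeys'
    (Get-Acl $store).Access | Select-Object IdentityReference, FileSystemRights
}

# Usage, from a prompt started as the service account, same key on every node:
# Set-ConnectorEncryptionKey -Key $key
```

The returned access list should contain only the service account, administrators and SYSTEM; any broader entry means other local users can read the stored key.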
This security requirement came into effect in February 2022. Old connections made before then will still work, but you will not be able to edit them. If you try to create or edit a connection that needs a key, you will receive an error message: Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING - you must manually set an encryption key before creating new connections.
Does this need to be done for OneDrive and Office 365 Sharepoint connections too?
Seeing the exact same error for these other connection types (OneDrive and Office 365 Sharepoint) in the HUB on May 2022 P8 version.
Hello @Ken_T, from my experience, yes. The same needs to be done for OneDrive and Office 365 Sharepoint as well.
@Rakesh_HB works perfectly, thanks!
Thanks for putting together this support article @Rakesh_HB! Would you be able to provide some context around why encryption key is required? Do you know how Qlik Sense is using an encryption key in data connections?
Did more research on this. Both Data Encryption that can be configured in Service cluster section of QMC and browser security that can be configured in Proxy section of QMC use asymmetric encryption and encryption keys from SSL/TLS certificates.
While Data Connection Encryption seems to be using symmetric encryption algorithm and an encryption key generated by the PowerShell script mentioned in this article.
Can anyone please confirm that Data Connection Encryption is using symmetric encryption algorithm?
One more question. What is being encrypted with the encryption key?
Any insight that you can provide is appreciated.
Hello @mbespartochnyy
All the best,
Sonja
Thanks for the reply, @Sonja_Bauernfeind! Do you have any more details on the encryption process and security standards that you mentioned?
Symmetric encryption algorithms tend to use key sizes that are between 56 bits and 256 bits. Setting an encryption key documentation says that the encryption key could be as large as 4,096 bytes (or 32,768 bits). I'm trying to piece those two things together and make sense out of the key size ranges.
Also, if the encryption key that's discussed in this article is used to encrypt data in transit, then whoever is sending the data would need to have a copy of the key to encrypt the data before they send it to our Qlik Sense server. This Community Post suggests that a private key of an SSL certificate can be used as an encryption key. Private key of an SSL certificate is used in asymmetric encryption by asymmetric encryption algorithms. I don't think it's impossible to use asymmetric key within symmetric encryption algorithm, but it sounds odd. Not only that but, more importantly, if the encryption key is used to encrypt data in transit and is shared with data providers, then using a private key of an SSL certificate compromises the certificate.
With that as context, what I'm trying to figure out is:
Do you have any added details that can help clear up the confusion and add clarity around choice of keys and encryption process that we should consider when generating encryption keys for use in web connectors?
Hello @mbespartochnyy
We're reviewing your follow-up question and will get back to you as soon as possible.
All the best,
Sonja
Hi @Sonja_Bauernfeind,
Once I have set up the encryption keys on one node, can I simply copy the Qwckeys folder to the other rim nodes, or do I need to run the PowerShell script on every node?