Question

Does NPrinting have the ability to send NPrinting reports to a Microsoft Sharepoint or other worldwide web url address destination?

Environment

• Qlik NPrinting: All Versions

Resolution

• It is not possible to automatically distribute Qlik NPrinting reports from an Qlik  NPrinting publish task to any type of HTTP, FTP or any other worldwide web url addresspath.
• Therefore, it is not possible to send NPrinting Reports to an MS SharePoint worldwide web address.
• To workaround, it is possible to use a local or network path as defined in Distributing reports to folders
• Create a network share on the Sharepoint server and use that network folder as a destination for the distribution of your Qlik NPrinting reports.

Local and Network path examples:

• Local: c:\nprinting\output
• network: \\myfileserver\files\nprintingoutput
  
  NOTE: Keep in mind that the NPrinting Scheduler service user account must have NTFS file and folder security permission to access local or network share folder destinations. It must also be in the same domain as the share point or destination server host address path or the NP service account will fail to open the network path.
  

*This feature is not planned nor on the NPrinting road map at this time. You can check our 'ideas' page to determine if this has been requested. You can add your request at the link below if it has not: Ideation 

Related Content

• NPrinting Engine System Requirements
  • Storage: Only Windows, local or shared, storage is supported.

There are environments where the cryptographic protocols available to the Windows Operating System need to be restricted for security or compliance reasons. This article will outline where various TLS versions are supported. This article will not have full coverage of the impact of TLS changes to other software installed on the Qlik Sense server. For examples of potential impacts:

• SQL connection not working with TLS 1.2
• OLEDB Connection not working with TLS 1.2

Resolution

• Full compatibility with TLS 1.2 in all current and supported versions of Qlik Sense Enterprise on Windows
• TLS 1.3 is not yet fully compatible [Internal Reference ID: SHEND-1269]

Implementation

To enable strong TLS implementation make sure to have all your servers updated to a version of both the operating system and the Qlik software, which explicitly details they support the required version of TLS.

If you have a clustered environment with multiple nodes spread across different machines, please make sure to enable the same subset of protocols on all Sense machines, otherwise the services will not be able to successfully communicate.

Using a third-party toolset

Third-party tools such as IIS Crypto can be used to enable and disable SSL or TLS. Consult your Windows administrator or network security team for what tools are usually used in your organization. 

Manual

The correct protocols and ciphers can then be applied using the PowerShell (PS) scripts and making changes to the Windows Registry. Consult Microsoft or your Windows administrator for details. 

Related Content

IIS Crypto is an example 3rd party tool that can be used to achieve this. IIS Crypto is not supported by Qlik, but by its respective vendor, NARTAC Software. To obtain IIS Crypto, visit https://www.nartac.com/Products/IISCrypto. 

A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.

The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access. 

Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console.  It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer). 

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example:  C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE]) Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE] Reverting to default Qlik Sense SSLCertificate Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

Resolution:

In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.

Certificates that are known to work well with Qlik Sense have the following attributes:

• Certificates that are x509 version 3. More information including filename extensions under https://en.wikipedia.org/wiki/X.509 
• Use signature algorithm sha256RSA
• Use signature hash algorithm sha256
• Signed by a valid, and OS/browser configured , CA
• Are valid according to date restrictions (valid from/valid to)
• Key in format CryptoAPI (not in CNG)
• The certificate itself has to contain private key no matter what Qlik Sense version.

 Related Content:

How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate 

 

Disclaimer: Encrypted communication between PostgreSQL database and Qlik Sense services is a supported setup. This article provides general guidance on how to enable encryption on PostgreSQL database server, but local adjustment must be applied to comply with local IT requirements. Please be aware that Qlik Support can not help setting up Database Traffic Encryption, while Qlik Consulting Services may be utilized for deployment implementation. 

Qlik Sense supports database traffic encryption using SSL/TLS, but it is not enabled by default. The Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. When SSL encryption is enabled, the installer does not recognize any already installed PostgreSQL databases, and as a consequence, installation cannot be completed. Password security and local IT policy around certificate need to be considered before enabling database encryption, as the implementation includes manual configuration of the Qlik Sense deployment.

Qlik recommends that the configuration in this section is performed by someone with sufficient skills in PostgreSQL database configuration.

This article covers two scenarios for enabling Database Traffic Encryption;

1. PostgreSQL database installed locally with the Qlik Sense installer
2. Qlik Sense referred to the existing database during the installation 

Upgrades: Prior to Qlik Sense Enterprise August 2022 release, the Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. So any upgrades will fail unless you are upgrading to August 2022 and later. Prior to upgrading, disable the encryption. You can enable it again after the upgrade is complete.

See Unable to upgrade Qlik Sense with missing 'SenseServices', 'QSMQ', and 'Licenses' database for respective capabilities.

Always take a complete backup of Qlik Sense deployment before altering system configuration, to allow restoring a working state in case of disaster. 

These scenarios apply the default Qlik Sense signed certificate to encrypt traffic for a PostgreSQL database. Qlik Sense signed certificate is commonly only fully trusted by Qlik Sense nodes, which means other usage may not comply with local IT policies.  It is recommended that a fully trusted certificate is used when applying encrypted database traffic for production environments. Consult the local IT department for details on retrieving a fully trusted certificate. 

Scenario 1: PostgreSQL database installed locally with the Qlik Sense installer 

This scenario assumes a standard Qlik Sense installation, where the Qlik Sense Repository Database is installed on the Qlik Sense central node as part of the Qlik Sense installation. 

1. Complete installation of Qlik Sense Enterprise on Windows as described in Qlik Sense Help for Administrators: Installing Qlik Sense Enterprise on Windows. 
2. Enable encryption as described in Qlik Sense Help for Administrators: Database traffic encryption

Scenario 2: Qlik Sense referred to the existing database during the installation 

This scenario assumes a custom Qlik Sense installation, where Qlik Sense is configured to use a dedicated PostgreSQL database as its Repository Database. 

1. Install and configure a standalone PostgreSQL database server as described in Qlik Sense Help for Administrators: Installing and configuring PostgreSQL 
2. Install Qlik Sense central node connected to an existing repository database as described in Qlik Sense Help for Administrators: Installing Qlik Sense on a single node
3. Install Qlik Sense rim nodes if required as described in Qlik Sense Help for Administrators: Installing Qlik Sense in a multi-node site 
4. Enable encryption PostgreSQL database and all Qlik Sense nodes as described in Qlik Sense Help for Administrators: Database traffic encryption

You may get the errors, "A call to SSPI failed, see inner exception" and "The certificate chain was issued by an authority that is not trusted". While they should have no impact on your end-users, you'd still like to clean them up from the logs.

Qlik Sense otherwise functions without issues.

Example error:

System.Proxy.Qlik.Sense.Communication.Communication.Tcp.StreamFactory 16 c2972806-6ae3-4559-8ebf-c7c2201335f3 xx\xxx Failed to authenticate stream as Server The client and server cannot communicate, because they do not possess a common algorithm↵↓A call to SSPI failed, see inner exception. NO-STACKTRACE↵↓ at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)

These, unfortunately, are not Qlik Sense errors, but rather errors from Windows that Qlik Sense reports.  You should also be able to see them in your Windows Application logs. For more information, please search out Windows Support.

See Security Support Provider Interface Architecture for additional details. 

Possible root causes:

1. A possible root cause for Windows reporting these errors is a missing or wrong certificate thumbprint.
   
   If a third party certificate is being used in the environment, verify that the correct thumbprint is added to the Qlik Sense Proxy.
   
   
2. It may also be related to the load balancer.   
   
   A common behaviour for a load balancer is a quite constant interval between two SSPI failures on Sense,  generally because the basic load balances HTTPS health check doesn't complete the HTTPS handshake.  The error "because they do not possess a common algorithm" is for this reason.  The fast check can be done by changing the frequency of HTTP health check on the load balancer and seeing the corresponding interval change on the Qlik Sense side pay attention if multiple LB nodes are present.

This is working as designed. Qlik Sense Enterprise on Windows uses self signed certificates for service communication (Certificates | Qlik Sense for administrators Help) and as the out-of-the-box proxy certificate.

This is not considered a security vulnerability.

If you have run a security scan and receive reports of vulnerabilities which are of concern to you, see Qlik Security Vulnerability Policy on how to report them to Qlik.

Resolution

To improve the security of your system, consider the following actions:

• How to change the certificate used by the Qlik Sense Proxy to a custom third party certificate 
• How to: Redirect HTTP to HTTPS in Qlik Sense
• HTTP Strict Transport Security (HSTS) in Qlik Sense
• Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows 

Environment

• Qlik Sense Enterprise on Windows

Sometimes a specific version JVM is needed rather than the shipped JVM, for example due to a known vulnerability in the JVM, the existing JVM need to upgrade to a higher verion. However, the new jvm folder may not contain two required security configuration files, causing Replicate to generate the following warning message:

JVM security configuration directory is missing or not a directory; unable to set the Java security policy

Resolution

This warning message is reported by Replicate due to the missing of the following two security configuration files:

• java.security.default
• java.security.FIPS

To resolve this issue, you can simply copy these two files from your backup or another Replicate server into the <Replicate folder>\jvm\conf\security folder.

Internal Investigation ID(s):

#00163870

Environment

• Qlik Replicate All versions
• All supported JVM versions

Qlik Replicate 

Security of Qlik Sense Enterprise on Windows can be approached in the below discrete areas. All these areas provide different options for increasing security in a deployment, and thereby mitigating vulnerabilities and protecting against attackers. 

Content:

• 1. Authentication
• 2. Authorization
• Security Rules
• Section Access
• 3. Operating System Hardening
• Step 1: Disabling protocols and ciphers
• Step 2: Firewalls
• Step 3: Service Account Permission
• Step 4: Anti-Virus
• Step 5 (Optional): FIPS
• 4. PostgreSQL Hardening
• 5. Generalized Web Server best practices
• Apply a trusted certificate
• Optional: Additional HTTP Response Headers

Be aware that a high level of server hardening can lead to failure in your deployment. Be mindful of always having a backup to restore to in case your configuration leads to irreversible failure.

1. Authentication

Qlik Sense Enterprise on Windows supports multiple different Authentication Solutions;

• Windows (NTLM)
• Kerberos 
• Ticketing
• SAML
• JWT
• Header
• Anonymous

Qlik can not specify which authentication method is appropriate for each deployment. It is advisable to review currently supported alternatives within your organization and/or Identity Provider (IdP) to implement the most suitable solution for your use case.

2. Authorization 

Qlik Sense Enterprise on Windows provides two levels of native authorization in the product.

Security Rules

Attribute based access control (ABAC), which is configured through Qlik Sense security rules. This article will not go in depth on how to best implement security rules for your requirements, but it is highly recommended to think of your users based on the capabilities that you intend to provide them. For example different roles and capabilities as shown in image below, allows for a security rule framework to be designed and implemented. This can be done either by yourself by referencing Qlik Sense Help for Administrators and available assets or by engaging with a Qlik Consultant or Qlik Partner.

Section Access

Row level data reduction, which is configured through Section Access at Qlik Sense app level. This article will not go in depth on Section Access implementation, but with this reduction a single file can be used to hold the data for a number of users or user groups. Qlik Sense uses the information in the section access for authentication and authorization, and dynamically reduces the data, so that users only see their own data. 

3. Operating System Hardening

Qlik Sense Enterprise on Windows inherits the available protocols, cipher suites, key exchanges and other security hardening which are enabled on the Windows Server operating Qlik Sense.

Step 1: Disabling protocols and ciphers

Windows Server has a lot of protocols enabled by default; however protocols, ciphers, hashes and key exchanges that are considered deprecated or not secure enough should be disabled. There are many ways of doing this, and the Windows administrator and security experts should be consulted so that local policies are accurately applied. For simplicity, understanding and a good overview IIS Crypto 3.0 can be a good tool for evaluating current Windows configuration and applying changes. 
Keep in mind that "Best Practice" today might not be recommended in the near future, what was considered "safe" a while ago is not necessarily considered so today. For this reason, it is also important to regularly scan servers for potential vulnerabilities and revisit configurations as required. 
Windows Server needs to be restarted for these settings changes to take effect. It is also important to ensure that all components running on the server still operate as expected after hardening is applied, for example older non-Qlik software might not be compliant with the latest options and standards. 

Step 2: Firewalls

Firewalls typically should be closed, with required ports only opened for intended purposes.
See Qlik Sense Enterprise on Windows ports overview for details on required port based on the deployed architecture.

Step 3: Service Account Permission

For most organizations, local administrator rights allow for an easier deployment, but Qlik Sense Enterprise on Windows does not require local administrator rights in order to function. This can be an attractive option inside some organizations. This will require additional configuration of boot strap mode as described in Qlik Sense Enterprise on Windows Services.
For a brief overview of the rights needed by a Qlik Sense Enterprise service account:

• Full control over the share used by Qlik Sense Enterprise
• Full control over the installation directory (default: C:\Program Files\Qlik)
• Full control over %ProgramData%\Qlik
• Full control over any folders used as data connections

Qlik Sense Enterprise for Windows does not officially support Group Managed Service Accounts (gMSA), but it can operate using one. The initial barrier is that the installer requires a service account and password to be entered during installation. A domain or local account could be substituted for the install stages only to be swapped out in the Windows Services applet (services.msc) after installation. Some functionality may require workarounds (e.g. A User Directory Connection to Active Directory).

Step 4: Anti-Virus

Qlik Sense Enterprise on Windows does require exceptions from anti-virus scan to avoid potential disk I/O conflicts. Refer to Qlik Sense Folder And Files To Exclude From AntiVirus Scanning for more details. 

Step 5 (Optional): FIPS

Qlik Sense Enterprise on Windows can run with Federal Information Processing Standards (FIPS) enabled on the Windows Server. This does require a few adjustments of configuration files due to Qlik using non-FIPS compliant algorithms for minor tasks like hash checks. See Running Qlik Sense on Windows systems with FIPS compliance enabled for more details on Qlik Sense and FIPS.

4. PostgreSQL Hardening

Qlik Sense Enterprise on Windows uses PostgreSQL to store meta-data relating to a Qlik Sense site. In multi-node sites or sites where PostgreSQL is isolated from Qlik Sense Enterprise for Windows additional security can be applied;

• Database Traffic Encryption
• Hardening what endpoints are allowed to connect to PostgreSQL as described in PostgreSQL: postgresql.conf and pg_hba.conf explained

5. Generalized Web Server best practices

Qlik Sense Proxy service bundled with Qlik Sense Enterprise on Windows is simply a web-service. This means applying general practice guidance but in the context of Qlik Sense as described below.

Apply a trusted certificate

Qlik Sense Enterprise on Windows acts as a Certificate Authority (CA) during initial installation and signs a certificate that is applied on all encrypted traffic between Qlik Sense services. The same Qlik Sense signed certificate is applied as default certificate also for incoming connections from users accessing Qlik Sense Hub and QMC. This default certificate is not intended for production use, unless user access to Qlik Sense comes through a network load balancer or reverse proxy that trusts the Qlik Sense certificate. For direct user access to Qlik Sense Proxy, a fully trusted certificate can typically be acquired from your local IT and then applied on the Qlik Sense Proxy service. 

As of July 2019, Qlik Sense Enterprise on Windows support SHA1 and SHA2 certificates. If SHA384 or SHA512 certificates are needed, then a network load balancer or reverse proxy can be configured in front of Qlik Sense which offloads to Qlik Sense.

Optional: Additional HTTP Response Headers

There are numerous HTTP response headers that can be used in attempting to secure a server. Below are a couple of the most common ones, but as always it is recommended to consult local IT and web security expert on what the recommendations are. 

Any additional HTTP response header values can be configured in Qlik Sense Virtual Proxy settings under Additional response headers as shown in the below image and described in Qlik Sense for Administrators: Virtual Proxies. It is recommended to trial any header changes in a new virtual proxy, as poor configuration may accidentally lock you out from Qlik Sense access. 

• HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead. Caution is advised when implementing HSTS, as it might block HTTP access to certain pages that actually requires it or needs to be excluded from HSTS. See MDN Web Docs: Strict-Transport-Security for more details on configuration options. 
• Optional: X-Content-Type-Options X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing. 
• X-Frame-Options will prevent the site to be embedded in an iFrame, which can effective mitigate against ClickJacking attacks
• Content-Security-Policy: policy (old: X-XSS-Protection) improves security against some types of XSS (cross-site scripting) attacks.

  Policy is a placeholder for your policy of choice and cannot be used as a value. See Writing a Policy (Mozilla) for examples.

  

A virtual proxy which was configured to use Always Anonymous is not intended to be used for administration. While Qlik Sense will prompt for login when accessing the Qlik Sense Management Console (QMC), the Management Console cannot be navigated successfully.

Beginning with November 2023, access will fail with: 

An error occurred
The operation failed due to insufficient privileges

As well as: 

400
Bad Request

Previous version of Qlik Sense may succeed with the login but not allow navigation.

Resolution

Do not use a Virtual Proxy configured to use Always Anonymous as authentication method. Always have a Virtual Proxy ready which requires authentication. For information on how to create a new Virtual Proxy, see Qlik Sense: How to create a new Virtual Proxy.

If you have locked yourself out of the Qlik Sense Management Console by modifying the only available Virtual Proxy, change the enabled authentication method directly in the Qlik Sense QSR database. 

Manual steps to change the authentication method: 

1. Connect to the QSR using PGAdmin (see How to connect to the Qlik Sense Enterprise on Windows or Qlik NPrinting PostgreSQL database)
2. Open the VirtualProxyConfig table
3. In the row for your active Virtual Proxy, change the column AnonymousAccessMode value from 3 (Always Anonymous) to 0 (Requires Authentication)
4. Save the changes
5. Restart the database service

Cause 

A secure Qlik Sense Enterprise Management Console when anonymous access is required.

Internal Investigation ID(s) 

SHEND-1902

Environment

Qlik Sense November 2023 & Newer

Issue reported

Tabular Reporting events in the management console not showing for all the users in the tabular reporting recipient list

Environment

• Qlik Cloud 

Resolution

When section access is used in a Qlik App, ensure to add all required recipients/users to the section access load script

For example, users in the Recipient import file should ideally match the users entered to the Section Access load script of the app.

This generally permits users to view management console details such as 'Events' assuming those user also have the necessary 'view' permissions in the tenant in which the app exists

Cause 

If some of the recipients in the tabular reporting recipient list do not have access to the Space/App - they won't  be considered in the task execution because they fail the governance.

ie: Recipients/users that are not added to the load script will not have access to the app nor associated management console events. 

This is expected behavior.

Related Content

• Tabular reporting and section access
• URL to Events in your management console:  https://yourtenant.us.qlikcloud.com/console/events
• Reviewing system events

Executive Summary 

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE). 

This issue was responsibly disclosed to Qlik and no reports of it being maliciously exploited have been received. 

Affected Software 

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted: 

• February 2024 Patch 3 
• November 2023 Patch 8 
• August 2023 Patch 13 
• May 2023 Patch 15 
• February 2023 Patch 13 
• November 2022 Patch 13 
• August 2022 Patch 16 
• May 2022 Patch 17

Severity Rating 

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as high.   

Vulnerability Details

CVE-2024-36077(QB-26216) Privilege escalation for authenticated/anonymous user 

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 8.8 (High) 

Due to improper input validation, a remote attacker with existing privileges is able to elevate them to the internal system role, which in turns allows them to execute commands on the server.  

Resolution 

Recommendation 

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions: 

• May 2024 Initial Release 
• February 2024 Patch 4 
• November 2023 Patch 9 
• August 2023 Patch 14 
• May 2023 Patch 16 
• February 2023 Patch 14 
• November 2022 Patch 14 
• August 2022 Patch 17 
• May 2022 Patch 18 

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

Credit

This issue was identified and responsibly reported to Qlik by Daniel Zajork. 

Edited 20th of May 2024: Added recently assigned CVE number.

When patching Studio from the Feature manager, the Clean up libraries option is greyed out:

Resolution

1. Navigate to <Talend Studio Home>\studio\
2. Backup and edit Talend-Studio-win-x86_64.ini (Win OS) or Talend-Studio-macosx-cocoa.ini (Mac OS)
3. Remove the following parameter -Dtalend.studio.m2.clean=true
4. Save and restart Studio

Cause 

The -Dtalend.studio.m2.clean=true property ensures Studio removes obsolete jars during patching.

Related Content 

For more information, please review the Studio installation guide.

Environment

Talend Studio 8.0.1

HSTS (HTTP Strict-Transport-Security response header) security check failed.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.

Resolution

Before adding HSTS to either the QlikView AccessPoint or the QlikView Management Console (QMC), set both up to use HTTPS. See for QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate instructions.

HSTS for the QlikView AccessPoint

Custom response headers can be set in both the QlikView WebServer (beginning with 12.30) and Microsoft IIS (all QlikView versions).

The custom header needed for HSTS is: Strict-Transport-Security

1. Run text editor (e.g. Notepad) as Administrator 
   
   
2. Edit QlikView WebServer configurations file. The default path is C:\ProgramData\QlikTech\WebServer\config.xml
   
   
3. Locate CustomHeaders element within the config file. For more information, see QlikView WebServer: Custom HTTP Header.
   
   
4. Add custom response header as <Header> element(s) with sub-elements defining Strict-Transport-Security as the name and your desired max-age= as value.
   
   Example:
   

   <Config>
     ...
     <Web>
      ...
       <CustomHeaders>
         <Header>    
           <Name>Strict-Transport-Security</Name>
           <Value>max-age=31536000</Value>
          </Header>
       </CustomHeaders>
     </Web>
   </Config>​

5. Restart QlikView WebServer service

For information on how to configure custom headers with Microsoft IIS, see Setting Custom HTTP Headers in IIS for QlikView. The site https://https.cio.gov/hsts/ gives information on how to setup the webserver to enable HSTS.

Testing can be achieved using any number of third party sites, such as: 

• https://tools.geekflare.com/hsts-test
• https://hstspreload.org/
• https://www.ssllabs.com/

HSTS for the QlikView Management Console (QMC)

This setting was introduced with QlikView 12.70 (May 2022) SR1.

QVManagementService.exe.Config Changes:

1. Stop the QlikView Management Services
   
   
2. Go to ProgramFiles => qliktech => management service => open QVManagementService.exe.config using an administrator notepad
   
   
3. Update this value to true =>
   
   <add key="UseHSTS" value="true" />
   
   
4. To enable HSTS to header this value has to be set to true
   
   <add key="UseHTTPS" value="true" />

Environment:

QlikView 

Executive Summary

A security issue in QlikView has been identified and patches have been made available. In both cases, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of Administrator.

The issue was identified and responsibly reported to Qlik by Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.

Qlik has received no reports of these vulnerabilities being exploited maliciously.

Affected Software

All versions of QlikView prior to and including the following releases are impacted: 

• QlikView May 2023 SR1 (12.80.20100) 
• QlikView May 2022 SR2 (12.70.20200) 

Vulnerability Details

CVE-2024-29863 (QV-25113)  

Severity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8 High)  

A race condition exists in the QlikView installer executable that may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator. 

Resolution

Recommendation

Customers should upgrade QlikView to a version containing fixes for these issues. Fixes are available for the following versions:

• QlikView May 2023 SR2 (12,80.20200)
• QlikView May 2022 SR3 (12.70.20300)

Credits

Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.

This solution (modifying ServiceConfiguration.xml) is only valid for versions 6.6 to 7.0.

SSL Certificates that are imported are being replaced by Replicate’s self-assigning certificate on reboot. 

Resolution

Without ServiceConfiguration.xml in current versions

1. Stop the Qlik Replicate server service, followed by the Qlik Replicate UI server service
   
   
2. Extract the globalrepo data to a JSON file using these steps:
   
   
   1. Open an elevated command line (Run as Administrator)
      
      
   2. Run:
      
      

      RepUiCtl.exe repository export -r "c:\program files\attunity\replicate\data\GlobalRepo.sqlite" -f c:\temp\a.json

      Note: You can change the temporary storage location (c:\temp) for the file destination, and adjust the first part of the command to match your environment.
      
      Our example uses the filename a.json.
      
      
3. Open c:\templ\a.json with an editor (such as Notepad) and change test_https to false
   
   Example: "test_https": false,
   
   
4. Save the a.json file
   
   
5. Import the file using this command: 
   
   

   RepUiCtl.exe repository export -r "c:\program files\attunity\replicate\data\GlobalRepo.sqlite" -f c:\temp\a.json

6. Start the Qlik Replicate server service, followed by the Qlik Replicate UI server service.

Using ServiceConfiguration.xml in older versions

The Service Configuration parameters need to be changed to allow Qlik Replicate to stop testing the HTTP URL and overriding with a self-assigned certificate.

1. Locate the data directory for Qlik Replicate
   
   If the data directory was installed in a different location,  check by going to: 
   
   
   1. Services in the Start Menu
   2. Locating Attunity Replicate Server (May be named Qilk depending on installation)
   3. Right-click and choose Properties
      
      
      
      
   4. Data Directory location will be displayed after -d
      
      
2. Open the data directory
   
   
3. Open ServiceConfiguration.xml found in the Qlik Replicate data directory with any text editor
   
   Add the following to the ending of the service configuration:
   
   

   testHttps = "false"

   
   Full example:
   
   

   <ServiceConfiguration url="https://demo.com:443/attunityreplicate;http://demo.com:80/attunityreplicate" allowUnsafeProtocols="false" testHttps = "false" />

   
   
4. Save the file and reboot the machine
   
   
5. Clean the old SSL certificate and import the new certificate
   
   If the data directory is installed in a different location, add the data directory path to the certificate clean command:
   
   

   RepUiCtl.exe -d f:\data certificate clean​

Environment

Qlik Replicate 6.6 - 7.0

The PostgreSQL source endpoint is set up with a privileged account (account with a superuser role) used in the source endpoint connection.  After the task's first successful run, all of the regular user (account without a superuser role) cannot perform any DDL operations in the database,regardless if the table is included in the replication task or not, or even create a new table. Below errors will show up upon any DDL operation.

In the meanwhile, DML operations continue to work; the INSERT/UPDATE/DELETE changing records can be captured and applied to target sides successfully.

Errors:

ERROR: permission denied for table attrep_ddl_audit. The SQL statement 'insert into public.attrep_ddl_audit values ...'.

Resolution:

There are two alternatives. Apply one. 

Pros and Cons:

• Update permissions. This is a straightforward but potentially work-intensive solution. Give all regular users who need to run tasks the required permissions.

• Execute the function definition with "security definer" option by a privileged account. While this option is simpler, it must be performed carefully as not to enable misuse. 

Update permissions

In this scenario Qlik Replicate is in fact using the default option "security invoker" in function definition.
Grant the following permissions to the non-privileged account, see Qlik Replicate User Guide:

Security definer and privileged account

WARNING! Writing SECURITY DEFINER Functions Safely

Because a SECURITY DEFINER function is executed with the privileges of the user that owns it, care is needed to ensure that the function cannot be misused. For security, search_path should be set to exclude any schemas writable by untrusted users.

Execute the function definition with "security definer" option by a privileged account, for example an account with superuser privilege. See the complete function definition code is as below.

The code is generated by Qlik Replicate 2023.5, only "security definer" option is added manually.

This customization is provided as is. Qlik Support cannot provide continued support for the solution. For assistance, reach out to your DBA and/or PostgreSQL related services.

Internal Investigation ID(s):

#00021532, #00123792

Environment:

• Qlik Replicate All versions
• PostgreSQL All versions ("security definer" was introduced from version 8.0)

The Windows Security Event log reports the following event:

event ID 4768, Task Category "Kerberos Authentication Service". Account name for these entries will be "X509N:<S>CN=QlikClient

Resolution: 

Without a Multi-Cloud/Hybrid setup

If you are a customer currently not using a Multi-Cloud/Hybrid setup, meaning you are not distributing Apps from Client Managed into SaaS.

Option 1:

1. Stop the Qlik Sense Services
2. Open the following path: C:\Program Files\Qlik\Sense\Repository\
3. Open Repository.exe.config
4. Set "EnableDotNetWebSockets" to true.
5. If the Qlik Services are running using a non-local administrator account, then bootstrapping needs to be run after the changed configuration. The fix is not supported by Windows 7.

Option 2:

It is possible that the error is still seen after option one is applied.  It is found that due to the current architecture following services are triggering the error:

[hybriddeploymentservice]
[appdistributionservice]
[qib-webchat-service]

If the Qlik Sense environment is not using Multi-cloud deployment, you may apply the following workaround by disabling the following two services:

[hybriddeploymentservice]
[appdistributionservice]

To do this: 

1. Open the file "services.conf" of the Qlik Sense installations (it is typically located at C:\ProgramFiles\Qlik\Sense\ServiceDispatcher).
2. Make a backup of "services.conf" file first
3. Go to the section defining the service in question by adding the row "Disabled=true" like this:
   
   [hybriddeploymentservice]
   Disabled=true
   Identity=Qlik.hybrid-deployment-service
   DisplayName=Hybrid Deployment Service
   ExePath=dotnet\dotnet.exe UseScript=false
   
   [appdistributionservice]
   Identity=Qlik.app-distribution-service
   DisplayName=App Distribution Service
   ExePath=dotnet\dotnet.exe
   UseScript=false
   
   
4. The "Qlik Sense Service Dispatcher" service needs to be restarted for the setting to take effect.

If you are not using Qlik Webchat, you can also disable  [qib-webchat-service] by following same steps as above.

With a Multi-Cloud/Hybrid setup

If you are a customer currently using a Multi-Cloud/Hybrid setup, meaning you are distributing Apps from Client Managed into SaaS.

With a multi-cloud setup, there is no complete workaround available as of today. It is important to mention that this is not an issue that affects in any way your security and/or stability of your Client Managed deployment. This is a result of how affected Qlik Sense .NET microservices are handling certificates in .NET Core technology. To address this shortcoming, a significant re-design of current architecture would be required that is currently not in the pipeline, hence would recommend submitting a product ideation.

To limit the number of events in question, if you are not using Qlik Webchat, you can disable  [qib-webchat-service] - see step-by-step instructions in the previous section.

Environment:

Qlik Sense Enterprise on Windows 

Internal Investigation ID(s):

QLIK-87774, QB-274. Working as intended, please apply the resolution given in this article.