Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

License Service's Ciphers Being Flagged by Security Scan

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Alan_Slaughter
Support
Support

License Service's Ciphers Being Flagged by Security Scan

Last Update:

Sep 1, 2022 6:52:25 AM

Updated By:

Sonja_Bauernfeind

Created date:

May 29, 2019 9:57:28 AM

LICENSES.EXE - SSL Medium Strength Cipher Suites Supported (SWEET32)

In Qlik Sense with QAP licenses service may ignore Windows SSL/TLS settings and use ciphers that have been disabled.

The service is flagged by a security scan for not being strong enough by the client's standards. That is, the cipher suites are between 64-112 bits or use the 3DES encryption suite, and it is recommended that the suites use a higher bit number or a stronger encryption suite. 

 

Resolution

 

Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows 

The services.conf file for the DispatcherService needs to be configured to specify a list of ciphers. 

This must be applied to all nodes.


Internal Investigation ID(s):

QLIK-95026, QB-11482, JIRA: QB-10036

 

 




Labels (1)
Comments
HendrikJ
Contributor III
Contributor III

I know this is old, but unfortunately, this still is an issue.

The license service popped in a security scan for weak ciphers. We then configured the ciphers for the license service manually:

-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 

Unfortunately, that still leaves me with ciphers with no forward secrecy. If I remove the RSA ciphers, Qlik does not work anymore, probably because the other services can not talk to the license service anymore.

This is also the case for other Qlik services (webchat and others). We already had to remove all CBC ciphers system wide (because of the Goldendoodle vulnerability of the Qlik Proxy), and we now need to disable all RSA ciphers also (see https://support.qlik.com/articles/000115202). That in turn makes Qlik not work anymore.
I would be very happy if someone could please point me in a direction where I can find a collection of ciphers and settings that I can enable so the various Qlik services are using up to date ciphers with forward secrecy and everything still works. I was not able to find anything like that so far.

Probably something like this, but with updated ciphers:
https://community.qlik.com/t5/Support-Knowledge-Base/TLS-and-SSL-Support-in-Qlik-Sense-How-to-config...

 

monjay07
Contributor II
Contributor II

I  am having same issue 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @monjay07 

This post might be of interest to you. Especially the response by @HendrikJ (thank you again for following up!).

TLS and SSL Support in Qlik Sense: How to configure Qlik Sense and TLS 

RajaDumpa
Contributor III
Contributor III

This issue is only in Qlik Sense and does not apply for N Printing.  Only Qlik Sense comes with nlappsearc.exe that uses port 9200 to talk to License service. We cannot disable the port as it used by other security tools to scan the server. 

RajaDumpa
Contributor III
Contributor III

The below is what is License config file by default in Feb 2021 Version of N printing. Even after disabling TLS1.2 etc. It still reads the weak ciphers . License Service is using Port 4998 which is being flagged. 

The below is a working cipher list approved by my Security Team:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_NULL_MD5,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256

<appSettings>

<!--=========================================
License options
=========================================-->

<!--To be enabled if proxy tunneling is required-->
<!-- <add key="proxy-uri" value="https://localhost:8888" /> -->
<!--NTLM authentication settings for proxy tunneling-->
<!--Enable Basic authentication-->
<!-- <add key="proxy-basic-authentication" value="true" /> -->
<!--Enable NTLM authentication-->
<!-- <add key="proxy-ntlm-authentication" value="true" /> -->
<!--Domain for authentication-->
<!-- <add key="proxy-domain" value="windows-domain" /> -->
<!--Username for authentication (without domain)-->
<!-- <add key="proxy-username" value="username-without-domain" /> -->
<!--Encrypted password as generated by Encrypt-Password.ps1 -password [user password]-->
<!-- <add key="proxy-encrypted-password" value="script-generated-password" /> -->
<!--Clear text password, if encrypted version cannot be used-->
<!-- <add key="proxy-password" value="clear-text-password" /> -->
<!--Add a custom comma-separated list of cipher suites as shown below-->
<!-- <add key="cipher-suites" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /> -->
</appSettings>

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @RajaDumpa 

I would like to recommend for you open a ticket with our support for this topic as this will require direct investigation.

All the best,
Sonja 

Version history
Last update:
‎2022-09-01 06:52 AM
Updated by: