Nov 29, 2022 5:00:51 AM
Nov 21, 2022 11:02:02 AM
The problem occurs using the Google BigQuery connector (part of the ODBC Connector Package) with user authentication.
The connections on all nodes work when the data preview or reload is performed on the same node that the data connection was created on, but they fail when the same is attempted from another node.
The reloads run from the QMC may fail intermittently. Creating the data connection via the main site/load balancer has no effect.
The error is:
Failed to build token, please try again ---> Qlik.Connectors.SDK.Common.Encryption.WindowsAesGcmEncryptionException: Org.BouncyCastle.Crypto.InvalidCipherTextException: mac check in GCM failed
This problem occurs only on multi-node environments.
The solution consists of two steps. In the first step we create a suitable encryption key for the connector, and in the second step we apply this key on all Qlik Sense nodes.
First step: Generate the key.
The code below provides a Windows-friendly procedure for generating CLI-safe keys using PowerShell. It does not require installing third-party tools.
Here is an example: we generate a Base64 encoding of a random 24-byte key, which provides a potential entropy of 192 bits.
# Generates a 32-character Base64-encoded string based on a random 24-byte encryption key
function Get-Base64EncodedEncryptionKey {
    # Buffer for 24 random bytes (192 bits)
    $bytes = New-Object 'System.Byte[]' (24)
    # Fill the buffer from the operating system's cryptographic random number generator
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    # 24 bytes encode to exactly 32 Base64 characters, with no padding
    [System.Convert]::ToBase64String($bytes)
}
$key = Get-Base64EncodedEncryptionKey
Write-Output "Get-Base64EncodedEncryptionKey: ""${key}"", Length: $($key.Length)"
For example:
Other methods can be used to generate the key. For the key to work, it must be a 32-byte array converted into a UTF-8 string.
Second Step: Apply the key
Do the following:
The problem is due to a feature recently added to the SDK, which generates an encryption key if one doesn't exist and uses it for further OAuth-related encryption.
This can lead to a situation where each node has its own encryption key. Encryption then works within a single node, but different nodes can't work together because their encryption keys differ.
See this article.
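The per-node key mismatch described above can be reproduced with .NET's own AES-GCM class. This is an added example, not Qlik's SDK code: it requires PowerShell 7 or later, the function names are hypothetical, and it assumes the UTF-8 bytes of the key string are used directly as the AES key.

```powershell
# Requires PowerShell 7+: System.Security.Cryptography.AesGcm is not in Windows PowerShell 5.1.
function New-NodeKey {
    # Same construction as the article: 24 random bytes -> 32-character Base64 string.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [System.Convert]::ToBase64String($bytes)
}

function Get-KeyBytes([string]$Key) {
    # Assumption: the key string's UTF-8 bytes are the AES key, so they must total 32 bytes.
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Key)
    if ($raw.Length -ne 32) { throw "Key is $($raw.Length) bytes as UTF-8; expected 32." }
    , $raw   # leading comma keeps the byte[] from being unrolled
}

function Protect-Token([string]$Key, [string]$Token) {
    $aes   = [System.Security.Cryptography.AesGcm]::new([byte[]](Get-KeyBytes $Key))
    $nonce = [byte[]]::new(12)   # 96-bit nonce, fresh for every encryption
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Token)
    $cipher = [byte[]]::new($plain.Length)
    $tag    = [byte[]]::new(16)  # 128-bit authentication tag (the "mac")
    $aes.Encrypt($nonce, $plain, $cipher, $tag)
    $aes.Dispose()
    [pscustomobject]@{ Nonce = $nonce; Cipher = $cipher; Tag = $tag }
}

function Unprotect-Token([string]$Key, $Blob) {
    $aes   = [System.Security.Cryptography.AesGcm]::new([byte[]](Get-KeyBytes $Key))
    $plain = [byte[]]::new($Blob.Cipher.Length)
    try {
        # Decrypt verifies the tag first and throws if the key (or the data) does not match.
        $aes.Decrypt([byte[]]$Blob.Nonce, [byte[]]$Blob.Cipher, [byte[]]$Blob.Tag, $plain)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } catch {
        "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally { $aes.Dispose() }
}

# Constructed scenario: each node generated its own key, as described above.
$nodeA = New-NodeKey
$nodeB = New-NodeKey
$blob  = Protect-Token -Key $nodeA -Token 'constructed-sample-token'
"Created on A, read on A: $(Unprotect-Token -Key $nodeA -Blob $blob)"
"Created on A, read on B: $(Unprotect-Token -Key $nodeB -Blob $blob)"

# After the fix: the same key is applied on every node.
$shared = New-NodeKey
$blob2  = Protect-Token -Key $shared -Token 'constructed-sample-token'
"Shared key, any node:    $(Unprotect-Token -Key $shared -Blob $blob2)"
```

The second line of output reports a tag mismatch, the .NET counterpart of BouncyCastle's "mac check in GCM failed"; the first and third return the token.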
QB-16841