Qlik NPrinting April February 2019 SR1 and April 2019 server & engine could be installed successfully, however the engine connection located in the Qlik NPrinting engine manager shows an engine with an offline status.
Check all Qlik NPrinting logs for any 'WebSocket' errors. See example below:
"WebSocket connection to 'wss://localhost:2727/app/4857231c-57 <others logs> net::ERR_CONNECTION_CLOSED, source"
In the logfile of RabbitMQ normally located here C:\ProgramData\NPrinting\RabbitMQ\log following entry can be found repeatedly:
"TLS server: In state hello at tls_handshake.erl:197 generated SERVER ALERT: Fatal - Insufficient Security - no_suitable_ciphers"
Environments:
Qlik NPrinting, February 2019 SR1 and newer versions running on RabbitMQ 3.7.10
Resolution:
RabbitMQ 3.7.10 (Qlik NPrinting Messaging Service) supports the following list of 36 cipher suites for the TLS version 1.2:
Note: For latest information see TLS cipher suites - Qlik NPrinting
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
This cipher suites list is valid from February 2019 SR1 and higher.
To resolve this issue, at least one of these cipher suites needs to be enabled on all of the following servers:
- Qlik NPrinting server
- Each NPrinting Engine computer connected to the NPrinting server computer.
- Each Qlik Sense server that the NPrinting server connects to
Note: The cipher suites enabled should be consistent across all machines mentioned above
Note: Cipher suites may be updated in the future following an Erlang upgrade as some new cipher suites could be added and or be removed due to deprecation or for security reasons.
To verify cipher suites support for the RabbitMQ version, use the the batch script located at %ProgramFiles%\NPrintingServer\rabbitmq_server-3.7.10\sbin\rabbitmq-diagnostics.bat:
-Open an administrator command prompt
-Change directory
CD C:\Program Files\NPrintingServer\rabbitmq_server-3.7.10\sbin
-Use the following command:
rabbitmq-diagnostics cipher_suites --openssl-format -q
Example:
CD C:\Program Files\NPrintingServer\rabbitmq_server-3.7.10\sbin
rabbitmq-diagnostics cipher_suites --openssl-format -q
More information on this is available in https://www.rabbitmq.com/ssl.html#cipher-suites
To Verify Cipher Suites on Qlik Sense server:
Internal Investigation IDs:
- OP-8617
- HLP-5114: Documentation improvement in order to have this information documented in our help page.
