Unable to install or upgrade Qlik Sense to a remote PostgreSQL database with FIPS enabled

When attempting to install or upgrade Qlik Sense Enterprise on Windows and connecting to a remote PostgreSQL database, the installer will fail to connect if FIPS is enabled.

Error during installation: 

The database could not be reached. Details: Exception has been thrown by the target of an invocation.

Error during upgrade:

This version of Qlik Sense requires a 'SenseServices' database for multi cloud capabilities. Ensure that you have a created a 'SenseService' database in your cluster before upgrading.

This version of Qlik Sense requires a 'QSMQ' database for multi cloud capabilities. Ensure that you have a created a 'QSMQ' database in your cluster before upgrading.

This version of Qlik Sense requires a 'Licenses' database for multi cloud capabilities. Ensure that you have a created a 'Licenses' database in your cluster before upgrading.

Resolution:

There are two options available. 

Option 1 (for newer version of Qlik Sense):

Modify the password encryption for Postgres users and update it to use scram-sha-256.

1. Log into your stand-alone Postgres database server
2. Open PowerShell and navigate to the install location of PostgreSQL. IE:  C:\Program Files\PostgreSQL\12\bin
3. Access Postgres console:  .\psql -h localhost -p 4432 -U postgres
4. Run the following commands to update the encryption:
   

   postgres=# SHOW password_encryption;
    password_encryption
   ---------------------
    md5
   (1 row)
   
   postgres=# SET password_encryption TO 'scram-sha-256';
   SET
   
   postgres=# SHOW password_encryption;
    password_encryption
   ---------------------
    scram-sha-256
   (1 row)
   
   ****change the password from what is displayed in this example****
   postgres=# ALTER USER postgres WITH PASSWORD 'yourpostgresuserpwd';
   ALTER ROLE
   
   postgres=# ALTER USER qliksenserepository WITH PASSWORD 'yourqliksensrepositoryuserpwd'; 
   ALTER ROLE
   
   
   --check if both have now a scram-sha-256 prefix
   
    SELECT usename, passwd FROM pg_shadow WHERE usename IN ('postgres', 'qliksenserepository');
   
         usename       |                    passwd
   --------------------+--------------------------------------------------
    postgres | SCRAM-SHA-256$4096:[some scram-sha-256 hash...]=
    qliksenserepository           | SCRAM-SHA-256$4096:[some scram-sha-256 hash...]=

5. Run the Qlik Sense upgrade again

Option 2 (for older versions of Qlik Sense): 

1. Create a file in the same directory as the installer naming it the same name as the installer.config
2. In the installer paste in this XML information:
   

   <?xml version="1.0" encoding="utf-8" ?>
   <configuration>
   	<runtime>
   		<enforceFIPSPolicy enabled="false" />
   	</runtime>
   </configuration>​

3. Save the file
4. Re-run the installer

Example:

Installation file name: Qlik_Sense_setup.exe
Config file name: Qlik_Sense_setup.exe.config

Cause:

The Qlik Sense installer uses a third-party library (Npgsql) which is not built for systems with FIPS enabled. This limitation is uncovered when attempting to authenticate against a remote PostgreSQL database. Once the installation is complete, it is recommended to disable the FIPS check for Qlik Sense's services themselves as well , see Running Qlik Sense on Windows systems with FIPS compliance enabled for direction there.