TLS cipher suites
A cipher suite is a set of algorithms used to encrypt network communication. Qlik NPrinting components support a variety of cipher suites, to allow for different security protocols.
Qlik NPrinting does not set a specific secure cipher suite as mandatory, in order to guarantee compatibility with different operating systems and platforms.
Qlik NPrinting proxy cipher suites
The proxy configuration parameter tls.ciphersuites lets you manage a custom set of cipher suites in the Qlik NPrinting proxy.
The proxy configuration files are:
- %ProgramData%\NPrinting\webconsoleproxy\app.conf
- %ProgramData%\NPrinting\newsstandproxy\app.conf
These files contain the list of customizable configuration properties, all commented out by default. They are not overwritten when you upgrade to a new version of Qlik NPrinting, so your settings are preserved. As a result, a property introduced in a newer version is not immediately visible in a file carried over from an older version; you add it yourself as described below.
Limitations
- The Qlik NPrinting proxy supports a limited set of cipher suites. The list may change after a product upgrade in order to include new algorithms or deprecate others.
- Some of the supported cipher suites are considered unsecure for TLS 1.2 by the HTTP/2 protocol. They must be placed in the list of custom values after any non-blacklisted cipher. Otherwise, the proxy cannot be started, and you will see this error:
  "http2: TLSConfig.CipherSuites index %index% contains an HTTP/2-approved cipher suite (%ciphername%), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection."
  Note that %index% and %ciphername% are variables that will show:
  - %index%: the position of the offending cipher suite in the list.
  - %ciphername%: the name of the cipher suite that caused the issue.
- These cipher suites are mandatory:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (HTTP/2 RFC required)
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (to support ECDSA-only servers)
  If they are removed, the proxy cannot be started, and you will see this error: "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher"
Supported cipher suites
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
// RC4-based cipher suites are disabled by default
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
// black-listed by default
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accessing the custom cipher suites list
Do the following:
- Stop the QlikNPrintingWebEngine service.
- To customize the Qlik NPrinting web console, open webconsoleproxy\app.conf. To customize the NewsStand, open newsstandproxy\app.conf.
- Uncomment or add tls.ciphersuites.
- Enter the comma-separated list of cipher suites to support as value from most to least preferred.
- Save the file.
- Restart the QlikNPrintingWebEngine service.
Example
Set only the cipher suites considered secure by the RFC 7540 standard.
# set a custom set of supported cipher suites ordered from most to least preferred
tls.ciphersuites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
Qlik NPrinting messaging service cipher suites
These are the cipher suites supported by Qlik NPrinting messaging service for TLS communication between Qlik NPrinting scheduler service and Qlik NPrinting Engines. They are supported by RabbitMQ and TLS 1.2.
If you want to disable TLS connections with client certificate authentication and use simple authentication, see: Configuring the messaging service for simple authentication.
Limitations
- Due to a limitation in the certificates used to connect to Qlik NPrinting messaging service, only some TLS 1.2 cipher suites can be used.
- Cipher suites based on Cipher Block Chaining (CBC) mode, even if supported by the product, are not considered secure. It is recommended that you use cipher suites that rely on Galois/Counter Mode (GCM), if supported by your operating system.
- While it is possible to restrict cipher suites accepted by Qlik NPrinting Messaging service when customizing the RabbitMQ config file, this method may cause errors. Instead, it is recommended that you disable weak cipher suites at the Microsoft Windows operating system level using IIS Crypto or a similar product. Be sure to leave at least one of the following cipher suites enabled (along with other needed cipher suites). For more information, see How to use IIS Crypto GUI to enable or disable cipher suites on a Microsoft Windows OS machine.
Supported cipher suites
TLS_ECDHE_RSA_AES128_GCM_SHA256
TLS_ECDHE_RSA_AES256_GCM_SHA384
Licensing service cipher suites
The license service configuration parameter cipher-suites lets you manage a custom set of cipher suites in the licensing service.
Limitations
- The licensing service configuration file is reset when you upgrade to a new version of Qlik NPrinting. Therefore, a change to the cipher-suites parameter must be done again after an upgrade.
- The licensing service supports a limited set of cipher suites. The list may change after a product upgrade in order to include new algorithms or deprecate others.
- These cipher suites are mandatory:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (HTTP/2 RFC required)
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (to support ECDSA-only servers)
Supported cipher suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accessing the custom cipher suites list
Do the following:
- Stop the services QlikNPrintingScheduler, QlikNPrintingWebEngine, and QlikNPrintingLicenseService.
- Open the configuration file %ProgramFiles%\NPrintingServer\NPrinting\License\license.config.
- Uncomment or add the cipher-suites parameter.
- Enter the comma-separated list of cipher suites to support as value from most to least preferred.
- Save the file.
- Restart the services.
Example
Set only the cipher suites considered secure by the RFC 7540 standard.
<!--Add a custom comma-separated list of cipher suites as shown below-->
<add key="cipher-suites" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" />
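The proxy's tls.ciphersuites value and the licensing service's cipher-suites value are both comma-separated, most-preferred-first lists, and both are subject to the same two constraints described above: the mandatory AES_128_GCM_SHA256 suites must be present, and no HTTP/2-approved suite may follow an unapproved one, or the service refuses to start. The following Go program is an added example, not Qlik's code, that checks a candidate value offline before you edit app.conf or license.config. It assumes the six ECDHE AEAD suites from the RFC 7540 examples on this page are the "approved" set and treats every other name as unapproved; the function names are hypothetical, and the sample values at the bottom are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: the HTTP/2-approved set is the six ECDHE AEAD suites used in the
// page's RFC 7540 examples; anything else is treated as unapproved (blacklisted).
var http2Approved = map[string]bool{
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    true,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  true,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   true,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": true,
}

// Suites the page lists as mandatory for both the proxy and the licensing service.
var mandatory = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

// ParseCipherSuites (hypothetical helper) splits a tls.ciphersuites or
// cipher-suites value, stripping surrounding quotes, whitespace and empty entries.
func ParseCipherSuites(value string) []string {
	value = strings.Trim(strings.TrimSpace(value), `"`)
	var out []string
	for _, f := range strings.Split(value, ",") {
		if f = strings.TrimSpace(f); f != "" {
			out = append(out, f)
		}
	}
	return out
}

// ValidateCipherSuites (hypothetical helper) applies the two constraints the
// page describes. The error text mirrors the proxy's own start-up messages.
func ValidateCipherSuites(suites []string) error {
	present := map[string]bool{}
	for _, s := range suites {
		present[s] = true
	}
	// Constraint 1: every mandatory suite must be in the list.
	for _, m := range mandatory {
		if !present[m] {
			return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (%s)", m)
		}
	}
	// Constraint 2: approved suites first; an approved suite after an unapproved
	// one is rejected, with the offending index and name reported.
	seenUnapproved := false
	for i, s := range suites {
		switch {
		case !http2Approved[s]:
			seenUnapproved = true
		case seenUnapproved:
			return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%s), but it comes after unapproved cipher suites", i, s)
		}
	}
	return nil
}

func main() {
	// Constructed sample values: the page's proxy example, then a mis-ordered list
	// that puts a CBC suite ahead of the approved ones.
	good := `"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`
	bad := "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
	for _, v := range []string{good, bad} {
		fmt.Println(ValidateCipherSuites(ParseCipherSuites(v)))
	}
}
```

Run it with the exact string you intend to paste into the config file; a nil result means the value satisfies both constraints, while the two error forms correspond to the two start-up failures the proxy reports. Legacy suites such as the CBC, RC4 and 3DES entries in the supported lists can still be appended, but only after the last approved suite.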
Qlik NPrinting Server and Engine cipher suites to connect to a Qlik Sense server
These are the cipher suites supported by Qlik NPrinting Server and Qlik NPrinting Engine service for TLS communication between Qlik NPrinting and Qlik Sense. At least one of these must be enabled on all:
- Qlik NPrinting Server machines
- Qlik NPrinting Engine machines
- Qlik Sense machines (including all Sense nodes) which connect to Qlik NPrinting
Please note that Qlik NPrinting uses these cipher suites to publish reports to Qlik Sense servers. For more information, see Distributing reports to the Qlik Sense hub.
Supported cipher suites
TLS_ECDHE_RSA_AES128_GCM_SHA256
TLS_ECDHE_RSA_AES256_GCM_SHA384
How to use IIS Crypto GUI to enable or disable cipher suites on a Microsoft Windows OS machine
Do the following:
- Download IIS Crypto 3.3 or a more recent version from Nartac Software downloads.
- Execute it with admin privileges, and then go to "Cipher Suites" in the sidebar on the left.
- Enable the requested cipher suites listed above for all Qlik NPrinting components. If they are not present, you can add them using the appropriate button. This step will only work if these cipher suites are supported by your operating system.
- Click Apply.
- Reboot the machine.