Protection of the Platform
Functionality
The functionality for downloading documents and/or print and export to Microsoft Excel can be restricted at the user level for each document on the server.
Special Accounts
Supervision Account
The supervision account is granted access to all documents that are created by tasks in QlikView Publisher. The characteristics of the supervision account are as follows:
- Provides access to all files on the QVS
- Does not provide any access to the QlikView Management Console (QMC)
- Respects the types of clients that are allowed for each document (for example, a supervision account cannot open a QlikView document using the AJAX client, if the AJAX client has been blocked by the user that created the task)
Anonymous User Account
When QVS is started for the first time on a machine, a Windows account is created for anonymous users. The account name is IQVS_name, where name is the name of the machine in the local network.
If the machine in question is a domain server, the anonymous account is created as a domain account. If not, it is created as a local machine account.
Each folder and file that is to be available for anonymous clients must be given read privileges for the anonymous account.
QlikView Administrators
The QlikView Administrators group is used for granting access to the QlikView Management Console (QMC) as well as authorization of communication between services, if Windows Authentication is used.
Communication
Protection of AJAX Client
The AJAX client uses HTTP or HTTPS as the protocol for communication between the client browser and the QlikView Web Server (QVWS) or Microsoft IIS. It is strongly recommended to protect the communication between the browser and the web server using SSL/TSL encryption over the HTTP protocol (that is, HTTPS). If the communication is not encrypted, it is sent as clear text.
The communication between the web server and QVS uses QVP as described below.
Protection of Plugin
The QlikView plugin can communicate with QVS in two ways:
- If the plugin has the ability to communicate with QVS using QVP (port 4747), the security is applied as follows:
- If the communication cannot use QVP or if the client chooses it in the plugin, the communication is tunneled using HTTP to the web server.
If HTTPS is enabled on the web server, the tunnel is encrypted using SSL/TLS.
Server Communication
The QVS communication uses the QVP protocol, which is encrypted by default. The QVP protocol can be protected using 1024-bit RSA for key exchange and 256-bit AES GCM for data encryption, provided the Microsoft Enhanced Cryptographic Provider is installed. If the Microsoft Base Cryptographic Provider is used, the protection of the communication is 512-bit RSA for key exchange and 40-bit AES CBC for data encryption.
Services Communication
The services that are part of the QlikView platform (that is, QVS, DSC, QMC, QDS, and QVWS) all communicate using web services. The web services authenticate using Integrated Windows Authentication (IWA).
SSL and TLS support
The following table shows QlikView support for SSL and TLS.
- | SSL v3.0 | TLS v1.3 | TLS v1.2 | TLS v1.1 | TLS v1.0 |
---|---|---|---|---|---|
QlikView May 2023 | √ | √ | √ | - | - |
QlikView May 2022 | √ | - | √ | √ | √ |