Protection of the Platform

Functionality

The functionality for downloading documents and/or printing and exporting to Microsoft Excel can be restricted at the user level for each document on the server.

Special Accounts

Supervision Account

The supervision account is granted access to all documents that are created by tasks in QlikView Publisher. The characteristics of the supervision account are as follows:

  • Provides access to all files on the QVS
  • Does not provide any access to the QlikView Management Console (QMC)
  • Respects the types of clients that are allowed for each document (for example, a supervision account cannot open a QlikView document using the AJAX client, if the AJAX client has been blocked by the user that created the task)

Anonymous User Account

When QVS is started for the first time on a machine, a Windows account is created for anonymous users. The account name is IQVS_name, where name is the name of the machine in the local network.

If the machine in question is a domain server, the anonymous account is created as a domain account. If not, it is created as a local machine account.

Each folder and file that is to be available for anonymous clients must be given read privileges for the anonymous account.

Note: Start QVS and let it create the anonymous account before attempting to grant any privileges. Do not try to create the anonymous account manually.
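Added example (not part of the QlikView documentation): a PowerShell script that confirms the anonymous account already exists before touching permissions, optionally grants inheritable read access on a document folder, and reports any access rule held by that account that goes beyond read. The folder path, the parameter names and the use of ReadAndExecute as the "read" right are assumptions; on a domain server, pass the domain form of the account name.

```powershell
# Added example: audit (and optionally grant) read access for the QVS anonymous account.
# Assumption: the folder below is a placeholder, not a QlikView default location.
param(
    [string]$DocumentRoot = 'D:\QlikView\PublicDocs',   # hypothetical path
    [string]$Account      = "$env:COMPUTERNAME\IQVS_$env:COMPUTERNAME",
    [switch]$GrantRead
)

# Rights treated as "read" by this audit; any other bit is flagged.
$readMask = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

# Confirm that QVS has already created the account; this script never creates it.
try {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Account '$Account' does not resolve. Start QVS once so that it creates the account."
}

if ($GrantRead) {
    # Inheritable read-only rule on the root folder (covers subfolders and files).
    $acl  = Get-Acl -LiteralPath $DocumentRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $DocumentRoot -AclObject $acl
}

# Report every Allow rule held by the anonymous account and flag more than read.
$items = @(Get-Item -LiteralPath $DocumentRoot) +
         @(Get-ChildItem -LiteralPath $DocumentRoot -Recurse -Force)
foreach ($item in $items) {
    $aces = (Get-Acl -LiteralPath $item.FullName).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Path        = $item.FullName
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            ExceedsRead = [bool]([int]$ace.FileSystemRights -band (-bnot $readMask))
        }
    }
}
```

Rows with ExceedsRead set to True are places where anonymous clients hold write, modify or full-control rights and should be reviewed.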

QlikView Administrators

The QlikView Administrators group is used for granting access to the QlikView Management Console (QMC) as well as authorization of communication between services, if Windows Authentication is used.

Communication

Protection of AJAX Client

The AJAX client uses HTTP or HTTPS as the protocol for communication between the client browser and the QlikView Web Server (QVWS) or Microsoft IIS. It is strongly recommended to protect the communication between the browser and the web server using SSL/TLS encryption over the HTTP protocol (that is, HTTPS). If the communication is not encrypted, it is sent as clear text.

The communication between the web server and QVS uses QVP as described below.

Protection of Plugin

The QlikView plugin can communicate with QVS in two ways:

  • If the plugin has the ability to communicate with QVS using QVP (port 4747), the security is applied as described in Server Communication.

  • If the communication cannot use QVP or if the client chooses it in the plugin, the communication is tunneled using HTTP to the web server.

If HTTPS is enabled on the web server, the tunnel is encrypted using SSL/TLS.

Server Communication

The QVS communication uses the QVP protocol, which is encrypted by default. The QVP protocol can be protected using 1024-bit RSA for key exchange and 128-bit RC4 for data encryption, provided the Microsoft Enhanced Cryptographic Provider is installed. If the Microsoft Base Cryptographic Provider is used, the protection of the communication is 512-bit RSA for key exchange and 40-bit RC4 for data encryption.

Services Communication

The services that are part of the QlikView platform (that is, QVS, DSC, QMC, QDS, and QVWS) all communicate using web services. The web services authenticate using Integrated Windows Authentication (IWA).

SSL and TLS support

The following table shows QlikView support for SSL and TLS.

  SSL v3.0 TLS v1.0 TLS v1.1 TLS v1.2
QlikView 11.20 SR12    
QlikView 11.20 SR16
QlikView 12.00    
QlikView 12.00 SR1 and later
QlikView 12.10
QlikView November 2017
