Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows
You can rank the preferred cipher suites that Qlik License Service uses to encrypt and decrypt the signed key license.
The Qlik License Service is included in Qlik Sense Enterprise on Windows February 2020 and in later releases.
The Qlik License Service uses Mutual TLS Authentication (mTLS) to ensure requests coming from both the server and client are trusted. The Qlik License Service listens on port 9200.
The following list shows the supported cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
To configure the preferred cipher suites for the Qlik License Service, do the following:
- Open the service.conf file.
The default path is %Program Files%\Qlik\Sense\ServiceDispatcher\service.conf. -
Go to the following section:
[licenses.parameters]
-qsefw-mode
-app-settings="..\Licenses\appsettings.json" -
Add a comma-separated list of ciphers to his section, as shown below:
[licenses.parameters]
-qsefw-mode
-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-app-settings="..\Licenses\appsettings.json" - Save the file and close.
- Restart the Qlik Sense Service Dispatcher, which handles execution of the Qlik License Service.
-
If you have a multi-node environment, repeat the steps above for each node.