Configuring Qlik Sense Server to JWT Auth

sri_c003 · Dec 8, 2017 11:46:12 AM

Login into QlikSense Management Console
Optionally, configure the existing Central proxy to allow for HTTP connections also.
Head over the MMC to view the certificates, and add the Certificates snap in for local computer as well as current user.
Pick the certificate you inserted, or the one Qlik created when starting up. For simplicity, I used the one Qlik created. Open the certificate, and copy the thumbprint text, and save it. It would be used down the line.
Export the certificate, with all keys.
Install OpenSSL.
Place the exported certificate in a separate folder.
1. Execute the below commands in a command prompt (in the folder).
  1. openssl.exe pkcs12 -in QlikClient.pfx -nocerts -out priv.pem
  2. openssl.exe rsa -in priv.pem -out priv.pem
  3. openssl.exe pkcs12 -in QlikClient.pfx -out privpub.pem
  4. openssl x509 -inform pem -in privpub.pem -pubkey -out pub.pem -outform pem
2. Copy the public key to a text file to be used later.
Head over to Virtual Proxies screen. Click on “Create New” and fill in the details. Be careful about the case, especially when filling in attributes.
1. Identification
  1. Description: Description to identify the proxy in the virtual proxies screen
  2. Prefix: This would be the url on which user would access the application
    1. Example: default url: https://<server>/qmc
    2. Proxy prefix: jwt
    3. New url via proxy: https://<server>/jwt/qmc
2. Authentication
  1. Anonymous access mode: No anonymous user
  2. Authentication mode: JWT
  3. JWT certificate: In the folder we used in step 7 above, open the file pub.pem in notepad or similar application, copy the entire text, and paste the same in the text area.
  4. JWT attribute for user ID: UserId
  5. JWT attribute for user directory: UserDirectory
3. Click on Load Balancing and add the Server to be used by this proxy.
4. Click Apply and save the new virtual proxy.
5. By the end of this step, the virtual proxy screen should show our newly created proxy created, and linked to proxy service.
Head to the users section in QMC, and create/select the user we wish to use with the proxy we created to test if it works as intended.
1. Make a note of the user id, user directory, and any assigned roles.
Open browser window, and open the site https://jwt.io
1. Segment 1: leave as is
2. Segment 2: Update userid, user directory, and any attributes of the user (optional)
3. Segment 3: Paste the public key or the certificate contents
4. Segment 4: Paste the private key (this is only for testing the generated key)
5. Segment 5: Make sure that this says “Signature verified”. If this shows otherwise, make necessary changes in the above segments.
Install any tool to place requests to Qlik Sense server. I am using Postman.
Open postman (or any tool that supports placing requests).
1. Set the request to GET
2. Paste the server url (ensure you have /jwt between server and target page).
  1. https://<server>/jwt/sense/app/<app id>
3. Click on Headers
4. Add a new header – Authorization
5. Under the value enter as below
  1. Bearer <space> <encoded value from step 11 above>
To ensure it is all working fine, verify the following:
1. The response should not show a error 401, and/or a qlik page saying authentication failed at proxy.
2. Ensure the response headers show valid values, and the body portion has valid HTML/data.
That's it!

kishorj1982 · ‎2018-04-19

Hi All,

In step 10 we have specified one user in usename section(jwt.io page).Could you please suggest what we need to do if I need to use all the users in AD.

Also, in our organization users security is as per tokens and token can be generated dynamically.

once user logged, in token can be assigned dynamically.

May I know how to handle such kind of scenario's.

It would be great it you could mention the steps for handling multiple users in above article.

Also currently I used extension header for preparing demo.

I have a big question where to make settings for jwt.io page (Means respective users machine or only at my local pc or on server)

Thanks.

sri_c003 · ‎2018-04-20

In step 10 we have specified one user in usename section(jwt.io page).Could you please suggest what we need to do if I need to use all the users in AD.

--- A separate token needs to be generated on a per user basis

I have a big question where to make settings for jwt.io page (Means respective users machine or only at my local pc or on server)

--- This can be done on any machine. jwt.io is a public site I used in the article above so people need not write their own jwt token creation code.

Ideally this should be happening at the proxy level.

User browser --> proxy --> Qlik server

User credentials are validated at proxy, and a jwt token is generated. This token is used from that point onward to communicate with Qlik server.

kishorj1982 · ‎2018-04-22

Thanks for the Reply Srinivas,

Can you please share the screenshots for the process for setting it for number of users.

In last week I hada call with Qlik , I got information that I need to create the JWT link for number of users on jwt.io page.

For creation of link we can use language like python.

But unfortunately I am still unable to do that.

Thanks

sri_c003 · ‎2018-04-23

Kishore,

After you generate the token, you would need to do an API call to NPrinting using any tool like PostMaster. I am not sure on why you would want to do it manually. This kind of task is generally handled by the organization proxy. The proxy takes the incoming userid and password, constructs a token based on it, and possibly any other parameters needed (like user directory), and then uses this to communicate with the NPrinting server.

Since the proxy handles this for me, I am attaching a screenshot of how I tested via postman.

kishorj1982 · ‎2018-04-24

then step 10 jwt page manual setting will not require if it can be handled by organisation level.

Please correct me if i am wrong.

Also please let me know in that case how ssl works.

Do we need to generate all public and private key.

Also, in qlik sense if i am retrieving users from excel not fromAD then in that case JWT is applicable?

(Note that we have same maintained organisation users in excel )

Please suggest

kishorj1982 · ‎2018-05-18

Hi All,

In our domain our identity is set in directory \username format.

Eg. My name id Kishorj and domain is sg then my identity is sg\kishorj.

Could you please suggest how to set above identity on jwt.io page.

Thanks

sri_c003 · ‎2018-06-11

Sorry about the delayed response Kishor.

Assuming you used UserId and UserDirectory as parameter names:

{

"UserId": "kishorj",

"UserDirectory": "sg"

}

kishorj1982 · ‎2018-06-11

But my question is format of domainname\\username is differenet on server and for Qlik it is different in that case how it would communicate.

In that case token will not be passed.

Could you please suggest what we need to do in this case?

And also what we need to do for n number of users, in my last response I have attached the screenshots

for your perusal.

Thanks

sri_c003 · ‎2018-06-12

Define domain in a property file or in a variable. Domain name here does not pertain the domain the box is on. It is the user directory defined for the user during user creation. Notice the term "UserDirectory" being used in the parameters and not "domain".

This process is the same for one user or n users.

You would need to write a snippet that creates a jwt token, possibly in java or any tool that programmatically generates tokens. In our case, our proxy handles creation of jwt tokens.

olivierdupre · ‎2018-11-14

Hi all,

This works well when you want to query the API. But... Qlik offers access to the hub using JWT. But, is there any chance we could use JWT to connect to the HUB GUI?

You are sending JWT token in the HTTP header. No way to modify the header from a 3rd party auth. app. where the JWT token would be generated.

Is it possible in Qlik Sense GUI to enable logging using JWT token reading it from a Cookie? From param sent in the HTTP body (using a form)? From params in the URL?

Cheers,

Olivier