Solved: How to get health-check info for a node without Pr... - Qlik Community

RadovanOresky · ‎2020-07-10

Hi,

I use engine/healthcheck API to monitor the availability of Qlik Sense nodes. One of the consumer nodes has only Engine, no Proxy. The virtual proxy is load balanced to this node and linked Proxy is from central node.

The problem = When I try to read the engine/healtcheck info for that consumer node (without Proxy) it returns the same values as the healthcheck for the central node.

I guess this is because, as the documentation says: "the health check request is called via the Qlik Sense Proxy Service, which routes the request to the engine on the same physical computer. To request the health check information for a different node, use that node's IP address with the engine port"

If I understand it correctly, I should use IP Address:4747 to check the health-check info for that node which has no Proxy. The problem is, that I cannot make it to work. Whatever combination I try times out.

Is there a workaround to enable this?

Levi_Turner · ‎2020-07-10

Ultimately you are going to want to pass along the internal client certificate used by Qlik and go over port 4747. There are many ways of accomplishing this in virtually any programming or scripting language, here's a concept using PowerShell:

$hdrs = @{}
$hdrs.Add("X-Qlik-Xrfkey","examplexrfkey123")
$hdrs.Add("X-Qlik-User", "UserDirectory=INTERNAL; UserId=sa_api")
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where {$_.Subject -like '*QlikClient*'}
$Data = Get-Content C:\ProgramData\Qlik\Sense\Host.cfg
$FQDN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($($Data)))
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
while (1) {
    $health = Invoke-RestMethod -Uri "https://$($FQDN):4747/engine/healthcheck?xrfkey=examplexrfkey123" -Method Get -Headers $hdrs -ContentType 'application/json' -Certificate $cert; 
    Write-Host ($health.apps.in_memory_docs).count 'in memory doc';
    Write-Host ($health.apps.loaded_docs).count 'loaded doc';
    sleep 5; 
    Clear-Host}

from here.

Example output:

View solution in original post

Levi_Turner · ‎2020-07-10

Ultimately you are going to want to pass along the internal client certificate used by Qlik and go over port 4747. There are many ways of accomplishing this in virtually any programming or scripting language, here's a concept using PowerShell:

$hdrs = @{}
$hdrs.Add("X-Qlik-Xrfkey","examplexrfkey123")
$hdrs.Add("X-Qlik-User", "UserDirectory=INTERNAL; UserId=sa_api")
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where {$_.Subject -like '*QlikClient*'}
$Data = Get-Content C:\ProgramData\Qlik\Sense\Host.cfg
$FQDN = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($($Data)))
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
while (1) {
    $health = Invoke-RestMethod -Uri "https://$($FQDN):4747/engine/healthcheck?xrfkey=examplexrfkey123" -Method Get -Headers $hdrs -ContentType 'application/json' -Certificate $cert; 
    Write-Host ($health.apps.in_memory_docs).count 'in memory doc';
    Write-Host ($health.apps.loaded_docs).count 'loaded doc';
    sleep 5; 
    Clear-Host}

from here.

Example output:

RadovanOresky · ‎2020-07-15

@Levi_Turner , thank you very much. It works great. I even set it up via the native Qlik REST connector.

shaybitton · ‎2020-11-30

Hi @Levi_Turner

Your code works great only if I use the FQDN but not with an IP address. what is the reason?

In my case i want to check all engines in the cluster with an external system - will it work with the same Qlikclient certificate?

Thanks,

Shay

Levi_Turner · ‎2020-11-30

The installed name for Qlik would need to match the FQDN variable. In the code above it's parsing the installed name from a config file so it will always match. If you need to ignore this then it's more of a question for how to skip SSL validation in PowerShell than anything Qlik specific. That being said, from https://til.intrepidintegration.com/powershell/ssl-cert-bypass we can do this:

$hdrs = @{}
$hdrs.Add("X-Qlik-Xrfkey","examplexrfkey123")
$hdrs.Add("X-Qlik-User", "UserDirectory=INTERNAL; UserId=sa_api")
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where {$_.Subject -like '*QlikClient*'}
$FQDN = '127.0.0.1'
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
while (1) {
    $health = Invoke-RestMethod -Uri "https://$($FQDN):4747/engine/healthcheck?xrfkey=examplexrfkey123" -Method Get -Headers $hdrs -ContentType 'application/json' -Certificate $cert
    Write-Host ($health.apps.in_memory_docs).count 'in memory doc';
    Write-Host ($health.apps.loaded_docs).count 'loaded doc';
    sleep 5; 
    Clear-Host}

shaybitton · ‎2020-12-01

Works great !

Thank you very much

How to get health-check info for a node without Proxy?

General Question