mattdetwiler
Contributor III

Connecting to Qlik-cli client managed site

First off, is there a way to connect to CM with OAuth?  That would be my first choice.

The docs from qlik.dev have me going through setting up a virtual proxy jwt connection.

- I'm not able to navigate to https://mysite/jwt so I'm not sure if the virtual proxy is even working
- After generating the jwt token the docs seem to trail off and don't really go through a way of testing the setup

I tried going through the qlik context init setup in qlik-cli but it doesn't seem to want to work for CM.
I tried manually setting the values in contexts.yml to see if I could set things up that way but I struck out there too.

I have the SaaS side working and qlik-cli looks great on that side. I just need to get over this bump for setting up the CM side and I can start migrating apps.


Accepted Solutions
mattdetwiler
Contributor III
Author

So this was about a week of head banging, but for the sake of humanity I hope this saves someone frustration.  IT WORKS!

Start with the guide from Qlik, it's got most of what you need:
https://qlik.dev/toolkits/qlik-cli/qlik-cli-qrs-get-started/

A few notes that I wish that document included:

1. Key Generation
  - If OpenSSL doesn't work, use PuTTY's keygen (part of PuTTY) to generate and save both a public and private key
  - The public key will go into the "JWT certificate" field of the virtual proxy. (You can keep the beginning and end tags)

2. JWT Virtual Proxy
    - Creates a new endpoint on your server:  https://yourqlikserver.com/jwt
    - For JWT virtual proxy attributes:
         - User ID: Use userid (a variable name, not the actual user ID).
         - User Directory: Use userdirectory (a variable name).
         - Intended Audience: Choose a unique value for your environment.
         - Load balancing: Use your central node
         - Allowed Hosts: In the advanced section, add your site URL (e.g., https://yourqlikserver.com). If incorrect, you'll get a 400 error instead of a 401 auth error when you test.
         - Proxies: Select a running proxy (your central node)
         - Note: applying restarts specified nodes and logs out all active users.

3. Testing the setup
    - After applying changes, go to https://yourqlikserver.com/jwt. A 401 error indicates a correct setup.

4. JWT Token Generation

At this point my method varies a bit from the qlik.dev doc

I used https://jwt.io to convert my signatures into a jwt token with the following settings:
   - Select RS256 as the algorithm
   - Replace the payload with:
{
    "audience": "<your intended audience value from the virtual proxy setup>",
    "userid": "<your user id from Qlik qmc users>",
    "userdirectory": "<your user directory from Qlik qmc users>"
}
- Add your public and private keys to populate the encoded text area.
- Copy the generated jwt token for use as a bearer token in Qlik-CLI

5. Configuring Qlik-CLI contexts.yml
- Locate your contexts.yml file (e.g., C:\Users\myusername\.qlik\contexts.yml).
- Add the following entry to the file:

current-context: qsecm
contexts:
    qsecm:
        headers:
            Authorization: Bearer <your generated jwt token>
        server: https://yourqlikserver.com/jwt
        server-type: windows

Ensure proper tab spacing (might be easier to set up the SaaS connection first and copy the formatting)

6. Testing the Connection:
    - Switch context in Qlik-CLI: qlik context use qsecm
    - Test the new context with a command: qlik app ls
    - This should list all app IDs and names from your server

That's it, you are connected!

If you encounter issues, double-check your configurations and keys.

These are just my findings; they come with no warranty and your mileage may vary.


8 Replies
DaveChannon
Employee

Thanks for the feedback, and for sharing your solution! I'll add a task for us to review this article and see what we can improve.

Thanks again!

mattdetwiler
Contributor III
Author

Another thing that may be useful to add to the CLI kit would be a PS script to export a single app by ID from CM and another for the import into SaaS.  That way folks can test a tiny piece before turning on the fire hose.

I also had trouble trying to figure out the "server-type" in the yml file.  I know the way I went about setting up that file wasn't traditional, but I could only find "windows" by trial and error and reading the error message in the terminal.

Levi_Turner
Employee

I would recommend using JWT for any production workflows as it programmatically works reliably, whereas Windows auth is dependent on a session cookie which does expire. But for what it's worth, in a pinch, if you need to do some quick testing, you can use Windows auth. Example:

qlik context create example --server https://<myserverurl.company.com> --server-type windows
qlik context use example
> Context: example
qlik context login example
> Using context 'example', with URL 'https://<myserverurl.company.com>'
> Enter Username (domain\user): <domain\userid>
> Enter Password:
qlik qrs app ls

 

aschmeelk
Contributor III

Matt, where do you create the payload file? Is this a separate '.yaml' file or something else?

mattdetwiler
Contributor III
Author

So that payload is what you paste into the payload box in jwt.io.  It's basically what I have up there; you just cut and paste the text (JSON?).  The values will be included when you create the token.  I'm not sure if you even need everything that I have up there, but mine worked.

aschmeelk
Contributor III

Matt,

Thanks for the quick response! Appreciate the clarification.

mattdetwiler
Contributor III
Author

Sure thing!  If you have any other issues, feel free to ask!