Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
First off if there is a way to connect to CM with Oauth? That would be my first choice.
The docs from qlik.dev have me going through setting up a virtual proxy jwt connection.
- I'm not able to navigate to https://mysite/jwt so I'm not sure if the virtual proxy is even working
- After generating the jwt token the docs seem to trail off and don't really go through a way of testing the setup
I tried going through the qlik context init setup in qlik-cli but it doesn't seem to want to work for CM.
I tried manually setting the values in contexts.yml to see if I could set things up that way but I struck out there too.
I have the SaaS side working and qlik-cli looks great on that side I just need to get over this bump for setting up the CM side and I can start migrating apps.
So this was about a week of head banging, but for the sake of humanity I hope this saves someone frustration. IT WORKS!
Start with the guide from Qlik, it's got most of what you need:
https://qlik.dev/toolkits/qlik-cli/qlik-cli-qrs-get-started/
A few notes that I wish that document included:
1. Key Generation
- If OpenSSL doesn't work use Putty's keygen (part of putty) to generate and save both a public and private key
- The public key will go into the "JWT certificate" field of the virutal proxy. (You can keep the beginning and end tags)
2. JWT Virtual Proxy
- Creates a new endpoint on your server: https://yourqlikserver.com/jwt
- For JWT virtual proxy attributes:
- User ID: Use userid (a variable name, not the actual user ID).
- User Directory: Use userdirectory (a variable name).
- Intended Audience: Choose a unique value for your environment.
- Load balancing: Use your central node
- Allowed Hosts: In the advanced section, add your site URL (e.g., https://yourqlikserver.com). If incorrect, you'll get a 400 error instead of a 401 auth error when you test.
- Proxies: Select a running proxy (your central node)
- Note: applying restarts specified nodes and logs out all active users.
3. Testing the setup
-After applying changes, go to https://yourqlikserver.com/jwt. A 401 error indicates a correct setup.
4. JWT Token Generation
At this point my method varies a bit from the qlik.dev doc
I used https://jwt.io to convert my signatures into a jwt token with the following settings:
- select RS256 as the algorythm
- Replace the payload with:
{
"audience": "<your intended audience value from the virtual proxy setup>",
"userid": "<your user id from Qlik qmc users>",
"userdirectory": "<your user directory from Qlik qmc users>"
}
- Add your public and private keys to populate the encoded text area.
- Copy the generated jwt token for use as a bearer token in Qlik-CLI
5. Configuring Qlik-CLI contexts.yml
- Locate your contexts.yml file (e.g., C:\Users\myusername\.qlik\contexts.yml).
- Add the following entry to the file:
current-context: qsecm
contexts:
qsecm:
headers:
Authorization: Bearer <your generated jwt token>
server: https://yourqlikserver.com/jwt
server-type: windows
Ensure proper tab spacing (might be easier to set up the SaaS connection first and copy the formatting)
6. Testing the Connection:
- Switch context in Qlik-CLI: qlik context use qsecm
- Test the new context with a command: qlik app ls
- This should list all app IDs and names from your server
That's it you are connected!
If you encounter issues, double-check your configurations and keys.
These are just my findings they come with no warranty and your mileage may very.
So this was about a week of head banging, but for the sake of humanity I hope this saves someone frustration. IT WORKS!
Start with the guide from Qlik, it's got most of what you need:
https://qlik.dev/toolkits/qlik-cli/qlik-cli-qrs-get-started/
A few notes that I wish that document included:
1. Key Generation
- If OpenSSL doesn't work use Putty's keygen (part of putty) to generate and save both a public and private key
- The public key will go into the "JWT certificate" field of the virutal proxy. (You can keep the beginning and end tags)
2. JWT Virtual Proxy
- Creates a new endpoint on your server: https://yourqlikserver.com/jwt
- For JWT virtual proxy attributes:
- User ID: Use userid (a variable name, not the actual user ID).
- User Directory: Use userdirectory (a variable name).
- Intended Audience: Choose a unique value for your environment.
- Load balancing: Use your central node
- Allowed Hosts: In the advanced section, add your site URL (e.g., https://yourqlikserver.com). If incorrect, you'll get a 400 error instead of a 401 auth error when you test.
- Proxies: Select a running proxy (your central node)
- Note: applying restarts specified nodes and logs out all active users.
3. Testing the setup
-After applying changes, go to https://yourqlikserver.com/jwt. A 401 error indicates a correct setup.
4. JWT Token Generation
At this point my method varies a bit from the qlik.dev doc
I used https://jwt.io to convert my signatures into a jwt token with the following settings:
- select RS256 as the algorythm
- Replace the payload with:
{
"audience": "<your intended audience value from the virtual proxy setup>",
"userid": "<your user id from Qlik qmc users>",
"userdirectory": "<your user directory from Qlik qmc users>"
}
- Add your public and private keys to populate the encoded text area.
- Copy the generated jwt token for use as a bearer token in Qlik-CLI
5. Configuring Qlik-CLI contexts.yml
- Locate your contexts.yml file (e.g., C:\Users\myusername\.qlik\contexts.yml).
- Add the following entry to the file:
current-context: qsecm
contexts:
qsecm:
headers:
Authorization: Bearer <your generated jwt token>
server: https://yourqlikserver.com/jwt
server-type: windows
Ensure proper tab spacing (might be easier to set up the SaaS connection first and copy the formatting)
6. Testing the Connection:
- Switch context in Qlik-CLI: qlik context use qsecm
- Test the new context with a command: qlik app ls
- This should list all app IDs and names from your server
That's it you are connected!
If you encounter issues, double-check your configurations and keys.
These are just my findings they come with no warranty and your mileage may very.
Thanks for the feedback, and for sharing your solution! I'll add a task for us to review this article and see what we can improve.
Thanks again!
Another thing that may be useful to add to the CLI kit would be a PS script to export a single app by ID from CM and and another for the import into SaaS. That way folks can test a tiny piece before turning on the fire hose.
I also had trouble trying to figure out the "server-type" in the yml file. I know the way I went about setting up that file wasn't traditional, but I could only found "windows" by trial and error and reading the error message in the terminal.
I would recommend using JWT for any production work-flows as it programmatically works reliably whereas Windows auth is dependent on a session cookie which does expire, but for what it's worth, in a pitch, if you need to do some quick testing, you can use Windows auth. Example:
qlik context create example --server https://<myserverurl.company.com> --server-type windows
qlik context use example
> Context: example
qlik context login example
> Using context 'example', with URL 'https://<myserverurl.company.com>'
> Enter Username (domain\user): <domain\userid>
> Enter Password:
qlik qrs app ls
Matt, where do you create the payload file? Is this a separate '.yaml' file or something else?
So that payload is what you paste into the payload box in jwt.io. It's basically what I have up there you just cut and paste the text (JSON?). The values will be included when you create the token. I'm not sure if you even need everything that I have up there but mine worked.
Matt,
Thanks for the quick response! Appreciate the clarification.
Sure thing! If you have any other issues feel free to ask!