Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
vogel_jo
Contributor
Contributor

Remotely calling QRS API via Virtual Proxy using Client Certificate

Hi,

i am getting lost while trying to call the QRS API remotely, using a client certificate.

Calling through localhost:4242/qrs works as expected, however i cannot find any resources on how to authenticate to the QRS API remotely. Am i doing something wrong? I assume it should be possible like this:

  1. authenticate against QPS remotely (via virtual proxy?)
  2. use ticket or similar from step 1 in cookies to call QRS via https://[Qlik Sense VM DNS]/[virtual proxy]/qrs/...

This is how the QMC works. However, when i try to call QRS in my application with a client certificate using an endpoint like https://[Qlik Sense VM DNS]/[virtual proxy]/qrs/...  ,  i get 401 unauthorized. Of course, because i am not sending session information via cookies. But how is step 1. done? How do i retrieve my session information to continue using the QRS API?

I feel like i am missing a piece of the puzzle.

My setup:

  • single-node Qlik Sense instance, one VM
  • two virtual proxies:
  1. Windows authentication (default, prefix "windows")
  2. SAML virtual proxy (no prefix)

Can someone give me a hint or explain to me how to authenticate remotely, using a client certificate in detail? I looked at a lot of examples, but almost all of them focus on calling QRS API directly (which is working), not through the QPS. Or is it recommended to just open port 4242 to the public? 

 

Thanks in advance

Jonathan

Labels (7)
3 Replies
Øystein_Kolsrud
Employee
Employee

I think you're mixing authentication mechanisms here. Certificates are only relevant for direct connections to the Repository service and is primarily used for communication between services in the Qlik Sense system. Virtual proxies are used to provide other authentication mechanisms that do not require certificates. So doing a connection to a virtual proxy using certificates is not very meaningful.

The authentication flow for connecting to virtual proxies can be rather complicated, but typically involves setting some headers on the request. When you hit the virtual proxy the first time, then you are typically redirected to the location where the authentication is performed and where the session cookie is created before being redirected back to the virtual proxy.

I don't know about SAML, but for Windows authentication you need to set the header "User-Agent" to "Windows" and possibly (depending on the language you are using) add the Windows credentials to the credential cache of the request.

vogel_jo
Contributor
Contributor
Author

Hi Yko,

thanks for your fast response. Okay, i can see now why my approach did not work as expected. I think the documentation here is rather confusing:  "If you plan to access the APIs from a remote server, you must export client certificates from the Qlik Management Console (QMC) and install them on the calling server." This is what i was going to do, assuming i would be able to without opening port 4242.

Let's consider a simple use case:

On demand, i want to have status information for an arbitrary app, referenced by its ID, in our Qlik Sense instance, including its owner and last modified as well as last reload date, and the load script. This information needs to be retrieved from a remote computer (e.g. on prem).

I know the API endpoints needed to retrieve this information, just not how to access it from external sources. What would your best practice recommandation be in this case?

Thanks

Øystein_Kolsrud
Employee
Employee

I don't know if there is really any best practice to point you to. How to do that would depend very much on the individuals experience with different technologies. But personally I typically go with a solution involving C# when I want to build something for interacting with the APIs. I have this library that takes care of the authentication part (though it doesn't provide much help for authentication with SAML):

https://www.nuget.org/packages/QlikSenseRestClient/

With that library you can connect using Windows authentication like this:

 

var restClient = new RestClient("https://my.server.url/vproxy");
restClient.AsNtlmUserViaProxy();
var rsp = restClient.Get("/qrs/about");
Console.WriteLine(rsp);

 

You'll find some more examples here:

https://github.com/kolsrud/qlik_rest_sdk/tree/master/Qlik.Sense.RestClient/Examples