Last Update:
Feb 23, 2021 4:36:40 AM
Updated By:
Created date:
Sep 16, 2016 10:05:43 AM
Qlik Sense Repository Service API (QRS API) contains all data and configuration information for a Qlik Sense site. The data is normally added and updated using the Qlik Management Console (QMC) or a Qlik Sense client, but it is also possible to communicate directly with the QRS using its API. This enables the automation of a range of tasks, for example:
- Start tasks from an external scheduling tool
- Change license configurations
- Extract data about the system
Using Xrfkey header
A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. Thus we use the Xrfkey to prevent that, without Xrfkey being set in the URL the server will send back a message saying: XSRF prevention check failed. Possible XSRF discovered. Some users like to use Postman for API calls and testing purposes, for more details on this see https://www.getpostman.com/docs/
Resolution:
This procedure has been tested with Qlik Sense 2.x and Qlik Sense 3.x.
- Install Postman Chrome Extension, you can get it from the Chrome Web Store (Do NOT use the Desktop version of Postman for this procedure! See How to configure Postman (desktop app) to connect to Qlik Sense for information on how to do this with the Desktop Application)
- Make sure the Qlik Repository service is up and running and port 4242 is open on the target server
Method 1: Authenticating through Qlik Proxy Service
- In Postman click on the interceptor icon and let the extension install itself if needed. This is needed to pass authentication credentials from Chrome to Postman.
- Open the hub or the QMC in Chrome and authenticate to Qlik Sense.
- Go to Postman and in the URL section type https://<machine hostname>/qrs/About?Xrfkey=12345678qwertyui
- In this example we are sending a GET request with a header of Xrfkey=12345678qwertyui and we are addressing the endpoint of /about. For more details on all end points, please refer to https://help.qlik.com/en-US/sense-developer/3.0/Subsystems/RepositoryServiceAPI/Content/RepositorySe...
In summary a typical QRS API call using Xrfkey header, querying QMC at the end point of “/about” will look like this in Postman browser (given that the host machine name is qlikserver1):
https://qlikserver1/qrs/about?xrfkey=12345678qwertyui
A possible response may look like this:
{"buildVersion":"2.2.4.0","buildDate":"9/20/2013 10:09:00 AM","databaseProvider":"Devart.Data.PostgreSql","nodeType":1,"schemaPath":"About"}
Method 2: Use certificate and send direct request to Repository API
- Open Qlik Management Console and export the certificate. Please refer to Export client certificate and root certificate to make API calls for procedure.
- Make sure that port 4242 is open between the machine making the API call and the Qlik Sense server.
- Import the certificate on the machine you will use to make API calls. This must be imported in the personal certificate store of your user in MMC.
- Go to Postman and in the URL section type https://<machine FQDN>:4242/qrs/About?Xrfkey=iX83QmNlvu87yyAB
- In Postman, specify the following headers: X-Qlik-Xrfkey, X-Qlik-User as on the screenshot below:
Execute the command.
A possible response may look like this:
{"buildVersion":"2.2.4.0","buildDate":"9/20/2013 10:09:00 AM","databaseProvider":"Devart.Data.PostgreSql","nodeType":1,"schemaPath":"About"}
