Nov 3, 2023 5:22:03 AM
Apr 24, 2019 10:07:42 AM
Qlik products have generally used license keys to enforce license entitlements and use rights. During activation, the licensed entitlement is downloaded to the product in the format of a Licensing Enabler File (LEF). Activation requires internet connectivity to the deployment and is triggered by entering a 16-digit serial number and a corresponding control number. Offline activation is also supported using a manual LEF, by copying and pasting a text file into the activation user dialog. Communication uses the HTTP protocol.
Introduced with the February 2019 release of Qlik Sense Enterprise, Qlik has developed an alternative process for product activation. There have been several drivers for this change, including a move to the HTTPS protocol for a more secure connection between the Customer deployment and Qlik infrastructure. More information follows below.
To allow Customers to decide when to move, Qlik has introduced the use of a Signed License Key to determine which activation method to use. Over time Qlik Licensing Service will replace the current activation process, but for now both methods of activation will work.
As mentioned above, Qlik has added one additional way to activate Qlik products.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens allow the integrity of the claims they contain to be verified, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it. That is why we refer to this as the Signed License Key.
With the use of a Signed License Key, there are more Product and deployment offers to use.
All of the above is enabled by the use of the Signed License Key. This is made possible because the local deployment syncs entitlement data with all deployments using the same Signed License Key through an online database, License Backend, hosted by Qlik within Qlik Cloud.
This is initiated by entering a Signed License Key in the Control Panel. The request is performed by the service Licenses using port 443 (https protocol procedures apply).
Signed License Key | Example data |
A Signed License Key based on one of Qlik’s internal keys. |
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImEzMzdhZDE3LTk1ODctNGNhOS05M2I3LTBi MmI5ZTNlOWI0OCJ9.eyJqdGkiOiI2MjNhYTlhZi05NTBmLTQ3ZjctOGJmMC1mNGQzOWY0MmQ5N mMiLCJsaWNlbnNlIjoiOTk5OTAwMDAwMDAwMTI1MyJ9.YJqTct2ngqLfl2VP3jxW4RsDNK2MTL-BpJ WnBdIfF5gGbJcX0hc__tfIa2ab5ZrL9h6tsZxTwgucTFiRTAOz8PaOQP7JTnhPCyrBZwpnmhvCrSHx2 C-HbCARFUIueBzMg8fgvWH-3HxBuxx6jnDhekDTUbb12vBq7CySampJkgMT7QsDdUkeJy5E7O0U 8yhd1RtEDeuTbeX35eIdQUN4DyJWHHPiT9qZt1AV0_Ofe1iLKxYZMa5jC0kIsVwYnRCJzibZlrLE7mS VlNitxmcm8OoUrR_ZIk8VuOkoz_qqy8N_wwrt7FcT2slWz50XzuL8TIWY9mcGIL |
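Because the Signed License Key is signed rather than encrypted, anyone who holds the key can read its header and claims. The following added example (not Qlik code) decodes a key of this shape without verifying the signature and flags a header algorithm outside the public/private key family. The token is constructed: its field names are modelled on the sample key above, the values and signature bytes are placeholders, and the allowed-algorithm list is an assumption.

```python
import base64
import json

# Assumption: only public/private key algorithms are acceptable for a license key.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_signed_key(token: str) -> dict:
    """Decode header and claims WITHOUT verifying the signature; list structural findings."""
    # Keys copied from e-mail or documents often pick up spaces and line breaks.
    compact = "".join(token.split())
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if header.get("alg") not in ALLOWED_ALGS:
        findings.append(f"unexpected alg {header.get('alg')!r}")
    if not parts[2]:
        findings.append("empty signature")
    return {"header": header, "claims": claims,
            "sig_bytes": len(b64url_decode(parts[2])), "findings": findings}

def build_sample(alg: str, signature: bytes) -> str:
    # Constructed token: placeholder values, signature bytes are not a real signature.
    header = {"alg": alg, "typ": "JWT", "kid": "00000000-0000-0000-0000-000000000000"}
    claims = {"jti": "11111111-1111-1111-1111-111111111111", "license": "0000000000000000"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(signature)])

if __name__ == "__main__":
    good = build_sample("RS512", b"\x00" * 256)
    wrapped = good[:40] + " \n" + good[40:]  # simulate a key broken across lines
    print(inspect_signed_key(wrapped))
    print(inspect_signed_key(build_sample("none", b""))["findings"])
```

Decoding only shows what the key discloses and whether it is well formed; trusting the claims still requires verifying the signature against the issuer's public key, which is not part of this page.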
Assignment information (what user has what type of access assigned) is synchronized from the license service to license.qlikcloud.com every 10 minutes.
Changes to a license (such as adding additional analyzer capacity) can take up to 24 hours to be retrieved.
Data Element | Comment | Example Data |
Signed License Key | See above | |
Cause | Initial or Update | “Initial” |
User agent | Built from the License service version (operating system) and Product (e.g. QSEfW, QCS, QSEfE, QV) | Licenses/1.6.4 (windows) QSEfW |
Data Element | Comment | Sample Data |
License definition | content variable based on product and entitlement | "name": "analyzer_time", "usage": {"class": "time", "minimum": 5}, "provisions": [{ "accessType":"analyzer"} ],"units": [{"count": 200, "valid": "2018-06-01/2018-12-31"}]}, "name": "professional", "usage": { "class": "assigned", "minimum": 1 }, "provisions": [{ "accessType": "professional" }],"units": [{ "count": 10, "valid": "" }]} |
(Time schedule is not disclosed and includes grace time to support outages in the internet connection, a/k/a Optimistic Delegation.)
Data Element | Comment | Sample Data |
Signed License Key | See above | |
Array Element id | Used for internal match only | 1 |
Allotment name | alternatives are Analyzer_Time, Core_Time | “analyzer_time” |
Year/Month | YYYY-MM | 2018-11 |
Consumption | for this deployment since last sync | 242 |
Source | hashed ID to make each deployment unique, e.g. a Qlik Sense Enterprise on Windows and a Qlik Sense Enterprise on Kubernetes will have different Source ID's | fbe89d02-6d24-4595-915e-c52ce76f2195 |
User agent | Same construct as for the activation request | Licenses/1.6.4 (windows) QSEfW |
Data Element | Comment | Sample Data |
Total consumption | Used by the Product for enforcement. Deny access will be executed if quota has been exceeded. Quota is set in the LEF. Additional quota for the month could be managed as Overage in the LEF. This would contain an Overage Value (COUNT) or the value YES. Total quota for the month is calculated as licensed quota + Overage quota. If the LEF contains the value YES, there will be no cap on the capacity for the Year/Month. | 12345 |
Data Element | Comment | Sample Data |
Signed License Key | See above | |
Allotment name | Professional / Analyzer | “professional” |
Subject | Domain / User ID, and whether this is an add or delete transaction. On delete, the subject is removed immediately. An internal id is used to secure sync to other deployments using the same Signed License Key. The internal id will disappear within 60 days after a delete transaction. (This information is stored for all assigned users until the assignment is deleted, at which point it is deleted. The information is used for synchronizing assignments across deployments in order to facilitate the single-license-multi-deployment scenario. It is encrypted in transit and at rest.) | “acme\bob” (For information on how data is submitted and stored in the audit logs see here) |
User agent | Built from the License service version (operating system) and Product (e.g. QSEfW, QCS, QSEfE, QV) | Licenses/1.6.4 (windows) QSEfW |
Source | Hashed ID to make each deployment unique, e.g. a Qlik Sense Enterprise on Windows and a Qlik Sense Enterprise on Kubernetes will have different Source ID's | fbe89d02-6d24-4595-915e-c52ce76f2195 |
Sync metadata | Versioning information about the subjects and list of subjects to manage the synchronization process | { "source": "my assignments", "bases": [{ "license": "1234 1234 1234 1234", "version": 0 }], "patches": [{ "instance": "", "version": 0, "license": "1234 1234 1234 1234", "allotment": "analyzer", "subject": \\generated4, "created": "2019-04-18T10:01:35.024031Z" } |
Data Element | Comment | Sample Data |
Signed License Key | See above | |
Subject | Including subjects changed by other deployments | “acme\bob” |
Sync metadata | Versioning information about the subjects and list of subjects to manage the synchronization process | { "bases": [{ "license": "1234 1234 1234 1234", "version": 17 }], "patches": [{ "instance": "5382018630938057025", "version": 14, "license": "1234 1234 1234 1234", "allotment": "analyzer", "subject": "ACME\\bob", "created": "2019-04-18T10:01:35.024Z", "rejection": "" }] } |
This Reference Guide is intended solely for general informational purposes and its contents do not form part of the product documentation. The information in this guide is subject to change without notice. ALL INFORMATION IN THIS GUIDE IS BELIEVED TO BE ACCURATE BUT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. Qlik makes no commitment to deliver any future functionality and purchasing decisions should not be based upon any future expectation.
Good post, and it helps to dig and upgrade. I have one question about "Activation Using the Signed License Key".
Does port 443 need to be enabled? By default, Qlik will listen on 443 only (do we still need more on this?)
https://license.qlikcloud.com ? For this, I can talk to the URL from my machine, whereas I can't listen to that when accessing through the Qlik Sense server. Do we need to provide access to that URL before applying the JWT?
When applying the SLK, I am having some issues.
Kindly acknowledge with your feedback.
Hello @Anil_Babu_Samineni !
When activating a Qlik Sense SLK, port 443 to the license backend needs to be open.
See comment in this article:
This is initiated by entering a Signed License Key to the Control Panel. The request is performed by the service Licenses using port 443 (https protocol procedures apply).
If you experience any issues when applying the signed license key, I would recommend searching our knowledge base for further assistance. Here is a link with a simple pre-defined query.
@Sonja_Bauernfeind I've opened the port, whereas I can't get the link to open due to restrictions within my storage in servers due to policy. I hope I can apply with the key and control number as an alternative. Also, I am not finding any different behaviour with SLK vs control number. Do you think this will behave differently?
Hi All, we need to test our license over the internet for QlikView. Do we need to whitelist the same URL https://license.qlikcloud.com from our servers for port 443?
Short Answer: Yes
If that is not viable, then it is possible to set up a proxy for this service, please see the help at https://help.qlik.com/en-US/qlikview/May2021/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS...
@Sonja_Bauernfeind @Andrew_Delaney
I have an important question from our customer about online communication to QLS. You mentioned the User Assignment Sync Process: Data Transmitted and Reply from License Backend. Is the Subject (user login) transmitted to QLS in hashed form (like you mentioned here) or in unchanged form?
“a24a2f2b67c5e051bcb6cd2d7a9f7ebe” (hashed form) OR “acme\bob” (unchanged form)?
Hello @humansoft
I've reached out to our licence team and will update you as soon as I hear back.
All the best,
Sonja
Hello @humansoft
We received a reply.
The subject is sent to the backend not hashed. The communication's encryption mechanism is described in this link: Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows.
All the best,
Sonja
Good morning @Sonja_Bauernfeind !, we understand that the same SLK can be used to set up an independent development server since both environments would use the unified license allocation and would not be duplicating users. Is this correct?
Thank you very much!
Hello @amartinezSAND
That is correct. Users who are shared between the environments (example, if my user exists in both, the production and development node), the user will be synced. In this example I would have the same license on both nodes.
All the best,
Sonja