This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.
Content:
get-command qlik
choco install qlik-cli
if ( -not (Test-Path $PROFILE) ) {
echo "" > $PROFILE
}
qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
. ./qlik_completion.ps1 # Source the completion.
Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.
For security reasons, the customer's reverse proxy injects a Content Security Policy (CSP) header into the responses.
The policy adopted is basic: default-src 'self'
Opening the QlikView AccessPoint or Qlik Sense Hub may fail or the AccessPoint may only render partially.
The Browser Debug tools will provide more insight:
QlikView
Qlik Sense Enterprise on Windows
The Content-Security-Policy header contains a string of rules that tells the browser which resources and code are trusted to be loaded, executed, or rendered.
More details on the topic can be found here:
https://www.w3.org/TR/CSP3/
For QlikView AccessPoint, a first example is to use Content-Security-Policy: "default-src 'self' 'unsafe-inline' data: ;" (note that the 'unsafe-inline' option can be unsafe in the proxy injection scenario when the client browses a different site; you could evaluate using the sha256 hash version instead).
Further options may be necessary if, for example, you have QlikView Extension Objects (Server and Document Extensions) that use external resources downloaded from CDN locations.
In this case the troubleshooting is the same: use F12/Developer Tools to find the resource that violates the policy and add an exclusion.
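The sha256 alternative to 'unsafe-inline' mentioned above can be generated from the page itself. The following is an added example, not code from the original article or from Qlik: it hashes each inline script and style element and builds a policy without 'unsafe-inline'. The sample page and the function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def csp_hash_source(text):
    """CSP source expression for the exact body of one inline element."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


class InlineCollector(HTMLParser):
    """Collect the exact text of inline <script> and <style> elements."""

    def __init__(self):
        super().__init__()
        self.found = {"script": [], "style": []}
        self._tag = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        # <script src=...> is matched by host sources, not by a hash.
        if tag in self.found and "src" not in dict(attrs):
            self._tag, self._buf = tag, []

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            self.found[tag].append("".join(self._buf))
            self._tag = None


def build_policy(html):
    """Policy that allows only the inline blocks present in `html`."""
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    scripts = sorted({csp_hash_source(s) for s in collector.found["script"]})
    styles = sorted({csp_hash_source(s) for s in collector.found["style"]})
    # Hashes do not cover inline event handlers (onclick=...) or style
    # attributes; those still show up as violations in the F12 console.
    return "; ".join([
        "default-src 'self' data:",
        " ".join(["script-src 'self'"] + scripts),
        " ".join(["style-src 'self'"] + styles),
    ]) + ";"


# Constructed sample page (not taken from QlikView or Qlik Sense).
SAMPLE_PAGE = """<html><head>
<style>body { margin: 0; }</style>
<script src="/static/app.js"></script>
<script>window.appReady = true;</script>
</head><body><script>window.appReady = true;</script></body></html>"""

if __name__ == "__main__":
    print(build_policy(SAMPLE_PAGE))
```

The hash is taken over the exact bytes between the tags, so any whitespace change in an inline block requires a new hash in the header injected by the proxy.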
QlikView Access Point Shows "Loading Content" Indefinitely,
What is CSP (Content-Security-Policy) and How does it Relate to Qlik?
This article explains how to get started with the .NET SDK
The following must be installed to test the example provided in this article:
*It does not need to be installed on the same machine, but proper ports must be open for incoming connection on the Qlik Sense server side.
Please also make sure that the user connecting from the .NET SDK has a license assigned
Environments:
In the below program, we are using Windows authentication, so we have to use the AsNtlmUserViaProxy function to specify that we want to use Windows authentication.
using System;
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver3.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            // Windows (NTLM) authentication through the Qlik Sense proxy.
            // certificateValidation: false turns off validation of the server's TLS certificate.
            location.AsNtlmUserViaProxy(certificateValidation: false);
            using (var hub = location.Hub())
            {
                Console.WriteLine("Product Version: " + hub.ProductVersion());
                Console.WriteLine("OS Name: " + hub.OSName());
                Console.WriteLine("OS Version: " + hub.OSVersion());
                Console.WriteLine("Press enter to close...");
                Console.ReadLine();
            }
        }
    }
}
Product Version: 3.2.3
OS Name: WindowsNT
OS Version: 6.2.9200
Press enter to close...
Connect to an app:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Qlik;
using Qlik.Engine;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Uri uri = new Uri("https://qlikserver1.domain.local/");
            ILocation location = Qlik.Engine.Location.FromUri(uri);
            location.AsNtlmUserViaProxy(certificateValidation: false);
            IAppIdentifier appIdentifier = location.AppWithId("03bbedf2-2c45-4e10-bf5a-fded0c21cda8");
            using (var app = location.App(appIdentifier))
            {
                var layout = app.GetAppLayout();
                Console.WriteLine(layout.Title + " [" + app.Type + "]");
                Console.ReadLine();
            }
        }
    }
}
Result:
Test1 [Doc]
Tip: If the program does not run, try to build it and execute the .exe file from the Qlik Sense server. If that works locally from the server itself, it might be that there is a network device that is not allowing the connection or the proper ports are not open.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead.
More details about HSTS can be found on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
In Qlik Sense, one can add additional HTTP response headers in the Virtual Proxy configuration to enforce HSTS
For additional information about HTTP to HTTPS redirects, see
Sites to Confirm HSTS setup
Gov Site on HSTS https://https.cio.gov/hsts/
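Before pasting a Strict-Transport-Security value into the Virtual Proxy response headers, it can be checked locally. The following is an added example, not code from the original article or from Qlik: it parses the value according to the RFC 6797 grammar and reports problems that make browsers ignore or weaken the policy. The one-year threshold and the sample values are assumptions made for this example.

```python
import re

MIN_MAX_AGE = 31536000  # one year; threshold assumed for this example


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # values may be quoted strings
        if name in directives:
            raise ValueError("directive repeated: " + name)
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not a non-negative integer")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_hsts(value):
    """Return a list of findings; an empty list means no issue was found."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return ["invalid header, browsers will ignore it: %s" % exc]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to forget the HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below %d seconds" % MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


# Constructed sample values, not captured from a Qlik Sense server.
SAMPLES = [
    "max-age=31536000; includeSubDomains",
    "max-age=300",
    "max-age=31536000; max-age=0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_hsts(sample) or "ok")
```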
Note: Qlik does NOT support the configuration or implementation of non-Qlik or Operating System related software. The above suggestion is an introduction to this topic, and if it does not work in your particular environment then please reach out internally to your IT team. If you need direct assistance, please contact your Account Owner to discuss purchasing Consulting Services. (see How to Contact the Consulting Team?)
This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.
In order to integrate your solution with Qlik Sense using JWT authentication, your code will need to pass the JWT in the Authorization header of the first request to Qlik Sense so that a session is created.
QlikView and Qlik Sense provide the ability to extend their presentation capabilities by creating extension objects.
It is important to note that Qlik only supports the API calls made to the QlikView or Qlik Sense server. Qlik does not directly support 3rd party extension implementations. For issues with 3rd party provided extensions, the primary support channel is the 3rd party extension provider.
For Qlik to support API-related issues, the script or code must be minimised to show the issue is related to the specific API and not the custom code using the API. This initial troubleshooting and simplification of the script must be done by the extension developer.
Extensions provided by Qlik employees on Qlik Community are not supported by Qlik. These extension solutions are supported within these communities.
Extensions developed by Qlik’s partners, including certified Extensions, are supported by the Qlik partner.
A customer should also consider this:
The architecture of the integration at a High-level looks like this:
Qlik Sense Advanced Analytics integration is essentially an extension to Qlik Sense’s expression syntax, and as such it can be used in both Chart Expressions, and in Load Script Expressions.
With this new capability, we are now able to add syntax to a chart expression that tells Qlik Sense that particular expression should not be evaluated on the Qlik Sense server, but instead, all the information and data needed to calculate that expression should be sent via the server side extension on to the backend R system for calculation.
After the advanced analytic calculations are completed, the data is sent back to the Qlik Sense Server and to the client for visualization.
This video shows an example of how Qlik Sense connects to an R server for extending expression capabilities in Qlik Sense Apps while offloading the calculations to the R server engine.
In order to start displaying a simple "Hello World" in Qlik Sense using a R-Script, we will do the following:
1. Have R & R-studio installed in your system. (RGui included with R for Windows can also be used) R can be downloaded at https://cloud.r-project.org/
2. We need a package in R to extend R functionality to applications via TCP/IP. The package name is "Rserve".
Install the package using the below command in RStudio GUI:
install.packages('Rserve')
3. Now we need to invoke that library and start Rserve. In order to do so, execute the below scripts:
library(Rserve)
Rserve()
4. Communication from Qlik Sense to R is handled using gRPC. R is not a supported language in gRPC by default.
A possible solution is therefore to develop a connector in any of the languages gRPC supports. Qlik provides an open-source connector developed in C#, which in turn accesses Rserve to run R scripts.
qlik-oss/sse-r-plugin
Once you built the connector, start the SSEtoRserve.exe (ideally on the Rserve server itself)
Note: Qlik Support does not support this plugin directly. Inquiries should be submitted via GitHub under sse-r-plugin - Issues
5. Now we will have to configure the plugin:
Add the following line in the settings.ini file:
SSEPlugin=R,localhost:50051
The settings.ini is located in this location:
a. In the QMC, add a new Analytic Connection.
b. Restart the Qlik Sense Engine service.
Please refer to the screenshot below for creating a new connection.
Note: If the R-Plugin (SSEtoRserve.exe) was installed on the R-Server (where Rserve runs) or another machine, point to that machine name instead of 'localhost'. Also, in multi-node environments with multiple Qlik Sense Engines, even if the plugin was installed on the Central node, make sure to add the Central node's hostname instead of 'localhost' as the other Rim node Engine services need the correct DNS/Netbios name to reach the plugin.
6. Now Open a Qlik Sense App and add a KPI object in the sheet. This can be one of the Apps included with the plugin itself under <storage path>\sse-r-plugin-master\sense_apps
Note that the example apps also need data connections to be created to the data files included with these apps files in the above location.
7. Otherwise, a new app can be created and any data may be loaded for the SSE example below.
8. For the measure, add the following expression which contains an R-script:
R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', 'Hello' as firstWord, 'World' as secondWord)
9. If everything is configured properly, the R script in the expression above should execute and display a "Hello World" message.
R.ScriptEvalStr('paste(q$firstWord, q$secondWord);', Only([First Word]) as firstWord, Only([Second Word]) as secondWord)
Eight script functions are automatically added to the functionality of the plugin. To provide this functionality, the plugin side only needs to implement the EvaluateScript rpc function.
The syntax of these functions is:
<EngineSSEName>.<FunctionName>(Script [,Parameter...])
Where the Script is an R-Script to be evaluated & Parameter is the data sent from Qlik's end.
Here, we use the ScriptEvalStr function which accepts argument of type String & returns a String. The 'paste' function in R concatenates vectors after converting to character. We pass two data fields of type string from Qlik (First Word & Second Word). The R-script then references these data fields through the q dataframe (structure already taken care in R) (q$firstWord and q$secondWord). The script/function finally returns a String back to Qlik Sense.
When using SAML or ticket authentication which started in Qlik Sense June 2019, some users belonging to a big number of groups see the error "Qlik Sense G3 Broker API" on the hub and cannot proceed further.
You may receive the following error when setting up the SAML virtual proxy: cachebust pending
Environments:
The only known workaround in the above versions is to reduce the number of groups sent in the SAML response or ticket request.
The fix for this defect is included in the following versions, but additional steps may be necessary:
All Versions
The default setting will still be a header size of 8192 bytes. The fix adds support for a configurable MaxHttpHeaderSize.
Steps:
[globals]
LogPath="${ALLUSERSPROFILE}\Qlik\Sense\Log"
MigrationPort=4545
(...)
MaxHttpHeaderSize=65534
Note: The above value (16384) is an example. You may need to set a higher value depending on the total number of characters of all the AD groups to which the user belongs. The max value is 65534.
Other Related Articles:
https://community.qlik.com/t5/Official-Support-Articles/Error-431-when-trying-to-access-the-Qlik-Sense-Management/ta-p/1789124
QB-234.
When using Qlik Sense behind a reverse proxy, environment.user.ip is always the IP of the reverse proxy instead of the end user client.
Environments:
This is a product limitation.
A feature request (SHEND-225) has been logged but there is no information if and when the feature will be implemented yet.
When embedding a sheet in an iFrame, the "full screen" toggle button for Qlik Sense native chart objects is missing. This feature is present at the sheet level in the hub
Full Screen toggle button is available at the sheet level in the hub
The same feature is missing, once a sheet is added in an iFrame (Single Configurator)
This is a known limitation.
An improvement task has been created (Jira task VIZ-103) and an idea is available on our Ideation Platform.
To check the current status or to add your vote, head over to the idea: full screen for iframe and embed
QB-4967
VIZ-103
Qlik Cloud platform features and APIs rely on rate limits to help provide a predictably pleasant experience for users.
The details of how and when rate limiting works differ between features and are not based on customer subscriptions. All customers meet the same API rate limit tiers depending on the API endpoint. See Rate limiting for details.
Examples:
By embedding a chart object to your web application, you will use the following example in the body of the HTML file to set the ui attribute to object, indicating to qlik-embed that you want to embed a specific visualization from a Qlik Sense application.
[ Fig.1 ]
<qlik-embed
ui="analytics/chart"
app-id="<APP_ID>"
object-id="<CHART_ID>"
></qlik-embed>
Using ui="analytics/chart", it should correctly render, for instance, a single KPI object, as per the documentation below: https://qlik.dev/extend/extend-qlik-visualizations/supported-charts/
The following error can occur when trying to render the KPI in your web application:
Failed to load visualization: 'kpi'
This is because the character set is not supported and the only supported one is "utf-8".
Add the following element to your HTML file; it enforces utf-8 encoding and solves the issue:
<meta charset="utf-8">
For usage where the encoding cannot be controlled by the user (such as embedding in a tool, e.g. Microsoft Excel ) and this error arises, the customer will have to embed with the "classic/chart" type and the option "iframe=true".
Qlik Cloud
This article provides step-by-step instructions for implementing Azure AD as an identity provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Content:
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the "value of the client secret" and paste it somewhere safe. After saving the configuration, the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
An extension previously deployed successfully in a Qlik Sense on-premise environment has stopped working after being imported to Qlik Cloud Analytics.
The error Invalid visualization is shown in the Qlik Sense app.
The browser debug tools may display an error similar to:
Failed to load resource: the server responded with a status of 404
All required files (see Managing Extensions and Visualization extensions for details) are included in the uploaded zip file.
Change all file names in the extension .zip file to lowercase. Qlik Cloud Analytics tenants handle extensions differently than Qlik Sense on-premise. It is case-sensitive when reading files.
The Qlik Cloud Analytics tenant could not find the missing JSON file in the file extension .zip due to case-sensitivity.
Snowflake supports using key pair authentication for enhanced authentication security as an alternative to basic authentication (i.e. username and password). This article covers end-to-end setup for Key Pair Authentication in Snowflake and Qlik Replicate.
This authentication method requires, at minimum, a 2048-bit RSA key pair. You can generate the Privacy Enhanced Mail (i.e. PEM) private-public key pair using OpenSSL.
Qlik Replicate uses the ODBC driver to connect to Snowflake, and ODBC is one of the supported clients that support key pair authentication.
Let's assume you have decided to use key pair authentication for the Snowflake user that Qlik Replicate uses to connect to Snowflake. Follow the process below to convert the user's authentication from basic to key pair.
You can generate either an encrypted version of the private key or an unencrypted version of the private key.
To generate an unencrypted version use the following command in the command prompt:
$ openssl genrsa 2048|openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
To generate an encrypted version (which omits -nocrypt) use:
$ openssl genrsa 2048|openssl pkcs8 -topk8 -v2 des3 -inform PEM -out rsa_key.p8
In our example case, we generate an encrypted version of a private key.
We:
This generates a private key in PEM format:
From the command line, we generate the public key by referencing the private key. The following command assumes the private key is encrypted and contained in the file named rsa_key.p8.
When it requests a passphrase, use the same password that we generated in step 1.
openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
This command generates the public key in PEM format:
Copy the public and private key files to a local directory for storage and record the path to the files. Note that the private key is stored using the PKCS#8 (Public Key Cryptography Standards) format and is encrypted using the passphrase you specified in the previous step.
However, the file should still be protected from unauthorized access using the file permission mechanism provided by your operating system. It is your responsibility to secure the file when it is not being used.
Describe the user to see current information. We can see that there is no public key assigned to the HDW user. Therefore, the user needs to use basic authentication.
Execute an ALTER USER command to assign the public key to a Snowflake user.
Execute a DESCRIBE USER command to verify the user’s public key.
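To confirm that the key assigned with ALTER USER is the one in rsa_key.pub, the fingerprint can be computed locally and compared with the RSA_PUBLIC_KEY_FP value that DESCRIBE USER reports. The following is an added example, not code from the original article, Qlik or Snowflake: it also checks that the private key file is passphrase-encrypted and not readable by other accounts. POSIX file modes are assumed, and the sample PEM is constructed and is not a real key.

```python
import base64
import hashlib
import os
import stat


def rsa_public_key_value(pem_text):
    """PEM body on one line, the form used in ALTER USER ... SET RSA_PUBLIC_KEY."""
    begin, end = "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"
    if begin not in pem_text or end not in pem_text:
        raise ValueError("not a PEM public key")
    body = pem_text.split(begin, 1)[1].split(end, 1)[0]
    return "".join(body.split())  # drop line breaks and spaces


def snowflake_fingerprint(pem_text):
    """SHA-256 over the DER-encoded public key, formatted as SHA256:<base64>."""
    der = base64.b64decode(rsa_public_key_value(pem_text), validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def private_key_findings(path):
    """Check the PKCS#8 private key file for the storage issues noted above."""
    findings = []
    with open(path, "r") as handle:
        first_line = handle.readline().strip()
    if first_line == "-----BEGIN PRIVATE KEY-----":
        findings.append("private key is stored without a passphrase")
    elif first_line != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        findings.append("file is not a PKCS#8 PEM private key")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("file is accessible to group or others (mode %o)" % mode)
    return findings


# Constructed sample with a placeholder body; it is not a usable RSA key.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
QUJDREVGR0hJ
SktMTU5PUA==
-----END PUBLIC KEY-----
"""

if __name__ == "__main__":
    print(rsa_public_key_value(SAMPLE_PUBLIC_PEM))
    print(snowflake_fingerprint(SAMPLE_PUBLIC_PEM))
```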
Qlik Replicate
Snowflake Target
Google Workspace can be used as a SAML identity provider for Qlik Sense Enterprise on Windows, facilitating a single sign-on solution. In this article, we will cover how to perform a quick setup using Qlik Sense Enterprise on Windows September 2020.
To begin setting up SAML, we need to set up a new Virtual Proxy.
This concludes the setup!
To test, access the Qlik Sense hub using the prefix defined in the setup. In our case, the URL is: https://qlikserver2.domain.local/saml
You will be redirected to a Google Account signing page.