Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Search our knowledge base, curated by global Support, for answers ranging from account questions to troubleshooting error messages.
Qlik NPrinting and Qlik Sense are installed on Azure cloud machines. The configuration respects all the requirements. in particular, the NPrinting Engine user is present on both the NPrinting and Sense servers with the same domain and SSID.
The Metadata reload test fails with a "Not a domain user" message. On the other side, the Metadata reload is successful when launched (ignoring the Test error) even if the NPrinting Engine logs show these error and warning messages:
Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose 20231128T103337.642+01:00 ERROR NP-SERVER _NAME 0 0 0 0 0 0 0 0 PerformDiagnosis found a problem. ERROR: System.Exception: Not a domain User : Domain\NPUser↓↓ at Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose.<>c__DisplayClass8_0.<PerformDiagnosis>b__3() in C:\Jws\release-may2023-SwCB9Sd4b\server\NPrinting\src\Engine.Navigator.QlikSense.SDK\QlikSenseDiagnose.cs:line 90↓↓ at Engine.Navigator.QlikSense.SDK.QlikSenseDiagnose.GetStep(DiagnoseStep step, Action stepCode) in C:\Jws\release-may2023-SwCB9Sd4b\server\NPrinting\src\Engine.Navigator.QlikSense.SDK\QlikSenseDiagnose.cs:line 40
Engine.Navigator.QlikSense.SDK 23.20.5.0 Engine.Navigator.QlikSense.SDK.QRSApi
20231128T103350.840+01:00 WARN NP-SERVER _NAME 0 0 0 0 0 0 0 0 Domain user check failed for Domain\NPUser. ERROR: System.Runtime.InteropServices.COMException (0x8007200A): The specified directory service attribute or value does not exist.↓↓↓↓ at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)↓↓ at System.DirectoryServices.DirectoryEntry.Bind()↓↓ at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()↓↓
Ignore the error message and proceed with the metadata reload.
According to the current analysis, the error message is shown because Azure does not organize users and permissions as on-premise Windows servers do. NPrinting does not receive the expected answers from Azure AD Connect and interprets this as missing access levels in Azure during the connection tests.
On the other side, when the environment is correctly configured, the NPrinting Engine user has access to the Qlik Sense applications, so the metadata reload and the tasks executions are completed successfully at the end.
Sometimes we need to store column's before-image data in the target table. This is useful if we want to store both of the before-image and after-image of the columns values in the target table for downstream apps usage.
Under Apply Changes mode (Store changes mode is turn off), in the table setting by adding a new column in transformation (name it as "prevenient_salary" in this sample), the variable expression is like $BI__<columnName> where $BI__ is a mandatory prefix (which instructs Replicate to capture the before-image data) and <columnName> is the original table column. For example if the original table column name is SALARY then $BI__SALARY is the column before-image data:
If the column SALARY value is updated from 22 to 33 in source side, then before the UPDATE the target table row looks like:
after the UPDATE is applied to target table the row looks like:
In this sample the before-image value is 22, the after-image value is 33.
before-image data can be used in filer also, see sample here .
This article explains how to simply set up JWT authentication using Qlik Sense default certificates and test it.
Click here for Video Transcript
In order to integrate your solution with Qlik Sense using JWT authentication, you will need to pass in your code the JWT token in the authorization token for the first request to Qlik Sense so that a session is created.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead.
More details about HSTS can be found on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
In Qlik Sense, one can add additional HTTP response headers in the Virtual Proxy configuration to enforce HSTS
For additional information about HTTP to HTTPS redirects, see
Sites to Confirm HSTS setup
Gov Site on HSTS https://https.cio.gov/hsts/
Note: Qlik does NOT support the configuration or implementation of non-Qlik or Operating System related software. The above suggestion is an introduction to this topic, and if it does not work in your particular environment then please reach out internally to your IT team. If you need direct assistance, please contact your Account Owner to discuss purchasing Consulting Services. (see How to Contact the Consulting Team?)
The Oracle target endpoint occasionally encounters an error during the CDC stage. These issues arise specifically after abnormal disconnections between the Replicate server and the Oracle server. The error, ORA-14452, occurs when attempting to perform DDL operations while the table is either not truncated or has active sessions.
The error message in task log file:
[TARGET_APPLY ]I: Failed executing drop table statement: DROP TABLE "SCOTT"."attrep_changes7DA25A24_0000001" [1020403]
[TARGET_APPLY ]I: ORA-14452: attempt to create, alter or drop an index on temporary table already in use [1022307]
To resolve this issue, we need to kill the open sessions by below steps.
select object_id from dba_objects where object_name='attrep_changes7DA25A24_0000001';
-------
1192406
select sid from v$lock where id1=1192406;
--------
608
select serial# from v$session where sid=608;
----
10893
ALTER SYSTEM KILL SESSION '608,10893';
#00167394
When trying to apply changes to a virtual proxy set up with SAML authentication, the error "invalid signing certificate in the metadata file" appears.
Environments:
As the message says, the certificate provided in the IdP metadata file is invalid, the most common reason is that it has expired.
Example:
<KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate> MIIC8DCCAdigAwIBAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxIDxibeHXAszya </X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor>
By copying the certificate from the IdP file and decoding it, you will be able to see the expiration date.
For example, a website such as https://www.sslshopper.com/certificate-decoder.html can be used to decode the certificate.
This guide provides the basic instructions on configuring Qlik Cloud with Okta as an identity provider.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This must be the actual tenant name, not the alias.
For additional information on how to create new identity providers in Qlik Cloud, see Creating a new identity provider configuration.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Content:
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the "value of the client secret" and paste it somewhere safe.After saving the configuration the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
To manage and browse executions of your Tasks, Plans and Promotions, please use the correct objects in the processing entity.
As per our API doc https://api.talend.com/apis/processing/2021-03/ and PlanExecutable section, the object step identifier(stepId) should be equivalent to stepExecutionID.
For example:
{
"executable": "b91cf8b2-5dd1-4b18-915b-4c447cee5267",
"executionPlanId": "0798b8d1-0e12-472f-be02-a0f04e792daa",
"rerunOnlyFailedTasks": true,
"stepId": "09043c9f-02d0-41f6-b3cb-0ea53ffde377"
}
If we put stepId in the field, it is likely to get exception when calling API to execute plan
"Validation do not allow processing entity"
The solution is to get all steps for a plan execution (order by designed execution, only steps, without error handlers) to gain stepExecutionID from query by issuing this API
{{apiUrl}}/processing/executions/plans/:planExecutionId/steps
And the executionID in the successful response array of StepExecution is the one you need to select and put in the stepID field of API call post /processing/executions/plans
various Talend Products
Upgrade installation or fresh installation of Qlik Replicate 2023.11 (includes builds GA, PR01 & PR02), Qlik Replicate reports errors for MySQL or MariaDB source endpoints. The task attempts over and over for the source capture process but fail, Resume and Startup from timestamp leads to the same results:
[SOURCE_CAPTURE ]T: Read next binary log event failed; mariadb_rpl_fetch error 0 () [1020403] (mysql_endpoint_capture.c:1060)
[SOURCE_CAPTURE ]T: Error reading binary log. [1020414] (mysql_endpoint_capture.c:3998)
Upgrade to Replicate 2023.11 PR03 (expires 8/31/2024).
The fix is included in Replicate 2024.05 GA.
If you are running 2022.11, then keep run it.
No workaround for 2023.11 (GA, or PR01/PR02) .
Jira: RECOB-8090 , Description: MySQL source fails after upgrade from 2022.11 to 2023.11
There is a bug in the MariaDB library version 3.3.5 that we started using in Replicate in 2023.11.
The bug was fixed in the new version of MariaDB library 3.3.8 which be shipped with Qlik Replicate 2023.11 PR03 and upper version(s).
support case #00139940, #00156611
Replicate - MySQL source defect and fix (2022.5 & 2022.11)
Qlik Sense supports Web Content Accessibility (WCAG 2.0 compliant).
When using the Qlik Sense hub, this is available by default, however, in a mashup, some work is needed from the mashup developer to make the mashup accessible.
This article provides an example of a mashup that is compliant with Web Content Accessibility. Find the attachment below.
The example is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
This article goes over how to use LDAP filters and common examples when setting up Qlik Sense User Directory Connector (UDC).
Note: Qlik Support has no scope in assisting in composing an LDAP filter that fits the environment needs. If further assistance is needed please see How and When to Contact the Consulting Team? AD and Qlik Sense must be within the same Domain. If different domains refer to this article Users of a different Active Directory, but with membership to a group in the same Domain as the QlikSense server, are not synced
Click here for Video Transcript
Notes:
1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:
2. Recommended: Mark all RootAdmins as Delete Prohibited to prevent locking oneself out of the QMC, see How to avoid the RootAdmin(s) from becoming inactive
3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.
4. On the Windows Server, open the Server Manager:
5. Click on Manage then Add Roles and Features:
6. If Before You Begin is displayed, click Next
7. On Installation Type, select Role-based or feature-based installation:
8. On Server Selection, select the server that you are working with
9. Next navigate to Features, and select the Active Directory Administrative Center option:
10. Confirm that this is the feature(s) that you want to install and allow the installation to complete
11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module
12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:
13. In the Find section select Custom Search:
14. Write out your potential LDAP filter and ensure that it selects all the expected users:
15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:
16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.
17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:
Qlik Sense: How to connect to AD using "Active Directory" UDC
How to get LDAP filters for Active Directory groups from users already in Qlik Sense
LDAP filter to only include all users in a certain Organizational Unit (OU) into Qlik Sense
Retrieve OU (Organizational Unit) users from Active Directory LDAP Filter
Video: Qlik Sense Platform - Qlik Management Console - User Directory Connector - Part 5
ADSI - Search Filter Syntax - Extended match operator / Nested groups rule
SAML is not supported by default in QlikView but can be implemented by creating a custom authentication module that will convert SAML requests/responses to QlikView Ticket to log the user in.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, contact our Professional Services or engage in our QlikView Integrations forum.
Currently, this solution only works for SP initiated authentication. Making it work for IDP-initiated authentication might require further code changes in the library/module source code.
This has been tested with QlikView 12.10 SR7.
<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx"/>
to<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">
<TrustedIP>fe80::b178:730a:5c2a:86d2%11</TrustedIP>
</GetWebTicket>
public void ValidateAttribute(SamlAttribute samlAttribute)
{
if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
after
public void ValidateAttribute(SamlAttribute samlAttribute)
{
/*
if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
*/
<QlikViewSaml
accessPointUrl="https://qlikserver1.domain.local/"
authenticatePage="QvAjaxZfc/Authenticate.aspx"
webTicketPage="QvAjaxZfc/GetWebTicket.aspx"
tryPage="https://qlikserver1.domain.local/qlikview/"
backUrl="https://qlikserver1.domain.local/webticketerror.html" />
Replace https://qlikserver1.domain.local/ by your qlikview server URL in the above code.<AllowedAudienceUris>
<Audience>https://qlikserver1.domain.local</Audience>
</AllowedAudienceUris>
<Federation xmlns="urn:dk.nita.saml20.configuration">
<SigningCertificate findValue="CN=qlikserver1" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>
*In this case, we use a certificate that has "CN=qlikserver1" as its distinguished name.<IDPEndPoints metadata="C:\idpdata\">
...
See the Qlik Online Help for general information about Qlik Sense and AWS deployments. The content may change depending on the version of Sense.
In an Amazon Web Services (AWS) deployment, you install Qlik Sense Enterprise on an Amazon virtual private cloud infrastructure that is flexible, high-performance, and quick to set up.
Deploying Qlik Sense Enterprise on AWS will enable you to quickly add new applications in a simple and scalable manner. You can do this with a basic knowledge of AWS security and scalability options but without the need to follow complex on-premise installation and configuration procedures. Using AWS will enable you to get your Qlik Sense infrastructure up and running in fraction of the time required for an on-premise deployment, and will enable you to scale your deployment quickly and easily, regardless of unexpected changes in demand.
You can deploy Qlik Sense to AWS manually, or you can use an Amazon Machine Image (AMI) available in the AWS Marketplace that includes Qlik Sense preinstalled. However, predefined images do not include a file share, so can only support single node Qlik Sense deployments.
Qlik Sense Enterprise on Windows deployment to AWS (about)
Preparing your Amazon AWS platform to install Qlik Sense Enterprise on Windows
Install Qlik Sense Enterprise on Windows on the AWS server
The attached document guides the reader through adding the necessary application configuration in AWS Cognito and Qlik Sense Enterprise SaaS (Qlik Cloud) identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their AWS Cognito credentials.
Content of the document:
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
This video will demonstrate how to install and configure Qlik-CLI for SaaS editions of Qlik Sense.
Content:
get-command qlik
choco install qlik-cli
if ( -not (Test-Path $PROFILE) ) {
echo "" > $PROFILE
}
qlik completion ps > "./qlik_completion.ps1" # Create a file containing the powershell completion.
. ./qlik_completion.ps1 # Source the completion.
Advanced and additional instructions as seen in the video can be found at Qlik-CLI on Qlik.Dev. Begin with Get Started.