Some connectors require an encryption key before you create or edit a connection. Failing to generate a key will result in:

Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING - you must manually set an encryption key before creating new connections.

Environment

Qlik Sense Desktop February 2022 and onwards
Qlik Sense Enterprise on Windows February 2022 and onwards
all Qlik Web Storage Provider Connectors 
Google Drive and Spreadsheets Metadata 

Resolution

PowerShell demo on how to generate a key:

# Generates a 32 character base 64 encoded string based on a random 24 byte encryption key
function Get-Base64EncodedEncryptionKey {
$bytes = new-object 'System.Byte[]' (24)
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[System.Convert]::ToBase64String($bytes)
}

$key = Get-Base64EncodedEncryptionKey
Write-Output "Get-Base64EncodedEncryptionKey: ""${key}"", Length: $($key.Length)"

Example output:

Get-Base64EncodedEncryptionKey: "muICTp4TwWZnQNCmM6CEj4gzASoA+7xB", Length: 32

Qlik Sense Desktop

This command must be run by the same user that is running the Qlik Sense Engine Service (Engine.exe). For Qlik Sense Desktop, this should be the currently logged-in user.

Do the following:

1. Open a command prompt and navigate to the directory containing the connector .exe file. For example:

   "cd C:\Program Files\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage"
   
   

2. Run the following command:

   QvWebStorageProviderConnectorPackage.exe /key {key}

   Where {key} is the key you generated. For example, if you used the OpenSSL command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr

3. You will receive a confirmation message:

   Info: Set key. New key id=qseow_prm_custom.

   Info: key set successfully!

Qlik Sense Enterprise on Windows

The {sense service user} must be the name of the Windows account which is running your Qlik Sense Engine Service. You can see this in the Windows Services manager. In this example, the user is: MYCOMPANY\senseserver.

Do the following:

1. Open a command prompt and run:

   runas /user:{sense service user} cmd. For example:runas /user:MYCOMPANY\senseserver

2. Run the following two commands to switch to the directory containing the connectors and then set the key:

   1. "cd C:\Program Files\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage"

   2. QvWebStorageProviderConnectorPackage.exe /key {key}

      Where {key} is the key you generated. For example, if you used the OpenSSL command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr

3. You should repeat this step, using the same key, on each node in the multinode environment.

4. Encryption keys will be stored in: "C:\Users\{sense service user}\AppData\Roaming\Qlik\QwcKeys\"

   For example, encryption keys will be stored in "C:\Users\QvService\AppData\Roaming\Qlik\QwcKeys\"

Note:

It is important to make sure to run the command prompt with Qlik Sense Service Account and has access to all the required folders/files.

Cause

This security requirement came into effect in February 2022. Old connections made before then will still work, but you will not be able to edit them. If you try to create or edit a connection that needs a key, you will receive an error message: Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING) - you must manually set an encryption key before creating new connections.

Related Content

Setting an encryption key

The max concurrent reloads can be configured in the Qlik Sense Management Console.

1. Open the Qlik Sense Management Console
2. Navigate to Schedulers 
3. Enable the Advanced section (if not already on by default)
4. Set the required max concurrent reloads
   
   
   

    

IMPORTANT TO REMEMBER

• A reload node could run NumberOfCores - 2
• If for example, the reload node has 8 CPU Cores then it could possibly run 6 concurrent reloads at its maximum.
• A reload task typically consumes at least one core, sometimes more
• With more concurrent tasks running than there are number of cores, the total time to complete a number of tasks that is larger than the number of cores does not improve with more parallel tasks running due to starvation of the server
• Each reload running is loaded into RAM. This means that the average RAM footprint grows with more parallel reloads
• With more parallel reloads than cores the probability for total starvation increases since the QIX engine is CPU hungry and other processes (for example, the operating system) might not get enough CPU cycles to perform their duties
• Use the guideline, NumberOfCPUCores - 2 in performing capacity planning on the possible amount of concurrent scheduled reloads.
• Scheduled reloads are queued, however, if not enough resources in the system
• To validate that environment needs proper capacity planning, go to C:\ProgramData\Qlik\Sense\Log\Scheduler\Trace\<Server>_System_Scheduler.txt, an example log shows below:
  
  

  <ServerName>_System_Scheduler.txt
  Domain\qvservice    Engine connection released. 5 of 4 used 
  Domain\qvservice    Engine connection 6 of 4 established 
  Domain\qvservice    Request for engine-connection dequeued. Total in queue: 25

Concurrent settings

Use the "Max concurrent reloads" to limit the maximal concurrent tasks can be run at same time on current node. By default, it's set to 4, which means only 4 tasks can be run at same time on this node.
When the 5th task comes in:

1. It will be queued by sequence. 
2. The queue has a time setting, which will eliminate (erase) a queued task if the timeout limit reaches. By default, it's set to 30 mins, in this case, if none of the first 4 tasks finishes in 30 minutes after the 5th task comes in, then the 5th task will be cancelled due to timeout. It has to be triggered again (manually or next scheduled time slot).
3. Once one of the 4 running tasks finishes, the 5th task will be executed on this node if it's not timed out.
4. If you set timeout to 0, this will make the queue never timeout.
5. It's suggested not to run more than 10 concurrent reloads at once, unless the schedular node has an extreme amount of resources dedicated to it.
6. If there is low memory or cores available on the node, then some tasks may kick off however take several hours to complete. Adding resources to the node running the reloads is suggested.

Multi-node deployment

On a multi-node deployment, tasks will be balanced from the manager node to any node(s) designated as workers.

It's highly advised to check if the central node configured is set to Manager and Worker or Manager. When set to Manager, it will send all reload jobs to the reload/scheduler nodes, as it should. However if a central node is set to Manager and Worker, this means the Central node will also be involved in performing reloads. This is not recommended. 

The work flow looks as follows:

1. Manager node receives a new task execution request.
2. Manager node checks the resource availability on each of the worker nodes. 
3. Manager node assigns this task to the node with the lowest number of running tasks per "Max concurrent reloads" setting.

The improvement to track the Max concurrent reloads can, if desired, be disabled. This reverts Sense to an older load balancing method that relies only on CPU usage. 

To disable the setting:

1. Open the Scheduler.exe.config, which by default is located in: C:\Program Files\Qlik\Sense\Scheduler\Scheduler.exe.config
2. Set DisableLegacyLoadBalancingBehavior setting to false
3. Restart Qlik Sense Scheduler Service
4. Repeat these actions on each node of the cluster running the Qlik Sense Scheduler Service

Example

In our example, we allow one concurrent reload, but we assume that two reloads are executed at the same time.

• If Task A is executed first, Task B is queued.
• If Task A is executed first and then fails, Task B is executed after the failure.
• After Task A's failure, Task A is queued and will execute after Task B has finished.

When executing the task in DWH, there is no mention of Dropping the Staging tables in the ETL statements. Qlik Compose shows the creation and truncation of these tables only:

Explanation of the behavior:

For TMP tables and TSTG tables, whenever the Qlik Compose engine sees a create statement for these tables, and that is the statement shown in the ETL statements list, it does a DROP for that table in the background (Silently) : 

pool-2-thread-5 2023-10-03 13:29:37.554 [engine ] [VERBOSE] [] PI# 5 BEGIN dropSilentBeforeCreate()
pool-2-thread-5 2023-10-03 13:29:37.636 [engine ] [TRACE ] [] PI# 5 Performed implicit DROP TABLE [ADAM_DWH].[dboAdam].[TSTG_Categories]
pool-2-thread-5 2023-10-03 13:29:37.636 [engine ] [VERBOSE] [] PI# 5 END dropSilentBeforeCreate()

The same behavior can be seen for all the TMP tables Qlik Compose creates.

To verify this, run the task at TRACE level logs, and look for dropSilentBeforeCreate in the logs.

The staging tables are not dropped for customer convenience. This facilitates the development of user-defined statements like Pre/Post Loading ETL and Single/Multi Table ETL, which often involve these tables. Additionally, customers find it useful to have them available for adding test data during their development process, especially when Qlik Compose is not active.

Environment

Qlik Compose 

After an upgrade to Qlik Sense Enterprise on Windows May 2023 patch 3 or later, REST connections fail with the following error: 

"WITH CONNECTION" is not allowed. To allow "WITH CONNECTION", select Allow "WITH CONNECTION" in the connector settings.

The Allow WITH CONNECTION option is not exposed in the REST Connector GUI and cannot be changed.

Qlik Sense Enterprise on Windows August 2023 and later are not affected.

Resolution

To resolve the issue, upgrade to August 2023.

To manually mitigate the issue in the May release branch, replace the  qsdfw_qsefw_qlikview.qliksourceconfig file. Qlik is investigating a solution which does not require manual intervention.

Backup the affected file before continuing with the workaround. When taking the backup, do not keep the backed up file in the same folder. (see end notes)

1. On each Qlik Sense Server node, navigate to: C:\Program Files\Common Files\Qlik\Custom Data\QvRestConnector\
2. Locate qsdfw_qsefw_qlikview.qliksourceconfig
3. Replace qsdfw_qsefw_qlikview.qliksourceconfig with the file attached to this article. 
4. This resolves the issue. 
   
   Subscribe to this article or monitor the release notes for information on an automated fix.

End notes:

The folder C:\Program Files\Common Files\Qlik\Custom Data\QvRestConnector can only contain one qliksourceconfig file with correct name: qsdfw_qsefw_qlikview.qliksourceconfig

If there are two qliksourceconfig files (even with different names, such as a backup), the first one in alphabetical order will be chosen.

Cause 

QB-20735

Environment

Qlik Sense Enterprise on Windows May 2023 Patch 3 and later 

Does not affect August 2023 and later releases.

Internal Investigation ID(s) 

QB-20735

MFA is not supported in Qlik Sense on-premise installations. See Configuring security > Authentication.

NOTE

• MFA has been made Optional for Service Account Owner (SAO) with a paid Qlik Sense Business Subscription. 
• MFA is optional for Invitees and Tenant Admins.
• MFA can be disabled at any time.

FAQ

Q - What happens if SAO is MFA locked out due to (Change of device or lost)?
A - SAO Can use the Recovery Code generated in setting up the MFA.

Q - What happens if SAO looses the MFA Recovery link or does not save the new generated one.
A - Please contact Qlik Customer Support to reset MFA How to create a case

Q - Can a user setup MFA without a mobile?
A - Yes, there are desktop options fro Google authenticator.
 

Related content:

SAML configuration with Okta (Qlik Help)
Qlik Sense SAML: Okta Configuration (YouTube)
 

Resolution:

1. Access to My Qlik Portal How to Access My Qlik Portal
2. Go to Password & Security
3. Click on Setup
   
   
   
   
4. Install a Multi Factor Authentication (MFA) on phone. There are several on the market, (Google Authenticator - LastPass Authenticator - Microsoft Authenticator and more)
   
   Note: Using just a QR reader will not work, Only a MFA Authetication app will.
    
5. Scan the QR code with your MFA Authenticator
   
   
   
   
6. Proceeded to use the code created from MFA authenticator 
7. You are given an important recovery link. The link is ONE time use - IMPORTANT - Save this code for recovery purposes *
   
   
   
   
8. You will see that the MFA is successfully set.
   
   
   
   * If you see yourself the need to use the MFA Recovery code, Note that a new one will be generated. Please save the last one generated.
   
   
9. If in the future MFA needs to be disabled, navigate to the same screen and click "Remove"...
   
   
   
   
10. Click "Yes, remove"
    
    
    

This article gives an overview of the available blocks in the Qlik Platform Operations connector in Qlik Application Automation.

The purpose of the Qlik Platform Operations connector is to simplify the deployment and management of multiple tenants within Qlik Cloud. To learn more about the multitenant model in Qlik Cloud, please review the following series of tutorials.

This connector consists of:

• Authentication to Qlik Cloud using OAuth2.
• Support for deploying tenants with a multitenant-enabled Qlik Cloud license, using the Create tenant block.
• Support for managing apps, spaces, automations, groups, identity providers, licenses, and users within the deployed tenants.
• Metadata support, using, for example, the Update tenant auto license assign settings block.

To authenticate, you will need to provide your OAuth2 client ID and client secret. If you have a multitenant license, enter a regional OAuth client (generated via My Qlik) or a tenant OAuth client (generated from within a tenant). Note that only regional OAuth clients can create new Qlik Cloud tenants. In order to use your own tenant, you need to create an OAuth m2m client (trusted) in the management console on your tenant. For more information, please check this article.

Most blocks require a specified tenant as the target. A tenant is uniquely identified by name and the region that it is deployed to. For example, for mytenant.eu.qlikcloud.com, enter mytenant.eu. You can use the Get Tenant Name and Region block to obtain the tenant from a full URL.

Let's now go over a basic example of how to deploy a tenant, create an automation inside the deployed tenant and run it using the Qlik Platform Operations:

1. Create a new automation.
2. From the Block library menu on the left side of the screen, select the Qlik Platform Operations connector.
3. Use the Search for blocks input to search for the Create tenant block.
4. Drag and drop the block into the automation and link it to the start block.
   
   
   
   
5. On the Block configuration menu on the right side of the screen, use the input fields to add the information about the tenant: the Qlik Cloud region (for example,  sg for Singapore) and the signed license key:
   
   
   
6. Use the Search for blocks input to search for the Create Automation block, drag and drop it into the automation and link it to the Create tenant block. Before creating an automation, we need to update the license of the newly created tenant using the Update tenant auto license assign settings block. You can use the Get tenant name and Region block to get the tenant name from the full URL.
   
   
   
   
7. On the Block configuration menu on the right side of the screen, use the input fields to fill in the information about the automation. In the tenant field, use the example output from the previous block to add the ID.
8. Repeat the same steps for the Run automation and Get Automation Run blocks.
   
   
   
   
9. Run the automation. This will deploy a new tenant within your Qlik Cloud License in the Singapore region, create an automation inside this tenant, run it, and return the result.

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

To install or upgrade your existing Qlik NPrinting governance dashboard, simply deploy the new QVF  and reload the app: NPrinting Governance Dashboard - version3

If and only if you have altered the engine.config file(s) on your NPrinting Engine computer(s) to change the default 'resolvers-count' value,  then go to the 'deployment summary' sheet and enter the 'resolvers-count' value under 'Available Resolvers'.  This value sets a baseline that the new concurrency metric can evaluate to ensure your NPrinting environment is not core constrained. 

Please enjoy and post comments/suggestions in GitHub preferably, or in the community comments below.  

Version 3.0 (4/12/2022)

Update Details:

-Fixed a bug introduced by NP May 2021 SR3 where the reload fails in the load script:
< Field 'id' not found FROM "nprinting"."public"."task_execution" >

-Updated background colours on the "Task Recipients" Pivot Table to green

Version 2.0 

Update Details:

Deployment Summary Sheet:

• Configurable variable "vResolvers ".  By default this is set to the # logical engine processors. If you have changed  the "content-resolvers" property in the engine.config file(s)  to increase/decrease the number of resolvers in your NPrinting environment,  set vResolvers to the sum of this value in all your engine.config files.  

-New KPI "Peak  Connection Concurrency".  This is the number of unique connections used at any one time by executing publish tasks, subscriptions, on-demand requests, or metadata reload requests. It does not include preview requests.  If this number exceeds 60% of your resolver count, queuing is expected to occur and reports will take longer to run. The metric will turn red indicating it is time to add logical engine processors to your NPrinting Engine(s) to a maximum of 16 logical processors per engine. 

-New KPI "Peak Execution Concurrency". This is the number of concurrent execution requests at any one time . It is the sum of executing publish tasks + executing subscription requests + executing onDemand Requests + executing Metadata reload requests. If multiple reports are running in a single publish task, it counts as just '1' in this resolver . Does not include 'preview' requests.  

Report Delivery Sheet:

-New filters added

Data Connections Sheet:

-New filters added 

-Section Access field (yes/no ) added 

Qlik Lineage Sheet:

-New filters added

-New KPIs added:  Complex reports , Medium reports, simple reports

App Content Sheet:

-new filters added

Task Recipients Sheet:

-new filters added

Execution Analysis Sheet:

• New time chart:  "Active Connections by Type Over Time".  Shows concurrently used connections over time , stacked bar charts splits the type of request using the connection  (Publish Task, Subscription,OnDemand,Metadata Reload) . A Y Axis limit line shows the peak.  It turns red if it exceeds 60% of the vResolvers variable

-New table "Days when Concurrency Exceeded". Shows the number of days where the peak concurrency connections exceeds 60% of vResolvers.  

• New time chart:  "Executions by Type Over Time".  Shows concurrent executions over time , stacked bar charts splits the type of request   (Publish Task, Subscription,OnDemand,Metadata Reload) . A y axis limit line shows the peak over time.

-New table "Peak Concurrency by Day". Shows peak concurrency by day.

Report Performance Sheet:

-Container with 4 distribution plots showing execution length for publish tasks, subscriptions,ondemand requests and metadata reloads.  Colored by status (green = success,  red = failed)

-Container with 4 tables showing detailed executions

• 4 KPIs showing  "Average Publish Task Length", "Average OnDemand Length", "Average Subscription Length", "Average Metadata Reload Length" . 

Users Sheet:

-New Filters added

Execution Log Messages:

-New Filters added

Load Script / Model:

- vResolvers variable set to the sum of logical processors on each NP engine found

• section access field added to connections

• New master date table intervalmatched to executions. 

• vMonthsToLoad variable determines how many trailing months to generate in the master date table (default is 3 months)

Upgrade:

For anybody upgrading you will need to re-edit the data source in the load script and if and only if you have changed the resolvers-count setting in the NPrinting engine.config file .... then after reloading the app , go to the deployment summary sheet and update the vResolvers variable to be equivalent to the same value as 'resolvers-count' in the engine.config. If you have multiple NP engines, sum the number together and set vResolvers to the sum of the values found in the engine.config files.

Most Qlik Web Storage Provider Connectors require an encryption key. If no key exists, the following error will be displayed when authenticating:

Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING - you must manually set an encryption key before creating new connections.

Resolution

General information, as well as a list of which connectors require an encryption key, can be found in Setting an encryption key | Qlik Connectors Help.

The actual generation of a key depends on your organization's best practices, but we can provide you with an example on how to go about it with OpenSSL:

The below example is not supported by Qlik Support. Review it with your local security office to see what method your organization follows.

1. Download and install OpenSSL.
   See https://slproweb.com/products/Win32OpenSSL.html
2. Open the OpenSSL folder (default C:\Program Files\OpenSSL - Win64\bin).
   
   
   
   
3.  Open the command prompt as an administrator and run these commands:
   1. cd C:\Program Files\OpenSSL -Wind64\bin
   2. openssl rand -base64 256
      
4. Copy and save the successfully generated key. 
   
   
   
   

5. Follow the instructions on how to set the encryption key in Qlik Sense Enterprise on Windows and/or Qlik Sense Desktop:
   
   Setting an encryption key on Qlik Sense Enterprise on Windows 
   Setting an encryption key on Qlik Sense Desktop 

6. Create the data connection. 

Related Content 

Setting an encryption key | Qlik Connectors Help
Setting an encryption key on Qlik Sense Enterprise on Windows 
Setting an encryption key on Qlik Sense Desktop 

Environment

Qlik Sense Enterprise on Windows 
Qlik Sense Desktop 

SAML is not supported by default in QlikView but can be implemented by creating a custom authentication module that will convert SAML requests/responses to QlikView Ticket to log the user in.

This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, contact our Professional Services or engage in our QlikView Integrations forum.

Currently, this solution only works for SP initiated authentication. Making it work for IDP-initiated authentication might require further code changes in the library/module source code.

This has been tested with QlikView 12.10 SR7.

Requirements:

• IIS installed with asp .net development language
• .NET framework 4.0
• Copy and unzip qvsaml.zip in the root of your IIS website. Make sure to edit the bindings of your website and set up https.

Configuration on the QlikView side:

1. Edit the file C:\ProgramData\QlikTech\WebServer\config.xml to include the IP address of the machine where the authentication module is hosted.
   
   You will need to change the line:
   

   <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx"/>​

   to
   

   <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">
   	<TrustedIP>fe80::b178:730a:5c2a:86d2%11</TrustedIP>
       </GetWebTicket>​

    

2. If you are unsure if the request is sent over IPv4 or IPv6, you can just use: ping servername in a command prompt and see which IP address is returned.

Configuration of the authentication module:

1. Copy your authentication module code in your IIS site folder. The site needs to be run over HTTPS.
   
   The sample is built using "CodeBehind" so you will need to compile the source code and place the compiled binary in the bin folder for the sample to work.
   
   A compiled version "QlikViewSamlAuthentication.dll" is provided as is.
   
   The sample also uses the third party library OIOSAML.NET (version 2.0.1):  https://www.digitaliser.dk/resource/3868871
   
   A compiled version that works with OneLogin (dk.nita.saml20.dll) is provided as is.
   
   If you choose to compile the source code yourself for use with OneLogin, you will need to comment out the statement to check that the name is an URI as this attribute is an email address in OneLogin:
   
   File: DKSaml20AttributeValidator.cs 
   
   
2. Before:
   

   public void ValidateAttribute(SamlAttribute samlAttribute)
           {     
   
               if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
                   throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");​

   after

   public void ValidateAttribute(SamlAttribute samlAttribute)
           {     
               /*
               if (!Uri.IsWellFormedUriString(samlAttribute.Name, UriKind.Absolute))
                   throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that an attribute's \"Name\" is an URI.");
                   */

3.  Settings for QlikView in the module web.config:
   

   <QlikViewSaml
       accessPointUrl="https://qlikserver1.domain.local/"
       authenticatePage="QvAjaxZfc/Authenticate.aspx"
       webTicketPage="QvAjaxZfc/GetWebTicket.aspx"
       tryPage="https://qlikserver1.domain.local/qlikview/"
       backUrl="https://qlikserver1.domain.local/webticketerror.html" />

   Replace https://qlikserver1.domain.local/ by your qlikview server URL in the above code.
4. Settings for the Audience:
   

   <AllowedAudienceUris>
         <Audience>https://qlikserver1.domain.local</Audience>
       </AllowedAudienceUris>​

   
   *It must exactly match the setting you have in Onelogin.
   
   
5. Settings for the certificate used to sign the SAML request:
   

   <Federation xmlns="urn:dk.nita.saml20.configuration">
       <SigningCertificate findValue="CN=qlikserver1" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

   *In this case, we use a certificate that has "CN=qlikserver1" as its distinguished name.
   *You need to install the certificate in Windows first. It must have a private key.
   
   
6. Settings for the folder for the IDP metadata:
   

   <IDPEndPoints metadata="C:\idpdata\">
   ...​

   
   *In this example, the folder is C:\idpdata, once Onelogin is set up, download the metadata from Onelogin and copy it in this folder.

Configuration of OneLogin

1. Create a new company app using the template "SAML Test Connector (IdP w/attr)". Below, you can find the settings used in this example:
   
   
   
   
2. Make sure that the audience set here matches what you have in the web.config of the module
3. In saml_login.aspx (file that handles the SAML request in the module), make sure the URL is correct.
   
   
   
   
   Other tabs are left at default values.

Test the solution and log in:

1. Open the URL of your module (In this case, the module is hosted in IIS on the same server as QlikView):
   
   
   
   
2. Click on "Go to QlikView" and you should get to the Onelogin login page:
   
   
   
   
3. Once you're logged in, you should be redirected to the Access point, notice your user name in the upper right corner:
   
   

After upgrading QlikView to May 2023 IR, charts may show as blank objects in Qlik NPrinting.

Qlik NPrinting Designer displays the images correctly in preview mode.

Environment

Qlik NPrinting Any version
QlikView May 2023 IR
Nprinting Reports: Excel, PowerPoint, PDF

Resolution

This is currently being investigated.

The issue is found to be with QlikView May 2023 IR not with any Qlik NPrinting versions. It works perfectly fine with QlikView May 2022 SR2 and earlier supported QlikView versions.

Also, the problem occurs when Qlik View Server Connection is used in Qlik NPrinting connections.

Workaround:

Internal Investigation ID(s)

QV-24977

Information on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes with the ID QV-24977 for reference.

After upgrading to QlikView 12.70 SR2 users cannot open documents from the AccessPoint once the session timeout is reached. The following error is displayed:

Failed to open document, You don't have access to this document

Environment

QlikView May 2022 (12.70) IR to SR2

Resolution

This is caused by QV-24743 and QV-24830.

Fix Version

Fix scheduled to be released in:

• QlikView 12.70 SR3

Upgrade to the appropriate version when it has become available. Refer to the QlikView Release Notes for details once the versions have been released.

Internal Investigation ID(s) 

QV-24743 and QV-24830

This article provides information on how to get started with the ServiceNow connector in Qlik Application Automation.
The connector for ServiceNow is making use of Basic Authentication. To connect you will also need the name of your instance.

Authentication and Authorization

When you connect to ServiceNow in Qlik Application Automation you will be presented with the following screen.
You can obtain the instance name from the URL that you use to access ServiceNow. You can use your username / password of your account provided it has enough privileges for what you aim to do. It is recommended to create a service account for integrations and limit it's roles to what is necessary.

Working with the ServiceNow blocks

Most of the blocks for the ServiceNow connector make use of the Table API of ServiceNow.
ServiceNow documentation for the Table API can be found at: https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/c_TableAPI

The following data types have easy to use blocks for all CRUD operations:
• Incident
• Change Task
• Problem
• Change Request

Furthermore it is possible to work with user objects, listing journal items, audit lines, obtaining and adding attachments.
When modifying or deleting objects from the Table API, make sure to be using the "sys_id" field of objects as the identifier.

Custom API blocks

With the blocks "get table content by id", "create table content", "delete table content", "update table content", "list table content", it is possible to work with every object through the use of the Table API. These blocks also allow you to look up the name of a table with the "do lookup" functionality. As this lookup obtains information from the sys_db_object table in ServiceNow, it's possible that this lookup does not work due to your permissions.

There is also a "Raw API Request" available. This block allows providing your own sub path starting from the Base URL of ServiceNow, HTTP method and optionally a JSON body.
This can be used to contact other API groups than the Table API of ServiceNow as well as custom scripted API's.

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

If after the procedure is completed errors are logged of a wrong password, see Qliksenserepository password error in the event logs after changing the database service user password for further information. 

1. Stop all the Qlik Sense services
   
   Verify that the Qlik Sense Repository Database service (or postgresql-x64-xx if the database is not a bundled install and/or was installed using QPI) is stopped.
   
   
   
   
2. The next step will require modifying the pg_hba.conf and postgresql.conf files. We will swap the currently active authentication method to trust, allowing us to connect without a password. 
   
   Before modifying the file, take a backup of both files.
   
   File locations:
   
   Default (bundled):  
   
   C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\12.5
   
   Alternative (unbundled, custom install):
   
   C:\Program Files\PostgreSQL\12.5\data
   
   *12.5 refers to the PostgreSQL version. Adjust accordingly depending on what version is installed.  
   
   
3. Open a text editor (such as Notepad or Notepad++) As Administrator and browse to the .conf file location. 
   
   If you cannot see the .conf files, switch the file view to All Files (*) or All Types, depending on your editor.
   
   
   
   
4. Open pg_hba.conf
   
   
5. Change the METHOD from md5 (alternative: scram-sha-256) to trust 
   
   Only the first two lines for IPv4 and IPv6 entries must be changed. trust must be lowercase.
   
   Original:
   

   # TYPE  DATABASE        USER            ADDRESS                 METHOD
   
   # IPv4 local connections:
   host    all             all             127.0.0.1/32            md5
   # IPv6 local connections:
   host    all             all             ::1/128                 md5

   
   Updated:
   

   # TYPE  DATABASE        USER            ADDRESS                 METHOD
   
   # IPv4 local connections:
   host    all             all             127.0.0.1/32            trust
   # IPv6 local connections:
   host    all             all             ::1/128                 trust

6. Save the file, close it
   
   
7. Start the Qlik Sense Repository Database (or postgresql-x64-xx).
   
   
8. Launch the Windows Command Line As Administrator.
   
   
9. In the command line, navigate to the PostgreSQL bin folder
   

   cd "C:\Program files\Qlik\Sense\Repository\PostgreSQL\12.5\bin"

   *12.5 refers to the PostgreSQL version. Adjust accordingly depending on what version is installed.  
   
   
10. Run psql to connect to the database: 
    

    psql -h 127.0.0.1 -p 4432 -U postgres​

    The response will provide the postgres=# prompt, which we will use to change the passwords.
    
    
    
    
11. Proceed from the postgres=#
    
    The Qlik Sense PostgreSQL database has two users:
    
    postgre: the super user
    qliksenserepository: the service user; if the database was installed manually or set up with QPI, this may be the only user set up
    
    The passwords must be the same for both. 
    
    
    1. Change the postgres user account (you must include the single quotes and the semicolon):
       

       alter user postgres with encrypted password 'EnterYourNewPasswordHere';​

       Response:
       

    2. Change the qliksenserepository user account (you must include the single quotes and the semicolon):
       

       alter user qliksenserepository with encrypted password 'EnterYourNewPasswordHere';

       Response:
       
       
       
12. Close the command prompt.
    
    
13. Adjust the connection string using QlikSenseUtil
    
    
    1. Open QlikSenseUtil (C:\Program Files\Qlik\Sense\Repository\Util\QlikSenseUtil)
       
       
    2. Open the Connection String Editor tab
       
       
    3. Click Read
       
       
    4. Adjust the password
       
       
    5. Click Save Value in config file encrypted
       
       
       
       
       
14. Change the Connection Strings for Micro-Services as per Changing the Connection String for Micro-Services.
15. Stop the Qlik Sense Repository Database (or postgresql-x64-xx).
    
    
16. Revert the changes done to the pg_hba.conf file, changing back  METHOD from trust to md5 (alternative: scram-sha-256).
    
    
17. Start all services (Manual start and stop order of Qlik Sense services).

This concludes the required steps.

To verify if the password was correctly changed, you can either run psql again, connect with the PGAdmin, or review the Qlik Sense Repository log for success messages on boot.

If after the procedure is completed errors are logged of a wrong password, see Qliksenserepository password error in the event logs after changing the database service user password for further information. 

This article explains how the Qlik Reporting connector in Qlik Application Automation can be used to generate a bursted report that delivers recipient-specific data.

For more information on the Qlik Reporting connector, see this Reporting tutorial.

This article offers two examples where the recipient list and field for reduction are captured in an XLS file or a straight table in an app. Qlik Application Automation allows you to connect to a variety of data sources, including databases, cloud storage locations, and more. This allows you to store your recipient lists in the appropriate location and apply the concepts found in the examples below to create your reporting automation. By configuring the Start block's run mode, the reporting automations can be scheduled or driven from other business processes.

Contents

• Using a straight table as a distribution list
• Using an Excel File as a distribution list

Using a straight table as a distribution list

In this example, the email addresses of the recipients are stored in a straight table. Add a private sheet to your app and add a straight table to it. This table should contain the recipients' email address, name, and a value to reduce the app on. We won't go over the step-by-step creation of this automation since it's available as a template in the template picker under the name "Send a burst report to email recipients from a straight table".

Instead, a few key blocks of this template are discussed below.

1. List Values Of Field. This block will return a list of all values of the specified field. The selected field should directly map to the recipient scope of data to be delivered. For each value, a report will be generated and distributed to the recipients who have that value assigned in the distribution list. We'll call this value the scope of the report, an example field could be Region to build a report for each different region and delivery to regional employees.
   
   
2. The Create Report block and attached blocks will then be executed for each unique value of the field. Tip: you can dynamically name your reports by mapping the current field's value to the Report name parameter of the Create Report block:
   
   
   
   
3. Add any sheets to the report by using the Add Sheet to Report block. Use the block Add Selection To Sheet to add selections. Add at least a selection for the current scope of the report. Also, apply a selection to the app using the Select Field Value block. This will reduce the straight table that contains the distribution list to the current scope.
   
   
4. Now, use the block Get Straight Table Data and configure it to retrieve the distribution list. The important step here is to append each email address from the distribution list to a string variable. Also, add a semicolon ';' to the field to separate the email addresses. 
   
   
   
   
5. The scope from the distribution list should be used to add a sheet to the report and apply a selection for the current recipient. For example, if the recipients are sales reps, this could be used to provide an overview of each recipient's individual sales.
   
   
   
   
6. Use the Generate Report block to finalize the report. Map this block's output to the attachment parameter of the Send Mail block. Map the string of email addresses to the To input field of the Send Mail block.
   
   
   
   
7. Then make sure to execute the block Unlock Selections to allow the selections to be overwritten for the next report scope. Also, empty the email addresses from the string variable to make sure they aren't persisted for the next scope.
   
   

Helpful tips

1. The Output block can be used to keep track of the automation's progress by showing the current scope.
2. When building the report automation, you can test the email output by sending the report to yourself before using the distribution variable for operational execution.
3. It's also possible to use the Copy File block from the Cloud Storage connector to store a copy of the report on any file storage system like Dropbox or SFTP. 

Using an Excel File as a distribution list

In this example, the email addresses of the recipients are stored in an Excel file. This can be a simple file that contains one worksheet with headers on the first row (name, email & a value for reduction) and one record on each subsequent row. 

1. The first step is to gather the Excel file's item id. This can be retrieved from the URL when the file is open in a browser window or by executing the List Items In Root Folder Of Drive block. Execute this block in a test run to fetch these records.
   
   
   
   
2. The results from the test run can now be used in other blocks, click the Item Id input field of the List Rows WIth Headers block and select the id key from the right item in the output returned by the List Items In Root Folder Of Drive block. 
   
   
   
   
3.  Further configure the  List Rows With Header block by specifying the worksheet name and the dimensions of the data (header row included). Below is an example of the excel file shown at the beginning of this section.
   
   
   
   
4. The other steps of the automation are similar to the first part of this article so they won't be repeated here. Optionally, values from the Excel file can be used for reducing the report with the block Add Selection To Report. 
   
   

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Importing a Qlik Sense App (.qvf) in the Qlik Sense Management Console fails. There are various causes for this issue and this article will help in identifying the most common root causes. 

In the process of importing an App one must access the Sense QMC, Start-> Apps -> Import 
 - Select a QVF (App) to import using the Browse, and select <Import>.

This process will result in one of the following:

• The import fails with Failed to import app. Please check the log file.
• Or the Process remains at the Import stage until aborted. 

Resolution:

What does the log file say?

Review the log file for more detailed errors to assist in further troubleshooting.  For basic log file information, see Logging Storage.

Locate the logs in the following locations:

C:\ProgramData\Qlik\Sense\Log\Repository\Trace\SERVERNAME_System_Repository.txt
C:\ProgramData\Qlik\Sense\Log\Engine\trace\SERVERNAME_System_Engine.txt
 

Note: If you are running a multi node environment, each node will have its own local copy. Review all of them. In addition, if the logs have been archived since the issue occurred, review the location of the archived log, which by default is in the configured Service Cluster location. 

Service Account permissions 

Verify that the account running the Qlik Sense Services has the correct permissions: It requires Read/Write permissions.

• To locate your Apps folder, open the QMC: https://<QPS server name>/qmc
• Select Service cluster on the QMC start page to display the service cluster page.
• This will list your App folder.
• To verify permissions, navigate to the App folder share location in a Windows Explorer.
• Right-click the folder and verify both Sharing and Security for the service account permissions.

Disk space

In the case of large Apps, verify that enough disk space is available. Check the available space on the central node's C:\ disk. Even if Sense is installed on another drive, C:\ (and its temporary folder) will be used for the calculation.

At least 2 times the App size need to be available for the import to succeed. 

Example: If the app is 8 GB then a minimum of 16 GB free disk space is required to Import the app.

Related content:

Qlik Sense shows error when importing an app - log files read "request entity too large"
Cannot import App (qvf) to the QMC "Failed to import app. Please check the log file"
Import of apps in Qlik Sense failed when FIPS is enabled
 

All users with the Automation Creator role can create automations. 

To add or remove the Automations Creator role:

1. Open the Qlik Cloud Management Console
2. Navigate to Users and select the User you wish to modify
3. Check or uncheck the Automations Creator role

Automations at large can be enabled or disabled as a feature in Qlik Cloud. See Managing automations for more information on how to manage automations.

Also see a related video posted on Hub access times out with: Error Connection lost. Make sure that Qlik Sense is running properly  

This option is available in Qlik Sense June 2018 Patch 1 and later releases.   

Description of related problem:

Getting errors "Connection to the Qlik Sense engine failed for unspecified reasons. Refresh your browser or contact our system administrator" for external users on other browsers except for IE when they open the Qlik sense app and leave it inactive until it exceeds the Firewall session idle timeout. This is followed by a connection reset for the TCP WebSocket session.

For Qlik Sense Enterprise for Business (Cloud), see Loading of an app is hanging when using QlikSense Cloud.

 Cause:

TCP WebSocket connection is terminated by the firewall because the firewall is not receiving any TCP traffic such as keep-alive packets from client browser (e.g. Firefox, older Chrome versions).  Specific web browsers have their own tcp keep-alive behavior. 

This issue may be found with less frequency with IE because it sends the TCP Websocket keep-alive more frequent than any other main stream browser. Here are the default intervals for the three main browsers latest releases as of September 2020:

Default TCP-Keep-Alive intervals:

• Chrome: 45 sec
• Edge: 45 sec
• Internet Explorer: 30 sec (see IE: Change Keep-Alive timeout)
• FireFox 81.0: 10sec for ~2 minutes (115sec) period, then a keep-alive packet every 10 minutes; More details under Mozilla Networking Preferences.

General info

This functionality is by default switched off not to affect any existing customers. Customers who do not experience any issues with web sockets terminated by the network due to inactive SHOULD NOT switch this feature ON since it will send unnecessary traffic on the network. See How are WebSockets used in QlikSense ? for more information.

How to configure?

1. Stop the Qlik Sense Proxy Service
2. Edit the file C:\Program Files\Qlik\Sense\Proxy\Proxy.exe.config This location may not be available if Qlik Sense was not installed in the default location.
3. Add the configuration key:
   

   <add key="WebSocketPingInterval" value="0"/>   <!-- Interval in seconds for the web socket ping to the client (a value of "0" is disabling the ping)–>

   Where value is a suitable positive number depending on the inactive web socket timeout setting in the network. The effective interval that the Qlik Sense Proxy server will send keep-alive messages towards the client my oscillate between 2 x value and 1 x value, since it also takes into account backend inter-process socket activity. Eg: setting the value of WebSocketPingInterval to 30 may lead to keep-alive messages sent to the client every 30 or 60 seconds.
   
   Note: The Qlik Sense Proxy service may not send keep-alive packets if it detects activity on that client's Websocket tcp session.
   
   Recommended is 60-300 second range, shorter interval generates more load on Proxy CPU and network. It should be set as high as possible, meaning it's best to identify at which interval an intermediate proxy cuts the connection when it perceives it as idle, and then set the ping interval to a slightly smaller value.
   
   A too small number (e.g. less than 30) will load the proxy and the network and IS NOT recommended. Suitable numbers could be 60 to 300 (i.e. 1 minute to 5 minutes), but it all depends on the network configuration (if the network removes web sockets that have been inactive for more than 5 minutes then, of course, the value must be set something less than 5 minutes (i.e. less than 300)). If a lower value is required, it is recommended to investigate the components involved in the connection, such as third party proxies and network load balancers to configure them with less restrictive timeouts. 
   
   

         It is possible that the same WebSocketPingInterval value has different behaviors in each Qlik Sense Hub                    section due to various network device. The value may keep the connection live in Dashboard but still lose                  connection in Data Load Editor. You may test with a lower  WebSocketPingInterval value until the proper                      value is found to keep connection in all sections. For example, when connecting CloudFlare as web                                application firewall, the WebSocketPingInterval value may need to set to 10 seconds otherwise "connection              lost" may still be received in Data Load Editor even the rest of Qlik Sense Hub keeps connected. 

          4. Restart the Qlik Sense Proxy Service.

Related content:

• Hub access times out with: Error Connection lost. Make sure that Qlik Sense is running properly  
• How are WebSockets used in QlikSense ?
• Loading of an app is hanging when using QlikSense Cloud
• Browser Timeout
• Qlik Sense HUB timeout even with session timeouts configured correctly
• Increase session timeout in QlikSense

Setting sensitivity in Qlik Catalog allows you to mark certain fields as sensitive, indicating that they require extra care to maintain security and privacy.

When exporting data, the chosen obfuscation method is automatically applied to sensitive fields to ensure confidentiality. Users are prompted to select the obfuscation method during the export process.

In more detail, administrators can configure sensitivity settings for individual fields, deciding which ones should be considered sensitive. Sensitivity enforcement applies obfuscation to sensitive fields upon export, hiding or transforming the data. Administrators can choose from different obfuscation methods like CharClassObfuscator, DigestObfuscator, NumericObfuscator, ConstantValueObfuscator, and DictionaryObfuscator.

Each method has its own way of transforming or masking the data. By selecting a specific obfuscation rule for sensitive fields, administrators can control how the data will be transformed when exported.

Examples of obfuscation methods include replacing digits and letters, converting values into hash codes, modifying numeric values, returning constant values, or mapping data to different values using a dictionary.

Overall, Qlik Catalog provides a way to manage sensitivity and apply obfuscation methods to protect sensitive data when published, ensuring that it remains secure and confidential.

To use the sensitivity feature for source fields:

1. Navigate to the source, entity and then the field
2. Click Edit (pencil icon)
   
   
   
   
3. Enable Sensitive and choose the obfuscation method
   
   
   
4. Follow the same steps to configure sensitivity for other fields as necessary
5. Shop for the entity and publish to a location of choice
   
   

Note: 

The sensitivity feature for fields only applies when you publish to a target location using the Publish option in Catalog.

Environment

Qlik Catalog

Attempting to start the Data Movement server on Linux (service repagent start) fails with the following error:

Failed to start service

Symptom

One of following  error messages can be seen in the repsrv.log file in such scenarios.

Failed to write file

Failed to write entire file

Resolution

The root cause is likely a lack of storage. See the Data Movement system requirements for details: Recommended hardware. Either free up storage by removing unnecessary files or directories, or increase the available capacity. 

To verify current capacity run df -h from the root ( / ) directory.

To review which directories take up the most space run the following from root:

sudo du -h --max-depth=1 | sort -rh

To find files larger than 100MB which may clutter the storage, run: 

sudo find / -type f -size +100M -exec ls -lh {} \;

Cause

Directory has reached 100% capacity and has consumed all of the storage that was available.

Environment:

Qlik Data Movement