Search our knowledge base, curated by global Support, for answers ranging from account questions to troubleshooting error messages.
Qlik offers a wide range of channels to assist you in troubleshooting, answering frequently asked questions, and getting in touch with our technical experts. In this article, we guide you through all available avenues to secure your best possible experience.
For details on our terms and conditions, review the Qlik Support Policy.
We're happy to help! Here's a breakdown of resources for each type of need.
Support | Professional Services (*)
Reactively fixes technical issues as well as answers narrowly defined specific questions. Handles administrative issues to keep the product up-to-date and functioning. | Proactively accelerates projects, reduces risk, and achieves optimal configurations. Delivers expert help for training, planning, implementation, and performance improvement.
(*) reach out to your Account Manager or Customer Success Manager
Your first line of support: https://community.qlik.com/
Looking for content? Type your question into our global search bar:
Leverage the enhanced and continuously updated Knowledge Base to find solutions to your questions and best practice guides. Bookmark this page for quick access!
Subscribe to maximize your Qlik experience!
The Support Updates Blog
The Support Updates blog delivers important and useful Qlik Support information about end-of-product support, new service releases, and general support topics.
The Qlik Design Blog
The Design blog is all about product and Qlik solutions, such as scripting, data modelling, visual design, extensions, best practices, and more!
The Product Innovation Blog
By reading the Product Innovation blog, you will learn about what's new across all of the products in our growing Qlik product portfolio.
Q&A with Qlik
Live sessions with Qlik Experts in which we focus on your questions.
Techspert Talks
Techspert Talks is a free webinar to facilitate knowledge sharing held on a monthly basis.
Technical Adoption Workshops
Our in-depth, hands-on workshops allow new Qlik Cloud Admins to build alongside Qlik Experts.
Qlik Fix
Qlik Fix is a series of short videos with helpful solutions for Qlik customers and partners.
Suggest an idea, and influence the next generation of Qlik features!
Search & Submit Ideas
Ideation Guidelines
Get the full value of the community.
Register a Qlik ID:
Incidents are supported through our Chat, by clicking Chat Now on any Support Page across Qlik Community.
To raise a new issue, all you need to do is chat with us. With this, we can:
Log in to manage and track your active cases in Manage Cases.
Please note: to create a new case, it is easiest to do so via our chat (see above). Our chat will log your case through a series of guided intake questions.
When creating a case, you will be prompted to enter problem type and issue level. Definitions shared below:
Select Account Related for issues with your account, licenses, downloads, or payment.
Select Product Related for technical issues with Qlik products and platforms.
If your issue is account related, you will be asked to select a Priority level:
Select Medium/Low if the system is accessible, but there are some functional limitations that are not critical in the daily operation.
Select High if there are significant impacts on normal work or performance.
Select Urgent if there are major impacts on business-critical work or performance.
If your issue is product related, you will be asked to select a Severity level:
Severity 1: Qlik production software is down or not available, but not because of scheduled maintenance and/or upgrades.
Severity 2: Major functionality is not working in accordance with the technical specifications in documentation or significant performance degradation is experienced so that critical business operations cannot be performed.
Severity 3: Any error that is not Severity 1 Error or Severity 2 Issue. For more information, visit our Qlik Support Policy.
If you require a support case escalation, you have two options:
A collection of useful links.
Qlik Cloud Status Page
Keep up to date with Qlik Cloud's status.
Support Policy
Review our Service Level Agreements and License Agreements.
Live Chat and Case Portal
Your one stop to contact us.
Previewing Qlik NPrinting report templates in the Qlik NPrinting Designer leads to the error:
An error occurred while elaborating the entity tags.
Please check if the entities are properly placed inside their level tags.
Error message:
TemplateEntities list does not contain this column
Parameter name: templateEntities
Qlik NPrinting Designer May 2023 IR, May 2023 SR 1
Upgrade to Qlik NPrinting May 2023 SR 2.
Information on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes with the ID OP-95892 for reference.
Replace the current Qlik.Reporting.Adapters.dll file in C:\Program Files (x86)\NPrinting\Designer\libs.
For this workaround to function, the installed Qlik NPrinting designer version must be May 2023 SR1.
Upgrade to May 2023 SR2 when released.
Qlik NPrinting May 2023 SR 2
OP-95892
When Qlik Replicate replicates data to a BigQuery target, the attrep_change table is dropped and recreated for the batches sent to BigQuery. This causes the DML generated for the table to exceed the default BigQuery table quota limit of 1500.
For the BigQuery target in Replicate, you can add the internal parameter below so that the attrep_change table is truncated instead, which reduces the quota cost for the tables replicated in the task.
Advanced Tab on Big Query Target Internal Parameters
$info.query_syntax.truncate_table (won't show up in the list, just hit enter)
With a value of: TRUNCATE TABLE ${QO}${TABLE_OWNER}${QC}.${QO}${TABLE_NAME}${QC}
GCP (Google Cloud Platform) sets a quota limit on tables in BigQuery, with a default of 1500. During CDC processing, Replicate drops and recreates the attrep_change temp table, which keeps track of the batches to send to the target, as part of the bulk process. These are DML calls to BigQuery, which count against the per-table quota.
Reference
https://cloud.google.com/bigquery/docs/troubleshoot-quotas
When your Qlik Sense server is behind a proxy you will need to add the proxy in the License service:
Configuring a proxy for Qlik License Service communication in Qlik Sense Enterprise on Windows
Qlik Sense Enterprise on Windows
{"caller":"handler.go:53","errorMessage":"invalid license error, no license found, tenant not found","errorType":"LICENSES-ForbiddenRequest","level":"info","logTraceId":"XXXXXXXXXXd674e50adef83","statusCode":403,"timestamp":"2021-09-23T09:17:27.1566729Z"}
This 403 forbidden error doesn't tell us more than that something is forbidden.
To verify from the Qlik Sense server that the proxy is really working, test the connection with PowerShell.
If you are using a proxy that requires no authentication, use the command below,
where "myproxy" = the proxy IP address or hostname set in the Qlik Sense dispatcher service
and "8080" = the port number used for the proxy:
# Force TLS 1.2 for this PowerShell session
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Site="https://license.qlikcloud.com"
# Send the request through the proxy under test
$Test=Invoke-WebRequest -URI $Site -Proxy 'http://myproxy:8080'
$Test.Links
If your proxy requires authentication, use the command below (run PowerShell as Administrator),
where "172.16.16.101" = the proxy IP address or hostname set in the Qlik Sense dispatcher service
and "808" = the port number used for the proxy:
# Force TLS 1.2 for this PowerShell session
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Set the machine-wide WinHTTP proxy (this is why an elevated prompt is needed)
netsh winhttp set proxy "172.16.16.101:808"
$Wcl=New-Object System.Net.WebClient
# Prompt for the proxy login and attach it to the proxy settings
$Creds=Get-Credential
$Wcl.Proxy.Credentials=$Creds
$Site="https://license.qlikcloud.com"
$Test=Invoke-WebRequest -URI $Site
$Test.Links
The above command opens a window where you enter the login name and password for the proxy authentication.
Both PowerShell scripts above should show the result below:
If you get any other result, for example "Your system policy has denied the requested action", "proxy denied access", or similar, contact your IT security team to allow access to https://license.qlikcloud.com (port 443) through your proxy.
Sometimes it might be necessary to deallocate licenses using the Qlik Command Line Interface, for instance in case of licenses allocated to users no longer in the system.
[
  {
    "created": "2023-04-03T11:24:05.101Z",
    "excess": false,
    "name": "Enzo Bearzot",
    "subject": "auth0|12345678",
    "type": "professional",
    "userId": "userid1"
  },
  {
    "created": "2022-08-17T11:50:04.647Z",
    "excess": false,
    "name": "Vittorio Pozzo",
    "subject": "auth0|910111213",
    "type": "analyzer",
    "userId": "userid2"
  },
  {
    "created": "2022-08-17T11:50:04.647Z",
    "excess": false,
    "name": "Ferruccio Valcareggi",
    "subject": "auth0|14151617",
    "type": "professional",
    "userId": "userid3"
  },
  {
    "created": "2022-06-07T11:36:15.704Z",
    "excess": false,
    "subject": "18192021",
    "type": "professional"
  },
  {
    "created": "2022-06-03T13:50:14.105Z",
    "excess": false,
    "subject": "22232425",
    "type": "analyzer"
  }
]
The syntax below is for Unix shells. For use in Windows PowerShell, add a backslash before each double quote: '[{"subject"... becomes '[{\"subject\"...
'[{"subject":"USERSUBJECT","type":"ASSIGNEDLICENSE"}]'
For instance, for the final user in the list above it will be '[{"subject":"22232425","type":"analyzer"}]'
Feed the string into this command:
qlik license assignment delete --delete STRING
With the example above you will run:
qlik license assignment delete --delete '[{"subject":"22232425","type":"analyzer"}]'
Run the command and wait for the result.
A "200" confirms that the removal worked.
% qlik license assignment delete --delete '[{"subject":"22232425","type":"analyzer"}]'
[
{
"status": 200,
"subject": "22232425",
"type": "analyzer"
}
]
Check the "Home" section of the management console to confirm that the allocation was removed.
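Added example (not part of the original article or the qlik CLI): a PowerShell helper that builds the --delete string from an assignment listing, so the payload is generated rather than hand-typed. The listing is constructed sample data in the shape shown above; treating an entry without a userId as a user no longer in the system is an assumption, and the function name is illustrative.

```powershell
# Added example: build the --delete payload from a license assignment listing.
# The listing below is constructed sample data in the shape shown in the article.
$listing = @'
[
  {"created":"2023-04-03T11:24:05.101Z","excess":false,"name":"Enzo Bearzot",
   "subject":"auth0|12345678","type":"professional","userId":"userid1"},
  {"created":"2022-06-07T11:36:15.704Z","excess":false,
   "subject":"18192021","type":"professional"},
  {"created":"2022-06-03T13:50:14.105Z","excess":false,
   "subject":"22232425","type":"analyzer"}
]
'@

function New-LicenseDeletePayload {
    param(
        [Parameter(Mandatory)][string]$Json,
        # Add a backslash before each double quote, as the article requires
        # when the string is passed from Windows PowerShell.
        [switch]$EscapeForWindowsPowerShell
    )

    # Assign before looping: Windows PowerShell 5.1 emits a JSON array as a
    # single pipeline object, so piping straight into Where-Object misbehaves.
    $items = $Json | ConvertFrom-Json

    $orphans = @(foreach ($item in $items) {
        # Assumption: no userId means the user no longer exists in the system.
        $userId = $item.PSObject.Properties['userId']
        if ($userId -and -not [string]::IsNullOrWhiteSpace($userId.Value)) { continue }

        # An entry without subject or type cannot be addressed by the delete call.
        if ([string]::IsNullOrWhiteSpace($item.subject) -or
            [string]::IsNullOrWhiteSpace($item.type)) {
            Write-Warning "Skipping entry created $($item.created): subject or type missing"
            continue
        }
        # Keep only the two fields the delete payload uses.
        [pscustomobject]@{ subject = $item.subject; type = $item.type }
    })

    if ($orphans.Count -eq 0) { return $null }

    # -InputObject keeps a one-element result as a JSON array.
    $payload = ConvertTo-Json -InputObject $orphans -Compress
    if ($EscapeForWindowsPowerShell) { $payload = $payload -replace '"', '\"' }
    $payload
}

# Print the commands for review instead of running them.
$unix = New-LicenseDeletePayload -Json $listing
$win  = New-LicenseDeletePayload -Json $listing -EscapeForWindowsPowerShell
if ($unix) {
    "Unix shell:         qlik license assignment delete --delete '$unix'"
    "Windows PowerShell: qlik license assignment delete --delete '$win'"
} else {
    'No assignments without a userId were found.'
}
```

Review the printed subjects against the listing before running the delete command, since the missing-userId rule is only a heuristic.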
This article provides step-by-step instructions for implementing Azure AD as an identity provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the "value of the client secret" and paste it somewhere safe. After saving the configuration the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
This article provides information on how to get started with the ServiceNow connector in Qlik Application Automation.
The connector for ServiceNow is making use of Basic Authentication. To connect you will also need the name of your instance.
When you connect to ServiceNow in Qlik Application Automation you will be presented with the following screen.
You can obtain the instance name from the URL that you use to access ServiceNow. You can use the username and password of your account, provided it has enough privileges for what you aim to do. It is recommended to create a service account for integrations and limit its roles to what is necessary.
Most of the blocks for the ServiceNow connector make use of the Table API of ServiceNow.
ServiceNow documentation for the Table API can be found at: https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/c_TableAPI
The following data types have easy to use blocks for all CRUD operations:
• Incident
• Change Task
• Problem
• Change Request
Furthermore it is possible to work with user objects, listing journal items, audit lines, obtaining and adding attachments.
When modifying or deleting objects from the Table API, make sure to be using the "sys_id" field of objects as the identifier.
With the blocks "get table content by id", "create table content", "delete table content", "update table content", "list table content", it is possible to work with every object through the use of the Table API. These blocks also allow you to look up the name of a table with the "do lookup" functionality. As this lookup obtains information from the sys_db_object table in ServiceNow, it's possible that this lookup does not work due to your permissions.
There is also a "Raw API Request" available. This block allows providing your own sub path starting from the Base URL of ServiceNow, HTTP method and optionally a JSON body.
This can be used to contact API groups other than the Table API of ServiceNow, as well as custom scripted APIs.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
With Microsoft SQL as an endpoint, Qlik Replicate can be set up to Delete processed backup logs.
When the delete processed backup logs option is enabled, logs are deleted after a task processed the given log. This can lead to other tasks needing the log to complain about the missing log.
This is working as intended. Qlik Replicate tasks do not communicate with each other.
Disable Delete processed backup logs.
This will retain all log files. The files will need to be manually deleted.
As such, we advise reviewing latency and once it is zero, deleting the old logs. If Qlik Enterprise Manager has been deployed, we advise using API calls to check latency and to create a PowerShell script to delete the old files to automate the process.
In this article, we walk you through the requirements and process of how to upgrade and unbundle an existing Qlik Sense Repository Database (see supported scenarios) as well as how to install a brand new Repository based on PostgreSQL. We will use the Qlik PostgreSQL Installer (QPI).
For a manual method, see How to manually upgrade the bundled Qlik Sense PostgreSQL version to 12.5 version.
Using the Qlik Postgres Installer not only upgrades PostgreSQL; it also unbundles PostgreSQL from your Qlik Sense Enterprise on Windows install. This allows for direct control of your PostgreSQL instance and facilitates maintenance without a dependency on Qlik Sense. Further Database upgrades can then be performed independently and in accordance with your corporate security policy when needed, as long as you remain within the supported PostgreSQL versions. See How To Upgrade Standalone PostgreSQL.
The following versions have been tested and verified to work with QPI 1.3.0 (May 2023):
February 2022 to May 2023.
If you are on any version prior to these, upgrade to at least February 2022 before you begin.
Note that November 2022 and later do not support 9.6, and a warning will be displayed during the Qlik Sense upgrade.
The Qlik PostgreSQL Installer supports installing a new Qlik Sense Repository Database cluster on a new server, setting up a new environment or migrating an existing Database to a separate host.
Download the installer here.
Qlik PostgreSQL installer version 1.3.0 Release Notes
If the upgrade was unsuccessful and you are missing data in the Qlik Management Console or elsewhere, contact Qlik Support.
Before upgrading Qlik Sense Enterprise on Windows to the next major release
The old Qlik Sense Repository Database service must be removed from the server.
Perform the following steps to delete the Qlik Sense Repository Database Service:
This version of the upgrade tool is fully compatible with the official PostgreSQL installers from https://www.enterprisedb.com/downloads/postgres-postgresql-downloads.
If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can simply install the latest PostgreSQL version (within your major release).
Example: You have used the old QPI to upgrade to 12.5. You can now easily upgrade to a later version in the same major release, such as 12.15.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support. The video in this article was recorded in an earlier version of QPI; some screens might differ slightly.
Qlik PostgreSQL installer version 1.3.0 Release Notes
Techspert Talks - Upgrading Qlik Sense Repository Service
Backup and Restore Qlik Sense Enterprise documentation
Migrating Like a Boss
Optimizing Performance for Qlik Sense Enterprise
Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL
How-to reset forgotten PostgreSQL password in Qlik Sense
How to configure Qlik Sense to use a dedicated PostgreSQL database
Troubleshooting Qlik Sense Upgrades
Accessing the Qlik Replicate or Qlik Enterprise Manager console errors out with the following:
SYS,GENERAL_EXCEPTION,The requested security protocol is not supported.
After an upgrade of Windows to Windows 2019, the previously installed .NET 4.8 install may be reverted to an older .NET version. A reinstall of .NET may be required.
Qlik Replicate and Qlik Enterprise Manager require .NET Framework 4.8 or later. See Windows software requirements.
To verify the currently installed .NET Framework version, open a command line prompt and run:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
A typical output looks like (in my sample the .NET Framework 4.8 was installed):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full
version REG_SZ 4.8.03761
Once you have confirmed that the wrong .NET Framework version is listed, reinstall .NET Framework 4.8.
.NET Framework 4.8.1 is not supported until Windows Server 2022 version, so version 4.8 is required.
This is .NET Framework 4.8 English edition Offline Installer from Microsoft Download Center.
Global expressions are not propagated to all tables.
Defining a soft delete transformation can be done on each individual table as needed. However, if you want to do it for all tables in the task you will want to use a Global Transformation.
Issue
The issue manifested when defining a Global Expression to do a soft delete.
The field is supposed to be automatically added to all tables in the task, but it was not. The results appeared random: some tables had the field and others did not.
When reviewing the process of defining the expression we noticed there are two screens which would allow you to enter the expression.
When we used both the Transformation Scope / Advanced Options screen and the Transformation Action / Value screen, not all tables got the field.
Example: Transformation Scope, with Advanced Options expanded:
Resolution
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Transformation - Operation Indicator - Archive User - Soft Delete
It is important to understand the options which PostgreSQL uses to allow connectivity. These principles are valid no matter whether you are using the Qlik Sense Repository Database service to host the database or using a standalone PostgreSQL instance. The two key files which PostgreSQL uses to define who can connect, how they connect, where they can connect from, and how many connections are allowed are:
For bundled PostgreSQL instances, the files are located in:
C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\x.x
If you have unbundled PostgreSQL using the Qlik PostgreSQL installer (QPI), the default location is:
C:\Program Files\PostgreSQL\xx\data
For any other standalone PostgreSQL instance, consult your database admin to locate the data directory.
Note: Any changes to these files will require a restart of the Qlik Sense Repository Database or PostgreSQL.
Note: Any lines prefixed with a # are commented out and not active.
In the postgresql.conf, in a basic Qlik Sense configuration, there are two key configuration options which are important:
Where these lines are can vary but an expected single node Qlik Sense site would look like this:
listen_addresses = '*'
max_connections = 100
The pg_hba.conf file defines a variety of aspects:
# TYPE  DATABASE  USER  ADDRESS  METHOD
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::/0 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
host all all 0.0.0.0/0 md5
In this example pg_hba.conf file there are two active lines. The first line specifies that all users can connect to all databases from the local loopback IP using MD5 authentication (host all all 127.0.0.1/32 md5). The second line specifies that all users can connect to all databases from any valid IPv4 address using MD5 authentication (host all all 0.0.0.0/0 md5).
Please review our help for references to more sophisticated configurations where specific IP addresses or IP address ranges are covered.
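Added example (not part of the original article or Qlik's tooling): a PowerShell check that parses pg_hba.conf text and flags active rules whose address matches every client, such as the ::/0 and 0.0.0.0/0 entries in the sample above. The sample text is constructed from the article's example; the exampledb / exampleuser rule on 10.20.30.5/32 is a hypothetical narrowed entry, and the function names are illustrative.

```powershell
# Added example: audit pg_hba.conf rules for overly broad client addresses.
# Constructed sample based on the article's file; the last rule is hypothetical.
$sampleHba = @'
# TYPE  DATABASE  USER  ADDRESS  METHOD
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::/0 md5
#host replication postgres 127.0.0.1/32 md5
host all all 0.0.0.0/0 md5
host exampledb exampleuser 10.20.30.5/32 md5
'@

function Get-HbaRule {
    # Turn pg_hba.conf lines into objects. Blank and commented-out lines are
    # skipped. Assumes '#' never appears inside a quoted name.
    param([string[]]$Line)
    $number = 0
    foreach ($raw in $Line) {
        $number++
        $text = ($raw -replace '#.*$', '').Trim()
        if (-not $text) { continue }

        $field = $text -split '\s+'
        # Only host, hostssl, hostnossl ... records carry an ADDRESS column.
        if ($field[0] -notlike 'host*' -or $field.Count -lt 5) { continue }

        $address = $field[3]
        $method  = $field[4]
        # Alternative syntax: IP address and netmask as two separate columns.
        if ($field.Count -ge 6 -and $address -notmatch '/' -and
            $field[4] -match '^[0-9a-fA-F:.]+$') {
            $address = "$($field[3]) $($field[4])"
            $method  = $field[5]
        }

        [pscustomobject]@{
            LineNumber = $number
            Type       = $field[0]
            Database   = $field[1]
            User       = $field[2]
            Address    = $address
            Method     = $method
        }
    }
}

function Test-HbaRule {
    # Attach findings to each parsed rule; an empty Finding means nothing was flagged.
    param([Parameter(ValueFromPipeline)]$Rule)
    process {
        $broad = ($Rule.Address -match '/0$') -or
                 ($Rule.Address -eq 'all') -or
                 ($Rule.Address -match ' (0\.0\.0\.0|::)$')

        $finding = @()
        if ($broad) { $finding += 'address matches every client' }
        if ($broad -and $Rule.Database -eq 'all' -and $Rule.User -eq 'all') {
            $finding += 'any user may reach any database'
        }
        if ($Rule.Method -eq 'trust') { $finding += 'no password required' }

        [pscustomobject]@{
            LineNumber = $Rule.LineNumber
            Rule       = '{0} {1} {2} {3} {4}' -f $Rule.Type, $Rule.Database,
                         $Rule.User, $Rule.Address, $Rule.Method
            Review     = ($finding.Count -gt 0)
            Finding    = $finding -join '; '
        }
    }
}

$report = Get-HbaRule -Line ($sampleHba -split '\r?\n') | Test-HbaRule
$report | Format-Table -AutoSize -Wrap
```

To audit a live file, pass the output of Get-Content for pg_hba.conf in the data directory listed above instead of the sample text.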
To recap, when ensuring connectivity in a Qlik Sense Shared Persistence environment, especially a multi-node site, the core configurations which are needed are:
This article gives an overview of the available blocks in the Qlik Platform Operations connector in Qlik Application Automation.
The purpose of the Qlik Platform Operations connector is to simplify the deployment and management of multiple tenants within Qlik Cloud. To learn more about the multitenant model in Qlik Cloud, please review the following series of tutorials.
This connector consists of:
To authenticate, you will need to provide your OAuth2 client ID and client secret. If you have a multitenant license, enter a regional OAuth client (generated via My Qlik) or a tenant OAuth client (generated from within a tenant). Note that only regional OAuth clients can create new Qlik Cloud tenants. In order to use your own tenant, you need to create an OAuth m2m client (trusted) in the management console on your tenant. For more information, please check this article.
Most blocks require a specified tenant as the target. A tenant is uniquely identified by name and the region that it is deployed to. For example, for mytenant.eu.qlikcloud.com, enter mytenant.eu. You can use the Get Tenant Name and Region block to obtain the tenant from a full URL.
Let's now go over a basic example of how to deploy a tenant, create an automation inside the deployed tenant and run it using the Qlik Platform Operations:
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
After an upgrade to Qlik Sense Enterprise on Windows May 2023 patch 3 or later, REST connections fail with the following error:
"WITH CONNECTION" is not allowed. To allow "WITH CONNECTION", select Allow "WITH CONNECTION" in the connector settings.
The Allow WITH CONNECTION option is not exposed in the REST Connector GUI and cannot be changed.
Qlik Sense Enterprise on Windows August 2023 and later are not affected.
To resolve the issue, upgrade to August 2023.
To manually mitigate the issue in the May release branch, replace the qsdfw_qsefw_qlikview.qliksourceconfig file. Qlik is investigating a solution which does not require manual intervention.
Back up the affected file before continuing with the workaround. Do not keep the backup copy in the same folder (see end notes).
End notes:
The folder C:\Program Files\Common Files\Qlik\Custom Data\QvRestConnector can only contain one qliksourceconfig file with correct name: qsdfw_qsefw_qlikview.qliksourceconfig
If there are two qliksourceconfig files (even with different names, such as a backup), the first one in alphabetical order will be chosen.
QB-20735
Qlik Sense Enterprise on Windows May 2023 Patch 3 and later
Does not affect August 2023 and later releases.
QB-20735
The Qlik Sense PostgreSQL database was previously updated and unbundled using the Qlik PostgreSQL Installer (QPI).
Following an upgrade of Qlik Sense Enterprise on Windows, the Qlik Repository Service may not start, or the Management Console may open with the following error:
Failed to load properties. No data found.
Qlik Sense on Windows May 2023 (upgraded to)
Previous use of Qlik PostgreSQL Installer (QPI) while Qlik Sense had a patch installed
Repair the installation. See Repairing an installation.
Before using QPI, all patches need to be removed. See Requirements for QPI.
Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer
QB-20581
When PostgreSQL restarts, an error message is logged in the Windows event logs. Error message:
The description for Event ID 0 from source PostgreSQL cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
ERROR: relation "nodes" already exists
STATEMENT: CREATE TABLE nodes (
hash BYTEA PRIMARY KEY,
refs INT NOT NULL,
value BYTEA,
value_string TEXT,
datatype TEXT,
language TEXT,
iri BOOLEAN,
bnode BOOLEAN,
value_int BIGINT,
value_bool BOOLEAN,
value_float double precision,
value_time timestamp with time zone
);
This is working by design, and the error message is harmless. Whenever the precedents service starts up, it re-runs the appropriate database initialization request. This is to ensure the required tables exist before it starts using those tables.
This article explains how to connect to the QMS API using HTTPS with the QVClient certificate.
Prerequisites:
In Visual Studio, once you have followed the procedure in QlikView: Connect to QMS API with Visual Studio then you can just right-click on the QMS API reference in the solution explorer and choose "Configure service reference".
Modify "http" to "https" in the connection address.
In Visual Studio solution explorer, find App.config and double-click to edit it.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
Add this section to the app.config inside the <system.serviceModel> ... </system.serviceModel> tags:
<behaviors>
<endpointBehaviors>
<behavior name="ServiceKeyEndpointBehavior">
<clientCredentials>
<clientCertificate findValue="CN=QVProxy" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="My" />
<serviceCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Note: If you get the error "The client certificate is not provided. Specify a client certificate in ClientCredentials.", add behaviorConfiguration="ServiceKeyEndpointBehavior" to all of the "endpoint" sections in the app.config.
Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.
This feature was originally introduced in September 2019 as a feature flag and fully implemented in the Management Console in November 2019.
This article includes instructions for both.
Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate-based key encryption key (KEK). The DEK is unique to each encrypted file and is stored alongside the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which means that the KEK certificate thumbprint in the certificate store must match the thumbprint used for the DEK generation.
Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption
This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.
ASCII:
Load
  if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num,
  Chr(RecNo()) as AsciiAlpha,
  RecNo() as AsciiNum
autogenerate 255
Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160;
STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" `
  -KeyAlgorithm RSA `
  -KeyLength 4096 `
  -Provider "Microsoft Software Key Storage Provider" `
  -KeyExportPolicy ExportableEncrypted `
  -CertStoreLocation "cert:\CurrentUser\My"

New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" `
  -CertStoreLocation "cert:\CurrentUser\My"
After encryption is disabled, files remain encrypted until the next app reload or QVD generation.
Compare the unencrypted and encrypted files to validate successful encryption.
A Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.
Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.
An app file without encryption has no such references. The ciphertext portion of the QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks.
Encrypted data (.qvd) files have "Encryption Info" defined, which includes the data encryption key (DEK) references.
The data part is also significantly different, even though both versions have exactly the same static data content.
The data encryption feature was soft-launched in the September 2019 release. This means that the feature and functionality were included in the release, but are not enabled and exposed by default in the product.
{
  "contentHash": "10159d595f5fa3bd250e90f30b1b7bf3",
  "originalClassName": "FeatureToggle",
  "flag": "DATA_ENCRYPTION",
  "enabled": true
}
Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption
The Operations Monitor and License Monitor apps in Qlik Sense fail to reload with the error message:
"Error: QVX_UNEXPECTED_END_OF_DATA: Unexpected character encountered while parsing value: <. Path '', line 0, position 0."
Check the connection string of the data connections for your monitor_apps_*.
The connection string should be: queryHeaders=X-Qlik-XrfKey%20000000000000000%1User-Agent%2Windows;PaginationType=None;
If the string is instead: queryHeaders=X-Qlik-XrfKey%20000000000000000%1User-Agent%2Forms;PaginationType=None; then modify it to User-Agent%2Windows.
Create a secondary virtual proxy using standard windows authentication. In our example we use "win" as the prefix. For detailed instructions on how to add a new Virtual Proxy, see Qlik Sense: How to create a new Virtual Proxy.
Edit all Data Connections prefixed with monitor_apps_ to use the new virtual proxy. Change the connector URL path to contain the Windows authenticated virtual proxy.
Operations Monitor and License Monitor apps use the Qlik REST Connector to fetch data. The connector requires Windows Authentication to be successful in fetching data. This issue occurs when no virtual proxy in the Qlik Sense deployment utilizes Windows authentication.
When starting Qlik Sense Repository Service you may receive the following error in the Windows Application log: