Search our knowledge base, curated by global Support, for answers ranging from account questions to troubleshooting error messages.
Featured Content
-
How to contact Qlik Support
Qlik offers a wide range of channels to assist you in troubleshooting, answering frequently asked questions, and getting in touch with our technical e... Show MoreQlik offers a wide range of channels to assist you in troubleshooting, answering frequently asked questions, and getting in touch with our technical experts. In this article, we guide you through all available avenues to secure your best possible experience.
For details on our terms and conditions, review the Qlik Support Policy.
Index:
- Support and Professional Services; who to contact when.
- Qlik Support: How to access the support you need
- 1. Qlik Community, Forums & Knowledge Base
- The Knowledge Base
- Blogs
- Our Support programs:
- The Qlik Forums
- Ideation
- How to create a Qlik ID
- 2. Chat
- 3. Qlik Support Case Portal
- Escalate a Support Case
- Resources
Support and Professional Services; who to contact when.
We're happy to help! Here's a breakdown of resources for each type of need.
Support Professional Services (*) Reactively fixes technical issues as well as answers narrowly defined specific questions. Handles administrative issues to keep the product up-to-date and functioning. Proactively accelerates projects, reduces risk, and achieves optimal configurations. Delivers expert help for training, planning, implementation, and performance improvement. - Error messages
- Task crashes
- Latency issues (due to errors or 1-1 mode)
- Performance degradation without config changes
- Specific questions
- Licensing requests
- Bug Report / Hotfixes
- Not functioning as designed or documented
- Software regression
- Deployment Implementation
- Setting up new endpoints
- Performance Tuning
- Architecture design or optimization
- Automation
- Customization
- Environment Migration
- Health Check
- New functionality walkthrough
- Realtime upgrade assistance
(*) reach out to your Account Manager or Customer Success Manager
Qlik Support: How to access the support you need
1. Qlik Community, Forums & Knowledge Base
Your first line of support: https://community.qlik.com/
Looking for content? Type your question into our global search bar:
The Knowledge Base
Leverage the enhanced and continuously updated Knowledge Base to find solutions to your questions and best practice guides. Bookmark this page for quick access!
- Go to the Official Support Articles Knowledge base
- Type your question into our Search Engine
- Need more filters?
- Filter by Product
- Or switch tabs to browse content in the global community, on our Help Site, or even on our Youtube channel
Blogs
Subscribe to maximize your Qlik experience!
The Support Updates Blog
The Support Updates blog delivers important and useful Qlik Support information about end-of-product support, new service releases, and general support topics. (click)The Qlik Design Blog
The Design blog is all about product and Qlik solutions, such as scripting, data modelling, visual design, extensions, best practices, and more! (click)The Product Innovation Blog
By reading the Product Innovation blog, you will learn about what's new across all of the products in our growing Qlik product portfolio. (click)Our Support programs:
Q&A with Qlik
Live sessions with Qlik Experts in which we focus on your questions.Techspert Talks
Techspert Talks is a free webinar to facilitate knowledge sharing held on a monthly basis.Technical Adoption Workshops
Our in depth, hands-on workshops allow new Qlik Cloud Admins to build alongside Qlik Experts.Qlik Fix
Qlik Fix is a series of short video with helpful solutions for Qlik customers and partners.The Qlik Forums
- Quick, convenient, 24/7 availability
- Monitored by Qlik Experts
- New releases publicly announced within Qlik Community forums (click)
- Local language groups available (click)
Ideation
Suggest an idea, and influence the next generation of Qlik features!
Search & Submit Ideas
Ideation GuidelinesHow to create a Qlik ID
Get the full value of the community.
Register a Qlik ID:
- Go to: qlikid.qlik.com/register
- You must enter your company name exactly as it appears on your license or there will be significant delays in getting access.
- You will receive a system-generated email with an activation link for your new account. NOTE, this link will expire after 24 hours.
If you need additional details, see: Additional guidance on registering for a Qlik account
If you encounter problems with your Qlik ID, contact us through Live Chat!
2. Chat
Incidents are supported through our Chat, by clicking Chat Now on any Support Page across Qlik Community.
To raise a new issue, all you need to do is chat with us. With this, we can:
- Answer common questions instantly through our chatbot
- Have a live agent troubleshoot in real time
- With items that will take further investigating, we will create a case on your behalf with step-by-step intake questions.
3. Qlik Support Case Portal
Log in to manage and track your active cases in Manage Cases. (click)
Please note: to create a new case, it is easiest to do so via our chat (see above). Our chat will log your case through a series of guided intake questions.
Your advantages:
- Self-service access to all incidents so that you can track progress
- Option to upload documentation and troubleshooting files
- Option to include additional stakeholders and watchers to view active cases
- Follow-up conversations
When creating a case, you will be prompted to enter problem type and issue level. Definitions shared below:
Problem Type
Select Account Related for issues with your account, licenses, downloads, or payment.
Select Product Related for technical issues with Qlik products and platforms.
Priority
If your issue is account related, you will be asked to select a Priority level:
Select Medium/Low if the system is accessible, but there are some functional limitations that are not critical in the daily operation.
Select High if there are significant impacts on normal work or performance.
Select Urgent if there are major impacts on business-critical work or performance.
Severity
If your issue is product related, you will be asked to select a Severity level:
Severity 1: Qlik production software is down or not available, but not because of scheduled maintenance and/or upgrades.
Severity 2: Major functionality is not working in accordance with the technical specifications in documentation or significant performance degradation is experienced so that critical business operations cannot be performed.
Severity 3: Any error that is not Severity 1 Error or Severity 2 Issue. For more information, visit our Qlik Support Policy.
Escalate a Support Case
If you require a support case escalation, you have two options:
- Request to escalate within the case, mentioning the business reasons.
To escalate a support incident successfully, mention your intention to escalate in the open support case. This will begin the escalation process. - Contact your Regional Support Manager
If more attention is required, contact your regional support manager. You can find a full list of regional support managers in the How to escalate a support case article.
Resources
A collection of useful links.
Qlik Cloud Status Page
Keep up to date with Qlik Cloud's status.
Support Policy
Review our Service Level Agreements and License Agreements.
Live Chat and Case Portal
Your one stop to contact us.
Recent Documents
-
How to create a Qlik Replicate task to capture soft deletes and allow source tab...
Task requirements This task needs to capture soft deletes and allow the source table to reuse primary key values without a PK violation on the target.... Show MoreTask requirements
This task needs to capture soft deletes and allow the source table to reuse primary key values without a PK violation on the target.
Summary
Setting up this task requires four steps:
- Add a table to the task and two fields to the target primary key.
- Add transformations to the two new fields.
- Configure the task to use upsert mode.
- Show results of updates and deletes on the target table
Adding the two extra fields to the target side primary key and having the NOW timestamp ensures that the target record will be unique compared to the source record with only one field primary key.
This will allow the source to reuse a deleted records primary key without throwing a PK violation on the target. The transformations on the fields set unique values into the additional key segments.
Setting error handling and the apply conflicts handling policy to Upsert Mode (No record found for applying an Update: INSERT the messing target record) normally works by converting the source statement (whether Insert, Update, Delete) into a Delete followed by and Update. The unique three segment primary key is not able to be found during the delete which is why the records persist on the target.
The Steps
Add a table to the task and two additional fields to the target primary key
Example source table structure:
Note the single field Primary Key MyPK.
In our example, we have added Operation and OperationDateTime as the additional fields.
Example source table records:
In the Table Settings for your task, go to Transform and mark your newly added fields as target side primary keys.
In our example, we have marked Operation and OperationDateTime.Add transformations to the two new fields
Transformation are added through the Expression Builder, located in the Table Settings. You will modify the fields marked as keys in the previous step, Operation and OperationsDateTime.
Operation: set the expression to INSERT, UPDATE or DELETE based on the source transaction.
Transformation function:
CASE
WHEN $AR_H_STREAM_POSITION = ''
THEN "INSERTED"
ELSE operation_indicator("DELETED", "UPDATED", "INSERTED" )
ENDOperationDateTime: set the expression to to NOW date time
Transformation function:
Datetime('now')
Configure the task to use Upsert mode
- Go to Task Settings...
- Open Error Handling and navigate to Apply Conflicts
- Set No record found for applying an UPDATE to INSERT the missing target record
Show results of updates and deletes on the target table
Results in target table after updates and deleting source record #6 and reuse of primary key on source.
Target table after full load:
Target table results after updates and delete on source:
Target table after reuse of source primary key new record inserted.
Outcome
Results show that the target table is acting like an Audit table; all source transactions are stored.
The target table can have multiple records that have the same primary key on the source (MyPk 6).
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Related Content
Environment
-
Vulnerability Concern: Username and password sent in plain text
A penetration test shows traffic traces between a client device and a server that reveals the user's credentials. This might be flagged as a potentia... Show MoreA penetration test shows traffic traces between a client device and a server that reveals the user's credentials. This might be flagged as a potential risk for man-in-the-middle (MITM) attacks in a security report.
Below images show an example of a login request through Qlik Sense form login, where the HTTP request body contains the user's credentials in plain text.
Diagnosis
In this scenario, the end-user typically enters credentials into a form on a login page. The login form usually hides the password from plain sight by masking it on the screen, but the entries are still plain text.
The communication between the client browser and server should be secured and encrypted with HTTPS so that the plain text credentials and any other content are encrypted at all times during transport between the client device and server.
An attacker does not have the required certificates, and can therefore not decrypt intercepted HTTPS traffic and the server reveal the content.
This test result is a false-positive since the penetration tool, in this case, acts as the connecting and trusted client, and thereby decrypts the traffic and consequently can also display and analyze the traffic content.
Qlik Sense on Windows defaults to HTTPS. All communication is under TLS. When a user is attempted to log in, the web browser establishes a TLS connection with the server and is able to view requests in plain text (in the browser). This does not mean the request has gone out into the world without encryption. From the provided screenshots, the target URL is omitted. I'm unable to verify if the scheme in the browser is HTTP or HTTPS (as seen in the below screenshot)
A change to your environment would require you to communicate with your support in order to reset the proxy to the default configuration.
-
Qlik Cloud: Delete license allocation with Qlik-CLI
Sometimes it might be necessary to deallocate licenses using the Qlik Command Line Interface, for instance in case of licenses allocated to users no l... Show MoreSometimes it might be necessary to deallocate licenses using the Qlik Command Line Interface, for instance in case of licenses allocated to users no longer in the system.
Environment
Resolution
- Download and configure the Qlik-cli
- run "qlik license assignment ls" in the Powershell or UNIX shell to see currently assigned licenses. You will get something like this:
[ { "created": "2023-04-03T11:24:05.101Z", "excess": false, "name": “Enzo Bearzot”, "subject": "auth0|12345678”, "type": "professional", "userId": “userid1” }, { "created": "2022-08-17T11:50:04.647Z", "excess": false, "name": “Vittorio Pozzo”, "subject": "auth0|910111213”, "type": “analyzer”, "userId": “userid2” }, { "created": "2022-08-17T11:50:04.647Z", "excess": false, "name": “Ferruccio Valcareggi”, "subject": "auth0|14151617”, "type": "professional", "userId": “userid3” }, { "created": "2022-06-07T11:36:15.704Z", "excess": false, "subject": “18192021”, "type": “professional” }, { "created": "2022-06-03T13:50:14.105Z", "excess": false, "subject": “22232425”, "type": "analyzer" }, ] - identify any user that should not have a license assigned. There is a higher probability that you'll find them among the users who have no "name:" and "userid:" fields
- for each of this user contruct the string
The syntax below is for Unix shells. For usage in Windows Powershell add a "backslash" before each "doublequote" sign. '[{"subject"... will have to become '[{\"subject\"...
'[{"subject":"USERSUBJECT","type":"ASSIGNEDLICENSE"}]'
For instance, in the case of the final user in the list above it will be '[{"subject":"22232425","type":"analyzer"}]' -
feed the string into this command:
qlik license assignment delete --delete STRING
With the example above you will run:
qlik license assignment delete --delete '[{"subject":"22232425","type":"analyzer"}]' -
Run the command and wait for the result.
A "200" will confirm that the removal worked% qlik license assignment delete --delete '[{"subject":"22232425","type":"analyzer"}]' [ { "status": 200, "subject": "22232425", "type": "analyzer" } ] -
Check the "Home" section of the management console to confirm that the allocation was removed
Related Content
- Download and configure the Qlik-cli
-
How to change the Qlik Sense Enterprise on Windows PostgreSQL password
During installation, Qlik Sense Enterprise on Windows prompts you to choose a password for its PostgreSQL repository. This password can be changed. T... Show MoreDuring installation, Qlik Sense Enterprise on Windows prompts you to choose a password for its PostgreSQL repository. This password can be changed. The process is split into three steps.
- 1. Changing the PostgreSQL password in the database
- 2. Changing the Connection String to QSR and QSMQ Database
- 3. Changing the Connection String for Micro-Services
1. Changing the PostgreSQL password in the database
- Download and install pgAdmin 4
- Connect to your Qlik Sense PostgreSQL database:
-
Host name/address: localhost (if the database has been installed on the local machine)
-
Port: 4432
-
Maintenance database (*): postgres
-
Username: postgres
-
Password: Your current password
(*) Note that the maintenance database name may differ if this was not a standard installation and changes were made during setup. Consult your configuration file if necessary.
-
- Right Click on the postgres database.
- Click Query Tool
- Copy the following queries into the Query Tool, replacing Example Password with your new password:
ALTER USER postgres WITH PASSWORD 'Example_Password';
ALTER USER qliksenserepository WITH PASSWORD 'Example_Password';
- Run the Query
This has changed the password in the database itself. We will now move on to modifying the connection strings used by the database.
2. Changing the Connection String to QSR and QSMQ Database
For this step, we will need the QlikSenseUtil stored in C:\Program Files\Qlik\Sense\Repository\Util\QlikSenseUtil\.
It has to be repeated on all nodes.
- On the Qlik Sense central node, stop all services except the Qlik Sense Repository Service
- Open QlikSenseUtil
- Open the Connection String Editor and Read the current configuration. This decrypts the current data.
- Change the Password in the following two connectionStrings:
- QSR
- QSMQ
- Hit Save Value in config file encrypted
We have now changed the connection strings to the QSMQ database and the QSR database.
3. Changing the Connection String for Micro-Services
Qlik Sense has introduced micro-services, all of which will require to have their connection strings modified.
To make changing them easier, we have provided a Configure-Service.ps1 for each. They can be located in:
- C:\Program Files\Qlik\Sense\Licenses\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\NotifierService\install\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\AppDistributionService\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\HybridDeploymentService\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\MobilityRegistrarService\install\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\PrecedentsService\install\Configure-Service.ps1
- C:\Program Files\Qlik\Sense\NLAppSearch\install\Configure-Service.ps1
Depending on your version of Qlik Sense, the above list may not be complete. Review C:\Program Files\Qlik\Sense\ for any additional micro-service folders that include a Configure-Service.ps1. You can obtain a list of all relevant folders by running the following command in a command prompt: dir /s configure-service.ps1
To update your password using Configure-Service.ps1:
- Open an elevated Powershell and change the directory to (for example with the license service) C:\Program Files\Qlik\Sense\Licenses
- Run the Configure-Service.ps1 script as follows, providing the correct hostname and the new password:
.\Configure-Service.ps1 YourPostgresHostName 4432 qliksenserepository ExamplePassword - Repeat these steps for the remaining micro-services.
Your PostgreSQL password has now been changed.
Micro-Services Alternative method:
The alternative is to find all the PowerShell files programmatically.
Note that in our example we assume the default install directory and the default port of 4432. You may need to adapt the script accordingly.
# Set the Installation Directory for Qlik Sense $installDir = 'C:\Program Files\Qlik\Sense\' # Specify the new password for the qliksenserepository account $password = 'MyNewPassword' $files = Get-ChildItem -Path $installDir -Include Configure-Service.ps1 -Recurse foreach ($file in $files) { $ScriptToRun=$($file.FullName) &$ScriptToRun localhost 4432 qliksenserepository $password } -
Qlik Sense with a Proxy - How to test access to the license server
When your Qlik Sense server is behind a proxy you will need to add the proxy in the License service: Configuring a proxy for Qlik License Service comm... Show MoreWhen your Qlik Sense server is behind a proxy you will need to add the proxy in the License service:
Configuring a proxy for Qlik License Service communication in Qlik Sense Enterprise on Windows
Environment
Qlik Sense Enterprise on Windows
Troubleshooting
If you are not able to apply the SLK license in your QMC, or see an issue with the License not being updated, check the License logs: C:\ProgramData\Qlik\Sense\Log\LicensesAnd for most of the cases we can find the below kind of error:{"caller":"handler.go:53","errorMessage":"invalid license error, no license found, tenant not found","errorType":"LICENSES-ForbiddenRequest","level":"info","logTraceId":"XXXXXXXXXXd674e50adef83","statusCode":403,"timestamp":"2021-09-23T09:17:27.1566729Z"}This 403 forbidden error doesn't tell us more than that something is forbidden.
If we want to check this Proxy and be sure it is really working from the Qlik Sense server, we can use PowerShell and test the connection.
If you are using a Proxy with no authentication required, you can use below command:
Where "myproxy" = the proxy IP address or hostname set in the Qlik Sense dispatcher service
And where "8080" = the port number used for the Proxy[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $Site="https://license.qlikcloud.com" $Test=Invoke-WebRequest -URI $Site -Proxy 'http://myproxy:8080' $Test.LinksIf your proxy requires authentication, you can use below command (run PowerShell as Administrator).
Where "172.16.16.101" = the proxy IP address or hostname set in the Qlik Sense dispatcher service
And where "808" = the port number used for the Proxy[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 netsh winhttp set proxy "172.16.16.101:808" $Wcl=New-Object System.Net.WebClient $Creds=Get-Credential $Wcl.Proxy.Credentials=$Creds $Site="https://license.qlikcloud.com" $Test=Invoke-WebRequest -URI $Site $Test.LinksThe above command will prompt a Window where you need to put the login name and the password for the proxy authentication.
The result of the two above PowerShell scripts should show below result:
Resolution
If you have any other result like for example "Your system policy has denied the requested action", or "proxy denied access", or similar, contact your IT security team to allow access to https://license.qlikcloud.com (port 443) through your Proxy.
-
Error: TemplateEntities list does not contain this column when previewing report...
Previewing Qlik NPrinting report templates in the Qlik NPrinting Designer leads to the error: An error occurred while elaborating the entity tags.Plea... Show MorePreviewing Qlik NPrinting report templates in the Qlik NPrinting Designer leads to the error:
An error occurred while elaborating the entity tags.
Please check if the entities are properly placed inside their level tags.
Error message:
TemplateEntities list does not contain this column
Parameter name: templateEntitiesEnvironment
Qlik NPrinting Designer May 2023 IR, May 2023 SR 1
Resolution
Upgrade to Qlik NPrinting May 2023 SR 2.
Information on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes with the ID OP-95892 for reference.
Workaround:
Replace the current Qlik.Reporting.Adapters.dll file in C:\Program Files (x86)\NPrinting\Designer\libs.
For this workaround to function, the installed Qlik NPrinting designer version must be May 2023 SR1.
- Take a backup of the current Qlik.Reporting.Adapters.dll file
- Download the attached Qlik.Reporting.Adapters.zip file
- Extract the .dll.
- Replace the Qlik.Reporting.Adapters.dll file
Upgrade to May 2023 SR2 when released.
Fix Version:
Qlik NPrinting May 2023 SR 2
Cause
OP-95892
-
Replicate when writing to Big Query causes Quota issue with the Target Table
When using Replicate to replicate data to Big Query Target the attrep_change Table gets dropped and recreated for the batches to send to Big Query whi... Show MoreWhen using Replicate to replicate data to Big Query Target the attrep_change Table gets dropped and recreated for the batches to send to Big Query which is causing the DML generated for the Table to exceed the 1500 default Quota Limit for Big Query Table.
Environment
- Replicate 7.0
- Replicate 2021.5
Resolution
For the Big Query Target in Replicate you can add an internal parameter below to use the Truncate method for the attrep_change Table so the data is truncated to reduce the Quota cost for the given Tables being Replicated in the Task.
Advanced Tab on Big Query Target Internal Parameters
$info.query_syntax.truncate_table (won't show up in the list, just hit enter)
With a value of: TRUNCATE TABLE ${QO}${TABLE_OWNER}${QC}.${QO}${TABLE_NAME}${QC}Cause
The GCP (Google Cloud Provider) has Quota Limit setup on the given tables in Big Query with the default of 1500. During CDC processing with Replicate the attrep_change (temp table) to keep track of the batches to send to Target is dropping and recreating as the bulk process to send to Target. These are DML calls to Big Query which are the used via the Quota's per Table.
Reference
https://cloud.google.com/bigquery/docs/troubleshoot-quotas
-
How To: Configure Qlik Sense Enterprise SaaS to use Azure AD as an IdP. Now with...
This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registra... Show MoreThis article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Content:
- Prerequisites
- Helpful vocabulary
- Considerations when using Azure AD with Qlik Sense Enterprise SaaS
- Configure Azure AD
- Create the app registration
- Create the client secret
- Add claims to the token configuration
- Add group claim
- Collect Azure AD configuration information
- Configure Qlik Sense Enterprise SaaS IdP
- Recap
- Addendum
- Related Content (VIDEO)
Prerequisites
- An Microsoft Azure account
- A Microsoft Azure Active Directory instance
- A Qlik Sense Enterprise SaaS tenant
- The BYOIDP feature in your Qlik license is set to YES. Contact customer support to find out if you are entitled to bring your own identity provider to your tenant.
Helpful vocabulary
Throughout this tutorial, some words will be used interchangeably.
- Qlik Sense Enterprise SaaS: Qlik Sense hosted in Qlik’s public cloud
- Microsoft Azure Active Directory: Azure AD
- Tenant: Qlik Sense Enterprise SaaS tenant or instance
- Instance: Microsoft Azure AD
- OIDC: Open Id Connect
- IdP: Identity Provider
Considerations when using Azure AD with Qlik Sense Enterprise SaaS
- Qlik Sense Enterprise SaaS allows for customers to bring their own identity provider to provide authentication to the tenant using the Open ID Connect (OIDC) specification (https://openid.net/connect/)
- Given that OIDC is a specification and not a standard, vendors (e.g. Microsoft) may implement the capability in ways that are outside of the core specification. In this case, Microsoft Azure AD OIDC configurations do not send standard OIDC claims like email_verified. Using the Azure AD configuration in Qlik Sense Enterprise SaaS includes an advanced option to set email_verified to true for all users that log into the tenant.
- The Azure AD configuration in Qlik Sense Enterprise SaaS includes special logic for contacting Microsoft Graph API to obtain friendly group names. Whether those groups originate from an on-premises instance of Active Directory and sync to Azure AD through Azure AD Connect or from creation within Azure AD, the friendly group name will be returned from the Graph API and added to Qlik Sense Enterprise SaaS.
Configure Azure AD
Create the app registration
- Log into Microsoft Azure by going to https://portal.azure.com.
- Click on the Azure Active Directory icon in the browser Or search for "Azure Active Directory" in the search bar on the top. The overview page for the active directory will appear.
- Click the App registrations item in the menu to the left.
- Click the New registration button at the top of the detail window. The application registration page appears.
- Add a name in the Name section to identify the application. In this example, the name of the hostname of the tenant is entered along with the word OIDC.
- The next section contains radio buttons for selecting the Supported account types. In this example, the default – Accounts in this organizational directory only – is selected.
- The last section is for entering the redirect URI. From the dropdown list on the left select “web” and then enter the callback URL from the tenant. Enter the URI https://<tenant hostname>/login/callback.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Using the Alias hostname will cause the IdP handshake to fail. - Complete the registration by clicking the Register button at the bottom of the page.
- Click on the Authentication menu item on the left side of the screen.
- On the middle of the page, the reference to the callback URI appears. There is no additional configuration required on this page.
Create the client secret
- Click on the Certificates and secrets menu item on the left side of the screen.
- In the center of the Certificates and secrets page, there is a section labeled Client secrets with a button labeled New client secret. Click the button.
- In the dialog that appears, enter a description for the client secret and select an expiration time. Click the Add button after entering the information.
- Once a client secret is added, it will appear in the Client secrets section of the page.
Copy the "value of the client secret" and paste it somewhere safe.
After saving the configuration the value will become hidden and unavailable.
Add claims to the token configuration
- Click on the Token configuration menu item on the left side of the screen.
- The Optional claims window appears with two buttons. One for adding optional claims, and another for adding group claims. Click on the Add optional claim button.
- For optional claims, select the ID token type, and then select the claims to include in the token that will be sent to the Qlik Sense Enterprise SaaS tenant. In this example, ctry, email, tenant_ctry, upn, and verified_primary_email are checked. None of these optional claims are required for the tenant identity provider to work properly, however, they are used later on in this tutorial.
- Some optional claims may require adding OpenId Connect scopes from Microsoft Graph to the application configuration. Click the check mark to enable and click Add.
- The claims will appear in the window.
Add group claim
- Click on the API permissions menu item on the left side of the screen.
- Observe the configured permissions set during adding optional claims.
- Click the Add a permission button and select the Microsoft Graph option in the Request API permissions box that appears. Click on the Microsoft Graph banner.
- Click on Delegated permissions. The Select permission search and the OpenId permissions list appears.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
- In the Select permissions search, enter the word group. Expand the GroupMember option and select GroupMember.Read.All. This will grant users logging into Qlik Sense Enteprise SaaS through Azure AD to read the group memberships they are assigned.
- After making the selection, click the Add permissions button.
- The added permissions will appear in the list. However, the GroupMember.Read.All permission requires admin consent to work with the app registration. Click the Grant button and accept the message that appears.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
Collect Azure AD configuration information
- Click on the Overview menu item to return to the main App registration screen for the new app. Copy the Application (client) ID unique identifier. This value is needed for the tenant’s idp configuration.
- Click on the Endpoints button in the horizontal menu of the overview.
- Copy the OpenID Connect metadata document endpoint URI. This is needed for the tenant’s IdP configuration.
Configure Qlik Sense Enterprise SaaS IdP
- With the configuration complete and required information in hand, open the tenant’s management console and click on the Identity provider menu item on the left side of the screen.
- Click the Create new button on the upper right side of the main panel.
- Select Interactive from the Type drop-down menu item, and select 'AZURE AD' from the Provider drop-down menu item.
- Scroll down to the Application credentials section of the configuration panel and enter the following information:
- ADFS discovery URL: This is the endpoint URI copied from Azure AD.
- Client ID: This is the application (client) id copied from Azure AD.
- Client secret: This is the value copy and pasted to a safe location from the Certificates & secrets section from Azure AD.
- The Realm is an optional value used if you want to enter what is commonly referred to as the Active Directory domain name.
- Scroll down to the Claims mapping section of the configuration panel. There are five textboxes to confirm or alter.
- The sub field is the subject of the token sent from Azure AD. This is normally a unique identifier and will represent the UserID of the user in the tenant. In this example, the value “sub” is left and appid is removed. To use a different claim from the token, replace the default value with the name of the desired attribute value.
- The name field is the “friendly” name of the user to be displayed in the tenant. For Azure AD, change the attribute name from the default value to “name”.
- In this example, the groups, email, and client_id attributes are configured properly, therefore, they do not need to be altered.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
- The sub field is the subject of the token sent from Azure AD. This is normally a unique identifier and will represent the UserID of the user in the tenant. In this example, the value “sub” is left and appid is removed. To use a different claim from the token, replace the default value with the name of the desired attribute value.
- Scroll down to the Advanced options and expand the menu. Slide the Email verified override option ON to ensure Azure AD validation works. Scope does not have to be supplied.
- The Post logout redirect URI is not required for Azure AD because upon logging out the user will be sent to the Azure log out page.
- Click the Save button at the bottom of the configuration to save the configuration. A message will appear confirming intent to create the identity provider. Click the Save button again to start the validation process.
- The validation procedure begins by redirecting the person configuring the IdP to the login page for the IdP.
- After successful authentication, Azure AD will confirm that permission should be granted for this user to the tenant. Click the Accept button.
- If the validation fails, the validation procedure will return a window like the following.
- If the validation succeeds, the validation procedure will return a mapped claims window. If the validation states it cannot map the user's email address, it is most likely because the email_verified switch has not been turned on. Go ahead and confirm, move through the remaining steps, and update the configuration as per the previous step. Re-run the validation to map the email.
- After confirming the information is correct, the account used to validate the IdP may be elevated to a TenantAdmin role. It is strongly recommended to do make sure the box is checked before clicking continue.
- The next to last screen in the configuration will ask to activate the IdP. By activating the Azure AD IdP in the tenant, any other identity providers configured in the tenant will be disabled.
- Success.
- Please log out of the tenant and re-authenticate using the new identity provider connection. Once logged in, change the url in the address bar to point to https://<tenanthostname>/api/v1/diagnose-claims. This will return the JSON of the claims information Azure AD sent to the tenant. Here is a slightly redacted example.
- Verify groups resolve properly by creating a space and adding members. You should see friendly group names to choose from.
Recap
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
Addendum
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Related Content (VIDEO)
Qlik Cloud: Configure Azure Active Directory as an IdP
-
How to get started with ServiceNow in Qlik Application Automation
This article provides information on how to get started with the ServiceNow connector in Qlik Application Automation.The connector for ServiceNow is m... Show MoreThis article provides information on how to get started with the ServiceNow connector in Qlik Application Automation.
The connector for ServiceNow is making use of Basic Authentication. To connect you will also need the name of your instance.Authentication and Authorization
When you connect to ServiceNow in Qlik Application Automation you will be presented with the following screen.
You can obtain the instance name from the URL that you use to access ServiceNow. You can use your username / password of your account provided it has enough privileges for what you aim to do. It is recommended to create a service account for integrations and limit it's roles to what is necessary.Working with the ServiceNow blocks
Most of the blocks for the ServiceNow connector make use of the Table API of ServiceNow.
ServiceNow documentation for the Table API can be found at: https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/c_TableAPIThe following data types have easy to use blocks for all CRUD operations:
• Incident
• Change Task
• Problem
• Change RequestFurthermore it is possible to work with user objects, listing journal items, audit lines, obtaining and adding attachments.
When modifying or deleting objects from the Table API, make sure to be using the "sys_id" field of objects as the identifier.Custom API blocks
With the blocks "get table content by id", "create table content", "delete table content", "update table content", "list table content", it is possible to work with every object through the use of the Table API. These blocks also allow you to look up the name of a table with the "do lookup" functionality. As this lookup obtains information from the sys_db_object table in ServiceNow, it's possible that this lookup does not work due to your permissions.
There is also a "Raw API Request" available. This block allows providing your own sub path starting from the Base URL of ServiceNow, HTTP method and optionally a JSON body.
This can be used to contact other API groups than the Table API of ServiceNow as well as custom scripted API's.The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
-
Qlik Replicate and MSSQL: backup logs are removed after the task has processed t...
With Microsoft SQL as an endpoint, Qlik Replicate can be set up to Delete processed backup logs. When the delete processed backup logs option is enabl... Show MoreWith Microsoft SQL as an endpoint, Qlik Replicate can be set up to Delete processed backup logs.
When the delete processed backup logs option is enabled, logs are deleted after a task processed the given log. This can lead to other tasks needing the log to complain about the missing log.
This is working as intended. Qlik Replicate tasks do not communicate with each other.
Resolution
Disable Delete processed backup logs.
- Open the MSSQL endpoint
- Open the Advanced tab
- Uncheck Delete processed backup logs
This will retain all log files. The files will need to be manually deleted.
As such, we advise reviewing latency and once it is zero, deleting the old logs. If Qlik Enterprise Manager has been deployed, we advise using API calls to check latency and to create a PowerShell script to delete the old files to automate the process.
Environment
-
Upgrading and unbundling the Qlik Sense Repository Database using the Qlik Postg...
In this article, we walk you through the requirements and process of how to upgrade and unbundle an existing Qlik Sense Repository Database (see suppo... Show MoreIn this article, we walk you through the requirements and process of how to upgrade and unbundle an existing Qlik Sense Repository Database (see supported scenarios) as well as how to install a brand new Repository based on PostgreSQL. We will use the Qlik PostgreSQL Installer (QPI).
For a manual method, see How to manually upgrade the bundled Qlik Sense PostgreSQL version to 12.5 version.
Using the Qlik Postgres Installer not only upgrades PostgreSQL; it also unbundles PostgreSQL from your Qlik Sense Enterprise on Windows install. This allows for direct control of your PostgreSQL instance and facilitates maintenance without a dependency on Qlik Sense. Further Database upgrades can then be performed independently and in accordance with your corporate security policy when needed, as long as you remain within the supported PostgreSQL versions. See How To Upgrade Standalone PostgreSQL.
Index
- Supported Scenarios
- Upgrades
- New installs
- Requirements
- Installing anew Qlik Sense Repository Database using PostgreSQL
- Qlik PostgreSQL Installer - Download Link
- Upgrading anexisting Qlik Sense Repository Database
- The Upgrade:
- Finalizing the Upgrade/Uninstalling the old Database Service:
- Compatibility with PostgreSQL installers
- Troubleshooting
- Video Walkthrough
- Related Content
Supported Scenarios
Upgrades
The following versions have been tested and verified to work with QPI 1.3.0 (May 2023):
February 2022 to May 2023.
If you are on any version prior to these, upgrade to at least February 2022 before you begin.
Note that November 2022 and later do not support 9.6, and a warning will be displayed during the Qlik Sense upgrade.
New installs
The Qlik PostgreSQL Installer supports installing a new Qlik Sense Repository Database cluster on a new server, setting up a new environment or migrating an existing Database to a separate host.
Requirements
- Review the QPI Release Notes before you continue
- Using the Qlik PostgreSQL Installer on a patched Qlik Sense version can lead to unexpected results. If you have a patch installed, either:
- Uninstall all patches before using QPI or
- Upgrade to an IR release of Qlik Sense which supports QPI
- This installer will not detect a standalone PostgreSQL database installed by any other means, other than through an official Qlik installer package.
- The user who runs the installer must be an administrator.
- The backup destination must have sufficient free disk space to dump the existing database
- The backup destination must not be a network path or virtual storage folder. It is recommended the backup is stored on the main drive.
- The installer itself does not provide an automatic rollback feature.
- There will be downtime during this operation, please plan accordingly
Installing a new Qlik Sense Repository Database using PostgreSQL
- Run the Qlik PostgreSQL Installer as an administrator
- Click on Install
- Accept the Qlik Customer Agreement
- Set your Local database settings and click Next. You will use these details to connect other nodes to the same cluster.
- Set your Database superuser password and click Next
- Set the database installation folder, standard: C:\Program Files\PostgreSQL\14
- Set the database data folder, standard: C:\Program Files\PostgreSQL\14\data
- Review your settings and click Install, then click Finish
- Start installing Qlik Sense Enterprise Client Managed. Choose Join Cluster option.
The Qlik PostgreSQL Installer has already seeded the databases for you and has created the users and permissions. No further configuration is needed. - The tool will display information on the actions being performed. Once installation is finished, you can close the installer.
If you are migrating your existing databases to a new host, please remember to reconfigure your nodes to connect to the correct host. How to configure Qlik Sense to use a dedicated PostgreSQL database
Qlik PostgreSQL Installer - Download Link
Download the installer here.Qlik PostgreSQL installer version 1.3.0 Release Notes
Upgrading an existing Qlik Sense Repository Database
The following versions have been tested and verified to work with QPI 1.3.0 (May 2023):
February 2022 to May 2023.
If you are on any version prior to these, upgrade to at least February 2022 before you begin.
Note that November 2022 and later do not support 9.6, and a warning will be displayed during the Qlik Sense upgrade.
The Upgrade:
- Stop all services on rim nodes
- On your Central Node, stop all services except the Qlik Sense Repository Database
- Run the Qlik PostgreSQL Installer. An existing Database will be detected.
- Highlight the database and click Upgrade
- Read and confirm the (a) Installer Instructions as well as the Qlik Customer Agreement, then click (b) Next.
- Provide your existing Database superuser password and click Next.
- Define your Database backup path and click Next.
- Define your Install Location (default is prefilled) and click Next.
- Define your database data path (default is prefilled) and click Next.
- Review all properties and click Upgrade.
The review screen lists the settings which will be migrated. No manual changes are required post-upgrade. - The upgrade is completed. Click Close.
- Open the Windows Services Console and locate the Qlik Sense Enterprise on Windows services.
You will find that the Qlik Sense Repository Database service has been set to manual. Do not change the startup method.
You will also find a new postgresql-x64-12 service. Do not rename this service. - Start all services except the Qlik Sense Repository Database service.
- Start all services on your rim nodes.
- Validate that all services and nodes are operating as expected. The original database folder in C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\X.X_deprecated
If the upgrade was unsuccessful and you are missing data in the Qlik Management Console or elsewhere, contact Qlik Support.
Finalizing the Upgrade/Uninstalling the old Database Service:
Before upgrading Qlik Sense Enterprise on Windows to the next major release
- for example: November 2022 or higher versions,
The old Qlik Sense Repository Database service must be removed from the server.
Perform the following steps to delete the Qlik Sense Repository Database Service:
- Open a command prompt and run the command:
cd "C:\ProgramData\Package Cache" - From there, run:
If 9.6:
From "c:\ProgramData\Package Cache\"
Run following command: dir /s PostgreSQL.msi
If 12.5:
From "c:\ProgramData\Package Cache\"
Run following command: dir /s PostgreSQL125.msi - The folder containing the msi will be revealed.
- Right-click on the msi file and select uninstall from the menu.
Compatibility with PostgreSQL installers
This version of the upgrade tool is fully compatible with the official PostgreSQL installers from https://www.enterprisedb.com/downloads/postgres-postgresql-downloads.
If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can simply install the latest PostgreSQL version (within your major release).
Example: You have used the old QPI to upgrade to 12.5. You can now easily upgrade to a later version in the same major release, such as 12.15.
Troubleshooting
- If the installation crashes, the server reboots unexpectedly during this process, or there is a power outage, the new database may not be in a serviceable state. Installation/upgrade logs are available in the location of your temporary files, for example:
C:\Users\Username\AppData\Local\Temp\2
A backup of the original database contents is available in your chosen location, or by default in:
C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\backup\X.X
The original database data folder has been renamed to:
C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\X.X_deprecated - Upgrading Qlik Sense after upgrading PostgreSQL with the QPI tool fails with:
This version of Qlik Sense requires a 'SenseServices' database for multi cloud capabilities. Ensure that you have created a 'SenseService' database in your cluster before upgrading. For more information see Installing and configuring PostgreSQL.
See Qlik Sense Upgrade fails with: This version of Qlik Sense requires a _ database for _.
To resolve this, start the postgresql-x64-XX service.
Video Walkthrough
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support. The video in this article was recorded in a earlier version of QPI, some screens might differ a little bit.
Related Content
Qlik PostgreSQL installer version 1.3.0 Release Notes
Techspert Talks - Upgrading Qlik Sense Repository Service
Backup and Restore Qlik Sense Enterprise documentation
Migrating Like a Boss
Optimizing Performance for Qlik Sense Enterprise
Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL
How-to reset forgotten PostgreSQL password in Qlik Sense
How to configure Qlik Sense to use a dedicated PostgreSQL database
Troubleshooting Qlik Sense Upgrades -
Qlik Replicate and Qlik Enterprise Manager: Error The requested security protoco...
Accessing the Qlik Replicate or Qlik Enterprise Manager console errors out with the following: SYS,GENERAL_EXCEPTION,The requested security protocol i... Show MoreAccessing the Qlik Replicate or Qlik Enterprise Manager console errors out with the following:
SYS,GENERAL_EXCEPTION,The requested security protocol is not supported.
After an upgrade of Windows to Windows 2019, the previously installed .NET 4.8 install may be reverted to an older .NET version. A reinstall of .NET may be required.
Qlik Replicate and Qlik Enterprise Manger require .NET framework 4.8 or later. See Windows software requirements.
To verify the currently installed .NET Framework version, open a command line prompt and run:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
A typical output looks like (in my sample the .NET Framework 4.8 was installed):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full
version REG_SZ 4.8.03761Resolution
Once you have confirmed that the wrong .NET Framework version is listed, reinstall .NET Framework 4.8.
.NET Framework 4.8.1 is not supported until Windows Server 2022 version, so version 4.8 is required.
This is .NET Framework 4.8 English edition Offline Installer from Microsoft Download Center.
Environment
-
Qlik Replicate Global Transformation: Soft Delete Limitation
Global expressions are not propagated to all tables. Defining a soft delete transformation can be done on each individual table as needed. However, i... Show MoreGlobal expressions are not propagated to all tables.
Defining a soft delete transformation can be done on each individual table as needed. However, if you want to do it for all tables in the task you will want to use a Global Transformation.
IssueThe issue manifested when defining a Global Expression to do a soft delete.
The field is supposed to be automatically added to all tables in the task. The field was not added to all tables. It was random results as some tables had the field and others did not.
When reviewing the process of defining the expression we noticed there are two screens which would allow you to enter the expression.
When we used both the Transformation Scope / Advanced Options screen and the Transformation Action / Value screen, not all tables got the field.Example: Transformation Scope, with Advanced Options expanded:
Resolution-
Use Transformation Action > Value instead and leave the Transformation Scope > Advanced option blank.
This resulted in all tables getting the field added. -
If you have already entered the expression in the Transformation Scope > Advanced Option, remove the expression.
Environment
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
Related Content
Transformation - Operation Indicator - Archive User - Soft Delete
-
-
PostgreSQL: postgresql.conf and pg_hba.conf explained
It is important to understand the options which PostgreSQL uses to allow connectivity. These principles are valid no matter whether you are using the ... Show MoreIt is important to understand the options which PostgreSQL uses to allow connectivity. These principles are valid no matter whether you are using the Qlik Sense Repository Database service to host the database or using a standalone PostgreSQL instance. The two key files which PostgreSQL uses to define who can connect, how they connect, where they can connect from, and how many connections are allowed are:
For bundled PostgreSQL instances, the files are located in:C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\x.x
If you have unbundled PostgreSQL using the Qlik PostgreSQL installer (QPI), the default location is:
C:\Program Files\PostgreSQL\xx\data
For any other standalone PostgreSQL instances, consulting with your database admin to locate the data directory.
Note: Any changes to these files will require a restart of the Qlik Sense Repository Database or PostgreSQL.
Note: Any lines prefixed with a # are commented out and not active.postgresql.conf
In the postgresql.conf, in a basic Qlik Sense configuration, there are two key configuration options which are important:
- listen_addresses
- This configuration defines which NICs PostgreSQL will listen on. For standalone PostgreSQL servers or multi-node Qlik Sense sites, the recommended setting is * (example below). This allows PostgreSQL to bind to any NICs presented to the server. Multiple comma-separated DNS entries may be added as well. (e.g. listen_addresses = 'localhost,QlikServer2.domain.local' ) More advanced configurations are possible here but will not be covered in this guide.
- max_connections
- This configuration defines how many connections PostgreSQL will allow. It is best to use a rule of thumb of about 110 connections per node +20. For example, for 4 nodes set to 460. See Installing Qlik Sense in a multi node for more details.
Where these lines are can vary but an expected single node Qlik Sense site would look like this:
listen_addresses = '*' max_connections = 100
pg_hba.conf
The pg_hba.conf file defines a variety of aspects:
- What IP addresses or ranges can connect to PostgreSQL and for what accounts
- What method of authentication those IP ranges / accounts can use
- For more details on configuration options for IP listeners, such as samenet, see https://www.postgresql.org/docs/9.6/auth-pg-hba-conf.html
# TYPE DATABASE USER ADDRESS METHOD # IPv4 local connections: host all all 127.0.0.1/32 md5 # IPv6 local connections: host all all ::/0 md5 # Allow replication connections from localhost, by a user with the # replication privilege. #host replication postgres 127.0.0.1/32 md5 #host replication postgres ::1/128 md5 host all all 0.0.0.0/0 md5
In this example pg_hba.conf file there two active lines. The first line specifies that all users can connect to all databases from the local loopback IP using MD5 authentication (host all all 127.0.0.1/32 md5). The second line specifies that all users can connect to all databases from any valid IPv4 address using MD5 authenication (host all all 0.0.0.0/0 md5)
Please review our help for references to more sophisticated configurations where specific IP addresses or IP address ranges are covered.
To recap, when ensuring connectivity in a Qlik Sense Shared Persistence environment, especially a multi-node site, the core configurations which are needed are:- PostgreSQL configured to listen to an external IP address (listen_address in postgresql.conf)
- Sufficient connections available for Qlik Sense (max_connections in postgresql.conf)
- Explicit allowing the IP address which is used to connect (pg_hba.conf)
- listen_addresses
-
Qlik Application Automation - How to get started with the Qlik Platform Operatio...
This article gives an overview of the available blocks in the Qlik Platform Operations connector in Qlik Application Automation. The purpose of the Ql... Show MoreThis article gives an overview of the available blocks in the Qlik Platform Operations connector in Qlik Application Automation.
The purpose of the Qlik Platform Operations connector is to simplify the deployment and management of multiple tenants within Qlik Cloud. To learn more about the multitenant model in Qlik Cloud, please review the following series of tutorials.
This connector consists of:
- Authentication to Qlik Cloud using OAuth2.
- Support for deploying tenants with a multitenant-enabled Qlik Cloud license, using the Create tenant block.
- Support for managing apps, spaces, automations, groups, identity providers, licenses, and users within the deployed tenants.
- Metadata support, using, for example, the Update tenant auto license assign settings block.
To authenticate, you will need to provide your OAuth2 client ID and client secret. If you have a multitenant license, enter a regional OAuth client (generated via My Qlik) or a tenant OAuth client (generated from within a tenant). Note that only regional OAuth clients can create new Qlik Cloud tenants. In order to use your own tenant, you need to create an OAuth m2m client (trusted) in the management console on your tenant. For more information, please check this article.
Most blocks require a specified tenant as the target. A tenant is uniquely identified by name and the region that it is deployed to. For example, for mytenant.eu.qlikcloud.com, enter mytenant.eu. You can use the Get Tenant Name and Region block to obtain the tenant from a full URL.
Let's now go over a basic example of how to deploy a tenant, create an automation inside the deployed tenant and run it using the Qlik Platform Operations:
- Create a new automation.
- From the Block library menu on the left side of the screen, select the Qlik Platform Operations connector.
- Use the Search for blocks input to search for the Create tenant block.
- Drag and drop the block into the automation and link it to the start block.
- On the Block configuration menu on the right side of the screen, use the input fields to add the information about the tenant: the Qlik Cloud region (for example, sg for Singapore) and the signed license key:
- Use the Search for blocks input to search for the Create Automation block, drag and drop it into the automation and link it to the Create tenant block. Before creating an automation, we need to update the license of the newly created tenant using the Update tenant auto license assign settings block. You can use the Get tenant name and Region block to get the tenant name from the full URL.
- On the Block configuration menu on the right side of the screen, use the input fields to fill in the information about the automation. In the tenant field, use the example output from the previous block to add the ID.
- Repeat the same steps for the Run automation and Get Automation Run blocks.
- Run the automation. This will deploy a new tenant within your Qlik Cloud License in the Singapore region, create an automation inside this tenant, run it, and return the result.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.
-
Qlik Sense May 2023 Patch 3 causes REST connection error: "WITH CONNECTION" is n...
After an upgrade to Qlik Sense Enterprise on Windows May 2023 patch 3 or later, REST connections fail with the following error: "WITH CONNECTION" is ... Show MoreAfter an upgrade to Qlik Sense Enterprise on Windows May 2023 patch 3 or later, REST connections fail with the following error:
"WITH CONNECTION" is not allowed. To allow "WITH CONNECTION", select Allow "WITH CONNECTION" in the connector settings.
The Allow WITH CONNECTION option is not exposed in the REST Connector GUI and cannot be changed.
Qlik Sense Enterprise on Windows August 2023 and later are not affected.
Resolution
To resolve the issue, upgrade to August 2023.
To manually mitigate the issue in the May release branch, replace the qsdfw_qsefw_qlikview.qliksourceconfig file. Qlik is investigating a solution which does not require manual intervention.
Backup the affected file before continuing with the workaround. When taking the backup, do not keep the backed up file in the same folder. (see end notes)
- On each Qlik Sense Server node, navigate to: C:\Program Files\Common Files\Qlik\Custom Data\QvRestConnector\
- Locate qsdfw_qsefw_qlikview.qliksourceconfig
- Replace qsdfw_qsefw_qlikview.qliksourceconfig with the file attached to this article.
- This resolves the issue.
Subscribe to this article or monitor the release notes for information on an automated fix.
End notes:
The folder C:\Program Files\Common Files\Qlik\Custom Data\QvRestConnector can only contain one qliksourceconfig file with correct name: qsdfw_qsefw_qlikview.qliksourceconfig
If there are two qliksourceconfig files (even with different names, such as a backup), the first one in alphabetical order will be chosen.Cause
QB-20735
Environment
Qlik Sense Enterprise on Windows May 2023 Patch 3 and later
Does not affect August 2023 and later releases.
Internal Investigation ID(s)
QB-20735
-
Failed to load properties. No data found error when opening Qlik Sense Managemen...
The Qlik Sense PostgreSQL database was previously updated and unbundled using the Qlik PostgreSQL Installer (QPI). Following an upgrade of Qlik Sense ... Show MoreThe Qlik Sense PostgreSQL database was previously updated and unbundled using the Qlik PostgreSQL Installer (QPI).
Following an upgrade of Qlik Sense Enterprise on Windows, the Qlik Repository Service may not start or the Management Console open to the following error:
Failed to load properties. No data found.
Environment
Qlik Sense on Windows May 2023 (upgraded to)
Previous use of Qlik PostgreSQL Installer (QPI) while Qlik Sense had a patch installedResolution:
Repair the installation. See Repairing an installation.
Cause
Previously to using QPI, all patches need to be removed. See Requirements for QPI.
Related Content
Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer
Internal Investigation ID(s)
QB-20581
-
Create table error on start up - postgreSQL
When PostgreSQL restart and error message is logged in the windows event logs. Error message: The description for Event ID 0 from source PostgreSQL ca... Show MoreWhen PostgreSQL restart and error message is logged in the windows event logs. Error message:
The description for Event ID 0 from source PostgreSQL cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following informatin was included with the event:
ERROR: relation "nodes" already exists
STATEMENT: CREATE TABLE nodes (
hash BYTEA PRIMARY KEY,
refs INT NOT NULL,
value BYTEA,
value_string TEXT,
datatype TEXT,
language TEXT,
iri BOOLEAN,
bnode BOOLEAN,
value_int BIGINT,
value_bool BOOLEAN,
value_float double precision,
value_time timestamp with time zone
);
This is working by design and a harmless error message. Whenever precedents service starts up, it re-runs the appropriate database initialization request. This is to ensure the required tables exist before it starts using those tables.
Environment:
-
QlikView: Connecting to QMS API using HTTPS
This article explains how to connect to the QMS API using HTTPS with the QVClient certificate.Prerequisites: Certificates trust must be configured in... Show MoreThis article explains how to connect to the QMS API using HTTPS with the QVClient certificate.
Prerequisites:- Certificates trust must be configured in the QlikView environment. Please see Certificate trust
- You will need an API client to connect (see QlikView: Connect to QMS API with Visual Studio on how to create one)
Environment:
Export QVProxy certificate from the QlikView Server machine
- Log into the virtual machine as the user running QlikView services
- Open Microsoft Management Console (Start - Run - mmc)
- Add the Certificates snap in (File - Add/Remove snap-in - Certificates - Add)
- Choose "Computer account" in the dialogue box
- "Local Computer" should be selected
- Next - Finish - OK
- Expand the View: Certificates - Personal - Certificates
- Right click the QVProxy certificate - All Tasks - Export
- Next
- Check the box for exporting the private key and click Next
- Click Next with default options
- Fill in and remember the password (It will be used when importing the certificate)
- Give it a name - put it somewhere where you can reach it from the machine running the client - Finish
Import QVProxy certificate to the machine running the client
- Open Microsoft Management Console (Start - Run - mmc) on the computer running the client
- Add the Certificates snap-in (File - Add/Remove snap-in - Certificates - Add)
- Choose "Computer account" in the dialogue
- "Local Computer" should be selected
- Next - Finish - OK
- Expand the View: Certificates - Personal - Certificates
- Right-click on the Certificates folder - All tasks - Import
- Next
- Look for the exported file (change the type to .pfx)
- Next
- Type in the password
- Choose Personal store
- Done
Modify the QMS Service reference to use HTTPS
In Visual Studio, once you have followed the procedure in QlikView: Connect to QMS API with Visual Studio then you can just right-click on the QMS API reference in the solution explorer and choose "Configure service reference".
Modify "http" to "https" in the connection address.
Modify app.config in the client codeIn Visual Studio solution explorer, find App.config and double-click to edit it.
This customization is provided as is. Qlik Support cannot provide continued support of the solution. For assistance, reach out to our Professional Services or engage in our active Integrations forum.
Add this section to the app.config inside the <system.serviceModel> ... </system.serviceModel> tags:
<behaviors> <endpointBehaviors> <behavior name="ServiceKeyEndpointBehavior"> <clientCredentials> <clientCertificate findValue="CN=QVProxy" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="My" /> <serviceCertificate> <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/> </serviceCertificate> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> Note:If you get the following error "The client certificate is not provided. Specify a client certificate in ClientCredentials." add behaviorConfiguration="ServiceKeyEndpointBehavior" to all of the "endpoint" sections in the app.config -
How to enable Data Encryption In Qlik Sense Enterprise On Windows
Qlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files. This feature was originally introduced in September 2019 as a fe... Show MoreQlik Sense allows for Data Encryption for Qlik Sense Apps (QVF) and Data (QVD) Files.
This feature was originally introduced in September 2019 as a feature flag and fully implemented in the Management Console in November 2019.
This article includes instructions for both.
Qlik Sense Engine can encrypt data by using a data encryption key (DEK), which is generated from a certificate based key encryption key (KEK). The DEK is unique to each encrypted file and is stored along side the encrypted data (inside the QVF and QVD files) in an encrypted format using RSA. The industry standard AES-256 GCM is used as the data encryption algorithm. Decryption requires access to the same certificate as used during encryption, which mean that the KEK certifcate thumbprint in certificate store must match the thumbprint used for the DEK generation.
For Qlik Sense Enterprise on Windows November 2019 and later
Data encryption can be enabled in the Service Cluster configuration of the Qlik Sense Management Console. See the Online Help at Qlik Sense Enterprise on Windows > Administer Qlik Sense Enterprise on Windows > Managing a Qlik Sense Enterprise on Windows site > QMC resources overview > Service cluster > Data encryption
Detailed Instructions with Example
This is a simple example of how to explore data encryption in Qlik Sense Enterprise on Windows.
- Create a new sample app, like the attached ascii-table.qvf
- Add a simple script to generate an ASCII table
ASCII: Load if(RecNo()>=65 and RecNo()<=90,RecNo()-64) as Num, Chr(RecNo()) as AsciiAlpha, RecNo() as AsciiNum autogenerate 255 Where (RecNo()>=32 and RecNo()<=126) or RecNo()>=160 ;
- Create a folder connection to a folder where the QVD can be written
- Generate QVD of a data table. Note, change the lib:// reference to match a valid data connection
STORE ASCII INTO [lib://MyData (domain_administrator)/ascii.qvd] (QVD);
- Add a simple script to generate an ASCII table
- Reload the app
- Copy the app and qvd files to allow comparison after enabling encryption
- Default app location: C:\ProgramData\Qlik\Sense\Apps
- The QVD location is per app's folder data connection path
- Create a certificate to test, following Encryption Certificates.
- Run Powershell as Qlik Sense service account or login to Windows as Qlik Sense service account
Note, this is to make the generated cert available to service account. - Generate a self-signed certificate to use as an encryption key
Windows Server 2016
New-SelfSignedCertificate -Subject "QlikSenseDataEncrytion" ` -KeyAlgorithm RSA ` -KeyLength 4096 ` -Provider "Microsoft Software Key Storage Provider" ` -KeyExportPolicy ExportableEncrypted ` -CertStoreLocation "cert:\CurrentUser\My"
Windows Server 2012 R2New-SelfSignedCertificate -DnsName "QlikSenseDataEncrytion" ` -CertStoreLocation "cert:\CurrentUser\My" - Validate that cert is available
- Run Powershell as Qlik Sense service account or login to Windows as Qlik Sense service account
- Get the cert thumbprint from generation result. This thumbprint can be used as key-encryption key (KEK) by Qlik Sense.
Note: When copying the certificate thumbprint, an invisible character may be added at the beginning of the certificate thumbprint. Verify the thumbprint before executing the command in PowerShell: - Enable encryption in Service Cluster settings per Data Encryption
- Restart Qlik Sense Engine service
- Reload app to generate data encryption keys (DEK) for encrypted QVF and QVD file.
Disable Encryption
Files remain encrypted after disabling encryption until next following app reload or QVD generation.
- Disable encryption in QMC > Service Cluster
- Uncheck both encryption options
- Remove encryption key
- Restart Qlik Sense Engine Service on all nodes
- Complete full successful app reload cycle, including QVD generators
- All QVF files have been decrypted
- All QVD files have been decrypted
File Comparison
Compare the unencrypted and encrypted files to validate successful encryption
Qlik Sense app (.qvf) file is a binary file, which makes it harder to visually confirm the encryption effect.
Encrypted app files have multiple references to ciphertext, which in turn refers to secrets used for the encryption.
App file without encryption has no such references. The cypher text portion of QVF represents the data encryption key (DEK) used to encrypt the app data and bookmarks.
Encrypted data (.qvd) files has "Encryption Info" defined, which includes the data encryption (DEK) references.
Data part is also significantly different, even though both version have exactly the same static data content.Encryption Scope
- Encryption only applies at rest, meaning when stored on disk.
- Data in memory is not encrypted
- Exported app (QVF) file is not encrypted
- Encrypted file (from apps storage folder) can not be imported in an other Qlik Sense instance.
The import fails as the importing server is unable to parse the encrypted file.
For Qlik Sense Enterprise on Windows September 2019
Data encryption feature was soft-launched in September 2019 release. This means that the feature and functionality were included in the release, but are not enabled and exposed by default in the product.
- Edit Capability Service configuration. Default location; C:\Program Files\Qlik\Sense\CapabilityService\capabilities.json
- Add DATA_ENCRYPTION flag and set it to enabled.
{ "contentHash": "10159d595f5fa3bd250e90f30b1b7bf3", "originalClassName": "FeatureToggle", "flag": "DATA_ENCRYPTION", "enabled": true } - Restart Qlik Sense Service Dispatcher and Qlik Sense Engine services
- Repeat steps 1-3 on each node in Qlik Sense deployment
Related Content:
Qlik Sense on Windows: Data Encryption Key Rotation
Using Server Certificates for Data Encryption
- Create a new sample app, like the attached ascii-table.qvf
