Configuring Qlik Sense Server to JWT Auth

sri_c003 · ‎2017-12-08

Login into QlikSense Management Console
Optionally, configure the existing Central proxy to allow for HTTP connections also.
Head over the MMC to view the certificates, and add the Certificates snap in for local computer as well as current user.
Pick the certificate you inserted, or the one Qlik created when starting up. For simplicity, I used the one Qlik created. Open the certificate, and copy the thumbprint text, and save it. It would be used down the line.
Export the certificate, with all keys.
Install OpenSSL.
Place the exported certificate in a separate folder.
1. Execute the below commands in a command prompt (in the folder).
  1. openssl.exe pkcs12 -in QlikClient.pfx -nocerts -out priv.pem
  2. openssl.exe rsa -in priv.pem -out priv.pem
  3. openssl.exe pkcs12 -in QlikClient.pfx -out privpub.pem
  4. openssl x509 -inform pem -in privpub.pem -pubkey -out pub.pem -outform pem
2. Copy the public key to a text file to be used later.
Head over to Virtual Proxies screen. Click on “Create New” and fill in the details. Be careful about the case, especially when filling in attributes.
1. Identification
  1. Description: Description to identify the proxy in the virtual proxies screen
  2. Prefix: This would be the url on which user would access the application
    1. Example: default url: https://<server>/qmc
    2. Proxy prefix: jwt
    3. New url via proxy: https://<server>/jwt/qmc
2. Authentication
  1. Anonymous access mode: No anonymous user
  2. Authentication mode: JWT
  3. JWT certificate: In the folder we used in step 7 above, open the file pub.pem in notepad or similar application, copy the entire text, and paste the same in the text area.
  4. JWT attribute for user ID: UserId
  5. JWT attribute for user directory: UserDirectory
3. Click on Load Balancing and add the Server to be used by this proxy.
4. Click Apply and save the new virtual proxy.
5. By the end of this step, the virtual proxy screen should show our newly created proxy created, and linked to proxy service.
Head to the users section in QMC, and create/select the user we wish to use with the proxy we created to test if it works as intended.
1. Make a note of the user id, user directory, and any assigned roles.
Open browser window, and open the site https://jwt.io
1. Segment 1: leave as is
2. Segment 2: Update userid, user directory, and any attributes of the user (optional)
3. Segment 3: Paste the public key or the certificate contents
4. Segment 4: Paste the private key (this is only for testing the generated key)
5. Segment 5: Make sure that this says “Signature verified”. If this shows otherwise, make necessary changes in the above segments.
Install any tool to place requests to Qlik Sense server. I am using Postman.
Open postman (or any tool that supports placing requests).
1. Set the request to GET
2. Paste the server url (ensure you have /jwt between server and target page).
  1. https://<server>/jwt/sense/app/<app id>
3. Click on Headers
4. Add a new header – Authorization
5. Under the value enter as below
  1. Bearer <space> <encoded value from step 11 above>
To ensure it is all working fine, verify the following:
1. The response should not show a error 401, and/or a qlik page saying authentication failed at proxy.
2. Ensure the response headers show valid values, and the body portion has valid HTML/data.
That's it!