Skip to main content
Announcements
Qlik Community Office Hours, March 20th. Former Talend Community users, ask your questions live. SIGN UP

Qlik Licensing Service Reference Guide

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Andrew_Delaney
Support
Support

Qlik Licensing Service Reference Guide

Last Update:

Nov 3, 2023 5:22:03 AM

Updated By:

Sonja_Bauernfeind

Created date:

Apr 24, 2019 10:07:42 AM

Content

 

Background

Qlik Products have generally utilized license keys to enforce license entitlements and use rights.  During activation, the licensed entitlement is downloaded to the product in the format of a Licensing Enabler File (LEF). Activation requires internet connectivity to the deployment and is triggered by entering a 16-digit serial number and a corresponding control number. Offline activation is also supported using a manual LEF by copying and pasting a text file into the activation user dialog. Communication is through an http protocol.

Qlik Licensing Service (QLS)

Introduced with the February 2019 release[GM1]  of Qlik Sense Enterprise, Qlik has developed an alternative process for product activation. There have been several drivers for this change, including a move to an https protocol for a more secure connection between the Customer deployment and Qlik infrastructure. More information follows below. 
 
To allow for Customers to make the decision when to move, Qlik has introduced the use of a Signed License Key to determine which activation method to use. Over time Qlik Licensing Service will replace the current activation process, but for now both methods of activations will work.

Signed License Key (JWT)

As mentioned above, Qlik has added one additional way to activate Qlik products. 

What is a JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWT’s can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
 
Although JWT’s can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it. That is why we refer to this as the Signed License Key.

What’s in this for me as a Customer?

With the use of a Signed License Key, there are more Product and deployment offers to use.

  • Use of multi-site deployments, such as connecting a Qlik Sense Enterprise site with a QlikView Server deployment using Qlik Sense Enterprise license options. This is enabled by accepting a Dual-Use offer for each QlikView deployment that should be enabled for a Unified License scenario.
  • Use of multi-geo deployments, such as having Qlik Sense Enterprise sites in different locations using the same list of users.
  • Use of the consumption-based license, Qlik Sense Enterprise Analyzer Capacity. This additional user license is possible to use in a single or multi-cloud scenario.

All of the above is enabled by the use of the Signed License Key. This made possible as the local deployment will sync entitlement data with all deployment’s using the same Signed License Key through an online database, License Backend, hosted by Qlik within Qlik Cloud.

Activation Using the Signed License Key

This is initiated by entering a Signed License Key to the Control Panel. The request is performed by the service Licenses using port 443 (https protocol procedures applies).

 

Signed license Key 
Example data
A Signed License Key based on one of Qlik’s internal keys.
 
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImEzMzdhZDE3LTk1ODctNGNhOS05M2I3LTBi
MmI5ZTNlOWI0OCJ9.eyJqdGkiOiI2MjNhYTlhZi05NTBmLTQ3ZjctOGJmMC1mNGQzOWY0MmQ5N
mMiLCJsaWNlbnNlIjoiOTk5OTAwMDAwMDAwMTI1MyJ9.YJqTct2ngqLfl2VP3jxW4RsDNK2MTL-BpJ
WnBdIfF5gGbJcX0hc__tfIa2ab5ZrL9h6tsZxTwgucTFiRTAOz8PaOQP7JTnhPCyrBZwpnmhvCrSHx2
C-HbCARFUIueBzMg8fgvWH-3HxBuxx6jnDhekDTUbb12vBq7CySampJkgMT7QsDdUkeJy5E7O0U
8yhd1RtEDeuTbeX35eIdQUN4DyJWHHPiT9qZt1AV0_Ofe1iLKxYZMa5jC0kIsVwYnRCJzibZlrLE7mS
VlNitxmcm8OoUrR_ZIk8VuOkoz_qqy8N_wwrt7FcT2slWz50XzuL8TIWY9mcGIL

Frequency in which license information is updated

Assignment information (what user has what type of access assigned) is synchronized from the license service to license.qlikcloud.com every 10 minutes. 
Changes to a license (such as adding additional analyzer capacity) can take up to 24 hours to be retrieved.

Data Transmitted by an Activation Request

Data Element Comment Example Data
Signed License Key   See above
Cause Initial or Update “Initial”
User agent build by the License service version (operating system) and Product (e.g. QSEfW, QCS, QSEfE, QV) Licenses/1.6.4 (windows) QSEfW

Activation Reply

Data Element Comment Sample Data
License definition content variable based on product and entitlement "name": "analyzer_time", "usage": {"class": "time",
              "minimum": 5},
            "provisions": [{                "accessType":"analyzer"}            ],"units": [{"count": 200, "valid": "2018-06-01/2018-12-31"}]},
"name": "professional",
  "usage": { "class": "assigned",
  "minimum": 1 },                "provisions": [{
  "accessType": "professional" }],"units": [{ "count": 10, "valid": "" }]}

Analyzer Capacity License Report Process

(Time schedule is not disclosed and includes grace time to support outages in the internet connection, a/k/a Optimistic Delegation.)

Data Transmitted

Data Element Comment Sample Data
Signed License Key 
 
  See above
Array Element id Used for internal match only 1
Allotment name alternatives are Analyzer_Time, Core_Time “analyzer_time”
Year/Month YYYY-MM 2018-11
Consumption for this deployment since last sync 242
Source hashed ID to make each deployment unique, e.g. a Qlik Sense Enterprise on Windows and a Qlik Sense Enterprise on Kubernetes will have different Source ID's fbe89d02-6d24-4595-915e-c52ce76f2195
 
User agent same construct as for as activation request Licenses/1.6.4 (windows) QSEfW

Sync Reply

Data Element Comment Sample Data
Total consumption Used by the Product for enforcement. Deny access will be executed if quota has been exceeded. Quota is set in the LEF.
Additional quota for the month could be managed as Overage in the LEF. This would contain an Overage Value (COUNT) or the value YES.
 
Total quota for the month is calculated as licensed quota + Overage quota. If the LEF contains the value YES, there will be no cap on the capacity for the Year/Month.
12345

User Assignment Sync Process

Data Transmitted

Data Element Comment Sample Data
Signed License Key   See above
Allotment name  Professional / Analyzer “professional”
Subject Domain / User ID;
if this an add or delete transaction. By delete the subject will be removed immediately. An internal id will be used to secure sync to other deployments using the same Signed License Key. The internal id will disappear within 60 days after a delete transaction.
(This information is stored for all assigned users until such a time that the assignment is deleted at which point it is deleted. The information is used for synchronizing assignments across deployments in order to facilitate the single-license-multi-deployment scenario. It is encrypted in transit and at rest.)

 

 

“acme\bob”

 

(For information on how data is submitted and stored in the audit logs see here)

User agent Build by the License service version (operating system) and Product (e.g. QSEfW, QCS, QSEfE, QV) Licenses/1.6.4 (windows) QSEfW
Source Hashed ID to make each deployment unique, e.g. a Qlik Sense Enterprise on Windows and a Qlik Sense Enterprise on Kubernetes will have different Source ID's fbe89d02-6d24-4595-915e-c52ce76f2195
 
Sync metadata Versioning information about the subjects and list of subjects to manage the synchronization process { "source": "my assignments",
    "bases": [{ "license": "1234 1234 1234 1234",
 "version": 0 }], "patches": [{
 "instance": "", "version": 0,
            "license": "1234 1234 1234 1234", "allotment": "analyzer", "subject": \\generated4, "created": "2019-04-18T10:01:35.024031Z" }
 

Reply from License Backend 

Data Element Comment Sample Data
Signed License Key   See above
Subject Including subjects changed by other deployments “acme\bob”
Sync metadata Versioning information about the subjects and list of subjects to manage the synchronization process { "bases": [{ "license": "1234 1234 1234 1234",  "version": 17 }], "patches": [{ "instance": "5382018630938057025",
      "version": 14,
      "license": "1234 1234 1234 1234", "allotment": "analyzer",
      "subject": ACME\\bob",
      "created": "2019-04-18T10:01:35.024Z",
      "rejection": "" }]

 
This Reference Guide is intended solely for general informational purposes and its contents do not form part of the product documentation.  The information in this guide is subject to change without notice.  ALL INFORMATION IN THIS GUIDE IS BELIEVED TO BE ACCURATE BUT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.  Qlik makes no commitment to deliver any future functionality and purchasing decisions should not be based upon any future expectation.

 
 

Related Content:

Offline User Assignment Log 

Labels (1)
Comments
Anil_Babu_Samineni

@Andrew_Delaney 

Good post and it helps to dig and upgrade. I got one question. For this "Activation Using the Signed License Key".

Does Port 443 need to enabled? By Default, Qlik will listen 443 only (Do we still need more on this)

https://license.qlikcloud.com ? For this, I can talk to URL from my machine where as I can't listen that and accessing thru Qlik Sense server? Do we need to provide access to that URL where before apply JWT?

When I applying SLK, I am troubling some issue.

Kindly Acknowledge about your feedback?

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Anil_Babu_Samineni !

When activating a Qlik Sense SLK, port 443 to the license backend needs to be open. 

See comment in this article:

This is initiated by entering a Signed License Key to the Control Panel. The request is performed by the service Licenses using port 443 (https protocol procedures applies).

 

If you experience any issues when applying the signed license key, I would recommend searching our knowledge base for further assistance. Here is a link with a simple pre-defined query.

Anil_Babu_Samineni

@Sonja_Bauernfeind  I've opened port where as I can't get link to open due to restrict with in my storage in servers due to policy. I hope, I can apply with Key and control number as alternate. And also, I may not finding any different behaviour with SLK vs Control number? Do you think this will behave different?

aniketvasadkar_eq
Contributor III
Contributor III

Hi All, We need to test our license over internet for QLIK VIEW . Do we need to whitelist same url https://license.qlikcloud.com from our servers for port 443 ?

@Sonja_Bauernfeind @Andrew_Delaney 

Andrew_Delaney
Support
Support

Short Answer: Yes

 

If that is not viable, then it is possible to set up a proxy for this service, please see the help at https://help.qlik.com/en-US/qlikview/May2021/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS...

humansoft
Partner - Contributor III
Partner - Contributor III

@Sonja_Bauernfeind @Andrew_Delaney 

I have important question from our customer about online communication to QLS. You mentioned about User Assignment Sync Process: Data Transmitted and Reply from License Backend. Is Subject (user login) in hashed form (like you mentioned here) or unchanged form transmitted to QLS? 

“a24a2f2b67c5e051bcb6cd2d7a9f7ebe” (hashed form) OR “acme\bob” (unchanged form)?

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @humansoft 

I've reached out to our licence team and will update you as soon as I hear back.

All the best,
Sonja 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @humansoft 

We received a reply.

The subject is sent to the backend not hashed. The communication's encryption mechanism is described in this link: Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows.

All the best,
Sonja 

Contributors
Version history
Last update:
‎2023-11-03 05:22 AM
Updated by: