I am trying to use the example as found in the SDK Docs and attempting to connect to the QMS API but keep getting the error:
> The HTTP request was forbidden with client authentication scheme 'Anonymous'.
I am trying to connect to the QMS API on a developer machine which is on a different network. I installed the certificates on the developer machine by exporting on the Qlikview server and importing on the dev box. Any ideas how I can connect to the QMS API remotely?
Solved! Go to Solution.
Managed to get a solution:
I deleted all certificates.. Rebooted a number of times and allowed Qlikview to recreate all the certificates. It appeared when I did the original export of certificates under the *administrator* account I should of exported it under the user that runs the Qlikview services. To resolve the problem:
This is how I got it to work under other users on the local server box. Previously, all the certificates were marked as valid and were installed following the Qlikview manual line by line. It seems as if this "functionality" hasn't been documented very well.
To get it working remotely, I added the Qlikview Server's name in my hostfile and added the certificates to the Local Computer and Personal times. After this it resolved itsself.
Only challenge yet is how to configure the API in Qlikview to use a FQDN instead of a computer hostname.
As stated in the Server Reference Manual, you also need to be a member of the "QlikView Management API" security group, see page 59: https://d1cf4w4kkla6tb.cloudfront.net/qlikview/11.20/12451/QlikView%20Server%20Reference%20Manual_EN... . Also ensure the ports are open, so easiest way to test that it works is by doing it locally first.
If this fails locally then you might want to start investigating on that end. Ensure the user you are running with is running as an administrator (Right click on the program and select "Run as an administrator") and is a member of "QlikView Administrators", Local "Administrators" and "QlikView Management API" groups.
I would recommend to test with the QMS API Client first, part of the power tools. Then you can test commands too. It is an unsupported product but it is quite neat. Accessible at Power Tools 1.2 for QlikView . Ensure that the service address matches your QMC, that the Service Version is correct and that you automatically retrieve new service key if needed.
Funny you should say that.. tried using QMSClient on the local server today and got this error when trying to get a service key:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'qvapp1:4799'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
Can you access the service URL locally? http://localhost:4799/QMS/Service. If it doesn't work, might want to start in that end. Have you enabled SSL on the QMC? See C:\Program Files\QlikView\Management Service\QVManagementService.exe.config:
|<!-- Use HTTPS instead of HTTP for SSL-encrypted communication. You must configure a certificate for this to work -->|
|<add key="UseHTTPS" value="false"/>|
This setting is by default set to false, and if changed to true and you are using SSL communication, it might be the reason why it fails. Try temporarily changing it, and restart the QMC.
Unfortunately no I am unable to get the http only https, in fact all the services throughout qlikview seem to be only accessible through https (and Qlikview itself seems to be working). Checking the configurations, all of them are set as <add key="UseHTTPS" value="false"/>. Setting to true and restarting the management service unfortunately doesn't change the error.
As a bit more information, its a base/clean installation on a freshly installed OS.
Do you build trust with certificates? Check the same .config file, but instead check:
|<!-- Set to true to enable regular windows authentication between services;|
|set to false to enable certificates and SSL in communication between services -->|
|<add key="UseWinAuthentication" value="true"/>|
If set to false, then that is the reason why. Enabling communication with trust between services, should still make a local QMS API client work, if trying to connect to https://localhost:4799/QMS/Service . Notice the S after HTTP.
Yes we use certificate trust, so WinAuthentication is set to false.. Our systems don't utilize active directory. I can connect to https://localhost:4799/QMS/Service and it says within the browser that the all the certificates are valid. QV itself is working perfectly. Its all very strange. Any other points are appreciated.
When using the QMS API Client, try https://localhost:4799/QMS/Service when connecting, notice the S. If it is not working, you might need to bind the certificates for it to pick up. Not sure if the QMS API Client supports HTTPS. Either way, I know that for instance when using certificates and sending EDX triggers, there are some configuration steps. I can imagine API calls would be similar to a certain extent. See attached, that is the closest I can get you I believe. Otherwise try disabling the whole certificate trust and confirm that is where the issue lies.