Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

QMS API - Using Certificates

Hi,

I am trying to use the example as found in the SDK Docs and attempting to connect to the QMS API but keep getting the error:

> The HTTP request was forbidden with client authentication scheme 'Anonymous'.

I am trying to connect to the QMS API on a developer machine which is on a different network. I installed the certificates on the developer machine by exporting on the Qlikview server and importing on the dev box. Any ideas how I can connect to the QMS API remotely?

1 Solution

Accepted Solutions
Not applicable
Author

Hi Erik,

Managed to get a solution:

I deleted all certificates.. Rebooted a number of times and allowed Qlikview to recreate all the certificates. It appeared when I did the original export of certificates under the *administrator* account I should of exported it under the user that runs the Qlikview services. To resolve the problem:

  1. Signed in to the server desktop as the user who runs the services (in > this case "QlikviewUser")
  2. Load up MMC.exe :: Certificates :: Local Computer (not personal or service)
  3. Exported all 3 Certificates with Private Key (Private key isn't available under any other user). If you export them as another user it'll export them successful but its not including the private key.. So it has to be signed in as the user who runs the Qlikview Services and under Local Computer. I did try giving the Administrator user access to the private key under Local Computer but this didn't resolve the problem.
  4. Sign in as the Administrator User or whatever user you want to use the API under to the Desktop
  5. Go to MMC :: Certificates :: Personal
  6. Import all 3 certificates.
  7. Success

This is how I got it to work under other users on the local server box. Previously, all the certificates were marked as valid and were  installed following the Qlikview manual line by line. It seems as if this "functionality" hasn't been documented very well.

To get it working remotely, I added the Qlikview Server's name in my hostfile and added the certificates to the Local Computer and Personal times. After this it resolved itsself.

Only challenge yet is how to configure the API in Qlikview to use a FQDN instead of a computer hostname.

View solution in original post

16 Replies
ergustafsson
Partner - Specialist
Partner - Specialist

Hi Chris,

As stated in the Server Reference Manual, you also need to be a member of the "QlikView Management API" security group, see page 59: https://d1cf4w4kkla6tb.cloudfront.net/qlikview/11.20/12451/QlikView%20Server%20Reference%20Manual_EN... . Also ensure the ports are open, so easiest way to test that it works is by doing it locally first.

Regards,

Erik

Not applicable
Author

Hi Erik,

This fails locally as well as remotely. Also the user running Qlikview is in all groups.

-Chris

ergustafsson
Partner - Specialist
Partner - Specialist

Hi Chris,

If this fails locally then you might want to start investigating on that end. Ensure the user you are running with is running as an administrator (Right click on the program and select "Run as an administrator") and is a member of "QlikView Administrators", Local "Administrators" and "QlikView Management API" groups.

I would recommend to test with the QMS API Client first, part of the power tools. Then you can test commands too. It is an unsupported product but it is quite neat. Accessible at Power Tools 1.2 for QlikView . Ensure that the service address matches your QMC, that the Service Version is correct and that you automatically retrieve new service key if needed.

Regards,

Erik

Not applicable
Author

Hi Erik,

Funny you should say that.. tried using QMSClient on the local server today and got this error when trying to get a service key:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'qvapp1:4799'. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.

ergustafsson
Partner - Specialist
Partner - Specialist

Hello again,

Can you access the service URL locally? http://localhost:4799/QMS/Service. If it doesn't work, might want to start in that end. Have you enabled SSL on the QMC? See C:\Program Files\QlikView\Management Service\QVManagementService.exe.config:

<!-- Use HTTPS instead of HTTP for SSL-encrypted communication. You must configure a certificate for this to work -->
<add key="UseHTTPS" value="false"/>

This setting is by default set to false, and if changed to true and you are using SSL communication, it might be the reason why it fails. Try temporarily changing it, and restart the QMC.

Regards,

Erik

Not applicable
Author

Hi Eric,

Unfortunately no I am unable to get the http only https, in fact all the services throughout qlikview seem to be only accessible through https (and Qlikview itself seems to be working). Checking the configurations, all of them are set as <add key="UseHTTPS" value="false"/>. Setting to true and restarting the management service unfortunately doesn't change the error.

As a bit more information, its a base/clean installation on a freshly installed OS.

ergustafsson
Partner - Specialist
Partner - Specialist

Hi Chris,

Do you build trust with certificates? Check the same .config file, but instead check:

<!-- Set to true to enable regular windows authentication between services;
    set to false to enable certificates and SSL in communication between services -->
<add key="UseWinAuthentication" value="true"/>

If set to false, then that is the reason why. Enabling communication with trust between services, should still make a local QMS API client work, if trying to connect to https://localhost:4799/QMS/Service . Notice the S after HTTP.

Regards,

Erik

Not applicable
Author

Hi Erik,

Yes we use certificate trust, so WinAuthentication is set to false.. Our systems don't utilize active directory. I can connect to https://localhost:4799/QMS/Service and it says within the browser that the all the certificates are valid. QV itself is working perfectly. Its all very strange. Any other points are appreciated.

ergustafsson
Partner - Specialist
Partner - Specialist

Hi Chris,

When using the QMS API Client, try https://localhost:4799/QMS/Service when connecting, notice the S. If it is not working, you might need to bind the certificates for it to pick up. Not sure if the QMS API Client supports HTTPS. Either way, I know that for instance when using certificates and sending EDX triggers, there are some configuration steps. I can imagine API calls would be similar to a certain extent. See attached, that is the closest I can get you I believe. Otherwise try disabling the whole certificate trust and confirm that is where the issue lies.

Regards,

Erik