Qlik Sense QRS API using Xrfkey header in PowerShell
Qlik Sense Repository Service API (QRS API) contains all data and configuration information for a Qlik Sense site. The data is normally added and updated using the Qlik Management Console (QMC) or a Qlik Sense client, but it is also possible to communicate directly with the QRS using its API. This enables the automation of a range of tasks, for example:
Start tasks from an external scheduling tool
Change license configurations
Extract data about the system
Using Xrfkey header
A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. Thus we use the Xrfkey to prevent that, without Xrfkey being set in the URL the server will send back a message saying: XSRF prevention check failed. Possible XSRF discovered.
Note: Please note that this example is related to token-based licenses and in case this is needed to be configured with Professional Analyser type of licenses you might need to use the following API calls:
Furthermore, combining this with QlikCli and in case you need to monitor and more specifically remove users, the following link from community might be useful: Deallocation of Qlik Sense License
This procedure has been tested in a range of Qlik Sense Enterprise on Windows versions.
PowerShell 3.0 or higher (Installed by default in Windows 8 / Windows Server 2012 and later)
Make sure the Qlik Repository service is up and running and port 4242 is open on the target server
Method 1: Authenticating through Qlik Proxy Service
Go to PowerShell ISE and paste the following script
In this example we are sending a GET request with a header of Xrfkey=12345678qwertyui and we are addressing the end point of /about. For more details on all end points, please refer to Connecting to the QRS API
Make sure that port 4242 is open between the machine making the API call and the Qlik Sense server.
Import the certificate on the machine you will use to make API calls. This must be imported in the personal certificate store of your user in MMC. The following PowerShell script is fetching automatically the Qlik Client certificate from the Certificate Personal store for the current user. You may need to modify the script if you have QlikClient certificates imported from different Qlik Sense servers in the store)
If there are several certificates from different Qlik Sense server, these can not be fetched by subject as there will have several certificates with subject QlikClient and that script will fail as it will return as array of certificates instead of a single certificate. In that case, fetch the certificate by thumbprint. This required more Powershell knowledge, but an example can be found here: How to find certificates by thumbprint or name with powershell