Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Support Case Portal has moved to Qlik Community! Read the FAQs to start exploring Support resources.

Qlik Sense QRS API using Xrfkey header in PowerShell

Damien_Villaret
Support
Support

Qlik Sense QRS API using Xrfkey header in PowerShell




Qlik Sense Repository Service API (QRS API) contains all data and configuration information for a Qlik Sense site. The data is normally added and updated using the Qlik Management Console (QMC) or a Qlik Sense client, but it is also possible to communicate directly with the QRS using its API. This enables the automation of a range of tasks, for example:

  • Start tasks from an external scheduling tool
  • Change license configurations
  • Extract data about the system

 

Using Xrfkey header

A common vulnerability in web clients is cross-site request forgery, which lets an attacker impersonate a user when accessing a system. Thus we use the Xrfkey to prevent that, without Xrfkey being set in the URL the server will send back a message saying: XSRF prevention check failed. Possible XSRF discovered.


Environments:

 

Note: Please note that this example is related to token-based licenses and in case this is needed to be configured with Professional Analyser type of licenses you might need to use the following API calls:

  • /qrs/license/professionalaccesstype/full
  • /qrs/license/analyzeraccesstype/full

Furthermore, combining this with QlikCli and in case you need to monitor and more specifically remove users, the following link from community might be useful: Deallocation of Qlik Sense License 

 

 

Resolution:


This procedure has been tested in a range of Qlik Sense Enterprise on Windows versions.

  • PowerShell 3.0 or higher (Installed by default in Windows 8 / Windows Server 2012 and later)
  • Make sure the Qlik Repository service is up and running and port 4242 is open on the target server

 

Method 1: Authenticating through Qlik Proxy Service

  1. Go to PowerShell ISE and paste the following script
  2. In this example we are sending a GET request with a header of Xrfkey=12345678qwertyui and we are addressing the end point of /about. For more details on all end points, please refer to Connecting to the QRS API 
$hdrs = @{}
$hdrs.Add("X-Qlik-xrfkey","12345678qwertyui")
$url = "https://qlikserver1.domain.local/qrs/about?xrfkey=12345678qwertyui"
Invoke-RestMethod -Uri $url -Method Get -Headers $hdrs -UseDefaultCredentials

 

Method 2:  Use certificate and send direct request to Repository API

  1. Open Qlik Management Console and export the certificate. Please refer to Export client certificate and root certificate to make API calls with Postman for procedure.
  2. Make sure that port 4242 is open between the machine making the API call and the Qlik Sense server.
  3. Import the certificate on the machine you will use to make API calls. This must be imported in the personal certificate store of your user in MMC. The following PowerShell script is fetching automatically the Qlik Client certificate from the Certificate Personal store for the current user. You may need to modify the script if you have QlikClient certificates imported from different Qlik Sense servers in the store)
  4. Paste the below script in PowerShell ISE:
$hdrs = @{}
$hdrs.Add("X-Qlik-xrfkey","12345678qwertyui")
$hdrs.Add("X-Qlik-User","UserDirectory=DOMAIN;UserId=Administrator")
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where {$_.Subject -like '*QlikClient*'}
$url = "https://qlikserver1.domain.local:4242/qrs/about?xrfkey=12345678qwertyui"
Invoke-RestMethod -Uri $url -Method Get -Headers $hdrs -Certificate $cert


Execute the command.

A possible response for the 2 above scripts may look like this (Note that the JSON string is automatically converted to a PSCustomObject by PowerShell) :
 

buildVersion      : 23.11.2.0
buildDate         : 9/20/2013 10:09:00 AM
databaseProvider  : Devart.Data.PostgreSql
nodeType          : 1
sharedPersistence : True
requiresBootstrap : False
singleNodeOnly    : False
schemaPath        : About

 

 

Related and advanced Content: 

If there are several certificates from different Qlik Sense server, these can not be fetched by subject as there will have several certificates with subject QlikClient and that script will fail as it will return as array of certificates instead of a single certificate. In that case, fetch the certificate by thumbprint. This required more Powershell knowledge, but an example can be found here: How to find certificates by thumbprint or name with powershell

 
Labels (1)
Version history
Revision #:
2 of 2
Last update:
‎2021-02-10 02:43 AM
Updated by:
 
Contributors