-
Notifications
You must be signed in to change notification settings - Fork 51
Establishing a connection
Table of Contents:
To connect to a Qlik Sense site using Qlik-Cli, the Connect-Qlik function will need to be executed. The valid parameters are:
-
ComputerName: Name of the Qlik Sense server to connect to. Note when using certicates -
TrustAllCerts: Disables validation of certificate trust -
Username: User ID value to use when using certificate authentication. Expected format domain\username -
Certificate: Client certificate to use for authentication. Parameter needed when usingUsername -
UseDefaultCredentials: Use credentials of the logged on user for authentication
In order to successfully connect, TCP port 4242 will need to be available from the computer executing the Qlik-Cli commands.
When interacting with Qlik Sense using the Qlik Sense Repository API, the permission to perform a given command will be dependent on the security rule evaluation for that user. For example, a RESTful API call to get an app list may return different values for a RootAdmin compared to a non-privileged user just as it would inside of the Qlik Sense Management Console. Example:
PS C:\> Get-PfxCertificate .\client.pfx | Connect-Qlik `
-ComputerName qlikserver01.domain.ad -UserName INTERNAL\sa_api `
-TrustAllCerts
PS C:\> (Get-QlikApp -full).count
2
PS C:\> Get-PfxCertificate .\client.pfx | Connect-Qlik `
-ComputerName qlikserver01.domain.ad -UserName RandomDomain\RandomUser `
-TrustAllCerts
PS C:\> (Get-QlikApp -full).count
0Since Qlik-Cli is just a PowerShell module which provides an interface to the Repository API, the ability to perform functions will depend on the authentication mechanism which is used. Using Windows authentication (UseDefaultCredentials) will require less configuration but will depend on the commands being issued by a user who has the necessary permissions in Qlik Sense. While certificate authentication requires more configuration, it does allow the command to be executed by an arbitrary account which will have the necessary permissions, potentially across distinct Qlik Sense sites (i.e. INTERNAL\sa_api who will have full access based on the ServiceAccount default security rule).
To connect to a Qlik Sense site using Windows authentication the ComputerName parameter needs to route to the virtual proxy configured for Windows authenication. A default Qlik Sense site will have a Windows virtual proxy configured without a prefix. If this is adjusted, then the ComputerName parameter will need to route to the prefix of the site that accepts Windows authentication. The UseDefaultCredentials credentials will pass along the credentials of the user who is executing the PowerShell commands.
Examples:
We are connecting to a computer named qlikserver1.domain.ad using Windows authentication of the logged on user and we are disregarding checking for the validity of the certificate presented by Qlik Sense. To determine which user the session will be authenticated as, run a command like the following: [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Connect-Qlik -ComputerName qlikserver01.domain.ad -UseDefaultCredentials -TrustAllCerts
To connect using Windows authentication to a Windows virtual proxy with a prefix.
Connect-Qlik -ComputerName qlikserver01.domain.ad/windows -UseDefaultCredentials -TrustAllCerts
To connect to a Qlik Sense site using certificates, the requests need to include the client certificate from the Qlik Sense server to trust the exchange. When using certificates, the UserName parameter is available which allows the commands to be executed as an arbitrary user.
Examples:
In this example, the Get-PfxCertificate command is used to access a client certificate file on disk which is then piped to the Connect-Qlik command:
Get-PfxCertificate .\client.pfx | Connect-Qlik -ComputerName qlikserver01.domain.ad -UserName INTERNAL\sa_api -TrustAllCerts
In this example, the gci command is used to query the users' local certificate store for a certificate that is issued by the Qlik Sense site which is then piped to the Connect-Qlik command:
gci cert:\CurrentUser\My | where {$_.issuer -eq 'CN=qlikserver01.domain.ad-CA'} | Connect-Qlik qlikserver01.domain.ad -UserName DOMAIN\svc_qliksense