Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
QlikSense
3.0
Copyright1993-2016QlikTechInternationalAB.Allrightsreserved.
Contents
1 Introduction
1.1Conventions
Stylecoding
Environmentvariables
1.2Additionaldocumentation
2 Architecture
9
9
9
10
11
2.1Site
11
Singlenodesite
Multi-nodesite
2.2Node
11
12
13
2.3Services
13
QlikSenseRepositoryService
Paths
Metrics
RESTAPImetrics
Synchronizationmetrics
QlikSenseRepositoryDatabase
Paths
QlikSenseProxyService
Paths
Metrics
QlikSenseSchedulerService
Paths
Metrics
Tasks
Reload
Sync
QlikSenseEngineService
Paths
QlikSensePrintingService
Paths
QlikSenseServiceDispatcher
Paths
Servicedependencies
Repositorydatabase
Filesystem
Directoryservice
Startandrestartofservices
Start-upbehavior
Manualstart
Selectingthemetricstodisplay
2.4Clients
14
15
15
15
15
16
16
16
16
16
17
17
18
18
18
18
19
19
19
19
19
20
20
20
20
20
20
20
21
21
22
Hub
QlikManagementConsole
22
22
Contents
QlikDeploymentConsole
2.5Apps
22
22
Defaultstorage
Portableformat
2.6Portsoverview
22
23
23
Portsusedinternallywithinanode
Portsusedbetweenuserwebbrowsersandproxies
PortsusedbetweennodesandQlikSenseservices
Minimumportsusedforcommunicationinmulti-nodesites
Portsusedbetweenmasterandslaveschedulers
Portsusedbetweenaproxynodeandanenginenode
Portsusedbetweenaproxynodeandtheprintingservice
Portsexample:Multi-nodesite
Portsexamples
Singlenodesite
Proxynodeindemilitarizedzone
Separateproxyandenginenode
Highavailabilityproxyandenginenodes
Separateschedulernodeandhighavailabilityproxyandenginenodes
Separateproxyandschedulernodesandhighavailabilityenginenodes
Genericscaleout
3 Deployment
24
25
26
26
27
27
28
28
29
29
30
30
31
32
33
34
35
3.1Deployingsinglenodesites
35
Services
QlikSenseRepositoryService
QlikSenseSchedulerService
3.2Deployingmulti-nodesites
35
35
36
36
Synchronization
Datatosynchronize
Entitydatasynchronization
Binarydatasynchronization
Services
QlikSenseRepositoryService
Centralnode
Rimnodes
QlikSenseProxyService
QlikSenseSchedulerService
Master
Slave
Masterandslave
QlikSenseEngineService
QlikSensePrintingService
QlikSenseServiceDispatcher
BrokerService
36
37
37
37
37
37
38
38
38
39
39
39
39
39
39
40
40
Contents
DataProfilingService
HubService
MigrationService
Guidelinesfordeployingmulti-nodesites
Planningyourdeployment
Amountofcontenttosynchronize
Numberofnodes
Deploymenttopology
Recommendeddeploymentprinciples
Dedicatedrolesperserver
Dedicatedhardwareforthecentralnode(largedeploymentsonly)
Appdevelopment
Synchronizeonlywhatisneeded
Networkspeedandgeographicdeployments
Deploymentsize
Exampledeploymentscenarios
Multi-nodescenario:Productiondeployment
Nodelayout
Servicesoneachnode
Configurationsteps
Multi-nodescenario:Productiondeploymentallowingdevelopment
Nodelayout
Servicesoneachnode
Configurationsteps
Multi-nodescenario:Developmentsite
Nodelayout
Servicesoneachnode
Configurationsteps
Multi-nodescenario:Geographicallydispersedsite
Nodelayout
Guidelines
4 Backing up and restoring
4.1Backingupandrestoringasite
Backingupasitemanually
Itemstobackup
Backupprocedure
Restoringasitemanually
Itemstorestore
Restoreprocedure
Knownissues
UsingtheRepositorySnapshotManager
Requirements
Systemdowntime
Location
40
40
40
40
40
40
41
41
41
41
41
41
42
42
42
43
43
43
43
44
45
45
46
47
50
50
50
51
51
51
53
54
54
54
55
55
56
56
57
59
59
59
59
59
Contents
User
Arguments
Backup
Restore
Procedures
Backup
Restore
Logfiles
Knownissues
Backupprocesscompletes"successfully"withwrongdatabasepassword
Backupprocesshangsduring"Creatinglogincredentialsfilefordatabase..."
Cannotstartserviceoncomputer
Logfilesstoredoutsidethedefaultlocations
4.2Backingupandrestoringcertificates
59
59
59
60
62
62
62
64
64
64
64
64
65
65
Backingupcertificates
Restoringcertificates
4.3Movinganode
65
75
85
5 Security
94
5.1Protectingtheplatform
94
Networksecurity
Serversecurity
Processsecurity
Ruggedsoftware
Threatanalysis
Appsecurity
5.2Authentication
94
96
97
97
97
97
98
Defaultauthenticationmodule
Certificatetrust
Architecture
Requirements
General
Communicationports
Unlockingdistributedcertificates
ConfirmingcertificatesusingMicrosoftManagementConsole
Handlingofcertificateswhenaservicestarts
Clientcertificate
Servercertificate
Rootcertificate
Definitionofinvalidcertificate
Maximumnumberoftrustedrootcertificates
Authenticationsolutions
Ticketsolution
Sessionsolution
Headersolution
99
99
99
100
100
100
101
101
101
101
102
102
103
103
103
104
105
106
Contents
SAML
HowSAMLworks
SAMLinQlikSense
Anonymoususers
5.3Authorization
107
107
107
107
107
Accesscontrol
Resourceaccesscontrol
Rules
Streams
Administratoraccesscontrol
Datareduction
5.4Securitysummary
108
108
108
109
110
110
111
Authentication
Authorization
Auditing
Confidentiality
Integrity
Availability
Securityexample:Openinganapp
6 Logging
111
111
111
111
112
112
112
114
6.1Newloggingframework
114
6.2Legacyloggingframework
114
6.3ReadingandanalyzinglogfilesinQlikSense
114
6.4Requirements
114
Securingthefilesystem
Synchronizingtime
Settingtimezone
6.5Storage
114
115
115
115
Logfolder
Archivedlogfiles
6.6Naming
115
118
118
6.7Rows
119
6.8Fields
119
Auditactivitylog
Auditsecuritylog
Servicelog
QlikSenseEngineServicelogfields
6.9Tracelogs
119
123
126
130
130
Storage
Naming
Rows
Fields
Commonfields
131
131
132
132
132
Contents
Additionalfields
Applicationlog
Auditlog
Licenselog
Performancelog
QIXperformancelog
QlikManagementConsolelog
Sessionlog
Systemlog
Taskexecutionlog
Trafficlog
6.10Configuringthelogging
135
135
136
137
137
139
140
140
141
142
142
143
Appenders
QSRollingFileAppender
Configuringtheappender
Converters
Built-inlog4netappenders
Example:EventLogAppender
Example:SmtpAppender
Locallogconfigurationfile
Requirements
XMLschema
7 Licensing
143
143
143
144
145
145
146
146
146
146
149
7.1LicenseEnablerFile
149
Increaseintokens
Decreaseintokens
7.2Accesspasses
149
149
149
Allocationofaccesspasses
Loginandlogout
Login
Logout
Removingaccesspasses
Useraccesspass
Loginaccesspass
Disconnectednode
Multi-deploymentsites
Developmentsite
Testsite
Anonymoususers
7.3Licensingmetrics
150
151
151
151
152
152
152
152
152
152
152
153
153
1 Introduction
Introduction
InordertomakethemostofQlikSense,itisrecommendedtotakethefollowingintoconsiderationwhen
planningyourdeployment:
l Architecture:QlikSensefeaturesadistributedarchitecturethatconsistsofoneormorenodes(thatis,
servermachines)thattogetherformasite.Onenodeassumestheroleofcentralnode,whichisused
asthecentralpointofcontrol.
l Deployment:QlikSensecanbedeployedindifferentwaystosuitdifferentneeds.Youcan,for
example,setupproductionsites,developmentsites,andgeographicallydispersedsites.
l Backupandrestore:ItisrecommendedtobackupyourQlikSensesiteandthecertificatesusedon
thecentralnode,sothattheyareavailableincasearestoreisneeded.
l Security:Sitescanbedeployedinanumberofways.QlikSensehasthereforebeendesignedto
supportsecurityinmanydifferentways.
l Logmessages:ThelogmessagesproducedbyQlikSenseprovideimportantinformationthatcanbe
usedtodetectsecurityincidents,operationalproblems,andpolicyviolations.
l Licensing:ThelicensinginQlikSenseisbasedontokens,whichareusedtoallocateaccesspasses
thatallowuserstoaccessQlikSense.Therearedifferenttypesofaccesspassestochoosefromand
eachtypecorrespondstoaspecificconsumptionmodelforaccessingQlikSense.
ThisdocumentisderivedfromtheonlinehelpforQlikSense.Itisintendedforthosewhowanttoreadparts
ofthehelpofflineorprintpageseasily,anddoesnotincludeanyadditionalinformationcomparedwiththe
onlinehelp.
1.1 Conventions
ThefollowingconventionsareusedinthedocumentationforQlikSense.
Stylecoding
l Menucommandsanddialogoptionsarewritteninbold.
l FilenamesandpathsarewritteninItalics.
l SamplecodeiswritteninLucida Console.
Environmentvariables
ThepathsusedinthedocumentationforQlikSensemayuseenvironmentvariables.Thevariablesandthe
equivalentpathsintheMicrosoftWindowsoperatingsystemarelistedbelow.
Environment variable
Microsoft Windows
%LocalAppData%
C:\Users\<username>\AppData\Local
%ProgramData%
C:\ProgramData
%ProgramFiles%
C:\Program Files
%UserProfile%
C:\Users\<username>
1 Introduction
1.2 Additionaldocumentation
Besidesthisdocument,thefollowingrelateddocumentationisavailableforQlikSense:
l InstallandupgradeQlikSense:DescribeshowtoinstallQlikSense.
l ManageQlikSensesites:DescribeshowtomanageaQlikSensesite.
l QlikDeploymentConsole(QDC):DescribeshowtodeployQlikSensesitesincloudcomputing
environments.
10
2 Architecture
Architecture
QlikSensefeaturesadistributedarchitecturethatconsistsofoneormorenodes(thatis,servermachines)
thattogetherformasite.Onenodeassumestheroleofcentralnode,whichisusedasthecentralpointof
control.
Eachnodeinasite:
l Hasalocalrepositoryandfilesetthatcontainsallthedatathatthenodeneedstofulfillitsrole
l Synchronizesitscontentwiththeothernodesinthesite
l Canperformadifferentrolewithinthesite
l Operatesindependently,whichincreasesthesystemresilience,reducesmaintenance,andincreases
thedeploymentflexibility
l DeploysasetofQlikSenseservices
2.1 Site
AQlikSensesiteisacollectionofoneormorenodes(thatis,servermachines)connectedtoacommon
logicalrepositoryorcentralnode.
InatypicalQlikSenseinstallation,thereisonlyoneproductionsite,whichcontainsasinglecentralnodethat
containsdatafortheentiresiteand,optionally,oneormorerimnodesthatmaybeusedtoincreasecapacity
andresilience.Allrimnodesconnectwiththecentralnode.Appdataandallnecessarymeta-dataare
synchronizedbetweenthecentralnodeandtherimnodesusingasynchronouscommunication.
Singlenodesite
Asinglenodesiteisthesmallestsitepossibleasitconsistsofasinglenode(thatis,asingleservermachine),
whichisalsothecentralnodeofthesite.
11
2 Architecture
See also:
p
Multi-nodesite
Inamulti-nodesite,thesiteisspreadoutacrosstwoormorenodesthatsharethesamesetofdataand
licensekey.Multi-nodesitescanbeusedformanypurposes:
l Addcapacity
l Addresilience
l Moveappsorworkloadontoaspecificnode
l Fitwithcustomernetworkdeployments
Inamulti-nodesite,eachnodehasalocalcopyofthedatathatitneedstofulfillitsrole,whichmeansthat
thenodecanoperateindependentlyintheeventofaserverornetworkfailure.Eachnodecanreadandwrite
itslocaldataandasynchronizationmechanisminQlikSensedistributesthechangestoothernodesinthe
site.
12
2 Architecture
Onenodeisconfiguredtobethecentralnode,whichisresponsibleforcontrollingthemulti-nodesite.The
centralnodeisalsothepointthroughwhichtheothernodesinthesitesynchronizetheirdata.
Thesynchronizationinamulti-nodesiteistwo-way:
l Thecentralnoderequestsupdatesfromtherimnodesevery15seconds.
l Eachrimnodeinitiatesasynchronizationsessionwiththecentralnodeevery15seconds.
Whenchangesaremadeoneachnode,theresultingtransactionsarerecordedinatransactionlog.During
thesynchronization,thelatestsetoftransactionsfromthelogissenttotheothernodesandreplayed.
Thesynchronizationisnotvisibletotheusers,whocancontinuetoworkintheirappswhilenewdatais
synchronizedinthebackground.
See also:
p
2.2 Node
AQlikSensesiteconsistsofthefollowingtypesofnodes:
l Acentralnode:Thisistheminimumconfiguration;asitealwaysincludesacentralnode
l Zeroormorerimnodes:Usedtoincreasecapacityandresilience
Aslongasthenodesinasitemeetthesystemrequirements,theoperatingsystemonthenodesmaydiffer.
EachnodeinaQlikSensesiterunsasetofQlikSenseservices.Byconfiguringwhichservicestorunona
node,itcanbesetuptoperformaspecificrole(forexample,asaproxynodeorareloadnode)withinasite.
2.3 Services
TheQlikSenseservices,whichrunontheMicrosoftWindowsoperatingsystem,canbedeployedindifferent
waysonanodetosuitdifferentdeploymentpurposes.
TheQlikSenseservicesinclude:
13
2 Architecture
l TheQlikSenseRepositoryService(QRS)managespersistenceandsynchronizationofappsand
licensing,security,andserviceconfigurationdata.TheQRSisneededbyallotherQlikSenseservices
torunandserveapps.Itattachestoarepositorydatabaseandmanagestherepositorydatabase
synchronizationinmulti-nodesites.Inaddition,theQRSstorestheappstructuresandthepathsto
thebinaryfiles(thatis,theappdatastoredinthelocalfilesystem).
l InadefaultQlikSenseinstallation,theQlikSenseRepositoryService(QRS)usestheQlikSense
RepositoryDatabase(QRD)servicetoreadandwritedataintherepositorydatabase.APostgreSQL
databaseisusedbydefault.
l TheQlikSenseProxyService(QPS)managessiteauthentication,sessionhandling,andload
balancing.
l TheQlikSenseSchedulerService(QSS)managesthescheduledreloadsofappsaswellasother
typesofreloadtriggeringbasedontaskevents.
l TheQlikSenseEngineService(QES)istheapplicationservice,whichhandlesallapplication
calculationsandlogic.
l TheQlikSensePrintingService(QPR)managesexportinQlikSense.
l TheQlikSenseServiceDispatcher(QSD)isaservicecontrollerthatisusedtolaunchandmanage
thefollowingQlikSenseservices:
l BrokerService:TheBrokerServiceactsasanintermediarybetweenservicesstartedbythe
QlikSenseServiceDispatcher(QSD).
l ChartSharingService:TheChartSharingServiceisusedtosharechartsbetweenQlikSense
users.
l DataProfilingService:TheDataProfilingServiceisusedtoaccessandmodifytheapplication
loadmodel.
l HubService:TheHubServicecontrolswhichcontentauserisallowedtosee.
l MigrationService:TheMigrationServiceensuresthatyourappscanbeusedinthecurrently
installedversionofQlikSense.
QlikSenseRepositoryService
TheQlikSenseRepositoryService(QRS)managespersistenceandsynchronizationofappsandlicensing,
security,andserviceconfigurationdata.TheQRSisneededbyallotherQlikSenseservicestorunandserve
apps.Itattachestoarepositorydatabaseandmanagestherepositorydatabasesynchronizationinmulti-
14
2 Architecture
nodesites.Inaddition,theQRSstorestheappstructuresandthepathstothebinaryfiles(thatis,theapp
datastoredinthelocalfilesystem).
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseRepositoryService(QRS).
Executable
%ProgramFiles%\Qlik\Sense\Repository\Repository.exe
Data
%ProgramData%\Qlik\Sense\Repository
%ProgramData%\Qlik\Sense\Log\Repository
Logs
See:Logging (page 114)
InadefaultQlikSenseinstallation,therepositorydatabaseisaspecificinstanceof
PostgreSQLthatrunsitsowndatabaseclusterspecificallyfortherepository.
Repository
database
AllfilesrelatedtotherepositorydatabaseinadefaultQlikSenseinstallationarestoredin
thefollowingfolder:
%ProgramData%\Qlik\Sense\Repository\PostgreSQL
Metrics
ThissectionliststhemetricsrelatedtotheQlikSenseRepositoryService(QRS).
RESTAPImetrics
ThefollowingmetricsareavailableinthePerformanceMonitorinMicrosoftWindows:
l NumberofDELETEcalls
l NumberofGETcalls
l NumberofPOSTcalls
l NumberofPUTcalls
l NumberofHTTPstatus200(OK)
l NumberofHTTPstatus201(Created)
l NumberofHTTPstatus400(Badrequest)
l NumberofHTTPstatus401(Unauthorized)
l NumberofHTTPstatus403(Forbidden)
l NumberofHTTPstatus406(Notacceptable)
l NumberofHTTPstatus409(Conflict)
l NumberofHTTPstatus415(Unsupportedmediatype)
l NumberofHTTPstatus500(Internalservererror)
l NumberofHTTPstatus503(Serviceunavailable)
Synchronizationmetrics
ThefollowingmetricsareavailableinthePerformanceMonitorinMicrosoftWindows:
15
2 Architecture
l Numberofsynchronizationsessions
l Numberofsynchronizationclients
l Synchronizationclientqueue
See also:
p
QlikSenseRepositoryDatabase
InadefaultQlikSenseinstallation,theQlikSenseRepositoryService(QRS)usestheQlikSenseRepository
Database(QRD)servicetoreadandwritedataintherepositorydatabase.APostgreSQLdatabaseisused
bydefault.
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseRepositoryDatabase(QRD)service.
InadefaultQlikSenseinstallation,therepositorydatabaseisaspecificinstanceof
PostgreSQLthatrunsitsowndatabaseclusterspecificallyfortherepository.
Executable
TheQRDspawnsthePostgreSQLexecutablethatislocatedinthefollowingfolder:
%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin
Data
%ProgramData%\Qlik\Sense\Repository\PostgreSQL
Logs
TherearenologsfortheQRDservice.
QlikSenseProxyService
TheQlikSenseProxyService(QPS)managessiteauthentication,sessionhandling,andloadbalancing.
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseProxyService(QPS).
Executable
%ProgramFiles%\Qlik\Sense\Proxy\Proxy.exe
Data
%ProgramData%\Qlik\Sense\Proxy
%ProgramData%\Qlik\Sense\Log\Proxy
Logs
See:Logging (page 114)
Metrics
ThissectionliststhemetricsrelatedtotheQlikSenseProxyService(QPS).Thefollowingmetricsare
availableinthePerformanceMonitorinMicrosoftWindows:
16
2 Architecture
l ActiveConnections:Thenumberofactiveconnections(inanyformorshape)fromtheclient.
Aconnectionisastream(thatis,asocket)betweenaQlikSenseclientandtheQlikSenseProxy
Service(QPS).Thisstreamisoftenconnectedtoanotherstream,whichrunsfromtheQPStothe
QlikSenseRepositoryService(QRS)ortheQlikSenseEngineService(QES).Thetwostreamsallow
theclienttocommunicatewiththeQRSortheQES.
l ActiveStreams:Thenumberofactivedatastreams(thatis,sockets),eitherfromthebrowsertothe
QPSorfromtheQPStotheQRSortheQES.
l ActiveSessions:ThenumberofactivesessionsintheQPS.
AQlikSenseusergetsaproxysessionwhentheuserhasbeenauthenticated.Thesessionis
terminatedafteracertainperiodofinactivity.
l LoadBalancingDecisions:Thenumberofuserswhocurrentlyhaveatleastoneenginesession.
l PrintingLoadBalancingDecisions:ThenumberofuserswhohavebeenloadbalancedtotheQlik
SensePrintingService(QPR).
l Tickets:Thenumberofissuedloginticketsthathavenotyetbeenconsumed.
l ActiveClientWebsockets:ThenumberofactiveWebSocketsbetweentheclientandtheQPS.
l ActiveEngineWebsockets:ThenumberofactiveWebSocketsbetweentheQPSandthetargetQlik
Senseservice.
The metrics are also available as entries in the Performance log for the QPS.
See also:
p
p
QlikSenseSchedulerService
TheQlikSenseSchedulerService(QSS)managesthescheduledreloadsofappsaswellasothertypesof
reloadtriggeringbasedontaskevents.
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseSchedulerService(QSS).
Executable
%ProgramFiles%\Qlik\Sense\Scheduler\Scheduler.exe
Data
%ProgramData%\Qlik\Sense\Log\Scheduler
Logs
See:Logging (page 114)
17
2 Architecture
Metrics
ThissectionliststhemetricsrelatedtotheQlikSenseSchedulerService(QSS).Thefollowingmetricsare
availableinthePerformanceMonitorinMicrosoftWindows:
l Numberofconnectedslaves
l NumberofQlikSenseEngineService(QES)instancesthatarerunningonaslave(thismetricisonly
availableonthenodewheretheQESinstancesrun)
l Numberofrunningprocesses
l Numberofrunningtasksasunderstoodbythemaster
l Numberofrunningtasksontheslave
l Numberoftaskmessagesthathavebeendispatchedbytheslave
l Numberoftaskmessagesthathavebeenreceivedbythemaster
l Numberoftaskretries
l Numberoftasksthathavecompletedsuccessfullywhenexecutedbytheslave
l Numberoftasksthathavefailedwhenexecutedbytheslave
l Numberoftasksthatthemasterhasacknowledgedascompleted
l Numberoftasksthatthemasterhasacknowledgedasfailed
l Numberoftimesthatthesettingshavebeenupdated
l Numberoftasksthathaveattemptedtostart
l Numberoftasksthathaveattemptedtostop
See also:
p
Tasks
Tasksareusedtoperformawidevarietyofoperationsandcanbechainedtogetherinanyarbitrarypattern.
ThetasksarehandledbytheQlikSenseSchedulerService(QSS)andmanagedintheQlikManagement
Console(QMC).
See:Qlik Management Console (page 22)
Reload
Thereloadtaskisusedtofullyreloadthedatainanappfromthesource.Anyolddataisdiscarded.
Sync
Withinamulti-nodesite,oneinstanceoftheQlikSenseRepositoryService(QRS)runsoneachnode.The
QRSrunningonthecentralnodeisconsideredtobethemaster.ThemasterQRShasdirectaccesstothe
centralrepositorydatabase,whereastheotherQRSsonlyhaveaccesstoalocalrepositorydatabaseonthe
nodewheretheyarerunning.ThemasterQRSsynchronizesthecentralrepositorydatabaseandthelocal
repositorydatabases.
18
2 Architecture
Thesynctaskisusedtoschedulethesynchronizationofthecentralrepositorydatabaseandthelocal
repositorydatabaseswithinamulti-nodesite.
QlikSenseEngineService
TheQlikSenseEngineService(QES)istheapplicationservice,whichhandlesallapplicationcalculations
andlogic.
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseEngineService(QES).
Executable
%ProgramFiles%\Qlik\Sense\Engine\Engine.exe
Data
%ProgramData%\Qlik\Sense\Engine
%ProgramData%\Qlik\Sense\Log\Engine
Logs
See:Logging (page 114)
%ProgramData%\Qlik\Sense\Engine\Settings.ini
Configuration
ThisfilecontainstheQESsettings.Thefileiscreatedwhentheservicefirstruns.
QlikSensePrintingService
TheQlikSensePrintingService(QPR)managesexportinQlikSense.
Paths
ThefollowingtableliststhepathsusedbytheQlikSensePrintingService(QPR).
Executable
%ProgramFiles%\Qlik\Sense\Printing\Printing.exe
Data
%ProgramData%\Qlik\Sense\Printing
%ProgramData%\Qlik\Sense\Log\Printing
Logs
See:Logging (page 114)
QlikSenseServiceDispatcher
TheQlikSenseServiceDispatcher(QSD)isaservicecontrollerthatisusedtolaunchandmanagethe
followingQlikSenseservices:
l BrokerService:TheBrokerServiceactsasanintermediarybetweenservicesstartedbytheQlik
SenseServiceDispatcher(QSD).
l ChartSharingService:TheChartSharingServiceisusedtosharechartsbetweenQlikSenseusers.
l DataProfilingService:TheDataProfilingServiceisusedtoaccessandmodifytheapplicationload
model.
l HubService:TheHubServicecontrolswhichcontentauserisallowedtosee.
19
2 Architecture
l MigrationService:TheMigrationServiceensuresthatyourappscanbeusedinthecurrentlyinstalled
versionofQlikSense.
Paths
ThefollowingtableliststhepathsusedbytheQlikSenseServiceDispatcher(QSD)andtheservicesthatare
launchedandmanagedbytheQSD.
l QSD:%ProgramFiles%\Qlik\Sense\ServiceDispatcher\ServiceDispatcher.exe
Executables
l ServicesthatarelaunchedandmanagedbytheQSD:
%ProgramFiles%\Qlik\Sense\ServiceDispatcher\node\node.exe
l BrokerService:%ProgramData%\Qlik\Sense\Log\BrokerService
l ChartSharingService:%ProgramData%\Qlik\Sense\Log\QlikSenseCharts
l DataProfilingService:%ProgramData%\Qlik\Sense\Log\DataProfiling
Logs
l HubService:%ProgramData%\Qlik\Sense\Log\HubService
l MigrationService:%ProgramData%\Qlik\Sense\Log\AppMigration
See:Logging (page 114)
Servicedependencies
ThissectiondescribesthedependenciesrelatedtotheQlikSenseservices(forexample,dependencieson
theoperatingsystemandothersoftware).
Repositorydatabase
TheQlikSenseRepositoryService(QRS)connectstotherepositorydatabasetostoreandretrievedata
necessaryfortheQlikSenseservicesonthenodeonwhichtheQRSisrunning.InadefaultQlikSense
installation,theQlikSenseRepositoryService(QRS)usestheQlikSenseRepositoryDatabase(QRD)
servicetoreadandwritedataintherepositorydatabase.APostgreSQLdatabaseisusedbydefault.
Filesystem
ThefilesystemstoresthebinaryfilesfortheQlikSenseapps.
Directoryservice
TheQRSandQlikSenseProxyService(QPS)communicatewithaconfigureddirectoryservice(for
example,MicrosoftActiveDirectory)using,forexample,LDAPorODBC.
Startandrestartofservices
Normally,theQlikSenseservicesarestartedautomaticallyonanode.
Start-upbehavior
TheQlikSenseRepositoryDatabase(QRD)andQlikSenseRepositoryService(QRS)arestartedfirst.
WhenanyotherQlikSenseservicestarts,itcontactsitslocalQRStogetconfigurationparameters.Ifthe
serviceisnot(yet)configuredtorun,itperiodicallychecksbackwiththelocalQRS.
20
2 Architecture
Manualstart
Iftheservicesarestartedmanually,makesuretostarttheminthefollowingorder:
The user that installs and runs the Qlik Sense services must be local administrator on the
machine.
a. QlikSenseRepositoryDatabase(QRD)
b. QlikSenseRepositoryService(QRS)
c. QlikSenseProxyService(QPS),QlikSenseEngineService(QES),QlikSenseSchedulerService
(QSS),QlikSensePrintingService(QPR),andQlikSenseServiceDispatcher(QSD)innospecific
order
TheorderisimportantbecausetheQRSisdependentontheQRDandtherestoftheservicesaredependent
ontheQRS.
Selectingthemetricstodisplay
ProceedasfollowstoselectwhichmetricstodisplayfortheQlikSenseservicesinthePerformanceMonitor
inMicrosoftWindows:
1. SelectStart> Run.
2. EnterperfmonandclickOK.
3. ExpandMonitoring Toolsintheleftpanel.
4. SelectPerformance Monitor.
ThePerformanceMonitorisdisplayedintherightpanel.
5. Clickthe+(plus)iconinthetoolbaratthetopofthePerformanceMonitor.
TheAdd Countersdialogisdisplayed.
6. SelectthemachinetoaddcountersfromintheSelect counters from computer:drop-downlist.
TheAvailable counterslistispopulatedwithcounters.
7. LocatethefollowingcountersetsintheAvailable counterslist:
l QlikSenseProxyService
l QlikSenseRepositoryService-RESTAPI
l QlikSenseRepositoryService-Synchronization
l QlikSenseSchedulerService
8. Clickthe+(plus)signnexttoacountersettoexpandtheset.
9. SelectthecounterstodisplayinthePerformanceMonitor.
10. ClickAdd >>toaddthecountersinthePerformanceMonitor.
TheaddedcountersarelistedintheAdded counterslist.
21
2 Architecture
11. ClickOK.
TheaddedcountersaredisplayedinthePerformanceMonitor.
2.4 Clients
TheclientsareusedtocommunicateandinteractwithQlikSensesites.
Hub
ThehubisusedtoaccessandpublishappsinQlikSense.Thehubrunsinawebbrowser,sonosoftware
installationisrequired.
Onceestablished,thehubtrafficonlyinvolvesarimnode(unlessthesiteisasinglenodesite)andthehub.
QlikManagementConsole
TheQlikManagementConsole(QMC)isusedforconfigurationandadministrationofaQlikSensesite.
TheQMConlycommunicateslogicallywiththecentralnode.Thismeansthat:
l TheQMCalwaysusestheQlikSenseProxyService(QPS)onthecentralnode.
l Formaximumperformancewithinamulti-nodesite,itisrecommendednottoallowanyusertrafficon
thecentralnode.
QlikDeploymentConsole
TheQlikDeploymentConsole(QDC)isusedtocreateandmanageQlikSensesitesthataredeployedin
cloudcomputingenvironments.
UsingtheQDC,youcan:
l CreateandmanageQlikSensesites
l IncorporateexistingsitesforuseintheQDC
l Create,manage,clone,anddeletenodesinQlikSensesitesthataredeployedincloudcomputing
environments
2.5 Apps
AQlikSenseappisacollectionofreusabledataitems(measures,dimensions,andvisualizations),sheets,
andstories.Itisaself-containedentitythatincludesthedatatoanalyzeinastructureddatamodel.
TheappsreplacethedocumentsthatareusedinQlikView.
Defaultstorage
Bydefault,appsarestoredasfollows:
l Repositorydatabase:Containstheappstructure,includingthepathstothebinaryfilesinthelocalfile
system.Thisdataisreferredtoasentitydataandisusuallysmallinsize.
22
2 Architecture
l Localfilesystem:Storestheappdataasbinaryfiles.Thesefilesarereferredtoasbinarydataandthe
datamodelelementofthefilescanbelargeinsize.Thefilesarebydefaultstoredin
%ProgramData%\Qlik\Sense\Apps.
Portableformat
AnappcanbestoredinthelocalfilesystemintheproprietaryQVFformat,whichisaportableformat.
Asingleappisstoredas<App name>.qvf.
For an app to run in Qlik Sense, it must be stored in the repository database.
2.6 Portsoverview
QlikSenseusesportsforcommunicationbetweenwebbrowsers(users)andproxies,andbetweenservicesin
bothinternalandmulti-nodedeployments.
ThissectionprovidesanoverviewoftheportsthatareusedinQlikSense.
23
2 Architecture
Portsusedinternallywithinanode
TheportsinthefollowingtableareusedbetweenQlikSenseservicesthatrunonthesamenode.Theports
donothavetobeopenthroughanyfirewalls.
Service
Port
Direction
Purpose
QPS
4243
Inbound
QlikSenseProxyService(QPS)RESTAPIlistenport.
Ifwebticketingisusedforsecurity,thisportisusedbythesoftwareor
servicethatrequeststicketsforusers.I fthesoftwareorserviceisremote,
thisportneedstobeopentothelocationfromwhichitiscalled.
QRD
4432
Internal
DefaultlistenportfortheQlikSenseRepositoryDatabase(QRD).
TheportisusedtolistenforconnectionsfromtheQlikSenseRepository
Service(QRS).
24
2 Architecture
Migration 4545
Service
Internal
ThisportisusedbytheMigrationServiceforappmigrationpurposes.
TheserviceislaunchedandmanagedbytheQlikSenseService
Dispatcher(QSD)whenrequired.
TheMigrationServiceonlyrunsonthecentralnode.
Chart
Sharing
Service
4555
Internal
ThisportisusedbytheChartSharingServiceforchartsharingbetween
QlikSenseusers.TheserviceislaunchedandmanagedbytheQlik
SenseServiceDispatcher(QSD)whenrequired.
ThisportusesHTTPSforcommunication.
QRS
4570
Internal
Certificatepasswordverificationport,onlyusedwithinmulti-nodesitesby
QlikSenseRepositoryServices(QRSs)onrimnodestoreceivethe
passwordthatunlocksadistributedcertificate.Theportcanonlybe
accessedfromlocalhostanditisclosedimmediatelyafterthecertificate
hasbeenunlocked.Thecommunicationisalwaysunencrypted.
QES
4748
Internal
ThiscallbackportisusedbytheQlikSenseRepositoryService(QRS)for
sendingHTTPeventstotheQlikSenseEngineService(QES).
Broker
Service
4900
Internal
DefaultlistenportfortheBrokerService.
Hub
Service
9028
Internal
DefaultlistenportfortheHubService.
Portsusedbetweenuserwebbrowsersandproxies
ThedefaultportsareexposedtotheQlikSenseusersandneedtobeopenthroughanyfirewallstoeachQlik
SenseProxyService(QPS)inthesite.
Service
Port
Direction
Purpose
QPS
443
Inbound
InbounduserwebtrafficwhenusingHTTPS.
QPS
4244
Inbound
AuthenticationportwhenusingWindowsauthenticationoverHTTPS.
QPS
80
Inbound
InbounduserwebtrafficwhenusingHTTP(optional).
QPS
4248
Inbound
AuthenticationportwhenusingWindowsauthenticationoverHTTP
(optional).
25
2 Architecture
PortsusedbetweennodesandQlikSenseservices
TheportsinthissectionareusedforcommunicationbetweentheQlikSenseservices.
Inasinglenodesite,allportslistedinthissectionareusedbythevariousservices,butdonotneedaccess
throughfirewalls.
Inamulti-nodesite,theportsinusevarydependingontheservicesinstalledandrunningoneachnode.The
portsneedtobeopeninanyfirewallsbetweenthenodes,butdonothavetobeopentotheQlikSenseusers.
Minimumportsusedforcommunicationinmulti-nodesites
Thefollowingportsmustalwaysbeopenbetweenthenodesinamulti-nodesite.Theportsmustbeopento
allowforsynchronization,servicehealth,andsomespecificoperations.
Service
Port
Direction
Purpose
QRS
4241
Bi-directional
betweenall
nodes
Communicationportwithinmulti-nodesitesforQlikSenseRepository
Service(QRS)-to-QRSsynchronization.
ThisportusesHTTPSforcommunication.
QRS
4242
Bi-directional
betweenthe
centralnode
andallproxy
nodes
Thisportisusedforanumberofoperationsincludingnewuser
registration.
QRS
4444
Betweenthe
centralnode
andallrim
nodes
Thisporthastwofunctions:
l Securitydistributionport,onlyusedbyQlikSenseRepository
Services(QRSs)onrimnodestoreceiveacertificatefromthe
masterQRSonthecentralnode.Thecommunicationisalways
unencrypted,butthetransferredcertificatepackageis
password-protected.
l QlikSenseRepositoryService(QRS)stateport,usedtofetch
thestateofaQRSinaQlikSensesite.Thestateisfetched
usinghttp://localhost:4444/status/servicestate.
Thereturnedstateisoneofthefollowing:
l 0:Initializing.Oncethenodehasbeeninitialized,the
nodestatechangesintooneoftheotherstates.
l 1:Certificatesnotinstalled.Therearenocertificates
installedonthenode.Thenodestaysinthisstateuntil
ithasreceivedthecertificateandthecertificate
password.
l 2:Running.ThenodeisupandrunningandallAPIs
havebeeninitiated.
26
2 Architecture
Portsusedbetweenmasterandslaveschedulers
TheportsinthefollowingtableareusedwhenaslaveQlikSenseSchedulerService(QSS)isused.
Service
Port
Direction
Purpose
QSS
5050
Inbound(from
schedulernodes
only)
ThisportisusedbythemasterQSSonthecentralnodetoissue
commandstoandreceiverepliesfromslaveQSSnodes.
QSS
5151
Inbound(fromthe
centralnodeonly)
AslaveQSSrunsonaslaveschedulernodeandisaccessedonly
bythemasterQSSonthecentralnode.
Portsusedbetweenaproxynodeandanenginenode
Theportsinthefollowingtabledefinetheminimumneededtoallowregularusertrafficandloadbalancing
betweenaproxynodeandanenginenode.
Service
Port
Direction
Purpose
QES
4747
Inbound
(from
proxy
nodes)
QlikSenseEngineService(QES)listenport.Thisisthemainportusedby
theQES.
TheportisusedviatheQlikSenseProxyService(QPS)for
communicationwiththeQlikSenseclients.
27
2 Architecture
QRS
QRS
4239
4242
Data
4949
Profiling
Service
Inbound
(from
proxy
nodes)
QlikSenseRepositoryService(QRS)WebSocketport.
Inbound
(from
proxy
nodes)
QlikSenseRepositoryService(QRS)RESTAPIlistenport.
Inbound
(from
proxy
nodes)
ThisportisusedbytheDataProfilingServicewhenaccessingand
modifyingtheapplicationloadmodel.Theserviceislaunchedand
managedbytheQlikSenseServiceDispatcher(QSD)whenrequired.
TheportisusedviatheQlikSenseProxyService(QPS)bytheQlikSense
hubtoobtainappsandstreamlists.
ThisportismainlyaccessedbylocalQlikSenseservices.However,the
portmustbeopentoallproxynodesinamulti-nodesitetodeliverimages
andstaticcontent.
TheportisaccessviatheQlikSenseProxyService(QPS).
Portsusedbetweenaproxynodeandtheprintingservice
TheQlikSensePrintingService(QPR)maybeinstalledonthesamenodeasotherservicesoronaseparate
node.TheportsinthefollowingtablemustbeaccessiblebetweenaQPSandallQPRstowhichtheQPS
canloadbalancetraffic.
Service
Port
Direction
Purpose
QPR
4899
Inbound(from
proxynodes)
QlikSensePrintingService(QPR)port.
ThisportisusedforprintedexportinQlikSense.Theportis
accessedbyanynodethatrunsaQPS.
Portsexample:Multi-nodesite
Thefollowingisanexampleoftheportsthatareusedinamulti-nodesitethatconsistsoffivenodes.
28
2 Architecture
Portsexamples
ThissectionprovidesexamplesoftheportsthatareusedindifferentQlikSensedeployments.
ThefollowingiconsrepresenttheQlikSenseservicesdeployedoneachnode:
Singlenodesite
Thisexampleshowstheportsthatareusedinasinglenodesite.
See:Single node site (page 11)
29
2 Architecture
Proxynodeindemilitarizedzone
Thisexampleshowstheportsthatareusedinamulti-nodesitewhendeployingaproxynodeina
demilitarizedzone.
Separateproxyandenginenode
Thisexampleshowstheportsthatareusedinamulti-nodesitewhendeployingaseparateproxyandengine
node.
30
2 Architecture
Highavailabilityproxyandenginenodes
Thisexampleshowstheportsthatareusedinamulti-nodesitewhendeployingmorethanoneproxyand
enginenode.
31
2 Architecture
Separateschedulernodeandhighavailabilityproxyandenginenodes
Thisexampleshowstheportsthatareusedinamulti-nodesitewhendeployingaseparateschedulernode
andmorethanoneproxyandenginenode.
32
2 Architecture
Separateproxyandschedulernodesandhighavailabilityenginenodes
Thisexampleshowstheportsthatareusedinamulti-nodesitewhendeployingseparateproxyandscheduler
nodesandmorethanoneenginenode.
33
2 Architecture
Genericscaleout
Thisexampleshowstheportsthatareusedinamulti-nodesitewhenscalingthesitebyaddingadditional
proxy,engine,orschedulernodes.
34
3 Deployment
Deployment
TheQlikSensearchitectureisbasedontheconceptofsites.AQlikSensesiteisacollectionofoneormore
nodes(thatis,servermachines)connectedtoacommonlogicalrepositoryorcentralnode.
QlikSensecanbedeployedinmanyways.Thissectiondescribesdifferentdeploymentscenarios.
3.1 Deployingsinglenodesites
Inthisdeploymentscenario,allQlikSenseservicesrunonasinglenode.Thiskindofdeploymentworksbest
inasingletimezone,wherereloadsofdatacanbedoneduringthenight.
See also:
p
Services
ThissectiondescribeshowtheQlikSenseservicesbehavewhendeployedinsinglenodesites.
QlikSenseRepositoryService
Withinasinglenodesite,thereisonlyoneinstanceoftheQlikSenseRepositoryService(QRS)runningand
ithasdirectaccesstothecentralrepositorydatabase.
35
3 Deployment
QlikSenseSchedulerService
Whendeployedinasinglenodesite,theQlikSenseSchedulerService(QSS)actsasbothmasterandslave.
See:Master and slave (page 39)
3.2 Deployingmulti-nodesites
Inamulti-nodesite,thesiteisspreadoutacrosstwoormorenodesthatsharethesamesetofdataand
licensekey.
Thebasicstepsfordeployingamulti-nodesiteareasfollows:
1. Planthenodesthatareneededinthedeployment.
2. Installthefirstnodeinthesite.Thisnodebecomesthecentralnode,whichcontainsallappsthatare
needed.
See:InstallandupgradeQlikSense
3. Installanadditionalnodeasarimnode.
See:InstallandupgradeQlikSense
4. IntheQlikManagementConsole(QMC)onthecentralnode,addthenewnodetothesite.
See:ManageQlikSensesites
5. Waitforthefirstsynchronizationtocompleteandthentestthenewnode.
6. Continuetoinstalladditionalrimnodesoneatatimeasdescribedinstep3untilthemulti-node
siteiscomplete.
If you are installing custom connectors in a multi-node setup, the custom connectors must be
installed on each node.
See also:
p
Synchronization
Thesynchronizationinamulti-nodesiteistwo-way:
l Thecentralnoderequestsupdatesfromtherimnodesevery15seconds.
l Eachrimnodeinitiatesasynchronizationsessionwiththecentralnodeevery15seconds.
Whenchangesaremadeoneachnode,theresultingtransactionsarerecordedinatransactionlog.During
thesynchronization,thelatestsetoftransactionsfromthelogissenttotheothernodesandreplayed.
Thesynchronizationisnotvisibletotheusers,whocancontinuetoworkintheirappswhilenewdatais
synchronizedinthebackground.
36
3 Deployment
Datatosynchronize
Therearetwotypesofdatathatneedtobesynchronized:
l Entitydata:Therepositorydatabasecontainsthesystemconfigurationandallmetadataaboutapps.
Thisdataisreferredtoasentitydataandisusuallysmallinsize.Therepositorydatabaseiscontrolled
bytheQlikSenseRepositoryService(QRS).
l Binarydata:Theappdatafilescontainthedatamodelsandappdefinitions.Thesefilesarereferred
toasbinarydataandthedatamodelelementofthefilescanbelargeinsize.Theappdatafilesare
controlledbytheQlikSenseEngineService(QES).
Entitydatasynchronization
Ifthetransactionlogonlycontainsentitydata(thatis,changesintherepositorydatabase),anentitydata
synchronizationisperformed.Thechangesareappliedimmediatelyintherepositorydatabaseonthe
receivingnode.Ifaconflictoccurs,thelatesttransactionisused.
Example:
Auserconsumesalicenseonarimnode.Therecordiscommittedtotherepositorydatabaseanda
transactionisrecordedinthelog.Duringthenextsynchronization,thecentralnodeaskstherimnodeforits
latesttransactionsandappliesthemtoitslocaldatabase.Therestoftherimnodesgetthesameupdate
fromthecentralnodeduringtheirnextsynchronization.
Binarydatasynchronization
Ifthetransactionlogcontainsbinarydata(thatis,changestoappdatafiles),abinarydatasynchronization,
duringwhichthereceivingnodeobtainstheupdateddata,isinitiated.Theentireappdatafiledoesnothave
tobecopied,justthecomponentsthathavechanged.Thismeansthatsmalledits(forexample,anewsheet
inanapp)aresynchronizedquicklyandindependentlyfromalargeedits(forexample,adatamodelthatis
synchronizedafterareload).Duringbinarydatasynchronization,thenodesusepeer-to-peerreplicationto
speedupthesynchronizationoflargeappsandpreventnetworkbottlenecks.
Example:
Anappisreloadedonarimnode.Duringthenextsynchronization,thecentralnodechecksthetransaction
logandinitiatesabinarydatasynchronization.Therestoftherimnodesgetthesameupdateduringtheir
nextsynchronizationwiththecentralnode.However,therimnodescanobtainthebinarydatanotjustfrom
thecentralnode,butfromanyrimnodethatalreadyhastheupdates.
Services
ThissectiondescribeshowtheQlikSenseservicesbehavewhendeployedinmulti-nodesites.
QlikSenseRepositoryService
TheQlikSenseRepositoryService(QRS)behavesdifferentlydependingonifitisdeployedonthecentral
nodeoronarimnode.
37
3 Deployment
Centralnode
Withinamulti-nodesite,oneinstanceoftheQlikSenseRepositoryService(QRS)runsoneachnode.The
QRSrunningonthecentralnodeisconsideredtobethemaster.ThemasterQRShasdirectaccesstothe
centralrepositorydatabase,whereastheotherQRSsonlyhaveaccesstoalocalrepositorydatabaseonthe
nodewheretheyarerunning.ThemasterQRSsynchronizesthecentralrepositorydatabaseandthelocal
repositorydatabases.
WhenthemasterQRSstarts,itconnectstothecentralrepositorydatabase.Ifnodatabaseexists,themaster
QRSbuildsthedatabaseandpopulatesitwithinitialdata.InadefaultQlikSenseinstallation,therepository
databaseisaspecificinstanceofPostgreSQLthatrunsitsowndatabaseclusterspecificallyforthe
repository.
Rimnodes
WhentheQlikSenseRepositoryService(QRS)onarimnodestarts,itconnectstothelocalrepository
databaseonthenode.Ifnolocalrepositorydatabaseexists,theQRSwaitsuntilitcommunicateswiththe
centralnode.
InadefaultQlikSenseinstallation,therepositorydatabaseisaspecificinstanceofPostgreSQLthatrunsits
owndatabaseclusterspecificallyfortherepository.
QlikSenseProxyService
Onthecentralnodeinamulti-nodesite,itisrecommendedtohaveadedicatedQlikSenseProxyService
(QPS)thatisusedspecificallyfortheQlikManagementConsole(QMC)andnotforthehub.
See also:
p
38
3 Deployment
QlikSenseSchedulerService
Dependingonthetypeofdeployment,theQlikSenseSchedulerService(QSS)runsasmaster,slave,or
bothonanode.
Master
ThereisonlyonemasterQlikSenseSchedulerService(QSS)withinasiteanditisalwayslocatedonthe
centralnode,wherethemasterQlikSenseRepositoryService(QRS)runs.Thismeansthatthecentralnode
musthavetheQlikSenseSchedulerService(QSS)installedevenifmoreQSSnodesareadded.Thisis
becausetheQSSonthecentralnodecoordinatesallQSSactivitieswithinthesite.
ThemasterQSShandlesalltaskadministration(forexample,whichtaskstoexecuteandwhentoexecutea
specifictask).Whenthetimecomestoexecuteatask,themasterQSSsendsthetaskIDtoaslaveQSS
withinthesite.WhichslaveQSStodistributethetaskIDtoisdeterminedbyaloadbalancingoperation
performedbythemasterQSS.
WhenaslaveQSScompletesatask,itreturnsthetaskstate(successfulorfail)tothemasterQSS.The
masterQSSusesthetaskstatetoperformtaskchaining,whichmeansthatitusesthetaskstateto
determineifothereventsareaffectedbythestateofthecompletedtaskandneedtobeexecuted.Thiscan
beconfiguredintheQlikManagementConsole(QMC).
IftheslaveQSSfailstoperformthetask,themasterQSSrepeatedlyrequeststhesameoranotherslave
QSStoperformthetaskuntilithasbeencompletedoruntilthemaximumnumberofattemptshasbeen
reached.
Slave
IfaQlikSenseSchedulerService(QSS)runsonarimnode,theQSSisconsideredtobeaslaveQSS.
WhenreceivingataskIDfromthemasterQSS,theslaveQSSreadsthetaskfromthelocalrepository
databaseandexecutesthetask.
WhenaslaveQSScompletesatask,itreturnsthetaskstate(successfulorfail)tothemasterQSS.
Masterandslave
Withinasinglenodesite,themasterQlikSenseSchedulerService(QSS)alsoactsasaslaveQSS.
QlikSenseEngineService
Onthecentralnodeinamulti-nodesite,itisrecommendedtohaveadedicatedQlikSenseEngineService
(QES)thatisusedspecificallyfortheQlikManagementConsole(QMC)andnotforthehub.
QlikSensePrintingService
Withinamulti-nodesite,oneinstanceoftheQlikSensePrintingService(QPR)runsoneachnode.
Exportrequestsfromclientsaredirectedtotheprintingservicesinthemulti-nodesiteusingroundrobinload
balancing.Forexample,ifthefirstexportrequestisloadbalancedtotheQPRonnode1,thesecondexport
requestisloadbalancedtotheQPRonnode2,andsoon.
39
3 Deployment
QlikSenseServiceDispatcher
BrokerService
TheBrokerServiceactsasanintermediarybetweenservicesstartedbytheQlikSenseServiceDispatcher
(QSD).
TheserviceislaunchedandmanagedbytheQlikSenseServiceDispatcher(QSD)whenrequired.
DataProfilingService
TheDataProfilingServicecommunicatesdirectlywiththeQlikSenseEngineService(QES)onthenode.
TheserviceislaunchedandmanagedbytheQlikSenseServiceDispatcher(QSD)whenrequired.
HubService
TheHubServicecontrolswhichcontentauserisallowedtosee.
TheserviceislaunchedandmanagedbytheQlikSenseServiceDispatcher(QSD)whenrequired.
MigrationService
TheMigrationServiceonlyrunsonthecentralnodeinasite.
TheserviceislaunchedandmanagedbytheQlikSenseServiceDispatcher(QSD)whenrequired.
Guidelinesfordeployingmulti-nodesites
Thissectionprovidesguidanceonwhattoconsiderwhenplanninganddesigningmulti-nodesites.
Planningyourdeployment
Whenplanningthedeploymentofamulti-nodesitetheareasdescribedinthissectionneedtobe
investigated.
Amountofcontenttosynchronize
Eachnodethatservesanappneedsacopyoftheentiredatamodellocallybeforeitcanallowusersaccess.
Eachtimetheappisreloadedthechangeddataissynchronized.
Thismeansthatthefactorsthataffectthetotalvolumetosynchronizeare:
l Thenumberofapps
l Thesizeoftheapps
l Thereloadfrequencyoftheapps(andspreadovertime)
Multipleappscanbesynchronizedsimultaneously.Ifanappisreloadedfasterthanitcanbesynchronizedto
theothernodes,thesynchronizationiscanceledandstartsover.
Basedontheinformationabove,itispossibletocalculatetheamountofdatathatneedstobesynchronized
eachhour.Thishastobecomparedtotheamountofdatathatcanbemovedeachhour,whichisaffectedby
factorssuchasnetworkspeed,thenumberofnodes,andtheQlikSensesoftwareitself.
40
3 Deployment
QVD files are not included in the synchronization and should not be considered as part of the
total.
Numberofnodes
Thenumberofnodesneededinamulti-nodesitedependsonwhetheryouwanttospreadtheloadover
fewer,butlarger,serversorovermore,butsmaller,servers.BecauseofthesynchronizationinQlikSense
usingfewer,butlarger,serversrequireslesssynchronizationtraffic.Theroleofeachserveralsoneedstobe
considered.
Deploymenttopology
QlikSenseisflexiblewhenitcomestohowthenodesarelaidoutandsupportsdifferentneedsforscale,
security,geography,andresilience.Inaddition,thesynchronizationrulescanbeusedtoconfiguretheroleof
eachnodeandthecontentthatitservestotheusers.Therequirementsforthisshouldbeidentifiedwhen
planningthetopologyofthedeployment.
Recommendeddeploymentprinciples
Itisrecommendedtoconsidertheprinciplesdescribedinthissectionwhenplanningthedeploymentofa
multi-nodesite.
Dedicatedrolesperserver
Itisrecommendedtogiveeachnodeaspecificrolewithinthedeploymentasthisallowsforbetterplanningof
resourcesandensuresconsistentperformancefortheusers.Forexample,specifyifanodeistorun
scheduledreloadsorservecontenttousers.
Dedicatedhardwareforthecentralnode(largedeploymentsonly)
Inlargemulti-nodesites,thecentralnodetakesontheloadofdistributingcontenttotherimnodes.
Dependingontheusage,itmaybegoodtodedicateresourcesforthecentralnode,sothatitdoesnothave
tocompeteforresourceswithuserorreloadtraffic.Theserverusedforthecentralnodecouldalsobea
candidateforvirtualization.
Appdevelopment
AppscanbedevelopedusingQlikSenseDesktoporinaQlikSenseserverenvironment.Thelatterprovides
advantagesintermsofdatagovernance,security,performance,andcollaboration.
Thedevelopmentofappsinvolvesbuildingloadscriptsandrunningreloadswhilebuildingthedatamodeland
assemblingtheuserinterface.Aseachiterationofchangesmadetoanappissynchronizedtotheother
nodes,asignificantloadcanbegeneratedonthesynchronizationprocess,especiallyiftheappislargeor
reloadedoften.Itisthereforerecommendedtocarefullychoosethenodesusedfordevelopmentandavoid
synchronizationofcontentthatdoesnotneedtobeprocesseduntiltheappisfinalized.
Therearetwowaystohandleappdevelopmentinamulti-nodesite:
l Isolatethedevelopmentactivitiesontoadedicateddevelopmentnodewithinaproductionsite.
l Specifyadedicatedsitefordevelopmentactivities.Theadvantageofthisapproachisthatitallowsan
organizationtofollowtheirpreferredprocessfortestingandreleasingnewapps.
41
3 Deployment
Iftheappdevelopmentisespeciallyintensive,itisrecommendedtouseadedicateddevelopmentsite.
It is primarily the reload of apps in development that needs to be considered. Adding the user
interface elements only has a minor effect on the synchronization of content.
Synchronizeonlywhatisneeded
Synchronizationrulescanbeusedtosignificantlyreducetheamountofdatatraffic.Forexample,an
unpublishedappthatisonlyusedbyadeveloperdoesnothavetobesynchronizedtonodesthatonlyserve
publishedappstoendusers.Inaddition,appsthatonlyreloadQVDfilesdonotneedtobesynchronized.
Networkspeedandgeographicdeployments
Theabilitytomoveappcontentinareasonabletimeisaffectedbythenetworkspeed.Thebetterthe
throughput,thefasterthesynchronizationcanbe.Forbestresults,thenodesshouldbeonthesamenetwork
or,ifinseparatedatacenters,connectedbyLANlikenetworkconnections.
Ifthenodesaregeographicallydispersedandonslowernetworks,thesynchronizationwillbeslower.This
mayalsoslowdownthesynchronizationofnodesthatareonfasterconnections.Inthiscase,thevolumeand
frequencyofthedatatosynchronizeneedtobeconsidered.
If the data is changed faster than the network or software can synchronize it to other nodes (for
example, by reloading again before the synchronization completes), the synchronization is
canceled. This may lead to nodes never being updated or synchronization queues that may
affect the user experience.
Deploymentsize
Thesize(thatis,thenumberofnodes)ofadeploymentdependsofthefollowingfactors:
l Theamountofdatatomove(perhour)
l Thenumberofnodesthatneedtoreceivethedata
l Thenetworkspeedavailabletotransferthecontent
l SomeoverheadforthesoftwareandavailableCPU
Itcanbedifficulttodefinethenumberofnodesorpossibledatatransferability,butthefollowingshouldbe
considered:
l Lessdata+fastnetwork=Youcanhavemorenodesandthesynchronizationtimewillbeshort
l Morenodes+slownetwork=Lessdatacanbesynchronizedwithoutdelays
Examples:
l Moving5GBofcontent(forexample,reloadedapps)orlessinanhourbetweeneightserversona
typicalcorporatenetworkshouldresultinquickupdatestothecontent.
l Movingasingle12GBappbetweentennodesonatypicalcorporatenetworkmaytakeupto30
minutes.Thismeansthatappsofthissizeshouldnotreloadfrequently.
42
3 Deployment
Exampledeploymentscenarios
Thissectionprovidesexamplesofhowmulti-nodesitescanbedeployed.
Thefollowingtermsareusedinthescenarios:
l Centralnode:Thenodethatisresponsibleformanagementactivitiesandsynchronization.
l Reload/schedulernode:Anodethatreloadsappsonaschedule,butservesnocontenttousers.
l Consumenode:Anodethatservesappstousers,butisnotusedtocreate,process,orreloaddata.
l Developmentnode:Anodethatallowsuserstocreateandreloadnewapps,butdoesnotserve
normalconsumertraffic.
l Proxynode:Anodethatprovidesloadbalancingofusertraffictoothernodes.Thisnodedoesnot
containaQlikSenseEngineService(QES).
An alternative to use a proxy node is to have a proxy installed on each consume node
and balance the traffic using a hardware load balancer.
Multi-nodescenario:Productiondeployment
Thisscenariodescribeshowtosetupatypicalinternalproductiondeployment,whichprovidestheabilityto
scaleupbothreloadsanduserload.
Nodelayout
Eachnodewithinthesiteonlycontainstheservicesanddatathatitneedstoperformitsrole.
Servicesoneachnode
ThetablebelowliststheQlikSenseservicesthataredeployedoneachnodeinthesite.
43
3 Deployment
Qlik Sense
Qlik Sense
Engine
Scheduler
Service
Service
Reload/scheduler x
node(s)
Consumenode
(s)
Proxynode
Node name
Service (mandatory)
Centralnode
Qlik Sense
Proxy Service
The table does not list Qlik Sense services that are deployed automatically on nodes, for
example, the Qlik Sense Printing Service (QPR) and the Qlik Sense Service Dispatcher
(QSD).
Configurationsteps
Basic installation
Proceedasfollowstoperformthebasicinstallation:
1. Startingwiththecentralnode,installtheQlikSensesoftwareandservicesasdescribedinthetable
above.
See:InstallandupgradeQlikSense
2. AddeachrimnodeviatheQlikManagementConsole(QMC)onthecentralnode.
See:ManageQlikSensesites
3. Whenallrimnodeshavebeenadded,checkthattheyaredisplayedasbeingonlineintheQMConthe
centralnode.
Load balancing
Proceedasfollowstoconfiguretheloadbalancing:
1. SelectVirtual proxiesintheQlikManagementConsoleonthecentralnode.
2. Editthesettingsfortheproxynode.
UnderLoad balancing nodes,specifythattheconsumenodesshouldbeused.
3. Checkthatthehubisaccessibleontheproxynode.Inaddition,checkthatthehubliststheapps.
44
3 Deployment
Qlik Sense Scheduler Service
ProceedasfollowstoconfiguretheQlikSenseSchedulerService(QSS):
l ConfiguretheQSSonthecentralnodetorunasmasteronly(thatis,donotrunreloadsonthecentral
node).Thereloadnodeshouldbesetasslave,whichmeansitwillhandleallreloads.
Multi-nodescenario:Productiondeploymentallowingdevelopment
Thisscenariodescribeshowtosetupatypicalinternalproductiondeploymentthatallowsappdevelopment
ondedicatednodesandusessynchronizationrulestoreducethesynchronizationtraffic.
Bothreloadsanduserloadcanbescaledup.Additionaldeveloper,reload,consume,andproxynodescanbe
addedaslongasthetotalnumberisinlinewiththerecommendations.
The synchronization rules described in this section are just examples. The exact approach
depends on the deployment needs.
Nodelayout
Eachnodewithinthesiteonlycontainstheservicesanddatathatitneedstoperformitsrole.
45
3 Deployment
Servicesoneachnode
ThetablebelowliststheQlikSenseservicesthataredeployedoneachnodeinthesite.
Qlik Sense
Qlik Sense
Engine
Scheduler
Service
Service
Reload/scheduler x
node(s)
Consumenode
(s)
Proxynode
Development
node
Node name
Centralnode
Qlik Sense
Proxy Service
The table does not list Qlik Sense services that are deployed automatically on nodes, for
example, the Qlik Sense Printing Service (QPR) and the Qlik Sense Service Dispatcher
(QSD).
46
3 Deployment
Configurationsteps
Basic installation
Proceedasfollowstoperformthebasicinstallation:
1. Startingwiththecentralnode,installtheQlikSensesoftwareandservicesasdescribedinthetable
above.
See:InstallandupgradeQlikSense
2. AddeachrimnodeviatheQlikManagementConsole(QMC)onthecentralnode.
See:ManageQlikSensesites
Specify the consume nodes to be Production nodes and the development node to be a
Development node.
3. Whenallrimnodeshavebeenadded,checkthattheyaredisplayedasbeingonlineintheQMConthe
centralnode.
DEVprefixalsomeansthatthedevelopmenttrafficcanbehandleddifferentlycomparedtothenormaluser
traffic.
Proceedasfollowstoconfiguretheloadbalancing:
1. SelectProxiesintheQlikManagementConsole(QMC)onthecentralnode.
2. Editthesettingsfortheproxynode.
3. SelectVirtual proxies,clickAdd,andthenselectCreate new.
4. ProvideadescriptionandtheDEVprefix.Ascookienameshavetobeunique,addDEVtotheendof
thesessioncookiefield.
5. UnderLoad balancing nodes,specifythatthedevelopmentnodeshouldbeused.
47
3 Deployment
6. CheckthatthedevelopmentnodeisavailableusingthefollowingURL:
https://<server address>/DEV/hub
Configuring custom properties
Custompropertiescanbeusedinthesynchronizationrulestodictatethenodestowhichtosynchronizeapps.
Proceedasfollowstoconfigurethecustomproperties:
1. SelectCustom propertiesintheQlikManagementConsole(QMC).
2. Addthefollowingcustomproperty:
l Name:NodeType
l Resource types:Nodes
l Values:Dev,Consume,Reload
3. SelectNodesintheQMC.
4. Foreachnodeinthesite,settheappropriatevalueforNodeTypeunderCustom properties.
48
3 Deployment
synchronizeittoanodewiththeNodeTypesettoDev.
d. Browsetothedevelopmentnodeproxyandchecktheresults.
2. Createaruletosynchronizepublishedappstotheconsumenodes:
a. CreateanewsynchronizationruleintheQMC.
b. Namethenewrulepublished apps to consumer nodesandthenselecttheAdvancedoption.
c. EnterthefollowingintheConditionsfieldandthensavetherule:
(node.@NodeType="Reload")
TheconditionstatesthatiftheNodeTypeissettoReload,allappsaresynchronizedtothe
node.
Tolimitthetraffictothesenodes,applycustompropertiestotheappsthatshouldbe
synchronizedtothenodes.Forexample,createacustompropertycalledapptypeandusea
rulelikethefollowing:
(node.@NodeType="Reload" and (resource.@AppType="QVDLoader" or
!resource.stream.name.Empty()))
ThisrulesynchronizesallpublishedappsandappstaggedasQVDloaders(thatis,alltheapps
torunscheduledreloadson)tothereloadnodes.
Qlik Sense Scheduler Service
ProceedasfollowstoconfiguretheQlikSenseSchedulerService(QSS):
l ConfiguretheQSSonthecentralnodetorunasmasteronly(thatis,donotrunreloadsonthecentral
node).Thereloadnodeshouldbesetasslave,whichmeansitwillhandleallreloads.
49
3 Deployment
Becauseofthewaymulti-nodeenvironmentsaresynchronizedandthewaylogsarearchived,theresultsof
reloadsmaynotbecompletelycurrent.ReloadsincludealllogsfromtheArchivedLogFolderfolderonthe
centralnodeandtheactive.txtlogfilesstoredintheSense\Logfolderonthecentralnode.
Multi-nodescenario:Developmentsite
Thisscenarioplacesthedevelopmentofappsontodedicatedresources.Thenumberofnodescanbe
adjustedtosupporttheamountofdevelopmentactivity(forexample,asinglenodecanbeused).
Ifmorethanonedevelopmentnodeisused,theycanbeloadbalancedusingaproxynode.However,when
creatinganewapptherecanbeashortdelaybeforetheappisaddedonallnodes,whichmeansthatthe
usersmayberoutedtoanodethathasnotyetreceivedthenewapp.
Nodelayout
Eachnodewithinthesiteonlycontainstheservicesanddatathatitneedstoperformitsrole.
Servicesoneachnode
ThetablebelowliststheQlikSenseservicesthataredeployedoneachnodeinthesite.
Node name
Centralnode
Qlik Sense
Service (mandatory)
Engine Service
Qlik Sense
Scheduler
Service
x
Qlik Sense
Proxy Service
x
50
3 Deployment
Node name
Qlik Sense
Service (mandatory)
Engine Service
Development x
node(s)
Qlik Sense
Scheduler
Service
Qlik Sense
Proxy Service
x
The table does not list Qlik Sense services that are deployed automatically on nodes, for
example, the Qlik Sense Printing Service (QPR) and the Qlik Sense Service Dispatcher
(QSD).
Configurationsteps
Basic installation
Proceedasfollowstoperformthebasicinstallation:
1. Startingwiththecentralnode,installtheQlikSensesoftwareandservicesasdescribedinthetable
above.
See:InstallandupgradeQlikSense
2. AddeachrimnodeviatheQlikManagementConsole(QMC)onthecentralnode.
See:ManageQlikSensesites
3. Whenallrimnodeshavebeenadded,checkthattheyaredisplayedasbeingonlineintheQMConthe
centralnode.
Load balancing
Proceedasfollowstoconfiguretheloadbalancing:
1. SelectVirtual proxiesintheQlikManagementConsoleonthecentralnode.
2. Editthesettingsfortheproxynode.
UnderLoad balancing nodes,specifythatthelocalQlikSenseEngineService(QES)shouldbe
usedforeachproxy.
3. Checkthatthehubisaccessibleonthedevelopmentnodes.Inaddition,checkthatthehubliststhe
appsonthenodesandthatnewappscanbecreated.
Multi-nodescenario:Geographicallydispersedsite
Thisscenarioprovidesguidelinesforhowtoplangeographicallydispersedsiteswheresynchronizationhasto
beperformedacrosstwoormoreregions.
Nodelayout
Inthisexample,thegeographicallydispersedsiteissetupasfollows:
51
3 Deployment
l Thesiteconsistsofnodesintwogeographicalregions.ThecentralnodeislocatedinregionA.
l Usersfrombothregionsaccessappsinthesite:
l Greenappsareaccessedbyallusers.
l BlueappsareonlyaccessedbyusersinregionB.
l Yellowappsareaccessedbyallusers.
l Theappsarecharacterizedbythefollowing:
l Greenandblueappsarelargeappswherethesourcedataislocatedintherespectiveregion.
l Yellowappsareeithersmallorfairlystatic(thatis,theyarenotreloadedoften).
Green apps
Thegreenappsarelargeenoughtoimpactthenetworktrafficduringthesynchronization.Itisthereforea
goodideatoplacethemclosetothedatasourcetoavoidsynchronizationacrossregions.Whenusersfrom
regionBaccessthegreenapps,theyareroutedthroughtheproxytotheAregion.
Blue apps
Thegreenandblueapps-thelargeapps-shouldbeplacedonnodesclosetothedatasourcetoavoid
synchronizationacrossregions.However,asallappsmustbeavailableonthecentralnode,some
synchronizationacrossregionsisneededfortheblueapps.
ThetotaltimeneededfortheblueappstobecomeavailableonthenodesinregionBwillbelongerthanthe
timeneededforthegreenappstobecomeavailableonthenodesinregionA.Thisisbecauseofthewaythat
thesynchronizationworks:
52
3 Deployment
1. Asynchronizationoftheupdateddataisinitializedwhenareloadoperationfinishes.
2. Assoonassomesegmentsoftheupdateddataareavailableonthecentralnode,thenodesinregion
Bcanfetchthosesegments.
3. Assynchronizationacrossregions(forexample,betweenEuropeandNorthAmerica)takeslonger
timethanfetchingdatafromnearbynodes,thetimeneededtosynchronizeanappincreasesandthe
centralnodebecomesabottleneck.
Thisisnotaproblemwhensynchronizingthegreenappsasalldatasegmentstosynchronizeare
availableonnearbynodesinthesameregion.
Yellow apps
Thetimeneededtosynchronizetheyellowappsisshortastheyareeithersmallornotreloadedveryoften,
whichmeansthattheirimpactonthenetworktrafficislow.Theyellowappscanthereforebelocatedon
nodesclosetotheusers,minimizingthetimeittakestoaccesstheapps.
Guidelines
Dependingonthenetworkcapacityandtheappreloadfrequency,thebestconfigurationmaydiffer.
However,thefollowingguidelinesshouldbetakenintoconsiderationwhendeployingageographically
dispersedsite:
l Sendaslittledataaspossibleoverthenetworkandtrytoavoidbottleneckswhenthenetworkcapacity
orbandwidthislow.
l Appsthataresmallorarenotreloadedtoooftencanbelocatedonanyorallnodesastheydonot
significantlyimpactthesynchronizationperformanceortheuseraccesstotheapps.
l Performreloadswherethesourcedatais.
l Ifanappisverylargeorneedstobereloadoften,keeptheappclosetoitsdatasourceandonthe
localnetwork.Directanyusertrafficfromaremoteproxyacrossthewideareanetwork.
l Inessence,configurethesitesoaslittleaspossiblebinarydataisshuffledaroundinthenetwork.
53
Backingupandrestoring
ThissectiondescribeshowtobackupandrestoreQlikSensesitesandcertificatesandhowtomoveanode
toanewmachine.
4.1 Backingupandrestoringasite
ThissectiondescribeshowtobackupandrestoreaQlikSensesite.Thiscanbedonemanuallyorusingthe
RepositorySnapshotManager(RSM):
l Manually:SeeBacking up a site manually (page 54)andRestoring a site manually (page 56)
l UsingtheRSM:SeeUsing the Repository Snapshot Manager (page 59)
These instructions define the minimum steps required. The use of specific backup software
may further extend the options for backup and restore.
Inasinglenodesite,thesinglenodeisreferredtoasthecentralnode.
Inamulti-nodesite,thecentralnodeisthemasterrecordthatcontainsalldataaboutthesite.Therimnodes
inthemulti-nodesitecontaineitherafullcopyoralimitedsubsetofthedata,whichismaintainedbythe
synchronizationmechanism.Thismeansthatthecentralnodeistheonlynodethatneedstobebackedupin
ordertokeepthedataandconfigurationsafe.Therimnodescanberestoredbysimplyre-addingthemas
newnodes,sincetheywillhavetheirdatarestoredbythesynchronizationmechanism.
Rimnodesmaintainlocallogfilesthatmaybeworthbackingupinordertoidentifyandinvestigateissues.It
mayalsobeworthbackingupanygeneraloperatingsystemdatathatmayberequired.
See also:
p
p
Backingupasitemanually
ThissectiondescribeshowtobackupaQlikSensesiteinadefaultinstallationwhereaPostgreSQL
databaseisusedastherepositorydatabase.
The instructions in this section are only applicable to the central node of a Qlik Sense site.
See: Backing up and restoring a site (page 54)
TheproceduredescribedinthissectioncanalsobeperformedusingtheRepositorySnapshotManager
(RSM).
See:Using the Repository Snapshot Manager (page 59)
54
Backupprocedure
ProceedasfollowstobackupaQlikSensesite:
1. MakeabackupofthecertificatesusedtosecuretheQlikSenseservices.Thisonlyneedstobedone
once.
See:Backing up certificates (page 65)
2. StopallQlikSenseservicesexcepttheQlikSenseRepositoryDatabase(QRD).
3. Makeabackupoftherepositorydatabase:
a. OpenaCommandPromptwithadministratorprivilegesinMicrosoftWindows.
b. Produceadumpfilefortherepositorydatabase(thatis,asinglefilefortheentiredatabase):
i. Navigatetotheinstallationlocation:
cd "<Path>\Qlik\Sense\Repository\PostgreSQL\<database version>\bin"
ii. pg_dump.exe -h localhost -p 4432 -U postgres -b -F t -f "c:\QSR_backup.tar" QSR
IfyouarepromptedforthePostgreSQLsuperuserpassword,enterthepasswordthat
wasgivenduringtheinstallationofQlikSense.
To avoid being prompted for the password (for example, if you want to
automate the Qlik Sense backup process), you can use the pgpass
functionality in PostgreSQL. See the PostgreSQL documentation for
more information.
iii. Makeabackupofthedumpfilefortherepositorydatabase.
4. Makeabackupofthefollowingfolders:
l %ProgramData%\Qlik\Sense\Log
l %ProgramData%\Qlik\Sense\Apps
l %ProgramData%\Qlik\Sense\Repository\Content
l %ProgramData%\Qlik\Sense\Repository\Extensions
l %ProgramData%\Qlik\Sense\Repository\AppContent(ifavailable)
55
The user that installs and runs the Qlik Sense services must be local administrator on
the machine.
a. QlikSenseRepositoryService(QRS)
b. QlikSenseProxyService(QPS),QlikSenseEngineService(QES),QlikSenseScheduler
Service(QSS),QlikSensePrintingService(QPR),andQlikSenseServiceDispatcher(QSD)
innospecificorder
TheorderisimportantbecausetheQRSisdependentontheQRDandtherestoftheservicesare
dependentontheQRS.
See also:
p
Restoringasitemanually
ThissectiondescribeshowtorestoreaQlikSensesiteinadefaultinstallationwhereaPostgreSQLdatabase
isusedastherepositorydatabase.
The instructions in this section are only applicable to the central node of a Qlik Sense site.
See: Backing up and restoring a site (page 54)
TheproceduredescribedinthissectioncanalsobeperformedusingtheRepositorySnapshotManager
(RSM).
See:Using the Repository Snapshot Manager (page 59)
Itemstorestore
Thefollowingitemsneedtobeconsideredwhenrestoringasite:
l QlikSensesoftware
l Repositorydatabase:Thedatabasecontainsallconfigurationdataforthesite.
l CertificatesfortheQlikSenseservices:Thecertificatesareusedtoencryptthetrafficbetweenthe
servicesandtheusers.Makesuretobackupthecertificatesinordernottoloseanyencrypteddata
(forexample,passwordsfordataconnections).
l Logdata
l Applicationdata:ThedatamodelsintheQlikSenseapps.
l Anycontentthatsupportstheapps(forexample,QVDfiles)
56
A restore can occur onto a machine with a different name than the one from which the
data was backed up. However, if the machine is a central node in a multi-node site,
changing the machine name requires all rim nodes to be reset, which means that the
nodes will have to be re-added.
Make sure to deselect Start the Qlik Sense services when the installation has
completed during the installation setup. If the services are started, new certificates and
a new repository database are created and they must be removed before proceeding
with the restore procedure.
2. RestorethecertificatesusedtosecuretheQlikSenseservices.
See:Restoring certificates (page 75)
Do not start the Qlik Sense services at the end of the Restoring certificates (page 75)
procedure.
3. StarttheQlikSenseRepositoryDatabase(QRD).
4. Restoretherepositorydatabase:
a. Placethebackeduprepositorydatabaseonthemachinetargetedfortherestore.
b. OpenaCommandPromptwithadministratorprivilegesinMicrosoftWindows.
c. Runthefollowingcommandstorestoretherepositorydatabase(adjustthepathsasneeded):
i. cd "C:\Program Files\Qlik\Sense\Repository\PostgreSQL\<database version>\bin"
ii. createdb -h localhost -p 4432 -U postgres -T template0 QSR
Ifthecommandfailsbecauseadatabasealreadyexists,runthefollowingcommand
andthenrepeatthecreatedbcommand:
dropdb -h localhost -p 4432 -U postgres QSR
iii. pg_restore.exe -h localhost -p 4432 -U postgres -d QSR "c:\QSR_backup.tar"
5. Restorethecontenttothefollowingfolders:
57
The user that installs and runs the Qlik Sense services must be local administrator on
the machine.
a. QlikSenseRepositoryService(QRS)
b. QlikSenseProxyService(QPS),QlikSenseEngineService(QES),QlikSenseScheduler
Service(QSS),QlikSensePrintingService(QPR),andQlikSenseServiceDispatcher(QSD)
innospecificorder
TheorderisimportantbecausetheQRSisdependentontheQRDandtherestoftheservicesare
dependentontheQRS.
8. Ifyouarerestoringamulti-nodesite,youmustdetermineifthecontentontherimnodesshouldbe
kept:
data foldersoptionselected.
3. Ontherimnode,installQlikSenseagain.
4. IntheQMConthecentralnode,addthenewlyinstalledrimnodetothesiteusingthe
normalprocedure.
l Ifarimnodecontainsdatathata)wasaddedafterthebackup,andb)isstillrequiredtobe
kept,thenthesynchronizationprocessneedstobenotifiedtoresendthemissingdatafromthe
rimnodetotherestoredcentralnode.
Ontherimnode,connecttotheQRSAPIandcallthePOST /qrs/sync/snapshot/restore
endpointwithoutanyparametersorbody.ThisendpointinstructstheQlikSenseRepository
Service(QRS)topushdatabacktothecentralnode.
58
See also:
p
UsingtheRepositorySnapshotManager
TheRepositorySnapshotManager(RSM)automatesthemanualbackupandrestoreproceduresdescribed
inthefollowingsections:
p Backing up a site manually (page 54)
p Restoring a site manually (page 56)
Requirements
Systemdowntime
Thebackupandrestoreoperationsrequiresystemdowntime.Theamountoftimeneededtobackupor
restoreasitedependsonthenumberofapps,theirsize,andthenumberofothersupportingcontentfiles,
suchasQVDfilesandscripts.
Location
TheRSMisavailablein%ProgramFiles%\Qlik\Sense\Repository\Util\RepositorySnapshotManagerafter
installationoftheQlikSensesoftware.
WerecommendthatyoucopytheRSMtoanotherfolderandrunitfromthereforbothbackupandrestore
operations,sincetheRSMlogfilesarestoredinthefolderfromwhichtheRSMruns.
See:Log files (page 64)
User
TheuserwhorunstheRSMmustbethesameastheuserwhorunstheQlikSenseservices.
Arguments
ThissectiondescribestheargumentstopasstotheRSMwhenbackinguporrestoringaQlikSensesite.
Backup
ThesyntaxoftheRSMwhenbackingupaQlikSensesiteisasfollows:
59
Mandatory
Description
-<Operation>
Yes
Typeofoperation.Forbackup,
theargumentis-backup.
-path
Yes
Pathtothefolderwhereto
storethebackup.
-ver
Optional,onlyneedediftheautomatic
versioncheckfails
QlikSenseproductversion
runningatthetimeofthe
backup(forexample,2.2.0).
supportingContentLocation
Optional,onlyneededifthereis
supportingcontenttoincludeinthe
backup
Pathtothefolderinwhich
supportingcontentforyourQlik
Sensesiteisstored.
-certificatePassword
Optional,onlyneededifyouwantto
password-protectthecertificatesinthe
backup
Passwordusedtoprotectthe
certificatesinthebackup.
-databasePassword
Optional,onlyneededifapasswordwas
assignedtotherepositorydatabase
duringtheinstallationoftheQlikSense
software
Passwordassignedtothe
repositorydatabaseduringthe
installationoftheQlikSense
software.
See:Known issues (page 64)
-f
Optional,onlyneededifyouwanttorun
thebackupoperationsilently
Silentbackup.Werecommend
thatyoutestyourbackup
operationbeforeusingthis
argument.
-h(or-help)
Notapplicable
Displayinformationonthe
RSM.
This argument is
not used to run an
operation.
Restore
ThesyntaxoftheRSMwhenrestoringaQlikSensesiteisasfollows:
60
Mandatory
Description
-<Operation>
Yes
Typeofoperation.Forrestore,theargumentis
-restore.
-path
Yes
Pathtothebackupfolderfromwhichtorestore
theQlikSensesite.
-installer
Yes
PathtothefolderinwhichtheQlikSense
installerislocated.
supportingContentLocation
Optional,onlyneededif
supportingcontentisto
berestoredtoanother
locationthanfromwhich
itwasbackedup
Pathtotherestorelocationforthesupporting
content.Ifthisargumentisleftout,the
supportingcontentisrestoredtothelocation
fromwhichitwasbackedup.
-certificatePassword
Optional,onlyneededif
thecertificateswere
password-protected
duringthebackup
Passwordthatwasusedtoprotectthe
certificatesinthebackup.
-databasePassword
Optional,onlyneededif
youwanttopasswordprotecttherepository
database
Passwordusedtoprotecttherepository
database.
-u
Optional,onlyneededif
anotheruseraccount
thanthelocalservice
accountistobeusedto
restoreandstarttheQlik
Sensesoftware
Useronthehostwithadministrativeprivileges
forthedomain(forexample,COMPANY_
DOMAIN\USER).Ifnousercredentialsare
provided,theQlikSensesoftwarewillbe
restoredandstartedusingthelocalservice
accountcredentials.
-p
Optional,onlyneededif
anotheruseraccount
thanthelocalservice
accountistobeusedto
restoreandstarttheQlik
Sensesoftware
Passwordfortheuserassociatedwiththe
domain.Ifnousercredentialsareprovided,the
QlikSensesoftwarewillberestoredandstarted
usingthelocalserviceaccountcredentials.
-installdir
Optional,onlyneededif
youwanttorestorethe
QlikSensesoftwareto
anotherfolderthanthe
defaultinstallation
directory
PathtothefolderinwhichtorestoretheQlik
Sensesoftware.Ifthisargumentisleftout,the
defaultinstallationdirectoryisused.
61
Mandatory
Description
-h(or-help)
Notapplicable
DisplayinformationontheRSM.
Procedures
Backup
ProceedasfollowstobackupaQlikSensesiteusingtheRSM:
1. MakesurethattheQlikSensesiteisfullyoperational.
2. Scheduleandprepareasystemmaintenancewindowwithenoughdowntime.
3. Prepareabasebackupfolder(forexample,F:\Qlik\Backups).
4. IftheQlikSenserepositorydatabaseispassword-protected,makesurethatyouhavethepassword
available.
See:Known issues (page 64)
5. Ifyouwanttopassword-protectyourcertificates,makesuretopassthepasswordasanargumentto
theRSM.
6. Gatherallsupportingcontent.Allsuchcontent(forexample,QVDfiles,scripts,andotherfiles)must
bestoredinonelocationonthehostwheretheRSMwillbeexecuted.Createafolder(forexample,
F:\Qlik\Additional\Files)andplacethesupportingcontentinthatfolder.
7. RuntheRSMandperformthebackupoperation.
8. Waitforthebackupoperationtofinishandreviewthelogfiles.
See:Log files (page 64)
9. ManuallyverifyyourbackupbeforestartingautomatedbackupsusingtheRSM.
Example: Backing up a site with a database password and supporting content (additional files)
RepositorySnapshotManager.exe -backup -path=F:\Qlik\Backups supportingContentLocation=F:\Qlik\Additional\QVDFiles -databasePassword=dfgg45Fr800
You may need to provide quotes ("") around certain arguments for the command shell to
interpret the arguments correctly. For example, if you have "&|<" or similar characters in a
password, the entire password must be surrounded by quotes. This means that a password
like test#% must be passed to the RSM as "test#%". In addition, do not use a backslash at the
end of paths as this may invalidate the final quote.
Restore
ProceedasfollowstorestoreaQlikSensesiteusingtheRSM:
62
12.57.10-Z.backup).
4. Ifyouwanttopassword-protectyourrepositorydatabase,makesuretopassthepasswordasan
argumenttotheRSM.
5. Ifyoupassword-protectedyourcertificatesduringthebackup,makesuretopassthepasswordasan
argumenttotheRSM.
6. RuntheRSMandperformtherestoreoperation.
7. Waitfortherestoreoperationtofinishandreviewthelogfiles.
During a restore operation a command prompt may open with the results from the
database restore operations. Errors indicating that the object to drop did not exist can
safely be ignored.
If the restore operation is performed on a multi-node site, the log file should contain the
text "snapshot/restore has been invoked on <host> (ok)" for each rim node. Verify that
any content created on those rim nodes after the backup set was created is
synchronized to the central node.
8. TesttheQlikSensesite(forexample,openthehub,reloadanapp,openasheet,etc).
9. Ifthesystemismalfunctioningaftertherestoreoperation,contactQlikSupportandprovidealllog
filesinthelogsfolder.
See:Log files (page 64)
63
You may need to provide quotes ("") around certain arguments for the command shell to
interpret the arguments correctly. For example, if you have "&|<" or similar characters in a
password, the entire password must be surrounded by quotes. This means that a password
like test#% must be passed to the RSM as "test#%". In addition, do not use a backslash at the
end of paths as this may invalidate the final quote.
Logfiles
TheRSMlogsthebackupandrestoreoperationsinasub-folder,logs,ofthefolderinwhichtheRSMruns.If
theRSMcannotcreatethesub-folderinthecurrentworkingfolder,thesub-folderiscreatedintheWindows
tempfolder(typicallyC:\Windows\Temp)instead.
Makesuretoalwayscheckthelogfolderafterabackuporrestoreoperation,whethertheoperationwas
successfulornot.
If the restore operation is performed on a multi-node site, the log file should contain the text
"snapshot/restore has been invoked on <host> (ok)" for each rim node. Verify that any content
created on those rim nodes after the backup set was created is synchronized to the central
node.
Knownissues
Backupprocesscompletes"successfully"withwrongdatabasepassword
Ifthepasswordprovidedwiththe-databasePasswordargumentdoesnotmatchthepasswordofthe
repositorydatabase,theresultingbackupfilewillbeemptyeventhoughthebackupprocessappearstohave
finishedsuccessfully.YoumustthereforeverifythattheQSR_backup.tarfileintheDatabasefolderofyour
backupisnotempty.
Backupprocesshangsduring"Creatinglogincredentialsfilefordatabase..."
Therepositorydatabaseispassword-protected,butthe-databasePasswordargumentwasnotprovided.
Cannotstartserviceoncomputer
If"CannotstartserviceQlikSenseRepositoryDatabaseoncomputer"isreportedatthecommandpromptorin
thelogfile,itismostlikelyduetoproblemswiththeusercredentials(thatis,theusernameandpassword).
Thefollowingcircumstancesareknowntocausesuchproblems:
l TheQlikSensesoftwarewasinstalledwithusercredentials,butisrestoredwithoutthem.
l TheQlikSensesoftwarewasinstalledwithoutusercredentials,butisrestoredwiththem.
l Theusernameorpasswordcontainsspecialcharacters,suchas"&%$",andwasnotquotedduring
thebackuporrecoveryoperation.
l Theusernameorpasswordisincorrect.
l TheQlikSenseinstallerreturned"Unabletocreatesiblingprocess".
Ifthishappens,contactQlikSupport.
64
4.2 Backingupandrestoringcertificates
ItisrecommendedthatyoubackupthecertificatesonthecentralnodeinaQlikSensesitesothattheycan
berestored,ifneeded.
Thebackedupcertificatescanbeusedfordifferentpurposes:
l Restorethecertificatesonthesamenodeastheywereexportedfrom.
l Moveanodetoanothernodeinthesite.Thismeansthattherepositorydatabaseanditsassociated
cryptokeyarereusedonanothernode,butwithnewcertificatesforcommunication.
Backingupcertificates
ProceedasfollowstomakeabackupofthecertificatesonthecentralnodeinaQlikSensesite:
1. SelectStart> Run.
2. EntermmcandclickOK.
65
5. SelectComputer accountandclickNext.
66
7. Double-clickCertificates.
67
9. ClickOK.
68
13. ClickNext.
69
70
71
17. Enterandconfirmapassword.ThenclickNext.
Thepasswordisneededwhenimportingthecertificate.
72
18. Enterafilenameforthe.pfxfileandclickNext.
It is recommended to include the server name in the file name to avoid confusion with
other certificate files.
73
19. ClickFinish.
The.pfxfilethatcontainstheCAforallnodesintheQlikSensesiteisstoredintheselectedlocation.
74
20. Startingatstep11,repeattheprocedureandexporttheservercertificate(thatis,theSSLcertificate),
whichislocatedunderCertificates (Local Computer)> Personal> Certificates.Theserver
certificatea)hasthesamenameastheDomainNameSystem(DNS)nameofthemachine,andb)is
signedbytheCAforallnodesinthesite.
21. Startingatstep11,repeattheprocedureandexporttheclientcertificate(thatis,theIDoftheclient),
whichislocatedunderCertificates - Current User> Personal> Certificates.Theclientcertificateis
namedQlikClientandissignedbytheCAforallnodesinthesite.
22. ClosetheMMCconsole.
Nochangeshavetobesaved.
Restoringcertificates
Incaseofasystemcrash,thecertificatesmayhavetoberestoredonthecentralnodeintheQlikSensesite.
Proceedasfollowstorestorethecertificatesonthecentralnodeinasite:
1. OpentheTaskManagerinMicrosoftWindowsandstopallQlikSenseservicesexcepttheQlikSense
RepositoryDatabase(QRD)service.
75
If you are restoring the certificates as part of the Restoring a site manually (page 56)
procedure, skip this step.
2. SelectStart> Run.
3. EntermmcandclickOK.
6. SelectComputer accountandclickNext.
76
7. SelectLocal computerandclickFinish.
8. Double-clickCertificates.
77
10. ClickOK.
78
79
13. ClickNext.
14. BrowsetothefilethatcontainsthebackedupCertificateAuthority(CA)forallnodesinthesiteand
thenclickNext.TheCAisnamed<machine_that_issued_the_certificate>-CAbydefault.
80
15. Enterthepasswordforthe.pfxfile(thatis,thepasswordthatwasgivenwhenthefilewasexported).
16. SelectMark this key as exportableandInclude all extended properties.ThenclickNext.
81
82
18. ClickFinish.
83
Certification Authoritiesfolder.
20. Startingatstep11,repeattheprocedureandimporttheservercertificatetoCertificates (Local
If you are restoring the certificates as part of the Restoring a site manually (page 56)
procedure, do not start the Qlik Sense services.
The user that installs and runs the Qlik Sense services must be local administrator on
the machine.
84
4.3 Movinganode
AbackedupservercertificatecanbeusedtomoveanodeinaQlikSensesitetoanothernodeinthesame
sitebymovingtheexistingrepositorydatabaseanditsassociatedcryptokeytothenewnode.
Proceedasfollowstoinstallthecryptokeyfortherepositorydatabaseonanewnodeinthesite:
1. OpentheTaskManagerinMicrosoftWindowsandstopallQlikSenseservicesexcepttheQlikSense
RepositoryDatabase(QRD)service.
2. SelectStart> Run.
3. EntermmcandclickOK.
85
6. SelectComputer accountandclickNext.
7. SelectLocal computerandclickFinish.
86
8. ClickOK.
87
11. ClickNext.
88
12. Browsetothefilethatcontainsthebackedupservercertificate.Theservercertificatea)hasthesame
nameastheDomainNameSystem(DNS)nameofthemachine,andb)issignedbytheCAforall
nodesinthesite.ThenclickNext.
89
13. Enterthepasswordforthe.pfxfile(thatis,thepasswordthatwasgivenwhenthefilewasexported).
14. SelectMark this key as exportableandInclude all extended properties.ThenclickNext.
90
91
16. ClickFinish.
92
Personalfolder.
18. ClosetheMMCconsole.
Nochangeshavetobesaved.
19. StarttheQlikSenseservices.Iftheservicesarestartedmanually,starttheminthefollowingorder:
The user that installs and runs the Qlik Sense services must be local administrator on
the machine.
a. QlikSenseRepositoryService(QRS)
b. QlikSenseProxyService(QPS),QlikSenseEngineService(QES),QlikSenseScheduler
Service(QSS),QlikSensePrintingService(QPR),andQlikSenseServiceDispatcher(QSD)
innospecificorder
TheorderisimportantbecausetheQRSisdependentontheQRDandtherestoftheservicesare
dependentontheQRS.
See also:
p
93
5 Security
Security
ThesecurityinQlikSenseconsistsofthefollowingparts:
l Protectionoftheplatform:HowtheQlikSenseplatformitselfisprotectedandhowitcommunicates
andoperates.
l Authentication:Whoistheuserandhowcantheuserproveit?QlikSenseusesstandard
authenticationprotocols(forexample,IntegratedWindowsAuthentication),HTTPheaders,and
ticketingtoauthenticateeveryuserrequestingaccesstodata.
l Authorization:Whatdoestheuserhaveaccessto?Authorizationistheprocedureofgrantingor
denyingusersaccesstoresources.
5.1 Protectingtheplatform
ThesecurityinQlikSensedoesnotdependonlyontheQlikSensesoftware.Italsoreliesonthesecurityof
theenvironmentthatQlikSenseoperatesin.Thismeansthatthesecurityof,forexample,theoperating
systemandthecryptographicprotocols(suchasTLS/SSL)hastobesetupandconfiguredtoprovidethe
securityneededforQlikSense.
Thefigurebelowshowsthecomponentsthathavetobeconsideredinordertomaximizethesecurity.
Networksecurity
ForallQlikSensecomponentstocommunicatewitheachotherinasecureway,theyneedtobuildtrust.
94
5 Security
InQlikSense,allcommunicationbetweentheQlikSenseservicesandclientsisbasedonwebprotocols.The
webprotocolsuseTransportLayerSecurity(TLS)forencryptionandexchangeofinformationandkeysand
certificatesforauthenticationofthecommunicatingparties.
TLSprovidesawaytobuildencryptedtunnelsbetweenidentifiedserversorservices.Thepartiesthat
communicateareidentifiedusingcertificates.Eachtunnelneedstwocertificates;onetoprovetotheclient
thatitiscommunicatingwiththerightserverandonetoprovetotheserverthattheclientisallowedto
communicatewiththeserver.
So,howtomakesurethatthecertificatesarefromthesameQlikSensetrustzone?Allcertificatesthat
belongtoatrustzonearesignedwiththesamesignature.Ifthesignatureexistsinthecertificate,itis
acceptedasproofthatthecertificatebelongstothetrustzone.
Whentheprotectedtunnelsandthecorrectcertificatesareinplace,theQlikSenseserviceshaveatrustzone
tooperatewithin.Withinthetrustzone,onlyservicesthatbelongtothespecificQlikSensesitecan
communicatewitheachother.
TheQlikSenseclientsareconsideredtobeoutsideoftheQlikSensetrustzonebecausetheyoftenrunon
lesstrustedend-userdevices.TheQlikSenseProxyService(QPS)canbridgethetwozonesandallow
communicationbetweentheclientsandtheQlikSenseservices,iftheuserisauthenticatedtothesystem.
TLS-protectedtunnelscanbeusedtosecurethecommunicationbetweentheQlikSenseclientsandthe
QPS.AstheclientsareoutsideoftheQlikSensetrustzone,thecommunicationbetweentheclientsandthe
QPSusesacertificatewithadifferentsignaturethantheoneusedwithinthetrustzone.
See also:
p
95
5 Security
Serversecurity
QlikSenseusestheserveroperatingsystemtogainaccesstoresources.Theoperatingsystemprovidesa
securitysystemthatcontrolstheuseoftheserverresources(forexample,storage,memory,andCPU).Qlik
Senseusesthesecuritysystemcontrolstoprotectitsresources(forexample,files,memory,processes,and
certificates)ontheserver.
Throughtheuseofaccesscontrol,thesecuritysystemgrantsaccesstoQlikSensefiles(forexample,log
files,databasefiles,certificates,andapps)onlytocertainusersontheserver.
Thesecuritysystemalsoprotectstheservermemory,sothatonlyauthorizedprocessesareallowedtowrite
totheQlikSensepartofthememory.
Inaddition,thesecuritysystemisresponsibleforassigninguserstoprocesses.Thisisusedtorestrictwhois
allowedtointeractwiththeQlikSenseprocessesontheserver.Theprocessesarealsorestrictedintermsof
whichpartsoftheoperatingsystemtheyareallowedtoaccess.
96
5 Security
So,byusingthecontrolsinthesecuritysystem,asecureandprotectedenvironmentcanbeconfiguredfor
theQlikSenseprocessesandfiles.
Processsecurity
Eachprocessexecutesinanenvironmentthatposesdifferentthreatstotheprocess.Inthislayerofthe
securitymodel,thefocusisonensuringthatthesoftwareisrobustandthoroughlyanalyzedfromasecurity
perspective.
Ruggedsoftware
Forsoftwaretobeconsideredasrugged,itmustcopewithallpotentialthreatstotheconfidentiality,integrity,
andavailabilityoftheinformation,andberobustwhenusedinwaysnotanticipated.
SeveralmitigatingactionshavebeenimplementedintheQlikSensesoftwareinordertomakeitrugged:
l Authorizationofcommunicationusingcertificates
l Validationofallexternaldatathatissenttothesystem
l Encodingofcontenttoavoidinjectionofmaliciouscode
l Useofprotectedmemory
l Encryptionofdata
l Auditlogging
l Useofchecksums
l Isolatedexecutionofexternalcomponents
l EscapingofSQLdata
Threatanalysis
ToensurethattheQlikSensesoftwareissecureandrugged,threatanalysisofthedesignhasbeen
performedaspartofthedevelopmentprocess.Thefollowingthreatareas,oftenabbreviatedasSTRIDE,
havebeencovered:
l Spoofing
l Tampering
l Repudiation
l Informationdisclosure
l Denialofservice
l Elevationofprivilege
Inadditiontothethreatanalyses,exploratorysecuritytestinghasalsobeenperformedontheQlikSense
software.
Appsecurity
ThemajorcomponentsoftheQlikSenseappsecurityare:
97
5 Security
l Accesscontrolsystem:TheaccesscontrolsystemgrantsusersaccesstotheresourcesinQlikSense.
l Datareduction:Thedatareductionfunctionalityisawaytodynamicallychangewhichdataausercan
view.Thismakesitpossibletobuildappsthatcanbeconsumedbymanyusers,butwithdifferent
datasetsthataredynamicallycreatedbasedonuserinformation.Thereductionofdataisperformed
bytheQlikSenseEngineService(QES).
Usingthesecomponents,theresourcesanddata(thatis,thecontent)consumedbytheQlikSenseuserscan
besecured.
5.2 Authentication
AllauthenticationinQlikSenseismanagedbytheQlikSenseProxyService(QPS).TheQPSauthenticates
allusersregardlessofQlikSenseclienttype.ThismeansthattheQPSalsoauthenticatesusersoftheQlik
ManagementConsole(QMC).
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In
addition, the sources of information used for authentication do not have to be the same as for
authorization, and the other way around.
QlikSensealwaysasksanexternalsystemtoverifywhotheuserisandiftheusercanproveit.The
interactionbetweenQlikSenseandtheexternalidentityproviderishandledbyauthenticationmodules.
ForamoduletocommunicatewithQlikSense,ithastobetrusted.TransportLayerSecurity(TLS)and
certificateauthenticationareusedtoauthorizeexternalcomponentsforcommunicationwithQlikSense.
InQlikSense,theauthenticationofauserconsistsofthreedistinctsteps:
1. Authenticationmodule:Gettheuseridentityandcredentials.
2. Authenticationmodule:Requestanexternalsystemtoverifytheuseridentityusingthecredentials.
3. TransfertheusertoQlikSenseusingtheTicketAPI,theSessionAPI,headers,orSAML.
Thefirsttwostepsarealwayshandledbytheauthenticationmodule.Itisuptotheauthenticationmoduleto
verifytheuserinanappropriateway.
Thethirdstepcanbeperformedinthefollowingways:
l UsingtheTicketAPI,whichtransferstheuserandtheuser'spropertiesusingaone-timeticket.
l UsingtheSessionAPI,wherebyanexternalmodulecantransferwebsessionsthatidentifytheuser
andtheuser'spropertiestoQlikSense.
l Usingheaders,withwhichatrustedsystemcantransfertheuserusingHTTPheaders.Thisisa
commonsolutionforintegratingwithSingleSign-On(SSO)systems.
l QlikSensecanbeconfiguredtoallowanonymoususers(using,forexample,SAML).
See also:
p
98
5 Security
Defaultauthenticationmodule
AfteradefaultinstallationofQlikSense,theQlikSenseProxyService(QPS)includesamodulethathandles
authenticationofMicrosoftWindowsusers.ThemodulesupportstheuseofKerberos,NTLM,andbasic
authentication.
The default authentication module requires that the proxy that handles the authentication is part
of the Microsoft Windows domain.
Certificatetrust
QlikSenseusescertificatesforauthentication.Acertificateprovidestrustbetweennodeswithinasite.
ThissectiondescribeshowtodeploycertificatesforuseinQlikSense.
Architecture
CertificatesareusedwithinaQlikSensesitetoauthenticatecommunicationbetweenservicesthatresideon
differentnodes.Inaddition,certificatescanbeusedtobuildatrustdomainbetweenservicesthatarelocated
indifferentdomainsorareas(forexample,internalnetworks,extranets,andInternet)withouthavingtoshare
aMicrosoftActiveDirectory(AD)orotheruserdirectories.
ThearchitectureisbasedonthemasterQlikSenseRepositoryService(QRS)onthecentralnodeactingas
thecertificatemanagerorCertificateAuthority(CA).ThemasterQRScreatesanddistributescertificatesto
allnodeswithinasite.ThemasterQRSisthereforeanimportantpartofthesecuritysolutionandhastobe
managedfromasecurelocationtokeepthecertificatesolutionsecure.
Therootcertificatefortheinstallationisstoredonthecentralnodeinthesite,wherethemasterQRSruns.
AllnodeswithQlikSenseservicesthataretobeusedwithinthesitereceivecertificatessignedwiththeroot
certificatewhenaddedtothemasterQRS.ThemasterQRS(thatis,theCA)issuesdigitalcertificatesthat
containkeysandtheidentityoftheowner.Theprivatekeyisnotmadepubliclyavailableitiskeptsecretby
99
5 Security
thenodes.ThecertificateenablestheservicesinaQlikSensedeploymenttovalidatetheauthenticityofthe
otherservices.ThismeansthatthemasterQRSisresponsibleformakingsurethataservicethatisdeployed
onanodeisaservicewithinthesite.
Afterthenodeshavereceivedcertificates,thecommunicationbetweentheQlikSenseservicesisencrypted
usingTransportLayerSecurity(TLS)encryption.
Requirements
Therequirementsdescribedinthissectionmustbefulfilledforthecertificatetrusttofunctionproperly.
General
WhenusingTransportLayerSecurity(TLS)inMicrosoftWindowsenvironments,theprivatekeymustbe
storedtogetherwiththecertificateintheWindowscertificatestore.Inaddition,theaccountthatisusedto
runtheQlikSenseservicesmusthavepermissiontoaccessthecertificateprivatekey.
Communicationports
Tosetupcertificatetrust,theQlikSenseRepositoryServices(QRSs)requirethattheportslistedinthe
followingtablecanbeopenedandusedforcommunication.Ifanycommunicationpassesthroughanetwork
firewall,theportsinthefirewallmustbeopenedandconfiguredfortheservices.
Port
no.
4570
Description
Certificatepasswordverificationport,onlyusedwithinmulti-nodesitesbyQlikSenseRepository
Services(QRSs)onrimnodestoreceivethepasswordthatunlocksadistributedcertificate.The
portcanonlybeaccessedfromlocalhostanditisclosedimmediatelyafterthecertificatehasbeen
unlocked.Thecommunicationisalwaysunencrypted.
ThisportusesHTTPforcommunication.
100
5 Security
Port
no.
4444
Description
Securitydistributionport,onlyusedbyQlikSenseRepositoryServices(QRSs)onrimnodesto
receiveacertificatefromthemasterQRSonthecentralnode.Thecommunicationisalways
unencrypted,butthetransferredcertificatepackageispassword-protected.
ThisportusesHTTPforcommunication.
Unlockingdistributedcertificates
Whenaddinganewrimnodetoasite,thedistributedcertificateneedstobeunlocked.
See:ManageQlikSensesites
See also:
p
ConfirmingcertificatesusingMicrosoftManagementConsole
CertificatescanbevisuallyconfirmedintheMicrosoftManagementConsole(MMC)withthecertificatesnapinadded.
Ifthecertificateshavebeenproperlydeployed,theyareavailableinthelocationslistedinthetable.
Certificate
Location
QlikClient
<fullcomputername>CA
<fullcomputername>CA
<computername>
Handlingofcertificateswhenaservicestarts
ThissectiondescribeshowthecertificatesarehandledwhenaQlikSenseservicestarts.
Clientcertificate
ThissectiondescribeshowthemasterQlikSenseRepositoryService(QRS)onthecentralnodeinasite
handlestheclientcertificatewhenaQlikSenseservicestarts.
TheclientcertificateislocatedinthefollowingplaceintheMicrosoftWindowscertificatestore:
101
5 Security
WhenaQlikSenseservicestarts,theQRSsearchesthecertificatestoretoseeifthereareanyQlikSense
certificates.Dependingontheresultsofthesearch,theQRSdoesthefollowing:
l Ifnoclientcertificateisfound,theQRScreatesanewcertificate.
l Ifonlyoneclientcertificateisfound,theQRSchecksifitisvalid.Ifthecertificateisnotvalid,theQRS
deletesthecertificateandcreatesanewone.Inaddition,theQRSlogsthataninvalidcertificatewas
foundanddeleted.
l Ifmorethanoneclientcertificateisfound,theQRSdeletesallcertificatesandcreatesanewone.
Duplicatesarenotallowed.Inaddition,theQRSlogsthenumberofvalidandinvalidcertificatesthat
werefoundanddeleted.
Servercertificate
ThissectiondescribeshowthemasterQlikSenseRepositoryService(QRS)onthecentralnodeinasite
handlestheservercertificatewhenaQlikSenseservicestarts.
TheservercertificateislocatedinthefollowingplaceintheMicrosoftWindowscertificatestore:
Rootcertificate
ThissectiondescribeshowthemasterQlikSenseRepositoryService(QRS)onthecentralnodeinasite
handlestherootcertificatewhenaQlikSenseservicestarts.
TherootcertificateislocatedinthefollowingplacesintheMicrosoftWindowscertificatestore:
102
5 Security
l Ifmorethanonerootcertificateisfound,theQRSlogsafatalerrorthataninvalidrootcertificatewas
found,whichmeansthattheserviceisshutdownandthattheadministratormanuallyhastodelete
anyunwantedcertificates.Inaddition,theQRSlogsinformationonthecertificatesthatareaffected
bythis.
In order not to break any certificate trust between machines, the QRS does not remove any
root certificates. It is up to the administrator to decide on what to do with invalid root
certificates.
See also:
p
Definitionofinvalidcertificate
Thedefinitionofaninvalidcertificateisasfollows:
l Theoperatingsystemconsidersthecertificatetobetoooldorthecertificatechainisincorrector
incomplete.
l TheQlikSensecertificateextension(OID1.3.6.1.5.5.7.13.3)ismissingordoesnotreflectthe
locationofthecertificate:
l CurrentUser/Personalcertificatelocation:Client
l LocalMachine/Personalcertificatelocation:Server
l LocalMachine/TrustedRootcertificatelocation:Root
l CurrentUser/TrustedRootcertificatelocation:Root
l Theserver,client,androotcertificatesonthecentralnodedonothaveaprivatekeythattheoperating
systemallowsthemtoaccess.
l Theserverandclientcertificatesarenotsignedbytherootcertificateonthemachine.
Maximumnumberoftrustedrootcertificates
WhenaQlikSenseservicestarts,itchecksthenumberoftrustedrootcertificatesonthemachinewhereitis
running.Iftherearemorethat300certificatesonthemachine,warningmessagescontainingthefollowing
informationarelogged:
l Therearetoomanyrootcertificatesfortheservicetotrust.
l TheMicrosoftWindowsoperatingsystemwilltruncatethelistofcertificatesduringtheTransport
LayerSecurity(TLS)handshake.
IftheQlikSenserootcertificate(<host-machine>-CA)thattheQlikSenseclientcertificatebelongstois
deletedfromthelistofcertificatesbecauseofthetruncation,theservicecannotbeauthenticated.
Tomanuallyviewtherootcertificatesonamachine,opentheMicrosoftManagementConsole(MMC)andgo
toCertificates (Local Computer)> Trusted Root Certification Authorities.
Authenticationsolutions
ThissectiondescribesvariousauthenticationsolutionsforQlikSense.
103
5 Security
Ticketsolution
Theticketsolutionissimilartoanormalticket.Theuserreceivesaticketafterhavingbeenverified.Theuser
thenbringsthetickettoQlikSenseand,iftheticketisvalid,isauthenticated.Inordertokeepthetickets
secure,thefollowingrestrictionsapply:
l Aticketisonlyvalidforashortperiodoftime.
l Aticketisonlyvalidonce.
l Aticketisrandomandthereforehardtoguess.
AllcommunicationbetweentheauthenticationmoduleandtheQlikSenseProxyService(QPS)uses
TransportLayerSecurity(TLS)andmustbeauthorizedusingcertificates.
Thefigurebelowshowsatypicalflowforauthenticatingauserwithtickets.
1. TheuseraccessesQlikSense.
2. QlikSenseredirectstheusertotheauthenticationmodule.Theauthenticationmoduleverifiesthe
useridentityandcredentialswithanidentityprovider.
3. Oncethecredentialshavebeenverified,aticketisrequestedfromtheQPS.Additionalproperties
maybesuppliedintherequest.
4. Theauthenticationmodulereceivesaticket.
104
5 Security
5. TheuserisredirectedbacktotheQPSwiththeticket.TheQPSchecksthattheticketisvalidandhas
nottimedout.
6. Aproxysessioniscreatedfortheuser.
7. Theuserisnowauthenticated.
Sessionsolution
ThesessionsolutionallowstheQlikSenseProxyService(QPS)touseasessionfromanexternalsystemto
validatewhotheuseris.
AllcommunicationbetweentheauthenticationmoduleandtheQPSusesTransportLayerSecurity(TLS)
andmustbeauthorizedusingcertificates.
Thefigurebelowshowsatypicalflowforauthenticatingauserusingasessionfromanexternalsystem.
1. Theuseraccessestheidentityprovider,which,forexample,canbeintegratedintoaportal.The
identityprovidergetstheuseridentityandcredentialsandthenverifiesthem.Afterthat,theidentity
providercreatesanewsession.
2. TheidentityproviderregistersthesessiontokenwiththeQlikSensesessionmodule.
3. Theidentityprovidersetsthesessiontokenasasessioncookie.
4. TheuseraccessestheQPStogetcontent(forexample,throughaniframeintheportal).
5. TheQPSvalidatesthesessiontothesessionmodule.
6. Ifthesessionisvalidandhasnotyettimedout,theuserisauthenticated.
105
5 Security
The name of the session cookie used by the authentication module can be configured in the
Qlik Management Console (QMC).
Headersolution
HeaderauthenticationisoftenusedinconjunctionwithaSingleSign-On(SSO)systemthatsuppliesa
reverseproxyorfilterforauthenticatingtheuser.
Thefigurebelowshowsatypicalflowforauthenticatingauserusingheaderauthentication.
1. Theuseraccessesthesystemandauthenticatestothereverseproxy.
2. ThereverseproxyinjectstheusernameintoadefinedHTTPheader.Theheadermustbeincludedin
everyrequesttotheQlikSenseProxyService(QPS).
3. Theuserisauthenticated.
For this solution to be secure, the end-user must not be able to communicate directly with the
QPS but instead be forced to go through the reverse proxy/filter.
The name of the HTTP header used for the user can be configured in the Qlik Management
Console (QMC).
106
5 Security
SAML
SecurityAssertionMarkupLanguage(SAML)isanXML-based,open-standarddataformatforexchanging
authenticationandauthorizationdatabetweenparties(forexample,betweenanidentityprovideranda
serviceprovider).SAMListypicallyusedforwebbrowserSingleSign-On(SSO).
HowSAMLworks
TheSAMLspecificationdefinesthreeroles:
l Principal:Typicallyauser
l IdP:Theidentityprovider
l SP:Theserviceprovider
TheprincipalrequestsaservicefromtheSP,whichrequestsandobtainsanidentityassertionfromtheIdP.
Basedontheassertion,theSPdecideswhetherornottoperformtheservicerequestedbytheprincipal.
SAMLinQlikSense
QlikSensesupportsSAMLV2.0by:
l ImplementinganSPthatcanintegratewithexternalIdPs
l SupportingHTTPRedirectBindingandHTTPPOSTBinding
l SupportingSAMLpropertiesforaccesscontrolofresourcesanddata
Anonymoususers
IfanonymoususeofQlikSenseisallowed,userswhoarenotauthenticatedarenotautomaticallyredirected
toanauthenticationmodule.Instead,theuserfirstgetsanonymousaccessandisthen,iftheuserchoosesto
signin,redirectedtotheauthenticationmoduletosupplyuseridentityandcredentials.
5.3 Authorization
Authorizationistheprocedureofgrantingordenyingusersaccesstoresources.
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In
addition, the sources of information used for authentication do not have to be the same as for
authorization, and the other way around.
InQlikSense,therearetwoauthorizationsystems:
l Accesscontrol:TheaccesscontrolsystemgrantsusersaccesstotheresourcesinQlikSense.The
accesscontrolsystemisimplementedintheQlikSenseRepositoryService(QRS)andindependent
oftheoperatingsystem.
l Datareduction:Thedatareductionfunctionalityisawaytodynamicallychangewhichdataausercan
view.Thismakesitpossibletobuildappsthatcanbeconsumedbymanyusers,butwithdifferent
datasetsthataredynamicallycreatedbasedonuserinformation.Thereductionofdataisperformed
bytheQlikSenseEngineService(QES).
Thetwoauthorizationsystemsareunconnectedandconfiguredseparately.
107
5 Security
Accesscontrol
Thissectiondescribesthedifferenttypesofaccesscontrol:
l Resourceaccesscontrol:Istheuserallowedtoaccesstheapp?Whichfunctionsintheappistheuser
allowedtouse(forexample,printing,exporting,andsnapshots)?
l Administratoraccesscontrol:Whichaccessrightsareneededforthedifferentrolesand
responsibilitiesoftheadministrators?
Resourceaccesscontrol
TheresourceaccesscontrolsysteminQlikSenseisbasedonproperties.Thismeansthattheaccessis
basedonrulesthatrefertopropertiesconnectedtoresourcesandusersinQlikSense.
AllauthorizationtoresourcesisenforcedbytheQlikSenseRepositoryService(QRS).TheQRSonlygives
otherQlikSenseservicesaccesstoresourcesthatthecurrentuserisallowedtoaccess.
Theresourceaccesscontrolsystemdeterminestheaccessbasedonthefollowingparameters:
l Usernameanduserproperties:TheusernameanduserpropertiesaresuppliedbytheQlikSense
ProxyService(QPS)thatauthenticatedtheuser.
l Action:Themethodthattheuseristryingtoperformonaresource(forexample,create,read,or
print).
l Resource:Theentitythattheuseristryingtoperformanactionon(forexample,app,sheet,or
object).
l Environment:TheenvironmentissuppliedbytheQPSanddescribes,forexample,time,location,
protection,andthetypeofQlikSenseclientused.
Rules
Thesystemadministratorcansetuprulesfortheresourcesaccesscontrol.Therulesaredividedintothree
parts:
l Resourcefilter:Theresourcesthattheruleappliesto.
l Condition:Alogicalconditionthat,ifevaluatedastrue,grantsaccess.
l Action:Theactionthattheuserisallowedtoperform,iftheconditionistrue.
Propertiesconnectedtoresourcesorusersmaybeusedintherules.Examplesofpropertiesincludethe
nameofuserorresource,typeofresource,andActiveDirectorygroupsforusersorcustom-defined
properties.
108
5 Security
Streams
TomakethemanagementoftheQlikSenseauthorizationsystemsefficient,appscanbegroupedinto
streams.Fromanauthorizationperspective,astreamisagroupingofappsthatagroupofusershasread
(oftenreferredtoassubscription)orpublishaccessto.
Bydefault,QlikSenseincludesthefollowingstreams:
l Everyone:Allusershavereadandpublishrightstothisstream.
l Monitoringapps:ContainsanumberofappsformonitoringofQlikSense.
StreamsarecreatedandmanagedintheQlikManagementConsole(QMC).
109
5 Security
Administratoraccesscontrol
Inadditiontosettinguptheaccesscontrolfortheusers,itisimportanttoconfiguretheaccesscontrolforthe
administratorssothattheygetaccessrightsintheQlikManagementConsole(QMC)thatcorrespondtotheir
rolesandresponsibilities.
Commonadministratorrolesinclude:
l RootAdmin:FullaccesstoallQlikSenseresources.
l AuditAdmin:Readaccesstoallresources.
l ContentAdmin:Fullaccesstoallresourcesexceptnodes,engines,repositories,schedulers,and
syncs.
l DeploymentAdmin:Fullaccesstoapps,tasks,licenses,nodes,repositories,schedulers,proxies,
virtualproxies,andengines.
l SecurityAdmin:SameasContentAdmin,butwithfullaccesstoproxiesandvirtualproxiesandno
accesstotasks.
Datareduction
Datareductionisusedtodeterminewhichdataauserisallowedtosee:allofitorjustpartsofit?
Thedatareductionfunctionalityisawaytodynamicallychangewhichdataausercanview.Thismakesit
possibletobuildappsthatcanbeconsumedbymanyusers,butwithdifferentdatasetsthataredynamically
createdbasedonuserinformation.ThereductionofdataisperformedbytheQlikSenseEngineService
(QES).
Thedefinitionofaccessrightsforsectionaccessismaintainedintheappsandconfiguredthroughtheload
script.
110
5 Security
5.4 Securitysummary
ThissectionprovidesasummaryoftheQlikSensesecuritysystem.
Authentication
QlikSensesupportsauthenticationinthefollowingways:
l TheusersareauthenticatedbytheQlikSenseProxyService(QPS).
l TheQPSsupportstheuseofmultipleproxiesandeachproxycanusemultipleauthentication
methodsoveranetworkprotectedbyTransportLayerSecurity(TLS).
Authorization
QlikSensesupportsauthorizationinthefollowingways:
l Inter-servercommunicationisauthorizedthroughTransportLayerSecurity(TLS)usingcertificatesfor
authentication.
l TheQlikSenseRepositoryService(QRS)providesproperty-basedaccesscontrolofusercontent.
l Authorizationtodataismanagedusingsectionaccess.
Auditing
QlikSensesupportsauditinginthefollowingways:
l Therepositorydatabasestoresinformationaboutwhenthedatabasewaslastchangedandwho
madethechange.
l Theloggingframeworkprovidesauditandsecuritylogs.
l Thelogsarecentrallystored.
l ThelogformatisresistanttoinjectionfromtheQlikSenseclients.
l Thelicenselogsaresignedwithasignaturetoprotectthemfromtampering.
Confidentiality
QlikSensesupportsconfidentialityinthefollowingways:
l ThenetworkusesTransportLayerSecurity(TLS)forencryptionandcertificatesforauthentication.
l Thelocallystoredinformationonanode,includingQlikSensecontent,isprotectedbytheoperating
systemusingserveraccesscontrolandfilesystemcontrols.
l TheprocessmemoryandloadeddataforQlikSenseareprotectedbythephysicalserverandthe
operatingsystemcontrols.
l Theappsaresecuredusingaccesscontrolontheresourcelevel.
l Sensitiveinformation(forexample,passwordsandconnectionstrings)thatisusedtoaccessexternal
datasourcesisstoredwithencryption.
l Theappdataisprotectedusingdatareduction.
111
5 Security
Integrity
QlikSensesupportsintegrityinthefollowingways:
l Storeddataisprotectedusingtheoperatingsystemcontrols(forexample,thefilesystem).
l Sensitiveinformation(forexample,passwordsandconnectionstrings)thatisusedtoaccessexternal
datasourcesisstoredwithencryption.
l QlikSensedoesnotsupportwritebacktothesourcesystem(thatis,theQlikSenseclientscannot
editthedatasources).
Availability
QlikSensesupportsavailabilityinthefollowingways:
l Thenodesinamulti-nodesiteareresilientbydesign.Eachnodehasalocalcopyofthedatathatit
needstofulfillitsrole,whichmeansthatthenodecanoperateindependentlyintheeventofaserver
ornetworkfailure.
l TheQlikSenseprotocolsaredesignedtobefaulttolerant.
l QlikSensesupportsloadsharingandfailoverbetweenservers.
Securityexample:Openinganapp
ThefigurebelowshowstheflowintheQlikSensesecuritysystemwhenauserlogsinandopensanapp.
112
5 Security
1. Authentication:TheauthenticationmoduleintheQlikSenseProxyService(QPS)handlesthe
authentication.Thecredentialsprovidedbytheuserareverifiedagainstinformationfromtheidentity
provider(forexample,adirectoryservicesuchasMicrosoftActiveDirectory).
2. Sessioncreation:Whentheusercredentialshavebeensuccessfullyverifiedbytheauthentication
module,asessioniscreatedfortheuserbythesessionmoduleintheQPS.
3. Accesscontrolsystem:Whentheusertriestoopenanapp,theQlikSenseEngineService(QES)
requeststheQlikSenseRepositoryService(QRS)tocheckiftheuserisauthorizedtoperformthe
action.TheQRSthencheckstherepositorydatabase,where,amongotherthings,allusersand
accessrightsarestored.
TheusersareimportedintotherepositorydatabasefromoneormoreUserDirectories(UDs)(for
example,MicrosoftActiveDirectory)usingQlikSenseUserDirectoryConnectors(UDCs).Theimport
istriggeredbytheQlikSenseSchedulerService(QSS)andtheintervalsin-betweenimportscanbe
scheduled.
4. Dynamicdatareduction:WhentheuserhasbeensuccessfullyauthorizedbytheQRS,theappis
opened.Beforethedataisdisplayedtotheuser,theQESperformsadynamicdatareduction,where
thedatathattheuserisallowedtoseeisprepared.
See also:
p
113
6 Logging
Logging
ThelogmessagesproducedbyQlikSenseprovideimportantinformationthatcanbeusedtodetectsecurity
incidents,operationalproblems,andpolicyviolations.
Theloggingisbasedonthelog4netcomponentinApacheLoggingServices.ThismeansthatQlikSense
usesastandardizedloggingframeworkandconformstostandardloggingprocedures.
6.1 Newloggingframework
AnewloggingframeworkwasintroducedinQlikSenseversion2.0.Unlessotherwisestated,the
documentationdescribesthenewloggingframework.
6.2 Legacyloggingframework
ThelegacyloggingframeworkisstillavailableinQlikSense,butthelogsareasofQlikSenseversion2.0
referredtoastracelogs.Thelogfilesremainthesame,buttheyarestoredinanewlocation.
See:Trace logs (page 130)
6.3 ReadingandanalyzinglogfilesinQlikSense
ThelogfilescanbereadandanalyzedusingQlikSense,whichincludesthefollowingpre-defined,log-related
dataconnectionsafterinstallation:
l ServerLogFolder:Linkstotheactivelogfiles.
l ArchivedLogsFolder:Linkstothearchivedlogfiles.
ThedataconnectionscanbeeditedintheQlikManagementConsole(QMC).
Inaddition,userswithroot,security,content,ordeploymentadministratorrightscanusetheQlikSenselog
datainappsbyselectingoneofthedataconnectionslistedaboveinthedataloadeditor.
See also:
ApacheLoggingServices
6.4 Requirements
TherequirementsdescribedinthissectionmustbefulfilledfortheQlikSenseloggingtofunctionproperly.
Securingthefilesystem
Thesystemadministratormustsecurethefilesystemsothatthelogfilescannotbetamperedwith.
114
6 Logging
By default, the account used for the Qlik Sense installation gets full permissions for the log
folder, %ProgramData%\Qlik\Sense\Log, whereas the Users group only gets read permission.
No other accounts or users get any permissions for the log folder.
Synchronizingtime
ThenodeswithinaQlikSensesitemusthavesynchronizedtime.
Forthedateandtimestampstobecorrect,allnodeswithinasitemustbeconfiguredtosynchronizetheir
systemclockswitheitheraninternaloranexternalNetworkTimeProtocol(NTP)servicetoensurethatalllog
entriesaretime-stampedaccurately.NTPisanetworkingprotocolforsynchronizingtheclocksofcomputer
systemsoverpacket-switched,variable-latencydatanetworks.
Settingtimezone
ItisrecommendedthateverynodewithinaQlikSensesiteissettothecorrecttimezonesothatthetime
zonecorrespondstothegeographicallocationofthenode.
6.5 Storage
Thedefaultlogfilesarestoredinfoldersunder%ProgramData%\Qlik\Sense\Log.Thelocallog
configurationfilecanbeusedtosetuptheloggingsothatthelogfilesarealsostoredinanotherlocation.
Logfolder
Thefollowingtabledescribesthecontentsofthe%ProgramData%\Qlik\Sense\Logfolder.
Folder
Subfolder
Files
Description
\AppMigration
Thisfoldercontainslogfilesrelatedtothe
MigrationService.
\BrokerService
ThisfoldercontainslogfilesrelatedtotheBroker
Service.
\DataProfiling
ThisfoldercontainslogfilesrelatedtotheData
ProfilingService.
\Engine
<MachineName>_
Thisisatemporarylogfilethatisusedbythethe
QlikSenseEngineService(QES)untilthelogpipe
totheQlikSenseRepositoryService(QRS)isup
andrunning.
Exit_Engine_
<Date>.txt
Thislogfileisnotarchived.
115
6 Logging
Folder
Subfolder
Files
Description
<MachineName>_
Thisisatemporarylogfilethatisusedbythethe
QlikSenseEngineService(QES)untilthelogpipe
totheQlikSenseRepositoryService(QRS)isup
andrunning.
Start_Engine_
<Date>.txt
Thislogfileisnotarchived.
\Audit
<MachineName>_
Thislogtracksuser-relatedactions.
AuditActivity_
<Service>.txt
<MachineName>_
AuditSecurity_
Thislogcontainsinformationonsecurity-related
actions.
<Service>.txt
\System
<MachineName>_
Service_
Thislogcontainsinformationonserviceand
systemoperations,includingallerrors.
<Service>.txt
\Trace
<MachineName>_
<Facility>_
<Service>.txt
Thetracelogfilesarestoredinthisfolder.
See:Trace logs (page 130)
\HubService
ThisfoldercontainslogfilesrelatedtotheHub
Service.
\Printing
\Audit
<MachineName>_
Thislogtracksuser-relatedactions.
AuditActivity_
<Service>.txt
<MachineName>_
AuditSecurity_
Thislogcontainsinformationonsecurity-related
actions.
<Service>.txt
\System
<MachineName>_
Service_
Thislogcontainsinformationonserviceand
systemoperations,includingallerrors.
<Service>.txt
\Trace
<MachineName>_
<Facility>_
<Service>.txt
\Proxy
\Audit
<MachineName>_
Thetracelogfilesarestoredinthisfolder.
See:Trace logs (page 130)
Thislogtracksuser-relatedactions.
AuditActivity_
<Service>.txt
116
6 Logging
Folder
Subfolder
Files
Description
<MachineName>_
Thislogcontainsinformationonsecurity-related
actions.
AuditSecurity_
<Service>.txt
\System
<MachineName>_
Service_
Thislogcontainsinformationonserviceand
systemoperations,includingallerrors.
<Service>.txt
\Trace
<MachineName>_
<Facility>_
<Service>.txt
Thetracelogfilesarestoredinthisfolder.
See:Trace logs (page 130)
\QlikSenseCharts
ThisfoldercontainslogfilesrelatedtotheChart
SharingService.
\Repository
\Audit
<MachineName>_
Thislogtracksuser-relatedactions.
AuditActivity_
<Service>.txt
<MachineName>_
AuditSecurity_
Thislogcontainsinformationonsecurity-related
actions.
<Service>.txt
\System
<MachineName>_
Service_
Thislogcontainsinformationonserviceand
systemoperations,includingallerrors.
<Service>.txt
\Trace
<MachineName>_
<Facility>_
<Service>.txt
\Scheduler
\Audit
<MachineName>_
Thetracelogfilesarestoredinthisfolder.
See:Trace logs (page 130)
Thislogtracksuser-relatedactions.
AuditActivity_
<Service>.txt
<MachineName>_
AuditSecurity_
Thislogcontainsinformationonsecurity-related
actions.
<Service>.txt
\System
<MachineName>_
Service_
Thislogcontainsinformationonserviceand
systemoperations,includingallerrors.
<Service>.txt
\Trace
<MachineName>_
<Facility>_
<Service>.txt
\Script
Thetracelogfilesarestoredinthisfolder.
See:Trace logs (page 130)
Thisfoldercontainslogfilesrelatedtoappreloads.
117
6 Logging
Archivedlogfiles
Archivedlogfilesarebydefaultstoredin%ProgramData%\Qlik\Sense\Repository\Archived Logsonthe
centralnodeintheQlikSensesite.Archivedlogfileshavethefileextension.log,whereasactivelogfiles
havetheextension.txt.
See also:
p
6.6 Naming
TheQlikSenselogfilesarenamedinaccordancetothefollowingfilerolloverprocedure:
1. Thelogisstoredinafilenamed<MachineName>_<LogType>_<Service>.txt.
2. Whenthefileisfullorapre-definedamountoftimehaspassed,thefileextensionisautomatically
changedto.logandatimestampisappendedtothefilenameforuniquenessandarchiving.This
meansthatthenewfilenamebecomes<MachineName>_<LogType>_<Service>_<YYYY-MM-
DDTHH.mm.ss>Z.log.Thefileisthenmovedtotherepositorydatabaseonthecentralnodebythe
QlikSenseRepositoryService(QRS)andarchived.
3. Anewlogfile,named<MachineName>_<LogType>_<Service>.txt,iscreated.
If the .log file is deleted before being copied to the repository database on the central node, the
file is lost and cannot be recreated.
Theformatofthefilenameisasfollows:
l <MachineName>=Nameoftheserverwherethelogwascreated.
l <LogType>=Thetypeofeventsthatarecoveredbythelog.
l <Service>=Theservicethatthelogoriginatesfrom(forexample,ProxyorRepository).
l <YYYY-MM-DDTHH.mm.ss>Z=Timestampforwhenthelogfilewasclosedfornewentries,
where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter,timedesignator
l HH:Hour
l mm:Minutes
l ss:Seconds
l Z:UTCdesignator,indicatesthatthetimestampisinUTCformat
118
6 Logging
6.7 Rows
Thefirstrowofeachlogfilecontainsaheaderthat,inturn,containsthenamesofallfields,separatedby
tabs.
EachlogentryisonerowandthecharacterslistedinthefollowingtablearereplacedwithUnicode
characters.
Character
Unicode replacement
Description
\t
\u21d4
Symbolforhorizontaltabulation,HT.
\n
\u2193
Symbolforlinefeed,LF.
\f
\u2192
Symbolforformfeed,FF.
\r
\u21b5
Symbolforcarriagereturn,CR.
6.8 Fields
ThissectiondescribesthefieldsintheQlikSenselogfiles.
Auditactivitylog
Thefollowingtableliststhefieldsintheauditactivitylog,<MachineName>_AuditActivity_<Service>.txt.
The Audit activity log does not include a Severity field. This is because all rows in the log have
the same log level.
Field
Format
Description
Sequence#
Int
1-2147483647bydefault,butcanbeconfiguredusingcustomlogging
asdescribedinAppenders (page 143).Eachrowinthelogstartswitha
sequencenumberthatisusedtoensurethatthelogisnottampered
with(thatis,thatnorowsareinsertedordeleted).Thesequence
numberwrapsa)whenthelastsequencenumberisreached,orb)when
thelogging,forsomereason,isrestartedwithoutthelastsequence
numberbeingreached.
ProductVersion
String
TheversionnumberoftheQlikSenseservice(forexample,1.2.1.3).
119
6 Logging
Field
Format
Description
Timestamp
ISO
8601
TimestampinISO8601format,YYYYMMDDThhmmss.fffK,where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter
l hh:Hour
l mm:Minutes
l ss:Seconds
l fff:Milliseconds
l K:Timezoneoffset
Forexample,20110805T145657.000+0200meansyear2011,month8,
day5at14:56:57GMT+2.
Hostname
String
Thenameoftheserver.
Id
String
Auniqueidentifierofthelogentry(addedbyLog4net).
Description
String
Ahuman-readablemessagethatsummarizestheactioninthesystem.
Format:
Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description,Success,orErrormessage>
ProxySessionId
String
TheIDoftheproxysession.
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
ProxyPackageId
String
AuniqueIDofeachHTTP(S)packagethatpassesthroughtheQlik
SenseProxyService(QPS).
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
120
6 Logging
Field
Format
Description
RequestSequenceId
String
ThecombinationofRequestSequenceIdandProxyPackageIdisunique
foreveryrowinalogfileandcreatesthetimelinefortheproxysession.
Thecombinationalsoformsaprimarykeyinthelogfile.
TheinitialRequestSequenceIdisaninteger.Subrequestsarelinkedto
theinitialrequestbyaddingadotandanIDforthesubrequest:
l Initialrequest:RequestSequenceId=1
l Subrequest1basedontheinitialrequest:
RequestSequenceId=1.0
l Subrequest2basedontheinitialrequest:
RequestSequenceId=1.1
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQlikSenseEngineService(QES)
UserDirectory
String
TheuserdirectorylinkedtotheloggedinQlikSenseuser.
UserId
String
TheQlikSenseuserthatinitiatedthecommand.
System=Internalsystemcommand
ObjectId
String
TheinternalIDoftheobject.Usedtolinksystemactionstouseractions.
0=CannotgettheIDoftheobject
InsomecasestheObjectIdfieldcontainsmultipleIDs,separatedbythe
"|"(pipe)sign.
121
6 Logging
Field
Format
Description
ObjectName
String
Thehuman-readablenameoftheobject.TheObjectNameislinkedto
theObjectId.
Notavailable=CannotlinktheObjectNametotheObjectIdorthe
ObjectIdismissing
InsomecasestheObjectNamefieldcontainsmultiplenames.
String
TheQlikSenseserviceontheserverthathoststheprocess.
Origin
String
Theoriginoftherequest:
l AppAccess
l ManagementAccess
l Notavailable
Context
String
Thecontextofthecommand.
ThecontextcanbeaURLthatislinkedtothecommandorashort
versionofthemodulepathlinkedtothecommand.
Command
String
Thecorenameoftheusecaseorsystemcommand.
Result
String
Returncode:
l 0,200-226:Success
l Anyothernumber:Error
Message
String
Textthatdescribesthelogentry.Iftherequestissuccessful,thisfield
contains"success".
Id2
String
Auniquerowidentifier(thechecksumisaddedbyLog4Net).
122
6 Logging
Auditsecuritylog
Thefollowingtableliststhefieldsintheauditsecuritylog,<MachineName>_AuditSecurity_<Service>.txt.
This log is not available for the Qlik Sense Engine Service (QES).
The Audit security log does not include a Severity field. This is because all rows in the log have
the same log level.
Field
Format
Description
Sequence#
Int
1-2147483647bydefault,butcanbeconfiguredusingcustomlogging
asdescribedinAppenders (page 143).Eachrowinthelogstartswitha
sequencenumberthatisusedtoensurethatthelogisnottampered
with(thatis,thatnorowsareinsertedordeleted).Thesequence
numberwrapsa)whenthelastsequencenumberisreached,orb)when
thelogging,forsomereason,isrestartedwithoutthelastsequence
numberbeingreached.
ProductVersion
String
TheversionnumberoftheQlikSenseservice(forexample,1.2.1.3).
Timestamp
ISO
8601
TimestampinISO8601format,YYYYMMDDThhmmss.fffK,where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter
l hh:Hour
l mm:Minutes
l ss:Seconds
l fff:Milliseconds
l K:Timezoneoffset
Forexample,20110805T145657.000+0200meansyear2011,month8,
day5at14:56:57GMT+2.
HostName
String
Thenameoftheserver.
Id
GUID
Auniqueidentifierofthelogentry(addedbyLog4net).
Description
String
Ahuman-readablemessagethatsummarizestheactioninthesystem.
Format:
Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description,Success,orErrormessage>
123
6 Logging
Field
Format
Description
ProxySessionId
String
TheIDoftheproxysession.
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
ProxyPackageId
String
AuniqueIDofeachHTTP(S)packagethatpassesthroughtheQlik
SenseProxyService(QPS).
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
RequestSequenceId
String
ThecombinationofRequestSequenceIdandProxyPackageIdisunique
foreveryrowinalogfileandcreatesthetimelinefortheproxysession.
Thecombinationalsoformsaprimarykeyinthelogfile.
TheinitialRequestSequenceIdisaninteger.Subrequestsarelinkedto
theinitialrequestbyaddingadotandanIDforthesubrequest:
l Initialrequest:RequestSequenceId=1
l Subrequest1basedontheinitialrequest:
RequestSequenceId=1.0
l Subrequest2basedontheinitialrequest:
RequestSequenceId=1.1
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQlikSenseEngineService(QES)
UserDirectory
String
TheuserdirectorylinkedtotheloggedinQlikSenseuser.
System=Internalsystemcommand
UserId
String
TheQlikSenseuserthatinitiatedthecommand.
System=Internalsystemcommand
124
6 Logging
Field
Format
Description
ObjectId
String
TheinternalIDoftheobject.Usedtolinksystemactionstouseractions.
0=CannotgettheIDoftheobject
InsomecasestheObjectIdfieldcontainsmultipleIDs,separatedbythe
"|"(pipe)sign.
String
Thehuman-readablenameoftheobject.TheObjectNameislinkedto
theObjectId.
Notavailable=CannotlinktheObjectNametotheObjectIdorthe
ObjectIdismissing
InsomecasestheObjectNamefieldcontainsmultiplenames.
String
Acategorizationofthesecurity-relatedinformation:
l Security:Accesstoresources,authentication,authorization
l License:Licenseaccess,licenseusage,licenseallocation
l Certificate:Certificate-relatedinformation
ClientHostAddress
String
Thehostname/IPaddressoftheclient.
125
6 Logging
Field
Format
Description
Service
String
TheQlikSenseserviceontheserverthathoststheprocess.
Origin
String
Theoriginoftherequest:
l AppAccess
l ManagementAccess
l Notavailable
Context
String
Thecontextofthecommand.
ThecontextcanbeaURLthatislinkedtothecommandorashort
versionofthemodulepathlinkedtothecommand.
Command
String
Thecorenameoftheusecaseorsystemcommand.
Result
String
Returncode:
l 0,200-226:Success
l Anyothernumber:Error
Message
String
Textthatdescribesthelogentry.Iftherequestissuccessful,thisfield
contains"success".
Checksum
ID
Eachrowhasachecksum.Thesecuritylogfilealsoincludesafile
signature.
Servicelog
Thefollowingtableliststhefieldsintheservicelog,<MachineName>_Service_<Service>.txt.
Field
Format
Description
Sequence#
Int
1-2147483647bydefault,butcanbeconfiguredusingcustomlogging
asdescribedinAppenders (page 143).Eachrowinthelogstartswitha
sequencenumberthatisusedtoensurethatthelogisnottampered
with(thatis,thatnorowsareinsertedordeleted).Thesequence
numberwrapsa)whenthelastsequencenumberisreached,orb)when
thelogging,forsomereason,isrestartedwithoutthelastsequence
numberbeingreached.
ProductVersion
String
TheversionnumberoftheQlikSenseservice(forexample,1.2.1.3).
126
6 Logging
Field
Format
Description
Timestamp
ISO
8601
TimestampinISO8601format,YYYYMMDDThhmmss.fffK,where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter
l hh:Hour
l mm:Minutes
l ss:Seconds
l fff:Milliseconds
l K:Timezoneoffset
Forexample,20110805T145657.000+0200meansyear2011,month8,
day5at14:56:57GMT+2.
Severity
String
Rowloglevel,canbeconfiguredusingcustomloggingasdescribedin
Appenders (page 143):
l Debug:Informationusefultodevelopersfordebugging
purposes.Thislevelisnotusefulduringnormaloperationasit
generatesvastamountsoflogginginformation.
l Info:Normaloperationalmessagesthatmaybeharvestedfor
reporting,measuringthroughput,andsoon.Noactionis
required.
l Warn:Notanerrormessage,butanindicationthatanerrorwill
occur,ifnoactionistaken(forexample,thefilesystemis85%
full).
l Error:Messagesregardingunexpectedsituationsanderrorsthat
preventtheserverfromoperatingnormally.
l Fatal:MessagesthattheQlikSenseserviceorapplicationhasto
shutdowninordertopreventdataloss.
HostName
String
Thehostnameoftheserverthatrunstheprocessorexecutesthetask.
Id
GUID
Auniqueidentifierofthelogentry(addedbyLog4net).
Description
String
Ahuman-readablemessagethatsummarizestheactioninthesystem.
Format:
Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description,Success,orErrormessage>
127
6 Logging
Field
Format
Description
ProxySessionId
String
TheIDoftheproxysession.
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
ProxyPackageId
String
AuniqueIDofeachHTTP(S)packagethatpassesthroughtheQlik
SenseProxyService(QPS).
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQPS
RequestSequenceId
String
ThecombinationofRequestSequenceIdandProxyPackageIdisunique
foreveryrowinalogfileandcreatesthetimelinefortheproxysession.
Thecombinationalsoformsaprimarykeyinthelogfile.
TheinitialRequestSequenceIdisaninteger.Subrequestsarelinkedto
theinitialrequestbyaddingadotandanIDforthesubrequest:
l Initialrequest:RequestSequenceId=1
l Subrequest1basedontheinitialrequest:
RequestSequenceId=1.0
l Subrequest2basedontheinitialrequest:
RequestSequenceId=1.1
0=Internalsystemcommandoracommandthatdoesnotgothrough
theQlikSenseEngineService(QES)
UserDirectory
String
TheuserdirectorylinkedtotheloggedinQlikSenseuser.
System=Internalsystemcommand
UserId
String
TheQlikSenseuserthatinitiatedthecommand.
System=Internalsystemcommand
128
6 Logging
Field
Format
Description
ObjectId
String
TheinternalIDoftheobject.Usedtolinksystemactionstouseractions.
0=CannotgettheIDoftheobject
InsomecasestheObjectIdfieldcontainsmultipleIDs,separatedbythe
"|"(pipe)sign.
String
Thehuman-readablenameoftheobject.TheObjectNameislinkedto
theObjectId.
Notavailable=CannotlinktheObjectNametotheObjectIdorthe
ObjectIdismissing
InsomecasestheObjectNamefieldcontainsmultiplenames.
String
TheQlikSenseserviceontheserverthathoststheprocess.
Origin
String
Theoriginoftherequest:
l AppAccess
l ManagementAccess
l Notavailable
129
6 Logging
Field
Format
Description
Context
String
Thecontextofthecommand.
ThecontextcanbeInternalSystemcommandorUserActivity
command(basedonURLforthecommand).
Command
String
Thecorenameoftheusecaseorsystemcommand.
Result
Int
Returncode:
l 0,200-226:Success
l Anyothernumber:Error
Message
String
Textthatdescribesthelogentry.Iftherequestissuccessful,thisfield
contains"success".
Id2
String
Auniquerowidentifier(thechecksumisaddedbyLog4Net).
QlikSenseEngineServicelogfields
ThefollowingtableliststhefieldsthatareuniquefortheQlikSenseEngineService(QES)logs.
Field
Format
Description
EngineTimestamp
ISO
8601
ThedateandtimewhentheQESwrotethelogmessagetofile.
TimestampinISO8601format,YYYYMMDDThhmmss.fffK,where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter
l hh:Hour
l mm:Minutes
l ss:Seconds
l fff:Milliseconds
l K:Timezoneoffset
Forexample,20110805T145657.000+0200meansyear2011,month8,
day5at14:56:57GMT+2.
EngineVersion
String
TheversionnumberoftheQESthatexecutedtherequest.
6.9 Tracelogs
ThelegacyloggingframeworkisstillavailableinQlikSense,butthelogsareasofQlikSenseversion2.0
referredtoastracelogs.Thelogfilesremainthesame,buttheyarestoredinanewlocation.
130
6 Logging
Storage
Thetracelogfilesarestoredinthe%ProgramData%\Qlik\Sense\Log\<Service>\Tracefolder.
Naming
Thetracelogfilesarenamedinaccordancetothefollowingfilerolloverprocedure:
1. Thelogisstoredinafilenamed<MachineName>_<Facility>_<Service>.txt.
2. Whenthefileisfullorapre-definedamountoftimehaspassed,thefileextensionisautomatically
changedto.logandatimestampisappendedtothefilenameforuniquenessandarchiving.This
meansthatthenewfilenamebecomes<MachineName>_<Facility>_<Service>_<YYYY-MM-
DDTHH.mm.ss>Z.log.Thefileisthenmovedtotherepositorydatabaseonthecentralnodebythe
QlikSenseRepositoryService(QRS)andarchived.
3. Anewlogfile,named<MachineName>_<Facility>_<Service>.txt,iscreated.
If the .log file is deleted before being copied to the repository database on the central node, the
file is lost and cannot be recreated.
Theformatofthefilenameisasfollows:
l <Machine>=Nameoftheserverwherethelogwascreated.
l <Facility>=Thetypeofeventsthatarecoveredbythelog.
See:Logger (page 134)
l <Service>=Theservicethatthelogoriginatesfrom(forexample,ProxyorRepository).
l <YYYY-MM-DDTHH.mm.ss>Z=Timestampforwhenthelogfilewasclosedfornewentries,
where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter,timedesignator
l HH:Hour
l mm:Minutes
l ss:Seconds
l Z:UTCdesignator,indicatesthatthetimestampisinUTCformat
See also:
p
131
6 Logging
Rows
Thefirstrowofeachlogfilecontainsaheaderthat,inturn,containsthenamesofallfields,separatedby
tabs.
EachlogentryisonerowandthecharacterslistedinthefollowingtablearereplacedwithUnicode
characters.
Character
Unicode replacement
Description
\t
\u21d4
Symbolforhorizontaltabulation,HT.
\n
\u2193
Symbolforlinefeed,LF.
\f
\u2192
Symbolforformfeed,FF.
\r
\u21b5
Symbolforcarriagereturn,CR.
Fields
Thissectiondescribesthefieldsinthetracelogfiles.
Commonfields
Thefollowingtableliststhefields(inorderofappearance)includedinalltracelogfiles.
Field
Description
Sequence#
1-2147483647bydefault,butcanbeconfiguredusingcustomloggingasdescribedin
Appenders (page 143).Eachrowinthelogstartswithasequencenumberthatisused
toensurethatthelogisnottamperedwith(thatis,thatnorowsareinsertedordeleted).
Thesequencenumberwrapseitherwhenthelastsequencenumberisreachedorwhen
thelogging,forsomereason,isrestartedwithoutthelastsequencenumberbeing
reached.
Timestamp
TimestampinISO8601format,YYYYMMDDThhmmss.fffK,where:
l YYYY:Year
l MM:Month
l DD:Dayinmonth
l T:Delimiter
l hh:Hour
l mm:Minutes
l ss:Seconds
l fff:Milliseconds
l K:Timezoneoffset
Forexample,20110805T145657.000+0200meansyear2011,month8,day5at
14:56:57GMT+2.
132
6 Logging
Field
Description
Level
Rowloglevel,canbeconfiguredusingcustomloggingasdescribedinAppenders (page
143):
l Debug:Informationusefultodevelopersfordebuggingpurposes.Thislevelis
notusefulduringnormaloperationsinceitgeneratesvastamountsoflogging
information.
l Info:Normaloperationalmessagesthatmaybeharvestedforreporting,
measuringthroughput,andsoon.Noactionrequired.
l Warn:Notanerrormessage,butanindicationthatanerrormayoccur,ifno
actionistaken(forexample,thefilesystemis85%full).Eachitemmustbe
resolvedwithinagiventime.
l Error:Non-urgentfailuresthatarerelayedtodevelopersoradministrators.Each
itemmustberesolvedwithinagiventime.
l Fatal:Indicatesafailureinaprimarysystem(forexample,lossofprimaryISP
connection)andmustbecorrectedimmediately.
l Off:Nologs,exceptforlicenselogs,areproduced.
Hostname
Servername.
133
6 Logging
Field
Description
Logger
Thread
ThreadnameorManagedThreadID(ifavailable).
Id
GloballyUniqueIdentifier(GUID)forthelogmessage.
ServiceUser
NameoftheuseroraccountusedbytheQlikSenseservice.
Message
Logmessage.
134
6 Logging
Field
Description
Exception
Exceptionmessage.
AtracetotheplaceinQlikSensewheretheexceptionoccurred.
TheIDoftheproxysessionfortheuser.
ThelastfieldinalogentryeithercontainsanId2oraChecksum:
l Id2:LogmessageGUID(sameasIddescribedearlier).Thisisthenormalvalue.
l Checksum:Toprotectlogsthatcontainsensitiveinformation(forexample,
audit,security,andlicenselogs)fromtampering,thelastfieldinsuchlogentries
containsacryptographichashoftheentirerowuptothehashitself.
See also:
p
Additionalfields
Thecommonfieldsarepresentinalltracelogfiles.Sometracelogscontainadditionalfields,whicharelisted
inthissection.Inaddition,optionalfieldscanbedefined.
Applicationlog
Qlik Sense Repository Service (QRS)
ThefollowingfieldsarespecifictotheApplicationlogfortheQRS:
l Application:Thenameoftheapplication(ifthereisanametoassociatewiththelogentry).
See also:
p
135
6 Logging
Auditlog
Qlik Sense Repository Service (QRS)
ThefollowingfieldsarespecifictotheAuditlogfortheQRS:
l Action:Theactionthattheuserperformed(add,update,delete,export).
l ActiveUserDirectory:Theuserdirectoryfortheuser.
l ActiveUserId:TheIDoftheuser.
l ResourceId:TheIDoftheresourceonwhichtheuserperformedtheaction.
See also:
p
136
6 Logging
Licenselog
Qlik Sense Repository Service (QRS)
ThefollowingfieldsarespecifictotheLicenselogfortheQRS:
l AccessTypeId:TheIDoftheaccesstypeentity.
l AccessType:Thenameoftheaccesstype(LoginAccessorUserAccess).
l Operation:Theoperationthatwasperformed(Add,Update,Delete,UsageGranted,UsageDenied,
Available,Timedout,orUnquarantined).
l UserName:Thenameoftheuser(who,forexample,usesanaccesspass).
l UserId:TheIDoftheuserinQlikSense.
See also:
p
Performancelog
Qlik Sense Repository Service (QRS)
ThefollowingfieldsarespecifictothePerformancelogfortheQRS:
l Tracenumber:AuniqueIDforthecalltotheQRSRESTAPI.
l Httpmethod:TheHTTPmethodthatwasused(Get,Put,Post,orDelete).
l Url:TheURLthatwasused.
l Resourcetype:Thetypeofresource.
l Method:Thebackendcodethatwascalled.
l Elapsedmilliseconds:Thetime(inmilliseconds)tocompletethecalltotheQRSRESTAPI.
137
6 Logging
l ActiveStreams:Thenumberofactivedatastreams(thatis,sockets),eitherfromthebrowsertothe
QPSorfromtheQPStotheQRSortheQES.
l ActiveSessions:ThenumberofactivesessionsintheQPS.
AQlikSenseusergetsaproxysessionwhentheuserhasbeenauthenticated.Thesessionis
terminatedafteracertainperiodofinactivity.
l LoadBalancingDecisions:Thenumberofuserswhocurrentlyhaveatleastoneenginesession.
l PrintingLoadBalancingDecisions:ThenumberofuserswhohavebeenloadbalancedtotheQlik
SensePrintingService(QPR).
l Tickets:Thenumberofissuedloginticketsthathavenotyetbeenconsumed.
l ActiveClientWebsockets:ThenumberofactiveWebSocketsbetweentheclientandtheQPS.
l ActiveEngineWebsockets:ThenumberofactiveWebSocketsbetweentheQPSandthetargetQlik
Senseservice.
The logging entries are also available as metrics; see Metrics (page 16).
Qlik Sense Engine Service (QES)
Eachentry(thatis,row)inthePerformancelogcorrespondstoasnapshot(thatis,anumberof
measurements)oftheperformanceoftheQESatthegivenpointintime.
ThefollowingfieldsarespecifictothePerformancelogfortheQES:
l ActiveUserDirectory:Theuserdirectoryfortheuser.
l ActiveUserId:TheIDoftheuser.
l EngineTimestamp:ThetimewhentheQESwrotethelogmessagetofile.
l EngineThread:TheIDofthethreadthatwasusedwhentheQESwrotethelogmessagetofile.
l ProcessId:TheIDoftheQESprocessfromwhichthelogmessageoriginates.
l ExeType:Theconfigurationtype(releaseordebugversion)oftheQESprocess.
l ExeVersion:TheversionnumberoftheQESprocess.
l ServerStarted:ThetimewhentheQESstarted.
l EntryType:Thereason(ServerStarting,Normal,orServerShuttingDown)forthelogentryinthe
Performancelog.
l ActiveDocSessions:Thenumberofactiveenginesessionsatthegivenpointintime.
l DocSessions:Thenumberofenginesessionsatthegivenpointintime.
l ActiveAnonymousDocSessions:Thenumberofactiveanonymousenginesessionsatthegivenpoint
intime.
l AnonymousDocSessions:Thenumberofanonymousenginesessionsatthegivenpointintime.
l ActiveTunneledDocSessions:Thenumberofactivetunneledenginesessionsatthegivenpointin
time.
l TunneledDocSessions:Thenumberoftunneledenginesessionsatthegivenpointintime.
l DocSessionStarts:Thenumberofstartedenginesessionssincetheprevioussnapshot.
l ActiveDocs:ThenumberofactiveappsintheQESatthegivenpointintime.
138
6 Logging
l RefDocs:ThenumberofappsintheQESatthegivenpointintime.
l LoadedDocs:ThenumberofloadedappsintheQESatthegivenpointintime.
l DocLoads:ThenumberofapploadsintheQESsincetheprevioussnapshot.
l DocLoadFails:ThenumberoffailedapploadsintheQESsincetheprevioussnapshot.
l Calls:ThenumberofcallstotheQESsincetheprevioussnapshot.
l Selections:ThenumberofselectionsintheQESsincetheprevioussnapshot.
l ActiveIpAddrs:ThenumberofIPaddressesofactiveconnectedclientsintheQESatthegivenpoint
intime.
l IpAddrs:ThenumberofIPaddressesofallconnectedclientsintheQESatthegivenpointintime.
l ActiveUsers:ThenumberofactiveusersintheQESatthegivenpointintime.
l Users:ThetotalnumberofusersintheQESatthegivenpointintime.
l CPULoad:AmeasurementoftheloadontheCPUonwhichtheQESrunsatthegivenpointintime.
l VMCommitted(MB):ThecommittedVirtualMemory(inmegabytes)atthegivenpointintime.
l VMAllocated(MB):TheallocatedVirtualMemory(inmegabytes)atthegivenpointintime.
l VMFree(MB):ThefreedVirtualMemory(inmegabytes)atthegivenpointintime.
l VMLargestFreeBlock(MB):ThelargestfreedVirtualMemoryblock(inmegabytes)atthegivenpoint
intime.
See also:
p
QIXperformancelog
Qlik Sense Engine Service (QES)
ThefollowingfieldsarespecifictotheQIXperformancelogfortheQES:
l ActiveUserDirectory:Theuserdirectoryfortheuser.
l ActiveUserId:TheIDoftheuser.
l EngineTimestamp:ThetimewhentheQESwrotethelogmessagetofile.
l EngineThread:TheIDofthethreadthatwasusedwhentheQESwrotethelogmessagetofile.
l ProcessId:TheIDoftheQESprocessfromwhichthelogmessageoriginates.
l CServerId:TheIDoftheserverinstancethathandledtherequest.
l SessionId:TheIDoftheenginesessionforwhichtheQIXmethodcallwasmade.
l ServerStarted:ThetimewhentheQESstarted.
l Method:ThenameoftheQIXmethodthatwascalled.
l RequestId:TheIDoftherequestinwhichtheQIXmethodcallwashandled.
l Target:ThememoryaddressofthetargetfortheQIXmethodcall.
l RequestException:TheIDofanexception(ifany)thatoccurredasaresultoftheQIXmethodcall.
l ProcessTime:Theamountoftimethatwasneededtoprocesstherequest.
l WorkTime:Theamountoftimethattherequestdidactualwork.
l LockTime:Theamountoftimethattherequesthadtowaitforaninternallock.
139
6 Logging
l ValidateTime:Theamountoftimethattherequestusedforvalidation.
l Handle:TheIDoftheinterfacethathandledtherequest.TheinterfacecanbeGlobal,acertainsheet,
acertainobject,orsimilar.
See also:
p
QlikManagementConsolelog
The Qlik Management Console log is not created until there is an event (for example, an error
message) for the Qlik Management Console (QMC) to write in the log.
Qlik Sense Repository Service (QRS)
ThefollowingfieldsarespecifictotheQlikManagementConsolelogfortheQRS:
l Browser:ThewebbrowserthatisusedtoruntheQMC.
See also:
p
Sessionlog
Qlik Sense Engine Service (QES)
ThefollowingfieldsarespecifictotheSessionlogfortheQES:
l ActiveUserDirectory:Theuserdirectoryfortheuser.
l ActiveUserId:TheIDoftheuser.
l EngineTimestamp:ThetimewhentheQESwrotethelogmessagetofile.
l EngineThread:TheIDofthethreadthatwasusedwhentheQESwrotethelogmessagetofile.
l ProcessId:TheIDoftheQESprocessfromwhichthelogmessageoriginates.
l ExeType:Theconfigurationtype(releaseordebugversion)oftheQESprocess.
l ExeVersion:TheversionnumberoftheQESprocess.
l ServerStarted:ThetimewhentheQESstarted.
l AppId:TheIDoftheappthatwasloadedbythefinishedenginesession.
l AppTitle:Thetitleoftheloadedappthatwasusedduringthefinishedenginesession.
l DocTimestamp:Thelastmodifiedtimestampoftheappthatwasloadedbythefinishedengine
session.
l QlikSenseUser:Theuserthatstartedthefinishedenginesession.
l ExitReason:Thereasonfortheenginesessiontofinish.
l SessionStart:Thetimewhentheenginesessionstarted.
l SessionDuration:Theduration(inmilliseconds)ofthefinishedenginesession.
140
6 Logging
l CPUSpent(s):TheCPUtime(inseconds)thatwasspenthandlingrequestsduringthefinished
enginesession.
l BytesReceived:Thenumberofbytesofdatathatwerereceivedduringtheenginesession.
l BytesSent:Thenumberofbytesofdatathatweresentduringtheenginesession.
l Calls:Thenumberofcallsthatweremadeduringtheenginesession.
l Selections:Thenumberofselectionsthatweremadeduringtheenginesession.
l AuthenticatedUser:Theauthenticateduserthatusedtheenginesession.
l ClientMachineIdentification:TheIDoftheclientmachinethatopenedtheenginesession.
l SerialNumber:Theserialnumberthatwasusedduringtheenginesession.
l ClientType:Thetypeofclientthatwasusedfortheenginesession.
l ClientBuildVersion:Thebuildversionoftheclient.
l SecureProtocol:Anon/offflagthatindicateswhethertheprotocolwasrunoverasecureconnection.
See also:
p
Systemlog
Qlik Sense Scheduler Service (QSS)
ThefollowingfieldsarespecifictotheSystemlogfortheQSS:
l TaskName:Thenameofthetaskthatwasexecuted.
l TaskId:TheIDofthetaskthatwasexecuted.
l User:Thenameoftheuserwhoexecutedthetask.WhentheQSSstartsascheduledexecutionofa
task,theQSSislistedasuser.
l ExecutionId:AuniqueIDthatidentifiestheexecutionofthetask.AtaskgetsanewExecutionIdevery
timeitisexecuted.
l AppName:Thenameoftheappthatexecutedthetask(ifany).
l AppId:TheIDoftheappthatexecutedthetask(ifany).
141
6 Logging
See also:
p
Taskexecutionlog
Qlik Sense Scheduler Service (QSS)
ThefollowingfieldsarespecifictotheTaskexecutionlogfortheQSS:
l TaskId:AuniqueIDofthetaskthatwasexecuted.
l TaskName:Thenameofthetaskthatwasexecuted.
l AppId:AuniqueIDoftheappthatexecutedthetask(ifany).
l AppName:Thenameoftheappthatexecutedthetask(ifany).
l ExecutionId:AuniqueIDthatidentifiestheexecutionofatask.AtaskgetsanewExecutionIdevery
timeitisexecuted.
l ExecutionNodeId:AuniqueIDthatidentifiesthenodeinthesiteonwhichthespecificexecutionof
thetaskwasperformed.
l Status:Theresultoftheexecutionofthetask(successful,failed,aborted,skipped,orretry).
l StartTime:Thetimewhentheexecutionofthetaskstarted.
l StopTime:Thetimewhentheexecutionofthetaskstopped.
l Duration:Thetime(inmilliseconds)fortheexecutionofthetasktobecompleted.
l FailureReason:Empty,unlessanerroroccurredduringtheexecutionofthetask.
See also:
p
Trafficlog
Qlik Sense Engine Service (QES)
ThefollowingfieldsarespecifictothetrafficlogfortheQES:
l ActiveUserDirectory:Theuserdirectoryfortheuser.
l ActiveUserId:TheIDoftheuser.
l EngineTimestamp:ThetimewhentheQESwrotethelogmessagetofile.
l EngineThread:TheIDofthethreadthatwasusedwhentheQESwrotethelogmessagetofile.
l ProcessId:TheIDoftheQESprocessfromwhichthelogmessageoriginates.
See also:
p
142
6 Logging
6.10 Configuringthelogging
ThestandardlogginginQlikSenseisconfiguredusingtheQlikManagementConsole(QMC).
Customizedloggingissetupusingappendersandthelocallogconfigurationfile,LocalLogConfig.xml.
Appenders
ThelogginginQlikSenseimplementsacustomappender,QSRollingFileAppender,whichisbasedonthe
log4netcomponent.ThecustomappenderisusedinternallybytheQlikSenseloggingsystem.
QSRollingFileAppenderandsomeofthebuilt-in,predefinedappendersinthelog4netframeworkcanbe
usedtoconfigurecustomizedlogging,whichisspecifiedinthelocallogconfigurationfile,
LocalLogConfig.xml.
QSRollingFileAppendercanalsologeventsinthelocallogfile(forexample,theMicrosoftWindowsevent
log)orsendloginformationtoaremotelogserver.
QSRollingFileAppender
QSRollingFileAppenderinheritsfromlog4net.Appenders.FileAppenderandallparameters,exceptfor
AppendToFile,arealsoavailabletoQSRollingFileAppender.QSRollingFileAppenderstoresthelogfilesin
accordancetotheMaxFileSizeandMaxFileTimeparameters.
Configuringtheappender
TheQSRollingFileAppenderconfigurationisasfollows:
<appender name="MyQSRollingFileAppender"
type="Qlik.Sense.Logging.log4net.Appender.QSRollingFileAppender">
<param name="threshold" value="info" />
<param name="encoding" value="utf-8" />
<param name="file" value="C:/ProgramData/Qlik/Sense/Log/output.log"/>
<param name="maximumfiletime" value="720" />
<param name="maximumfilesize" value="512KB" />
<layout type="log4net.Layout.PatternLayout">
<converter>
<param name="name" value="rownum" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.CounterPatternConverter" />
</converter>
<converter>
<param name="name" value="longIso8601date" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.Iso8601TimeOffsetPatternConverter" />
</converter>
<converter>
<param name="name" value="hostname" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.HostNamePatternConverter" />
</converter>
<converter>
<param name="name" value="guid" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.GuidPatternConverter" />
</converter>
143
6 Logging
<converter>
<param name="name" value="user" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.ServiceUserNameCachedPatternConverter" />
</converter>
<converter>
<param name="name" value="encodedmessage" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter"
/>
</converter>
<converter>
<param name="name" value="encodedexception" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter" />
</converter>
<param name="ignoresexception" value="false" />
<param name="header"
value="Sequence#	Timestamp	Level	Hostname	Logger	Thread	Id	User	
Message	Exception	Id2
" />
<param name="conversionpattern" value="%rownum
{9999}	%longIso8601date	%level	%hostname	%logger	%thread	
%guid	%user	%encodedmessage	%encodedexception{innermostmessage}	%guid%newline" />
</layout>
</appender>
Converters
log4net.Layout.PatternLayoutandacoupleofcustomconvertersareusedtoformatrowsinlogsbasedon
QSRollingFileAppender:
l Qlik.Sense.Logging.log4net.Layout.Pattern.CounterPatternConverter:Addasequencenumberto
thelogrow.Parameter:
l Integer:Thelastnumberofthesequencebeforeitisreset.
l Qlik.Sense.Logging.log4net.Layout.Pattern.Iso8601TimeOffsetPatternConverter:Addatimestamp
(localtimewithtimeoffsetinISO8601format)tothelogrow.
l Qlik.Sense.Logging.log4net.Layout.Pattern.HostNamePatternConverter:Addthehostnametothelog
row.
l Qlik.Sense.Logging.log4net.Layout.Pattern.GuidPatternConverter:AddaGUIDtothelogrow.
l Qlik.Sense.Logging.log4net.Layout.Pattern.ServiceUserNameCachedPatternConverter:Addthe
usernametothelogrow.
l Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter:Addtheencoded
messagetothelogrow.
l Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter:Addinformationon
theloggedexceptiontothelogrow.Parameter(oneofthefollowing):
l MESSAGE:Themessageintheloggedexception.
l INNERMOSTMESSAGE:Themessageintheinnermostexceptionoftheloggedexception.
l SOURCE:Thesourceoftheexception(thatis,thenameoftheapportheobjectthatcaused
theerror).
l STACKTRACE:Thestacktracefortheexception.
144
6 Logging
l TARGETSITE:Thetargetsitefortheexception(thatis,themethodthatthrewthecurrent
exception).
l HELPLINK:Linktothehelpfileassociatedwiththeexception.
Built-inlog4netappenders
InadditiontotheQlikSensecustomappender,QSRollingFileAppender,thelog4netframeworkcomeswith
asetofbuilt-inpredefinedappendersthatalsocanbeusedinthelocallogconfigurationfile,
LocalLogConfig.xml:
l AdoNetAppender
l AnsiColorTerminalAppender
l AspNetTraceAppender
l ColoredConsoleAppender
l ConsoleAppender
l EventLogAppender
l FileAppender
l NetSendAppender
l RemoteSyslogAppender
l RemotingAppender
l RollingFileAppender
l SmtpAppender
l SmtpPickupDirAppender
l TelnetAppender
l UdpAppender
Eachappenderhasitsownsetofparameterstocontroltheoutput.
See also:
ApacheLoggingServices
Example:EventLogAppender
ThefollowingexampleshowshowtousetheEventLogAppenderinthelocallogconfigurationfile,
LocalLogConfig.xml,fortheQlikSenseProxyService(QPS).Intheexample,allQPSauditlogentriesat
warninglevelaresenttotheMicrosoftWindowseventlog.
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >
<param name="threshold" value="warn" />
<param name="applicationName" value="Qlik Sense Proxy Service" />
<layout type="log4net.Layout.PatternLayout">
<param name="conversionPattern" value="%message" />
</layout>
</appender>
<logger name="Audit.Proxy">
<appender-ref ref="EventLogAppender" />
</logger>
145
6 Logging
Example:SmtpAppender
ThefollowingexampleshowshowtousetheSmtpAppenderinthelocallogconfigurationfile,
LocalLogConfig.xml,fortheQlikSenseProxyService(QPS).Intheexample,allQPSauditlogentriesat
warninglevelaresenttoanemailaddress(to@domain.com).
<appender name="MyMailAppender" type="log4net.Appender.SmtpAppender">
<param name="threshold" value="warn" />
<param name="to" value="to@domain.com" />
<param name="from" value="from@domain.com" />
<param name="subject" value="test logging message" />
<param name="smtpHost" value="SMTPServer.domain.com" />
<param name="port" value="25" />
<param name="bufferSize" value="512" />
<param name="lossy" value="true" />
<layout type="log4net.Layout.PatternLayout">
<param name="conversionPattern" value="%newline%date %-5level %message%newline%newline%newline" />
</layout>
</appender>
<logger name="Audit.Proxy">
<appender-ref ref="MyMailAppender" />
</logger>
Locallogconfigurationfile
ThelogginginQlikSensecanbesetuptoproducecustomizedloggingasanadditiontothedefaultlogging.
Tosetupcustomizedlogging,createalocallogconfigurationfilenamedLocalLogConfig.xmlinthe
%ProgramData%\Qlik\Sense\<Service>\folder.
The logging defined by the local log configuration file does not affect the default logging.
Requirements
Therequirementsdescribedinthissectionmustbefulfilledforthecustomizedloggingtofunctionproperly.
XMLschema
TheXMLschemaforthelocallogconfigurationfile,LocalLogConfig.xml,isasfollows:
146
6 Logging
In this example, the local log configuration file is configured to write the system logs at debug
level in %ProgramData%\Qlik\Sense\Log\Proxy\Debug_System_Proxy.txt.
<?xml version="1.0"?>
<configuration>
<appender name="LocalApp_AppenderSystem"
type="Qlik.Sense.Logging.log4net.Appender.QSRollingFileAppender">
<param name="threshold" value="debug" />
<param name="encoding" value="utf-8" />
<param name="file" value="C:\ProgramData\Qlik\Sense\Log\Proxy\Debug_System_Proxy.txt" />
<param name="maximumfiletime" value="720" />
<param name="maximumfilesize" value="512KB" />
<layout type="log4net.Layout.PatternLayout">
<converter>
<param name="name" value="rownum" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.CounterPatternConverter" />
</converter>
<converter>
<param name="name" value="longIso8601date" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.Iso8601TimeOffsetPatternConverter" />
</converter>
<converter>
<param name="name" value="hostname" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.HostNamePatternConverter" />
</converter>
<converter>
<param name="name" value="guid" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.GuidPatternConverter"
/>
</converter>
<converter>
<param name="name" value="serviceuser" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.ServiceUserNameCachedPatternConverter" />
</converter>
<converter>
<param name="name" value="encodedmessage" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter" />
</converter>
<converter>
<param name="name" value="encodedexception" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter" />
</converter>
<param name="ignoresexception" value="false" />
<param name="header" value="Sequence#	Timestamp	Level	Hostname	
Logger	Thread	Id	ServiceUser	Message	Exception	
ActiveUserDirectory	ActiveUserId	ProxyTimestamp	ProxyThread	
147
6 Logging
Id2
" />
<param name="conversionpattern" value="%rownum{9999}	%longIso8601date	
%level	%hostname	%logger	%thread	%guid	%serviceuser	
%encodedmessage{1000000}	%encodedexception{innermostmessage:1000000}	
%property{ActiveUserDirectory}	%property{ActiveUserId}	
%property{ProxyTimestamp}	%property{ProxyThread}	%guid%newline" />
</layout>
</appender>
<logger name="System.Proxy">
<appender-ref ref="LocalApp_AppenderSystem" />
</logger>
</configuration>
See also:
p
148
7 Licensing
Licensing
ThelicensinginQlikSenseisbasedontokens,whichareusedtoallocateaccesspassesthatallowusersto
accessQlikSense.Therearedifferenttypesofaccesspassestochoosefromandeachtypecorrespondstoa
specificconsumptionmodelforaccessingQlikSense.
The tokens used in Qlik Sense are not compatible with the Client Access Licenses (CALs)
used in QlikView. In addition, QlikView licenses cannot be used in Qlik Sense.
7.1 LicenseEnablerFile
TheQlikSenselicensingisadministeredusingaLicenseEnablerFile(LEF),whichholdsthenumberof
tokensavailableforthecentralnodeinasite.ThismeansthataQlikSensesiteneedsatleastone(1)LEF.
TheLEFcanbedownloadedwhentheserialnumberandthecontrolnumberhavebeenenteredintheQlik
ManagementConsole(QMC).TheLEFcanalsobepasteddirectlyintotheQMC,if,forexample,nonetwork
connectionisavailable.
Increaseintokens
WhenthenumberoftokensintheLEFincreases(forexample,whenbuyingadditionaltokens),thenew
tokensareaddedtothepoolofunallocatedtokensthatcanbeusedtoallocateaccesspassesthatallow
userstoaccessQlikSense.
Decreaseintokens
WhenthenumberoftokensintheLEFdecreases,thefollowinghappens:
1. Unallocatedtokensareremoved.
2. Ifstep1isnotenoughtomeetthedecreasednumberoftokensintheLEF,anytokensthatarefreed
upbyremovalofaccesspassescannotbeusedfornewallocationsuntilthenumberofallocated
tokensisbelowthenewnumbersetintheLEF.
See:Removing access passes (page 152)
7.2 Accesspasses
ThelicensinginQlikSenseisbasedontokens,whichareusedtoallocateaccesspassesthatallowusersto
accessQlikSense.Therearedifferenttypesofaccesspassestochoosefromandeachtypecorrespondstoa
specificconsumptionmodelforaccessingQlikSense.
AuserconnectionisthecombinationofdeviceandbrowserthatisusedbyasingleusertoconnecttoQlik
Sense.IfauserwhoalreadyhasauserconnectionconnectstoQlikSensefromanotherbrowserordevice,
anadditionaluserconnectionisestablished.
ThefollowingtableliststhetypesofaccesspassesthatareavailableinQlikSense.
149
7 Licensing
Access
type
User
access
pass
Description
Thistypeofaccesspassallowsauniqueandidentifiedusertoaccessthehub.
TheaccesspassisvalidwithinanentireQlikSensesite.Forexample,ifauserfirstconnectsto
anodeintheUSAandthen,atalaterstage,connectstoanodeintheUK,theuserconsumes
thesameaccesspass,ifthetwonodesareconnectedtothesamecentralnode.
See:Site (page 11)
Themaximumnumberofparalleluserconnectionsforasingleuserofthistypeofaccesspass
isfive(5).Whenauserwiththemaximumnumberofparalleluserconnectionsendsa
connection(forexample,byloggingout)fiveminutesmustpassbeforetheusercanusethe
accesspasstoaddanotherconnection(forexample,byloggingin).
One(1)tokencorrespondstoone(1)accesspass.Theaccesspassesareallocatedusingthe
QlikManagementConsole(QMC).
Login
access
pass
Thistypeofaccesspassallowsanidentifiedoranonymoususertoaccessthehubfora
maximumof60continuousminutesper28-dayperiod.Iftheuserexceedsthe60minutestime
limitation,theuserconnectiondoesnottimeout.Instead,anotherloginaccesspassisused.If
nomoreloginaccesspassesareavailable,theuserconnectionisdiscontinued.
Ifanidentifieduserisdisconnected,theusercanre-connectandcontinuetousethesame
accesspass,ifre-connectingwithinthe60minutes.Ifananonymoususerisdisconnected,the
usergetsanewaccesspasswhenre-connecting.
Theloginaccesspasstracksthenumberofloginsandrunsover28days.Forexample,if1000
loginsareassignedtoGroupA,theusersinGroupAcanuse1000loginsover28days.If100
loginsareconsumedonDay1,the100loginsareavailableagainonDay29.
Themaximumnumberofparalleluserconnectionsforasingleuserofthistypeofaccesspass
isfive(5).Notethatthisonlyappliestoidentifiedusers.Ananonymoususercanonlyhaveone
(1)userconnection.Whenauserwiththemaximumnumberofparalleluserconnectionsendsa
connection(forexample,byloggingout)fiveminutesmustpassbeforetheusercanusethe
accesspasstoaddanotherconnection(forexample,byloggingin).However,ausercanhave
moreconnectionsthanallowedbyasingleaccesspassbyconsumingadditionalaccesspasses.
One(1)tokencorrespondstoten(10)accesspasses.Theaccesspassesareallocatedusing
loginaccessgroupsintheQMC.
Allocationofaccesspasses
ThefollowingfigureshowshowtheQlikManagementConsole(QMC)isusedtomanagetheallocationof
accesspasses.
150
7 Licensing
Loginandlogout
Login
WhenauserlogsintoQlikSense,anaccesspassoftheapplicabletypeisusedtoprovidetheuserwith
accesstoQlikSense.
Logout
WhenauserlogsoutofQlikSense,thefollowinghappensdependingonthetypeofaccesspassused:
151
7 Licensing
l Useraccesspass:Theaccesspassisnotaffectedwhentheuserlogsout.
l Loginaccesspass:TheaccesspassthatwasusedtoaccessQlikSenseisconsideredtobeusedand
willnotbeavailableforanewloginuntiltheperiodspecifiedinLogin access pass (page 150)has
passed.
Removingaccesspasses
Thissectiondescribeshowtofreeuptokensfornewallocationsofaccesspassesbyremovingexisting
accesspassesintheQlikManagementConsole(QMC).
Useraccesspass
Whenauseraccesspassisremoved,itentersaquarantineforseven(7)days,countingfromthelasttime
thattheaccesspasswasused.Forexample,iftheaccesspassisusedonJanuary10,thetokensusedto
allocatetheaccesspassarenotavailablefornewallocationsuntilJanuary18.
Duringthequarantineperiod,theoriginalallocationoftheaccesspasscanbereinstated,whichmeansthat
thequarantineperiodendsandtheusercanstartusingtheaccesspassagain.
Loginaccesspass
Whenaloginaccessgroupisremoved,thetokensusedtoallocatetheaccesspassbecomeavailablein
accordancetothefollowingprocedure:
1. Foreveryten(10)unusedloginaccesspasses,one(1)tokenisfreedup.
2. Foreveryten(10)loginaccesspassesthatleavetheusedstateaftertheperiodspecifiedinLogin
Disconnectednode
AdisconnectednodeisarimnodethatfailstosynchronizewiththecentralnodeinaQlikSensesite.A
disconnectednodecontinuestoserveuserstothebestofitsabilitywhilewaitingforasynchronizationwith
thecentralnodetotakeplace.
Multi-deploymentsites
ThissectiondescribeshowtheQlikSenselicensingishandledwithinmulti-deploymentsites,whereappsare
promotedfromadevelopmentsitetoatestsiteandfinallytoaproductionsite.
Developmentsite
InaQlikSensedeploymentthatincludesadevelopmentsiteandaproductionsite,two(2)LicenseEnabler
Files(LEF)areneeded(thatis,onepersite).
Eachnodewithinthedevelopmentsiteislicensedwithone(1)accesspasstype(forexample,useraccess
passes),ifonlydisconnectedusersareexpected.
Testsite
TheLEFforatestsitemirrorstheLEFforadevelopmentsite.
152
7 Licensing
See also:
p
Anonymoususers
Anonymoususersonlyuseloginaccesspasses.
See also:
p
7.3 Licensingmetrics
Licensemetricsforthesoftwareareavailableatwww.qlik.com/license-terms.
153