0% found this document useful (0 votes)

293 views341 pages

Deploy Qlik Sense Enterprise On Windows

Uploaded by

harisomanath

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

293 views341 pages

Deploy Qlik Sense Enterprise On Windows

Uploaded by

harisomanath

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 341

Deploy Qlik Sense Enterprise on Windows
Qlik Sense®
June 2020
Copyright © 1993-2021 QlikTech International AB. All rights reserved.

HELP.QLIK.COM
© 2021 QlikTech International AB. All rights reserved. Qlik®, Qlik Sense®, QlikView®, QlikTech®, Qlik
Cloud®, Qlik DataMarket®, Qlik Analytics Platform®, Qlik NPrinting®, Qlik Connectors®, Qlik
GeoAnalytics®, Qlik Core®, Associative Difference®, Lead with Data™, Qlik Data Catalyst™, Qlik Big Data
Index™ and the QlikTech logos are trademarks of QlikTech International AB that have been registered in
one or more countries. Other marks and logos mentioned herein are trademarks or registered trademarks
of their respective owners.
Contents

1   Planning your Qlik Sense 9
9
9
9
10
10
11
11
14
15
1.2  Before you install Qlik Sense 18
System requirements 19
27
Qlik Sense Enterprise 29
65
66
1.3  Qlik Sense Enterprise 68
Qlik Sense Enterprise 68
Qlik Sense Enterprise 69
Qlik Sense Enterprise 69
Qlik Sense Enterprise on Windows 69
Qlik Sense Enterprise 69
Qlik Sense Enterprise on 75
Qlik Sense Enterprise on 79
Qlik Sense Enterprise on Windows deployed to Google Cloud 82
Qlik Sense 86
Deploying Qlik Sense Enterprise in a multi-cloud 89
environment
2   Installing Qlik Sense 91
2.1  Installing 91
96
96
97
Modifying an 98
2.2  Installing Qlik 98
99
Allocating access to users 107
Adding a Qlik Sense node 108
Modifying an object bundles installation 110
2.3  Creating a file share 111
2.4  Configuring failover for central node resiliency 112
Failover considerations 112
Create a failover candidate node 113
Manually migrating the central node 115
2.5  Installing and configuring PostgreSQL 115
Installing PostgreSQL 116

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

Conten
Creating a PostgreSQL database 117
Creating  login roles 118
Configuring PostgreSQL 119
2.6  Installing and configuring PostgreSQL on Azure 121
Setting up a PostgreSQL database in Azure 122
Connecting to the database using pgadmin 4.x 123
Installing Qlik Sense 124
2.7  Configuring a proxy for Qlik License Service communication in Qlik Sense Enterprise on
Windows 124
2.8  Configuring preferred cipher suites for  Qlik License Service in Qlik Sense Enterprise on
Windows 125
2.9  Changing the user account to run Qlik Sense services 126
Using an account without administrator privileges to run the Qlik Sense services during
the installation of a node 127
Changing the user account type to run the Qlik Sense services on an existing site 128
2.10  Performing a silent installation 129
Syntax 129
Commands 130
Arguments 130
Shared persistence configuration file syntax 132
Deprecated command line arguments 134
2.11  Setting up Qlik Sense Enterprise on Windows after installation 134
Connecting Qlik Sense to your user directory 134
Assigning licenses to users 135
Configuring the monitoring apps 135
How Qlik Sense uses HTTPS and certificates 136
Creating and opening apps 136
Working with streams, apps and publishing 136
3   Upgrading and updating Qlik Sense Enterprise on Windows 137
3.1  Upgrades and migrating persistence models 137
3.2  Upgrades and centralized logging 137
3.3  Upgrading 138
Qlik Sense apps 139
Multi-node deployments 139
Qlik Sense Repository Database 139
Upgrading Qlik Sense 140
Upgrading from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 or later 141
Upgrading to Qlik Sense June 2017 or later from Qlik Sense versions earlier than 3.1 SR2 145
3.4  Upgrading and migrating from synchronized to shared persistence 148
Backing up a synchronized persistence site 148
Upgrading to a shared persistence deployment 149
3.5  Performing a silent upgrade 151
3.6  Repairing an installation 153
3.7  Performing a silent repair 153

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

Conten
3.8  Patching Qlik Sense 15
4
Silent patching 15
6
3.9  Uninstalling Qlik Sense 15
7
4   Backup and restore Qlik Sense Enterprise on Windows158
4.1  Qlik Sense certificates 15
8
4.2  Qlik Sense Repository Database 15
8
4.3  Shared persistence file share 15
9
4.4  Backing up certificates 15
9
4.5  Restoring certificates 16
8
4.6  Backing up a Qlik Sense site 17
8
Backing up the Qlik Sense Repository Database after uninstalling Qlik Sense 17
9
4.7  Restoring a Qlik Sense site 18
0
Restoring a Qlik Sense site to a machine with a different hostname 18
1
5   Qlik Sense Enterprise on Windows security185
5.1  Certificates 18
5
5.2  Protecting the platform 18
6
Network security 18
6
Server security 18
7
Process security 18
8
App security 18
9
5.3  Authentication 19
0
Default authentication module 19
1
Certificate trust 19
1
Authentication solutions 19
6
5.4  Authorization 20
4
Access control 20
4
Data reduction 20
6
5.5  Auditing 21
2
5.6  Confidentiality 21

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

Conten
2
5.7  Integrity 21
2
Database security 21
3
Data encryption 22
0
5.8  Availability 22
2
5.9  Security example: Opening an app 22
2
5.10  AWS and Azure security 22
3
Qlik Sense 22
3
AWS 22
4
Azure 22
4
6   Logging226
6.1  Updated logging framework 22
6
6.2  Legacy logging framework 22
6
6.3  Centralized logging framework 22
6
6.4  Reading and analyzing log files in Qlik Sense 22
6

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

Conten
6.5  Centralized logging 22
6
6.6  Qlik Logging Service 22
7
Command line options 22
8
6.7  Qlik Logging Service – configuration and integration 23
1
Dynamic configuration 23
1
Qlogs statistics 23
5
Windows Event Log integration 23
5
Windows Performance Monitor integration 23
6
Export 24
0
Technical notes 24
1
6.8  Requirements 24
3
Securing the file system 24
3
Synchronizing time 24
3
Setting time zone 24
3
6.9  Storage 24
4
Log folder 24
4
Archived log files 24
8
6.10  Naming 24
8
6.11  Rows 24
9
6.12  Fields 24
9
Audit activity log 24
9
Audit security log 25
3
Server log 25
6
Qlik Sense engine service log fields 26
0
6.13  Trace logs 26
0
Storage 26
1
Naming 26
1
Rows 26
2

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

Conten
Fields 26
2
6.14  Configuring the logging 27
2
Appenders 27
3
6.15  Telemetry logging 27
9
Enabling telemetry logging 27
9
Parameter descriptions 28
0
Reading the logs 28
1
Important Engine Operations 28
1
7   Troubleshooting - Deployment283
7.1  Understand the problem 28
3
7.2  Use the log files 28
4
Default log files 28
4
Archived log files 28
4
7.3  Qlik Sense client or application problems 28
5
7.4  Other resources 28
5
7.5  Cannot find the repository database superuser password 28
5

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

Conten
7.6  Cannot access the hub or the QMC after installation286
7.7  Error message "No access path" after upgrade286
7.8  One or more Qlik Sense services did not start after installation286
7.9  Anti-virus software scanning affects performance287
7.10  Exit 288
7.11  Rim node loses connection to the central 289
7.12  Repository cannot connect to database after installation289
7.13  Unable to upgrade, reinstall or add a rim node due to password validation failur 289
e
7.14  Unable to upgrade Qlik Sense, missing database291
7.15  The database is unavailable, how do I find the Qlik logging service 291
7.16  Troubleshooting - database not configured for IP address or 291
7.17  Troubleshooting app distribution in multi-cloud292
Publishing is a little 292
Custom properties not in lowercase292
A temporary error occurred292
An unknown error occurred293
7.18  The logging database has grown 293
7.19  Cannot read or write to the logging database293
7.20  How can I debug if there are log entries missing in the database?294
7.21  How can I manage storage to fit our needs and the needs of the operational IT
department? 294
7.22  Qlik logging service database urgently needs to be reduced 295
7.23  Logging issues when trying clean up the database295
7.24  Upgrade fails with message "Qlik Sense Superuser password validation failure" 296
7.25  Failed to remove soft deleted records296
7.26  Issues with Qlik Sense Enterprise when not connected to the internet301
7.27  The Qlik Sense Mobile app encounters a network error and must 301
7.28  The Qlik Sense URL does not open within BlackBerry Access browser301
8   Deploying Qlik Sense Mobile303
8.1  The Qlik Sense Mobile 303
8.2  Enterprise Mobile Management (EMM) and Qlik Sense 303
8.3  Qlik Sense Mobile security304
Authentication304
Certificates304
Configuring the certificate validation policy for the Qlik Sense Mobile 305
8.4  Installing Qlik Sense 305
Qlik Sense Mobile and 306
Deploying the Qlik Sense Mobile app using AirWatch306
Deploying the Qlik Sense Mobile app using MobileIron310
Deploying Qlik Sense Mobile with Microsoft Azure and 316
Connecting to Qlik Sense using BlackBerry Access321
Connecting to Qlik Sense from the Qlik Sense Mobile 323
8.5  Deploying mashups to the Qlik Sense Mobile 324

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

Conten
Why use mashups in the Qlik Sense Mobile app 32
5
Restricting access to mashups in the Qlik Sense Mobile app 32
5
8.6 Customizing Qlik Sense Mobile with AppConfig 32
6
Configurable settings in AppConfig 32
6
Setting a mashup as landing page 32
8
8.7 Qlik Sense Mobile for BlackBerry 32
9
Authentication configurations for Qlik Sense Mobile for BlackBerry 32
9
Deploying Qlik Sense Mobile for BlackBerry 33
0
Qlik Sense Mobile for BlackBerry policy settings 33
3
Activating Qlik Sense Mobile for BlackBerry 33
6

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

1 Planning your Qlik Sense Enterprise
deployment
To successfully plan and prepare for your Qlik Sense deployment, do the following:

Introducing Qlik Sense Enterprise
Get a brief introduction to Qlik Sense Enterprise.
Qlik Sense Enterprise deployment examples
See examples of different ways to deploy Qlik Sense Enterprise.
System requirements for Qlik Sense Enterprise
Review the Qlik Sense Enterprise system requirements.
Qlik product licenses
Understand how Qlik Sense uses license keys and LEF for site licensing.
Understand how Qlik Sense uses tokens for user access allocation (token-based
licensing).
Ensure that you have your Qlik Sense license key available.

1.1 Qlik product licenses
Here is a summary of the license options that are available for the different Qlik Sense relate
d products. Licensing allows you to manage the usage of the Qlik Sense software in your
organization.

For detailed information on Qlik Sense licensing options, see Qlik's legal terms, product terms, and Licensing
Service Reference Guide:
≤ Qlik Legal Terms
≤ Qlik Product Terms
≤ Qlik Licensing Service Reference Guide

Product activation
All Qlik products are entitled and enforced by a License Enabler File (LEF). The LEF is the artifact that is
downloaded during the production activation. A Qlik product is licensed and activated using either a serial and
control number, or a signed license key. The use of a signed license key is required for Qlik Sense Enterprise
SaaS and Qlik Sense Enterprise on Kubernetes deployments, and for the use of capacity based licenses.

With a signed license key, you need internet access (direct or through a proxy) to access the cloud-based
license backend, for user assignments, analytic time consumption, and product activations.

Unified license
As of the April 2019 releases of Q lik Sense and QlikView, Qlik Sense customers can use a unified license in
multiple deployments. A unified license shares the same signed key between:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

 multiple Qlik Sense Enterprise deployments
 multiple QlikView Server deployments
 QlikView Server and Q lik Sense Enterprise deployments

Applying the same signed key to multiple deployments lets you share the same users and access types.
Users c an access all connected deployments using the same Professional or Analyzer access allocation.

Qlik Sense Enterprise
Qlik Sense Enterprise is the server version of Qlik Sense that you can deploy on a single node, or on multiple
nodes. Qlik Sense Enterprise deployments are licensed and activated using a serial and control number, or a
signed license key. Your Qlik Sense Enterprise license is based either on access types, or on tokens.

Access types
Access types licenses are the Professional and Analyzer Users licenses (user-based) and Analyzer Capacity
licenses (capacity-based). Y
ou can combine these for a subscription based license if you use the signed
license key when your deployment is activated. You can combine only user-based licenses if you are using a
perpetual license.

After changing to a license with a signed key, you cannot return to using the old LEF based license model.

Token
You use tokens to allocate access passes to users so that they can access Qlik Sense. T
he LEF determines
the number of tokens that you can allocate to different access passes. A user without an access pass cannot
access apps.

With a Qlik Sense Token license you use tokens to allocate access passes to users. You can allocate user
access and login access.

The token license is available only to customers with existing Qlik Sense Token licenses.

Core-based site
Qlik Sense Enterprise core-based sites are licensed based on the number of CPU cores o n which the
software will operate. A Core means a single processing unit within a processor or CPU, whether physical or
virtual, including a vCPU or virtual core, which is capable of executing a single software thread at a time.

Qlik DataMarket
Qlik DataMarket offers a collection of up-to-date data from external sources accessible directly from within
Qlik Sense. The available data includes current and historical weather and demographic data, currency
exchange rates, as well as business, economic, and societal data.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise
Qlik DataMarket h
as two license options, one free and one licensed. The free option gives you access to a
limited data set. The licensed option gives you access to premium data packages. You activate the license in
the same way as for Qlik Sense Enterprise by entering owner information, serial number, and control
number.

It is not necessary to accept Qlik DataMarket terms and conditions when using Qlik Sense Desktop. Access credentials are

Qlik NPrinting
You can install and configure Qlik NPrinting to connect to QlikView documents or Qlik Sense apps. The
licensing requirements and procedures are different depending on if you connect Qlik NPrinting to QlikView
or Qlik Sense.

Qlik NPrinting versions 16.0.0.0 and later are licensed by a LEF. If you are using an earlier version of Qlik
NPrinting, we suggest that you upgrade to Qlik NPrinting versions 16.0.0.0 or later.

A Qlik Sense token is not required for the Qlik NPrinting service account. However, because you often perform troubleshoo

Qlik Sense Licenses
Qlik Sense Enterprise is the server version of Qlik Sense that you can deploy on a single nod
e,
or on multiple nodes. Qlik Sense Enterprise licenses are based either on access types, or on
tokens.

If you want to set up Qlik Sense Enterprise SaaS or Qlik Sense Enterprise on Kubernetes, please contact your Qlik represe

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

 multiple Qlik Sense Enterprise deployments
 multiple QlikView Server deployments
 QlikView Server and Q lik Sense Enterprise deployments

Qlik Sense Enterprise
A Qlik Sense Enterprise deployment can be licensed using two different models: the serial and control
number and the signed license key. The License Enabler File (LEF) defines the terms of your license and the
access types that you can allocate to users. Y
our Qlik Sense Enterprise license is based either on access types, or on tokens. A core-
based license is also available. The use of a signed license key is required for Qlik
Sense Enterprise SaaS and Qlik Sense Enterprise on Kubernetes deployments, and for the use of capacity
based licenses.

With a signed license key, you need internet access (direct or through a proxy) to access the cloud-based
license backend, for user assignments, analytic time consumption, and product activations.

User-based and capacity-based licenses
A user-based license grants a predefined number of access allocations that can be assigned to unique and
identified users. In Qlik Sense Enterprise, user-based licenses are either Professional and Analyzer Users
licenses, o r User access passes allocated with a Token license.

A capacity-based license grants a predefined number of time allocations for accessing Qlik Sense Enterprise
that can be used by identified or anonymous users. In Qlik Sense, capacity-based licenses are either based
on Analyzer Capacity access, or Login access pass allocated with a Token license.

Access types
Access types licenses are the Professional and Analyzer Users licenses (user-based) and Analyzer Capacity
licenses (capacity-based). You can combine these for a subscription based license if you use the signed
license key when your deployment is activated. You can combine only user-based licenses if you are using a
perpetual license.

After changing to a license with a signed key, you cannot return to using the old serial and control number license model.

Professional and Analyzer Users license
A P rofessional and Analyzer Users license is composed of Professional and Analyzer access types.

 Professional access (user-based) is allocated to an identified user to a
llow the user to access streams
and apps within a Qlik Sense site. The professional access is intended for users who need access to
all features in a Qlik Sense installation. A user with professional access can create, edit, and publish
sheets or apps, and make full use of the available features, including administration of a Qlik Sense
site.
 Analyzer access is allocated to an identified user to a llow the user to access streams and apps in the
hub. The analyzer access is intended for users who consume sheets and apps created by others. A

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

user with analyzer access cannot create, edit, or publish sheets or apps, but can create and publish
stories, bookmarks and snapshots based on data in apps. The user can also create bookmarks, print
objects, stories, and sheets, and export data from an object to Excel.

Analyzer Capacity license
An A nalyzer Capacity license is composed of Analyzer Capacity access type.

 Analyzer capacity is a consumption-
based license type, which is similar to analyzer access regarding
available features. Users can access streams and apps in the hub and consume sheets and apps
created by others. Analyzer capacity access allows users to create and publish stories, bookmarks,
and snapshots based on data in apps. Creating, editing, or publishing sheets or apps is not possible.
With an analyzer capacity license, you subscribe to analyzer time, a defined amount of minutes per
month (calendar date). These minutes are shared between users and can be consumed by anyone
who is part of the user group, including anonymous users. Consumption is measured in units of 6
minutes. For each new 6-minute period, a unit is consumed.

Dynamic access assignment
Dynamic access assignment is available for Qlik Sense Enterprise on Kubernetes and Qlik Sense Enterprise
SaaS deployments and is managed in the management console.

Choose between four options:

 Dynamic assignment enabled for both professional and analyzer access:
Professional access is assigned, if available, otherwise analyzer access. If neither of those are
available, analyzer capacity is assigned, if available.
 Dynamic assignment enabled only for professional access:
Professional access is assigned, if available, otherwise analyzer capacity is assigned, if available.
 Dynamic assignment enabled only for analyzer access:
Analyzer access is assigned, if available, otherwise analyzer capacity is assigned, if available.
 Dynamic assignment disabled for both professional and analyzer access:
Analyzer capacity access is assigned, if available.

You can upgrade from analyzer access to professional access, but not downgrade from professional to
analyzer.

If you change to a new license key, all your assignments are removed, because they are associated with the
license, not the tenant. However, if you start using the old license key again, the assignments will be present.

Token
You use tokens to allocate access passes to users so that they can access Qlik Sense. T
he License Enabler
File (LEF) determines the number of tokens that you can allocate to different access passes. A user without
an access pass cannot access apps.

The token license is available only to customers with existing Qlik Sense Token licenses.

There are two types of access passes that can be allocated using tokens:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

 User access pass (user-based) is assigned to unique and identified users allowing them unlimited
access to apps, streams, and other resources.
 Login access pass (capacity-based) allocates a block of passes to a group for infrequent or anonymous
access. Allows full access for a limited period.

When you allocate tokens, the number of available tokens is reduced. Each access type costs a certain
number of tokens, and if the token balance is zero or insufficient, you cannot allocate more to the access
types. You can free up tokens a nd choose to use the tokens differently. T he number of tokens for the Qlik
Sense site can be increased or decreased by activating a new license.

Core-based site
Qlik Sense Enterprise core-based sites are licensed based on the number of CPU cores o n which the
software will operate. The license is administered using a License Enabler File (LEF), which limits the
maximum number of cores on which the Qlik associative engine and its components may operate. A Core
means a single processing unit within a processor or CPU, whether physical or virtual, including a vCPU or
virtual core, which is capable of executing a single software thread at a time.

License Enabler File
In Qlik Sense there are two alternative license models: the serial and control number and t
he
signed license key. The License Enabler File (LEF) defines the terms of your license and t
he access types that you can allocate to users.

When licensing Qlik Sense using a serial and control number, the LEF can be downloaded when the serial
number and the control number have been entered in the Qlik Management Console (QMC). The LEF can
also be pasted directly into the QMC, if, for example, no network connection is available. There are two
license types that can be activated using a serial and control number: Professional and Analyzer Users
licenses, and Qlik Token licenses.

When licensing Qlik Sense using a signed key, the L EF file is stored in the License Backend.

If you want to set up Qlik Sense Enterprise SaaS or Qlik Sense Enterprise on Kubernetes, please contact your Qlik represe

Professional and Analyzer Users license
Professional and Analyzer Users licenses grant a predefined number Professional and Analyzer (user-based)
access type allocations. T he LEF file determines the allocation of the access types.

Analyzer Capacity licenses (capacity based) can only be licensed using a signed key. When combining professional, analy

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise

Token license
You use tokens to allocate access passes to users so that they can access Qlik Sense. T he License Enabler
File (LEF) determines the number of tokens that you can allocate, and holds the number of tokens available
for the central node in a site. This means that a Qlik Sense site needs at least one (1) LEF. A user without an
access pass cannot access apps.

The token license is available only to customers with existing Qlik Sense Token licenses.

You cannot use QlikView CAL-based licenses with Qlik Sense as the tokens are not compatible with the Client Access L

Increase in tokens
When the number of tokens in the LEF increases (for example, when buying additional tokens), the new
tokens are added to the pool of unallocated tokens that can be used to allocate access passes that allow
users to access Qlik Sense.

Decrease in tokens
When the number of tokens in the LEF decreases, the following happens:

1. Unallocated tokens are removed.
2. If step 1 is not enough to meet the decreased number of tokens in the LEF, any tokens that are freed
up by removal of access passes cannot be used for new allocations until the number of allocated
tokens is below the new number set in the LEF.

Access assignment
Qlik Sense Enterprise licenses are based either on access types, or on tokens. Depending o
n
your license, you can allocate either access types or access passes to users, to allow them t
o access Qlik Sense.

 Access types licenses are the Professional and Analyzer Users licenses (user-
based) and Analyzer Capacity licenses (capacity-based).
With a Professional and Analyzer Users license you can allocate professional access and analyzer
access.
With an Analyzer Capacity license you can allocate analyzer capacity access, where consumption is
time based (analyzer time).
 With a Qlik Sense Token license you use tokens to allocate access passes to users. You can allocate
user access and login access.

Access types
Professional and Analyzer Users licenses and Analyzer Capacity licenses grant a predefined number of
access allocations. The License Enabler File (LEF) defines the terms of your license and the access types
that you can allocate to users. You can combine these for a subscription based license if you use the signed

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise
license key when your deployment is activated. You can combine only user-based licenses if you are using a
perpetual license. Y
ou must use a license with a signed key if you are licensing analyzer capacity access.

Professional access
Professional access is allocated to an identified user to a llow the user to access streams and apps within a
Qlik Sense site. The professional access is intended for users who need access to all features in a Qlik Sense
installation. A user with professional access can create, edit, and publish sheets or apps, and make full use of
the available features, including administration of a Qlik Sense site.

For Qlik Sense installations licensed with a serial and control number, if you remove p
rofessional access
allocation from a user, the access type is put i n quarantine, if it has been used within the last seven days. If i
t
has not been used within the last seven days, the professional access is r eleased immediately. You can
reinstate q uarantined professional access, to the same user, within seven days.

Quarantine is not enforced on Qlik Sense installations that are licensed with a signed license key.

The maximum number of parallel user connections for a single user of this type of access pass is five (5).If
you use a license with a signed license key, accessing the QMC also counts and adds to the maximum
number of parallel sessions, which is five. To avoid unnecessary session consumption, the root admin should
not be allocated any type of access.

When a user with the maximum number of parallel user connections ends a connection (for example, by
logging out) five minutes must pass before the user can use the access pass to add another connection (for
example, by logging in).

Analyzer access
Analyzer access is allocated to an identified user to a llow the user to access streams and apps in the hub.
The analyzer access is intended for users who consume sheets and apps created by others. A user with
analyzer access cannot create, edit, or publish sheets or apps, but can create and publish stories, bookmarks
and snapshots based on data in apps. The user can also create bookmarks, print objects, stories, and sheets,
and export data from an object to Excel.

For Qlik Sense installations licensed with a serial and control number, if you remove a nalyzer access
allocation from a user, the access type is put i n quarantine, if it has been used within the last seven days. If it
has not been used within the last seven days, the analyzer access is r eleased immediately. You can reinstate
quarantined analyzer access, to the same user, within seven days.

Quarantine is not enforced on Qlik Sense installations that are licensed with a signed license key.

The maximum number of parallel user connections for a single user of this type of access pass is five
(5).When a user with the maximum number of parallel user connections ends a connection (for example, by
logging out) five minutes must pass before the user can use the access pass to add another connection (for
example, by logging in).

Analyzer capacity access
Analyzer capacity is a consumption-based license type, which is similar to analyzer access regarding
available features. Users can access streams and apps in the hub and consume sheets and apps created by
others. Analyzer capacity access allows users to create and publish stories, bookmarks, and snapshots based

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise
on data in apps. Creating, editing, or publishing sheets or apps is not possible.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

1 Planning your Qlik Sense Enterprise
With an analyzer capacity license, you subscribe to analyzer time, a defined amount of minutes per month
(calendar date). These minutes are shared between users and can be consumed by anyone who is part of the
user group, including anonymous users. Consumption is measured in units of 6 minutes. For each new 6-
minute period, a unit is consumed.

Access passes
With a Qlik Sense Token license you use tokens to allocate access passes to users. The License Enabler File
(LEF) determines the number of tokens that you can allocate to different access passes. A user without an
access pass cannot access apps.

User access pass
This type of access pass allows a unique and identified user to access the hub.

The access pass is valid within an entire Qlik Sense site. For example, if a user first connects to a node in the
USA and then, at a later stage, connects to a node in the UK, the user consumes the same access pass, if
the two nodes are connected to the same central node.

One (1) token corresponds to one (1) access pass. The access passes are allocated using the Qli
k Management Console (QMC).

You can have both a user access pass and the possibility to consume login access passes. If you have five active session

Removing user access pass allocation
When a user access pass is removed, it enters a quarantine for seven (7) days, counting from the last time
that the access pass was used. For example, if the access pass is used on January 10, the tokens used to
allocate the access pass are not available for new allocations until January 18. During the quarantine period,
the original allocation of the access pass can be reinstated, which means that the quarantine period ends and
the user can start using the access pass again.

Login access pass
This type of access pass allows an identified or anonymous user to access the hub for a maximum of 60
continuous minutes per 28-day period. If the user exceeds the 60 minutes time limitation, the user connection
does not time out. Instead, another login access pass is used. If no more login access passes are available,
the user connection is discontinued.

 If an identified user is disconnected, the user can re-connect and continue to use the same access
pass, if re-connecting within the 60 minutes.
 If an anonymous user is disconnected, the user gets a new access pass when re-connecting.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise
The login access pass tracks the number of logins and runs over 28 days. For example, if 1000 logins are
assigned to Group A, the users in Group A can use 1000 logins over 28 days. If 100 logins are consumed on
Day 1, the 100 logins are available again on Day 29.

The maximum number of parallel user connections for a single user of this type of access pass is five (5).
Note that this only applies to identified users. An anonymous user can only have one (1) user connection.
When a user with the maximum number of parallel user connections ends a connection (for example, by
logging out) five minutes must pass before the user can use the access pass to add another connection (for
example, by logging in). However, a user can have more connections than allowed by a single access pass by
consuming additional access passes.

One (1) token corresponds to ten (10) access passes. The access passes are allocated using login access
groups in the QMC.

App reloads will extend the session and consume access passes also when the app is not actively used. If a browser pag

Removing login access pass allocation
When a login access group is removed, the tokens used to allocate the access pass become available in
accordance to the following procedure:

1. For every ten (10) unused login access passes, one (1) token is freed up.

2. For every ten (10) login access passes that leave the used state after the period specified in the Login
access pass (page 17) section above has passed, one (1) token is freed up.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Security
Understand how Qlik Sense Enterprise on Windows uses certificates for security.
Certificates are installed by default.
Performance
Basic information on performance to consider before you install Qlik Sense Enterprise
on Windows.
User accounts
Understand and set up the various user accounts required to install and run the Qlik
Sense Enterprise on Windows services.
If you intend to run Qlik Sense Enterprise on Windows services as a user without
administrator privileges, some additional configuration steps are required.

System requirements for Qlik Sense Enterprise
This section lists the requirements that must be fulfilled by the target system in order to successfully install
and run Qlik Sense.

Qlik Sense Enterprise on Windows
 Microsoft Windows Server 2012 R2
 Microsoft Windows Server 2016
 Microsoft Windows Server 2019

For development and testing purposes only:
Platforms
 Microsoft Windows 10 (64-bit version only)

These operating systems are supported by Qlik Sense. Third-party
software may require service packs to be installed.

Multi-core x64 compatible processors
Processors
(CPUs) We recommend that you use at least 4 cores per node in a Qlik Analytics Platform
deployment.

8 GB minimum (depending on data volumes, more may be required)
Memory Qlik Sense is an in-memory analysis technology. The memory requirements for the
Qlik Sense products are directly related to the amount of data being analyzed.

Disk space 5.0 GB total required to install

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise


A network file share is required for the storage to be accessible by all servers
in the site. I n case of a single-server deployment, local disk storage may be
sufficient.
 Sufficient storage is required for the volume of apps and content used in the
Storage deployment.

Qlik periodically runs network file share performance tests on Qlik
Sense using WinShare, and FreeNAS with SMB 3.0. For more
information on network file share solutions, contact your Qlik
representative.
 Microsoft Active Directory
Security  Microsoft Windows Integrated Authentication
 Third-party security

Web browsers and infrastructure components (such as proxies and routers) must
WebSockets
support WebSockets.

.NET framework 4.5.2 or higher

PowerShell 4.0 or higher

PostgreSQL 9.6.x (included in the installer), 11.x (not included in the installer)

PostgreSQL is included in the Qlik Sense setup by default. However, you can also
download and install it manually.
Repository
database
The version of PostgreSQL 9.6.x installed with Qlik Sense does not
Centralized include pgAdmin tools. You can download and install them manually if
logging required.
database
PostgreSQL is an open source object-relational database management system. It is
released under the PostgreSQL license, which is a free and open source software
license.

 IPv4
Internet protocol  IPv6
 Dual stack (IPv4 and IPv6)

Network The configured hostname must resolve to an IP address on the host machine.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

The following browsers are supported for accessing the QMC.

Supported Microsoft Windows browsers:

 Microsoft Internet Explorer 11
 Microsoft Edge (only for Microsoft Windows 10)
 Google Chrome
Qlik

Management Mozilla Firefox (requires hardware acceleration, not supported in virtual
Console (QMC), environments)
supported
browsers CefSharp embedded browser v55 or later (CefSharp allows you to embed the
Chromium open source browser inside .Net apps)

Supported Apple Mac OS browsers:

 Apple Safari 10 or later
 Google Chrome

Mozilla Firefox (requires hardware acceleration, not supported in virtual
environments)
QMC, minimum Desktops, laptops, and Apple Mac: 1024x768
screen
No mobile or small screen support.
resolution

QlikView It is not possible to install Qlik Sense on a machine with QlikView Server already
compatibility installed.

Natural Language Processing (NLP) support for Insights requires a CPU that
supports Advanced Vector Extensions (AVX) instructions. To find out if your
CPU supports AVX, download Coreinfo v3.5 from Microsoft to view your CPU and
memory topology.

Coreinfo v3.5 - Dump information on system CPU and memory topology

Intel(R) Core(TM) i7-9850H CPU @ 2.60GHz

Insights Intel64 Family 6 Model 158 Stepping 13, GenuineIntel
Microcode signature: 000000CA
HTT * Hyperthreading enabled
HYPERVISOR * Hypervisor is present
...
AES * Supports AES extensions
AVX * Supports AVX instruction extensions
FMA * Supports FMA extensions using YMM state
...
Logical Processor to Group Map:
************ Group 0

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

We do not recommend that you install Qlik Sense on domain controller machines, as group policies may prevent Qlik Sen

License activations request access to the Qlik Licensing Service. Open port 443 and allow outbound calls to license.qlik

Qlik Sense Enterprise SaaS
Maximum app size 500 MB

Total cloud storage 500 GB

Maximum concurrent reloads 5

Maximum reloads per day 100

When distributing to Qlik Cloud Services, your Qlik Sense Enterprise on Windows deployment must be either the current ve

Qlik Sense Enterprise on Kubernetes
The Kubernetes environment must have Internet access to the Qlik Helm and
Container Image repository.

Kubernetes service vendors:

 Microsoft Azure using Azure Kubernetes Service (AKS)
 Amazon Web Services (AWS) using Amazon Elastic Container Service
Kubernetes for Kubernetes (EKS)
environments  Amazon Web Services (AWS) deployed via Kubernetes Operations
(KOPs)
 Google Cloud using Google Kubernetes Engine (GKE)
 Red Hat OpenShift 4+

Non-managed Kubernetes deployments:

 Kubernetes cluster greater than v1.10.x and less than v1.16.x

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Kubernetes package Helm greater than v2.12.0 and less than v2.15.x
manager

Windows: Minikube v0.33 +
Local/Evaluation/Test
Red Hat MiniShift v1.21.0+
environment
Mac: Docker for Desktop with Kubernetes enabled: v2.0.0.3

Database MongoDB 3.6+

Storage attached to the cluster that supports ReadWriteMany. This can be
File system
configured as a Storage Class or a Persistent Volume Claim

Processors (CPUs) Minimum 4 cores (additional depending on data volumes)

Memory Minimum 8 GB (additional depending on data volumes)

Disk space 5 GB total required to install

IDP For user authentication an OIDC compatible IDP is required

License activations request access to the Qlik Licensing Service. Open port 443 and allow outbound calls to license.qlikc

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Qlik Sense Mobile app
iOS and iPadOS supported versions:

 iOS 11.2 or later
 iPadOS 13

iOS 11.0 or later is required for SAML authentication.

Device compatibility:

 iPad Air 2 or later
 iPad Pro or later
 iPhone 6 and 6 Plus
 iPhone 6S and 6S Plus
Qlik Sense  iPhone 7 and 7 Plus
Mobile for iOS
 iPhone 8 and 8 Plus
 iPhone X
 iPhone XR
 iPhone 11, 11 Pro and 11 Pro Max

Qlik Sense Mobile for iOS compatibility with Qlik Sense:

 Qlik Sense September 2017 and later releases
 Qlik Sense November 2018 or later is required to access mashups from the Qlik
Sense Mobile for iOS app.

Qlik Sense February 2018 or later is required to reduce the size of apps
for download to your iOS device.

Android OS supported versions:

 Android 6.0 or later with 64-

bit kernel Device compatibility:
Qlik Sense
Mobile for  64-bit CPU architecture (ARM)

Android  RAM: 2 GB or more is recommended
 Screen resolution: 720x1280 HDPI (267 ppi)

Qlik Sense Mobile for Android compatibility with Qlik Sense:

 Qlik SenseNovember 2018 and later releases

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Qlik Sense Mobile per-app VPN through Enterprise Mobile Management (EMM) is
designed to work with the environments and versions l isted in this section.

Qlik Sense Enterprise November 2017 or later:

 iPad with iOS version 11.2.2 or later.
 iPhone with iOS version 11.2.2 or later.

Qlik Sense EnterpriseNovember 2018 or later:
Per-app VPN
support  Android version 6.0 or later.

Access to Qlik Sense Enterprise using AirWatch per-app VPN is supported on the
following browsers:

 VMware browser
 AppleSafari
 GoogleChrome
 MobileIron Web@Work

Qlik Sense Mobile for BlackBerry app
 iOS 11.2 or later
 iPadOS 13

OS support
Qlik Sense Mobile for BlackBerry April 2019 patch 1
(1.8.5) is required for compatibility with devices running
iOS 13 and later, or iPadOS 13 and later.

 BlackBerry UEM 12.9.1
BlackBerry UEM support
 BlackBerry UEM 12.10 or higher

We recommend using Apple devices powered by A10 processor or
higher:

 iPad Pro 2nd generation or later
Device compatibility  iPad (2018)
 iPhone 7 and 7 Plus
 iPhone 8 and 8 Plus
 iPhone X

For online functionality (accessing Qlik Sense apps online), Qlik
Sense Mobile for BlackBerry app is compatible with Qlik Sense
Qlik Sense Mobile for November 2018 and later releases.
BlackBerry app compatibility
with Qlik Sense For offline functionality (downloading and accessing Qlik Sense apps
offline), Qlik Sense Mobile for BlackBerry app is compatible with Qlik
Sense releases up to and including April 2019 Patch 1.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Qlik Sense Desktop
To successfully install and run Qlik Sense Desktop, the requirements listed in this section must be fulfilled.

Operating Microsoft Windows 10 (64-bit version only)
system

Processors Intel Core 2 Duo or higher recommended.
(CPUs)

4 GB minimum (depending on data volumes, more may be required).

Memory
Qlik Sense uses an in-memory analysis technology. The memory
requirements are directly related to the amount of data being analyzed.

Disk space 5.0 GB total required to install

.NET 4.5.2 or higher
framework

Minimum  Desktops, laptops and tablets: 1024x768
screen  Small screens: 320x568
resolution

 Microsoft Internet Explorer 11 or higher
 Microsoft Edge
 Google Chrome
 Mozilla Firefox

Browser By default, Qlik Sense Desktop runs in a window of its own. But you
support can also open it in a web browser.

Mozilla Firefox requires hardware acceleration, not supported in virtual
environments.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

1 Planning your Qlik Sense Enterprise

Qlik DataTransfer
 Microsoft Windows Server 2012 R2
 Microsoft Windows Server 2016
 Microsoft Windows Server 2019

For development and testing purposes only:
Platforms
 Microsoft Windows 10 (64-bit version only)

These operating systems are supported by Qlik Sense. Third-party
software may require service packs to be installed.

Processors Multi-core x64 compatible processors. We recommend a minimum of 4 cores.
(CPUs)

8 GB minimum
Memory The memory requirements for the Qlik Sense products are directly related to the amount
of data being analyzed.

Disk space 2 GB minimum

Sufficient storage is required for the volume of apps and content used in the
Storage
deployment.

Supported browsers
Qlik Sense is designed to work on the platform and web browser combinations described in this section, using
default browser settings.

Each Qlik Sense release is tested for compatibility with the latest publicly available browser versions. Due to
the frequency of browser version updates, Qlik does not include specific browser version numbers in the
system requirements.

Each Qlik Sense release is compatible with and supported on the latest iOS versions that are publicly
available at the time of the Qlik Sense release. Due to the frequency of iOS version updates, Qlik does not
include specific iOS version numbers in the system requirements.

Minimum screen resolution for desktops and laptops is 1024x768; tablets is 1024x768; small screens is 320x568.

Improving performance in Internet Explorer

Qlik will deprecate the support for Microsoft Internet Explorer 11 in May 2021.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise
Qlik Sense connects to your browser using WebSockets. Each new tab that you open uses additional
WebSocket connections. By default, Internet Explorer 11 limits the number of Websocket connections to 6
per Internet Explorer session. This can limit your ability to open new tabs or configuration windows.

Your Windows administrator can change this setting using the Local Group Policy Editor. The setting is
available u nder Administrative Templates > Windows Components > Internet Explorer > Security
Features > AJAX > Set the maximum number of WebSocket connections per server. Only your system
administrator should change this configuration.

You can also open apps in new Internet Explorer  sessions, instead of n ew tabs. If an app will not open in a
new tab, copy the url from the address bar in the Internet Explorer  tab. Select File > New Session from the
Internet Explorer  top menu. Paste the url in the address bar, and then press Enter. The app opens in the
Internet Explorer  new session window.

Supported Microsoft Windows browsers
The following browsers can be used on supported Microsoft Windows and Microsoft Windows Server
machines to access the Qlik Management Console (QMC) and the hub:

 Microsoft Internet Explorer 11

Qlik will deprecate the support for Microsoft Internet Explorer 11 in May 2021.

 Microsoft Edge (only for Microsoft Windows 10)
 Google Chrome
 Mozilla Firefox (requires hardware acceleration, not supported in virtual environments)

CefSharp embedded browser v55 or later (CefSharp allows you to embed the Chromium open source
browser inside .Net apps)

Supported Apple Mac OS browsers
The following browsers can be used on supported Apple Mac OS machines to access the Qlik Management
Console (QMC) and the hub:

 Apple Safari 10 or later
 Google Chrome
 Mozilla Firefox (requires hardware acceleration, not supported in virtual environments)

iOS
Version 11.2 or later (script editing is not supported on tablet devices)

Qlik Sense version: Qlik Sense EnterpriseSeptember 2017 or later.

Supported devices:

 iPad Air or later
 iPhone 5S or later

Supported browsers:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

 Apple Safari
 VMware browser ( using AirWatch per-app VPN)
 BlackBerry Access 2.9.1 or later (using BlackBerry Dynamics platform)

iOS 11.3 is required for using BlackBerry Access browser.

Android
Version 6 .0, 7.1, 8.1 and 9.0 (script editing is not supported on tablet devices):

 Google Chrome
 BlackBerry Access 2.9.1 or later (using BlackBerry Dynamics platform)

Windows 10 phone
 Microsoft Edge

Qlik Sense Enterprise on Windows architecture
The Q lik Sense architecture consists of one or more nodes. Each node runs some or all of the software
services that perform specific roles in a Qlik Sense site. You can distribute services a
cross nodes for better
performance and scalability. The architecture is flexible enough to suit the needs of most organizations, and
can vary from small, single-server sites to large, multi-server installations.

A multi-node, distributed architecture offers the most flexibility, consisting of multiple nodes that together
form a scalable and high performance site. You define a central node as t he main point of control.

Sites
A Qlik Sense site is a collection of one or more nodes (servers) connected to a single repository database,
and sharing a single license. Each site also contains a common set of data in the form of apps and
configuration data.

Single-node sites
A single node site is the smallest site possible and consists of a single node (single server), which is also the
central node of the site. It contains the Qlik Sense services, the repository database, and the file share all on
a one server computer.

Multi-node sites
Multi-node sites offer more scalability options for larger organizations. In a multi-node environment, the Qlik
Sense site is distributed across two or more nodes that share the same set of data and the same license key.
In larger sites, you can configure one or more rim nodes to improve scalability, capacity, and resilience. All
rim nodes connect to a central node.
Benefits of multi-node sites include:

 Better scalability, making it easier to increase capacity
 Improved resilience and reliability

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

 Ability to move apps or roles to specific nodes
 Flexibility t o suit customer network deployments

Nodes
A node is a computer that performs a specific role in your Qlik Sense site. You can configure each node t o run
or combine a different set of Qlik Sense services, so that each node performs a specific role.

Typical node roles:

 Consumer or user node - delivers apps to end users
 Scheduler node - handles all app reloads
 Proxy node - manages authentication, session handling, and load balancing

You can also configure your site for failover so that it is not dependent on the central node. In this case, if
there is a failure, then one of the rim nodes in the site becomes the central node.

A typical multi-server Qlik Sense site consists of two main types of nodes:

 Central node - the minimum configuration. Every site includes a central node.


Rim node - you can configure rim nodes to perform different roles in your site.

Each node in a Qlik Sense site can:

 Perform different roles
 Deploy a set of Qlik Sense services
 Operate independently

You assign a purpose to each node depending on what you think it will be used for:

 Production
 Development
 Both

Configuring Qlik Sense nodes correctly increases system resilience, reduces the need for maintenance, and
increases deployment flexibility.

Storage
Qlik Sense uses the following default storage.

Repository database
A PostgreSQL database that contains the Qlik Sense app metadata, i ncluding the paths to the binary files in
the file share. This data is referred to as entity data and is usually small in size. The PostgreSQL database
can be installed locally or on a remote server and must be accessible to the central node.

File share
A file share is used to store app data as binary files and must be accessible to all nodes in your Qlik Sense
site. The file share stores application objects, such as visualizations, and dimensions and measures. Apps
are stored in the proprietary QVF portable format, for example <App name>.qvf. These files are referred to as

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise
binary data and the data model element of the files can be large in size.

You can create a file share either on the same server as the central node or on another server.

Clients
You use Qlik Sense clients to communicate and interact with Qlik Sense sites.

Hub
The hub is where you find all the apps you have access rights to. It runs in a web browser. You use the hub t
o
access and publish apps in Qlik Sense. Hub traffic only travels between the node (delivering apps) and the
hub client unless the site i s on a single node.

Qlik Management Console
You use the Qlik Management Console (QMC) to configure and administer a Qlik Sense site.

The QMC only communicates logically with the central node. This means that:

 The QMC always uses the Qlik Sense Proxy Service (QPS) on the central node.
 For maximum performance within a multi-node site, you should not allow any user traffic on the
central node.

Apps
A Qlik Sense app is a collection of reusable data items (measures, dimensions, and visualizations), sheets,
and stories. It is a self-contained entity that includes the data you want to analyze in a structured data
model.

In Qlik Sense, the term app is equivalent to the term document in QlikView.

Services
The Qlik Sense services run as Microsoft Windows services, which you can deploy on a single server or on
separate server nodes that have dedicated roles in a Qlik Sense site. For example, you could deploy a
scheduler node t hat only runs the scheduler service and manages the reloads of apps.

The Qlik Sense services are as follows.

Qlik Sense Repository Service (QRS)
Required by all Qlik Sense services to run and serve apps, and connects to the repository database. The Qlik
Sense Repository Service manages persistence, licensing, security, and service configuration data. The QRS
is needed by all other Qlik Sense services to run and serve apps. In a multi-node site, one instance of the Qlik
Sense Repository Service (QRS) runs on each node, connecting it to the shared repository database.

In addition, the QRS stores the app structures and the paths to the binary files. The app data is stored as .qvf
files in the file share.

Paths
The following table lists the paths used by the Qlik Sense Repository Service (QRS).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

Executable %ProgramFiles%\Qlik\Sense\Repository\Repository.exe

Data %ProgramData%\Qlik\Sense\Repository

%ProgramData%\Qlik\Sense\Log\Repository
Logs
See: Logging (page 226)

In a default Qlik Sense installation, the repository database is an instance of PostgreSQL
installed locally that runs its own database cluster specifically for the repository.
Repository
All files related to the repository database in a default Qlik Sense installation are stored in
database
the following folder:

%ProgramData%\Qlik\Sense\Repository\PostgreSQL

Bootstrap mode
You can use the following parameters to start the Q lik Sense Repository Service in bootstrap mode when you
need to deploy Qlik Sense with a service account that does not have administrator privileges.

See: Changing the user account to run Qlik Sense services (page 126)

 -bootstrap
Use this parameter to start Qlik Sense Repository Service in bootstrap mode.
 -bootstrap=install
Use this parameter to start Qlik Sense Repository Service in bootstrap mode when installing.
 -bootstrap=uninstall
Use this parameter when uninstalling Qlik Sense.
 -iscentral
Use this flag in addition to the bootstrap flag when installing or configuring a central node.

Do the following:

1. Stop all Qlik Sense services except Qlik Sense Repository Database.
2. Run repository.exe -bootstrap from an elevated command prompt. The Qlik Sense Service
Dispatcher must be running before the Repository.exe -bootstrap is executed.
3. Start all Qlik Sense services. You must start the Qlik Sense Service Dispatcher (QSD) before starting
the Qlik Sense Repository Service (QRS).

By default, when you are running Qlik Sense with an administrator account, bootstrap is executed each time the Qlik Sens

Metrics
This section lists the metrics related to the Qlik Sense Repository Service (QRS).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise
Selecting the metrics to display (page 40)

REST API metrics
The following metrics are available in the Performance Monitor in Microsoft Windows:

 Number of DELETE calls
 Number of GET calls
 Number of POST calls
 Number of PUT calls
 Number of HTTP status 200 (OK)
 Number of HTTP status 201 (Created)
 Number of HTTP status 400 (Bad request)
 Number of HTTP status 401 (Unauthorized)
 Number of HTTP status 403 (Forbidden)
 Number of HTTP status 406 (Not acceptable)
 Number of HTTP status 409 (Conflict)
 Number of HTTP status 415 (Unsupported media type)
 Number of HTTP status 500 (Internal server error)
 Number of HTTP status 503 (Service unavailable)

Qlik Sense Repository Database (QRD)
In a default Qlik Sense installation, the Qlik Sense Repository Service (QRS) uses the Qlik Sense Repository
Database (QRD) service to read and write data in the repository database. By default a PostgreSQL
database is installed locally with your Qlik Sense installation otherwise you can choose to install PostgreSQL
on a separate dedicated server.

Paths
The following table lists the paths used by the Qlik Sense Repository Database (QRD) service.

In a default Qlik Sense installation, the repository database is an instance of PostgreSQL
that creates its own database cluster.
Executable
The following folder contains the c ontains the PostgreSQL executable file for the QRD:

%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin

Data %ProgramData%\Qlik\Sense\Repository\PostgreSQL

Logs There are no logs for the QRD service. Instead see the PostgreSQL log files.

Qlik Sense Proxy Service (QPS)
The Qlik Sense Proxy Service (QPS manages site authentication, session handling, and load balancing.

On the central node in a multi-node site, y ou should have a dedicated Qlik Sense Proxy Service (QPS) f or the
Qlik Management Console (QMC) and not for the hub.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

Paths
The following table lists the paths used by the Qlik Sense Proxy Service (QPS).

Executable %ProgramFiles%\Qlik\Sense\Proxy\Proxy.exe

Data %ProgramData%\Qlik\Sense\Proxy

%ProgramData%\Qlik\Sense\Log\Proxy
Logs
See: Logging (page 226)

Bootstrap mode
You can use the following parameters to start the Qlik Sense Proxy Service in bootstrap mode when you
need to deploy Qlik Sense with a service account that does not have administrator privileges.

See: Changing the user account to run Qlik Sense services (page 126)

 -bootstrap
Use this parameter to start Qlik Sense Proxy Service in bootstrap mode.
 -bootstrap=install
Use this parameter to start Qlik Sense Proxy Service in bootstrap mode when installing.
 -bootstrap=uninstall
Use this parameter when uninstalling Qlik Sense.

Do the following:

1. Stop Qlik Sense services.
2. Run proxy.exe -bootstrap from an elevated command prompt.
3. Start Qlik Sense services.

Metrics
This section lists the metrics related to the Qlik Sense Proxy Service (QPS). The following metrics are
available in the Performance Monitor in Microsoft Windows:

See: Performance log (page 267)

See: Selecting the metrics to display (page 40)

 ActiveConnections: The number of active connections from the client.
A connection is a stream (or a socket) between a Qlik Sense client and the Qlik Sense Proxy Service
(QPS). This stream is often connected to another stream, which runs from the QPS to the Qlik Sense
Repository Service (QRS) or the Qlik Sense Engine Service (QES). The two streams allow the client
to communicate with the QRS or the QES.
 ActiveStreams: The number of active data streams (or sockets), either from the browser to the QPS
or from the QPS t o the QRS or the QES.
 ActiveSessions: The number of active sessions in the QPS.
A Qlik Sense user gets a proxy session when the user has been authenticated. The session is
terminated after a certain period of inactivity.
 LoadBalancingDecisions: The number of users who currently have at least one engine session.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

 PrintingLoadBalancingDecisions: The number of users who have been load balanced to the Qlik
Sense Printing Service (QPR).
 Tickets: The number of issued login tickets that have not yet been consumed.
 ActiveClientWebsockets: The number of active WebSockets between the client and the QPS.
 ActiveEngineWebsockets: The number of active WebSockets between the QPS and the target Qlik
Sense service.

The metrics are also available as entries in the Performance log for the QPS.

Qlik Sense Scheduler Service (QSS)
The Qlik Sense Scheduler Service (QSS) manages the scheduled reloads of apps, as well as other types of
reload triggering based on task events. Depending on the type of deployment, the Qlik Sense Scheduler
Service runs as master, slave, or both on a node.

Master
There is only one master Qlik Sense Scheduler Service within a site and it is always located on the central
node, where the master Qlik Sense Repository Service runs. The central node must have the Qlik Sense
Scheduler Service installed even if more QSS nodes are added because the QSS on the central node
coordinates all QSS activities within the site.

The master QSS handles all task administration. For example, which tasks to execute and when to execute a
specific task. When the time comes to execute a task, the master QSS sends the task ID to a slave QSS
within the site. The load balancing operation performed by the master QSS determines which slave QSS to
distribute the task ID to.

When a slave QSS completes a task, it returns the task state (successful or fail) to the master QSS. The
master QSS uses the task state to perform task chaining. It uses the task state to determine if other events
are affected by the state of the completed task and need to be executed. You configure task chaining in the
Qlik Management Console (QMC).

If the slave QSS fails to perform the task, the master QSS repeatedly requests the same or another slave
QSS to perform the task until it has been completed or until the maximum number of attempts has been
reached.

Slave
If a Qlik Sense Scheduler Service (QSS) runs on a rim node, the QSS is considered to be a slave QSS.
When receiving a task ID from the master QSS, the slave QSS reads the task from the local repository
database and executes the task. When a slave QSS completes a task, it returns the task state (successful or
fail) to the master QSS.

Tasks
Tasks are used to perform a wide variety of operations and can be chained together in any arbitrary pattern.
The tasks are handled by the Qlik Sense Scheduler Service (QSS) and managed in the Qlik Management
Console (QMC).

Reload
The reload task is used to fully reload the data in an app from the source. Any old data is discarded.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

Paths
The following table lists the paths used by the Qlik Sense Scheduler Service (QSS).

Executable %ProgramFiles%\Qlik\Sense\Scheduler\Scheduler.exe

Data -

%ProgramData%\Qlik\Sense\Log\Scheduler
Logs
See: Logging (page 226)

Bootstrap mode
You can use the following parameters to start the Qlik Sense Scheduler Service in bootstrap mode when you
need to deploy Qlik Sense with a service account that does not have administrator privileges.

See: Changing the user account to run Qlik Sense services (page 126)

 -bootstrap
Use this parameter to start Qlik Sense Scheduler Service in bootstrap mode.

 -bootstrap=install
Use this parameter to start Qlik Sense Scheduler Service in bootstrap mode when installing.

 -bootstrap=uninstall
Use this parameter when uninstalling Qlik Sense.

Do the following:

1. Stop Qlik Sense services.
2. Run scheduler.exe -bootstrap from an elevated command prompt.
3. Start Qlik Sense services.

Metrics
This section lists the metrics related to the Qlik Sense Scheduler Service (QSS). The following metrics are
available in the Performance Monitor in Microsoft Windows:

See: Selecting the metrics to display (page 40)

 Number of connected slaves

Number of Qlik Sense Engine Service (QES) instances that are running on a slave (this metric is only
available on the node where the QES instances run)
 Number of running processes
 Number of running tasks as understood by the master
 Number of running tasks on the slave
 Number of task messages that have been dispatched by the slave
 Number of task messages that have been received by the master
 Number of task retries
 Number of tasks that have completed successfully when executed by the slave

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

1 Planning your Qlik Sense Enterprise

 Number of tasks that have failed when executed by the slave
 Number of tasks that the master has acknowledged as completed
 Number of tasks that the master has acknowledged as failed
 Number of times that the settings have been updated
 Number of tasks that have attempted to start
 Number of tasks that have attempted to stop

Qlik Sense Engine Service (QES)
The Qlik Sense Engine Service (QES) h andles all application calculations and logic. In a multi-node site, we
recommend that you have a dedicated Qlik Sense Engine Service (QES) on the central node that you use
specifically for the Qlik Management Console (QMC) and not for the hub.

Paths
The following table lists the paths used by the Qlik Sense Engine Service (QES).

Executable %ProgramFiles%\Qlik\Sense\Engine\Engine.exe

Data %ProgramData%\Qlik\Sense\Engine

%ProgramData%\Qlik\Sense\Log\Engine
Logs
See: Logging (page 226)

%ProgramData%\Qlik\Sense\Engine\Settings.ini
Configuration
This file contains the QES settings. The file is created when the service first runs.

Qlik Logging Service
The Qlik Sense services (proxy, scheduler, repository, and engine) transfer log messages to the Qlik Logging
Service. The Qlik Logging Service centralizes the logging by collecting all the messages and inserting them
into the PostgreSQL database.

Qlik Sense Printing Service (QPR)
This service manages export in Qlik Sense. In a multi-node site, one instance of the Qlik Sense Printing
Service (QPR) runs on each node. Export requests from clients are directed to the printing services in the
multi-node site using round robin load balancing. If the first export request is load balanced to the QPR
on node 1, the second export request is load balanced to the QPR on node 2, and so on.

Paths
The following table lists the paths used by the Qlik Sense Printing Service (QPR).

Executable %ProgramFiles%\Qlik\Sense\Printing\Printing.exe

Data %ProgramData%\Qlik\Sense\Printing

%ProgramData%\Qlik\Sense\Log\Printing
Logs
See: Logging (page 226)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

Qlik Sense Service Dispatcher (QSD)
This is a service controller used to launch and manage the following Qlik Sense services:

o Broker Service: a cts as an interface to and an intermediary between services started by the Qlik
Sense Service Dispatcher(QSD). The service is launched and managed by the Qlik Sense Service
Dispatcher (QSD) when required.
o Data Profiling Service: i s used to access and modify the app load data model. It communicates
directly with the Qlik Sense Engine Service (QES) on the node. The service is launched and managed
by the Qlik Sense Service Dispatcher (QSD) when required.
o Hub Service: c
ontrols which content a user is allowed to see based on their access rights as defined in
the QMC. The service is launched and managed by the Qlik Sense Service Dispatcher(QSD) when
required.
o Migration Service: e nsures that your apps can be used in the currently installed version of Qlik Sense.
This service runs on all nodes in a site. The service is launched and managed by the Qlik Sense
Service Dispatcher (QSD) when required.
o Web Extension Service: i s used to control web extensions such as visualizations, mashups, and
widgets. The service is launched and managed by the Qlik Sense Service Dispatcher (QSD) when
required.
o Capability Service: i s used to handle Qlik Sense .NET SDK system feature configuration.
o Converter Service: is used by the QlikView converter tool.
o On-demand App S ervice: g enerates on-
demand apps that load subsets of data from very large data sets.
o Hybrid Deployment Service (HDS): m anages target deployments and credentials related to hybrid
connectivity between environments, specifically the distribution of apps from the QSE.
o Hybrid Setup Console (HSC): s erves the HSC user interface which is used to configure target
deployments and app distribution.
o App Distribution Service (ADS): distributes apps and associated metadata to defined distribution
targets, based on policy based app distribution rules.
o
Precedents Service: examines and captures precedents in the data models and field use in charts
from apps f or use in Insights. The service also captures user-learned feedback from Insights.

Paths
The following table lists the paths used by the Q lik Sense Service Dispatcher (QSD) and the services that are
launched and managed by the QSD.

 QSD:
%ProgramFiles%\Qlik\Sense\ServiceDispatcher\ServiceDispatcher.exe
Executables
 Services that are launched and managed by the QSD:
%ProgramFiles%\Qlik\Sense\ServiceDispatcher\node\node.exe

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

 Broker Service: %ProgramData%\Qlik\Sense\Log\BrokerService
 Data Profiling Service: %ProgramData%\Qlik\Sense\Log\DataProfiling
 Hub Service: %ProgramData%\Qlik\Sense\Log\HubService
 Migration Service: %ProgramData%\Qlik\Sense\Log\AppMigration
 Web Extension Service:
%ProgramData%\Qlik\Sense\Log\WebExtensionService
 On-demand App Service: %ProgramData%\Qlik\Sense\Log\OdagService
 Capability Service: %ProgramData%\Qlik\Sense\Log\CapabilityService
Logs
 Hybrid Deployment Service:
%ProgramData%\Qlik\Sense\Log\HybridDeploymentService
 Hybrid Setup Console:
%ProgramData%\Qlik\Sense\Log\HybridSetupConsole
 App Distribution Service:
%ProgramData%\Qlik\Sense\Log\AppDistributionService
 Precedents Service: %ProgramData%\Qlik\Sense\Log\PrecedentsService

See: Logging (page 226)

Qlik License Service
The Qlik License Service is included in Qlik Sense EnterpriseFebruary 2019 and later releases and is used
when Qlik Sense is activated using a signed key license. The Qlik License Service stores the information
about the license, and communicates with a License Back-end Service, hosted by Qlik, for product
activations and entitlement management. Port 443 is used for accessing the License Back-end Service and
retrieving license information.

In a Qlik Sense Enterprise on Windows multi-node deployment, the Qlik License Service is installed on every
node. You can manage the status of the Qlik License Service by starting and stopping the Qlik Sense Servic
e Dispatcher, listed in the list of services running in the Windows machine.

Deployment examples of nodes running Qlik Sense services
You can deploy Qlik Sense services to run individually or combine them on dedicated server nodes.

 Complete: A single-node deployment that includes all Qlik Sense services.
 Consumer node: A node that delivers Qlik Sense apps to end users. It includes the Qlik Sense Engine
Service service, the Qlik Sense Proxy Service, and the Qlik Repository service.
 Proxy node: A node that manages Qlik Sense authentication, session handling, and load balancing. It
includes the QRS, and the QPS services.
 Engine node: A node that provides the analytical power of Qlik Sense to the client. It includes the
QRS, and the QES services.
 Proxy and engine node: A combined node that includes the QRS, QPS, and QES service.
 Scheduler: A node that manages scheduled reloads of Qlik Sense apps and other types of reload
triggering. It includes the QRS, QSS, and QES services. In order to perform reloads the QSS requires
the QES to be running on the same node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

Service dependencies
This section describes the dependencies related to the Qlik Sense services (for example, dependencies on
the operating system and other software).

Repository database
The Qlik Sense Repository Service (QRS) connects to the repository database to store and retrieve data
necessary for the Qlik Sense services on the node on which the QRS is running. In a default Qlik Sense
installation, the Qlik Sense Repository Service (QRS) uses the Qlik Sense Repository Database (QRD)
service to read and write data in the repository database. A PostgreSQL database is used by default.

File share
The file share stores the binary files for the Qlik Sense apps.

Directory service
The QRS and Qlik Sense Proxy Service (QPS) communicate with a configured directory service (for
example, Microsoft Active Directory) using, for example, LDAP or ODBC.

Start and restart of services
When a node starts up, the Qlik Sense services are started automatically.

Start-up behavior
The Qlik Sense Repository Database (QRD) and Qlik Sense Repository Service (QRS) are started first.

When any other Qlik Sense service starts, it contacts its local QRS to get configuration parameters. If the
service has not been configured to run, it periodically checks back with the local QRS.

Manual start
If you need to start services manually, start them in the following order:

a. Qlik Sense Repository Database (QRD)
b. Qlik Sense logging service
c. Qlik Sense Service Dispatcher (QSD)
d. Qlik Sense Repository Service (QRS)
e. Qlik Sense Proxy Service (QPS), Qlik Sense Engine Service (QES), Qlik Sense Scheduler Service
(QSS), and Qlik Sense Printing Service (QPR) in no specific order

The start-up order is important. During start-up the QRS must be able to contact the Qlik License Service,
which is managed by the QSD. The other services are dependent on the QRS. The QSD must therefore be
running when the QRS is started.

Selecting the metrics to display
To select which metrics to display for the Qlik Sense services in the Microsoft Windows, Performance
Monitor:

1. Select Start>Run.
2. Enter perfmon and click OK.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

3. In the left panel, expand Monitoring Tools .
4. Select Performance Monitor.
The Performance Monitor is displayed in the right panel.
5. Click the + (plus) icon in the toolbar at the top of the Performance Monitor.
The Add Counters dialog is displayed.
6. Select the computer to add counters from in the Select counters from computer: drop-down list.
The Available counters list is populated with counters.
7. In the Available counters list, locate the following counter sets :
 Qlik Sense Proxy Service
 Qlik Sense Repository Service - REST API
 Qlik Sense Repository Service
 Qlik Sense Scheduler Service
8. Click the + (plus) sign next to a counter set to expand the set.
9. In the Performance Monitor, select the counters to display .
10. Click Add >> to add the counters.
11. The added counters are listed in the Added counters list.
12. Click OK.

The c ounters you added are now displayed in the Performance Monitor .

Multi-cloud services
You have several options when deploying a Qlik Sense Enterprise on Windows environment.. The services
that you need to run in a multi-cloud deployment can be categorized as follows.

Typically the services running in a Qlik Sense Enterprise SaaS deployment are similar to those running in a
Qlik Sense Enterprise on Kubernetes deployment but are not accessible, because Qlik manages the
infrastructure. You can connect to Qlik Sense Enterprise SaaS but do not have the same configuration
options as a Kubernetes deployment.

Services on Windows deployments
The services listed below are required if you use the multi-cloud capabilities in a Qlik Sense Enterprise on
Windows deployment.

Service Description

App Distribution Distributes apps and associated metadata to defined distribution targets, based on
Service policy-based app distribution rules.

Hybrid Stores configuration details including credentials and URLs for all target
Deployment environments in a multi-cloud deployment.
Service

Hybrid Setup Multi-cloud Setup Console UI functions for managing target environments configured
Console Service in a multi-cloud deployment including credentials and service URLs.
Resource Publishes i nstalled extensions and themes t o the Resource Library in each cloud

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

Distribution environment.
Service

Services on Kubernetes and Qlik Sense Enterprise SaaS deployments
The services that you run in Qlik Sense Enterprise on Kubernetes can vary depending on your deployment
requirements.

Service Description

Chronos Scheduler back end service.

Cloud hub Serves the hub functionality to users in Qlik Sense Enterprise SaaS and Qlik
Sense Enterprise on Kubernetes.

Collections Organizes and structures content supplied to the hub. It also applies access control
rules.

datafiles Allows user to upload/manage data files that can be accessed during reload of an
app.

edge-auth Service that works together with external Identity Providers to authenticate users
upon entry to the deployment. Also manages tickets that authorize secure acces
s to internal resources.

elastic-infra A collection containing non-Qlik services: MongoDB, Redis, and nginx-ingress. It
bootstraps an elastic-infra deployment on a Kubernetes cluster using the Helm
package manager. It starts up the basic resources needed to connect all the
components and functionality required in a cloud environment.

Engine Handles all application calculations and logic.

Feature Flags Responsible for toggling features on and off in advanced scenarios.

Insights REST service for the functionality behind the “Share” dialog on a sheet. The
service is responsible for sharing Qlik Sense insights by generating, tracking and
serving persistent permalinks to the shared resources. Permalinks can be shared in
various social media.

Licenses The license service is used to enforce user licensing in Qlik Sense Enterprise SaaS
and Qlik Sense Enterprise on Kubernetes.

Locale Handles user locale selection for the client.

Mira Provides a discovery service for Engines in the deployment, their current health,
and availability of applications.

ODAG Service for on-demand app generation of Qlik Sense apps.

Policy Decision Processes a set of rules on Qlik Sense Enterprise SaaS and Qlik Sense Enterprise
on Kubernetes that perform ABAC security evaluation against Qlik objects (for
example, apps). It is sometimes referred to as the Rules Service. It uses a REST
API for the rules engine and management API for rule based policies and replaces
the QRS Rules Engine, Policy Decision Service.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

qix-data- Handles engine requests f or connection management.
connection

qix-sessions Responsible for routing user session traffic to the Engine services.

Reporting Implements the productions of Reports with data and chart images.

Resource Library A general-purpose resource storage service for supporting content such as themes
and extensions.

Tenant Used to store and return tenant (user) information.

temporary- Manages resources that are made available temporarily.
contents

User Responsible for managing and retrieving user information.

Sense Client The Desktop and web browser instance of the Qlik Sense client run by developers
on Qlik Sense Enterprise and by consumers on Qlik Sense Enterprise SaaS and
Qlik Sense Enterprise on Kubernetes.

Integrating Qlik Data Catalyst with Qlik Sense Enterprise
Follow the steps in this procedure to manually configure the integration of the Qlik Data Catalyst (QDC) with
Qlik Sense Enterprise.

Do the following:

1. Install Qlik Sense Enterprise on Windows on your test environment:
 See: Installing Qlik Sense Enterprise on Windows (page 91)

Remember to allocate access to yourself after installation.

2. Enable the QDC Catalog Service:
a. Open the services.conf file located here: C:\Program Files\Qlik\Sense\ServiceDispatcher.
b. In the qdc-catalog-service section, set Disabled=false.
c. Using the Services management console, restart the Qlik Sense Service Dispatcher.
3. Create a shared QVD repository:
a. On your C: drive, create a new folder called qvd_repository.
b. In the Windows Start menu, type Computer Management to open the app.
c. Open Local Users and Groups > Users.
d. Right-click and select New User.
e. Enter User name: qvd_scanner, Full name: QVD Scanner, and Description:
QVD Scanner.
f. Enter a password, and, optionally, modify the password settings.
g. Click Create.
h. Right-click your new folder qvd_repository and select Properties.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

i. Open the Sharing tab and click Share.
j. Enter qvd_scanner and click Add.
k. For QVD Scanner, change the Permission Level to Read/Write.
l. Click Share and then Done.
4. Mount the file share:
a. Open the folder qvd_repository.
b. In the folder, right-click and select New > Rich Text Document.
c. Edit the file name and extension so that it reads readme.txt.
d. Open a command prompt and type net view \\<host name>.
e. Verify that qvd_repository is present as a shared resource.
f. Open Computer Management again and navigate to Local Users and Groups > Users.
g. Click qvd_scanner so that it is selected.
h. Open Bash.
i. Enter the following to create a mount point:
sudo mkdir - p /qvd_repositories/<windows_hostname>

j. Enter the following to create a permissions file:
sudo mkdir - p
/qvd_repositories/<windows_hostname> sudo touch
/root/.<windows_hostname>_credentials
username=<qvd_scanner>
domain=<domain>
password=<password>

k. Enter the following to create modify mounts:
sudo emacs /etc/fstab
//<windows_hostname>/qvd_repository /qvd_repositories/<windows_hostname> cifs
credentials=/root/.<windows_hostname>_credentials 0 0

5. Set up JWT access for QDC:
a. Navigate to the Qlik Management Console page: https://[installation host]/qmc and
authenticate.
b. On a new tab, navigate to the setup page for the QDC Catalog Service, located here: https://
[installation host]/api/qdc/v1/setup/ui/page.html.
c. Open the QDC JWT section.
d. Review the values for the different fields and click Generate.
A message is displayed: Successfully updated QDC-QSE security settings.
e. In the Qlik Management Console, open the Users section and verify that qlik-data-catalyst is
present.
f. Open the Security rules section and verify that Qlik Data Catalyst Security... is present.
g. Open the Tags section and verify that QVD Catalog is present.
h. Open the Virtual proxies section and verify that Qlik Data Catalyst is present.
6. Prepare the data connection:
a. Open the Qlik Sense hub.
b. Create a new app and open it.
c. Click Add data from files and other sources.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

d. In the menu to the left, click File locations.
e. Navigate to your qvd_repository folder on your C: drive.
f. Open one of the QVDs and click Add data.
g. In the Qlik Management Console, open the section Data connections.
h. Select the qvd_repository data connection and click Edit.
i. In the Properties menu to the right, select Tags.
j. Click in the Tags field, select QVD Catalog and click Apply.
7. Configure the QDC server:
a. Log in to Qlik Data Catalyst.
b. Open Windows Firewall in the control panel.
c. Verify that Domain networks have the status Connected.
d. To the left, select Turn Windows Firewall on or off.
e. In the Domain network settings section, select Turn off Windows Firewall and click OK.
f. In Qlik Data Catalyst, open the Admin section.
g. Open the QVD Import section.
h. Click Add New Connector.
i. Enter Connector Name: <host name> and Default QVD Mount Point: /qvd_
repositories/<host name>.
j. Enter Host: <QMC host address> and Proxy: qdc.
k. Open the QDC Catalog Service.
l. Open the QDC JWT section and copy the JWT.
m. Return to the Qlik Data Catalyst admin section and paste the JWT in the field JSON Web
Token (JWT).
n. Click Test Connector.
A success message is displayed at the top of the screen.
o. Click Save.
p. Click Show QVD Paths.
q. Click Sync Paths.
A qvd_repository path appears.
r. Click the pen icon to enter the source name: <host> and click OK.
s. On the QVD Paths page, click Accept.
t. Open the QVD Import section.
u. In the Qlik Sense Connector window, select SCHEDULE.
v. Set Job Type to Full Reload and clear the Load Data selection.
w. Click Run.
x. In the menu to the left, open Catalog to verify that the QVDs are present.
y. On your C: drive, open the qvd_repository folder and verify that the five QVDs are present.
8. Configure the QDC Catalog Service:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

a. Navigate to the setup page for the QDC Catalog Service.
b. Expand the PostgreSQL Server section and enter the information requested. These settings
can be the same ones used by Qlik Sense Repository Service. The settings provided can be
validated using the Test button. Use the Apply button to persist the settings.
c. Using the Services management console, restart the Qlik Sense Service Dispatcher.
d. Open Qlik Data Catalyst and copy the path.
e. Navigate to/reload the setup page for the QDC Catalog Service.
f. Expand the QDC Server section and enter the information requested.
g. Validate the settings using the Test button and then click Apply.
9. Use QDC Catalog from QSE:
a. Open the Qlik Sense hub.
b. Create a new app.
c. Click Add data from files and other sources.
d. In the menu to the left, click QVD Catalog.
The available QVDs are displayed.

Ports
Qlik Sense Enterprise u
ses ports to communicate between web browsers (users) and proxies, and between
services in single and multi-node deployments.

Qlik Sense Enterprise on Kubernetes runs on a Kubernetes cluster which has no specific port requirements that are differen

Ports overview
The following table is an overview of the ports used in a Qlik Sense deployment.

Qlik Sense Proxy Inbound: Outbound : Internal only:

Service (QPS)
80 (HTTP) 4239 (QRS websocket) 4244 (Windows
authentication)
443 (HTTPS) 4242 (QRS REST API)

4243 (REST API) 4747 (Engine)

4899 (Printing)

4900 (Broker)

4949 (Data profiling)

7070 (Logging service)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 4

1 Planning your Qlik Sense Enterprise

Qlik Sense Engine Inbound: Outbound : Internal only:

Service (QES)
4747 (QES listen 7070 (Logging service) 4242 (QRS REST API)
port)
4748 (notifications from
QRS)

Qlik Sense Inbound: Outbound : Internal only:

Repository Service
4242 (REST API) 4242 ( REST API) 4545 (Migration service)
(QRS)
4239 (from QPS - 4243 (Proxy REST API) 4570 (Certificate unlock)
websocket)
4444 (Setup API –
4444 (Setup API - outbound on central node)
inbound on rim
4747 (Engine)
nodes)
4748 (Engine notification
API)

5050 (Scheduler master
API)

7070 (Logging service)

9200 (License Service)

Qlik Sense Inbound: Outbound : No additional ports.

Scheduler Service
5050 (Master REST 4242 (QRS REST API)
(QSS)
API)
7070 (Logging Service)
5151 (Slave REST
5050 (Slave to Master)
API)
5151 (Master to Slave)
5252 (Monitoring API
- optional)

Qlik Sense Inbound: No additional ports.

Repository
4432 (default listen
Database (QRD)
port for database
connections)

Qlik Sense Printing Inbound: Internal only:

service (QPR)
4899 (QPR listen 443 (Sense web server -
port) proxy)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

4242 (QRS REST API)

8088 (CEF debugging)

Qlik Sense Service Starts up the following services:
Dispatcher (QSD)
 Qlik License Service
 Broker service
 Data profiling service
 App Distribution Service

Qlik License Outbound : Internal only:

Service
443 (HTTPS) 9200

Broker service Inbound: Internal only:

4900 3003 (Converter service)

4545 (App migration)

4555 (Chart sharing)

4949 (Data profiling)

4950 (Precedents service)

5928 (QSE Event Processor)

9028 (Hub service)

9031 (Capability service)

9032 (About Service)

9041 (Connector registry proxy - server)

9051 (Connector registry proxy - desktop

) 9054 (Precedents service)

9079 (Depgraph service)

9080 (Web extension service)

9081 (Qlik Notifier Service)

9082 (Qlik Mobility Registrar)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

9090 (DownloadPrep)

9098 (On-demand app service)

21060 (Resource Distribution Service)

46277 (Deployment based warnings service)

64210 (Open source graph database layer used by
Precedents service)

Data profiling Inbound: Internal only:

service
4949 (listen port for 4242 (QRS REST API)
REST API and
4747 (QES)
websocket)

App Distribution Outbound : No additional ports.

Service
5926

Hybrid Deployment Outbound : No additional ports.

Service
5927

Hybrid Setup Inbound: No additional ports.

Console - HS
5929
C
Logging Service Inbound:

7080

7081

QDC Catalog Inbound:
Service
4850

NL Parser Service Inbound:

4952

NL Broker Service Inbound:

4951

To allow access to the file share, ensure that you open the Microsoft Windows SMB port 445.

Ports used internally within a node
The ports in the following table are used between Qlik Sense services that run on the same node. I n most
cases, the ports do not have to be open through any firewalls.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Service Port Direction Purpose

Converter 3003 Internal This port is used by the Converter Service which is utilized by

Service QlikView converter.

QPS 4243 Inbound Qlik Sense Proxy Service (QPS) REST API listen port.

If web ticketing is used for security, this port is used by the
software or service that requests tickets for users. I f the
software or service is remote, this port needs to be open to
the location from which it is called.

QRD 4432 Internal Default listen port for the Qlik Sense Repository Database

(QRD).

With shared persistence, this port is used to listen for
connections from the Qlik Sense Repository Service (QRS).

Migration 4545 Internal This port is used by the Migration Service for app migration

Service purposes. The service is launched and managed by the Qli
k Sense Service Dispatcher (QSD) when required.

Chart Sharing 4555 Internal This port is used by the Chart Sharing Service for chart

Service sharing between Qlik Sense users. The service is launched
and managed by the Qlik Sense Service Dispatcher (QSD)
when required.

This port uses HTTPS for communication.

QRS 4570 Internal Certificate password verification port, only used within multi-

node sites by Qlik Sense Repository Services (QRSs) on rim
nodes to receive the password that unlocks a distributed
certificate. The port can only be accessed from localhost and
it is closed immediately after the certificate has been
unlocked. The communication is always unencrypted.

QES 4748 Internal This callback port is used by the Qlik Sense Repository

Service (QRS) for sending HTTP events to the Qlik Sense
Engine Service (QES).

Data Profiling 4949 Internal This port is used by the Data Profiling Service to access and

Service modify the app load data model. It communicates directly
with the Qlik Sense Engine Service (QES) on the node.

Broker Service 4900 Internal Default listen port for the Broker Service.

Hub Service 9028 Internal Default listen port for the Hub Service.

Capability 9031 Internal This port is used by the Capability Service to handle Qlik

Service Sense system feature configuration.

About Service 9032 Internal Default listen port for inbound calls to the About Service.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Depgraph 9079 Internal This port is used by the Service Dispatcher launched

Service microservices.

Web Extension 9080 Internal Default listen port for the Web Extension Service.

Service

DownloadPrep 9090 Internal This port is used by the Service Dispatcher launched

microservices.

On-demand 9098 Internal Default listen port for the On-demand App S ervice.

App Service

Connector 9041 Internal This port is used b y the distributed connectivity service for

registry proxy discovering and listing connectors.
(server)

Connector 9051 Internal This port is used b y the distributed connectivity service for

registry proxy discovering and listing connectors.
(desktop)

Qlik Notifier 9081 Internal This port is used by the Qlik Notifier Service, which handles

Service push notifications to mobile devices. It is installed on each
node in a Qlik Sense Enterprise deployment.

Qlik Mobility 9082 Internal This port is used by the Qlik Mobility Registrar, which is

Registrar installed on each node in a Qlik Sense Enterprise
deployment.

Ports used from user web browser
The default ports are exposed to the Qlik Sense users and need to be open through any firewalls in the site.

Service Port Direction Purpose Host

QPS 443 Inbound Inbound user web traffic when using HTTPS. Qlik Sense Proxy Service

(QPS) in the site.

QPS 80 Inbound Inbound user web traffic when using HTTP Qlik Sense Proxy Service

(optional). (QPS) in the site.

Map 443 Inbound User web traffic for standard map background. maps.qlikcloud.com

For users hosting their own map server, use
the name of the host server.

Map 443 Inbound User web traffic for satellite map background. services.arcgisonline.com

The following diagram shows the ports used for the communication between a web browser and as single
note site.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Ports used between nodes and Qlik Sense services
The ports in this section are used for communication between the Qlik Sense services.

In a single node site, all ports listed in this section are used by the various services, but do not need access
through firewalls.

In a multi-node site, the ports in use vary depending on the services installed and running on each node. The
ports need to be open in any firewalls between the nodes, but do not have to be open to the Qlik Sense users.

Minimum ports used for communication in multi-node sites
The following ports must always be open between the nodes in a multi-node site. The ports must be open to
allow for service health, and some specific operations.

Service Port Direction Purpose

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic to
QRS 4242 Bi-directional between This port is used for a number of operations including new
the central node and user registration.
all p roxy nodes

QRD 4432 Inbound from Qlik The default listen port used by all nodes in a site for

Sense nodes to the connecting to the Qlik Sense Repository Database
repository database .

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

QRS 4444 Between the central This port has two functions:

node and all rim nodes

Security distribution port, only used by Qlik Sense
Repository Services (QRSs) on rim nodes to
receive a certificate from the master QRS on the
central node. The communication is always
unencrypted, but the transferred certificate
package is password-protected.

 Qlik Sense Repository Service (QRS) state port,
used to fetch the state of a QRS in a Qlik Sense
site. The state is fetched using
http://localhost:4444/status/servicestate.
The returned state is one of the following:
 0: Initializing. Once the node has been
initialized, the node state changes into one
of the other states.
 1: Certificates not installed. There are no
certificates installed on the node. The node
stays in this state until it has received the
certificate and the certificate password.
 2: Running. The node is up and running
and all APIs have been initiated.

Ports used between master and slave schedulers
The ports in the following table are used when a slave Qlik Sense Scheduler Service (QSS) is used.

Service Port Direction Purpose

QSS 5050 Inbound (from This port is used by the master QSS on the central node to issue

scheduler nodes commands to and receive replies from slave QSS nodes.
only)

QSS 5151 Inbound (from the A slave QSS runs on a slave scheduler node and is accessed only

central node only) by the master QSS on the central node.

Ports used between a proxy node and an engine node
The ports in the following table define the minimum needed to allow regular user traffic and load balancing
between a proxy node and an engine node.

Service Port Direction Purpose

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

QES 4747 Inbound Qlik Sense Engine Service (QES) listen port. This is the main port used by

(from the QES.
proxy
The port is used via the Qlik Sense Proxy Service (QPS) for
nodes)
communication with the Qlik Sense clients.

QRS 4239 Inbound Qlik Sense Repository Service (QRS) WebSocket port.

(from
proxy The port is used via the Qlik Sense Proxy Service (QPS) by the Qlik Sense
nodes) hub to obtain apps and stream lists.

QRS 4242 Inbound Qlik Sense Repository Service (QRS) REST API listen port.

(from
This port is mainly accessed by local Qlik Sense services. However, the
proxy
port must be open to all proxy nodes in a multi-node site to deliver images
nodes)
and static content.

Data 4949 Inbound This port is used by the Data Profiling Service when accessing and

Profiling (from modifying the application load model. The service is launched and
Service proxy managed by the Qlik Sense Service Dispatcher (QSD) when required.
nodes)
The port is access via the Qlik Sense Proxy Service (QPS).

Broker 4900 Inbound Default listen port for the Broker Service.

Service (from
proxy
nodes)

Hub 9028 Inbound Default listen port for the Hub Service. Open for local services such as the

Service (from broker service on the engine node.
proxy
nodes)

Ports used between a proxy node and a node running the printing service
The Qlik Sense Printing Service (QPR) may be installed on the same node as other services or on a separate
node. The ports in the following table must be accessible between a QPS and all QPRs to which the QPS
can load balance traffic.

Service Port Direction Purpose

QPR 4899 Inbound (from Qlik Sense Printing Service (QPR) port.

proxy nodes)
This port is used for printed export in Qlik Sense. The port is
accessed by any node that runs a QPS.

Qlik Sense Desktop ports
The following ports are used by Qlik Sense Desktop.

Component Port Direction

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Qlik associative engine 9076 Internal

Migration Service 9074 Internal

DataPrep Service 9072 Internal

Broker Service (Desktop) 4848 Internal/inbound

Capability Service 9075 Internal

About Service 9078 Internal

Broker Service 9070 Internal

NPrinting 9073 Internal

Hub Service 9071 Internal

Converter Service 9077 Internal

Dependency Graph Service 9033 Internal

Web Extension Service 9034 Internal

Connector Registry Proxy 9051 Internal

NL Broker Service 9055 Internal

NL Parser Service 9056 Internal

Ports examples
This section provides examples of the ports that are used in different Qlik Sense deployments.

The diagrams in this section do not show all outbound proxy node ports. For a full list of proxy node ports see the table.

Single node site
This example shows the ports that are used in a single node site.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Multi-node site
The following is an example of the ports that are used in a multi-node site that consists of five nodes.

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow
inbound traffic to these ports. O
utbound ports indicate the destination of the communication from one node
to other nodes in the environment. F irewall rules must allow the node to send outbound traffic to these
outbound ports.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 5

1 Planning your Qlik Sense Enterprise

Proxy node in demilitarized zone
This example shows the ports that are used in a multi-node site when deploying a proxy node in a
demilitarized zone.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

Separate proxy and engine node
This example shows the ports that are used in a multi-node site when deploying a separate proxy and engine
node. The proxy load balancing excludes the engine on the central node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

High availability proxy and engine nodes
This example shows the ports that are used in a multi-node site when deploying more than one proxy and
engine node. The proxy load balancing excludes the engine on the central node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

Separate scheduler node and high availability proxy and engine nodes
This example shows the ports that are used in a multi-node site when deploying a separate scheduler node
and more than one proxy and engine node. The proxy load balancing excludes the engine on the central
node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise
Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow
inbound traffic to these ports. O
utbound ports indicate the destination of the communication from one node
to other nodes in the environment. F irewall rules must allow the node to send outbound traffic to these
outbound ports.

Separate proxy and scheduler nodes and high availability engine nodes
This example shows the ports that are used in a multi-node site when deploying separate proxy and scheduler
nodes and more than one engine node. The proxy load balancing excludes the engine on the central node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

Generic scale out
This example shows the ports that are used in a multi-node site when scaling the site by adding additional
proxy, engine, or scheduler nodes. The proxy load balancing excludes the engine on the central node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

Persistence
A Qlik Sense site stores data to both a repository database, and a file share. The repository database stores
system and app meta data, while the file share stores binary application data such as, data models and app
content. In a single node deployment, both the repository database and the files share are usually located on
the same machine as the Qlik Sense services. I n a multi-node deployment, a cluster is formed around a
single repository database and file share. In many cases these may be on separate dedicated servers to
improve resilience or performance.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

For best performance we recommend that you locate all your Qlik Sense servers in the same geographic location or data

File share
In a Qlik Sense site, a file share is used to the store the binary application data including data models a
nd the
app content. I t can be located on any one of the nodes in the Qlik Sense site or on a dedicated server for
better resilience and performance. You create this folder before you install Qlik Sense. See: Creating a file
share (page 111)

The requirements for the share are:

 The Qlik Sense nodes in the cluster must have network latency below 4 milliseconds to connect to the
file share server. Performance can degrade if this is not the case.
 The bandwidth to the file share must be appropriate for the amount of traffic on the site. The
frequency and size of the apps being saved after reloading, and opened into memory, drives this
requirement. 1 Gigabit networking is suggested.
 The file share can run on:

A Windows Server OS. The Windows server may have storage allocated to it from a storage
area network (SAN), use local disks, or virtual storage in the case of a virtual machine.
 A non-Windows device such as a Linux server or hardware NAS device that supports SMB 3.0.

Qlik periodically runs network file share performance tests on Qlik Sense using WinShare, and FreeNAS with

 The file storage must have a single read and write master. Storage can be replicated to standby
storage, but only one location can be used to read and write to.

Repository database
In a Qlik Sense site, a PostgreSQL repository database is used to store all data for the Qlik Sense Repository
Service including system and meta data. It can be located on one of the nodes in the Qlik Sense site or o n a
dedicated server for better resilience and performance. If you want to install it on a dedicated server, you do
this before installing Qlik Sense.

You have two options for the repository database:

 Install as a local database on a central node. This option can be used for both single-
node and multi-
node deployments, and is done during installation using the Qlik Sense setup program.
 Install as a remote database on a separate server. This option provides higher performance and
resilience, and is the recommended approach in a multi-node deployment. See: Installing and
configuring PostgreSQL (page 115)

The requirements for the database are:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

 The Qlik Sense nodes in the cluster must have network latency below 4 milliseconds to connect to the
repository database server. Performance can degrade if this is not the case.
 If you run a PostgreSQL database on a dedicated server, it must use PostgreSQL version 9.6.

PostgreSQL can be run on various platforms including Windows, Linux, or cloud-hosted services such as Amazon R

Performance
This topic aims to provide some basic information on performance to consider before you install
Qlik Sense Enterprise on Windows. There are several different considerations to think about
when planning your Qlik Sense Enterprise on Windows deployment:

 Size of deployment - small single-node, medium, or large multi-node site?
 Number of nodes in your site?
 Local or dedicated repository database?
 Local or network file share?
 Number of CPU cores required for each node?
 RAM required for each node?

We also recommend scalability testing and engaging with Qlik consulting services for larger deployments.

Capacity and performance
Qlik Sense supports up to a maximum of 12 nodes. In addition to the number of n odes, there are other
factors that contribute to total capacity:

 Workload
 Hardware speed
 Network speed

For example, if the disk speed of the file share and the central node is too slow, you may expect low
performance during some operations, such as importing or duplicating apps.

DMZ deployments
All nodes in a site, including nodes without an engine, require access to both the database and file share. In
demilitarized zone (DMZ) deployments this may require opening additional ports, or taking an alternative
approach, compared to a DMZ deployment with synchronized persistence.

Geographical deployments
The current persistence model does not support geographical deployments. For best performance we
recommend that you locate all your Qlik Sense servers in the same geographic location or data center as the
repository database and the file share with a network latency below 4 milliseconds.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

Central node dependencies
The central node is responsible for handling a number of vital operations on your site. If the central node fails,
some operations will fail to run, including:

 Master scheduler - responsible for triggering reloads
 License distribution - allowing new users to obtain a license
 Extension objects

To reduce the dependency on the central node you can configure one or more nodes as a failover candidate.
For more information, see Configuring failover for central node resiliency (page 112).

User accounts
In order to successfully install and deploy Qlik Sense you must set up some user accounts before you start
your Qlik Sense installation.

Windows user accounts are created and configured using your Windows server administration tools.

If you choose to manually install and configure your PostgreSQL repository database, users are created and
configured using your PostgreSQL database administration tools. If you choose to have Qlik Sense install the
repository database for you, the Qlik Sense setup wizard will create the users during installation.

The following are the users that you may need to create before you install Qlik Sense:

 Windows Qlik Sense services administrator
 Windows Qlik Sense services user that is not an administrator
 PostgreSQL database superuser
 Qlik Sense Repository Database administrator

You must create the required Windows user accounts before you install Qlik Sense b ecause you are
prompted to enter them during the installation. If you choose to install as a Windows local administrator and
wish to change to a Windows dedicated Qlik Sense service user after installation, see Changing the user
account to run Qlik Sense services (page 126).

When you create your W indows user accounts you must set a password for each one. Windows user account
passwords may expire in accordance with the Windows domain security rules settings. If you do not update
the passwords for each Windows service setting, the services will stop working. To avoid this, you can select
the Password never expires check box in the Windows user profile, if your security protocol allows it.

Windows Qlik Sense services administrator
We recommend that you use a dedicated Windows user account to run the Qlik Sense services. If your
dedicated Windows Qlik Sense services user is an administrator, you can login as that user to install Qlik
Sense. If your dedicated Windows Qlik Sense services user is not a local administrator, you must use an
administrator account to install Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 6

1 Planning your Qlik Sense Enterprise

Windows Qlik Sense services user that is not an administrator
If you wish to use a dedicated Windows user account that is not an administrator to run the Qlik Sense
services, you must create that account before you install Qlik Sense. The Windows Qlik Sense services user
runs the following services:

 Qlik Sense Repository Service
 Qlik Sense Proxy Service
 Qlik Sense Engine Service
 Qlik Sense Scheduler Service
 Qlik Sense Printing Service
 Qlik Sense Service Dispatcher

For more information about services, see Services (page 31).

The Windows Qlik Sense services user that is not an administrator m ust meet the following requirements:

 Member of the Qlik Sense Service Users and Performance Monitor Users groups.
You add the Windows Qlik Sense services user that is not an administrator to these groups after you
install Qlik Sense.
 Only used for Qlik Sense Windows services. T his is necessary to avoid conflicts with other Windows
services in the same computer.

PostgreSQL database superuser
The PostgreSQL database superuser is a role t hat bypasses all permission checks, except the right to log in.
It is not a Windows, or Qlik Sense user, it is a PostgreSQL user configured in the repository database.

If you choose to install the PostgreSQL database m anually, you are prompted to create a PostgreSQL
database superuser and password during installation. That user ID and password are used to connect your
PostgreSQL database. For details about creating users with the PostgreSQL administration tools, see
Installing and configuring PostgreSQL (page 115).

If you choose to install the Qlik Sense Repository Database locally during the Qlik Sense installation, the
PostgreSQL installation is done automatically.

When you install Qlik Sense, if you select the Install local database option, the QSR, SenseServices, and QSMQ databa

Qlik Sense Repository Database administrator
The Qlik Sense Repository Database administrator role has full access to the Qlik Sense Repository
Database that contains all configuration data for the Qlik Sense site. It is not a Windows, or Qlik Sense user,
it is a PostgreSQL user configured in the repository database.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise
If you choose to install PostgreSQL manually, the Qlik Sense Repository Database administrator is also
created manually using the PostgreSQL administration tools. For details about creating users with the
PostgreSQL administration tools, see Installing and configuring PostgreSQL (page 115). You must enter the
location of the Qlik Sense Repository Database and the login credentails for the Qlik Sense Repository
Database administrator d uring the Qlik Sense setup on the Shared persistence database connections
settings page.

If you choose to install the Qlik Sense Repository Database locally using the Q lik Sense setup, you are
prompted to set a user name and password for the Qlik Sense Repository Database administrator during the
setup.

You must keep that password for backup and restore activities. It may also be needed for support.

User accounts for the logging database
Two user accounts, which use PostgreSQL password authentication, are automatically created during Qlik
Sense installation. User account qlogs_writer is used internally by the logging service to write to the
database. In fact, this user owns the logging database QLogs. User account qlogs_reader is used by the
monitoring apps to read from the database. There is also a user account called qlogs_users, which is
basically a group. It does not have a password and cannot be used to access the database. It exists only for
the purpose of managing network access to the PostgreSQL database.

The system administrator can change the passwords for these database users directly from PostgreSQL. The
logging service must also be updated with the new passwords using the update or setup command.

1.3 Qlik Sense Enterprise deployment examples
This section provides examples of different ways to deploy Qlik Sense Enterprise. The
examples are not guidelines or best practices for how to install your deployment, rather they ar
e to provide a high-
level view of how different organizational needs are achieved by different
deployment scenarios.

Qlik Sense Enterprise on Windows deployments
A Qlik Sense Enterprise on Windows deployment can be a single-node (server) site or a multi-node site. All
Qlik Sense sites must have a repository database, a single Qlik license key, and a common set of
configuration data and apps.

Single-node sites
A single-node site is the smallest site possible and consists of a single node (single server). In a single-node
site, site administration, app development, and app consumption happens on the same node. All Q lik Sense
services, the repository database, and the file share are hosted on the same node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

Multi-node sites
Multi-node sites offer more scalability options for large organizations. In a multi-node deployment, the Qlik
Sense site is distributed across several nodes. Nodes are connected to a common repository database, they
share a common set of data, and they share the same license key. In larger sites, you can add nodes to
improve scalability, capacity, and resilience. In a multi-node site, there is at least one central node and one or
more rim nodes that are connected to the central node.

Benefits of multi-node sites include:

 Better scalability, making it easier to increase capacity.
 Improved resilience and reliability.
 Ability to move apps or roles to specific nodes.
 Flexibility t o suit customer network deployments.

Qlik Sense Enterprise on Kubernetes deployments
Qlik Sense Enterprise on Kubernetes is a self-hosted implementation of Qlik Sense Enterprise that you
deploy onto a cloud provider of your choice. It comes with mostly the same capabilities as Qlik Sense
Enterprise on Windows, but it is deployed on an open-source architecture that leverages automatic scaling
and management of containerized microservices.

Qlik Sense Enterprise SaaS deployments
Qlik Sense Enterprise SaaS is a full SaaS deployment option for Qlik Sense Enterprise. The cloud
infrastructure is hosted and managed by Qlik. Qlik Sense Enterprise SaaS may be deployed independently or
as part of a multi-cloud deployment. See, Qlik Sense Enterprise on Windows multi-cloud deployments
(page 69).

Qlik Sense Enterprise on Windows multi-cloud deployments
Qlik Sense multi-cloud deployments refer to a deployment where one or more cloud instances are connected
to a Qlik Sense Enterprise on Windows site. Q lik Sense multi-cloud deployments are multi-node sites.

Benefits of multi-cloud sites include:

 Central node is managed on-premises.
 Users consume and develop apps from the cloud.
 Authentication for both on-premises and cloud is handled by a single identity provider.

Qlik Sense Enterprise on Windows on-premises
You can configure a Qlik Sense Enterprise on Windows deployment to meet the specific need
s
of your organization. As your requirements for performance and scalability increase, so too w
ill the size of your deployment.

The following terms are used in the deployment scenarios:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

 Central node: t he central point for managing all nodes in a site.
 Failover candidate node: a redundant node that becomes the central node if the original central node
fails.
 Scheduler or Reload node: reloads apps on a schedule, but does not serve content to users.
 Consumer node: s erves apps to users, but is not used to create, process, or reload data.
 Development node: allows users to create and reload new apps, but does not serve normal consumer
traffic.
 Proxy node: provides load balancing of user traffic to other nodes but does not contain a Qlik Sense
Engine Service (QES).

An alternative to using a proxy node is to have a proxy installed on each consumer node and balance the traffic using a hard

Deployment scenarios
This section provides four deployment scenarios of Q
lik Sense Enterprise on Windows deployments. The
deployments described here are examples of a small, medium, large, and extra-large Qlik Sense Enterprise
on Windows scenarios. T hese examples provide an approximation of the type of workload a particular
deployment might need to handle. The figures are not intended to set a minimum or maximum limit on your
deployment.

If you e
xpect to have performance demands higher than any of the figures below (such as more reloads or
apps) then contact your Qlik partner and perform a full sizing exercise. F
or more general scalability and
performance information, see Performance (page 65) and QMC performance - best practices.

The following table provides some basic assumptions for each type of deployment scenario:

Single-node Multi-node Multi-node Multi-node

(small) (medium) (large) (extra-large)

Apps 50 100 1000 1000

Active apps per day 25 50 125 125

Total users (from UDC) 500 1000 50000 50000

Concurrent users (equals 50 100 500 1000

active users within the
same hour)

Maximum concurrent users 2 2 5 10
in the QMC

Average app size (in 0.1 0.1 0.1 0.1

gigabytes)

Maximum app size (in 1 2 5 5
gigabytes)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

Content creation (objects 20 40 50 50
per hour)
Reloads per hour 10 20 400 400

The difference between a large and extra-large deployment in our examples is the number of concurrent users.

Single-node (small)
The following deployment example shows a Qlik Sense Enterprise on Windows single-node s

ite. In a single-node site, the Qlik Sense services are all running on the same node.

 Qlik Sense Repository Service
There is only one instance of the Qlik Sense Repository Service (QRS) running, and it has direct
access to the central repository database.
 Qlik Sense Scheduler Service
The Qlik Sense Scheduler Service (QSS) acts as both master and slave.

This kind of deployment works best in a single time zone, where data reloads can be done at night.

Multi-node (medium)
The following deployment example shows a medium-size, multi-node Qlik Sense Enterprise on Windows
production deployment comprising t hree nodes:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

 One central node/reload node on which the Qlik services are running.
 Two consumer nodes to load balance user demand.

In this configuration, the central repository database, the file share, and the other Q lik Sense services are
running on the central node. The two consumer nodes handle app consumption.

Multi-node (large)
The following deployment example shows a large, multi-node Qlik Sense production deployment.
A deployment like this provides the ability to scale up app reloads and user load. This deployment consists of
the following nodes:

 Central node/reload node to handle the services
 Failover canadidate node to handle the services if the central node fails.
 Four consumer nodes to load balance user demand.
 One developer node for app development.
 The repository database (PostgreSQL) and the file share are installed on separate, dedicated servers.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

The central node and failover node must have all services installed. Configure the proxy service on consumer
nodes to handle user traffic, and on both the central and failover nodes to handle admin traffic.

The Qlik services on both central and failover nodes are always active.

Multi-node (extra large)
The following deployment example shows an extra large, multi-node Qlik Sense production deployment
consisting of seven consumer nodes providing the ability to scale up app reloads and user load. Groups of
consumer nodes are dedicated t o different size apps. Each consumer node can be configured with security
and custom load balancing rules to restrict the size of the apps they can serve.

To ensure that the system can cope with the load, you can pre-load some apps in memory. For example, you
could pre-load all medium and large sized apps, ensuring that they can be loaded in less than two seconds,
even during peak hours.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

With very large deployments, development of applications can be resource intensive. It may therefore be appropriate to h

This deployment consists of the following nodes:

 Active central node/reload node to handle the services.
 Failover candidate node to handle the services if the central node fails.
 Seven consumer nodes with node clusters dedicated to app size.
 Two developer nodes for app development.
 The repository database (PostgreSQL) and the file share are installed on separate, dedicated servers.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

The Qlik services on both central and failover nodes are always active.

Qlik Sense Enterprise on Windows deployed to AWS
In an Amazon Web Services (AWS) deployment, you install Qlik Sense Enterprise on an Amazon virtual
private cloud infrastructure that is flexible, h igh performance, and q uick t o set up.

Deploying Qlik Sense Enterprise o
n AWS will enable you to quickly add new applications in a simple, and
scalable manner. You can do this with a basic knowledge of AWS security and scalability options but without
the need to follow complex on-premise installation and configuration procedures. U
sing AWS will enable you
to get your Qlik Sense infrastructure up and running in fraction of the time required for an on-premise
deployment, and will enable you to scale your deployment quickly and easily, regardless of unexpected
changes in demand.

You can deploy Qlik Sense to AWS manually, or you can use an Amazon Machine Image (AMI) available in
the AWS Marketplace that includes Qlik Sense preinstalled. However, predefined images do not include a
file share, so can only support single node Qlik Sense deployments.

Benefits of using AWS cloud
 A quick and effective way of deploying Qlik Sense to the cloud.
 Simple and cost-effective, reducing overall deployment times.
 Quick and easy to deploy Qlik Sense applications.
 Fewer hardware management overheads.
 Scalable, elastic storage that can be expanded and contracted on demand.
 Geographic deployment to multiple regions around the world makes lower latency possible.
 A reliable and high performance platform.

Components
To successfully deploy Qlik Sense on AWS cloud you need a basic understanding of the architecture and
services available in an AWS deployment. As part of a Qlik Sense deployment on AWS, y ou need t he
following components:

 An Amazon AWS account
 Amazon Management Console - available when you log in to your AWS account.
 VPC - Amazon Virtual Private Cloud
 EC2 - Amazon Elastic Cloud instance running on a VPC. Lets you scale your deployment by adding or
removing servers as your requirements change.

AWS services
You should also have a basic understanding of other AWS services that you can use for managing resources
and as data stores for your Qlik Sense applications:

 RDS - Managed relational database service as an alternative to a PostgreSQL repository database.
Provides high availability without the same complexity.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

 S3 - Simple Storage Service. Scalable, object-based cloud storage.
 Dynamo DB - NoSQL database service
 Elastic IP - remapping of IP addresses
 EMR - Elastic MapReduce. Managed Hadoop service
 Redshift - Data warehouse
 Cloud formation - for managing resources automatically

For more information about AWS services, see the ≤ Amazon AWS

website.

Microsoft Windows versions
Your AWS instance needs to be running a Microsoft operating system onto which you can install a Qlik Sense
instance. Qlik Sense supports the following Windows operating systems for an AWS deployment:

 Microsoft Windows Server 2012 R2
 Microsoft Windows Server 2016
 Microsoft Windows Server 2019

Qlik Sense Enterprise
Install a single-node Qlik Sense server o n your EC2 instance.

Qlik Sense Enterprise configuration:
Use the QMC t o configure the following:

 Licensing
o Tokens (only token-based license)
o User access (token-based license) or Professional access (user-based license)
o CPU cores
 Security groups

Create a proxy setup for allowing HTTP access.

Other considerations
When you deploy Qlik Sense to AWS for the first time you should also consider the following.

Security
To configure security on an AWS deployment you need a good understanding of how to set up AWS security
groups, key pairs, and a lso security groups in Qlik Sense. You use the Amazon Management Console to
configure AWS security and the QMC to configure all security and authentication settings in Qlik Sense
Server.

For more information about security, see AWS and Azure security (page 223), and for more on Qlik Sense
security, see Qlik Sense Enterprise on Windows security (page 185)

Connectivity
AWS web services that you can use as data stores for Qlik Sense applications to retrieve data from when
building applications:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 7

1 Planning your Qlik Sense Enterprise

 Amazon DynamoDB – NoSQL database
 Amazon RDS – managed relational database service
 Amazon Redshift – data warehouse as a service
 Amazon Simple Storage Service (S3) – scalable, object-based cloud storage
 AWS Elastic Map Reduce (EMR) – managed Hadoop service

In an AWS deployment you can use the following connectivity mechanisms to connect to different data
sources:

 ODBC connection
 OLE DB connection
 REST API connection
 Native connector to a specific source

Connectivity scenarios:

 Qlik Sense instance that uses both data stored in Amazon RDS and Amazon Redshift.
 Qlik Sense instance that uses data coming from an AWS data source as well as a combination
between flat files and web based data sources (i.e. a web service data feed).
 Hybrid Qlik Sense instance - uses data stored in AWS data sources as well as data stored on premise.

Scalability
As environments grow in terms of number of users, number and size of applications, number of data sources
it is important to understand how to size the environment correctly and how to scale the environment
accordingly. You need to create a multi-node environment to effectively scale up or down, by creating
dedicated servers for different purposes. You can then allocate resources correctly across the following Qlik
Sense services.

 Engine Service – The QIX engine, provides in-memory Associative Data Indexing and calculation
supporting analysis.
 Proxy Service – Manages authentication, handles user sessions and load balancing.
 Repository Service –Manages Qlik Sense applications, controls access, and handles configuration.
 Scheduling Service – Manages reloads of Qlik Sense applications and other scheduled tasks.
 Service Dispatcher – Launch and manage the data profiling service for the data load model, migration
service to make sure the app can run in the installed version of Qlik.

For more information about scalability, see the Qlik Sense Performance Benchmark technical brief.

AWS deployment example
AWS provides a cloud infrastructure with all the services and computing power you need to provide a reliable,
cloud deployment platform for Qlik Sense that can performance, regardless of unexpected changes in
demand, and concurrency.

Qlik Sense single-node deployment on AWS
Components in a typical Qlik Sense single-node deployment on AWS:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 VPC - Virtual Private Cloud. A logically isolated virtual network that shares a common security
configuration that you define.
 Subnet - you need at least one subnet within the VPC. This could be a public, or private subnet.
 Public subnet - subnet with direct access to the internet.
 Private - a subnet that cannot be reached from the internet.
 RDS - Relational database service. Use this for the repository to provide high availability w ithout the
same complexity as a PostgreSQL database.
 NAT instance (optional) - r estricts traffic to private subnets but allows outgoing traffic to the internet.
For example, if an EC2 instance is launched inside the private network it can access the internet.
 Windows Server instance - deployed inside the default subnet to host your Qlik Sense installation.
 Security groups - act as a virtual firewall controlling which IP addresses can gain access to your
instance. Use the Amazon Management Console to create a security group called Qlik Sense.
 Key pair - a Qlik Sense.pem file that you create and store locally. This file handles authentication when
you connect to your AWS instance.
 IAM - Identity and Access Management. You need IAM to manage the fine-grained permissions
required for access to different AWS services.
 Qlik Sense Server node - a single node deployed on Windows Server inside the default subnet.

Deployment options:

 Qlik Sense node in a public subnet with direct Internet access.
 Qlik Sense node in a private subnet without Internet access.

The decision whether to choose a public or private subnet in your deployment depends on your overall
solution requirements.

The following example shows a complete Qlik Sense Enterprise, single node deployment on Amazon Virtual
Private Cloud.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

Qlik Sense Enterprise on Windows deployed to Azure
In a Microsoft Azure deployment, you install Qlik Sense Enterprise on a
Azure cloud i nfrastructure that is flexible, h igh performance, and is quick t o set up.

Deploying Qlik Sense Enterprise o
n Azure will enable you to quickly add new applications in a simple, and
scalable manner. You can do this with a basic knowledge of Azure security and scalability options but without
the need to follow complex on-premise installation and configuration procedures. U
sing Azure will enable you
to get your Qlik Sense infrastructure up and running in fraction of the time required for an on-premise
deployment, and will enable you to scale your deployment quickly and easily, regardless of unexpected
changes in demand.

You can deploy Qlik Sense to Azure manually, or you can use an Virtual Hard Disk (VHD) available in the
Azure Marketplace that includes Qlik Sense preinstalled. However, predefined images do not include a file
share, so can only support single node Qlik Sense deployments.

Benefits of using Microsoft Azure cloud
 A quick and effective way of deploying Qlik Sense to the cloud.
 Simple and cost-effective, r educing overall deployment times.
 Quick and easy to deploy Qlik Sense applications.
 Microsoft Server Message Block (SMB) 3.0 file system - This makes theQlik Sense file share highly
resilient to failures, and AWS does not offer a similar alternative.
 Scalable, reliable and high performance cloud platform.
 Microsoft security and networking functionality.
 Geographic deployment to multiple regions around the world makes lower latency possible.
 A reliable and high performance platform.

Components
To successfully deploy Qlik Sense on Azure cloud you need a basic understanding of the architecture, and
services available in an Azure deployment. As part of a Qlik Sense deployment on Azure, y ou need the
following components:

 Azure Virtual Machine
 Azure SMB 3.0 file system storage
 Azure Virtual Network
 Azure Resource Group
 Azure Resource Manager

Azure services
You should also have a basic understanding of other Azure services that you can use for managing resources
and as data stores for your Qlik Sense applications:

 Azure Portal
 Azure Active Directory and Identity Management

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 Azure SQL Database – SQL Server 2016 on the Cloud
 Azure SQL Data Warehouse – Enterprise level scale-
out, massively parallel processing, highly scalable database for both relational and non-
relational data.
 Azure Storage – scalable cloud storage (Blob Storage, Table Storage, Azure Queues and Azure Files)
 Azure HDInsight – elastic map reduce (Hadoop as Service)

For more information about Azure services, see the ≤ Microsoft Azure website.

Microsoft Windows versions
Your Azure instance needs to be running a Microsoft operating system onto which you can install a Qlik
Sense instance. Qlik Sense supports the following Windows operating systems for an Azure deployment:

 Microsoft Windows Server 2012 R2
 Microsoft Windows Server 2016
 Microsoft Windows Server 2019

Qlik Sense Enterprise
Install a single-node Qlik Sense server o n your Azure instance.

Qlik Sense Enterprise configuration:
Use the QMC t o configure the following:

 Licensing
o Tokens (only token-based license)
o User access (token-based license) or Professional access (user-based license)
o CPU cores
 Security groups

Create a proxy setup for allowing HTTP access.

Other considerations
When you deploy Qlik Sense to Azure for the first time you should also consider the following.

Security
Use the Resource Manager to configure Azure security and the QMC to configure all security groups and
authentication settings in Qlik Sense.

For more information about security, see AWS and Azure security (page 223), and for more on Qlik Sense
security, see Qlik Sense Enterprise on Windows security (page 185)

Connectivity
Qlik Sense applications can use the following Azure web services as data stores:

 Azure SQL Database – SQL Server 2016 on the Cloud
 Azure SQL Data Warehouse – enterprise level scale-out, massively parallel processing, highly scalable
database for both, relational and non-relational data

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 Azure Storage – scalable cloud storage (Blob Storage, Table Storage, Azure Queues and Azure Files)
 Azure HDInsight – elastic map reduce (Hadoop as Service)

In an Azure deployment you can use the following connectivity mechanisms to connect to different data
sources:

 ODBC connection
 OLE DB connection
 REST API connection
 Native connector to a specific source

Connectivity scenarios:

 Qlik Sense instance that uses data stored in Azure SQL Database and Azure SQL Data Warehouse.
 Hybrid Qlik Sense instance - uses data stored in Azure data sources as well as data stored on
premise.

Scalability and sizing
As your environment grows in terms of number of users, number and size of applications, and the number of
data sources, it is important to understand how to size and scale your environment correctly. Resources need
to be allocated correctly across the following Qlik Sense services:

 Engine Service – The QIX engine, provides in-memory Associative Data Indexing and calculation
supporting analysis
 Proxy Service – Manages authentication, handles user sessions and load balancing
 Repository Service –Manages Qlik Sense applications, controls access, and handles configuration
 Scheduling Service – Manages reloads of Qlik Sense applications and other scheduled tasks
 Service Dispatcher – Launch and manage the data profiling service for data load model, migration
service to make sure the app can run in the installed version of Qlik (runs on the central node only) and
chart sharing between two users

For more information about scalability, see the Qlik Sense Performance Benchmark technical brief.

Azure deployment example
Microsoft Azure provides a cloud infrastructure with all the services and computing power you need to provide
a reliable, cloud deployment platform for Qlik Sense that can performance, regardless of unexpected
changes in demand, and concurrency.

Qlik Sense single-node deployment on Azure
Components in a typical Qlik Sense deployment on Azure:

 Azure Virtual Network (VNet) - a logically isolated area of the Azure cloud where you can launch Azure
resources in a virtual network that you define.
 Subnet - you need at least one subnet ( either public or private) within the Virtual Network. This could
be a public or private subnet.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 Public subnet - subnet with direct access to the internet.
 Private - a subnet that cannot be reached from the internet.
 Virtual Machine - A Windows Server virtual machine instance deployed in the default subnet onto
which you can install and configure your instance of Qlik Sense server.
 Resource Group/Resource Manager - enables you to deploy, manage, and monitor the different
components in your Microsoft Azure solution as a group. This makes it easier to deploy, update or
delete components in a single, coordinated operation using the Resource Manager.
 Network Security groups - a list of Access Control List (ACL) rules that allow or deny network traffic to
the Virtual Machine instances in a Virtual Network.
 Azure Active Directory and Identity Management - depending on the expected administration of the
environment, integration with Azure Active Directory and Identity Management may be needed to
manage fine-grained permissions for access to various Azure services involved in the deployment
process.
 Qlik Sense Server node - a single node deployed on Windows Server inside the default subnet.

Deployment options:

 Qlik Sense node in a public subnet with direct Internet access.
 Qlik Sense node in a private subnet without Internet access.

The decision whether to choose a public or private subnet in your deployment depends on your overall
solution requirements.

The following example shows a complete Qlik Sense Enterprise, single node deployment on Azure Cloud.

Qlik Sense Enterprise on Windows deployed to Google Cloud
In a Google Cloud deployment, you install Qlik Sense Enterprise on Windows on a Google Cloud
infrastructure that is flexible, h igh performance, and is quick t o set up.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise
Deploying Qlik Sense Enterprise on Windows o n Google Cloud will enable you to quickly add new
applications in a simple, and scalable manner. You can do this with a basic knowledge of Google Cloud
security and scalability options but without the need to follow complex on-premise installation and
configuration procedures. U
sing Google Cloud will enable you to get your Qlik Sense infrastructure up and
running in fraction of the time required for an on-premise deployment, and will enable you to scale your
deployment quickly and easily, regardless of unexpected changes in demand.

Components
To successfully deploy Qlik Sense Enterprise on Windows on Google Cloud you need a basic understanding
of the architecture, and services available in a Google Cloud deployment. As part of a Qlik Sense deployment
on Google Cloud, y ou need the following components:

 Compute Engine (GCE)
 Persistent Disk
 VPC - Virtual Private Cloud
 Cloud VPN

Google Cloud services
You should also have a basic understanding of other Google Cloud services that you can use for managing
resources and as data stores for your Qlik Sense applications:

 Cloud Deployment Manager
 Cloud SQL
 Persistent Disk
 Google BigQuery

For more information about Google Cloud services, see the ≤ Google Cloud

website.

Microsoft Windows versions
Your Google Cloud instance needs to be running a Microsoft operating system onto which you can install a
Qlik Sense instance. Qlik Sense supports the following Windows operating systems for a Google Cloud
deployment:

 Microsoft Windows Server 2012 R2
 Microsoft Windows Server 2016
 Microsoft Windows Server 2019

Qlik Sense Enterprise
Install a single-node Qlik Sense Enterprise on Windows server o n your Google Cloud instance.

Qlik Sense Enterprise configuration:
Use the QMC t o configure the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 Licensing
o Tokens (only token-based license)
o User access (token-based license) or Professional access (user-based license)
o CPU cores
 Security groups

Create a proxy setup for allowing HTTP access.

Other considerations
When you deploy Qlik Sense to Google Cloud for the first time you should also consider the following.

Security
Use t he QMC to configure all security groups and authentication settings in Qlik Sense. You can make your
on-premise Active Directory available in the VPC through an IPsec VPN tunnel to an external IdP with
Google Cloud VPN.

For more information about security, s

ee Qlik Sense Enterprise on Windows security (page 185)

For more information about Google Cloud security, s ee ≤ Google Cloud Security.

Connectivity
Qlik Sense applications can use the following Google Cloud web services as data stores:

 Cloud SQL for PostgreSQL
PostgreSQL version 11.5 is required.
 Google BigQuery
 Persistent Disk

In a Google Cloud deployment you can use the following connectivity mechanisms to connect to different
data sources:

 ODBC connection
 OLE DB connection
 REST API connection
 Native connector to a specific source

Connectivity scenarios:

 Qlik Sense instance that uses data stored in Cloud SQL and Google BigQuery.
 Hybrid Qlik Sense instance - uses data stored in Google Cloud data sources as well as data stored on
premise.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

For more information about scalability, see the Qlik Sense Performance Benchmark technical brief.

Google Cloud Platform deployment example
Google Cloud Platform provides a cloud infrastructure with all the services and computing
power you need to provide a reliable, cloud deployment platform for Qlik Sense that can
perform regardless of unexpected changes in demand and concurrency.

Qlik Sense Enterprise on Windows single-node deployment on Google Cloud Platform
Components in a typical Qlik Sense Enterprise on Windows deployment on Google Cloud Platform:

 VPC - Virtual Private Cloud
A logically isolated virtual network that shares a common security configuration that you define.
 Subnet
You need at least one subnet within the VPC. This could be a public, or private subnet.
 Cloud SQL for PostgreSQL
You can use the PostgreSQL option of the Cloud SQL database service to provide high availability
a s
an alternative to the PostgreSQL repository database embedded in Qlik Sense. PostgreSQL version
11.5 is required.
 Persistent Disk
Block storage that may be attached to instances of Google Compute Engine. Use this to store apps,
log files and other common content.
 Compute Engine (GCE)
You deploy a GCE inside the default subnet to host your Qlik Sense installation.
 Cloud VPN
You can make your on-premise Active Directory available in the VPC through an IPsec VPN tunnel to
an external IdP.
 Google BigQuery
You can access data sources using the BigQuery data warehouse.
 Qlik Sense Server node
A single Qlik Sense Enterprise on Windows node deployed on Windows Server in the Compute
Engine. This includes the Engine, Proxy, Repository and Scheduler services.
 TCP Load Balancer
You can put your resources behind a single anycast IP and scale your resources w
ith intelligent autoscaling if you have deployed several nodes running the proxy service.

Deployment options:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

 Qlik Sense node in a public subnet with direct Internet access.
 Qlik Sense node in a private subnet without Internet access.

The decision whether to choose a public or private subnet in your deployment depends on your overall
solution requirements.

The following example shows a complete Qlik Sense Enterprise on Windows single node deployment on
Google Cloud.

Qlik Sense Enterprise on Kubernetes
Qlik Sense Enterprise on Kubernetes is a self-hosted implementation of Qlik Sense Enterprise
that you deploy onto a cloud provider of your choice.

It provides a highly-available and scalable architecture that leverages containerization and container
orchestration technologies. There are several ways to configure your Qlik Sense Enterprise on Kubernetes
deployment and set up your Kubernetes cluster, depending on your business requirements.

Deployment considerations
Some important things to consider when planning your Qlik Sense Enterprise on Kubernetes deployment
are:

 Cost of hosting: will your deployment require a lot of infrastructure resources?
 Required up-time: do you need your apps to be available to users all the time?
 Ease of setup and deployment: can you devote more effort to set up a large deployment?

Scalability and resilience: will there be a large number of users, and will the load be constant or will it
vary?

Security considerations
When you deploy Qlik Sense Enterprise on Kubernetes, you should consider the following.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 8

1 Planning your Qlik Sense Enterprise

CSRF security for Qlik Sense Enterprise on Kubernetes
Cross-site request forgery (CSRF) is when someone attacks a user’s web application by taking advantage of
that user’s authentication. For example, if a user is authenticated on a secure web application, and they click
a malicious link during their web session, an attacker can then use their authentication to perform tasks or
actions without the user's permission or knowledge.

To ensure that Qlik Sense Enterprise on Kubernetes APIs are protected against CSRF security risks, Qlik
has implemented token-based anti-CSRF security for its APIs that will prevent CSRF attacks.

This token is generated on the server-side and is linked to a specific session by the web server, which is then
used as a hidden value in every web application form. Because the token is on the server side, and not in th
e web session, a hacker cannot access that token because they do not have access to the server.

Qlik Sense Enterprise on Kubernetes minimal deployment
The diagram below shows a minimal Qlik Sense Enterprise on Kubernetes deployment. A
minimal deployment is the smallest Qlik Sense Enterprise on Kubernetes deployment, and
illustrates most simply the Kubernetes deployment with a single master/controller node and a
single worker node.

The characteristics of a minimal Qlik Sense Enterprise on Kubernetes deployment are:

 A single master/controller node.
 A single worker node onto which the pods are deployed.
 Both master/controller and worker node are in a single availability zone.
 Users are authenticated through the identity provider.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

1 Planning your Qlik Sense Enterprise

 A MongoDB and a persistent data store are configured to store metadata and regular data
respectively.

Who should consider this type of Qlik Sense Enterprise on Kubernetes deployment:


If you want to keep hosting costs to a minimum as a small deployment like this uses far fewer
resources than a large multi-node deployment.
 If you are less concerned with maximum up-time.
 If you want the easiest deployment to set up and configure.

The deployment example above can be scaled out with multiple nodes and pod replication.

Qlik Sense Enterprise on Kubernetes enterprise deployment
The Qlik Sense Enterprise on Kubernetes diagram below shows a larger and more robust
deployment example that is adapted to an enterprise that requires near 100% up-time, and that
can scale to meet large workloads.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

1 Planning your Qlik Sense Enterprise

Availability zones can be substituted for update domains or fault domains.

The characteristics of an enterprise Qlik Sense Enterprise on Kubernetes deployment are:

 Master/controller nodes distributed across availability zones as needed.
 Worker nodes distributed across availability zones and replicated within availability zones as needed.
 Pods are replicated within availability zones and distributed across availability zones as needed.
 Users are authenticated through the identity provider.
 Resilient data volumes and MongoDB.

Who should consider this type of Qlik Sense Enterprise on Kubernetes deployment:

 If you want a highly-available deployment that delivers near 100% up-time.
 If you expect to support a high volume of users.

Configuration requirements for an enterprise deployment
To successfully set up an enterprise deployment, you should configure your Kubernetes deployment scale
both horizontally and vertically as needed. Ultimately, it is up to you how you achieve full scalability to achieve
your required level of high-availability. Here are some of the ways you can achieve an enterprise deployment
as described above by configuring the Kubernetes autoscalers:


Configure the Kubernetes Horizontal Pod Autoscaler to scale your pods up or down based on custom
metrics.
 Configure the Kubernetes Vertical Pod Autoscaler to allocate more or less resources to pods.
 Configure the Cluster Autoscaler to allocate or deallocate nodes to the cluster.

Deploying Qlik Sense Enterprise in a multi-cloud environment
A Qlik Sense Enterprise multi-cloud deployment lets you deploy both Qlik Sense Enterprise
on- premises and Qlik Sense Enterprise on cloud so users can develop apps on-
premises and access them from the cloud.

The primary components of a multi-cloud deployment are:

 Qlik Sense Enterprise on Windows, deployed on-premises.
 Qlik Sense Enterprise on Kubernetes deployed to a public or private customer-managed cloud
infrastructure.
 Qlik Sense Enterprise SaaS, deployed to a Qlik-managed cloud infrastructure.

After you install your Qlik Sense Enterprise on Windows on-premises, you can chose to configure multi-cloud
with Qlik Sense Enterprise SaaS or with Qlik Sense Enterprise on Kubernetes. Once your multi-cloud
deployment is configured, you can distribute Qlik Sense apps that you create in Qlik Sense Enterprise on
Windows to the cloud for consumption. Users are integrated through the identity provider and consume a
single license regardless of whether they connect through the Qlik Sense Enterprise on Windows hub or the
cloud hub.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

1 Planning your Qlik Sense Enterprise

The characteristics of a multi-cloud deployment are:

 Qlik Sense Enterprise on Windows installed on-premises.
 At least one of:
 Qlik Sense Enterprise SaaS.
 Qlik Sense Enterprise on Kubernetes installed onto a customer-managed cloud infrastructure.
 An identity provider that supports OIDC and SAML to integrate user authentication between on-
premises and cloud.

Who should consider a multi-cloud deployment:

 You have Qlik Sense Enterprise on Windows running on-premises and you want to expand to the
cloud.
 You want to develop apps in a Windows environment and allow users who cannot access your
Windows environment to consume apps.
 You want to scale out the number of users consuming apps using cloud resources.
 You want to set up a distribution policy for groups of users consuming apps on the cloud.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

2 Installing Qlik Sense Enterprise on Windows
When you install Qlik Sense you have several deployment options depending on the size and requirements of
your organization. Before you begin the installation process choose the appropriate architecture for your
needs. Consider scalability and performance and factors such as how many apps you want to run, how many
concurrent users you need, or how many reloads you want per hour.

Size of organization Qlik Sense deployment

Small Single-node

Medium Single-node or multi-node
Large Multi-node

2.1 Installing Qlik Sense on a single node
A basic installation of Q
lik Sense can be done by installing all of the Qlik Sense services on a single node.
This kind of deployment works best in a single time zone, where reloads of data can be done during the night.
To determine if a single-node installation is the right choice for you, see Planning your Qlik Sense Enterprise
deployment (page 9).

For information about multi-node deployments of Qlik Sense, see Installing Qlik Sense in a multi-node site
(page 98).

Before you install:

 Check that your environment meets the system requirements.
See: System requirements for Qlik Sense Enterprise (page 19)

Check that the required ports are available.
See: Ports  (page 46)
 Check that your browser is supported.
See: Supported browsers (page 27)
 Prepare the user accounts required to run the Qlik Sense services.
See:User accounts (page 66)
 Understand how Qlik Sense uses LEF for site licensing and user access allocation, and have your
license key available.
See: Qlik Sense Licenses (page 11)

Do the following:

1. Log in to the computer where you plan to install Qlik Sense as a local Windows administrator.
See: User accounts (page 66).
2. Create a file share before you run the Qlik Sense setup. The file share is a shared folder that stores all
the Qlik Sense application data.
a. Create a new folder.
b. Right click on the folder, and click Properties.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

c. On the Sharing tab, and click Share.
d. Enter the names of Windows users that you want to share the folder with, and click Add.
Share this folder with your Windows Qlik Sense administrator and your Windows Qlik Sense
services user. For more information, see User accounts (page 66).
e. In the Permission level column, select Read/Write, and click Share.

Make note of the network path displayed on the confirmation screen. You will enter this information during th

3. Download the Qlik_Sense_setup.exe file and launch the setup.
See: Downloads
4. Do the following:
a. Accept the license agreement, and click Next.
b. On the Create or join a cluster screen, click Create cluster.
c. On the Host Name screen, enter the name of the computer that you are installing Qlik Sense
on and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

d. On the Shared persistence database connections settings screen, select the Install
local database check box if you want to install a local repository or leave the check box
unchecked if you want to connect to an existing repository database.
For information about installing a local database, see: Installing and configuring PostgreSQL
(page 115)

If you want to connect to an existing repository database, then enter the following values:
Field name Value

Database host
Enter the full URL to your repository database.
name
Database port 4432

Database user Enter the username that will be used to access the database.

Database user
password
Do not enter the username postgres.

Create your own database user password to access your r epository
database in the PostgreSQL database.

e. On the Database configuration screen, click Next.
There is no need to configure the database service to allow connections from other nodes in a
single-node installation.
f. On the Service Credentials screen, enter the domain and user name in the format domain\
username. Enter the password for the account that you want to use to run the Qlik
Sense services, and click Next.

If you enter a username that is more than 20 characters long, it must be in UPN format, and must include the

g. On the Shared persistence storage screen, enter the path or URL to your file share, for
example, \\<domain>\QlikShare, and click Next. Your file share can either be a local folder or
a remote folder.
h. On the Centralized Logging screen, leave the Configure centralized logging check box
selected if you want to set up centralized logging, or clear the check box if you want logs to be
written to files. If you decide not to set up centralized logging at this time, you can set it up later
by using the logging service utility; see Qlik Logging Service (page 227).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

If you want to write logs to a new database that is installed with Qlik Sense, click New logging
database. Enter the following values and click Next.

Field name Value

Log writer Create a password for the qlogs_writer user to access the centralized
password PostgreSQL database.

Log reader Create a password for the qlogs_reader user to access the centralized
password PostgreSQL database.

If you want to write logs to an existing database on the same node that you are installing Qlik
Sense on or on another node, click Standalone logging database. Enter the following
values and click Next.

Field name Value
Hostname Enter the host name or IP of the centralized PostgreSQL database.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

Port 4432

Log writer Enter the password for the qlogs_writer user to access the centralized
password PostgreSQL database.

Log reader Enter the password f or the qlogs_reader user to access the centralized
password PostgreSQL database.

If you use a logging database on another node, ensure that this is a new and empty logging
database before proceeding with the installation. If a QLogs db is already present on the
remote database the schemas may be incompatible.
See: Installing and configuring PostgreSQL (page 115)

i. On the Installation location screen, choose your own installation location or install Qlik Sense
to the default location on the C:\ drive, and click Next.
j. On the Repository Database Superuser Password screen, enter a password for the
PostgreSQL repository database superuser. Confirm the password and click Next.
See, User accounts (page 66).
k. On the Ready to install screen, optionally select to create desktop shortcuts and automatic
start of the Qlik Sense services when the setup is complete.

If you selected local system as the user account type in the Service Credentials screen, but want to use a d

l. In the Supported object bundles section, o ptionally select to install the object bundles.

Then, select which object bundles you want to install from the list of those available for your
Qlik Sense installation.
You can always add or remove object bundles from your Qlik Sense installation at a later
moment. See: Modifying an object bundles installation (page 98)

m. In the Help Us Improve section, optionally select if you want to share system data with Qlik in
anonymous form. You can learn more about what data Qlik collects by clicking the link in the
message.
n. If you have chosen not to install the object bundles, click Install. Otherwise, click Next.
o. If you are installing any of the object bundles, accept the object bundles license agreement.
Then, click Install.
5. You will see a message indicating that Qlik Sense has been installed successfully.
Click Finish.

6. If you selected local system as the user account type in the Service Credentials screen, but wish to
use a dedicated service account to run the Qlik Sense services, change the user account type and
manually start the Qlik Sense services now. See Changing the user account to run Qlik Sense
services (page 126)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on
You are r eady to license your Qlik Sense installation.

Licensing Qlik Sense
Before you can start using Qlik Sense you must activate your site license.

Do the following:

1. Open the Qlik Management Console (QMC) by entering the QMC address in your browser.
By default, the QMC address is https://<QPS server name>/qmc.
The QMC displays the Site license properties screen the first time you open it.
2. Enter the license information from the License Enabling File (LEF).
The property group Site license contains properties related to the license for the Qlik Sense system.
All fields are mandatory and must not be empty.

Property name Description
If you want to set up Qlik Sense Enterprise SaaS or Qlik Sense Enterprise on Kubernetes, please contact your Qli
Owner name The user name of the Qlik Sense product owner.

Owner organization The name of the organization that the Qlik Sense product owner is a
member of.

Serial number The serial number assigned to the Qlik Sense software.

Control number The control number assigned to the Qlik Sense software.

3. Expand LEF access and click Get LEF and preview the license. If you received your LEF via
email, you can copy and paste the information into the text field.

Failed to get LEF from server is displayed if the serial number or control number is incorrect.

4. Click Apply.
Successfully licensed is displayed.

You have a ctivated your Qlik Sense site license.

You are ready to connect to a user directory (optional), allocate user access or professional access, and set
up permissions.

Allocating access to users
Your license is either based on access types, with professional access allocation as an option, or on tokens,
with user access allocation as an option.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 9

2 Installing Qlik Sense Enterprise on

Access types license
Your Qlik Sense license includes a number of professional access allocations that are used to grant users in
your organization access to Qlik Sense.

Do the following:

1. In the QMC, from the Start menu, click L icense management.

The License usage summary screen is displayed.
2. Click the P rofessional access allocations tab.
3. Click the + Allocate button.
The Users screen is displayed.
4. Select the users that you want to provide access to from the list and c lick Allocate .

Allocate is disabled if the number of available allocations is insufficient for the number of selected users.

The users that you allocated access to appear in the Professional access allocations overview table.

Token-based license
Your Qlik Sense license includes a number of tokens that are used to allocate Qlik Sense access to users in
your organization.

Do the following:

1. In the QMC, from the Start menu, click L icense management.

The License usage summary screen is displayed.
2. Click the U ser access allocations tab.
3. Click the + Allocate button.
The Users screen is displayed.
4. Select the users that you want to provide access to from the list and c lick Allocate .

Allocate is disabled if the number of tokens available for allocation is insufficient for the number of selected users.

The users that you allocated access to appear in the User access allocations overview table.

Additional configuration
After you install Q lik Sense, you may want to:

 Create load balancing rules in the QMC to improve resilience and performance in a multi-node site.
 Configure the virtual proxy advanced settings to add your own hosts names to the white list.


Configure the user directory connector to r etrieve users from a user directory.

You are now ready to start using Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Modifying an object bundles installation
You can add or remove object bundles from your Qlik Sense deployment at any moment. If you have a multi-
node installation, object bundles are installed on the central node.

You can see which extensions are installed in your deployment by checking the Extensions section in the Qlik Manageme

Do the following:

1. In Control Panel, open Programs and Features.
2. In the list of programs, double-click the object bundle that you want to modify.
3. The Object Bundle Setup Wizard opens. Click Next.
4. Select Change.
5. On the Custom setup screen, click on the bundle icon to select how to modify the bundle installation:
o If the bundle is installed, select Entire feature will be unavailable to uninstall it.
o If the bundle is not installed, select Entire feature will be installed on local hard drive to
install it.
Then, click Next.
6. Click Change.
7. When the setup modification is complete, a message invites you to manually restart the Qlik Sense
Repository Service.
8. Click Finish to close the Object Bundle Setup Wizard.
9. Manually restart the Qlik Sense Repository Service to make the changes effective.

You can verify that the changes have been correctly applied by checking the Extensions section in the QMC.

2.2 Installing Qlik Sense in a multi-node site
A Qlik Sense multi-node deployment offers more configuration options than single node deployments. In a
multi-node site, you can distribute Qlik Sense services across one or more server nodes to optimize scalability
and performance.

Preparing a large, enterprise multi-node deployment requires careful planning, so first ensure that you have
considered all the architecture and configuration options a vailable.

For more information about single-node deployments of Qlik Sense, see Installing Qlik Sense on a single
node (page 91).

For more information on multi-node architecture and configuration options see:

 Planning your Qlik Sense Enterprise deployment (page 9)
 Qlik Sense Enterprise on Windows architecture (page 29)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

 Qlik Sense Enterprise on Windows security (page 185)
 Performance (page 65)

Before you install:

 Check that your planned environment meets the system requirements.
See: System requirements for Qlik Sense Enterprise (page 19)

 Prepare the user accounts required to run the Qlik Sense services o n the computer where you plan to
install Qlik Sense.
See: User accounts (page 66)

Important: If during the installation, you want to run the Qlik Sense services as a local user, without administrator rig

 Ensure that your firewall is enabled and you have created the appropriate rules to allow rim nodes to
communicate with the central node.
See: Ports (page 46) for a full list of ports.

 Repository database - if you already have a Qlik Sense repository database on another server f rom a
previous installation, you can continue to use this i n your new deployment. If you do not intend to us
e this database then remove it before you start.
 Create a local file share to store your Qlik Sense application data.
See: Creating a file share (page 111)

 Understand how Qlik Sense uses the License Enabler File (LEF) for licensing, and have your license
key available.
See: Qlik Sense Licenses (page 11)

This topic includes the following sections:

 Installing Qlik Sense (page 99)
 Adding a Qlik Sense node (page 108)

Installing Q lik Sense
You can install a Qlik Sense server as either a central node or as a rim node. In a multi-server site, rim nodes
must be connected to a central node. See: Qlik Sense Enterprise on Windows architecture (page 29). If yo
u
are installing a central node, you may also wish to configure a failover candidate. You only have the option to
create a failover candidate when you are creating a node.

To install a node:

1.
Create a file share before you run the Qlik Sense setup. The file share is a shared folder that stores a
ll
the Qlik application data and must be accessible to all nodes in your Qlik Sense site. You can create a
file share either on the same server computer as the central node or on another s erver.
See: Creating a file share (page 111)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

2. Log in to the computer where you plan to install Qlik Sense as a domain or local Windows
administrator. You must have full administrator rights to run the Qlik Sense setup. You can start the
Qlik Sense services as either an administrator or a local user without administrator privileges.
See: User accounts (page 66).
3. Download the Qlik_Sense_setup.exe file.
See: Downloads
4. Run the installation program as an administrator, and on the first screen click Install.
5. Read the License agreement screen. If you agree, select the check box and click Next.
6. On the Create or join a cluster screen, you have two options:
 Create cluster - To install a central node. All the other nodes in your site will connect to this
node.
 Join cluster - To install a r im node that connects to a central node (if you choose this option,
fewer screens are displayed in the setup).
7. On the Host Name screen, enter the address for the Qlik Sense node that you are installing, and click
Next. The address must be in a format that other nodes can use when connecting to this node,
otherwise the connection will fail.
For example:

 IP address: 10.1.123.234
 Machine name: WIN-QS1BOL9FM99D
 Fully qualified machine name: WIN-QS1BOL9FM99D.CUSTOMER.COM

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Ensure that the recommended server node name displayed in the Enter the address for this machine field matche

8. On the Shared persistence database connections settings screen, select the Install local
database check box if you want to install a local repository database, or leave the check box
unchecked if you want to connect to an existing repository database hosted on another server.
Installing and configuring PostgreSQL (page 115)
If you want to install a local repository database, then enter the following values:

Field name Value

Database host name localhost

Database port 4432
Database user qliksenserepository

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Field name Value

Do not enter the username postgres.

Database user password Create a password to access the local r epository database.

If you want to connect to an existing repository database on another server, then enter the following
values:

Field name Value

Database host name Enter the full URL to your repository database.

Database port 4432

Database user qliksenserepository

This is the login role you created in the PostgreSQL database (QSR)
Database user password Enter the password you created in PostgreSQL.

Make a note of these values as you will need them again when you install a rim node.

All Qlik Sense servers must be in the same geographic location or data center as the repository database and the fil

9. On the Database configuration screen, under Advanced settings, configure the listen addresses,
IP ranges, and max connections from other nodes, and click Next. This is an optional step if you
install a local repository database. You can also configure the database service listener directly in your
PostgreSQL repository database. See: Installing and configuring PostgreSQL (page 115)
Enter the following values:

Field Example
Description
name Value

Listen The IP address(es) to listen on. *
addresses
Use the value * to allow access for all IP addresses. If entering
multiple listen addresses use a comma separated list.

IP ranges To allow all servers to access the repository database, use the 0.0.0.0/0,::/0

value 0.0.0.0/0 (for all IPv4 addresses) and : :/0 (for all IPv6
addresses).

If entering multiple IP addresses use a comma separated list.

Max Specify the maximum number of concurrent connections to the 100

connections database. The default value for a single server is 100.
320

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Field Example
Description
name Value
For optimal performance, for machines with low number of cores
use the default value. For machines with high number of cores, to
calculate this value, multiply the number of cores by 5 (5 x number
of cores).

The second example value is calculated for a server with 64 cores.

This screen does not appear if you are using a remote PostgreSQL database or if your are installing a rim node (Jo

10. On the Service Credentials page, enter the domain, user name and password for the account that
you want use to run the Qlik Sense services, and click Next.
User accounts (page 66)

If you enter a username that is more than 20 characters long, it must be in UPN format, and must include the full dom

11. On the Shared persistence storage screen, enter the path or URL to your file share, for example
\\<domain>\QlikShare and click Next. Y
our file share can either be a local folder or a remote folder on another server.
Creating a file share (page 111)

This screen does not appear if you are installing a rim node (Join cluster option).

12. On the Centralized Logging screen, leave the Configure centralized logging check box selected
if you want to set up centralized logging, or clear the check box if you want logs to be written to files. If
you decide not to set up centralized logging at this time, you can set it up later by using the logging
service utility; see Qlik Logging Service (page 227).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

If you are installing Qlik Sense on a central node and you want to write logs to the d atabase that is
installed with Qlik Sense, click New logging database. Enter the following values and click Next.

Field name Value

Log writer Create a password for the qlogs_writer user to access the centralized
password PostgreSQL database.

Log reader Create a password for the qlogs_reader user to access the centralized
password PostgreSQL database.

Do not use mixed character sets when creating a password.

If you want to write logs to an existing database on another node, click Standalone logging
database. Enter the following values and click Next.

Field name Value

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Hostname Enter the hostname or IP address of the standalone logging database.

Port Enter the port number that you specified for the standalone logging
database.

Log writer password Enter the password f or the qlogs_writer user.
Log reader Enter the password f or the qlogs_reader user.
password
I f you use a logging database on another node, ensure that this is a new and empty logging database
before proceeding with the installation. If a QLogs db is already present on the remote database the
schemas may be incompatible.
See: Installing and configuring PostgreSQL (page 115)
13. On the Installation location screen, choose a location to install Qlik Sense or use the default location
on the C:\ drive, and click Next.
14. On the Repository Database Superuser Password screen, create a superuser password for the
PostgreSQL database, and click Next.

This screen does not appear if you are using a remote PostgreSQL database or if your are installing a rim node (Join

15. On the Ready to install screen, optionally select to create desktop shortcuts and automatic start of
the Qlik Sense services when the setup is complete.

If you want to use a dedicated service account to run the Qlik Sense services, clear the Start the Qlik Sense servi

16. In the Supported object bundles section, o ptionally select to install the object bundles. Then, select

which object bundles you want to install from the list of those available for your Qlik Sense installation.
You can always add or remove object bundles from your Qlik Sense installation at a later moment.
See: Modifying an object bundles installation (page 110)

17. In the Help Us Improve section, optionally select if you want to share system data with Qlik in
anonymous form. You can learn more about what data Qlik collects by clicking the link in the
message.
18. If you have chosen not to install the extension bundles, click Install. Otherwise, click Next.
19. If you are installing any of the extension bundles, accept the extension bundle license agreement.
Then, click Install.
20. You will see a message indicating that Qlik Sense has been installed successfully.
Click Finish.

21. If you selected local system as the user account type in the Service Credentials screen, but wish to
use a dedicated service account to run the Qlik Sense services, change the user account type and
manually start the Qlik Sense services now. See User accounts (page 66)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Configuring PostgreSQL multi-node connections
In the postgresql.conf configuration file, you need to edit the max_connections setting, d epending on how
many nodes you require in your site. If you do not configure this setting correctly, and reach the connection
pool limit, then PostgreSQL will reject any further connections.

To configure the max_connections setting:

1. Stop the Q lik Sense services.

2. Navigate to the postgresql.conf file in
C:\ProgramData\Qlik\Sense\Repository\PostgreSQL\<version> of your Qlik Sense installation.
3. To edit this setting, open the file in a text editor as an administrator.
4. Make the following configuration changes:
Example
Setting Description
Value
max_connections To calculate this value: Sum of max_connections o
n all nodes 600

+ (10 x number of nodes).

For example, 1320 = 4 nodes with max_connections set to
320 for each node.

5. Save your changes.
6. Start the Q lik Sense services.

You are r eady to license your Qlik Sense installation.

Licensing Qlik Sense
Before you can start using Qlik Sense you must activate your site license.

To activate your license:

1. Open the Qlik Management Console (QMC) by entering the QMC address in your browser.
By default, the QMC address is https://<QPS server name>/qmc.
The QMC displays the Site license properties screen the first time you open it.
2. Enter the license information from the License Enabler File (page 14) (LEF).
The property group Site license contains properties related to the license for the Qlik Sense system.
All fields are mandatory and must not be empty.

If you want to set up Qlik Sense Enterprise SaaS or Qlik Sense Enterprise on Kubernetes, please contact your Qli

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Property name Description

Owner name The user name of the Qlik Sense product owner.

Owner organization The name of the organization that the Qlik Sense product owner is a
member of.

Serial number The serial number assigned to the Qlik Sense software.

Control number The control number assigned to the Qlik Sense software.

3. Expand LEF access and click Get LEF and preview the license. If you received your LEF via
email, you can copy and paste the information into the text field.

Failed to get LEF from server is displayed if the serial number or control number is incorrect.

4. Click Apply.
Successfully licensed is displayed.
5. Click Close.

You have a ctivated your Qlik Sense site license.

You are ready to connect to a user directory (optional), allocate user access or professional access, and set
up permissions.

Allocating access to users
Your license is either based on access types, with professional access allocation as an option, or on tokens,
with user access allocation as an option.

Access types license
Your Qlik Sense license includes a number of professional access allocations that are used to grant users in
your organization access to Qlik Sense.

Do the following:

1. In the QMC, from the Start menu, click L icense management.

Allocate is disabled if the number of allocations available is insufficient for the number of selected users.

The users that you allocated access to appear in the Professional access allocations overview table.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

In a multi-node site, all nodes share the same license, so you only need to activate your license once on the central node.

If you have created a rim node, you are now ready to register the rim node with the central node.

Token-based license
Your Qlik Sense license includes a number of tokens that are used to allocate Qlik Sense access to users in
your organization.

Do the following:

1. In the QMC, from the Start menu, click L icense management.

Allocate is disabled if the number of tokens available for allocation is insufficient for the number of selected users.

The users that you allocated access to appear in the User access allocations overview table.

In a multi-node site, all nodes share the same license, so you only need to activate your license once on the central node.

If you have created a rim node, you are now ready to register the rim node with the central node.

Adding a Qlik Sense node
After installing a central node and a rim node, configure the central node to connect to the rim node. Before
you can verify that a rim node is running correctly you must connect it to the central node. Use the QMC on
the central node to register a rim node.

To configure a central node to connect to a rim node:

1. On the central node, open the QMC, and click Nodes.
2. Click Create new.
3. In the Edit node window, enter the following configuration details about the node you want to connect
to:
Field name Description Example value

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Name Provide a suitable name for the node. For example,

Consumer node 1

Host name Enter the full URL of the node you want to connect to. For example,

<domain>-<server-
name>.qliktech.com

Node Choose a suitable purpose for the node: For example, choose

purpose Production for a
 Production
scheduler node or
 Development Development for a
 Both developer node used
for creating apps.

Check that your
license supports the
node purpose that
you have chosen.

Node Select this node as a failover candidate. For example, if you

configuration select this node as a
failover candidate it
means that this node
can perform the
same role as the
central node if the
central node fails.
See: Configuring
failover for central
node resiliency
(page 112)

Service Select the services you want to run on this server node: For example, if you

activation are installing a
 Repository
consumer node,
 Engine select the
 Printing Repository and
 Proxy Engine services.
 Scheduler
For more information
on which services to
run on different types
of nodes, see: Qlik
Sense Enterprise on
Windows
architecture (page
29) and Services
(page 31)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

4. Click Apply. The central node generates a certificate that you use to register the rim node. If the
central node cannot connect to the rim node you will see a Node registration error message. If you
get this error, first check that you have opened port 4444 on the central and rim nodes to allow
certificates to be sent.
5. The Install certificates pop-up window then opens providing you with a URL and a password to
authorize the certificate on the rim node.
6. On the rim node, paste the URL into a new browser window.
7. On the Install certificates page (in your browser), enter the password and click Submit. If successful,
you see the Successfully licensed message.
8. Follow the same authorization procedure for each node that you want to add to your deployment.
9. To verify that all rim nodes are configured correctly, open the QMC, click Nodes and you can see the
status of all the nodes in your deployment.

Verify your installation
To verify that Qlik Sense has installed correctly:

1. Open the Qlik Management Console (QMC).
2. Open the Qlik Sense Hub.

If the QMC and Hub open without any security warnings displayed in the browser, then you have installed Qlik
Sense correctly.

Additional configuration
After you have installed and verified that Qlik Sense is running correctly, you may find the following
configuration information useful:

 Load balancing - create load balancing rules in the QMC to improve resilience and performance in a
multi-node site.
 Host white list - configure the virtual proxy advanced settings to add your own hosts names to the
white list.
 User imports (UDC) - configure the user directory connector to r etrieve users from a user directory .

If you are installing custom connectors in a multi-node setup, the custom connectors must be installed on each node.

You are now ready to start using Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

You can see which extensions are installed in your deployment by checking the Extensions section in the Qlik Managem

Do the following:

You can verify that the changes have been correctly applied by checking the Extensions section in the QMC.

2.3 Creating a file share
Creating a file share or shared folder is a necessary prerequisite before you install Qlik Sense. The file share
is used to store all the Qlik application data and must be accessible to all nodes in your Qlik Sense site. You
can create a file share either on the same server as the central node or on a separate server. If you have
a large multi-node site we recommend that you configure the file share on a dedicated server for better
resilience and performance.

If you create the file share on a separate server then you can follow the same steps as for a central node but
you must ensure that t he same Windows domain user that you use to run the Qlik services has read and write
access to the file share folder.

To create a file share and share the folder with specific users:

1. Create a local folder on your server computer. For example, create a folder called QlikShare on the
C:\ drive.
2. Right click the folder, and then click Properties.
3. Click the Sharing tab, and then click Share.
4. Enter the name of your Windows user, and click Add.
5. In the Permission level column, select Read/Write, then click Share.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Make a note of the network path shown in the confirmation screen as you use this later during setup of your shared persis

Ensure that permissions on the folder, subfolders, and files are set to full control for the user account you
selected.

To do this:

1. Click the Security tab.
2. Select the user account you want to use for the installation.
3. Click Advanced and check that your user has full control and that this permission applies to the
folder, subfolders, and files.
4. Click the Effective Access tab and then click Select a user and enter your user account name.
5. Click View effective access and check i n the Permission column that your user has full control.

2.4 Configuring failover for central node resiliency
In a multi-node site, you can assign a node to be a failover candidate. A failover candidate
can
perform the same role as the central node in the case where the central node fails. A multi-
node
site with a designated failover candidate can help you achieve a more resilient and highly-
available deployment.

Failover considerations
Before you create a failover candidate node, it is important to consider your deployment architecture. A
failover candidate node can help you maintain a resilient and highly available deployment by minimizing the
downtime of your site if the central node fails. However, the failover candidate node provides failover capacity
only for the Qlik Sense services running on the central node. If you want to create a highly available
deployment, you must add resiliency to the storage layer as well.

Each node in your multi-node site must meet the minimum system requirements. For a complete list, see System requirem

Storage layer resiliency
If the storage components reside on the central node when it fails, they become unavailable because the
failover candidate node does not provide failover for the storage components. You can add resiliency to your
repository database and the file share by deploying them on a separate node from your central node. Other
options to add resiliency are:

 Deploy a standalone database on a virtual machine and take advantage of the resiliency options
provided by the virtualization platform.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

 Host the file share in a network file location or a storage area network (SAN), or use resilient storage
provided by a cloud platform.

For information about database replication and failover, see D atabase replication and failover (page 218).

Create a failover candidate node
When you create your multi-node site, you first create the central node and then you join additional nodes to
the cluster. From the QMC, you can set one of these non-central nodes to be the failover candidate. T
he
failover candidate will take over the responsibility of the central node if it fails. To set a failover candidate
node, see Create a node.

The failover candidate node can have different functions depending on your deployment. For example, the node that is desig

Once you add more nodes to your site, you can assign one or more of them to be a failover candidate. For a
node to be a failover candidate, it must run the following services:

 Qlik Sense Repository Service
 Qlik Sense Engine Service
 Qlik Sense Proxy Service
 Qlik Sense Scheduler Service

Automatic failover
In a multi-node site, each node regularly checks the central node for a heartbeat. If after 10 minutes (the
default timeout period is 10 minutes) there is no response from the central node, the site will automatically
fail over to the failover candidate node. If there is more than one failover candidate node, the first node to get
a lock on the database field becomes the central node. If the node that was previously the central node
comes back online, it becomes a failover candidate node.

You can view the status of the nodes that make up your multi-node site in the QMC. The default view does
not include the node type, but you can customize the node information that is displayed. To see the node
information, and to configure the information displayed about each node, see Nodes.

The default timeout period for the central node is 10 minutes, but you can change it in the QMC. To change
the default timeout, see Cluster settings.

Failover candidate node with inbound and outbound ports
As mentioned above, the failover candidate can have different roles, depending on your organizational
needs. The example below shows a multi-node site with a single failover candidate node that is running as
the slave scheduler in this site. T
he failover candidate must have the same inbound and outbound ports open
as the central node. As the failover node acts as the slave scheduler, therefore, port 5151 and 5050 must be
open inbound and outbound on their respective nodes for scheduling jobs to the failover candidate node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Inbound ports indicate the listening ports for the services running on each node. Firewall rules must allow inbound traffic t

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on
For a complete list of inbound and outbound ports for all services, and to see more deployment examples,
see Ports (page 46).

Manually migrating the central node
You cannot use the QMC to change which node in your site is the central node. You can, however, use the
QRS REST API to do this. Before manually reassigning a f ailover candidate node to a central node role, you
must ensure that it is running the necessary services for the central node.

Use the following REST API calls:

 Run a GET to /qrs/serverNodeConfiguration to return a list of server GUIDs.

 Run an empty POST to / qrs/failover/tonode/{serverNodeConfigurationID} where
{serverNodeConfigurationID} is the ID of the node you want to become the central node.

2.5 Installing and configuring PostgreSQL
To improve performance in a Qlik Sense multi-node deployment, you have the option to
install
your repository (QSR), SenseServices, QSMQ, QLogs logging, and Licenses databases on
a dedicated, remote PostgreSQL server.

The QSR, SenseServices, QSMQ , and Licenses databases share the same login role and must be installed
on the same PostgreSQL instance. If you already have a PostgreSQL database installed as part of a
previous deployment, you can continue to use it.

In Qlik Sense Enterprise, configuring all the components of a Multi-Cloud deployment is optional. However, all deployme

If Qlik Sense uses a PostgreSQL database on a dedicated infrastructure, then it can use supported versions of Postgre
You can run the instance of PostgreSQL on platforms including Windows, Linux or cloud hosted services, such as Am

The Qlik Sense repository database (QSR)
The QSR is the primary database in your Q lik Sense deployment.

If you want to install the QSR database on a dedicated PostgreSQL server, you must install a nd configure
PostgreSQL before you install Qlik Sense, as you will need to enter the PostgreSQL server/host details in the
Qlik Sense installer.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

The Qlik Sense services database (SenseServices)
The SenseServices d atabase contains schemas for each of the Qlik Sense services and allows growth
independently of the Qlik Sense Repository Database, while still sharing the same PostgreSQL instance and
login role.

The Qlik Sense message queue database (QSMQ)
The QSMQ database provides a light-weight method of passing messages internally between services in Qlik
Sense Enterprise. T
he NOTIFY and LISTEN functionality in PostgreSQL allows services to be notified about
new messages that have been written to the messaging table.

The Qlik Sense logging database (QLogs)
The QLogs database centralizes logging by collecting l og messages from all Qlik Sense nodes in your
deployment and stores them in a PostgreSQL database.

When you install the QLogs database as a standalone logging database, you can configure it either before or
after you install Qlik Sense.

 If you install t he QLogs database before t he Qlik Sense installation, then you will need to create the
QLogs database login roles manually.
 If you install t he QLogs database after installing Qlik Sense, use the Qlik.Logging.Service.exe
setup
command. When you run this command, you specify a remote host and the script will automatically
create the QLogs database and login roles for you. For more information, s
ee: Qlik Logging Service (page 227)

The licenses service database (Licenses)
The licenses database contains a local copy of license data to allow faster response times and more
robustness. It is only accessed by the licenses service.

To install a dedicated PostgreSQL server with QSR, SenseServices, QSMQ, QLogs, and Licenses
database:

 Install PostgreSQL
 Create the PostgreSQL databases, and configure login roles.
 Edit the configuration files to allow access from Qlik Sense nodes.
 Verify that the database has installed and is running correctly.

Installing PostgreSQL
Before installing a dedicated PostgreSQL server instance, check that your server fulfills the system
requirements on www.postgresql.org.

If you are installing on Microsoft Azure with an Azure database for PostgreSQL, follow the instructions in .

To install PostgreSQL on a dedicated server:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

1. Log in to the server where you want to install PostgreSQL as an administrator.
See: User accounts (page 66)
2. Download PostgreSQL EnterpriseDB version 9.6 from the PostgreSQL website.
To know which versions of PostgreSQL are supported in Qlik Sense, see: System requirements for
Qlik Sense Enterprise
3. Run the PostgreSQL setup wizard.
4. On the Installation Directory and Data Directory screens, accept the default paths.
5. On the Password screen, create a password for the PostgreSQL superuser.
You will use this password w hen you connect to the PostgreSQL database and you will also be
prompted for it when you run the Qlik Sense setup.
6. On the Port screen, specify port 4432. This port is required for communication between a
ll the nodes in a site.
7. In the Advanced Options screen, accept the default locale.
8. In the Ready to Install screen, click Next to run the setup.
9. After running the setup, you have the option to install S
tack Builder. Clear the check box if you want to install this later.
10. Click Finish to complete the installation.

When you install PostgreSQL EnterpriseDB, the pgAdmin tool is included.

Creating a PostgreSQL database
You can create a repository QSR, SenseServices, QSMQ, QLogs (logging), and Licenses database manually
with the pgAdmin tool or using a script.

To create a new, empty PostgreSQL database using the pgAdmin tool:

1. Open the pgAdmin tool.
2. In the pgAdmin Browser, under Servers, right-click the PostgreSQL node and then click Connect
Server.
3. Enter your PostgreSQL superuser password to make a connection. A green status bar appears in the
lower right corner of your screen when the server connection is successful.
4. Right-click the Databases node, click Create, and then click Database.
5. Enter the name of the database you are creating, and then click Save.

To create a new, empty PostgreSQL database by running a script in the pgAdmin tool:

1. Open the Query Tool. First select an existing database, such as postgres, to display the Query
Tool option in the Tools menu.
2. Execute the following script:
CREATE DATABASE "<databasename>" ENCODING = 'UTF8'; --creates an empty database.
Replace <databasename> with QSR for the repository database, SenseServices for the SenseServices
database, QSMQ for the message queue database, Licenses for the license service, and QLogs if you are
creating a logging database.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Creating l ogin roles
You need to create login roles for users when you create a PostgreSQL database. You can create login roles
using the pgAdmin tool or by running a script.

The QSR, SenseServices, QSMQ, and Licenses login role
To create login roles u sing the pgAdmin tool:

1. Right-click the Login/Group Roles node. To create a new database user, click Create, and then
click Login/Group Role.
2. In the Create - Login/Group Role window, in the General tab, enter the name
qliksenserepository.
3. In the Privileges tab, enable Can login? and leave the other default privileges unchanged.
4. In the Definition tab, enter a password of your choice, and click Save.
When you run the Qlik Sense setup, in the Shared persistence database connections settings
screen, you are asked to enter t he Database user password that you created here so that Qlik Sense
can connect to the repository database.
5. Make qliksenserepository the owner of the QSR, SenseServices, QSMQ, and Licenses
databases. To do this, right-click the QSR, SenseServices, QSMQ, and Licenses databases you
created earlier, and then click Properties.
6. In the General tab, in the Owner drop-down, select qliksenserepository as Owner of the QSR,
SenseServices, QSMQ, and Licenses databases and click Save.

To create login roles by running a script in the pgAdmin tool:

Open the Query Tool. Select an existing database, t o display the Query Tool option in the Tools menu.

Run the following script:

CREATE ROLE "qliksenserepository" WITH LOGIN NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE

NOREPLICATION VALID UNTIL 'infinity'; -- change <qliksenserepository_user_pass> to your password
for the repository service user
ALTER ROLE "qliksenserepository" WITH ENCRYPTED PASSWORD '<qliksenserepository_user_pass>';
GRANT qliksenserepository TO postgres;

ALTER DATABASE "QSR" OWNER TO "qliksenserepository";

ALTER DATABASE "SenseServices" OWNER TO "qliksenserepository";
ALTER DATABASE "QSMQ" OWNER TO "qliksenserepository";
ALTER DATABASE "Licenses" OWNER TO qliksenserepository;

GRANT TEMPORARY, CONNECT ON DATABASE "QSMQ" TO PUBLIC;

GRANT ALL ON DATABASE "QSMQ" TO postgres;
GRANT CREATE ON DATABASE "QSMQ" TO "qliksenserepository";
GRANT TEMPORARY, CONNECT ON DATABASE "SenseServices" TO
PUBLIC;
GRANT ALL ON DATABASE "SenseServices" TO postgres;
GRANT CREATE ON DATABASE "SenseServices" TO "qliksenserepository";

GRANT TEMPORARY, CONNECT ON DATABASE "Licenses" TO PUBLIC;

GRANT ALL ON DATABASE "Licenses" TO postgres;
GRANT CREATE ON DATABASE "Licenses" TO qliksenserepository;

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Include a password for qliksenserepository as you will be prompted for this when you install Qlik Sense.

The QLogs login role
To create login roles for the QLogs database by running a script i n the pgAdmin tool:

1. Open the Query Tool. Select an existing database, t o display the Query Tool option in the Tools
menu.
2. Run the following script:
CREATE ROLE qlogs_users WITH NOLOGIN NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE
NOREPLICATION VALID UNTIL 'infinity';
CREATE ROLE qlogs_reader WITH LOGIN NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE
NOREPLICATION VALID UNTIL 'infinity';
CREATE ROLE qlogs_writer WITH LOGIN NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE
NOREPLICATION VALID UNTIL 'infinity'; --creates users and assigns privileges
ALTER ROLE qlogs_reader WITH ENCRYPTED PASSWORD '<qlogs_reader_password>'; --assigns
password to qlogs_reader
ALTER ROLE qlogs_writer WITH ENCRYPTED PASSWORD '<qlogs_writer_password>'; --assigns
password to qlogs_writer
GRANT qlogs_users TO qlogs_reader;
GRANT qlogs_users TO qlogs_writer; --adds qlogs_reader and qlogs_writer to qlogs_users
group ALTER DATABASE "QLogs" OWNER TO qlogs_writer; --sets qlogs_writer as an owner of
QLogs database

Include a password for qlogs_reader and qlogs_writer as you will be prompted for these when you install Qlik Sense.

Configuring PostgreSQL
To allow communication between your PostgreSQL repository database a nd your Qlik Sense nodes, edit the
pga_hba.conf and postgresql.conf configuration files.

Make a backup copy of the postgresql.conf and pg_hba.conf files before you start, so that you have the option to revert ba

The paths in the instructions are adapted to a default PostgreSQL installation used as database on a dedicated serve

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

postgresql.conf
The postgresql.conf file enables you to specify general parameters for your PostgreSQL server, such as for
auditing, authentication, and encryption. Edit this file to control which Qlik Sense nodes can access your
PostgreSQL database server.

To edit the postgresql.conf file:

1. Navigate to the postgresql.conf file in C:\Program Files\PostgreSQL\<version>\data of your
PostgreSQL installation.
2. Open the file in a text editor as an administrator.
3. Make the following configuration changes:
Example
Setting Description
Value
listen_ Enter the IP address(es) to listen on. If entering multiple listen *
addresses
addresses, use a comma separated list.
Enter * to listen for connections from all IP addresses.
max_ Defines the maximum number of client connections allowed. 600
connections 1320
To calculate this value: Sum of max_connections o
n all nodes + (10 x number of nodes).
The second example value calculates the max_connections for a
deployment of 4 nodes with max_connections set to 320 for each node
.

4. Save your changes.

For more detailed information about setting these parameters, see the PostgreSQL documentation.

pg_hba.conf
The pg_hba.conf file handles client authentication. Each record specifies a connection type, such as a client
IP address range, database name, user name, and the authentication method used.

To edit the pg_hba.conf file:

1. Navigate to the pg_hba.conf file in C:\Program Files\PostgreSQL\<version>\data of your
PostgreSQL installation.
2. Open the file in a text editor as an administrator.
3. Locate the following line:
host all all 127.0.0.1/32 md5
This line determines which servers can access the r epository database server. The default address
setting, 127.0.0.1/32, only allows local host to access the database.
4.
Replace 127.0.0.1/32 with a sub net specification that covers all the IP addresses of the nodes in your
site. When specifying these settings, add one row for each node, using /
32 as a suffix for each address, or
add a sub net that covers all addresses using, for example, /24 as a suffix:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

 IPv4 (32-bit addresses):
o To specify a single address: 192.168.1.0/24, or 172.20.143.89/32
o For a small network: 172.20.143.0/24, or 10.6.0.0/16 for a larger one.
o To allow access from all IPv4 addresses: 0.0.0.0/0
 IPv6 (128-bit numeric addresses):
o For a single host: ::1/128 ( in this case the IPv6 loopback address)
o For a small network: fe80::7a31:c1ff:0000:0000/96
o To allow access from all I Pv6 addresses: ::/0

When you add the IPv6 connections and use hostname in the address column, both the forward and reverse nslook

5. Save your changes.

For more information on how to set a more restrictive IP address, see the PostgreSQL documentation.

You have installed and configured a PostgreSQL database on a separate server. You are now ready to
resume your installation of Qlik Sense.

2.6 Installing and configuring PostgreSQL on Azure
This topic describes how to install and configure PostgreSQL on Microsoft Azure. For more general
instructions regarding PostgreSQL installation and configuration, see Installing and configuring PostgreSQL
(page 115).

To improve performance in a Qlik Sense multi-node deployment, you have the option to install your
repository (QSR), SenseServices, QSMQ, and Licenses databases on a dedicated, remote PostgreSQL
server.

In Qlik Sense Enterprise, configuring all the components of a Multi-Cloud deployment is optional. However, all deployme

The Qlik Sense repository database (QSR)
The QSR is the primary database in your Q lik Sense deployment.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

The licenses service database (Licenses)
The licenses database contains a local copy of license data to allow faster response times and more
robustness. It is only accessed by the licenses service.

The QSR, SenseServices, QSMQ, and Licenses databases share the same login role and must be installed on the same P

If you already have a PostgreSQL database installed as part of a previous deployment, then you can continue to use it.

If Qlik Sense uses a PostgreSQL database on a dedicated infrastructure, then it can use PostgreSQL version 9.6. You

Setting up a PostgreSQL database in Azure
Before you install Qlik Sense, you need to set up a database in Azure

. Do the following:

1. Go to the Azure portal: https://portal.azure.com.
2. Search for Azure Database for PostgreSQL.
3. For the PostgreSQL server input fields, enter your values. The following three values must be filled
in:
Server name: <your unique instance name, example: qliksensedemo>
Server admin login name: postgres
Version: 9.6

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

4. Under C onnection security , click Add client IP to whitelist the connection.

5. Disable SSL encryption.

Connecting to the database using pgadmin 4.x
Do the following:

1. If not already installed, download and install the pgAdmin tool from the following site:
https://www.pgadmin.org/download/pgadmin-4-windows/.
2. Create a connection to the instance you checked out, in this case:
qliksensedemo.postgres.database.azure.com.
3. Enter user: postgres@qliksensedemo
4. Enter the password that you used when setting up the database.

When installing the Sense database, you need to specify the user as qliksenserepository@dbinstance, while remai

5. Once connected to the Azure instance, open up a database and open the query tool.
6. In the Query Editor, add the following lines of code:
-- one by one, for creating the DB

CREATE DATABASE "QSR" ENCODING = 'UTF8';

CREATE DATABASE "SenseServices" ENCODING = 'UTF8';
CREATE DATABASE "QSMQ" ENCODING = 'UTF8';
CREATE DATABASE "Licenses" ENCODING = 'UTF8'; //one at a time

-- from here the whole script

CREATE ROLE "qliksenserepository" WITH LOGIN NOINHERIT NOSUPERUSER NOCREATEDB NOCREATEROLE

NOREPLICATION VALID UNTIL 'infinity'; -- change <qliksenserepository_user_pass> to your
password for the repository service user
ALTER ROLE "qliksenserepository" WITH ENCRYPTED PASSWORD '<qliksenserepository_user_pass>';
GRANT qliksenserepository TO postgres;

ALTER DATABASE "QSR" OWNER TO "qliksenserepository";

ALTER DATABASE "SenseServices" OWNER TO
"qliksenserepository"; ALTER DATABASE "QSMQ" OWNER TO
"qliksenserepository";
ALTER DATABASE "Licenses" OWNER TO qliksenserepository;

GRANT TEMPORARY, CONNECT ON DATABASE "QSMQ" TO PUBLIC;

GRANT TEMPORARY, CONNECT ON DATABASE "Licenses" TO PUBLIC;

GRANT ALL ON DATABASE "Licenses" TO postgres;
GRANT CREATE ON DATABASE "Licenses" TO qliksenserepository;

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

The new script does not include Qlogs, because Qlik Sense logging service does not support PostgreSQL in cloud deploy

Installing Qlik Sense
Now that you have set up the PostgreSQL database on Azure, you can install Qlik Sense.

Do the following:

1. Follow the installation instructions in Installing Qlik Sense on a single node (page 91)The following
values must be used on the appropriate pages:
2. On the page Shared persistence database connection settings:
Database host name: qliksensedemo.postgres.database.azure.com
Database port: 5432
Database user: qliksenserepository@qliksensedemo

When you have installed Qlik Sense your setup is complete.

2.7 Configuring a proxy for Qlik License Service
communication in Qlik Sense Enterprise on Windows
You can handle the communication between the Qlik License Service and the License Back-
end with a proxy.

The Qlik License Service is included in Qlik Sense Enterprise February 2019 and later releases and is used
when Qlik Sense is activated using a signed key license. The Q
lik License Service stores the information about the license, and communicates with a License Back-
end Service, hosted by Qlik, for product
activations and entitlement management. Port 443 is used for accessing the License Back-end Service and
retrieving license information.

With Qlik Sense June 2019 or later you can configure the communication between Qlik License service and
the Qlik License Back-end to be handled by a proxy.

In Qlik Sense Enterprise on Windows, configuration of a proxy for the Qlik License Service is done using
command line parameters. Both HTTP and HTTPS scheme are supported.

With Qlik Sense June 2020 or later NTLM and basic authentication capabilities to the licenses service when
communicating over a HTTP tunnel are available. This allows you to require authentication on tunneling
proxies to configure a more secure environment.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

1. Stop the Qlik Sense Service Dispatcher, which handles the execution of the Qlik License Service.
2. Navigate to the services.conf file, which by default is located in:
%Program Files%\Qlik\Sense\ServiceDispatcher\services.conf

3. Locate the section [licenses.parameters], which by default contains the following lines:
[licenses.parameters]
-qsefw-mode
-app-settings="..\Licenses\appsettings.json"

4. Add the line -proxy-uri=http://myproxy.example.com:8888 as shown below:
[licenses.parameters]
-qsefw-mode
-proxy-uri=http://myproxy.example.com:8888
-app-settings="..\Licenses\appsettings.json"
Where "http://myproxy.example.com" is the address of your company's proxy, and "8888" is the port
used by the proxy.

5. Run Encrypt-Password.ps1 -password [user password] and insert the output of the script in the next

step.
6. To require authentication on tunneling proxies add the following lines:
-proxy-uri=[the uri of the proxy]
-proxy-auth-mode=ntlm|basic|(leave empty for no authentication)
-proxy-user=[username without domain]
-proxy-encrypted-password=[password]
-proxy-domain=[the domain] (only for NTLM)

7. Save the file and close.
8. Restart the Qlik Sense Service Dispatcher.
9. If you have a multi-node installation, repeat these steps for all the nodes in your installation.

After a version upgrade, you may need to add the settings back to the services.conf file, see .

2.8 Configuring preferred cipher suites for Q lik License

Service in Qlik Sense Enterprise on Windows
You can rank the preferred cipher suites that Qlik License Service uses to encrypt and decrypt
the signed key license.

The Qlik License Service is included in Qlik Sense Enterprise on Windows February 2020 and in later
releases.

The Qlik License Service uses Mutual TLS Authentication (mTLS) to ensure requests coming from both the
server and client are trusted. The Qlik License Service listens on port 9200.

TLS 1.2 is supported since June 2017.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on
The following list shows the supported cipher suites:

 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA25
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 TLS_RSA_WITH_AES_128_GCM_SHA256
 TLS_RSA_WITH_AES_256_GCM_SHA384
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA

To configure the preferred cipher suites for the Qlik License Service, do the following:

1. Open the service.conf file. The default path is %Program Files%\Qlik\Sense\ServiceDispatcher\

service.conf.
2. Go to the following section:
[license.parameters]
-qsefw-mode
-app-settings="..\Licenses\appsettings.json"

3. Add a comma-separated list of ciphers to his section, as shown below:
[license.parameters]
-qsefw-mode
-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-app-settings="..\Licenses\appsettings.json"

4. Save the file and close.
5. Restart the Qlik Sense Service Dispatcher, which handles execution of the Qlik License Service.
6. If you have a multi-node environment, repeat the steps above for each node.

2.9 Changing the user account to run Qlik Sense services
Before you install, change or upgrade your Qlik Sense installation, you must choose an administrator or non-
administrator account to run the Qlik Sense services. For example your company policy may require you to
run the Qlik Sense services as a user without administrator privileges.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

If you want to upgrade from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 you must use a service user account (loc
See:

Using an account without administrator privileges to run the Qlik
Sense services during the installation of a node
To install a rim node in this way you need to run an additional bootstrap command from an elevated
command prompt to register the rim node o n the central node.

If you are installing a central node you can follow the same procedure as a regular administrator installation.

To install a node:

1. Log in to the computer where you plan to install Qlik Sense as an administrator.
See: User accounts (page 66)
2. Download the Qlik_Sense_setup.exe file.
See: Downloads
3. On the Create or join a cluster screen, s elect Join cluster .
4. On the Shared persistence database connections settings screen, ensure that you specify the
correct hostname and password to the repository database that you want to connect to.
See: Installing Qlik Sense (page 99)

5. On the Service Credentials screen, enter your non-administrator user account, user name, and
password. For example, enter your user name as follows: .\senseserviceuser or domain\
senseserviceuser.

If you enter a username that is more than 20 characters long, it must be in UPN format, and must include the full dom

On the final screen of the installation program, you do not have the option to start the Qlik Sense services,
instead the following message is displayed: The service user does not have administrator privileges.
See the documentation for more information.

Next, run the bootstrap command in an elevated command prompt while registering the rim node with a
certificate.

To run the bootstrap command:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

1. On the rim node, open an elevated command prompt window. The bootstrap command elevates your
rights enabling you to perform tasks that require an administrator, such as installing certificates and
adding performance counters.
2. In the command prompt, navigate to the installed location: Program Files\Qlik\Sense\Repository
and run the Repository.exe -bootstrap command. The Qlik Sense Service Dispatcher must be
running before the Repository.exe -bootstrap is executed. While the bootstrap is running, i n the QMC
on the central node, register the rim node with a certificate that is generated.
3. On the central node, register the rim node in the QMC, see: Adding a Qlik Sense node (page 108).
After you have registered the rim node the bootstrap process will terminate.
4. Exit the command prompt.
5. In Windows, Services, start all Qlik Sense services. You must start the Qlik Sense Service
Dispatcher (QSD) before starting the Qlik Sense Repository Service (QRS).

Changing the user account type to run the Qlik Sense services on an
existing site
Follow the instructions in this section if you used an administrator user account when installing Qlik Sense,
and later wish to change to use an account without administrator privileges to run the Qlik Sense services.

Do the following:

1. In Windows, either create a new or use an existing domain or local user account to run the Qlik Sense
services.
2. If the service account user does not have administrator privileges, you must add the user to the
following groups i n Computer Management > System Tools > Local Users and Groups >
Groups.
 Qlik Sense Service Users
 Performance Monitor Users
The service account user also needs access to shared folders.
3. Open the Control Panel and then select System and Security>Administrative Tools>Services.
4. Stop all services except the Repository Database.
5. Assign Full control permission for the dedicated service account to the folder
%ProgramData%\Qlik\Sense.
6. As an administrator, open an elevated command prompt.
7. Navigate to the Program Files\Qlik\Sense\Proxy folder and run Proxy.exe -bootstrap.
8. Navigate to the Program Files\Qlik\Sense\Scheduler folder and run Scheduler.exe -bootstrap.
9. Navigate to the Program Files\Qlik\Sense\Repository folder and run Repository.exe -bootstrap.
If you are changing the user account on your primary or central node, run Repository.exe -bootstrap
- iscentral. The Qlik Sense Service Dispatcher must be running before the Repository.exe -
bootstrap is executed.
10. Close the elevated command prompt.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

11. Change the log on credentials for each of the Qlik Sense services as follows:
a. Right-click the s ervice and select Properties.
b. Select the Log On tab and then This account.
c. Enter the credentials for the dedicated service account and click OK.

If you are using a user account with administrative privileges, keep the Qlik Sense Repository Database running unde

Depending on your setup some of the services may not be available.

12. Start the Qlik Sense Service Dispatcher, and then the Qlik Sense Repository Service (QRS).
13. Start the rest of the Qlik Sense services.

2.10 Performing a silent installation
When running a silent installation, Qlik Sense is installed with no dialogs at all. This means all features,
properties and user selections have to be known before performing a silent installation. All setup options that
are available in the user interface of the installer can be performed with silent operations.

Do the following:

Elevation will take place if run from an unelevated process and the UAC is on.

Syntax
Qlik_Sense_setup.exe [-silent] [-uninstall] {-log "path\filename"}
{layout="path"} {accepteula=1|0} {desktopshortcut=1|0}
{skipstartservices=1|0} {installdir="path"}
{userwithdomain="domain\user"} {userpassword="password}
{dbpassword="password"} {hostname="www.machinename.domain.com"}
{cleanup=1|0} {sharedpersistenceconfig="configfilepath"} {senddata=1|0}
{skipvalidation=1|0} {databasedumpfile="path"}

Qlik_Sense_setup.exe -? or -h Brings up the on-screen silent setup help.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Commands
-silent (or Command line-driven setup without UI (mandatory).
-s)
- Uninstall the product silently. It must be used with -silent
uninstall command.

-log (or -l) [log file name with Log file directory and log file name.

path]

The user must have access to this directory.

-layout [destination Extracts files (including .msi files) to the destination directory.

directory]

This argument should not be combined with other
command line arguments.

Arguments
Arguments are separated by space and presented in the form [Argument]="[Value]". The double quotes can
normally be omitted but may be needed, for example, when a path contains spaces.

The default values are the same as those used in the setup user interface.

accepteula 1|0 Accepts the Qlik User License Agreement.

This argument is mandatory
when installing or
upgrading,
and you must accept the
QULA to install successfully.
desktopshortcut 1|0 (defaults to 1 on Installs desktop shortcuts.
clean installs)

skipstartservices 1|0 (defaults to 0 on Skips starting services after the installation

clean installs, has finished.
otherwise the current
state.)

installdir [path to custom install Defines the directory if the default install

directory] directory will not be used (%ProgramFiles
%\Qlik\Sense).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

userwithdomain [domain\username] Adds the username to run the Qlik Sense

services.

userpassword [password] Adds the password torun the services.

dbpassword [password] Adds the password for the database

superuser that creates the user that runs
the database.

hostname [address of the central Define the address for the central node.

node] The central node uses certificates to
communicate securely with other servers.
Leave blank to use the default.

cleanup 1|0 (defaults to 0 on Deletes Qlik Sense certificates and any files

uninstall) in the ProgramData\Qlik\Sense directory
after the uninstall is completed.

This argument must be used
with the silent install
commands.
Example: -silent -
uninstall cleanup=1.

sharedpersistenceconfig [path to configuration Activates setup of shared persistence as

(or spc) file including the storage method. All settings for shared
filename] persistence must be in the configuration file
referenced here.

This is a parameter must be
configured to install
successfully.

Shared persistence configuration file
syntax (page 132)
senddata 1|0 (defaults to 0) Shares system data with Qlik in anonymous
form.

skipvalidation 1|0 (defaults to 0) Skips password validation process for

service user and shared folder access. For
silent installation, database connection
tests are also skipped.

databasedumpfile [path to database Sets path d atabase backup dump file.

dump file]

bundleinstall dashboard,visualization Includes the dashboard and visualization

bundles.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

If you enter a username that is more than 20 characters long, it must be in UPN format, and must include the full domain

Example 1: To install Qlik Sense

Qlik_Sense_setup.exe -s spc="\\configpath\spc.cfg"
Example 2: To install Qlik Sense while redirecting the installation and log files to a different location
userwithdomain=mydomain\myUser userpassword=myPassword
dbpassword=mydbpassword
Qlik_Sense_setup.exe -s -l "c:\mylogpath" spc="\\configpath\spc.cfg"
Shared persistence configuration file syntax
installdir="c:\mycustompath" userwithdomain=mydomain\myUser
userpassword=myPassword dbpassword=mydbpassword
Configure the shared persistence storage model, using the sharedpersistenceconfig argument, and
point to a configuration file that contains the settings to be used in the installation.

Example:

Qlik_Sense_setup.exe -s spc="\\configpath\spc.cfg" userwithdomain=domain\yourserviceuser

userpassword=yourserviceuserpassword dbpassword=yoursuperuserpassword

The configuration file is in XML format. You need to create the file according to the example described here.

<?xml version="1.0"?>
<SharedPersistenceConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DbUserName>username</DbUserName>
<DbUserPassword>password</DbUserPassword>
<DbHost>IP or Hostname</DbHost>
<DbPort>4432</DbPort>
<RootDir>\\server\share</RootDir>
<StaticContentRootDir>\\server\share\StaticContent</StaticContentRootDir>
<ArchivedLogsDir>\\server\share\ArchivedLogs</ArchivedLogsDir>
<AppsDir>\\server\share\Apps</AppsDir>
<CreateCluster>true</CreateCluster>
<InstallLocalDb>false</InstallLocalDb>
<ConfigureDbListener>true</ConfigureDbListener>
<ListenAddresses>*</ListenAddresses>
<IpRange>0.0.0.0/0,::/0</IpRange>
<MaxConnections>100</MaxConnections>

<ConfigureLogging>true</ConfigureLogging>
<SetupLocalLoggingDb>true</SetupLocalLoggingDb>
<QLogsWriterPassword>writerpw</QLogsWriterPassword>
<QLogsReaderPassword>readerpw</QLogsReaderPassword>
<QLogsHostname>ip/hostname</QLogsHostname>

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on
<QLogsPort>4432</QLogsPort>
</SharedPersistenceConfiguration>

Configuration file syntax
Setting Description

DbUserName User name of the repository database user.

DbUserPassword Password of the repository database user.

DbHost Hostname of the machine running the r epository database.

DbPort Port used to communicate with t he repository database.

RootDir Root directory for the file share to use as content storage. We recommend
that you keep the content in this folder's sub-directories, but this can be
changed in the StaticContentRootDir a nd ArchivedLogsDir settings.

AppsDir Directory to store apps in.

StaticContentRootDir Root directory for all static content of the site.

ArchivedLogsDir Directory to save archived log files in.

CreateCluster Set CreateCluster to true if you want to create a new cluster, or set
JoinCluster JoinCluster to true if you want to join an existing cluster. You can only use
one of these settings in the configuration file. The other setting needs to be
removed, or commented out like .

InstallLocalDb Set to true if you want to install a local PostgreSQL database on the node
when you create a new cluster. This setting can only be used together with
the CreateCluster setting.

ConfigureDbListener Set to true if you want to configure the PostgreSQL database installed by
Qlik Sense to listen to database connections from other nodes.

You need to configure the ListenAddresses and IpRange settings.

ListenAddresses Addresses that the database service should listen to.

You can supply a comma separated list of IPv4 or IPv6 addresses, or
0.0.0.0 (for all IPv4 addresses), : :/0 (for all IPv6 addresses) or * (for all
addresses).

IpRange Subnet specification that covers the IP addresses of all nodes in your site.
Either add one row for each node, using /32 as suffix for each address, or
add a subnet that covers all addresses using, for example, /24 as suffix. To
allow all servers to access the repository database, use 0.0.0.0/0. If entering
multiple IP addresses or ranges, use a comma separated list. A
range can be either IPv4 or IPv6.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

Setting Description

MaxConnections Specify the maximum number of concurrent connections to the database.
The default value is 100. If you have a multi-node site multiple this value by
the number of nodes in the cluster. For example,
<MaxConnections>100</MaxConnections> is a single server deployment.

ConfigureLogging Set ConfigureLogging to true if you want to set up centralized database
logging.

SetupLocalLoggingDb Setting SetupLocalLoggingDb to true is equivalent to clicking New
Logging Database in the installer UI. A new logging database will be
installed with Qlik Sense.

QLogsWriterPassword Password of the qlogs_writer user account.

QLogsReaderPassword Password of the qlogs_reader user account.

QLogsHostname Host name of the logging database. Set QLogsHostname when
SetupLocalLoggingDb is set to false.

QLogsPort Port number of the logging database. Set QLogsPort when
SetupLocalLoggingDb is set to false.

Deprecated command line arguments
The use of the following command line arguments is no longer recommended.

rimnode Determines the Repository role.

-rimnodetype (or - Installs all the features required for the rim node type selected. The node type
rnt) can be any one of:

Complete, Proxy, Engine, Scheduler.

2.11 Setting up Qlik Sense Enterprise on Windows after
installation
This section guides you through the process of setting up your Qlik Sense site after installing. You can
configure the server to fit with your organization’s particular needs. Below are the common task most
deployments will require.

Connecting Qlik Sense to your user directory
Qlik Sense has a range of methods for authenticating users. Windows authentication is the default method.

When a user connects to Qlik Sense for the first time a user record is created to identify that user. Once this
record is created, the administrator can track the user’s activity and assign her a license and permissions.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on
Administrators can also connect to a user directory (for example, Active Directory or LDAP) to obtain further
information about that user (such as user groups). The user information can be fetched in advance and then
kept in sync with the user directory. This is optional but recommended since it will provide you with the best
management experience.

See the following sections in the Manage Qlik Sense sites guide:

 Setting up a user directory connector and schedule by task
 Managing users

Assigning licenses to users
Users need a license to open an app.

Your license is either based on access types, with professional access allocation as an option, or on tokens,
with user access allocation as an option.


Access types: you can allocate professional access and analyzer access. Depending on how you have
licenses Qlik Sense, t he distribution of t he two access types is determined by the LEF file or by the
signed key.
 Token-based license: you can allocate user access and login access. The LEF determines the number
of tokens that you can allocate to the two access types.

User-based licenses
User-based licenses grant a predefined number of professional a nd analyzer access allocations. The
distribution of the access types is determined by the LEF.

See the following sections in the Manage Qlik Sense sites guide:

 Managing licenses
 Allocating professional access
 Allocating analyzer access

Token-based licenses
Qlik Sense offers a token-based system that allows the administrator to assign the most suitable license type
to each user. L
icenses can be allocated on an individual basis or automatically by using rules to define who is
allowed to obtain a license, for example, all users in a specific department.

See the following sections in the Manage Qlik Sense sites guide:

 Managing licenses
 Allocating user access
 Creating new login access rules

Configuring the monitoring apps
All installations of Qlik Sense (single node and multi-node) require configuration of the monitoring apps for
them to work properly.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on
See the following sections in the Monitor Qlik Sense sites guide:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

2 Installing Qlik Sense Enterprise on

 Configuring the monitoring apps

How Qlik Sense uses HTTPS and certificates
Qlik Sense deploys securely by default when it is installed. It uses self-sign certificates to ensure that data is
transferred to users in a secure way. When users access the system they by default receive a warning that th
e certificate used by the site is not trusted. T
he user can then accept the certificate and proceed to use Qlik Sense securely.

There are two options to prevent the warning; one is to use a trusted certificate from either a trusted provider
or an internal corporate source. The other option is to run the site using HTTP only. Both options are
available as settings on the Qlik Sense Proxy Service (QPS).

Regardless of which option you choose, the services in Qlik Sense always use encryption when
communicating.

See the following sections in the Manage Qlik Sense sites guide:

 Changing proxy certificate
 Editing proxies

Creating and opening apps
To create and open apps on the server users must browse to the Qlik Sense hub using their web browser. T
he
hub lists two areas: Work contains the apps belonging to the user who has logged in, and Streams contains
the other apps the user has access to. A fter the installation the administrators see two built-in monitoring
apps, while all other users do not see any apps. C
lick on an existing app to open it. To create a new app, click Create new app.

Working with streams, apps and publishing
A stream is a way to group together apps that have similar permissions. O
nce an app has been created, an
administrator can publish it to a stream. The app then becomes visible to users who have access to that
stream. A pps, streams and publishing are managed in the Qlik Management Console (QMC).

See the following sections in the Manage Qlik Sense sites guide:

 Managing streams
 Managing apps
 Publishing app

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

3 Upgrading and updating Qlik Sense
Enterprise on Windows
In this section you can read about how to upgrade and update your Qlik Sense installation. The
upgrade procedure is different depending on whether you are upgrading from Qlik Sense 3.1
SR1 or earlier, or from Qlik Sense 3.1 SR2 or later.

You can upgrade from Qlik Sense 3.1 SR2 to Qlik Sense June 2017 or later using the Qlik Sense setup
program. To upgrade to Qlik Sense June 2017 or later, see Upgrading (page 138).

Upgrading from any version of Qlik Sense earlier than 3.1 SR2 to Qlik Sense June 2017 or later cannot be
done using the setup program. If you wan to upgrade from Qlik Sense 3.1 SR1 or earlier to Qlik Sense June
2017 or later, you must first upgrade to Qlik Sense June 2017. Once your environment is on version June
2017 of Qlik Sense, you can upgrade to any newer version using the Qlik Sense setup program. See:
Upgrading to Qlik Sense June 2017 or later from Qlik Sense versions earlier than 3.1 SR2 (page 145).

You can update your Qlik Sense deployment by applying patches. A patch primarily includes software
updates and fixes that are applied to the existing Qlik Sense version. For more information, see Patching
Qlik Sense (page 154).

3.1 Upgrades and migrating persistence models
Qlik Sense June 2017 or later only supports the shared persistence model. It does not support the
synchronized persistence model. When you upgrade your Qlik Sense 3.1 SR2 deployment to Qlik Sense
June 2017 or later, you will be migrated to a shared persistence model.

You can upgrade from synchronized persistence to shared persistence if the existing deployment is running
Qlik Sense version 3.1 SR2. See, Upgrading and migrating from synchronized to shared persistence (page
148).

When upgrading a central node from synchronized persistence to shared persistence, the existing repository
database is shared with all nodes. If you want to setup a dedicated repository database on a separate
machine, you must perform a new installation. For more information, see Installing and configuring
PostgreSQL (page 115), and Installing Qlik Sense in a multi-node site (page 98).

3.2 Upgrades and centralized logging
Upgrading from Qlik Sense June 2017 or earlier provides the option to configure centralized logging through
the installer wizard. Upgrading from Qlik Sense September 2017 or later does not provide this option. During
the upgrade, centralized logging will be set up only if it was configured in the earlier Qlik Sense version. If
centralized logging was not set up, the logging service will still be installed and running but without the
database.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

3.3 Upgrading
You can upgrade from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 or later using the Qlik Sense
setup program. When upgrading, the previous version is completely replaced by the new version.

To upgrade from Qlik Sense 3.1 SR2 or later with a shared persistence model to Qlik Sense June 2017 or
later, see Upgrading from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 or later (page 141).

Do not uninstall Qlik Sense before upgrading to Qlik Sense June 2017 or later. If you are upgrading to Qlik Sense June

Qlik Sense June 2017 and later versions do not support the synchronized persistence model. To upgrade
from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 or later and migrate from a synchronized
persistence model to a shared persistence model, see Upgrading and migrating from synchronized to shared
persistence (page 148).

Upgrading from any version of Qlik Sense earlier than 3.1 SR2 to Qlik Sense June 2017 or later cannot be
done using the setup program. To upgrade from earlier versions of Qlik Sense with a synchronized
persistence model to Qlik Sense June 2017 or later, see Upgrading to Qlik Sense June 2017 or later from
Qlik Sense versions earlier than 3.1 SR2 (page 145).

When you upgrade to a newer version of Qlik Sense, you will not get the option to configure centralized logging in the insta

Qlik Sense November 2017 and later versions do not support soft deleted records. Qlik Sense will clean up all soft deleted

During upgrade, configuration files are overwritten with the default settings. If a configuration file was manually changed in yo
%ProgramFiles%\Qlik\Sense\Repository\Repository.exe.config,
%ProgramFiles%\Qlik\Sense\Proxy\Proxy.exe.config,
%ProgramFiles%\Qlik\Sense\Scheduler\Scheduler.exe.config, and
%ProgramFiles%\Qlik\Sense\ServiceDispatcher\services.conf.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Any custom manual configurations that you make to the PostgreSQL database must be manually reproduced after the up

Qlik Sense apps
When you upgrade Qlik Sense, all existing apps need to be migrated to ensure compatibility between the
versions. A
pp migration is not performed automatically when starting Qlik Sense. An app with an engine
version later than 12.0 is migrated on the fly when you open it in the hub. On the apps overview page in the
QMC you can see if there are apps that require manual migration. The text Migration needed is displayed in
the Migration column for apps that need to be migrated. The Migration column is not displayed by default.
Use the column selector to display the field. Use the Migrate button to perform manual migration.

Multi-node deployments
In a multi-node deployment, all nodes must run the same version of Qlik Sense to be able to communicate
with each other. It is recommended to upgrade with all nodes offline, and to start with the central node.

When upgrading a rim node, ensure that you use the same log-in account as was used for the initial installation of that node.

Qlik Sense Repository Database
Qlik Sense June 2017 and later versions use PostgreSQL version 9.6 for the Qlik Sense Repository
Database. If you upgrade in place without uninstalling Qlik Sense t he Qlik Sense Repository Database is
upgraded to PostgreSQL version 9.6 and your data, and standard settings are carried forward. If you have
made custom configurations to your PostgreSQL installation, those must be recreated in the PostgreSQL
after upgrade.

PostgreSQL version 9.6 is installed with the latest version of Qlik Sense. If you have uninstalled Qlik Sense
but maintained your PostgreSQL database, and you want to upgrade your Qlik Sense deployment, you must
create a database dump file and restore the PostgreSQL database manually. You will also need to manually
reconfigure any custom parameters.

The Qlik Sense installer cannot use SSL encryption for establishing connection to PostgreSQL. When SSL encryption is

The PostgreSQL installation included in the Qlik Sense June 2017 or later setup does not include pgAdmin
tools. For information about manually installing the PostgreSQL database, see Installing and configuring
PostgreSQL (page 115).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Upgrading Qlik Sense
Before you upgrade Qlik Sense, do the following:

 Review S ystem requirements for Qlik Sense Enterprise (page 19).
 Download the Qlik_Sense_setup.exe file.
See: Downloads
 Make sure you have logged on as an administrator using an account that has an actual password
defined, that is, not a blank password.
 If you are running the Qlik Sense services with a LocalSystem account then you must change to a
service user account before begining the upgrade.
See: Upgrading from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017 or later (page 141)
 Create a backup of your Qlik Sense deployment before upgrading.
 Optionally, remove the Root certificate from the Central node and all certificates from the non-central
nodes.

Do the following:

1. Stop your Qlik Sense services on all nodes in the deployment.
2. Upgrade your central node by launching the Qlik Sense setup file (Qlik_Sense_setup.exe) as an
administrator.
3. If an unsupported Qlik Sense root certificate is detected on the central node, the root certificate must
be removed as part of the upgrade. You cannot proceed with the upgrade if you do not select to
remove the root certificate.
Select Remove certificate(s) and click Next.

Selecting Remove certificate(s) and clicking Next will delete the Qlik Sense root certificate from this node. The ce

4. Select Upgrade to upgrade your existing shared persistence deployment.
5. Accept the license agreement and click Next.
6. On the Service Credentials page, enter the U sername and Password for your Windows Qlik
Sense service user account.
If the user is member of a domain, enter the service account as <domain>\<username>. For more
information, see U ser accounts (page 66).
7. On the Ready to upgrade page, select the appropriate check boxes if you want the setup to create
desktop shortcuts and a
utomatically start the Qlik Sense services when the setup is complete, and click Upgrade.
8. Check that all of the Qlik Sense services have started successfully.
9. Check the Apps overview page in the Qlik Management Console. The text Migration needed is
displayed in the Migration column for apps that require migration.
10. Upgrade the remaining nodes by following the applicable steps above for all nodes in the Qlik Sense

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

cluster.
If an unsupported Qlik Sense root certificate is detected on non-central node, all Qlik Sense
certificates must be removed as part of the upgrade.

Selecting Remove certificate(s) and clicking Next will delete all Qlik Sense certificates from this node. The certificate
Make sure that you have already upgraded the Central node.

11. If you removed the Qlik Sense certificates as described in the previous step, perform one of the
following two steps depending on your setup.
 Account running the Qlik Sense services has administrator privileges:
a. Open the Qlik Management Console (QMC) and r edistribute the certificates according
to Redistributing a certificate.
b.
Restart all the services on the node and make sure they are using the newly distributed
certificates.
 Account running the Qlik Sense service does not have administrator privileges:
a. In the command prompt, navigate to the install location, for example Program Files\Qlik\Sense\
Repository, and run Repository.exe -bootstrap.

b. When the Waiting for certificates to be installed.. message is displayed, redistribute
the certificates according to Redistributing a certificate.
c. Once the bootstrap mode has terminated, start the Qlik Sense Service Dispatcher, then
start the Qlik Sense Repository Service (QRS), and finally the remaining Qlik Sense
services.

Upgrading from Qlik Sense 3.1 SR2 or later to Qlik Sense June 2017
or later
Before you upgrade, if your Qlik Sense 3.1 SR2 or later installation is running services using a Local System
account, you need to change this to use a service user account (local or domain) before upgrading to Qlik
Sense June 2017 or later. If you continue to use a Local System account to run the s ervices when upgrading
you will get an error.

Changing the user account type to run the Qlik Sense services on a central
node
Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

 Qlik Sense Service Users
 Performance Monitor Users
The service account user also needs access to shared folders.
3. Open the Control Panel and then select System and Security>Administrative Tools>Services.
4. Stop all services except the Repository Database.
5. Assign Full control permission for the dedicated service account to the folder
%ProgramData%\Qlik\Sense.
6. As an administrator, open an elevated command prompt.
7. Navigate to the Program Files\Qlik\Sense\Proxy folder and run Proxy.exe -bootstrap.
8. Navigate to the Program Files\Qlik\Sense\Scheduler folder and run Scheduler.exe -bootstrap.
9. Navigate to the Program Files\Qlik\Sense\Repository folder and run Repository.exe -bootstrap.
If you are changing the user account on your primary or central node, run Repository.exe -bootstrap
- iscentral. The Qlik Sense Service Dispatcher must be running before the Repository.exe -
bootstrap is executed.
10. Close the elevated command prompt.
11. Change the log on credentials for each of the Qlik Sense services as follows:
a. Right-click the s ervice and select Properties.
b. Select the Log On tab and then This account.
c. Enter the credentials for the dedicated service account and click OK.

If you are using a user account with administrative privileges, keep the Qlik Sense Repository Database running unde

Depending on your setup some of the services may not be available.

12. Start the Qlik Sense Service Dispatcher, and then the Qlik Sense Repository Service (QRS).
13. Start the rest of the Qlik Sense services.

Upgrading from Qlik Sense 3.1 SR2 or later with a shared persistence model
to Qlik Sense June 2017 or later
Do the following:

1. Stop your Qlik Sense services on all nodes in the deployment.
2. Upgrade your central node by launching the Qlik Sense setup file (Qlik_Sense_setup.exe) a s an
administrator.
3. If an unsupported Qlik Sense root certificate is detected on the central node, the root certificate must
be removed as part of the upgrade. You cannot proceed with the upgrade if you do not select to
remove the root certificate.
Select Remove certificate(s) and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Selecting Remove certificate(s) and clicking Next will delete the Qlik Sense root certificate from this node. The c

4. Select Upgrade to upgrade your existing shared persistence deployment.
5. Accept the license agreement and click Next.
6. On the Service Credentials page, enter the U sername  and Password for your Windows Qlik
Sense service user account.
If the user is member of a domain, enter the service account as <domain>\<username>. For more
information, see  User accounts (page 66).
7. On the Ready to upgrade page, select the appropriate check boxes if you want the setup to create
desktop shortcuts and a
utomatically start the Qlik Sense services when the setup is complete, and click Upgrade.
8. Check that all of the Qlik Sense services have started successfully.
9. Check the Apps overview page in the Qlik Management Console. The text Migration needed is
displayed in the Migration column for apps that require migration.
10. Upgrade the remaining nodes by following the applicable steps above for all nodes in the Qlik Sense
cluster.
If an unsupported Qlik Sense root certificate is detected on non-central node, all Qlik Sense
certificates must be removed as part of the upgrade.

Selecting Remove certificate(s) and clicking Next will delete all Qlik Sense certificates from this node. The certificate
Make sure that you have already upgraded the Central node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Any custom manual configurations that you make to the PostgreSQL database must be manually reproduced afte

Upgrading to Qlik Sense June 2017 or later after uninstalling Qlik Sense 3.1
SR2 or later
If you have uninstalled Qlik Sense but maintained your PostgreSQL database, and you want to upgrade to
Qlik Sense June 2017 or later, you must create a database dump file and restore the PostgreSQL database
manually. You will also need to manually reconfigure any custom parameters.

Do the following:

1. Copy the PostgreSQL folder from % ProgramData%\Qlik\Sense\Repository\PostgreSQL to a

temporary location outside of the %ProgramData% folder.
2. Download and install PostgreSQL version 9.6 from the PostgreSQL website. For more information,
see I nstalling and configuring PostgreSQL (page 115).
3. Open a Command Prompt in Microsoft Windows.

The pg_ctl.exe command should not be run as an administrator.

4. Navigate to the location where the PostgreSQL repository database is installed,
%ProgramFiles%\PostgreSQL\<database version>\bin, and run the following commands:
a. pg_ctl.exe start -w -D "C:\SenseDB\9.6"

b. set PGUSER=postgres

c. set PGPASSWORD=password

d. pg_dumpall.exe > [<path to dump file>]

e. pg_ctl.exe stop -w -D "C:\SenseDB\9.6"

5. In the Command Prompt window, navigate to the folder containing the Qlik_Sense_setup.exe file.
6. Run t he following command to install Qlik Sense and restore your Qlik Sense Repository Database.
Qlik_Sense_setup.exe databasedumpfile=<path_to_dump_file>

The path to the dump file must be entered as an absolute path, using a relative path will result in an installation failur

7. Follow the setup to complete the installation.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Upgrading to Qlik Sense June 2017 or later from Qlik Sense
versions earlier than 3.1 SR2
Qlik Sense June 2017 and later versions do not support the synchronized persistence model.
To upgrade to Qlik Sense June 2017 or later from any version of Qlik Sense earlier than
3.1
SR2 and migrate from a synchronized to shared persistence model, follow the instructions on
this page.

If you attempt to upgrade from Qlik Sense versions earlier than 3.1 SR2 to Qlik Sense June 2017 using the setup program y

The new hostname must match the one used before the upgrade. Using a different hostname will cause a mismatch in the
- Checking the certificate name
- Checking the file C:\Programdata\Qlik\Sense\Host.cfg (String encoded based64) See also Restoring a central node

Do the following:

1. Create a backup of your existing Qlik Sense deployment. For more information, see the help for the
version of Qlik Sense that you are currently running.
2. Change the PostgreSQL authentication mode in the configuration settings to allow the password to
be changed.
a. Stop the Qlik Sense Repository Database service.
b. Open the Client Authentication file located in
ProgramData\Qlik\Sense\Repository\PostgreSQL\<database version>\pg_hba.conf .
c. Change the ADDRESS to 127.0.0.1/32, and change the METHOD to trust for for IPv4
local connections and local host replication.
d. Change the ADDRESS to ::1/128, and change the METHOD to trust for IPv6 local
connections and local host replication.
e. Start the Qlik Sense Repository Database service.
3. Change the Qlik Sense Repository Database password.
To change the password using PostgreSQL command line:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

a. Open a command prompt and navigate to
ProgramFiles\Qlik\Sense\Repository\PostgreSQL\<database version>\bin.
b. Connect to the database by entering the following command:
psql.exe -p 4432 -U postgres.
c. Enter the following command to set the new user password:
ALTER USER qliksenserepository WITH PASSWORD '<newpassword>';
ALTER ROLE is displayed after successfully changing the password.

To change the password using the pgAdmin tool:
a. Launch p gAdmin and connect to the Qlik Sense Repository Database.
b. Expand the tree in the left pane and click L ogin Roles >  qliksenserepository .
c. Right-click on  qliksenserepository and select Properties.
d. Click the Definition tab, and enter a Password.
4. Reset the PostgreSQL authentication mode in the configuration settings to require authentication.
a. Stop the Qlik Sense Repository Database service.
b. Open the Client Authentication file located in
ProgramData\Qlik\Sense\Repository\PostgreSQL\<database version>\pg_hba.conf .
c. Change the METHOD back to md5.
d. Start the Qlik Sense Repository Database service.
5. Create a database dump file.
If Qlik Sense is installed:
a. Stop all Qlik Sense services except Qlik Sense Repository Database service. Ensure that the
Qlik Sense Repository Database service is running.
b. Open a command prompt and navigate to the location where the PostgreSQL database is
installed, and enter the following commands:
 set PGUSER=postgres
 set PGPASSWORD=[superuserpassword]
 pg_dumpall.exe -p 4432 > [path to dump file]

If Qlik Sense has been uninstalled:
a. Copy the PostgreSQL folder from % ProgramData%\Qlik\Sense\Repository\PostgreSQL\9.6
to a temporary location outside of the %ProgramData%\Qlik folder.
b. Download and install PostgreSQL version 9.6 from the PostgreSQL website. For more
information, see I nstalling and configuring PostgreSQL (page 115).
c. Open a Command Prompt in Microsoft Windows.
d. Navigate to the location where the PostgreSQL repository database is installed, cd "%ProgramFiles%\
PostgreSQL\9.6\data\bin", and run the following commands:
 pg_ctl.exe start -w -D "C:\SenseDB\9.6"
 set PGUSER=postgres

 set PGPASSWORD=password

 pg_dumpall.exe > [path to dump file]

 pg_ctl.exe stop -w -D "C:\SenseDB\9.6"

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

6. Make a backup of log and application data in the following folders:
 %ProgramData%\Qlik\Sense\Log
 %ProgramData%\Qlik\Sense\Apps
 %ProgramData%\Qlik\Sense\Repository\Content
 %ProgramData%\Qlik\Sense\Repository\Extensions
 %ProgramData%\Qlik\Sense\Repository\AppContent (if available)
 %ProgramData%\Qlik\Sense\Repository\SharedContent (if available)
7. Make a backup of any locations where content that supports the Qlik Sense environment may be kept
(for example, QVD files created by load scripts).
8. Create a file share, see Creating a file share (page 111).
9. Create the following sub-folders in the file share:
 Apps
 ArchivedLogs
 StaticContent
10. Copy following content from your synchronized persistence deployment to the file share:
Content Copy from To subfolder

Apps ..\ProgramData\Qlik\Sense\Apps Apps

Logs ..\ProgramData\Qlik\Sense\Repository\Archived Logs ArchivedLogs

(optional)

Static ..\ProgramData\Qlik\Sense\Repository\AppContent StaticContent

content ..\ProgramData\Qlik\Sense\Repository\Content
..\ProgramData\Qlik\Sense\Repository\DefaultContent
..\ProgramData\Qlik\Sense\Repository\Extensions
..\ProgramData\Qlik\Sense\Repository\DefaultApps
..\ProgramData\Qlik\Sense\Repository\SharedContent

Each of these folders must be added as a sub-folder
of the StaticContent folder.

11. Ensure that all Qlik Sense nodes are synchronized, and take all n odes offline by stopping the Qlik

Sense services in Windows.
12. Uninstall Qlik Sense. Accept the defaults when uninstalling to preserve the certificates settings.
13. In the Command Prompt window, navigate to the folder containing the Qlik_Sense_setup.exe file.
14. Run t he following command to install Qlik Sense and restore your Qlik Sense Repository Database.
Qlik_Sense_setup.exe databasedumpfile=<path_to_dump_file>

The path to the dump file must be entered as an absolute path, using a relative path will result in an installation failur

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

15. Uninstall Qlik Sense on each of your rim nodes in multi-node deployment. Select the option to
completely uninstall Qlik Sense when you uninstall on the rim nodes.
16. Install Qlik Sense on each of the rim nodes.
17. Connect the rim nodes in the QMC, select each node, and click the Redistribute button.

3.4 Upgrading and migrating from synchronized to
shared persistence
You can upgrade and migrate from synchronized persistence to shared persistence if the existing deployment
is running Qlik Sense version 3.1 SR2 or later. For more information about persistence models, see
Persistence (page 63).

The files that are persisted in a Qlik Sense deployment must be available to all nodes via the file share. They
can be stored on any of the nodes in the cluster, or on another server. If you are migrating from a
synchronized persistence deployment to a shared persistence deployment, you must first create the file share
to use as shared storage, and copy your data from the synchronized persistence deployment into the file
share folders. For instructions on how to create a file share, see Creating a file share (page 111).

Before you upgrade Qlik Sense, do the following:

 Review S ystem requirements for Qlik Sense Enterprise (page 19).
 Download the Qlik_Sense_setup.exe file.
See: Downloads
 Create a backup of your Qlik Sense deployment before upgrading.

It is recommended that you run the Qlik Sense Enterprise cleanup script before upgrading to Qlik Sense Enterprise 2.2 or

Backing up a synchronized persistence site
Proceed as follows to backup a Qlik Sense site deployed with the synchronized persistence model:

1. Make a backup of the certificates used to secure the Qlik Sense services. This only needs to be done
once.
Backing up certificates (page 159)

2. Stop all Qlik Sense services except the Qlik Sense Repository Database (QRD).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

3. Make a backup of the repository database.
a. Open a Command Prompt with administrator privileges in Microsoft Windows.
b. Produce a dumpfile for the repository database (that is, a single file for the entire database):
i. Navigate to the installation location.
%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin
ii. pg_dump.exe -h localhost -p 4432 -U postgres -b -F t -f "c:\QSR_backup.tar" QSR
If you are prompted for the PostgreSQL super user password, enter the password that
was given during the installation of Qlik Sense.

To avoid being prompted for the password (for example, if you want to automate the Qlik Sense backu

c. Make a backup of the dumpfile for the repository database.
4. Make a backup of log and application data in the following folders:
 %ProgramData%\Qlik\Sense\Log
 %ProgramData%\Qlik\Sense\Apps
 %ProgramData%\Qlik\Sense\Repository\Content
 %ProgramData%\Qlik\Sense\Repository\Extensions
 %ProgramData%\Qlik\Sense\Repository\AppContent (if available)
 %ProgramData%\Qlik\Sense\Repository\SharedContent (if available)
5. Make a backup of any locations where content that supports the Qlik Sense environment may be kept
(for example, QVD files created by load scripts).
6. Start the Qlik Sense services. If the services are started manually, start them in the following order:
a. Qlik Sense Service Dispatcher(QSD)
b. Qlik Sense Repository Service (QRS)
If the user running Qlik Sense services is not local administrator on the machine, you need to
start Repository.exe from an elevated command prompt using the -bootstrap parameter.
Services (page 31)
c. Qlik Sense Proxy Service (QPS), Qlik Sense Engine Service (QES), Qlik Sense Scheduler
Service (QSS), and Qlik Sense Printing Service (QPR) in no specific order
The start-up order is important. During start-up the QRS must be able to contact the Qlik License
Service, which is managed by the QSD. The other services are dependent on the QRS. The QS
D must therefore be running when the QRS is started.

Upgrading to a shared persistence deployment
Do the following:

1. Create a file share, see Creating a file share (page 111).
2. Create the following sub-folders in the file share:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

 Apps
 ArchivedLogs
 StaticContent
3. Ensure that all Qlik Sense nodes are synchronized, and take all n odes offline by stopping the Qlik
Sense services in Windows.
4. Copy following content from your synchronized persistence deployment to the file share:
Content Copy from To subfolder

Apps ..\ProgramData\Qlik\Sense\Apps Apps

Logs ..\ProgramData\Qlik\Sense\Repository\Archived Logs ArchivedLogs

(optional)

Static ..\ProgramData\Qlik\Sense\Repository\AppContent StaticContent

Each of these folders must be added as a sub-folder
of the StaticContent folder.

5. Upgrade your central node by launching the Qlik Sense setup file (Qlik_Sense_setup.exe).
6. Accept the license agreement and click Next.
7. On the Shared persistence storage page, enter the path or URL to your file share folders that you
prepared and click Next.
8. On the Database service listener page, if you have a multi-node deployment, enter the following:
 Listen addresses - add the addresses that the database service should listen to.
You can enter a comma separated list of IPv4 or IPv6 addresses, or 0.0.0.0 (for all IPv4
addresses), ::/0 (for all IPv6 addresses) or * (for all addresses).
 IP ranges - add a subnet specification that covers the IP addresses of all nodes in your site.
Either add one row for each node, using /32 as suffix for each address, or add a subnet that
covers all addresses using, for example, /24 as suffix. To allow all servers to access the
repository database, use 0.0.0.0/0. You can also enter a comma separated list of multiple IP
addresses.
 Max connections - specify the maximum number of concurrent connections to the database.
The default value is 100 multiplied by the number of nodes in the cluster (this field is only
available in Qlik Sense February 2018, and later).
9. On the Service Credentials page, enter the U sername , and Password for your WindowsQlik
Sense service user account. If the user is member of a domain, enter the service account as <domain>\
<username>. See: User accounts (page 66).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

10. On the Repository Database Superuser Password page, enter the password for your repository
database superuser. See: User accounts (page 66).
If you cannot find the password, see the troubleshooting topic:Cannot find the repository database
superuser password (page 285)
11. On the Ready to upgrade page, select the appropriate check boxes if you want the setup to create
desktop shortcuts and a
utomatically start the Qlik Sense services when the setup is complete, and click Upgrade.
12. Check that all of the Qlik Sense services have started successfully.
13. Check the Apps overview page in the Qlik Management Console. The text Migration needed is
displayed in the Migration column for apps that require migration.
14. In a multi-node deployment, uninstall Qlik Sense on each of the rim nodes. Select the option to
remove certificates and data folders when you uninstall on the rim nodes.
15. Install Qlik Sense w ith shared persistence on the remaining nodes, and join the existing cluster
created when you upgraded the central node.

3.5 Performing a silent upgrade
You can silently upgrade the current Qlik Sense installation. All setup options that are available in the user
interface of the installer can be performed with silent operations.

Do the following:

1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt window is displayed.
2. In the Command Prompt window, navigate to the folder containing the Qlik_Sense_setup.exe file.
3. Enter Qlik_Sense_setup.exe followed by the silent installation syntax preferred.
4. If applicable, recreate the Qlik Sense root certificate according to this Support article: ≤
https://support.qlik.com/articles/000094071.
Applicable for all Qlik Sense deployments originally installed with version June 2019 or earlier.

Note that elevation will take place if run from an unelevated process and the UAC is on.

Syntax
Qlik_Sense_setup.exe [-silent] {-log "path\filename"} {accepteula=1|0}
{desktopshortcut=1|0} {skipstartservices=1|0} {installdir="path"}
{userpassword="password} {dbpassword="password"}

Qlik_Sense_setup.exe -? or -h Brings up the on-screen silent setup help.

Commands
-silent (or -s) Command line-driven setup without UI.(mandatory).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

-log (or -l) [log file name with path] Log file directory and log file name.

The user must have access to this
directory.

Arguments
Arguments are separated by space and presented in the form [Argument]="[Value]". The double quotes can
normally be omitted but may be needed, for example, when a path contains spaces.

The default values are the same as those used in the setup user interface.

accepteula 1|0 Accepts the Qlik User License Agreement.

This argument is mandatory, and
you must accept the QULA to
upgrade successfully.

desktopshortcut 1|0 (defaults to 1 on clean Installs desktop shortcuts.

installs)

skipstartservices 1|0 (defaults to 0 on clean To skip starting services after the installation

installs, otherwise the current has finished.
state.)

installdir [path to custom install Need only be defined if the default install

directory] directory will not be used
(%ProgramFiles%\Qlik\Sense).

userpassword [password] The password of the user used to run the

services.

dbpassword [password] Password for the database superuser that

creates the user that runs the database.

bundleinstall dashboard,visualization Includes the dashboard and visualization

bundles.

The default values are the same as those used in the setup user interface.

Example: Upgrading the installation

This example shows how to silently upgrade an installation and add desktop shortcuts.

Qlik_Sense_setup.exe -s desktopshortcut=1

Deprecated command line arguments
For a list of the command line arguments that are no longer recommended, see Installing silently.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

3.6 Repairing an installation
The Repair option restores all missing files, shortcuts and registry values without any credentials being
changed.

If patches have been applied to Qlik Sense, the Repair option is disabled. You must uninstall all patches before you can us

Do the following:

1. To start repairing the installation, open the Control Panel and select Uninstall a program. Then
select Qlik Sense from the list of programs and click Change.

The Qlik Sense Setup maintenance screen is displayed.

You can also perform this action by double-clicking the Qlik_Sense_setup.exe file. In that case, you must use the co

2. Click Repair.
The Ready to repair screen is displayed.
3. Click Repair.
 If UAC is enabled, the User Account Control screen is displayed.
 If UAC is disabled, the repair process starts.
4. Click Yes to start repairing your Qlik Sense installation.

This is only applicable if UAC is enabled.

The progress is displayed.

When finished, click Repair Summary to confirm that Qlik Sense has been restored successfully.
Click Back.

5. Click Finish.

You have now successfully repaired your Qlik Sense installation.

3.7 Performing a silent repair
You can silently repair the current Qlik Sense installation. All setup options that are available in the user
interface of the installer can be performed with silent operations.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Syntax
Qlik_Sense_setup.exe [-silent] [-repair] {-log "path\filename"}

Qlik_Sense_setup.exe -? or -h Brings up the on-screen silent setup help.

Commands
-silent (or - Trigger the silent mode (mandatory).
s)

-repair Repair the product silently.

-log (or -l) Log file directory and log file name.

The user must have access to this directory.

If this option is not defined, the log file will be stored with the default name in the default
location.

Example:

This example shows how to silently repair the Qlik Sense installation.

Qlik_Sense_setup.exe -s -repair

3.8 Patching Qlik Sense
You can update your Qlik Sense deployment when a patch of the software is available for installation. A
patch primarily includes software updates and fixes that are applied to the existing Qlik Sense version.

Patches are installed without the need to remove earlier updates or the major release. Qlik Sense patches are cumulative.

When you uninstall a patch, the individual updates from the installed version of Qlik Sense are removed.

In a multi-node site, all nodes must run the same version of Qlik Sense. We recommend installing patches
with all nodes offline, and starting with the central node.

Before you install a patch Qlik Sense, do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

 Review S ystem requirements for Qlik Sense Enterprise (page 19).
 Download the Qlik_Sense_update.exe file.
 Make sure you have logged on with Administrator rights using an account that has an actual password
defined, that is, not a blank password.
 Create a backup of your Qlik Sense deployment. If Qlik Sense is installed on a Virtual Machine (VM) it
may be sufficient to take a snapshot of the machine before upgrading. For more information, see
Backing up a Qlik Sense site (page 178).

When updating a rim node, ensure that you use the same log-in account as was used for the initial installation of that node. F

Do the following:

1. Stop the Qlik Sense services.
2. Run the setup to install a patch on the central node.
When the installation is complete, the Summary is displayed.
If applicable, after the patching has completed, recreate the Qlik Sense root certificate according to
this Support article: ≤ https://support.qlik.com/articles/000094071.
Applicable for the following and later Qlik Sense patches:
 February 2019 Patch 8
 April 2019 Patch 8
 June 2019 Patch 11
 September 2019 Patch 7
 November 2019 Patch 6
3. Click Finish to close the Summary.

If the patch did not install successfully, the Failed screen is displayed. For more detailed information, see the insta

You have successfully applied a patch to your Q lik Sense deployment.

4. Start the Qlik Sense services.
5. Repeat this procedure for each of the remaining nodes.

You cannot repair an installation using the repair option on the setup program once patches have been applied. The repair o

Follow the same procedure to uninstall patches.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

Silent patching
When a software patch i s available for your Qlik Sense installation, you can use the command line tool to
silently install the updates. P
atches include software updates and fixes that are applied to the existing Qlik Sense version.

Commands
Use the following commands to silently run patch updates.

Command Description
install Runs a command line-driven install without a user interface. For feedback, see the
log files, and the return values.
uninstall Runs a command line-driven uninstall without a user interface. For feedback, see
the log files, and the return values.
startservices Used with [install], or [uninstall], this command determines whether the services
should be started automatically or not.
log=[path to Specifies the location for the patch to writes log files.
logfile]

unpack=[path] Unpacks the patch contents without installing.
help (or -h, /h, Opens the help dialog.
-?, /?)

To troubleshoot silent patching, start by examining the installation log files. The default l ocation of the log files is: C:\Users\
[username]\AppData\Local\Temp.

Recreating root certificates
If applicable, after the patching has completed, recreate the Qlik Sense root certificate according to this
Support article: ≤ https://support.qlik.com/articles/000094071 .

Applicable for the following and later Qlik Sense patches:

 February 2019 Patch 8
 April 2019 Patch 8
 June 2019 Patch 11
 September 2019 Patch 7
 November 2019 Patch 6

Example
The following command is an example of the syntax you can use for running a patch update file:

Qlik_Sense_update.exe install startservices

This command installs the update, and restores the services to the same state they were in before the
update.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

3 Upgrading and updating Qlik Sense Enterprise on

3.9 Uninstalling Qlik Sense

If any updates have been applied to Qlik Sense since installation, the Uninstall option will also remove all the updates.

Do the following:

1. To start uninstalling, open the Control Panel and select Uninstall a program. Then select Qlik
Sense from the list of programs and click Uninstall.
A confirmation screen is displayed asking if you are sure that you want to uninstall Qlik Sense from
your computer. Select the Remove Qlik Sense certificates and data folders checkbox if you want
to remove all files from the machine ready for a new configuration.

If the machine is a central node in a Qlik Sense site, there may be rim nodes on other machines that require access

You can also uninstall Qlik Sense by double-clicking the Qlik_Sense_setup.exe file and then selecting Uninstall fro

2. Click Uninstall to start uninstalling Qlik Sense.
If User Account Control (UAC) is disabled, the uninstall starts.
If UAC is enabled, the User Account Control dialog is displayed.
Click Yes to start the uninstall.

The progress of the uninstall process is displayed. When finished the uninstall dialog confirms that
Qlik Sense has been uninstalled successfully.
3. Click Finish.

You have now uninstalled Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

4 Backup and restore Qlik Sense Enterprise on
Windows
To ensure that your Qlik Sense site can be recovered in the event of a system failure or when a node in your
deployment needs to be moved or replaced, we recommend that you create regular backups. These backups
are used to restore your Qlik Sense site when needed.

If you creating a backup to upgrade from a synchronized persistence deployment to a shared persistence
deployment, see Upgrading and migrating from synchronized to shared persistence (page 148).

To back up a deployment running Qlik Sense 3.2.x or earlier, refer to the documentation for the release that
you are running.

To backup a Qlik Sense site, you must back up the following:

 Qlik Sense certificates
 Qlik Sense Repository Database
 Shared persistence file share

4.1 Qlik Sense certificates
Qlik Sense uses certificates to secure communication between components that are installed on different
computers. It is recommended that you back up the certificates on the central node in a Qlik Sense site
immediately after installation, s o that they can be restored if needed.

Backed up certificates can be used to restore certificates on the same node as they were exported from. A
backed up server certificate can also be moved from one node of a Qlik Sense site to another node in the
same site. For more information, see Restoring certificates (page 168).

For more information about how to back up the Qlik Sense certificates, see Backing up a Qlik Sense site
(page 178).

4.2 Qlik Sense Repository Database
The Qlik Sense Repository Database is a PostgreSQL database that contains system data and meta data
about apps. The Qlik Sense Repository Database can reside on the central node or on another computer. If
the Qlik Sense Repository Database was installed during setup it will be located on the central node. If the
Qlik Sense Repository Database was installed manually, it may be located on another computer.

The Qlik Sense Repository Database should be backed up on a regular basis to avoid data loss.

For more information about how to back up the Qlik Sense Repository Database, see Backing up a Qlik
Sense site (page 178).

For more information about how to restore the Qlik Sense Repository Database, see Restoring a Qlik Sense
site (page 180).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

4.3 Shared persistence file share
The shared persistence file share is used to store Q lik Sense app data, such as visualizations, and
dimensions and measures. It also stores static content, such as images and extensions, as well as system
logs. It is accessible to all nodes in your Qlik Sense site. The file share can reside either on the same server
as the central node or on another server.

The file share should be backed up on a regular basis to avoid data loss.

For more information about how to back up the file share, see Backing up a Qlik Sense site (page 178).

For more information about how to restore the file share, see Restoring a Qlik Sense site (page 180).

Rim nodes maintain local log files that may be worth backing up in order to identify and investigate issues. It may also be

4.4 Backing up certificates
When you install Qlik Sense, you should create a backup of the certificates on the central node.

Do the following:

1. Open a command prompt, and launch the Microsoft Management Console (mmc) as the user that
runs the Qlik Sense services.
2. Select File>Add/Remove Snap-in.
3. Double-click Certificates.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

4. Select Computer account and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

5. Select Local computer and click Finish.

6. Double-click Certificates.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

7. Select My user account and click Finish.

8. Click OK.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

9. Expand Certificates (Local Computer) in the left panel.

10. Expand the Trusted Root Certification Authorities folder and select the Certificates folder.
11. Right-click the certificate that is Certificate Authority (CA) for all nodes in the Qlik Sense site and
select All Tasks>Export. The CA is named <computer_that_issued_the_certificate>-CA by default.

12. Click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

13. Select Yes, export the private key and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

14. Select Personal Information Exchange.
15. Tick the Export all extended properties box and then click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

16. Enter and confirm a password. Then click Next.
The password is needed when importing the certificate.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

17. Enter a file name for the .pfx file and click Next.

It is recommended to include the server name in the file name to avoid confusion with other certificate files.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

18. Click Finish.
The .pfx file that contains the CA for all nodes in the Qlik Sense site is stored in the selected location.

19. Starting at step 11, repeat the procedure and export the server certificate (that is, the SSL certificate),
which is located under Certificates (Local Computer)>Personal>Certificates. The server
certificate a) has the same name as the Domain Name System (DNS) name of the machine, and b) is
signed by the CA for all nodes in the site.
20. Starting at step 11, repeat the procedure and export the client certificate (that is, the ID of the client),
which is located under Certificates - Current User>Personal>Certificates. The client certificate is
named QlikClient and is signed by the CA for all nodes in the site.
21. Close the MMC console.
No changes need to be saved.

4.5 Restoring certificates
In case of a system crash, the certificates may need to be restored on the central node of your Qlik Sense
site.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

1. Open the Task Manager in Microsoft Windows and stop all Qlik Sense services except the Qlik Sense
Repository Database (QRD) service.
2. Open a command prompt, and launch the Microsoft Management Console (mmc) as the user that
runs the Qlik Sense services..
3. Select File>Add/Remove Snap-in.
4. Double-click Certificates.

5. Select Computer account and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

6. Select Local computer and click Finish.

7. Double-click Certificates.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

8. Select My user account and click Finish.

9. Click OK.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

10. Expand Certificates (Local Computer) in the left panel.

11. Right-click the Trusted Root Certification Authorities folder and select All Tasks>Import.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

12. Click Next.

13. Browse to the file that contains the backed up Certificate Authority (CA) for all nodes in the site and
then click Next. The CA is named <computer_that_issued_the_certificate>-CA by default.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

14. Enter the password for the .pfx file (that is, the password that was given when the file was exported).
15. Select Mark this key as exportable and Include all extended properties. Then click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

16. Select Place all certificates in the following store and click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

17. Click Finish.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

18. Click the Refresh button ( ) and check that the imported CA is available in the Trusted Root

Certification Authorities folder.
19. Starting at step 11, repeat the procedure and import the server certificate to Certificates (Local
Computer)>Personal>Certificates. The server certificate a) has the same name as the Domain
Name System (DNS) name of the machine, and b) is signed by the CA for all nodes in the site.
20. Starting at step 11, repeat the procedure and import the client certificate (that is, the ID of the client)
to Certificates - Current User>Personal>Certificates. The client certificate is named QlikClient
and is signed by the CA for all nodes in the site.
21. Close the MMC console.
No changes have to be saved.

22. Start the Qlik Sense services. If the services are started manually, start them in the following order:

If you are restoring the certificates as part of the procedure, do not start the Qlik Sense services.

a. Qlik Sense Service Dispatcher(QSD)
b. Qlik Sense Repository Service (QRS)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

If the user running Qlik Sense services is not local administrator on the machine, you need to
start Repository.exe from an elevated command prompt using the -bootstrap parameter.
Services (page 31)
c. Qlik Sense Proxy Service (QPS), Qlik Sense Engine Service (QES), Qlik Sense Scheduler
Service (QSS), and Qlik Sense Printing Service (QPR) in no specific order
The start-up order is important. During start-up the QRS must be able to contact the Qlik License
Service, which is managed by the QSD. The other services are dependent on the QRS. The QS
D must therefore be running when the QRS is started.

4.6 Backing up a Qlik Sense site
Backing up a Qlik Sense site includes backing up the following:

 Repository database: The database contains all configuration data for the site
 Log data: The centralized logging database
 The file share: The shared folder in that contains application data, such as data models used in the
Qlik Sense apps, and QVD files

To restore your Qlik Sense deployment you will also need a back up of your Qlik Sense certificates. For more
information, see Backing up certificates (page 159).

You must perform this backup procedure on each of the nodes that host the components listed above.

Rim nodes maintain local log files that may be worth backing up in order to identify and investigate issues. It may also be

Do the following:

1. Stop all Qlik Sense services except the Qlik Sense Repository Database (QRD), on every node in your
deployment.
2. Make a backup of the repository database by creating a database dump file:
a. Open a Command Prompt in Microsoft Windows.
b. Navigate to the location where the PostgreSQL repository database is installed.

If your deployment includes a local database on the central node that was installed using the Qlik Sense setu
%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin.

If you installed PostgreSQL manually, the location will be:
%ProgramFiles%\PostgreSQL\<database version>\bin.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

c. Run the following command:
pg_dump.exe -h localhost -p 4432 -U postgres -b -F t -f "c:\QSR_backup.tar" QSR
If you are prompted for the PostgreSQL super user password, enter the password that was
created during the Qlik Sense setup.

To avoid being prompted for the password (for example, if you want to automate the Qlik Sense backup proc

3. Make a backup of all of the content in the file share.
4. If you have centralized logging configured, make a backup of the centralized logging database by
running the following command:
pg_dump.exe -h localhost -p 4432 -U postgres -b -F t -f "c:\QLogs_backup.tar" QLogs

5. Make a backup of any locations where content that supports the Qlik Sense environment may be kept
(for example, QVD files created by load scripts).
6. Restart the Qlik Sense services.

Backing up the Qlik Sense Repository Database after uninstalling
Qlik Sense

We recommend creating your database dump file before you uninstall Qlik Sense.

If you uninstall Qlik Sense before creating the database dump file, do the following:

1. Copy the PostgreSQL folder from % ProgramData%\Qlik\Sense\Repository\PostgreSQL to a

temporary location outside of the %ProgramData% folder.
2. Download and install PostgreSQL version 9.6 from the PostgreSQL website. See: Installing and
configuring PostgreSQL (page 115).
3. Open a Command Prompt in Microsoft Windows.

The pg_ctl.exe command should not be run as an administrator.

4. Navigate to the location where the PostgreSQL repository database is installed.

If your deployment includes a local database on the central node that was installed using the Qlik Sense setup progr
%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin.

If you installed PostgreSQL manually, the location will be:
%ProgramFiles%\PostgreSQL\<database version>\bin.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

4. Run the following commands:
a. pg_ctl.exe start -w -D "C:\SenseDB\9.6"

b. set PGUSER=postgres

c. set PGPASSWORD=password

d. pg_dumpall.exe > [<path to dump file>]

e. pg_ctl.exe stop -w -D "C:\SenseDB\9.6"

If you are prompted for the PostgreSQL super user password, enter the password that was created
during the Qlik Sense setup.

To avoid being prompted for the password (for example, if you want to automate the Qlik Sense backup process), yo

4.7 Restoring a Qlik Sense site
Consider the following when restoring a site:

 Qlik Sense software
 If you want to restore the site to a central node with a new hostname, see Restoring a Qlik Sense site
to a machine with a different hostname (page 181).

 Repository database: The database contains all configuration data for the site.
 Certificates for the Qlik Sense services: The certificates are used to encrypt the traffic between the
services and the users. Make sure to backup the certificates in order not to lose any encrypted dat
a (for example, passwords for data connections).
 Log data
 Application data: The data models in the Qlik Sense apps.
 Any content that supports the apps (for example, QVD files)

When performing the procedure below you must log in using an account that had the Root Admin role when
the site was backed up. If you log in using a local admin account and the machine name is different, your
permissions will not follow through.

Do the following:

1. Restore the certificates used to secure the Qlik Sense services.
Restoring certificates (page 168)

2. Install Qlik Sense on the computer where you plan to restore.

Make sure to deselect Start the Qlik Sense services when the installation has completed during the installation s

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

3. Start the Qlik Sense Repository Database (QRD).
4. Restore the repository database:
a. Place the backed up repository database on the machine targeted for the restore.
b. Open a Command Prompt with administrator privileges in Microsoft Windows.
c. Run the following commands to restore the repository database (adjust the paths as needed):
i. cd "%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin"
ii. createdb -h localhost -p 4432 -U postgres -T template0 QSR
If the command fails because a database already exists, run the following command
and then repeat the createdb command:
dropdb -h localhost -p 4432 -U postgres QSR
iii. pg_restore.exe -h localhost -p 4432 -U postgres -d QSR "c:\QSR_backup.tar"
5. Restore log and application data to t he file share used for storage of log and application data.
6. Restore any supporting content to its original location as required.
7. Start the Qlik Sense services. If the services are started manually, start them in the following order:
a. Qlik Sense Service Dispatcher(QSD)
b. Qlik Sense Repository Service (QRS)
If the user running Qlik Sense services is not local administrator on the machine, you need to
start Repository.exe from an elevated command prompt using the -bootstrap parameter.
Services (page 31)
c. Qlik Sense Proxy Service (QPS), Qlik Sense Engine Service (QES), Qlik Sense Scheduler
Service (QSS), and Qlik Sense Printing Service (QPR) in no specific order
The start-up order is important. During start-up the QRS must be able to contact the Qlik License
Service, which is managed by the QSD. The other services are dependent on the QRS. The QS
D must therefore be running when the QRS is started.

Restoring a Qlik Sense site to a machine with a different hostname
You can restore a Qlik Sense site to a machine with a host name that is different from the site that you
backed up. However, if the machine is a central node in a multi-node site, you need to slightly adapt the
procedure as follows:

 All rim nodes need to be reset, that is, you need to remove them and then add them again.
 Run repository.exe -bootstrap -standalone -restorehostname from an elevated command prompt to
start the Qlik Sense Repository Service (QRS). When QRS is up and running, restart the QRS without
-restorehostname.
See: Services (page 31)

The parameter '-standalone' means that Repository runs as a normal executable process (as opposed to running as a serv

When restoring your site, you must log in using an account that had the Root Admin role when the site was
backed up. If you log in using a local admin account and the machine name is different, your permissions will
not follow through.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

Backing up the current server
Perform the following steps on the server machine that you want to restore to a different server.

1. Create a local folder called Backup or something similar to store the files you want to restore later. For example: C:\

ProgramData\Qlik\Sense\Repository\Backup.
2. Open the Qlik Management Console (QMC) by entering the QMC address in your browser.
By default, the QMC address is https://<QPS server name>/qmc.
3. In QMC, go to the Certificates section and export new certificates using the FQDN of the new server.
Ensure that you include the private key and the certificates must be in the Windows format.
4. Backup your certificates using the Microsoft Management Console (MMC). For detailed steps, see
Backing up certificates (page 159). On your original server, export the following certificates from the
QMC to your Backup folder. Ensure that you export the private key.
 client
 root
 server

5. On the service cluster, open the your backup location QMC, Cluster Settings, copy the full UNC path
of the QlikShare (the full path name including back slashes), for example \\<computer_ name>\
QlikShare
6. In Windows, Services, stop all services, except the Qlik Sense Repository Database.
7. Backup the QSR database. For detailed instructions, see Backing up a Qlik Sense site (page 178).
Copy the database dump file to your backup folder.
8. Copy all sub folders from the QlikShare (the path specified in the Service Cluster section of the
QMC) to your backup folder.
9. Copy your Backup folder from the current folder to the same location on your target machine.

Restoring to a machine with a different host name
Perform the following steps on the target server machine, where you want to restore Qlik Sense.

1. Create a QlikShare folder on the target server computer. For example, create a folder called
QlikShare on the C:\ drive.
2. Move your backup folder and database dump file to your target server machine.
3. Restore the the following backed up certificates from the old machine used to secure the Qlik Sense
services:
 client
 root
 server
Use the MMC to import them to your target server. Ensure that you mark the certificates as
exportable. For detailed steps, see Restoring certificates (page 168)
4. Install the same version of Qlik Sense on the computer where you plan to restore. Do not start the
services until you have finished the configuration steps.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

Make sure to deselect Start the Qlik Sense services when the installation has completed during the installation

5. Start the Qlik Sense Repository Database (QRD) service.
6. Restore the backup copy of the repository database:
a. Open a Command Prompt with administrator privileges in Microsoft Windows.
b. Run the following command to restore the repository database on a clean server:
 "pg_restore.exe -h localhost -p 4432 -U postgres -d QSR "c:\QSR_backup.tar"

You may need to adjust the path "c:\QSR_backup.tar" depending on where you backed up your database dum

If running this command on a server where a repository database may have been previously
installed, you may get the following error message:
pg_restore: [archiver (db)] connection to database "QSR" failed: FATAL: database "QSR"
does not exist
If you get this error, follow the steps below:
i. Navigate to: cd "%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database
version>\bin"

ii. Run createdb -h localhost -p 4432 -U postgres -T template0 QSR.

If the command fails because a database already exists, you get the following error
message: createdb: database creation failed: ERROR: database "QSR" already
exists

iii. Run dropdb -h localhost -p 4432 -U postgres QSR to drop the database.

iv. Execute the createdb command again. createdb -h localhost -p 4432 -U postgres
-T template0 QSR

7. Restore the log and application data to t he QlikShare folder.
8. To launch Qlik Sense with the new hostname:
a. Open a Command Prompt with administrator privileges in Microsoft Windows.
b. Change the directory to the Repository installation path
 Default path: C:\"Program Files"\Qlik\Sense\Repository
c. Execute the following command:
Repository.exe -bootstrap -standalone -restorehostname
When the command has completed successfully check for erros in the logs and the following
message is displayed:
Bootstrap mode has terminated. Press ENTER to exit..
9. Start the Qlik Sense services. If the services are started manually, start them in the following order:
 Qlik Sense Service Dispatcher
 Qlik Logging Service
 Qlik Sense Repository Service
 Qlik Sense Proxy Service
 Qlik Sense Engine Service

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

4 Backup and restore Qlik Sense Enterprise on

 Qlik Sense Scheduler Service
 Qlik Sense Printing Service
10. Try to access the QMC or the Hub to verify that the migration has been successful. Also, from the Qlik
Management Console reload the monitoring apps to verify that your certificates have been installed
correctly.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

5 Qlik Sense Enterprise on Windows security
Security in Qlik Sense Enterprise on Windows consists of the following:

 Protection of the platform
How the Qlik Sense platform itself is protected and how it communicates and operates.
 Authentication
Who is the user and how can the user prove it? Qlik Sense uses standard authentication protocols (for
example, Integrated Windows Authentication), HTTP headers, and ticketing to authenticate every
user requesting access to data.
 Authorization
What does the user have access to? Authorization is the procedure of granting or denying users
access to resources.
 Auditing
The Qlik Sense platform tracks changes in the repository database, provides comprehensive a udit and
security logging, and monitors applications.
 Confidentiality
Qlik Sense protects confidentiality by:
 encrypting network connections with Transport Layer Security (TLS)
 leveraging the operating system file system and server access controls to protect content on
Qlik Sense nodes
 protecting memory using operating system controls
 securing application access at the resource level
 encrypting sensitive information (e.g. passwords and data connection strings) with AES-256
encryption
 protecting app data using data reduction and data encryption
 Integrity
Operating system controls like the file system are leveraged to provide integrity by protecting data at
rest, encrypting sensitive information, and preventing data write back to the source system.
 Availability
Qlik Sense deployed in a multi-node environment is designed for resiliency and reliability.

5.1 Certificates
A certificate is a data file that contains keys that are used to encrypt communication between a client and a
server in a domain. Certificates also confirm that the domain is known by the organization that issued the
certificate. A certificate includes information about the keys, information about the identity of the owner, and
the digital signature of an organization that has verified that the content of the certificate is correct. The pair
of keys (public and private keys) are used to encrypt communication.

Qlik products use certificates when they communicate with each other. They also use certificates within
products, for communication between components that are installed on different computers. These are
standard TLS certificates.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows
The organization that issues the certificate, the certificate authority, is said to “sign” the certificate. You can
arrange to get certificates from a certificate authority, to show your domain is known. You can also issue and
sign your own (“self-signed certificates”).

Some common errors

Because it generally important for security to know whether a site is known, browsers will display error
messages related to certificates and might block communication.

Some common errors are related to the certificate authority. For example, if there is no certificate authority or
if the certificate has expired, the default level of security in most browsers will stop communication with a
message about “ unsigned certificates”, “expired certificates”, or similar terms. If your security administrators
know that the certificate is still good, you can create an exception so the error is ignored for that certificate.

Other common errors are related to how the domain is named. For example, companyname.com is a
different domain from www.companyname.com, and localhost is a different domain from a server name. A
fully qualified domain name is an unambiguous name for a domain. For example, a server at
companyname.com might be named mktg-SGK, and can be referred to that way, but the fully qualified
domain name is mktg-SGK.companyname.com. (This is called whitelisting.)

Encryption and keys

The kind of encryption used in certificates in Qlik products requires a pair of keys (asymmetric encryption).
One key, the public key, is shared. The other key, the private key, is used only by the owner.

PEM is an ASCII text format for public certificates. It is portable across platforms.

You can get certificates and key pairs from certificate authorities or you can generate them. To get a
certificate signed, you will need to also generate a signing request.

5.2 Protecting the platform
The security in Qlik Sense does not depend only on the Qlik Sense software. It also relies on the security of
the environment that Qlik Sense operates in. This means that the security of, for example, the operating
system and the cryptographic protocols (such as TLS/SSL) has to be set up and configured to provide the
security needed for Qlik Sense.

Network security
For all Qlik Sense components to communicate with each other in a secure way, they need to build trust.

In Qlik Sense, all communication between the Qlik Sense services and clients is based on web protocols. The
web protocols use Transport Layer Security (TLS) for encryption and exchange of information and keys and
certificates for authentication of the communicating parties.

TLS provides a way to build encrypted tunnels between identified servers or services. The parties that
communicate are identified using certificates. Each tunnel needs two certificates; one to prove to the client
that it is communicating with the right server and one to prove to the server that the client is allowed to
communicate with the server.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows
So, how to make sure that the certificates are from the same Qlik Sense trust zone? All certificates that
belong to a trust zone are signed with the same signature. If the signature exists in the certificate, it is
accepted as proof that the certificate belongs to the trust zone.

When the protected tunnels and the correct certificates are in place, the Qlik Sense services have a trust zone
to operate within. Within the trust zone, only services that belong to the specific Qlik Sense site can
communicate with each other.

The Qlik Sense clients are considered to be outside of the Qlik Sense trust zone because they often run on
less trusted end-user devices. The Qlik Sense Proxy Service (QPS) can bridge the two zones and allow
communication between the clients and the Qlik Sense services, if the user is authenticated to the system.

TLS-protected tunnels can be used to secure the communication between the Qlik Sense clients and the
QPS. As the clients are outside of the Qlik Sense trust zone, the communication between the clients and the
QPS uses a certificate with a different signature than the one used within the trust zone.

Server security
Qlik Sense uses the server operating system to gain access to resources. The operating system provides a
security system that controls the use of the server resources (for example, storage, memory, and CPU). Qlik
Sense uses the security system controls to protect its resources (for example, files, memory, processes, and
certificates) on the server.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

Through the use of access control, the security system grants access to Qlik Sense files (for example, log
files, database files, certificates, and apps) only to certain users on the server.

The security system also protects the server memory, so that only authorized processes are allowed to write
to the Qlik Sense part of the memory.

In addition, the security system is responsible for assigning users to processes. This is used to restrict who is
allowed to interact with the Qlik Sense processes on the server. The processes are also restricted in terms of
which parts of the operating system they are allowed to access.

So, by using the controls in the security system, a secure and protected environment can be configured for
the Qlik Sense processes and files.

Process security
Each process executes in an environment that poses different threats to the process. In this layer of the
security model, the focus is on ensuring that the software is robust and thoroughly analyzed from a security
perspective.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

Rugged software
For software to be considered as rugged, it must cope with all potential threats to the confidentiality, integrity,
and availability of the information, and be robust when used in ways not anticipated.

Several mitigating actions have been implemented in the Qlik Sense software in order to make it rugged:

 Authorization of communication using certificates
 Validation of all external data that is sent to the system
 Encoding of content to avoid injection of malicious code
 Use of protected memory
 Encryption of data
 Audit logging
 Use of checksums
 Isolated execution of external components
 Escaping of SQL data

Threat analysis
To ensure that the Qlik Sense software is secure and rugged, threat analysis of the design has been
performed as part of the development process. The following threat areas, often abbreviated as STRIDE,
have been covered:

 Spoofing
 Tampering
 Repudiation
 Information disclosure
 Denial of service
 Elevation of privilege

In addition to the threat analyses, exploratory security testing has also been performed on the Qlik Sense
software.

App security
The major components of the Qlik Sense app security are:

 Access control system: The access control system grants users access to the resources in Qlik Sense.
See Access control

Data reduction: The data reduction functionality is based on the concept of section access, which is a
way to dynamically change which data a user can view. This makes it possible to build a
pps that can
be used by many users, but with different data sets that are dynamically created based on user
information. The reduction of data is performed by the Qlik Sense Engine Service (QES).
See Data reduction
 Data encryption: Sensitive data in QVF and QVD files is encrypted with customer supplied key pairs
which allows you to control who gets access to your data. The encryption keys are managed through

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

certificates, that must be stored in a certificate store for the user running the Qlik Sense Engine
Service (QES).
See Data encryption

Using these components, the resources and data (that is, the content) consumed by the Qlik Sense users can
be secured.

5.3 Authentication
All authentication in Qlik Sense is managed by the Qlik Sense Proxy Service (QPS). The QPS authenticates
all users regardless of Qlik Sense client type. This means that the QPS also authenticates users of the Qlik
Management Console (QMC).

In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In addition, the sources of informati

Qlik Sense always asks an external system to verify who the user is and if the user can prove it. The
interaction between Qlik Sense and the external identity provider is handled by authentication modules.

For a module to communicate with Qlik Sense, it has to be trusted. Transport Layer Security (TLS) and
certificate authentication are used to authorize external components for communication with Qlik Sense.

In Qlik Sense, the authentication of a user consists of three distinct steps:

1. Authentication module: Get the user identity and credentials.
2. Authentication module: Request an external system to verify the user identity using the credentials.
3. Transfer the user to Qlik Sense using the Ticket API, the Session API, headers, or SAML.

The first two steps are always handled by the authentication module. It is up to the authentication module to
verify the user in an appropriate way.

The third step can be performed in the following ways:

 Using the Ticket API, which transfers the user and the user's properties using a one-time ticket.
 Using the Session API, whereby an external module can transfer web sessions that identify the user
and the user's properties to Qlik Sense.
 Using headers, with which a trusted system can transfer the user using HTTP headers. This is a
common solution for integrating with Single Sign-On (SSO) systems.
 Qlik Sense can be configured to allow anonymous users (using, for example, SAML).

See also:
p Protecting the platform (page 186)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

Default authentication module
After a default installation of Qlik Sense, the Qlik Sense Proxy Service (QPS) includes a module that handles
authentication of Microsoft Windows users. The module supports the use of Kerberos and NTLM.

If you want to use Kerberos authentication, you need to make sure that browsers that are used to access the
Qlik Sense are configured to support Kerberos.

The default authentication module requires that the proxy that handles the authentication is part of the Microsoft Windows d

Certificate trust
Qlik Sense uses certificates for authentication. A certificate provides trust between nodes within a site.

Certificate trust requirements
The requirements described in this section must be fulfilled for the certificate trust to function properly.

When using Transport Layer Security (TLS) in Microsoft Windows environments, the private key must be
stored together with the certificate in the Windows certificate store. In addition, the account that is used to
run the Qlik Sense services must have permission to access the certificate private key.

If you want to use TLS 1.2 authentication, you need to enable TLS 1.2 support in the Windows registry of the
server machine. You should consider the impact of enabling TLS 1.2, as this is a global system setting.

Communication ports
To set up certificate trust, the Qlik Sense Repository Services (QRSs) require that the ports listed in the
following table can be opened and used for communication. If any communication passes through a network
firewall, the ports in the firewall must be opened and configured for the services.

Port
Description
no.
4570 Certificate password verification port, only used within multi-node sites by Qlik Sense Repository
Services (QRSs) on rim nodes to receive the password that unlocks a distributed certificate. The
port can only be accessed from localhost and it is closed immediately after the certificate has been
unlocked. The communication is always unencrypted.

This port uses HTTP for communication.

4444 Security distribution port, only used by Qlik Sense Repository Services (QRSs) on rim nodes to
receive a certificate from the master QRS on the central node. The communication is always
unencrypted, but the transferred certificate package is password-protected.

This port uses HTTP for communication.

Ports (page 46)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

Unlocking distributed certificates
When adding a new rim node to a site, the distributed certificate needs to be unlocked.

Certificate trust architecture
Certificates are used within a Qlik Sense site to authenticate communication between services that reside on
different nodes. In addition, certificates can be used to build a trust domain between services that are located
in different domains or areas (for example, internal networks, extranets, and Internet) without having to share
a Microsoft Active Directory (AD) or other user directories.

The architecture is based on the master Qlik Sense Repository Service (QRS) on the central node acting as
the certificate manager or Certificate Authority (CA). The master QRS creates and distributes certificates to
all nodes within a site. The master QRS is therefore an important part of the security solution and has to be
managed from a secure location to keep the certificate solution secure.

The root certificate for the installation is stored on the central node in the site, where the master QRS runs.
All nodes with Qlik Sense services that are to be used within the site receive certificates signed with the root
certificate when added to the master QRS. The master QRS (that is, the CA) issues digital certificates that
contain keys and the identity of the owner. The private key is not made publicly available – it is kept secret by
the nodes. The certificate enables the services in a Qlik Sense deployment to validate the authenticity of the
other services. This means that the master QRS is responsible for making sure that a service that is deployed
on a node is a service within the site.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

After the nodes have received certificates, the communication between the Qlik Sense services is encrypted
using Transport Layer Security (TLS) encryption.

Confirming certificates using Microsoft Management Console
Certificates can be visually confirmed in the Microsoft Management Console (MMC) with the certificate snap-
in added.

If the certificates have been properly deployed, they are available in the locations listed in the table.

Certificate Location

QlikClient Certificates - Current User>Personal>Certificates

<full computer name>- Certificates - Current User>Trusted Root Certification
CA Authorities>Certificates

<full computer name>- Certificates (Local Computer)>Trusted Root Certification
CA Authorities>Certificates

<computer name> Certificates (Local Computer)>Personal>Certificates

Certificate handling
This section describes how the certificates are handled when a Qlik Sense service starts.

Client certificate
This section describes how the master Qlik Sense Repository Service (QRS) on the central node in a site
handles the client certificate when a Qlik Sense service starts.

The client certificate is located in the following place in the Microsoft Windows certificate store:

Current User>Personal>Certificates

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows
When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense
certificates. Depending on the results of the search, the QRS does the following:

 If no client certificate is found, the QRS logs that no certificate was found.
 If only one client certificate is found, the QRS checks if it is valid. If the certificate is not valid, the QRS
logs that an invalid certificate was found.
 If more than one client certificate is found, the QRS deletes all certificates. Duplicates are not
allowed. In addition, the QRS logs the number of valid and invalid certificates that were found and
deleted.

If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the
certificates. For more information, see Services (page 31).

Server certificate
This section describes how the master Qlik Sense Repository Service (QRS) on the central node in a site
handles the server certificate when a Qlik Sense service starts.

The server certificate is located in the following place in the Microsoft Windows certificate store:

Local Computer>Personal>Certificates

When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense
certificates. Depending on the results of the search, the QRS does the following:

 If no server certificate is found, the QRS logs that no certificate was found.
 If only one server certificate is found, the QRS checks if it is valid. If the certificate is not valid, the
QRS logs that an invalid certificate was found.
 If more than one server certificate is found, the QRS deletes all certificates. Duplicates are not
allowed. In addition, the QRS logs the number of valid and invalid certificates that were found and
deleted.

If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the
certificates. For more information, see Services (page 31).

Root certificate
This section describes how the master Qlik Sense Repository Service (QRS) on the central node in a site
handles the root certificate when a Qlik Sense service starts.

The root certificate is located in the following places in the Microsoft Windows certificate store:

Current User>Trusted Root Certification Authorities>Certificates

Local Computer>Trusted Root Certification Authorities>Certificates

When a Qlik Sense service starts, the QRS searches the certificate store to see if there are any Qlik Sense
certificates. Depending on the results of the search, the QRS does the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows

 If no root certificate is found, the QRS logs that no certificate was found.
 If only one root certificate is found, the QRS checks if it is valid. If it is not valid, the QRS logs a fatal
error that an invalid root certificate was found, which means that the service is shut down, and that the
administrator must manually delete any unwanted certificates. In addition, the QRS logs information
abput the certificates that are affected by this.
 If more than one root certificate is found, the QRS logs a fatal error that an invalid root certificate was
found, which means that the service is shut down and that the administrator manually has to delete
any unwanted certificates. In addition, the QRS logs information on the certificates that are affected
by this.

If certificates are found to be missing or invalid, you must run the QRS in bootstrap mode to recreate the
certificates. For more information, see Services (page 31).

In order not to break any certificate trust between machines, the QRS does not remove any root certificates. It is up to the a

Invalid certificate
The definition of an invalid certificate is as follows:

 The operating system considers the certificate to be too old or the certificate chain is incorrect or
incomplete.
 The Qlik Sense certificate extension (OID “1.3.6.1.5.5.7.13.3”) is missing or does not reflect the
location of the certificate:
 Current User/Personal certificate location: Client
 Local Machine/Personal certificate location: Server
 Local Machine/Trusted Root certificate location: Root
 Current User/Trusted Root certificate location: Root
 The server, client, and root certificates on the central node do not have a private key that the operating
system allows them to access.
 The server and client certificates are not signed by the root certificate on the machine.

Maximum number of trusted root certificates
When a Qlik Sense service starts, it checks the number of trusted root certificates on the machine where it is
running. If there are more that 300 certificates on the machine, warning messages containing the following
information are logged:

 There are too many root certificates for the service to trust.
 The Microsoft Windows operating system will truncate the list of certificates during the Transport
Layer Security (TLS) handshake.

If the Qlik Sense root certificate (<host-machine>-CA) that the Qlik Sense client certificate belongs to is
deleted from the list of certificates because of the truncation, the service cannot be authenticated.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 1

5 Qlik Sense Enterprise on Windows
To manually view the root certificates on a machine, open the Microsoft Management Console (MMC) and go
to Certificates (Local Computer)>Trusted Root Certification Authorities.

Authentication solutions
Qlik Sense authentication can be managed with any of the following solutions:

 Ticket solution
 Session solution
 Header solution
 SAML
 JWT
 Anonymous users
 Configuring single sign-on (SSO) from Microsoft SQL (MSSQL) server

Ticket solution
The ticket solution is similar to a normal ticket. The user receives a ticket after having been verified. The user
then brings the ticket to Qlik Sense and, if the ticket is valid, is authenticated. In order to keep the tickets
secure, the following restrictions apply:

 A ticket is only valid for a short period of time.
 A ticket is only valid once.
 A ticket is random and therefore hard to guess.

All communication between the authentication module and the Qlik Sense Proxy Service (QPS) uses
Transport Layer Security (TLS) and must be authorized using certificates.

The figure below shows a typical flow for authenticating a user with tickets.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

1. The user accesses Qlik Sense.
2. Qlik Sense redirects the user to the authentication module. The authentication module verifies the
user identity and credentials with an identity provider.
3. Once the credentials have been verified, a ticket is requested from the QPS. Additional properties
may be supplied in the request.
4. The authentication module receives a ticket.
5. The user is redirected back to the QPS with the ticket. The QPS checks that the ticket is valid and has
not timed out.
6. A proxy session is created for the user.
7. The user is now authenticated.

Session solution
The session solution allows the Qlik Sense Proxy Service (QPS) to use a session from an external system to
validate who the user is.

All communication between the authentication module and the QPS uses Transport Layer Security (TLS)
and must be authorized using certificates.

The figure below shows a typical flow for authenticating a user using a session from an external system.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

1. The user accesses the identity provider, which, for example, can be integrated into a portal. The
identity provider gets the user identity and credentials and then verifies them. After that, the identity
provider creates a new session.
2. The identity provider registers the session token with the Qlik Sense session module.
3. The identity provider sets the session token as a session cookie.
4. The user accesses the QPS to get content (for example, through an iframe in the portal).
5. The QPS validates the session to the session module.
6. If the session is valid and has not yet timed out, the user is authenticated.

The name of the session cookie used by the authentication module can be configured in the Qlik Management Console (QM

Header solution
Header authentication is often used in conjunction with a Single Sign-On (SSO) system that supplies a
reverse proxy or filter for authenticating the user.

The figure below shows a typical flow for authenticating a user using header authentication.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

1. The user accesses the system and authenticates to the reverse proxy.
2. The reverse proxy injects the username into a defined HTTP header. The header must be included in
every request to the Qlik Sense Proxy Service (QPS).
3. The user is authenticated.

For this solution to be secure, the end-user must not be able to communicate directly with the QPS but instead be forced to

The reverse proxy/filter must be configured to preserve the host name, that is, the host header from the client must not be

The name of the HTTP header used for the user can be configured in the Qlik Management Console (QMC).

SAML
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging
authentication and authorization data between parties (for example, between an identity provider and a
service provider). SAML is typically used for web browser single sign-on (SSO).

How SAML works
The SAML specification defines three roles:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

 Principal: Typically a user
 IdP: The identity provider
 SP: The service provider

The principal requests a service from the SP, which requests and obtains an identity assertion from the IdP.
Based on the assertion, the SP decides whether or not to perform the service requested by the principal.

SAML in Qlik Sense
Qlik Sense supports SAML V2.0 by:

 Implementing an SP that can integrate with external IdPs
 Supporting HTTP Redirect Binding for SAML requests
 Supporting HTTP Redirect Binding and HTTP POST Binding for SAML responses
 Supporting SAML properties for access control of resources and data

Limitations:
 Qlik Sense does not support SAML message signature validation.

JSON Web Token (JWT)
JSON Web Token (JWT) is an open standard for secure transmission of information between two parties as a
JavaScript Object Notation (JSON) object. J
WT is used for authentication and authorization. Because JWT enables single sign-
on (SSO), it minimizes the number of times a user has to log on to cloud applications and websites.

How JWT works
A JWT consists of three parts: a header, a payload, and a signature.

 The header usually consists of two parts: type (typ) and algorithm (alg). The algorithm is used to

generate the signature.
 The payload is a JSON object that consists of the claims that you want to make. Claims are
statements about an entity (usually the user) and additional metadata.
 The signature is used to verify the identity of the JWT sender a nd to ensure that the message has not
been tampered with.

Authentication is performed by verifying the signature. If the signature is valid, access is granted to Qlik
Sense.

Limitations
The following limitations exist:

 Encrypted JWTs are not supported.

When using HTTPS, all traffic, including JWTs, are encrypted during transport.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

 Only the following signing algorithms are supported:
o RS256 - RSA signature with SHA256
o RS384 - RSA signature with SHA384
o RS512 - RSA signature with SHA512

Anonymous users
If anonymous use of Qlik Sense is allowed, users who are not authenticated are not automatically redirected
to an authentication module. Instead, the user first gets anonymous access and is then, if the user chooses to
sign in, redirected to the authentication module to supply user identity and credentials.

Configuring single sign-on (SSO) for Microsoft SQL (MS SQL) Server
If your database files access data from MS SQL Server, you can configure t he host server to enable SSO.
ODBC data source single sign-on permits clients to use one Windows authenticated login to access d
ata in shared files.

To configure SSO for M S SQL Server, a Windows domain administrator must do the following:

 Create service principal names (SPN) in Active Directory
 Configure delegation for the Qlik Sense services administrator account
 Configure the Qlik Sense server for SSO
 Configure the MS SQL Server for SSO

The Microsoft SQL Server Connector in the Qlik ODBC Connector Package also supports SSO. If you are using the conn

The same Qlik Sense services administrator account used during the Qlik Sense (central node) installation must be used.

Creating service principal names (SPN) in Active Directory
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used during
authentication to associate a service instance with a service logon account. This allows a client application to
request that a service authenticate an account even if the client does not have the account name. A SPN
always includes the name of the host computer on which the service instance is running, so a service instance
might register a SPN for each name or alias of its host.

Before the authentication service can use a SPN to authenticate a service, the SPN must be registered on
the account object that the service instance uses to log on. A given SPN can be registered on only one
account. For Win32 services, a service installer specifies the logon account when an instance of the service is

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
installed. The installer then composes the SPNs and writes them as a property of the account object in Active
Directory Domain Services. If the account of a service instance changes, the SPNs must be re-registered
under the new account.

When a client connects to a service, it locates an instance of the service, composes an SPN for that instance,
connects to the service, and presents the SPN for the service to authenticate.

To set up SSO for MS SQL server, you must create SPNs for the Q

lik Sense services administrator account. Do the following:

1. Log on as a domain administrator.
2. Open an elevated command prompt.
3. Enter the following to create a SPN for the Qlik Sense services administrator:
setspn -A HTTP/<Qlik_Sense_server>:<port> <domain>\<Qlik_Sense_services_administrator>

The <Qlik_Sense_server> must be entered as the fully qualified domain name of the server.

The <Qlik_Sense_server> is the central node where the Qlik Sense is running.

4. Enter the following to create a SPN for the MS SQL Server services administrator:
setspn -A MSSQLSvc/<server_name>:<port> <domain>\<services_administrator>

The <server_name> must be entered as the fully qualified domain name of the server.

5. Enter the following commands to verify the result of your SPN setup:
a. setspn -L <domain>\<Qlik_Sense_services_administrator> to verify the Q
lik Sense services administrator.
b. setspn -L <domain>\<MS_Sql _server_services_administrator> to verify the MS SQL Server
services administrator.

Configuring delegation for the Qlik Sense services administrator account
Delegation allows a front-end service to forward client requests to a back-end service so that the back-end
service can also impersonate the client. Impersonation is used to check whether a client is authorized to
perform a particular action, while delegation is a way of flowing impersonation capabilities, along with the
client’s identity, to a back-end service.

To configure SSO for M S SQL Server, you must set up delegation rights to the MS SQL Server service for
the Qlik Sense services administrator.

A Windows domain administrator can change the delegation tab on the Qlik Sense services administrator
account properties page.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

1. Log on as a Windows domain administrator.
2. Right click on your Qlik Sense services administrator account and click Properties.
3. Go to the Delegation tab, and select Trust this user for delegation to specified services only,
then select Use any authentication protocol.
4. Click A dd....
5. On the Add Services window, click U sers or Computers....
6. On the Select Users or Computers window, enter the domain and user name of the Microsoft SQL
Server services administrator and click OK.
7. On the Add Services window, select the MS SQL Server service and click OK.

You can verify your delegation configuration on the Delegation tab. The MS SQL Server service should now
be set as the service to which the Qlik Sense services administrator c an present delegation credentials.

Configuring the Qlik Sense server for SSO
To configure the Qlik Sense server for SSO with MS SQL Server, you must:

 Add the Qlik Sense services administrator to the Administrator group on the Qlik Sense server if it's
not already part of that group.
 Add Qlik Sense services administrator as part of the Act as part of the operating system role in the
Local Security Policy.

Do the following:

1. Log on to the Qlik Sense server as an administrator.
2. Open Local Security Policy, and go to Security Settings > Local Policies > User Rights
Assignment.
3. Under Policy, right click on Act as part of the operating system and select Properties.
4. On the Local Security Setting tab, click Add User or Group....
5. Add the Qlik Sense services administrator account, and click OK.

Configuring MS SQL Server
To configure the MS SQL Server for SSO, you must ensure that the MS SQL Server service runs as the MS
SQL Server services administrator.

Do the following:

1. Log on to the MS SQL Server as an administrator.
2. Open the Sql Server Configuration Manager.
3. Select SQL Server Services.
4. Select SQL Server in the right pane and verify that the Log On As column is populated with your
MS SQL Server services administrator account.

You must reboot after making changes to remove the SQL self registration of the SPN under machine account and register

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

5.4 Authorization
Authorization is the procedure of granting or denying users access to resources.

In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In addition, the sources of informati

In Qlik Sense, there are two authorization systems:

 Access control: The access control system grants users access to the resources in Qlik Sense. T he
access control system is implemented in the Qlik Sense Repository Service (QRS) and independent
of the operating system.
 Data reduction: The data reduction functionality is based on the concept of section access, which is a
way to dynamically change which data a user can view. This makes it possible to build a pps that can
be used by many users, but with different data sets that are dynamically created based on user
information. The reduction of data is performed by the Qlik Sense Engine Service (QES).

The two authorization systems are unconnected and configured separately.

Access control
This section describes the different types of access control:

 Resource access control: Is the user allowed to access the app? Which functions in the app is the user
allowed to use (for example, printing, exporting, and snapshots)?

Administrator access control: Which access rights are needed for the different roles and
responsibilities of the administrators?

Resource access control
The resource access control system in Qlik Sense is based on properties. This means that the access is
based on rules that refer to properties connected to resources and users in Qlik Sense.

All authorization to resources is enforced by the Qlik Sense Repository Service (QRS). The QRS only gives
other Qlik Sense services access to resources that the current user is allowed to access.

The resource access control system determines the access based on the following parameters:

 User name and user properties: The user name and user properties are supplied by the Qlik Sense
Proxy Service (QPS) that authenticated the user.
 Action: The method that the user is trying to perform on a resource (for example, create, read, or
print).
 Resource: The entity that the user is trying to perform an action on (for example, app, sheet, or
object).
 Environment: The environment is supplied by the QPS and describes, for example, time, location,
protection, and the type of Qlik Sense client used.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

Resource access control rules
The system administrator can set up rules for the resources access control. The rules are divided into three
parts:

 Resource filter: The resources that the rule applies to.
 Condition: A logical condition that, if evaluated as true, grants access.
 Action: The action that the user is allowed to perform, if the condition is true.

Properties connected to resources or users may be used in the rules. Examples of properties include the
name of user or resource, type of resource, and Active Directory groups for users or custom-defined
properties.

Resource access control streams
To make the management of the Qlik Sense authorization systems efficient, apps can be grouped into
streams. From an authorization perspective, a stream is a grouping of apps that a group of users has read
(often referred to as “subscription”) or publish access to.

By default, Qlik Sense includes the following streams:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

 Everyone: All users have read and publish rights to this stream.
 Monitoring apps: Contains a number of apps for monitoring of Qlik Sense.

Streams are created and managed in the Qlik Management Console (QMC).

Administrator access control
In addition to setting up the access control for the users, it is important to configure the access control for the
administrators so that they get access rights in the Qlik Management Console (QMC) that correspond to thei
r roles and responsibilities.

Common administrator roles include the following:

 RootAdmin
 AuditAdmin
 ContentAdmin
 DeploymentAdmin
 SecurityAdmin

For a presentation of the access rights for the respective administrator roles, see the topic Default
administration roles in the document Manage Qlik Sense sites.

Data reduction
Data reduction is used to determine which data a user is allowed to see: all of it or just parts of it?

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
The data reduction functionality is based on the concept of section access, which is a way to dynamically
change which data a user can view. This makes it possible to build a pps that can be used by many users, but
with different data sets that are dynamically created based on user information. The reduction of data is
performed by the Qlik Sense Engine Service (QES).

The definition of access rights for section access is maintained in the apps and configured through the load
script.

Managing security with section access
You can use section access in the data load script to handle security. In this way, a single file can be used to
hold the data for a number of users or user groups. Qlik Sense uses the information in the section access for
authentication and authorization, and dynamically reduces the data, so that users only see their own data
.

The security is built into the file itself, which means a downloaded file is also protected, to some extent.
However, if security demands are high, downloading of files and offline use should be prevented, and files
should be published by the Qlik Sense server only. A s all data is kept in one file, the size of this file can
potentially be very large.

To avoid exposing restricted data, remove all attached files with section access settings before publishing the app.
Attached files are included when the app is published. If the published app is copied, the attached files are included in the

You must not assign colors to master dimension values if you use section access or work with sensitive data, because th

Sections in the script
Access control is managed through one or several security tables loaded in the same way that Qlik Sense

A snapshot shows data according to the access rights of the user who takes the snapshot, and the snapshot can then be sha
normally loads data. This makes it possible to store these tables in a normal database. The script statements
managing the security tables are given within the access section, which in the script is initiated by the
statement Section Access.

If an access section is defined in the script, the part of the script loading the app data must be put in a
different section, initiated by the statement Section Application.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

Example:

Section
Access; LOAD *
inline [
ACCESS, USERID
USER, User_ID
];
Section Application;
LOAD... ... from...
...

Section access system fields
The access levels are assigned to users in one or several tables loaded within the section access. These
tables can contain several different user-specific system fields, typically USERID, and the field defining the
access level, ACCESS. All section access s
ystem fields will be used for authentication or authorization. The
full set of section access system fields is described below.

ACCESS

Defines what access the corresponding user should have.

Access to Qlik Sense apps can be authorized for specified users or groups of users. In the security table,
users can be assigned to the access levels ADMIN or USER. If no valid access level is assigned, the user
cannot open the a pp.

A person with ADMIN privileges has access to all data in the app. A person with USER privileges can only
access data as defined in the security table.

If section access is used in an on-demand app generation (ODAG) scenario in the template app, the INTERNAL\
SA_API user must be included as ADMIN in the section access table. For example:

Section
Access; LOAD *
inline [
ACCESS, USERID
ADMIN, INTERNAL\SA_API
];

USERID

Contains a string corresponding to a Qlik Sense user name. Q lik Sense will get the login information from the
proxy and compare it to the value in this field.

GROUP

Contains a string corresponding to a group in Qlik Sense. Qlik Sense will resolve the user supplied by the
proxy against this group.

When you use groups to reduce data and want to Qlik Management Console, the INTERNAL\SA_SCHEDULER account u

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

OMIT

Contains the name of the field that is to be omitted for this specific user. Wildcards may be used and the field
may be empty. An easy way of doing this is to use a sub field.

We recommend that you do not apply OMIT on key fields. Key fields that are omitted are visible in the data model viewer,

Qlik Sense will compare the user supplied by the proxy with UserID and resolve the user against groups in the
table. If the user belongs to a group that is allowed access, or the user matches, they will get access to
the app.

If you have locked yourself out of an app by setting section access, you can open the app without data, and edit the access

As the same internal logic that is the hallmark of Qlik Sense is also used in the access section, the security
fields can be put in different tables. All the fields listed in LOAD or SELECT statements in the section
access must be written in UPPER CASE. Convert any field name containing lower case letters in the
database to upper case using the Upper function b efore reading the field by the LOAD or SELECT
statement.

A wildcard, * , is interpreted as all (listed) values of this field, that is. a value listed elsewhere in this table. If
used in one of the system fields (USERID, GROUP) in a table loaded in the access section of the script, it is
interpreted as all (also not listed) possible values of this field.

When loading data from a QVD file, the use of the upper function will slow down the loading speed.

If you have enabled section access, you cannot use the section access system field names listed here as field names in

Example:

In this example, only users in the finance group can open the document.

Access to document
Access Group

USER Finance

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

Dynamic data reduction
Qlik Sense supports dynamic data reduction, in which some of the data in an app can be hidden from a user,
based on the section access login:

 Fields (columns) can be hidden by using the system field OMIT.
 Records (rows) can be hidden by linking the section access data with the real data: The selection of
values to be shown or excluded is controlled by having one or more fields with common names in
section access and section application. After user login, Qlik Sense will attempt to match the
selections in fields in the section access to any fields in the section application with exactly the same
field names (the field names must be written in UPPER CASE). After the selections have been made,
Qlik Sense will permanently hide all data excluded by these selections from the user.

All field names used in the transfer described above and all field values in these fields must be upper case, because all field

If you want to enable reload of the script in a Qlik Management Console task, the INTERNAL\SA_SCHEDULER account

Example: Data reduction based on user id

Section Access;
LOAD * inline
[
ACCESS, USERID, REDUCTION,
OMIT USER, AD_DOMAIN\ADMIN, *,
USER, AD_DOMAIN\A, 1,
USER, AD_DOMAIN\B, 2, NUM
USER, AD_DOMAIN\C, 3,
ALPHA
ADMIN, INTERNAL\SA_SCHEDULER, *,
];
section application;
T1:
LOAD *,
NUM AS
REDUCTION; LOAD
Chr( RecNo()+ord('A')-1) AS ALPHA,
RecNo() AS NUM
AUTOGENERATE 3;
The field REDUCTION (upper case) now exists in both section access and section application (all field values
are also upper case). The two fields would normally be totally different and separated, but using section
access, these fields a re linked and the number of records displayed to the user is reduced.

The field OMIT, in section access, defines the fields that should be hidden from the user.

The result will be:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

 User ADMIN can see all fields and only those records other users can see in this example when
REDUCTION is 1,2, or 3.
 User A can see all fields, but only those records associated to REDUCTION=1.
 User B can see all fields except NUM, and only those records associated to REDUCTION=2.
 User C can see all fields except ALPHA, and only those records associated to REDUCTION=3.

Example: Data reduction based on user groups

Section Access;
LOAD * inline
[
ACCESS, USERID, GROUP, REDUCTION, OMIT
USER, *, ADMIN, *,
USER, *, A, 1,
USER, *, B, 2, NUM
USER, *, C, 3,
ALPHA USER, *,
GROUP1, 3,
ADMIN, INTERNAL\SA_SCHEDULER, *, *,
];
section application;
T1:
LOAD *,
NUM AS
REDUCTION; LOAD
Chr( RecNo()+ord('A')-1) AS ALPHA,
RecNo() AS NUM
AUTOGENERATE 3;
The result will be:

 Users belonging to the ADMIN group are allowed to see all data and all fields.
 Users belonging to the A group are allowed to see d ata associated to REDUCTION=1 across all
fields.
 Users belonging to the B group are allowed to see data associated to REDUCTION=2, but not in the
NUM field

Users belonging to the C group are allowed to see data associated to REDUCTION=3, but not in the
ALPHA field

Users belonging to the GROUP1 group are allowed to see data associated to REDUCTION=3 across
all fields
 The user INTERNAL\SA_SCHEDULER does not to belong to any groups but is allowed to see all
data in all fields.

The wildcard, character *, in this row refers only to all values within the section access table. If there are values in th

Inherited access restrictions
A binary load will cause the access restrictions to be inherited by the new Qlik Sense app.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

5.5 Auditing
Governance is critical in enterprise business intelligence. Qlik Sense delivers auditing, monitoring and
logging using the QMC, applications, and log files to inform administrators and mitigate risks in deployments.

Qlik Sense supports auditing in the following ways:

 The repository database stores information about when the database was last changed and who
made the change.
 The logging framework provides audit and security logs.
 The logs are centrally stored.
 The log format is resistant to injection from the Qlik Sense clients.
 The license logs are signed with a signature to protect them from tampering.

5.6 Confidentiality
Qlik Sense provides confidentiality by encrypting network connections with TLS, leveraging the operating
system file system and server access controls to protect content on Qlik Sense nodes, protecting memory
using operating system controls, securing application access at the resource level, encrypting sensitive
information (e.g. passwords and data connection strings), and protecting app data using data reduction.

Qlik Sense supports confidentiality in the following ways:

 The network uses Transport Layer Security (TLS) for encryption and certificates for authentication.
 The information stored in the file share and the repository database, including Qlik Sense content, is
protected by the operating system using server access control and file system controls.
 The process memory and loaded data for Qlik Sense are protected by the physical server and the
operating system controls.
 The apps are secured using access control on the resource level.

Sensitive information (for example, passwords and connection strings) that is used to access external
data sources is stored with AES-256 encryption.
 The app data is protected using data reduction and data encryption.

5.7 Integrity
Qlik Sense provides integrity through operating system controls like the file system to protect data at rest,
encrypt sensitive information, and prevent data write back to the source system.

Qlik Sense supports integrity in the following ways:

 Stored data is protected using the operating system controls (for example, the file system).

Sensitive information (for example, passwords and connection strings) that is used to access external
data sources is stored with AES-256 encryption.

Qlik Sense does not support write back to the source system (that is, the Qlik Sense clients cannot
edit the data sources).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

Database security
In shared persistence deployments the network traffic between the servers, the database and
the file share is not encrypted by default after an installation. You may also need to consider
setting up replication of the database to handle cases where the central database fails.

Maintaining database password integrity
Here are some guidelines to maintain password integrity in a Qlik Sense shared persistence deployment.

 It is important that you disable the Store password option for your user in PostgreSQL. If this option
is enabled, the password is stored in a file, and incoming connections without a password will be able
to connect to the database.
 Change password by executing this query in the PostgreSQL database:
ALTER USER <user> WITH PASSWORD '<newpassword>';
ALTER ROLE is displayed after successfully changing the password.
Do not change password in the PostgreSQL user interface for the same reasons as above.
 Use md5 hashing.
 Do not set your password to PASSWORD '', that is, an empty string, since this is not handled well in
PostgreSQL.

Database traffic encryption
Qlik Sense supports database traffic encryption using SSL, but you need to perform some manual
configuration to setup SSL and MD5 password protection in a shared persistence deployment.

The Qlik Sense installer cannot use SSL encryption for establishing connection to PostgreSQL. When SSL encryption is

Do the following:

1. Edit the following values in postgresql.conf:
listen_addresses =
'*' port = 4432
ssl = on
ssl_cert_file = 'server.pem'
ssl_key_file = 'server_key.pem'
#ssl_ca_file = ''
#ssl_crl_file = ''

2. Add the following lines in pg_hba.conf
hostssl all all all md5

3. Remove any other lines starting with hostssl or host in pg_hba.conf.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

4. Copy server.pem, and server_key.pem from
%PROGRAMDATA%\Qlik\Sense\Repository\Exported Certificates\.Local Certificates to
%PROGRAMDATA%\Qlik\Sense\Repository\PostgreSQL\9.6 .
5. Use the Connection String Editor to add the following setting to the repository.exe.config on the
central node, and all rim nodes that belong to the cluster. To open the Connection String Editor, navigate to C:\
Program Files\Qlik\Sense\Repository\Util\QlikSenseUtil and open t he QlikSenseUtil.exe file as an administrator.
6. In the Connection String Editor tab, click Read to open the Repository.exe file connection string.
7. Add ‘Ssl Mode=Require;’ to the connection string:
<add name="QSR" connectionString="User ID=qliksenserepository;Ssl
Mode=Require;Host='fullhostname.com';Port='4432';Database=QSR;Pooling=true;Min Pool Size=0;Max
Pool Size=90;Connection Lifetime=3600;Unicode=true;Password='randompass';"
providerName="Devart.Data.PostgreSql" />
<add name="QSMQ" connectionString="User ID=qliksenserepository;Ssl
Mode=Require;Host='fullhostname.com';Port='4432';Database=QSMQ;Pooling=true;Min Pool
Size=0;Max Pool Size=90;Connection Lifetime=3600;Unicode=true;Password='randompass';"
providerName="Devart.Data.PostgreSql" />

8. Click Save value in config file encrypted to save your changes.
9. Start all Qlik Sense services and verify that everything works.
10. Verify the authentication using the pgAdmin tool in PostgreSQL:
Users postgres and qliksenserepository must enter a valid password to connect.

Forcing the database connection to use TLS 1.2 only
You can configure the database connection to support TLS 1.2 only, and block connections using TLS 1.1 or
lower.

Do the following:

 Add the following parameter to the connection string: "SSL TLS Protocol=1.2"

We recommend these additional configuration changes to maintain database integrity:

 Configure the database to only accept connections from servers where the repository is running.
 Configure SSL to reject weak cipher suites by adding this line to the file postgresql.conf:
ssl_ciphers = 'DEFAULT:!LOW:!EXP:!eNULL:!aNULL:!MD5:!RC2:!RC4:!DES:@STRENGTH'

Encrypting database connection for services controlled by the Qlik Sense
Service Dispatcher
The following code snippets can be used to enable database encryption for the following services controlled
by the Qlik Sense Service Dispatcher.

1. Licenses service: In C:\Program Files\Qlik\Sense\

Licenses\appsettings.json:

{
"licenses": {
"host": "localhost",
"port": 4432,

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
"dbName": "Licenses",
"user": "qliksenserepository",
"password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABuvYPntQ2k+cR8K7frd+MQQAAAACAAAAAAAQZgAAAAEAACAAAAD8/TGvNzoDOPCleEy
nZCIfw+q/cpFaHRLcsRuR2cXjSgAAAAAOgAAAAAIAACAAAABSZavuu/lRWW2s92wdDbOeUW2sHSZP8sXI0PfPyAT7ZSAAAAD4GqZ
dVQacn/SzaN03617zNLfzg1owMethVPGOp2bv2UAAAADsFbcNkIOY4CEBJ/jh2djgfVEWu0L2Q8nipfWxyMg3NO5xLEGxUTpZ0ri
J+J9LRX9WyW84tkAToP4pexntagZ+",
"sslMode": "require"
},
"messageQueue": {
"host": "localhost",
"port": 4432,
"dbName": "QSMQ",
"user": "qliksenserepository",
"password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABuvYPntQ2k+cR8K7frd+MQQAAAACAAAAAAAQZgAAAAEAACAAAAA78d6YdDM+L1OGg0C
/d1irzf3Ml4/cskYQxB4A/DvyfwAAAAAOgAAAAAIAACAAAACTpVvY32teeFMJbZNsSSC/4xqaOF5j5BT7TlCA/RWkgiAAAADaOOt
bEjL6DpP1sPh8optOF+diHuM2gpxFzmmfDtubF0AAAAD9ujXzsYyW53yVVUQUMtJNfoZnz6y40wdU0LcSoMACuCSt4W5vryetKdR
AQF7jn1P1b5RNt4+xONi17d4bPJsl",
"sslMode": "require"
}
}
2. App distribution service: In C:\Program Files\Qlik\Sense\

AppDistributionService\appsettings.json:

"Postgres": {
"Host": "localhost",
"Port": 4432,
"Database": "SenseServices",
"Username": "qliksenserepository",
"Password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABuvYPntQ2k+cR8K7frd+MQQAAAACAAAAAAAQZgAAAAEAACAAAACEws1dK+PEB5TNRkr
MpmMguUuMYKQx/StRpcT08T4mSgAAAAAOgAAAAAIAACAAAAD9CE26tQn2no6qttNjzyqeBZQkgIYl49lw98Fvy6TyriAAAAA2LiB
pizUuEgfSlXKZHgrD4bdy12ErkG3zD3afabBmBkAAAAAZGqqheCccUlCnhEMiMjCbIEcyPfLQKmtJ5cXHNHSN2S9kTdAJjnZi5N9
DiQi+0PhxgHFFPapwsqvSvJbDrgXs",
"ConnectionRetryPolicy": {
"MaxRetries": 10,
"RetryTimeMs": 100
},
"Security": {
"Enable":
true,
"ServerCertificate": {
"Path": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local
Certificates\\server.pem",
"PrivateKeyPath": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local Certificates\\
server_key.pem"
},
"RootCertificate": {
"Path": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local
Certificates\\root.pem"
}
}
},
3. Hybrid deployment service:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
In C:\Program Files\Qlik\Sense\HybridDeploymentService\appsettings.json :

"Postgres": {
"Host": "localhost",
"Port": 4432,
"Database": "SenseServices",
"Username": "qliksenserepository",
"Password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABuvYPntQ2k+cR8K7frd+MQQAAAACAAAAAAAQZgAAAAEAACAAAADKcv4roLbsaB0VW9X
BLAyHp+d/+C7m31sSQg0vhBIKdAAAAAAOgAAAAAIAACAAAADce1TO9aFSv0NgUHYt5fjvKd/W+vTEnsfXT4uXAcKpUiAAAAAHZVo
Gx2tMg/zUVqykZVtAVngR2BtNcrklz0zG2z90QUAAAACQUSC0gv71htU90HA51n1VVXSTUBlGfVTo0nc/zqoIujyAcMi8svRQHJL
ZlaE9OhQM+SnKUTlYvs7JkQ4FquSg",
"Security": {
"Enable":
true,
"ServerCertificate": {
"Path": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local
Certificates\\server.pem",
"PrivateKeyPath": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local Certificates\\
server_key.pem"
},
"RootCertificate": {
"Path": "C:\\ProgramData\\Qlik\\Sense\\Repository\\Exported Certificates\\.Local
Certificates\\root.pem"
}
}
},
4. Precedents service: In C:\Program Files\Qlik\Sense\

PrecedentsService\appsettings.json:

"Postgres": {
"Host": "localhost",
"Port": 4432,
"Database": "SenseServices",
"Schema": "precedents_service",
"Username": "qliksenserepository",
"Password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAABuvYPntQ2k+cR8K7frd+MQQAAAACAAAAAAAQZgAAAAEAACAAAAACA3w4vDFBOOzXIqT
dnacAgNMivnBG7hKwyRtFcNfSzAAAAAAOgAAAAAIAACAAAADLvmc6D5Jbkt+mN3DJwBCTZTIu72BTbCPTD1qh6b5ToiAAAACw+tq
wiH2adN8FslbdQg3hm4ShT6fv8kbBSMqapTJ6d0AAAACiSEovBVjcN8Y65jj7EoupznENLc+JPvh6iDVt3G9PuaAVMBEBF5VF9YC
5h+JFOZgbRbesppullY8/E9tcjBff",
"Secure": {
"Enable":
true
}
},
5. Notifier service: In C:\Program Files\Qlik\Sense\

NotifierService\appsettings.json:

{
"qsmq": {
"host": "localhost",
"port": 4432,
"database": "QSMQ",
"user": "qliksenserepository",
"password":

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAr/UQ7Qw2UkKeUZc0tKzpuAQAAAACAAAAAAAQZgAAAAEAACAAAACH6Y8cTrKGnDeaCwn
DdIG5GVZyVs8FWozTBMJdysKTzQAAAAAOgAAAAAIAACAAAADTJstqSpIU9o6n3xzLXRqJFHgx3chZqxnssHJvV7bkdRAAAABP7Qc
qZrgEe9F4K5AoAGBZQAAAAP+8Sewi+NlB6TOBS+pSlxMKyTKJD1vqa8TzcOdep54sBJfiEjLu2qlq0YKN4DnI/KCMMLMVHdaMm1q
zk9wlolM=",
"ssl": "true"
},
"senseServices": {
"host": "localhost",
"port": 4432,
"database": "SenseServices",
"user": "qliksenserepository",
"password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAr/UQ7Qw2UkKeUZc0tKzpuAQAAAACAAAAAAAQZgAAAAEAACAAAABHh7YWG9F996GbE1J
bry6B7Jiytn8432DsQ0VmgIxKGQAAAAAOgAAAAAIAACAAAACYxIKEvBO7aXFgGINUuWLD76jskNNK6DbiBaBvnRUkGBAAAABqzh9
FMFbJDxWd532nEukBQAAAAHjGKDYs+/BNlFhMqBd77GOtXN/i5LAc96mWZahRZ4hE/Ve7aa2Uqx2/SwdwMUIr6g8xhu9CJ56QwRk
ukj7pRXc=",
"ssl": "true"
},
6. Mobility registrar service: In C:\Program Files\Qlik\Sense\

MobilityRegistrarService\appsettings.json:

{
"Postgres": {
"Host": "localhost",
"Port": 4432,
"Database": "SenseServices",
"Schema": "qlik_mobility_registrar_service",
"Username": "qliksenserepository",
"Password":
"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAr/UQ7Qw2UkKeUZc0tKzpuAQAAAACAAAAAAAQZgAAAAEAACAAAAA6L9dGr9oeIaqpdxz
9W4BP2QmUHtxaFzGfzx051sUrnQAAAAAOgAAAAAIAACAAAAAoXU1esPxGwBi+Xs4eH3qB3WXUDPm4QbWbiAWBnlfW9hAAAADamUq
8qBtA6qhQUzmcPl2MQAAAAHYky7wdQgBw20cXPN6wK0Oxnp+Iizw+MeMhqDQPH0iUnnkcLQo40jCFlijHwXeDcxVEGirCje1xCvB
v/Itf94k=",
"SSL": "true"
}
}
For each node.js service, it is also possible to configure https communication with the service with additional
--ssl parameter in the C:\Program Files\Qlik\Sense\ServiceDispatcher\services.conf. In the following
example, TLS 1.2 is configured for Resource distribution service:

[resource-distribution]
Identity=Qlik.resource-distribution
DisplayName=Resource Distribution
ExePath=Node\node.exe
Script=..\ResourceDistributionService\server.js

[resource-distribution.parameters]
--secure
--wes-port=${WESPort}
--mode=server
--log-path=${LogPath}
--log-level=info
--ssl=369098752

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
The following node.js code generates the number 369098752 to be used to configure OpenSSL according to
OpenSSL Options:

const crypto = require("crypto");

console.log(crypto.constants.SSL_OP_NO_SSLv2 |
crypto.constants.SSL_OP_NO_SSLv3 | crypto.constants.SSL_OP_NO_TLSv1 |
crypto.constants.SSL_OP_NO_TLSv1_1);

The generated number might differ depending on the node.js version shipped with Qlik Sense: C:\Program Files\Qlik\Sense\

Database replication and failover
This section describes how to set up database replication and failover in a shared persistence environment.
Additionally, the file storage content will also need to be replicated. To fail over to a standby node in case the
central database or node is lost, one or more standby databases can be configured for streaming replication
from the database on the primary node.

When editing text files related to the Qlik Sense installation, do the following:

1. Copy the file to another location on the server.
2. Edit the file and save the changes.
3. Copy the updated file back to its original location.

Setting up replication to standby nodes for failover
The instructions in this section describe how to set up asynchronous streaming replication to one or more
standby nodes. Before starting, ensure that the environment is configured and running, and install
PostgreSQL on a standby machine.

The paths in the instructions are adapted to a default PostgreSQL installation used as database on a dedicated machine
%ProgramData%\Qlik\Sense\Repository\PostgreSQL\<version>\.
Configure the primary database server
On the primary database server, do the following:

1. Open the file %ProgramFiles%\PostgreSQL\9.6\data\postgresql.conf
Locate and set the following settings
wal_level = replica
max_wal_senders =
3
wal_keep_segments =
8 hot_standby = on
2. Create a user account that can be used for replication. To do so from a command prompt, run the
following command. Adjust the hostname as needed, and specify a suitable password. Y ou may be
prompted for a password, this is the password that was specified during installation.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
"C:\Program Files\PostgreSQL\9.6\bin\psql.exe" -h <machinename> -p 4432 -W -c "CREATE USER
replicator REPLICATION LOGIN ENCRYPTED PASSWORD 'secretpassword';"

3. Open the file %ProgramFiles%\PostgreSQL\9.6\data\pg_hba.conf.
At the bottom of the file add:
host replication replicator 0.0.0.0/0 md5
You can restrict the subnet access further, if required.
4. Restart the PostgreSQL service.

Configure the standby database server
On the standby PostgreSQL database server, do the following:

1. Stop the Postgres service.
2. Delete all content from %ProgramFiles%\PostgreSQL\9.6\data.
3. From the command line run the following command adjusted to use the name of the primary server:
"C:\Program Files\PostgreSQL\9.6\bin\pg_basebackup.exe" -h <primaryServer> -D "C:\Program Files\PostgreSQL\
9.6\data" -U replicator -v -P -p 4432 You can ignore any warnings about copying files manually.

4. In a text editor, create a file called recovery.conf and place it in
%ProgramFiles%\PostgreSQL\9.6\data.
5. Open recovery.conf a nd add the following text, adjusting the hostname and port:
standby_mode = 'on'
primary_conninfo = 'host=< primaryServer > port=4432 user=replicator
password=secretpassword' trigger_file = 'failover'
recovery_target_timeline = 'latest'

6. Start the PostgreSQL service.

You should now be able to connect to the database and view the data being streamed over from the primary
node in read only mode.

Manual database failover
If the database on primary node is lost, a standby node needs to take over.

Do the following:

1. On the standby node that is to become the new primary node, create a file called failover in the folder
%ProgramFiles%\PostgreSQL\9.6\data

The failover file should have no file extension.

The file triggers PostgreSQL to cease recovery and enter read/write mode. PostgreSQL also changes
the name of the file recovery.conf to recovery.done to reflect the transition.
2. On each node, change the repository database connection string to point to the hostname or IP
address of the new database node. As the connection string is encrypted in the config file, you need to
use the Connection String Editor t o decrypt the string, edit it, and write back an encrypted string.
a. To open the Connection String Editor, navigate to C:\Program Files\Qlik\Sense\Repository\Util\
QlikSenseUtil and open t he QlikSenseUtil.exe file as an

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

administrator.
b. In the Connection String Editor tab, click Read to open the Repository.exe file connection
string.
The decrypted database connection string is displayed.
c. Replace the value for Host with the hostname or IP address of the new database node.
d. Click Save value in config file encrypted to save your changes.

Data encryption
You can encrypt sensitive data in QVF and QVD files with customer supplied key pairs which allows you to
control who gets access to your data. The encryption keys are managed through certificates, that must be
stored in a certificate store for the user running the Engine service.

The encryption is configured in the Qlik Management Console (QMC), where encryption is enabled and the
certificate thumbprint is added. Data encryption is not enabled by default.

The engine reads and then uses the thumbprint to get the key from the Windows CNG key store. The engine
then generates a new data encryption key (DEK) which is used to encrypt the data.

A DEK is never reused which ensures that if one file is compromised, the encryption is still valid for all other files.

QVF encryption
The following is encrypted:

 data (tables and fields)
 bookmarks

The following is not encrypted:

 objects, for example sheets and stories
 static content, such as images

You must reload an existing QVF for it to be encrypted after QVF encryption has been enabled in the QMC.

QVD encryption
The following is encrypted:

 Data (tables and fields)

The QVD header is not encrypted. Encryption parameters are stored in the QVD header as extra meta-

data.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

You must reload an existing QVD for it to be encrypted after QVD encryption has been enabled in the QMC.

Older versions of Qlik Sense and QlikView returns an error when reading encrypted QVDs files.

Encryption certificates
Encryption keys are best managed through certificates. The certificates must be stored in a certificate store
for the user running the Engine service.

The encryption certificate functions as a shell around the encryption key. The key can be fetched even if the
certificate has expired, and therefore there is no need to renew an expired encryption certificate.

Make sure to back up the certificate. You may not be able to open your encrypted app if the certificate is lost. It is your resp

If your organization has a key rotation policy, you may need to update the thumbprint definition when the key is changed.

Encryption keys
The encryption solution uses two types of keys:

 Data encryption keys
 Key encryption keys

Data encryption keys
Data encryption keys (DEK) are auto-generated keys for AES-256 encryption of the data. A new key is
generated for each object that is encrypted.

Key encryption keys
Key encryption keys (KEK) are private and public key pair for secure, asymmetric encryption of the data
encryption keys. The public key is used to encrypt the data and the private key is used to decrypt the data
encrypted by the public key.

Only keys using the RSA algorithm are supported.

The key used for key encryption is specified in the Qlik Management Console (QMC) Data encryption section
of the Service cluster resource.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
It is stored in a Microsoft Cryptography Next Generation (CNG) Key Storage Provider and it is contained in a
certificate stored in a Windows Certificate Store.

For details of how to enable and manage encryption certificates, see Encryption certificates.

5.8 Availability
Qlik Sense supports availability in the following ways:

 The nodes in a multi-node site are resilient by design. Each node connects to a central node to access
the data it needs to fulfill its role.
 The Qlik Sense protocols are designed to be fault tolerant.

5.9 Security example: Opening an app
The figure below shows the flow in the Qlik Sense security system when a user logs in and opens an app.

1. Authentication: The authentication module in the Qlik Sense Proxy Service (QPS) handles the
authentication. The credentials provided by the user are verified against information from the identity
provider (for example, a directory service such as Microsoft Active Directory).
2. Session creation: When the user credentials have been successfully verified by the authentication
module, a session is created for the user by the session module in the QPS.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

3. Access control system: When the user tries to open an app, the Qlik Sense Engine Service (QES)
requests the Qlik Sense Repository Service (QRS) to check if the user is authorized to perform the
action. The QRS then checks the repository database, where, among other things, all users and
access rules are stored.

A user is imported into the repository database from a User Directory (UD) (for example, Microsoft Active Directory) u

4. Dynamic data reduction: When the user has been successfully authorized by the QRS, the app is
opened. Before the data is displayed to the user, the QES performs a dynamic data reduction, where
the data that the user is allowed to see is prepared.

5.10 AWS and Azure security
Before you deploy Qlik Sense on AWS or Azure you need to get an overview of the basic security
implications. In AWS and Azure there are specific tools that you use during setup to configure permissions
and to set security options. Once you have deployed Qlik Sense to your chosen cloud e
nvironment, you use
the Qlik Management Console to configure security in the same way as you would in an on-premise Qlik
Sense deployment.

Qlik Sense
An overview of your Qlik Sense security considerations:

 In Qlik Sense, you manage all security and authentication settings from the Qlik Management
Console.
 A module in the Qlik Sense Proxy Service handles authentication of Microsoft Windows users.
 Authentication is often used in conjunction with a single sign-on (SSO) system that supplies a reverse
proxy or filter for authentication of the user.
 Other authentication methods are available, and it is possible to implement your own customized
solutions for different authentication scenarios.

Resources managed directly from the QMC:

 Admin roles to grant QMC users administrator level access to various sections
 Proxy certificate for communication between the web browser and the proxy component
 Virtual proxies to allow different modules based on the URI to be used to access the Qlik Sense
environment
 Custom properties enabling you to use your own values in security rules
 Access control and security rules to grant users access to Qlik Sense resources

Authentication methods used by Qlik Sense:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows

 NTLM/Kerberos
 Security Assertion Markup Language (SAML)
 Anonymous authentication
 Session/Ticket API

For more information about Qlik Sense security, see Qlik Sense Enterprise on Windows security (page 185)

AWS
To configure security in an AWS deployment you need a basic understanding of how to set up AWS security
groups, key pairs, and Q
lik Sense security groups. Use the Amazon Management Console to configure AWS
security, and the Qlik Management Console to configure all security and authentication settings in Qlik
Sense. A module in the Proxy Service (QPS) handles the authentication of Microsoft Windows users. If
required, it is also possible to implement your own custom authentication solutions.

Use the Amazon Management Console to configure:

 AWS security groups - configure access rules for an initial Qlik Sense security group for your E
C2 instance.
 Key pair - In the AWS console, create a Qlik Sense key pair. Save the Qlik Sense.pem keypair file
locally, as you will need it later to access your instance.

You can use AWS Directory Services to set up security and authentication on the Qlik Sense server side. T
his
service makes it easier to setup and run Microsoft Active Directory (AD) in the AWS cloud, or connect your
AWS resources to an existing on-premises Microsoft Active Directory.

AWS Directory Service provides you with the following three directory types:

 AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft
AD
 Simple AD
 AD Connector

AWS Directory Services makes it possible to connect AWS resources to an on-premises directory using the
same corporate credentials. This option uses the Microsoft Security Support Provider Interface (SSPI) to
read the Windows user name and password working in a similar way to single sign-on. I f you have multiple
nodes in the Qlik Sense Server environment, all nodes need to be part of the same domain.

For more information, see AWS security.

Azure
Use the Resource Manager to configure Azure security and the QMC to configure all security groups and
authentication settings in Qlik Sense. In Azure, to configure security you first set up a subnet, a virtual
network, an IP address for an instance, and network security rules. This is similar to configuring ports in a
firewall. You then set up a network interface that your instance can use, and bind it to the previously set up
network and subnet. A module in the Qlik Sense Proxy Service (QPS) handles the authentication of
Microsoft Windows users. If required, it is also possible to implement your own custom authentication
solutions.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

5 Qlik Sense Enterprise on Windows
Use the Azure Resource Manager to configure:

 Azure security groups
 Azure Active Directory and Identity Management

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management
service. For IT administrators, Azure AD provides an easy to use solution to give users single sign-on (SSO)
access to other cloud SaaS Applications, such as Office365, Salesforce.com, and Concur. Azure AD also
includes a full suite of identity management capabilities including multi-factor authentication, device
registration, self-service password management, self-service group management, privileged account
management, role based access control, application usage monitoring, rich auditing, and security monitoring
and alerting.

For more information, see Azure security.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6 Logging
The log messages produced by Qlik Sense provide important information about the general well-being of the
deployment.

The logging is based on the log4net component in Apache Logging Services. This means that Qlik Sense
uses a standardized logging framework and conforms to standard logging procedures.

6.1 Updated logging framework
An updated logging framework was introduced in Qlik Sense version 2.0. Unless otherwise stated, the
documentation describes the updated logging framework.

6.2 Legacy logging framework
The legacy logging framework is still available in Qlik Sense, but the logs are as of Qlik Sense version 2.0
referred to as trace logs. The log files remain the same, in the old logging format, but they are stored in a new
location.

See: Trace logs (page 260)

6.3 Centralized logging framework
As of the September 2017 release of Qlik Sense, centralized logging gives you the ability to log directly into a
PostgreSQL database. With all logs in one place it will be easier for you find the relevant logs. If you install
Qlik Sense with centralized logging, which is included in a default installation, log entries are persisted in two
locations: the existing log files and the centralized logging database.

6.4 Reading and analyzing log files in Qlik Sense
The log files can be read and analyzed using Qlik Sense, which includes the following pre-defined, log-related
data connections after installation:

 ServerLogFolder: Links to the active log files.
 ArchivedLogsFolder: Links to the archived log files.

The data connections can be edited in the Qlik Management Console (QMC).

In addition, users with root, security, content, or deployment administrator rights can use the Qlik Sense log
data in apps by selecting one of the data connections listed above in the data load editor.

6.5 Centralized logging
With the introduction of shared persistence, all nodes have direct access to a common database and file
system. The Qlik Sense services (proxy, scheduler, repository, and engine) transfer log messages to the Qlik
Logging Service. The Qlik Logging Service centralizes the logging by collecting all the messages and

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
inserting them into the PostgreSQL database.

Centralized logging uses the log4net library to write log information to the database. The Qlik Sense
Repository, Proxy, and Scheduler services use the RemotingAppender from log4net to transfer log messages
to a remote logging sink that is read by the Qlik Logging Service. The Engine loggers use a pipe connection
to the Repository service, which, in turn, persists the data to the Qlik Logging Service. All services use TCP
localhost port 7070 to establish communication. The Qlik Logging Service collects all messages and inserts
them into the PostgreSQL database named QLogs using a custom AdoNetAppender. T he configuration for
the Qlik Logging Service is stored in an XML file named QlikCentralizedLogging.config. As part of the
centralized logging database feature, the Monitoring Apps include an ODBC (PostgreSQL) d ata connection.
By default, this data connection points to the QLogs database on localhost port 4432. This data connection is
not used when only file logging is enabled.

Centralized logging uses the log4net library to persist log information collected from Qlik Sense services to the
database.

Built-in log4net appenders (page 275)

6.6 Qlik Logging Service
The Qlik Logging Service is used to centralize logging, which makes it easier for you to find the log that you
are looking for.

When centralized logging (the Qlik Logging Service) is on, file logging is also on, by default. Log entries from
the Qlik Sense services (repository, proxy, scheduler, and engine) are persisted in two locations – the existing
log files and the centralized logging database. The legacy log files do not have any built-in file management
to clear up hard disk space.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
Although the Qlik Logging Service will be installed as a Windows service, you can use it directly as a
command line tool to configure or change the database settings. The available commands are included in
this topic, and the default installation location is %Program Files%\Qlik\Sense\Logging.

The Qlik Logging Service does not support streaming messages to third-party tools or customers. You can view the log data

Command line options
These are the available commands for the Qlik Logging Service.

Usage: Qlik.Logging.Service.exe <action> [<args>]

The following commands can be used to set up, update, or validate the logging database:

setup - creates the logging database and sets up roles and access permissions.

update - updates the connection string parameters for the logging database with user-provided values.

validate - validates connection string parameters from the configuration file and database connectivity.

archive - moves database entries to the archive table.

purge - removes (permanently) database entries from the archive table.

version - displays version information for the service.

help - displays help message.

Setting up the logging database
The setup command is typically used by the installer at the time of the Qlik Sense installation. The setup
command creates the logging database and sets up access roles and required permissions.

Usage: Qlik.Logging.Service.exe setup [<options>]

Options
--hostname or -h (Required)

Name of the machine where the logging database is hosted.

--port or -p (Required)

Port number used to access the logging database

--postgres_user or -u (Required)

PostgreSQL user name credentials required to create the logging database.

--postgres_pswd or -x (Required)

PostgreSQL password required to create the logging database.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
--reader_pswd or -r (Required)

Password for qlogs_reader user role, used for reading logging database entries.

--writer_pswd or -w (Required)

Password for qlogs_writer user role, used for writing to the logging database

--force or -f (Optional)

Drop the existing database and users, if present

Updating the connection string parameters
The update command is used to modify the connection, the configuration settings of the logging database, or
both.

Usage: Qlik.Logging.Service.exe update [<options>]

Options
--hostname or -h (Optional)

Name of the machine where the logging database is hosted.

--port or -p (Optional)

Port number used to access the logging database

--reader_pswd or -r (Optional)

Password for qlogs_reader user role, used for reading logging database entries.

--writer_pswd or -w (Optional)

Password for qlogs_writer user role, used for writing to the logging database

--archive_age or -a (Optional)

Sets value for archive age. The value is specified in days. Specify --hours to interpret archive age as hours,
for example, --archive_age X --hours.

--purge_age or -q (Optional)

Sets value for purge age. The value is specified in days. Specify --hours to interpret purge age as hours, for
example, --purge_age X --hours.

--file_logging or -f (Optional)

Switches on or off file logging. Valid values are 'on' or 'off'

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
.

--database_logging or -d (Optional)

Switches on or off database logging. Valid values are 'on' or 'off'.

--maximum_db_size_in_gb or -s (Optional)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
Sets value for maximum database size. The value is specified in GB. A value less than two (2) disables the
functionality that limits the database size.

Validating the logging database connection
Usage: Qlik.Logging.Service.exe validate [<options>]

Options
None. The connection string is read from the logging configuration and is used to validate the state of the
database and the connection.

Archiving the log entries
Archives all the log entries that are older than the specified cutoff time (in days).

Usage: Qlik.Logging.Service.exe archive [<options>]

Options
--cutoff or -c (Required)

--hours (Optional)

Cutoff time in days. Specify --hours option to interpret cutoff time as hours, for example, archive --cutoff X
--hours. Specify zero (0) to archive all the entries.

Purging log entries
Purges all the archived log entries that are older than the specified cutoff time (in days).

Purge is an irreversible operation. Log entries are removed from the database and cannot be restored. This operation does n

Usage: Qlik.Logging.Service.exe purge [<options>]

Options
--cutoff or -c (Required)

--hours (Optional)

Cutoff time in days. Specify --hours option to interpret cutoff time as hours, for example, purge --cutoff X -
-hours. Specify zero (0) to purge all the entries.

Version
Usage: Qlik.Logging.Service.exe version [<options>]

Options
None. Displays Qlik Logging Service and logging database versions.

Help
Usage: Qlik.Logging.Service.exe help [<options>]

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Options
None. Displays usage.

6.7 Qlik Logging Service – configuration and integration
This topic describes the configuration and integration features that are available for the Qlik Logging Service.
The features should be considered "Advanced Features" to be used in the context of troubleshooting issues
with the assistance of Qlik technical support.

Dynamic configuration
Most of the functionality provided by the Qlik Logging Service is controlled by the configuration file:
QlikCentralizedLogging.config typically located here: C:\ProgramData\Qlik\Sense\Log. This file contains all
the settings recognized by the Qlik Logging Service in xml format and is typically modified directly by the Qlik
Logging Service when executing the update or setup commands during command line invocation.

The "Dynamic Configuration" feature introduces a new setting:
CentralizedLoggingConfigurationNotificationEnabled, its default value is "False". This setting is always
dynamic, meaning that changing its value by directly modifying the configuration file and saving it will cause
the Qlik Logging Service to read and use its new value. When this setting is set to "False", the default value,
changes to other settings in the configuration file are not detected by the Qlik Logging Service and will require
a service restart to take effect. When the setting is set to "True", changes to any of the settings below will be
detected and applied immediately by the Qlik Logging Service after saving the configuration file.

Key Description Range

CentralizedLoggingLogMaxFileSizeMb The logging service logs to a file, this 1...

setting controls the maximum size in MB
of the log file before it is rolled over.

CentralizedLoggingLogEnabled Turns on/off logging to file by the logging True, False

service.

CentralizedLoggingEnabled Enables or disables the logging service True, False

functionality. When True, the service
accepts incoming log entries, when
False, the service continues to run, but it

does not offer any logging functionality.

CentralizedLoggingServerBufferSize Sets the size in log entries of the internal 1...

buffer. Writes to the database occur
when the internal buffer is full. For
example if set to 10, writes to the
database will occur when 10 log entries
are received.

CentralizedLoggingServerTimeoutSecond Sets the timeout in seconds required to 1...

s trigger a database write. On an idle

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

system log entries may not accumulate
often. This threshold will force a
database write even if the internal buffer
is not full.

CentralizedLoggingLogLevel Controls the verbosity level of the log. Off, Fatal, Error,

Warn, Info,
Debug, All

MaximumDatabaseSizeInGB Sets the maximum size for the database 0...

in GB, when the size of the database
exceeds this number, the logging service
will trim/remove entries from the
database until the size of the database
goes below the maximum set.

A value less than 2 disables
the functionality.

CentralizedLoggingConfigurationNotificati Enables or disables dynamic True, False

onEnabled configuration settings. When set to True,
changes to a dynamic configuration
setting take effect immediately without
requiring a service re-start. When False,
a re-start is required for the new setting
value to take effect. Notice that this
setting is always dynamic.

CentralizedLoggingDBSizeCheckPeriod Sets how often to check the size of the 0,
database. The quantity is expressed i 600000..214748
n milliseconds. 3646

A value of zero (0) disables
the functionality, 600000
(ten minutes) is the
minimum value accepted.
Values less than that are
automatically set to that
minimum and 2147483646
(~596 hours) is the
maximum.

CentralizedLoggingDBArchiveCheckPerio Sets how often to check for the need to 0,
d archive log entries, the quantity is 600000..214748
expressed in milliseconds. 3646

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

CentralizedLoggingDBPurgeCheckPeriod Sets how often to check for the need to 0,
purge archived entries, the quantity is 600000..214748
expressed in milliseconds. 3646

CentralizedLoggingDBStatsCheckPeriod Sets how often to retrieve database 0,
statistics. The quantity is expressed in 300000..214748
milliseconds. 3646

A value of zero(0) disables
the functionality, 300000
(five minutes) is the
minimum value accepted.
Values less than that are
automatically set to that
minimum and 2147483646
(~596 hours) is the
maximum.

CentralizedLoggingPlatformPerformance Sets how often to retrieve platform 0,
CheckPeriod performance metrics, the quantity is 1000..21474836
expressed in milliseconds. 46

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

A value of zero (0) disables
the functionality, 1000 (one
second) is the minimum
value accepted. Values
less than that are
automatically set to that
minimum and 2147483646
(~596 hours) is the
maximum.

CentralizedLoggingProcessPerformanceC Sets how often to retrieve process 0,
heckPeriod performance metrics, the quantity is 1000..21474836
expressed in milliseconds. 46

CentralizedLoggingPlatformPerformance Set of platform performance counters to
Counters collect every
CentralizedLoggingPlatformPerformance
CheckPeriod period. The format expected
is:

Database payload key; Counter
Category; Counter Name [;] [Counter
Instance] |

Database payload key...

CentralizedLoggingProcessPerformance Set of processes to collect performance
counter for every
CentralizedLoggingProcessPerformanceC
heckPeriod period.

The format expected is:

Process Name | Process Name | ...

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Process Name is the simple name for
the process for example the default
value of this setting is:
engine|proxy|repository|scheduler

CentralizedLoggingPlatformEvents Set of platform events to monitor T he

format expected is:

EventLogX, [EventSourceX]:EventID0,
EventID1, ..., EventIDn|

EventLogY, [EventSourceY]:EventID0,
..., EventIDn

Qlogs statistics
The Qlik Logging Service periodically collects statistics about the Qlogs database, which is the database
used for all logging entries. How often these statistics are collected is controlled by the
CentralizedLoggingDBStatsCheckPeriod setting. Setting its value to zero(0) disables collection and its default
value is ten (10) minutes expressed in milliseconds (10 * 60 * 1000 = 600000). The information collected
contains record counts and size information and can be viewed with the following query:

SELECT * FROM public.view_db_stats;

Windows Event Log integration
Integration with the Windows Event Log is a new feature that allows the Qlik Logging Service to collect
information about configured Windows events. The set of events monitored by the Qlik Logging Service is set
via the CentralizedLoggingPlatformEvents setting. Clearing its value disables the feature. Its default value is:

<add key="CentralizedLoggingPlatformEvents" value="System:1074,6013,36888,36874,2013,7031,4202|

Application, Engine:300|Application, .NET Runtime:1026|Application, PostgreSQL:0" />

This is an explanation of the events configured by default.

Event log Event source Event ID Description

System 1074 User initiated system re-start

System 6013 System uptime

System 36888 Schannel (TLS protocol) errors

System 36874 Schannel (TLS protocol) errors

System 2013 Low disk space

System 7031 Service terminated unexpectedly

System 4202 TCP/IP network configuration issue

Application Engine 300 Engine caught unexpected exception

Application PostgreSQL 0 PostgreSQL error

Application .NET Runtime 1026 .NET process terminated

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
Additional events may be monitor by modifying the value of the CentralizedLoggingPlatformEvents setting as
follows:

As shown above, the Event Log is one (1), the Event Source is two (2) and the Event ID is three (3). To
capture the event highlighted above, the value "Application, Perflib: 1008" would need to be appended to
the CentralizedLoggingPlatformEvents setting as shown below:

<add key="CentralizedLoggingPlatformEvents" value="System:1074,6013,36888,36874,2013,7031,4202|

Application, Engine:300|Application, .NET Runtime:1026|Application, PostgreSQL:0|Application,
Perflib: 1008" />

Notice that the Event Source is optional, but useful when multiple event sources may use the same event ID.
For the example above, omitting the event source "Perflib" would have resulted in the monitoring of event ID
1008 for ALL applications. Multiple event IDs may be monitored for the same Event Log and Event Source
and they are separated by commas "," and multiple Event Log and Event Sources may be monitored and
they are separated by the bar "|" character.

Any Windows events captured by the Qlik Logging Service may be viewed by executing the following query
against the Qlogs database:

SELECT * FROM public.view_platform_events;

Windows Performance Monitor integration
The Qlik Logging Service integrates with the Windows Performance Monitor, it periodically queries the
system for configured metrics. The integration is divided into two sections, one that monitors configured
platform metrics and one that monitors configured processes.

Platform metrics
The period used to monitor platform metrics is controlled by the
CentralizedLoggingPlatformPerformanceCheckPeriod setting. A value of zero (0) disables this functionality and
its default value is five (5) minutes expressed in milliseconds (5 * 60 * 1000 = 300000).

The metrics or performance counters collected are configured in the setting
CentralizedLoggingPlatformPerformanceCounters and its default value is:

<add key="CentralizedLoggingPlatformPerformanceCounters" value="CPUUtilizationPercent;Processor;%

Processor Time;_Total|CPUUserUtilizationPercent;Processor;% User Time;_ Total|
CPUInterruptPercent;Processor;% Interrupt Time;_Total|CPUQueueLength;System;Processor Queue Length|
DiskFreeSpacePercent;LogicalDisk;% Free Space;_Total|DiskIdleTimePercent;PhysicalDisk;% Idle
Time;_Total|DiskTimePerReadSeconds;PhysicalDisk;Avg. Disk sec/Read;_ Total|
DiskTimePerWriteSeconds;PhysicalDisk;Avg. Disk sec/Write;_ Total|
DiskIOQueueLength;PhysicalDisk;Avg. Disk Queue Length;_Total|MemoryCacheBytes;Memory;Cache

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
Bytes|MemoryCommittedBytesInUsePercent;Memory;% Committed Bytes In Use|
MemoryAvailableMBytes;Memory;Available MBytes|MemoryFreePageEntries;Memory;Free System Page Table
Entries|MemoryPoolNonPagedBytes;Memory;Pool Nonpaged Bytes|MemoryPoolPagedBytes;Memory;Pool Paged
Bytes|MemoryPagesPerSecond;Memory;Pages/sec|NetworkBytesPerSecond;Network Interface;Bytes
Total/sec;*|NetworkOutputQueueLength;Network Interface;Output Queue Length;*|" />

Default value table
Counter Counter
Database field Counter name
Category instance

CPUInterruptPercent Processor % Interrupt Time _Total

CPUQueueLength System Processor Queue Length

CPUUserUtilizationPercent Processor % User Time _Total

CPUUtilizationPercent Processor % Processor Time _Total

DiskFreeSpacePercent LogicalDisk % Free Space _Total

DiskIdleTimePercent PhysicalDisk % Idle Time _Total

DiskIOQueueLength PhysicalDisk Avg. Disk Queue Length _Total

DiskTimePerReadSeconds PhysicalDisk Avg. Disk sec/Read _Total

DiskTimePerWriteSeconds PhysicalDisk Avg. Disk sec/Write _Total

MemoryAvailableMBytes Memory Available MBytes

MemoryCacheBytes Memory Cache Bytes

MemoryCommittedBytesInUsePercent Memory % Committed Bytes In

Use

MemoryFreePageEntries Memory Free System Page Table

Entries

MemoryPagesPerSecond Memory Pages/sec

MemoryPoolNonPagedBytes Memory Pool Nonpaged Bytes

NetworkBytesPerSecond Network Bytes Total/sec *

Interface

NetworkOutputQueueLength Network Output Queue Length *

Interface

The format of the CentralizedLoggingPlatformPerformanceCounters setting value follows the naming and
structure used by the Windows Performance Monitor as shown below:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Additional performance counters may be added by modifying the value of the
CentralizedLoggingPlatformPerformanceCounters setting. The value of the setting uses the following format:

 Each performance counter is separated by the bar "|" character.
 Each performance counter is made up of four fields separated by the semicolon ";" character and
whitespace can be added freely to improve readability.
o The first field is optional and corresponds to the name that will be used to store the
performance counter in the database. If the field is not provided, the name of the counter is
used instead.
o The second field is the counter category and corresponds to one (1) on the image above.
o The third field is the counter and corresponds to two (2) on the image above.
o The fourth field is the counter instance and corresponds to three (3) on the image above, this
field is optional and when set to the wildcard character "*" or not provided all instances
available are collected.

To add the counter shown above, the following would need to be appended to the
CentralizedLoggingPlatformPerformanceCounters setting: "| Test1 ; ICMP ; Messages/sec ; *". The
performance counter will now be collected based on the period set by the
CentralizedLoggingPlatformPerformanceCheckPeriod setting and can be retrieved from the database using
the following query against the Qlogs database:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
SELECT
BTRIM(e.payload->>'Test1', '"')::INTEGER AS icmp_msg_per_sec
FROM public.log_entries e
WHERE e.logger = 'Qlik.Logging.Service.Platform.Performance'
Platform metrics may be viewed by executing the following query against the Qlogs database:

SELECT * FROM public.view_platform_metrics;

Process metrics
The period used to monitor process metrics is controlled by the
CentralizedLoggingProcessPerformanceCheckPeriod setting. A value of zero(0) disables this functionality and
its default value is five (5) minutes expressed in milliseconds (5 * 60 * 1000 = 300000).

Performance metrics are collected for the processes configured via the
CentralizedLoggingProcessPerformance setting and its default value is:

<add key="CentralizedLoggingProcessPerformance" value="engine|proxy|repository|scheduler" />

The format of the setting also follows the naming and structure used by the Windows Performance Monitor
as shown below:

All performance counters available are collected for each process listed with each process separated by the
bar "|" character. To collect metrics for additional processes, the "simple name" of the process would need to
be appended to the CentralizedLoggingProcessPerformance setting, for example to add chrome as shown
above, the string "| chrome" would be appended to the CentralizedLoggingProcessPerformance setting.

Process metrics may be viewed by executing the following query against the QLogs database:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
SELECT * FROM public.view_process_metrics;

Export
The Qlik Logging Service is able to export the log data it manages. T his complementary feature will make it
easier to share log data with Qlik's tech support. The export command is available when using the Qlik
Logging Service as a command line tool.

Usage: Qlik.Logging.Service.exe <export> [[export_options]]

Although the exported data is not encrypted, it is in binary format due to compression and not readable by
tools other than the Qlik Logging Service.

Export
The "export" command will copy all log data managed by the Qlik Logging Service to a destination. The
following command options can be used to control what gets exported and where to:

--output_file or -o (Required): Identifies the location where exported data should be persisted. The location
can be a disk file or the address of a Qlik Logging Service that is listening for exported data. When specifying
a file, the export process will create or replace the target file. When specifying a waiting service the format is
:
<hostname or host ip address>[: port], that is the name of the host or its ip address optionally followed by a
colon (":") and the port number used by the listening host. If no port is specified, the default 7081 will be used.

--hostname or -h: Limits the exported data to the subset that originated from the specified host. The
comparison is case insensitive.

--level or -l: Limits the exported data to the subset that is equal to the specified level. The comparison is
case insensitive.

--to_timestamp: Limits the exported data to the subset created before the specified date. See "Date Format"
section below for more details.

--from_timestamp: Limits the exported data to the subset created after the specified date. See "Date Format"
section below for more details.

--process_name: Limits the exported data to the subset that originated from the specified process. The
comparison is case insensitive.

Examples
These commands where tested from a "Command Prompt" without elevated permissions.

To export all contents to a file:

Qlik.Logging.Service export --output_file C:\Temp\qlogs.bin

To export all content originating from host "Node1" between 09/01/2018 and 09/02/2018 at 10:00PM to a
waiting network reachable host listening on port 80:

Qlik.Logging.Service export --from_timestamp "2018-09-01" --to_timestamp "2018-09-02 22:00:00" --

hostname node1 --otuput_file somehost.domain.com:80

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Date format
The format expected is "YYYY-MM-DD [[HH:MM:SS]]", the date portion is required while the time portion is
optional and when omitted defaults to "00:00:00".

 Date
o YYYY: year, 4 digits
o MM: month, 2 digits, 01 through 12
o DD: day of the month, 2 digits, 01 through 31
 Time
o HH: hour, 2 digits, 00 through 23
o MM: minute, 2 digits, 00 through 59
o SS: second, 2 digits, 00 through 59

Technical notes
Unicode null character
Processes using the Qlik Logging Service may under very rare circumstances log entries containing the
Unicode character NULL (\u0000). This character is problematic for many tools as it is most commonly used
to denote the end of a string. When a Unicode character has been inserted into the QLogs database, you may
see error messages like this one from PostgreSQL:

ERROR: unsupported Unicode escape sequence

DETAIL: \u0000 cannot be converted to text.
CONTEXT: JSON data, line 1: {"Message":...
STATEMENT: fetch 200 in "SQL_CUR4"
Executing the following script against the Qlogs database will replace all occurrences of the Unicode NULL character "\
u0000" with the string "<UNICODE_NULL>"

SET statement_timeout =
0; SET lock_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings =
on; SET check_function_bodies =
false; SET client_min_messages =
warning;

CREATE OR REPLACE FUNCTION public.validate_payload(IN payload JSON) RETURNS TEXT AS $$

BEGIN
RETURN payload->>'XXXXX';
EXCEPTION
WHEN OTHERS THEN RETURN
'XXXXX'; END
$$ LANGUAGE plpgsql;

DO $$
BEGIN
UPDATE public.log_entries
SET payload = REGEXP_REPLACE(payload::TEXT, '\\u0000', '<UNICODE_NULL>', 'g')::JSON
WHERE id IN (
SELECT d.id
FROM (

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
SELECT id, validate_payload(payload) AS payload
FROM public.log_entries
) AS d
WHERE d.payload = 'XXXXX'
);
UPDATE public.archive_entries
SET payload = REGEXP_REPLACE(payload::TEXT, '\\u0000', '<UNICODE_NULL>', 'g')::JSON
WHERE id IN (
SELECT d.id
FROM (
SELECT id, validate_payload(payload) AS payload
FROM public.archive_entries
) AS d
WHERE d.payload = 'XXXXX'
);
END $$ LANGUAGE plpgsql;

DROP FUNCTION IF EXISTS public.validate_payload(IN payload JSON);

Configuration file reset
If for some reason the Qlik Logging Service configuration file QlikCentralizedLogging.config becomes
corrupt or in some way unreadable, it can be deleted and a new file with default values will be created the
next time the service is started. The same is true for individual settings, removing a setting from the
configuration file will trigger its replacement with default values during the next service start sequence.

Multi-node configuration
In a multi-node environment, the u sually runs on all nodes.

In a multi-node environment, the Qlik Logging Service usually runs on all nodes. With the default
configuration, all nodes will be executing database management functions. This is not a problem, but a more
efficient configuration would designate a single node as the one in charge of maintaining the database. For
example, on a three (3) node deployment, the Qlik Logging Service running on each node could be
configured as follows:

Central node and rim node 1

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Rim node 2 (Database management)

6.8 Requirements
The requirements described in this section must be fulfilled for the Qlik Sense logging to function properly.

Securing the file system
The system administrator must secure the file system so that the log files cannot be tampered with.

By default, the account used for the Qlik Sense installation gets full permissions for the log folder, %ProgramData%\Qlik\

Synchronizing time
The nodes within a Qlik Sense site must have synchronized time.

For the date and time stamps to be correct, all nodes within a site must be configured to synchronize their
system clocks with either an internal or an external Network Time Protocol (NTP) service to ensure that all log
entries are time-stamped accurately. NTP is a networking protocol for synchronizing the clocks of computer
systems over packet-switched, variable-latency data networks.

Setting time zone
It is recommended that every node within a Qlik Sense site is set to the correct time zone so that the time
zone corresponds to the geographical location of the node.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6.9 Storage
The default log files are stored in folders under %ProgramData%\Qlik\Sense\Log. The local log
configuration file can be used to set up the logging so that the log files are also stored in another location.

Log folder
The following table describes the contents of the %ProgramData%\Qlik\Sense\Log folder.

Sub-
Folder Files Description
folder

\AboutService This folder contains log files
related to the About Service.

\AppDistributionService \Trace This folder contains log files

related to the App
Distribution Service.

\AppMigration This folder contains log files
related to the Migration
Service.

\BrokerService This folder contains log files
related to the Broker Service.

\CapabilityService This folder contains log files
related to the Capability
Service.

\ConnectorRegistryProxy This folder contains log files
related to the Connector
Registry Proxy.

\ConverterService This folder contains log files
related to the Converter
Service.

\DataProfiling This folder contains log files
related to the Data Profiling
Service.

\DepGraphService This folder contains log files
related to the Dependency
Graph Service.

\DeploymentBased This folder contains log files
WarningsService related to the Deployment
Based Warnings Service.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Sub-
Folder Files Description
folder

\DownloadPrepService This folder contains log files
related to the Download Prep
Service.

\Engine <MachineName>_Exit_ NewSet. is a temporary log

Engine_<Date>.txt file that is used by the the
Qlik Sense Engine Service
(QES) until the log pipe to
the Qlik Sense Repository
Service (QRS) is up and
running.

NewSet. log file is not
archived.

<MachineName>_Start_ NewSet. is a temporary log
Engine_<Date>.txt file that is used by the the
Qlik Sense Engine Service
(QES) until the log pipe to
the Qlik Sense Repository
Service (QRS) is up and
running.

NewSet. log file is not
archived.

\Audit <MachineName>_ This log tracks user-related

AuditActivity_<Service>.txt actions.

<MachineName>_ This log contains information
AuditSecurity_<Service>.txt on security-related actions.

\System <MachineName>_Service_ This log contains information

<Service>.txt on service and system
operations, including all
errors.

\Trace <MachineName>_ The trace log files are stored

<Facility>_<Service>.txt in this folder.

See: Trace logs (page 260)

\ExtensionBundles This folder contains log files
related to the Extension
Bundles Service.

\HubService This folder contains log files
related to the Hub Service.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Sub-
Folder Files Description
folder

\HybridDeploymentService \Trace This folder contains log files

related to the Hybrid
Deployment Service.

\HybridSetupConsoleBff This folder contains log files
related to the Hybrid Setup
Console Service.

\Licenses This folder contains log files
related to the License
Service.

\OdagService This folder contains log files
related to the ODAG Service.

\PrecedentsService This folder contains log files
related to the Precedents
Service.

\Printing This folder contains log files
related to the Qlik Sense
Printing Service (QPR).

\Printing \Audit <MachineName>_ This log tracks user-related

AuditActivity_<Service>.txt actions.

<MachineName>_ This log contains information
AuditSecurity_<Service>.txt on security-related actions.

\System <MachineName>_Service_ This log contains information

<Service>.txt on service and system
operations, including all
errors.

\Trace <MachineName>_ The trace log files are stored

<Facility>_<Service>.txt in this folder.

See: Trace logs (page 260)

\Proxy \Audit <MachineName>_ This log tracks user-related

AuditActivity_<Service>.txt actions.

<MachineName>_ This log contains information
AuditSecurity_<Service>.txt on security-related actions.

\System <MachineName>_Service_ This log contains information

<Service>.txt on service and system
operations, including all
errors.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Sub-
Folder Files Description
folder

\Trace <MachineName>_ The trace log files are stored

<Facility>_<Service>.txt in this folder.

See: Trace logs (page 260)

\QdcCatalogService \Trace This folder contains log files

related to the Qdc Catalog
Service.

\QlikMobilityRegistrar This folder contains log files
related to the Qlik Mobility
Registrar.

\QlikNotifierService This folder contains log files
related to the Qlik Notifier
Service.

\Repository \Audit <MachineName>_ This log tracks user-related

AuditActivity_<Service>.txt actions.

<MachineName>_ This log contains information
AuditSecurity_<Service>.txt on security-related actions.

\System <MachineName>_Service_ This log contains information

<Service>.txt on service and system
operations, including all
errors.

\Trace <MachineName>_ The trace log files are stored

<Facility>_<Service>.txt in this folder.

See: Trace logs (page 260)

\ResourceDistributionService This folder contains log files
related to the Resource
Distribution Service.

\Scheduler \Audit <MachineName>_ This log tracks user-related

AuditActivity_<Service>.txt actions.

<MachineName>_ This log contains information
AuditSecurity_<Service>.txt on security-related actions.

\System <MachineName>_Service_ This log contains information

<Service>.txt on service and system
operations, including all
errors.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Sub-
Folder Files Description
folder

\Trace <MachineName>_ The trace log files are stored

<Facility>_<Service>.txt in this folder.

See: Trace logs (page 260)

\Script This folder contains log files
related to app reloads.

\WebExtensionService This folder contains log files
related to the Web Extension
Service.

Archived log files
Archived log files are by default stored in the \\<server>\<share>\ArchivedLogs folder. You define the
location of the file share folder during installation. Archived log files have the file extension .log, whereas
active log files have the extension .txt.

See also:
p Local log configuration file (page 276)

6.10 Naming
The Qlik Sense log files are named in accordance to the following file rollover procedure:
1. The log is stored in a file named <MachineName>_<LogType>_<Service>.txt.
2. When the file is full or a pre-defined amount of time has passed, the file extension is automatically
changed to .log and a time stamp is appended to the file name for uniqueness and archiving. This
means that the new file name becomes <MachineName>_<LogType>_<Service>_
<YYYYMMDDTHHmmss>Z.log. The file is then moved to the repository database on the central
node by the Qlik Sense Repository Service (QRS) and archived.
3. A new log file, named <MachineName>_<LogType>_<Service>.txt, is created.

If the .log file is deleted before being copied to the repository database on the central node, the file is lost and cannot be rec

The format of the file name is as follows:

 <MachineName> = Name of the server where the log was created.
 <LogType> = The type of events that are covered by the log.
 <Service> = The service that the log originates from (for example, Proxy or Repository).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

 <YYYYMMDDTHHmmss>Z = Time stamp for when the log file was closed for new entries, where:
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter, time designator
 HH: Hour
 mm: Minutes
 ss: Seconds
 Z: UTC designator, indicates that the time stamp is in UTC format

6.11 Rows
The first row of each log file contains a header that, in turn, contains the names of all fields, separated by
tabs.

Each log entry is one row and the characters listed in the following table are replaced with Unicode
characters.

Character Unicode replacement Description

\t \u21d4 Symbol for horizontal tabulation, HT.

\n \u2193 Symbol for line feed, LF.

\f \u2192 Symbol for form feed, FF.

\r \u21b5 Symbol for carriage return, CR.

6.12 Fields
This section describes the fields in the Qlik Sense log files.

Audit activity log
The following table lists the fields in the audit activity log, <MachineName>_AuditActivity_<Service>.txt.

The Audit activity log does not include a Severity field. This is because all rows in the log have the same log level.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

Sequence# Int 1 - 2147483647 by default, but can be configured using custom logging

as described in Appenders (page 273). Each row in the log starts with a
sequence number that is used to ensure that the log is not tampered
with (that is, that no rows are inserted or deleted). The sequence
number wraps a) when the last sequence number is reached, or b) when
the logging, for some reason, is restarted without the last sequence
number being reached.

ProductVersion String The version number of the Qlik Sense service (for example, 1.2.1.3).

Timestamp ISO Timestamp in ISO 8601 format, YYYYMMDDThhmmss.fffK, where:

8601
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter
 hh: Hour
 mm: Minutes
 ss: Seconds
 fff: Milliseconds
 K: Time zone offset

For example, 20110805T145657.000+0200 means year 2011, month 8,
day 5 at 14:56:57 GMT+2.

Hostname String The name of the server.

Id String A unique identifier of the log entry (added by Log4net).

Description String A human-readable message that summarizes the action in the system.

Format:

Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description, Success, or Error message>

ProxySessionId String The ID of the proxy session.

0 = Internal system command or a command that does not go through
the QPS

ProxyPackageId String A unique ID of each HTTP(S) package that passes through the Qlik

Sense Proxy Service (QPS).

0 = Internal system command or a command that does not go through
the QPS

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

RequestSequenceId String The combination of RequestSequenceId and ProxyPackageId is unique

for every row in a log file and creates the timeline for the proxy s
ession. The combination also forms a primary key in the log file.

The initial RequestSequenceId is an integer. Subrequests are linked to
the initial request by adding a dot and an ID for the subrequest:

 Initial request: RequestSequenceId = 1
 Subrequest 1 based on the initial request:
RequestSequenceId = 1.0
 Subrequest 2 based on the initial request:
RequestSequenceId = 1.1

0 = Internal system command or a command that does not go through
the Qlik Sense Engine Service (QES)

UserDirectory String The user directory linked to the logged in Qlik Sense user.

UserId String The Qlik Sense user that initiated the command.

System = Internal system command

ObjectId String The internal ID of the object. Used to link system actions to user actions.

0 = Cannot get the ID of the object

In some cases the ObjectId field contains multiple IDs, separated by the
"|" (pipe) sign.

Example: ObjectId field containing multiple IDs

Log event: Start reload task

Contents of the ObjectId field: ed5715cd-2d7f-44ec-825f-
44084efb3443|d63c7e4e-6089-4314-b60f-ed47ba6c35cc

 First ID: The ID of the task.
 Second ID: The ID of the app.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

ObjectName String The human-readable name of the object. The ObjectName is linked to

the ObjectId.

Not available = Cannot link the ObjectName to the ObjectId or the
ObjectId is missing

In some cases the ObjectName field contains multiple names.

Example: ObjectName field containing multiple names

Log event: Start reload task

Contents of the ObjectName field: MyReload|MyApp

 First identifier (MyReload): The name of the task.
 Second identifier (MyApp): The name of the app.

The list of ObjectNames always matches the list of ObjectIds, meaning
that the ObjectName in the first position is identified by the ID in the
corresponding position of the ObjectId field. In this example the
following IDs apply (see also the description of the ObjectId field):

 MyReload = ed5715cd-2d7f-44ec-825f-44084efb3443
 MyApp = d63c7e4e-6089-4314-b60f-ed47ba6c35cc

Service String The Qlik Sense service on the server that hosts the process.

Origin String The origin of the request:

 AppAccess
 ManagementAccess
 Not available

Context String The context of the command.

The context can be a URL that is linked to the command or a short
version of the module path linked to the command.

Command String The core name of the use case or system command.

Result String Return code:

 0, 200 - 226: Success
 Any other number: Error

Message String Text that describes the log entry. If the request is successful, this field

contains "success".

Id2 String A unique row identifier (the checksum is added by Log4Net).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Audit security log
The following table lists the fields in the audit security log, <MachineName>_AuditSecurity_<Service>.txt.

This log is not available for the Qlik Sense Engine Service (QES).

The Audit security log does not include a Severity field. This is because all rows in the log have the same log level.

Field Format Description

Sequence# Int 1 - 2147483647 by default, but can be configured using custom logging

ProductVersion String The version number of the Qlik Sense service (for example, 1.2.1.3).

Timestamp ISO Timestamp in ISO 8601 format, YYYYMMDDThhmmss.fffK, where:

8601
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter
 hh: Hour
 mm: Minutes
 ss: Seconds
 fff: Milliseconds
 K: Time zone offset

For example, 20110805T145657.000+0200 means year 2011, month 8,
day 5 at 14:56:57 GMT+2.

HostName String The name of the server.

Id GUID A unique identifier of the log entry (added by Log4net).

Description String A human-readable message that summarizes the action in the system.

Format:

Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description, Success, or Error message>

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

ProxySessionId String The ID of the proxy session.

0 = Internal system command or a command that does not go through
the QPS

ProxyPackageId String A unique ID of each HTTP(S) package that passes through the Qlik

Sense Proxy Service (QPS).

0 = Internal system command or a command that does not go through
the QPS

RequestSequenceId String The combination of RequestSequenceId and ProxyPackageId is unique

for every row in a log file and creates the timeline for the proxy s
ession. The combination also forms a primary key in the log file.

The initial RequestSequenceId is an integer. Subrequests are linked to
the initial request by adding a dot and an ID for the subrequest:

 Initial request: RequestSequenceId = 1
 Subrequest 1 based on the initial request:
RequestSequenceId = 1.0
 Subrequest 2 based on the initial request:
RequestSequenceId = 1.1

0 = Internal system command or a command that does not go through
the Qlik Sense Engine Service (QES)

UserDirectory String The user directory linked to the logged in Qlik Sense user.

System = Internal system command

UserId String The Qlik Sense user that initiated the command.

System = Internal system command

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

ObjectId String The internal ID of the object. Used to link system actions to user actions.

0 = Cannot get the ID of the object

In some cases the ObjectId field contains multiple IDs, separated by the
"|" (pipe) sign.

Example: ObjectId field containing multiple IDs

Log event: Start reload task

Contents of the ObjectId field: ed5715cd-2d7f-44ec-825f-
44084efb3443|d63c7e4e-6089-4314-b60f-ed47ba6c35cc

 First ID: The ID of the task.
 Second ID: The ID of the app.

ObjectName String The human-readable name of the object. The ObjectName is linked to

the ObjectId.

Not available = Cannot link the ObjectName to the ObjectId or the
ObjectId is missing

In some cases the ObjectName field contains multiple names.

Example: ObjectName field containing multiple names

Log event: Start reload task

Contents of the ObjectName field: MyReload|MyApp

 First identifier (MyReload): The name of the task.
 Second identifier (MyApp): The name of the app.

 MyReload = ed5715cd-2d7f-44ec-825f-44084efb3443
 MyApp = d63c7e4e-6089-4314-b60f-ed47ba6c35cc

SecurityClass String A categorization of the security-related information:

 Security: Access to resources, authentication, authorization
 License: License access, license usage, license allocation
 Certificate: Certificate-related information

ClientHostAddress String The hostname/IP address of the client.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

Service String The Qlik Sense service on the server that hosts the process.

Origin String The origin of the request:

 AppAccess
 ManagementAccess
 Not available

Context String The context of the command.

The context can be a URL that is linked to the command or a short
version of the module path linked to the command.

Command String The core name of the use case or system command.

Result String Return code:

 0, 200 - 226: Success
 Any other number: Error

Message String Text that describes the log entry. If the request is successful, this field

contains "success".

Checksum ID Each row has a checksum. The security log file also includes a file
signature.

Server log
The following table lists the fields in the service log, <MachineName>_Service_<Service>.txt.

Field Format Description

Sequence# Int 1 - 2147483647 by default, but can be configured using custom logging

ProductVersion String The version number of the Qlik Sense service (for example, 1.2.1.3).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

Timestamp ISO Timestamp in ISO 8601 format, YYYYMMDDThhmmss.fffK, where:

8601
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter
 hh: Hour
 mm: Minutes
 ss: Seconds
 fff: Milliseconds
 K: Time zone offset

For example, 20110805T145657.000+0200 means year 2011, month 8,
day 5 at 14:56:57 GMT+2.

Severity String Row log level, can be configured using custom logging as described in

Appenders (page 273):

 Debug: Information useful to developers for debugging
purposes. This level is not useful during normal operation as it
generates vast amounts of logging information.
 Info: Normal operational messages that may be harvested for
reporting, measuring throughput, and so on. No action is
required.
 Warn: Not an error message, but an indication that an error will
occur, if no action is taken (for example, the file system is 85%
full).
 Error: Messages regarding unexpected situations and errors that
prevent the server from operating normally.
 Fatal: Messages that the Qlik Sense service or application has to
shut down in order to prevent data loss.

HostName String The hostname of the server that runs the process or executes the task.

Id GUID A unique identifier of the log entry (added by Log4net).

Description String A human-readable message that summarizes the action in the system.

Format:

Command=<CommandName>;Result=<ReturnCode
(Int)>;ResultText=<Description, Success, or Error message>

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

ProxySessionId String The ID of the proxy session.

0 = Internal system command or a command that does not go through
the QPS

ProxyPackageId String A unique ID of each HTTP(S) package that passes through the Qlik

Sense Proxy Service (QPS).

0 = Internal system command or a command that does not go through
the QPS

RequestSequenceId String The combination of RequestSequenceId and ProxyPackageId is unique

for every row in a log file and creates the timeline for the proxy s
ession. The combination also forms a primary key in the log file.

The initial RequestSequenceId is an integer. Subrequests are linked to
the initial request by adding a dot and an ID for the subrequest:

 Initial request: RequestSequenceId = 1
 Subrequest 1 based on the initial request:
RequestSequenceId = 1.0
 Subrequest 2 based on the initial request:
RequestSequenceId = 1.1

0 = Internal system command or a command that does not go through
the Qlik Sense Engine Service (QES)

UserDirectory String The user directory linked to the logged in Qlik Sense user.

System = Internal system command

UserId String The Qlik Sense user that initiated the command.

System = Internal system command

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

ObjectId String The internal ID of the object. Used to link system actions to user actions.

0 = Cannot get the ID of the object

In some cases the ObjectId field contains multiple IDs, separated by the
"|" (pipe) sign.

Example: ObjectId field containing multiple IDs

Log event: Start reload task

Contents of the ObjectId field: ed5715cd-2d7f-44ec-825f-
44084efb3443|d63c7e4e-6089-4314-b60f-ed47ba6c35cc

 First ID: The ID of the task.
 Second ID: The ID of the app.

ObjectName String The human-readable name of the object. The ObjectName is linked to

the ObjectId.

Not available = Cannot link the ObjectName to the ObjectId or the
ObjectId is missing

In some cases the ObjectName field contains multiple names.

Example: ObjectName field containing multiple names

Log event: Start reload task

Contents of the ObjectName field: MyReload|MyApp

 First identifier (MyReload): The name of the task.
 Second identifier (MyApp): The name of the app.

 MyReload = ed5715cd-2d7f-44ec-825f-44084efb3443
 MyApp = d63c7e4e-6089-4314-b60f-ed47ba6c35cc

Service String The Qlik Sense service on the server that hosts the process.

Origin String The origin of the request:

 AppAccess
 ManagementAccess
 Not available

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Format Description

Context String The context of the command.

The context can be Internal System command or User Activity
command (based on URL for the command).

Command String The core name of the use case or system command.

Result Int Return code:

 0, 200 - 226: Success
 Any other number: Error

Message String Text that describes the log entry. If the request is successful, this field

contains "success".

Id2 String A unique row identifier (the checksum is added by Log4Net).

Qlik Sense engine service log fields
The following table lists the fields that are unique for the Qlik Sense Engine Service (QES) logs.

Field Format Description

EngineTimestamp ISO The date and time when the QES wrote the log message to file.

8601
Timestamp in ISO 8601 format, YYYYMMDDThhmmss.fffK, where:

 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter
 hh: Hour
 mm: Minutes
 ss: Seconds
 fff: Milliseconds
 K: Time zone offset

For example, 20110805T145657.000+0200 means year 2011, month 8,
day 5 at 14:56:57 GMT+2.

EngineVersion String The version number of the QES that executed the request.

6.13 Trace logs
The legacy logging framework is still available in Qlik Sense, but the logs are as of Qlik Sense version 2.0
referred to as trace logs. The log files remain the same, in the old logging format, but they are stored in a new
location.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Storage
The trace log files are stored in the %ProgramData%\Qlik\Sense\Log\<Service>\Trace folder.

Naming
The trace log files are named in accordance to the following file rollover procedure:
1. The log is stored in a file named <MachineName>_<Facility>_<Service>.txt.
2. When the file is full or a pre-defined amount of time has passed, the file extension is automatically
changed to .log and a time stamp is appended to the file name for uniqueness and archiving. This
means that the new file name becomes <MachineName>_<Facility>_<Service>_<YYYY-MM-
DDTHH.mm.ss>Z.log. The file is then moved to the repository database on the central node by the
Qlik Sense Repository Service (QRS) and archived.
3. A new log file, named <MachineName>_<Facility>_<Service>.txt, is created.

If the .log file is deleted before being copied to the repository database on the central node, the file is lost and cannot be rec

The format of the file name is as follows:

 <Machine> = Name of the server where the log was created.
 <Facility> = The type of events that are covered by the log.
Logger (page 264)

 <Service> = The service that the log originates from (for example, Proxy or Repository).
 <YYYY-MM-DDTHH.mm.ss>Z = Time stamp for when the log file was closed for new entries,
where:
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter, time designator
 HH: Hour
 mm: Minutes
 ss: Seconds
 Z: UTC designator, indicates that the time stamp is in UTC format

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Rows
The first row of each log file contains a header that, in turn, contains the names of all fields, separated by
tabs.

Each log entry is one row and the characters listed in the following table are replaced with Unicode
characters.

Character Unicode replacement Description

\t \u21d4 Symbol for horizontal tabulation, HT.

\n \u2193 Symbol for line feed, LF.

\f \u2192 Symbol for form feed, FF.

\r \u21b5 Symbol for carriage return, CR.

Fields
This section describes the fields in the trace log files.

Common fields
The following table lists the fields (in order of appearance) included in all trace log files.

Field Description

Sequence# 1 - 2147483647 by default, but can be configured using custom logging as described in
Qlik Sense Appenders (page 273). Each row in the log starts with a sequence number
that is used to ensure that the log is not tampered with (that is, that no rows are inserted
or deleted). The sequence number wraps either when the last sequence number is
reached or when the logging, for some reason, is restarted without the last sequence
number being reached.

Timestamp Timestamp in ISO 8601 format, YYYYMMDDThhmmss.fffK, where:
 YYYY: Year
 MM: Month
 DD: Day in month
 T: Delimiter
 hh: Hour
 mm: Minutes
 ss: Seconds
 fff: Milliseconds
 K: Time zone offset
For example, 20110805T145657.000+0200 means year 2011, month 8, day 5 at
14:56:57 GMT+2.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Description

Level Row log level, can be configured using custom logging as described in Qlik Sense
Appenders (page 273):
 Debug: Information useful to developers for debugging purposes. This level is
not useful during normal operation since it generates vast amounts of logging
information.
 Info: Normal operational messages that may be harvested for reporting,
measuring throughput, and so on. No action required.
 Warn: Not an error message, but an indication that an error may occur, if no
action is taken (for example, the file system is 85% full). Each item must be
resolved within a given time.
 Error: Non-urgent failures that are relayed to developers or administrators. Each
item must be resolved within a given time.
 Fatal: Indicates a failure in a primary system (for example, loss of primary ISP
connection) and must be corrected immediately.
 Off: No logs, except for license logs, are produced.

Hostname Server name.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Description

Logger Logger in <Facility>.<Service>.<Fully qualified name of class> format, where:

 <Facility>:
 Application: Log events that are related to the app running in Qlik Sense.
 Audit: Log events that provide an audit trail of a user’s activities and
administration of the Qlik Sense platform.
 Exit: Log events that are related to the shutdown of the Qlik Sense
Engine Service (QES).
 License: Log events that are related to the Qlik Sense license.
 ManagementConsole: Log events that are related to the Qlik
Management Console (QMC).
 Performance: Log events that are related to the performance of the Qlik
Sense platform or app.
 QixPerformance: Log events that are related to the performance of the
QIX protocol in the QES.
 Security: Log events that are related to security issues.
 Session: Log events that are related to the termination of a proxy
session.
 SSE: Log events that are related to server-side extensions.
 Synchronization: Log events that are related to the synchronization of the
Qlik Sense Repository Service (QRS) instances in a m ulti-node site.
 System: Log events that are related to the Qlik Sense platform and not to
the app running on the platform (for example, log messages related to
the QMC, QRS, Qlik Sense Proxy Service (QPS), and so on).
 TaskExecution: Log events that are related to the execution of tasks by
the Qlik Sense Scheduler Service (QSS).
 Traffic: Log events that are related to debugging.
 UserManagement: Log events that are related to the management of the
users.
 <Service>: The Qlik Sense service that the log originates from (for example,
QRS or QPS).
 <Fully qualified name of class>: Indicates the part of the service that
generated the log message.

Thread Thread name or Managed Thread ID (if available).

Id Globally Unique Identifier (GUID) for the log message.

ServiceUser Name of the user or account used by the Qlik Sense service.

Message Log message.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Field Description

Exception Exception message.

This field is only present when there is an exception message.

StackTrace A trace to the place in Qlik Sense where the exception occurred.

This field is only present when the Exception field is present.

ProxySessionId The ID of the proxy session for the user.

This field is not present in all log files.

Id2 or The last field in a log entry either contains an Id2 or a Checksum:
Checksum  Id2: Log message GUID (same as Id described earlier). This is the normal value.
 Checksum: To protect logs that contain sensitive information (for example,
audit, security, and license logs) from tampering, the last field in such log entries
contains a cryptographic hash of the entire row up to the hash itself.

Additional fields
The common fields are present in all trace log files. Some trace logs contain additional fields, which are listed
in this section. In addition, optional fields can be defined.

Application log

Qlik Sense Repository Service (QRS)
The following fields are specific to the Application log for the QRS:

 Application: The name of the application (if there is a name to associate with the log entry).

Qlik Sense Scheduler Service (QSS)
The following fields are specific to the Application log for the QSS:

 Application: The name of the application (if there is a name to associate with the log entry).
p Common fields (page 262)

Audit log

Qlik Sense Repository Service (QRS)
The following fields are specific to the Audit log for the QRS:

 Action: The action that the user performed (add, update, delete, export).
 ActiveUserDirectory: The user directory for the user.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

 ActiveUserId: The ID of the user.
 ResourceId: The ID of the resource on which the user performed the action.

Qlik Sense Proxy Service (QPS)
The following fields are specific to the Audit log for the QPS:

 ConnectionId: The ID of the connection.
ActiveConnections field in Performance log (page 267)

 ActiveUserDirectory: The user directory for the user.
 ActiveUserId: The ID of the user.

TicketId: The ID of the login ticket that was issued for the user. The ticket ID exists until it is consumed
by the QPS.
 IpAddress: The IP address of the client.
 AppId: The ID of the app (empty if no app is loaded).
 TargetHost: The call from the client is forwarded to a Qlik Sense Engine Service (QES) or QRS. This
field contains the name of the machine on which the service is running.
 VirtualProxy: The virtual proxy prefix in {prefix} format.

Qlik Sense Engine Service (QES)
The following fields are specific to the Audit log for the QES:

License log

Qlik Sense Repository Service (QRS)
The following fields are specific to the License log for the QRS:

 AccessTypeId: The ID of the access type entity.
 AccessType: The name of the access type (LoginAccess or UserAccess).
 Operation: The operation that was performed (Add, Update, Delete, UsageGranted, UsageDenied,
Available, Timedout, or Unquarantined).
 UserName: The name of the user (who, for example, uses an access pass).
 UserId: The ID of the user in Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
p Common fields (page 262)

Performance log

Qlik Sense Repository Service (QRS)
The following fields are specific to the Performance log for the QRS:

 Tracenumber: A unique ID for the call to the QRS REST API.
 Httpmethod: The HTTP method that was used (Get, Put, Post, or Delete).
 Url: The URL that was used.
 Resourcetype: The type of resource.
 Method: The backend code that was called.
 Elapsedmilliseconds: The time (in milliseconds) to complete the call to the QRS REST API.

Example: Get http://mytest/cars/4

 Httpmethod: Get
 Url: http://mytest/cars/4
 Resourcetype: cars
 Method: get/cars/{0}

Qlik Sense Proxy Service (QPS)
The following fields are specific to the Performance log for the QPS:

 ActiveConnections: The number of active connections (in any form or shape) from the client.
A connection is a stream (that is, a socket) between a Qlik Sense client and the Qlik Sense Proxy
Service (QPS). This stream is often connected to another stream, which runs from the QPS to the
Qlik Sense Repository Service (QRS) or the Qlik Sense Engine Service (QES). The two streams allow
the client to communicate with the QRS or the QES.

 ActiveStreams: The number of active data streams (that is, sockets), either from the browser to the
QPS or from the QPS to the QRS or the QES.
 ActiveSessions: The number of active sessions in the QPS.
A Qlik Sense user gets a proxy session when the user has been authenticated. The session is
terminated after a certain period of inactivity.

 LoadBalancingDecisions: The number of users who currently have at least one engine session.
 PrintingLoadBalancingDecisions: The number of users who have been load balanced to the Qlik
Sense Printing Service (QPR).
 Tickets: The number of issued login tickets that have not yet been consumed.
 ActiveClientWebsockets: The number of active WebSockets between the client and the QPS.
 ActiveEngineWebsockets: The number of active WebSockets between the QPS and the target Qlik
Sense service.

The logging entries are also available as metrics; see .

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Qlik Sense Engine Service (QES)
Each entry (that is, row) in the Performance log corresponds to a snapshot (that is, a number of
measurements) of the performance of the QES at the given point in time.

The following fields are specific to the Performance log for the QES:

 ActiveUserDirectory: The user directory for the user.
 ActiveUserId: The ID of the user.
 EngineTimestamp: The time when the QES wrote the log message to file.
 EngineThread: The ID of the thread that was used when the QES wrote the log message to file.
 ProcessId: The ID of the QES process from which the log message originates.
 Exe Type: The configuration type (release or debug version) of the QES process.
 Exe Version: The version number of the QES process.
 Server Started: The time when the QES started.
 Entry Type: The reason (Server Starting, Normal, or Server Shutting Down) for the log entry in the
Performance log.
 ActiveDocSessions: The number of active engine sessions at the given point in time.
 DocSessions: The number of engine sessions at the given point in time.
 ActiveAnonymousDocSessions: The number of active anonymous engine sessions at the given point
in time.
 AnonymousDocSessions: The number of anonymous engine sessions at the given point in time.
 ActiveTunneledDocSessions: The number of active tunneled engine sessions at the given point in
time.
 TunneledDocSessions: The number of tunneled engine sessions at the given point in time.
 DocSessionStarts: The number of started engine sessions since the previous snapshot.
 ActiveDocs: The number of active apps in the QES at the given point in time.
 RefDocs: The number of apps in the QES at the given point in time.
 LoadedDocs: The number of loaded apps in the QES at the given point in time.
 DocLoads: The number of app loads in the QES since the previous snapshot.
 DocLoadFails: The number of failed app loads in the QES since the previous snapshot.
 Calls: The number of calls to the QES since the previous snapshot.
 Selections: The number of selections in the QES since the previous snapshot.

ActiveIpAddrs: The number of IP addresses of active connected clients in the QES at the given point
in time.
 IpAddrs: The number of IP addresses of all connected clients in the QES at the given point in time.
 ActiveUsers: The number of active users in the QES at the given point in time.
 Users: The total number of users in the QES at the given point in time.
 CPULoad: A measurement of the load on the CPU on which the QES runs at the given point in time.
 VMCommitted(MB): The committed Virtual Memory (in megabytes) at the given point in time.
 VMAllocated(MB): The allocated Virtual Memory (in megabytes) at the given point in time.
 VMFree(MB): The freed Virtual Memory (in megabytes) at the given point in time.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

 VMLargestFreeBlock(MB): The largest freed Virtual Memory block (in megabytes) at the given point
in time.
p Common fields (page 262)

QIX performance log

Qlik Sense Engine Service (QES)
The following fields are specific to the QIX performance log for the QES:

Qlik Management Consolelog

The Qlik Management Console log is not created until there is an event (for example, an error message) for the Qlik Manage

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Qlik Sense Repository Service (QRS)
The following fields are specific to the Qlik Management Console log for the QRS:

 Browser: The web browser that is used to run the QMC.
p Common fields (page 262)

Server-side extension log

Qlik Sense Engine Service (QES)
The following fields are specific to the server-side extension (SSE) log for the QES:

Session log

Qlik Sense Engine Service (QES)
The following fields are specific to the Session log for the QES:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

 AppId: The ID of the app that was loaded by the finished engine session.
 App Title: The title of the loaded app that was used during the finished engine session.
 Doc Timestamp: The last modified timestamp of the app that was loaded by the finished engine
session.
 Exit Reason: The reason for the engine session to finish.
 Session Start: The time when the engine session started.
 Session Duration: The duration (in milliseconds) of the finished engine session.
 CPU Spent (s): The CPU time (in seconds) that was spent handling requests during the finished
engine session.
 Bytes Received: The number of bytes of data that were received during the engine session.
 Bytes Sent: The number of bytes of data that were sent during the engine session.
 Calls: The number of calls that were made during the engine session.
 Selections: The number of selections that were made during the engine session.
 Authenticated User: The authenticated user that used the engine session.
 Secure Protocol: An on/off flag that indicates whether the protocol was run over a secure connection.
p Common fields (page 262)

System log

Qlik Sense Scheduler Service (QSS)
The following fields are specific to the System log for the QSS:

 TaskName: The name of the task that was executed.
 TaskId: The ID of the task that was executed.
 User: The name of the user who executed the task. When the QSS starts a scheduled execution of a
task, the QSS is listed as user.
 ExecutionId: A unique ID that identifies the execution of the task. A task gets a new ExecutionId every
time it is executed.
 AppName: The name of the app that executed the task (if any).
 AppId: The ID of the app that executed the task (if any).

Qlik Sense Engine Service (QES)
The following fields are specific to the System log for the QES:

 ActiveUserDirectory: The user directory for the active user who was logged in when the log message
was generated in the QES.

ActiveUserId: The user ID for the active user who was logged in when the log message was generated
in the QES.
 EngineTimestamp: The time when the QES wrote the log message to file.
 EngineThread: The ID of the thread that was used when the QES wrote the log message to file.
 ProcessId: The ID of the QES process from which the log message originates.
 Server Started: The time when the QES started.
p Common fields (page 262)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Task execution log

Qlik Sense Scheduler Service (QSS)
The following fields are specific to the Task execution log for the QSS:

 TaskId: A unique ID of the task that was executed.
 TaskName: The name of the task that was executed.
 AppId: A unique ID of the app that executed the task (if any).
 AppName: The name of the app that executed the task (if any).
 ExecutionId: A unique ID that identifies the execution of a task. A task gets a new ExecutionId every
time it is executed.
 ExecutionNodeId: A unique ID that identifies the node in the site on which the specific execution of
the task was performed.
 Status: The result of the execution of the task (successful, failed, aborted, skipped, or retry).
 StartTime: The time when the execution of the task started.
 StopTime: The time when the execution of the task stopped.
 Duration: The time (in milliseconds) for the execution of the task to be completed.
 FailureReason: Empty, unless an error occurred during the execution of the task.
p Common fields (page 262)

Traffic log

Qlik Sense Engine Service (QES)
The following fields are specific to the traffic log for the QES:

6.14 Configuring the logging
The standard logging in Qlik Sense is managed from the Qlik Management Console (QMC) for each Qlik
Sense service.

Services (page 31)

Customized logging is setup using appenders and the local log configuration file, LocalLogConfig.xml.

Appenders (page 273)

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Appenders
The logging in Qlik Sense implements a custom appender, QSRollingFileAppender, which is based on the
log4net component. The custom appender is used internally by the Qlik Sense logging system.

QSRollingFileAppender and some of the built-in, predefined appenders in the log4net framework can be
used to configure customized logging, which is specified in the local log configuration file,
LocalLogConfig.xml.

QSRollingFileAppender can also log events in the local log file (for example, the Microsoft Windows event
log) or send log information to a remote log server.

QSRollingFileAppender
QSRollingFileAppender inherits from log4net.Appenders.FileAppender and all parameters, except for
AppendToFile, are also available to QSRollingFileAppender. QSRollingFileAppender stores the log files in
accordance to the MaxFileSize and MaxFileTime parameters.

Configuring the appender
The QSRollingFileAppender configuration is as follows:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
<param name="name" value="encodedmessage" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter"
/>
</converter>
<converter>
<param name="name" value="encodedexception" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter" />
</converter>
<param name="ignoresexception" value="false" />
<param name="header"
value="Sequence#	Timestamp	Level	Hostname	Logger	Thread	Id	User	
Message	Exception	Id2
" />
<param name="conversionpattern" value="%rownum
{9999}	%longIso8601date	%level	%hostname	%logger	%thread	
%guid	%user	%encodedmessage	%encodedexception{innermostmessage}	%guid%newline" />
</layout>
</appender>

Converters
log4net.Layout.PatternLayout and a couple of custom converters are used to format rows in logs based on
QSRollingFileAppender:

 Qlik.Sense.Logging.log4net.Layout.Pattern.CounterPatternConverter: Add a sequence number to
the log row. Parameter:
 Integer: The last number of the sequence before it is reset.
 Qlik.Sense.Logging.log4net.Layout.Pattern.Iso8601TimeOffsetPatternConverter : Add a time stamp
(local time with time offset in ISO 8601 format) to the log row.

Qlik.Sense.Logging.log4net.Layout.Pattern.HostNamePatternConverter : Add the host name to the log
row.
 Qlik.Sense.Logging.log4net.Layout.Pattern.GuidPatternConverter: Add a GUID to the log row.
 Qlik.Sense.Logging.log4net.Layout.Pattern.ServiceUserNameCachedPatternConverter : Add the
username to the log row.
 Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter : Add the encoded
message to the log row.
 Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter : Add information on
the logged exception to the log row. Parameter (one of the following):
 MESSAGE: The message in the logged exception.
 INNERMOSTMESSAGE: The message in the innermost exception of the logged exception.
 SOURCE: The source of the exception (that is, the name of the app or the object that caused
the error).
 STACKTRACE: The stack trace for the exception.
 TARGETSITE: The target site for the exception (that is, the method that threw the current
exception).
 HELPLINK: Link to the help file associated with the exception.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Built-in log4net appenders
In addition to the Qlik Sense custom appender, QSRollingFileAppender, the log4net framework comes with
a set of built-in predefined appenders that also can be used in the local log configuration file,
LocalLogConfig.xml:

 AdoNetAppender
 AnsiColorTerminalAppender
 AspNetTraceAppender
 ColoredConsoleAppender
 ConsoleAppender
 EventLogAppender
 FileAppender
 NetSendAppender
 RemoteSyslogAppender
 RemotingAppender
 RollingFileAppender
 SmtpAppender
 SmtpPickupDirAppender
 TelnetAppender
 UdpAppender

Each appender has its own set of parameters to control the output.

<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender" >

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

Example: SmtpAppender
The following example shows how to use the SmtpAppender in the local log configuration file,
LocalLogConfig.xml, for the Qlik Sense Proxy Service (QPS). In the example, all QPS audit log entries at
warning level are sent to an email address ([email protected]).

<appender name="MyMailAppender" type="log4net.Appender.SmtpAppender">

Local log configuration file
The logging in Qlik Sense can be set up to produce customized logging as an addition to the default logging.

To set up customized logging, create a local log configuration file named LocalLogConfig.xml in the
%ProgramData%\Qlik\Sense\<Service>\ folder.

The logging defined by the local log configuration file does not affect the default logging.

Requirements
The requirements described in this section must be fulfilled for the customized logging to function properly.

Conforming to the XML schema
The local log configuration file must conform to the XML schema because the Qlik Sense Repository Service
(QRS), Qlik Sense Proxy Service (QPS), and Qlik Sense Scheduler Service (QSS) have built-in schema
validation.

If the local log configuration file is not accepted by the services, an error is logged in the System log.

Maximum file size
The size of the local log configuration file must not exceed 1 MB.

XML schema
The XML schema for the local log configuration file, LocalLogConfig.xml, is as follows:

<?xml version="1.0" encoding="utf-8" ?>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

<xs:complexType name="ParamType">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="value" type="xs:string" use="required"/>
</xs:complexType>

<xs:simpleType name="AppenderNameType">
<xs:restriction base="xs:string">
<xs:pattern value="[^$].*"/> 
</xs:restriction>
</xs:simpleType>

<xs:complexType name="ConverterType">
<xs:sequence>
<xs:element name="param" minOccurs="0" maxOccurs="unbounded" type="ParamType" />
</xs:sequence>
</xs:complexType>

<xs:complexType name="FilterType">
<xs:sequence>
<xs:element name="param" minOccurs="0" maxOccurs="unbounded" type="ParamType" />
</xs:sequence>
<xs:attribute name="class" type="xs:string" use="optional"/> 
<xs:attribute name="type" type="xs:string" use="optional"/> 
</xs:complexType>

<xs:complexType name="EvaluatorType">
<xs:sequence>
<xs:element name="param" minOccurs="0" maxOccurs="unbounded" type="ParamType" />
</xs:sequence>
<xs:attribute name="class" type="xs:string" use="optional"/> 
<xs:attribute name="type" type="xs:string" use="optional"/> 
</xs:complexType>

<xs:complexType name="LayoutType">
<xs:sequence>
<xs:element name="converter" minOccurs="0" maxOccurs="unbounded" type="ConverterType" />
<xs:element name="param" minOccurs="0" maxOccurs="unbounded" type="ParamType" />
</xs:sequence>
<xs:attribute name="class" type="xs:string" use="optional"/> 
<xs:attribute name="type" type="xs:string" use="optional"/> 
</xs:complexType>

<xs:complexType name="AppenderType">
<xs:sequence>
<xs:element name="filter" minOccurs="0" maxOccurs="unbounded" type="FilterType" />
<xs:element name="evaluator" minOccurs="0" type="EvaluatorType" />
<xs:element name="lossyevaluator" minOccurs="0" type="EvaluatorType" /> 
<xs:element name="param" minOccurs="0" maxOccurs="unbounded" type="ParamType" />
<xs:element name="layout" minOccurs="1" type="LayoutType" />
</xs:sequence>
<xs:attribute name="name" type="AppenderNameType" use="required"/>
<xs:attribute name="class" type="xs:string" use="optional"/> 
<xs:attribute name="type" type="xs:string" use="optional"/> 
</xs:complexType>

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
<xs:complexType name="AppenderRefType">
<xs:attribute name="ref" type="AppenderNameType" use="required"/>
</xs:complexType>

<xs:complexType name="RootType">
<xs:sequence>
<xs:element name="appender-ref" type="AppenderRefType" minOccurs="0" maxOccurs="unbounded"
/>
</xs:sequence>
</xs:complexType>

<xs:complexType name="LoggerType">
<xs:sequence>
<xs:element name="appender-ref" type="AppenderRefType" minOccurs="0" maxOccurs="unbounded"
/>
</xs:sequence>
<xs:attribute name="name" type="AppenderNameType" use="required"/>
</xs:complexType>

<xs:element name="configuration">
<xs:complexType>
<xs:sequence>
<xs:element name="appender" type="AppenderType" minOccurs="0" maxOccurs="unbounded"
/>
<xs:element name="root" type="RootType" minOccurs="0" />
<xs:element name="logger" type="LoggerType" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

Example:

In this example, the local log configuration file is configured to write the system logs at debug level in
%ProgramData%\Qlik\Sense\Log\Proxy\Debug_System_Proxy.txt .

<?xml version="1.0"?>
<configuration>
<appender name="LocalApp_AppenderSystem"
type="Qlik.Sense.Logging.log4net.Appender.QSRollingFileAppender">
<param name="threshold" value="debug" />
<param name="encoding" value="utf-8" />
<param name="file" value="C:\ProgramData\Qlik\Sense\Log\Proxy\Debug_System_Proxy.txt" />
<param name="maximumfiletime" value="720" />
<param name="maximumfilesize" value="512KB" />
<layout type="log4net.Layout.PatternLayout">
<converter>
<param name="name" value="rownum" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.CounterPatternConverter" />
</converter>
<converter>
<param name="name" value="longIso8601date" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.Iso8601TimeOffsetPatternConverter" />
</converter>
<converter>

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
<param name="name" value="hostname" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.HostNamePatternConverter" />
</converter>
<converter>
<param name="name" value="guid" />
<param name="type" value="Qlik.Sense.Logging.log4net.Layout.Pattern.GuidPatternConverter"
/>
</converter>
<converter>
<param name="name" value="serviceuser" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.ServiceUserNameCachedPatternConverter" />
</converter>
<converter>
<param name="name" value="encodedmessage" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedMessagePatternConverter" />
</converter>
<converter>
<param name="name" value="encodedexception" />
<param name="type"
value="Qlik.Sense.Logging.log4net.Layout.Pattern.EncodedExceptionPatternConverter" />
</converter>
<param name="ignoresexception" value="false" />
<param name="header" value="Sequence#	Timestamp	Level	Hostname	
Logger	Thread	Id	ServiceUser	Message	Exception	
ActiveUserDirectory	ActiveUserId	ProxyTimestamp	ProxyThread	
Id2
" />
<param name="conversionpattern" value="%rownum{9999}	%longIso8601date	
%level	%hostname	%logger	%thread	%guid	%serviceuser	
%encodedmessage{1000000}	%encodedexception{innermostmessage:1000000}	
%property{ActiveUserDirectory}	%property{ActiveUserId}	
%property{ProxyTimestamp}	%property{ProxyThread}	%guid%newline" />
</layout>
</appender>
<logger name="System.Proxy">
<appender-ref ref="LocalApp_AppenderSystem" />
</logger>
</configuration>
p Converters (page 274)

6.15 Telemetry logging
With the February 2018 release of Qlik Sense, you can capture granular usage metrics from the Qlik in-
memory engine based on configurable thresholds. This provides, among other things, the ability to capture
CPU and RAM usage of individual chart objects and CPU and RAM usage of reload tasks.

Enabling telemetry logging
Do the following:

1. Open the Qlik Management Console (QMC) by entering the QMC address in your browser.
By default, the QMC address is https://<QPS server name>/qmc.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

2. In the QMC, navigate to Engines, select an engine and go the setting QIX performance log level
under Logging.
3. Choose one of the following values:
 Off: No logging will occur.
 Error: Activity meeting the error threshold is logged. Recommended option.
 Warning: Activity meeting the error and warning thresholds is logged. Recommended option.
 Info: All activity is logged. Only recommended during troubleshooting because the log files
may become very big.

The options Fatal and Debug are not applicable in this scenario.

4. Repeat steps 1 and 2 for each engine for which you want to enable telemetry.
5. Set threshold parameters. Edit C:\ProgramData\Qlik\Sense\Engine\Settings.ini. If the file does not
exist, create it. You may need to open the file as an administrator to make changes.
Set the values according to the following list. We recommend that you start with these threshold
values and increase or decrease them as you become more aware of how your particular environment
performs. Too low values will create very large log files.
[Settings 7]
ErrorPeakMemory=2147483648
WarningPeakMemory=1073741824
ErrorProcessTimeMs=60000
WarningProcessTimeMs=30000
6. Save and close the file.
7. Restart the Qlik Sense Engine Service.
8. Repeat steps 4-6 f or each engine for which you want to enable telemetry.

Parameter descriptions
ErrorPeakMemory: Default 2147483648 bytes (2 Gb). If an engine operation requires more than this value of
Peak Memory, a record is logged with log level error. Peak
Memory is the maximum, transient amount of RAM an operation uses.

WarningPeakMemory: Default 1073741824 bytes (1 Gb). If an engine operation requires more than this value of
Peak Memory, a record is logged with log level warning. Peak Memory is the maximum, transient amount of
RAM an operation uses.

ErrorProcessTimeMs: Default 60000 millisecond (60 seconds). If an engine operation requires more than this
value of Process Time, a record is logged with log level error. Process Time is the end-to-end clock time of a
request.

WarningProcessTimeMs : Default 30000 millisecond (30 seconds). If an engine operation requires more than this
value of Process Time, a record is logged with log level warning. Process Time is the end-to-
end clock time of a request.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

You can only track either process time or peak memory. It is not required to track both metrics. However, if you set ErrorP

Reading the logs

Currently telemetry is only written to log files. It does not yet leverage the centralized logging to database capabilities.

Telemetry data is logged to C:\ProgramData\Qlik\Sense\Log\Engine\Trace\<hostname>_
QixPerformance_Engine.txt and rolls to the ArchiveLog folder in your ServiceCluster share.

In addition to the common fields found described, fields relevant to telemetry are the following:

Level: The logging level threshold the engine operation met.

ActiveUserId: The User ID of the user performing the operation.

Method: The engine operation itself, seeImportant Engine Operations (page 281).

DocId: The ID of the Qlik application.

ObjectId: For chart objects, the Object ID of chart object.

PeakRAM: The maximum RAM an engine operation used.

NetRAM: The net RAM an engine operation used. For hypercubes that support a chart object, the net RAM is
often lower than Peak RAM as temporary RAM can be used to perform set analysis, intermediate
aggregations, and other calculations.

ProcessTime: The end-to-end clock time for a request including internal engine operations to return the result.

WorkTime: Effectively the same as ProcessTime, excluding internal engine operations to return the result. Will
report very slightly shorter time than ProcessTime.

TraverseTime: Time spent running the inference engine (that is, the green, white, and gray).

Important Engine Operations
The Method column details each engine operation and are too numerous to completely detail. The most
relevant methods to investigate are as follows and will be the most common methods that show up in the logs
if a Warning or Error log entry is written.

Method Description
Global::OpenApp - Opening an application

Doc::DoReload, Doc::DoReloadEx - Reloading an applicatio

n Doc::DoSave - Saving an application

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

6
GenericObject::GetLayout - Calculating a hypercube (that is, a chart object)

Comments
For best overall representation of the time it takes for an operation to complete, use ProcessTime.

About Error and Warning log level designations: These designations were used because they conveniently fit
into the existing logging and QMC frameworks. A row of telemetry information written out as an error or
warning does not at all mean the engine had a warning or error condition that should require investigation or
remedy unless you are interested in optimizing performance. It is simply a means of reporting on the
thresholds set within the engine Settings.ini file and it provides a means to log relevant information without
generating overly verbose log files.

In addition to the above information, once the logs mentioned above are created, the Telemetry Dashboard
for Qlik Sense can be downloaded and installed to read the log files and analyze the information.

The Telemetry Dashboard provides the ability to capture CPU and RAM usage of individual chart objects,
CPU and RAM usage of reload tasks, and more.

The dashboard can be downloaded at: Telemetry Dashboard for Qlik Sense.

Do the following:

1. Run the installer, the files are installed at C:\Program Files\Qlik\Sense.

2. Once installed, you will see two new tasks, two data connections, and one new app in the QMC.
3. In the QMC, change the ownership of the application to yourself, or the user you want to open the app
with.
4. Open the Tasks section in the QMC, select TelemetryDashboard-1-Generate-Metadata, and click
Start at the bottom. This task will run, and automatically reload the app upon completion.
5. Use the application from the hub to browse the information by sheets.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

7 Troubleshooting - Deployment
There are several things you can do to troubleshoot and resolve problems before logging a case with product
support. The general guidance here is designed to help you to understand the problem and know where to
look for possible errors and potential solutions.

Before you call support:

 Understand the problem (page 283)
 Use the log files (page 284)
 Study the Qlik Sense Help.
 Read the troubleshooting topics in this section.

If you cannot find a solution in the product help, then follow the general guidance in this topic.

7.1 Understand the problem
Understanding the problem may help you to find a solution, and will enable you to provide Qlik support with
the i nformation needed to process your case more effectively. Ensure that you u
nderstand the problem and can describe it as fully as possible before seeking further support:

Questions to ask Answers - that may lead to a better understanding of
the problem

Who experienced the problem? What type of users were affected, and how many?
This can help you to determine if it is a global issue, a
configuration problem, a component problem, or due to
user configuration.

What happened after an action was performed? Pay attention to any symptoms, behavior, and error
messages.
This can help you to identify which component is
causing the error, and which log files to use.

When did the problem first occur? When is it triggered, and what user action or system
action causes it?
For example, is it due to a trigger reload, or if a user
clicks on an object in an app.

Have you experienced this issue before? If yes, how often has the problem occurred?

Where did this issue occur first? Describe where in the system or environment the
problem occurs? Is it on the client side, server backend,
or in a specific application.
For example, does the end user have a direct
connection to the Qlik Sense hub, or are they passing
through a third-party reverse proxy before reaching the
hub?

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

Why do you think it happened? Gather the relevant log files. Compare log files that
include the problem with those that do not. For
example, compare a successful reload with an
unsuccessful reload of the same app. For log file
locations, see the individual product help pages.

7.2 Use the log files
To troubleshoot and resolve issues effectively you need to understand how to use the log files. You also need
to know when to use the default logs, and when to use the archived log files.

When you get an error message, the following steps can help you to identify which component has failed:

1. Read the error message carefully as it can tell you which component has failed.
2. Navigate to the default log files, or the archived logs folder for the failed component.
3. When you have navigated to the correct folder, search for errors in the log file to identify the issue.

Default log files
In Qlik Sense, the log files are by default stored in C:\ProgramData\Qlik\Sense\log. After 12 hours they are
moved to the archived logs folder.

There is one Log folder per machine, and the following sub-folders for each component (engine, repository,
proxy, and scheduler):

 Audit - High level user action logs. For example, open app, reload app, get ticket, and login success.
 System - Service logs including all errors, and system or service operations.
 Trace - Debug diagnostics. For example, user selections, https redirects, method work times, and
session information.

If you are running a multi-node environment, ensure you are connected to the correct node.

Criteria for moving the default logs to the archived logs folder:

 On service restart or crash
 If the file is larger than a predefined size
 If the file is more than 1 2 hours old

Archived log files
The archived logs folder is located in the Qlik Sense file share that you created as part of the Qlik Sense
installation. Use the archived log files if the problem occurred more than 12 hours ago.

To find the archived logs, open the QMC and go to Service Cluster, Cluster Settings, and you can see the
path that you specified during installation.

Unlike the standard logs, the archived log files are stored in a central, shared location, so if you are running a
multi-node environment, you will f ind one sub-folder per node. Like the default log files, the archived log
files also contain Audit, System, and Trace sub-folders for each main component.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -
For more information on the location of the log files for each component, see: Storage (page 244)

In Qlik Sense Sept 2017 and later centralized logging replaces the synchronized persistence logging framework.

7.3 Qlik Sense client or application problems
If you get an error in a Qlik Sense application, the following questions can help you to narrow down the issue:

 Was the application working before the error occurred?
 Is the issue present in the Qlik Sense Desktop client?
 Is the issue specific to a browser, or is it present in all browsers?
 Does this issue affect a specific user, user group, or all users?
 Does this issue occur in one application, or every application?

7.4 Other resources
Once you have gathered all the information you need, use the following links to research other possible
solutions:

 Knowledge base
 Community website
 Log a case with product support.

7.5 Cannot find the repository database superuser
password
Possible cause

In your Qlik Sense installation, you cannot find your repository database superuser password.

Proposed action

You can find the repository database superuser password u sing the Connection String Editor which is

included in the Qlik Sense diagnostic tools.

To open the Connection String Editor:

1. Navigate to C:\Program Files\Qlik\Sense\Repository\Util\QlikSenseUtil and double-click the
QlikSenseUtil.exe file.
2. In the LogOnForm screen, enter the database user and password that you used during the Qlik
Sense installation.
3. In the Diagnostics Tool, click the Connection String Editor tab.
4. In the Connection String Editor click Read to see the encrypted connection string.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

7.6 Cannot access the hub or the QMC after installation
Possible cause

After you have installed Qlik Sense, the services are started automatically, which can take a few minutes.
You cannot access the Hub or the Qlik Management Console u ntil the services have started up correctly.

Proposed action

Check that the services have started and that the appropriate ports are available.

Do the following:

1. In Windows, open the Task Manager and check that all Qlik Sense services have started.
2. Check that the ports needed by Qlik Sense are available.
Plan and deploy Qlik Sense

7.7 Error message "No access path" after upgrade
You have set up an environment which requires proxy settings to connect to the Internet, as described in
Configuring a proxy for Qlik License Service communication in Qlik Sense Enterprise on Windows (page
124). After a version upgrade you get the error message "No access path" when you open the hub.

Possible cause

After the upgrade, the proxy settings in the services.conf file are reset to default values.

Proposed action

Edit the configuration file by adding back the settings they had before the upgrade. Path: C:\

Program Files\Qlik\Sense\ServiceDispatcher\services.conf

This has to be done on every node in the cluster, followed by a restart of the Qlik Sense Service Dispatcher.

7.8 One or more Qlik Sense services did not start after
installation
Possible cause

The Qlik Sense Repository Service (QRS) cannot start if there is no repository database, and if the QRS is
not running, none of the other Qlik Sense services can start.

After installation the services are started automatically, which can take a few minutes. This means there may be a short de

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

Proposed action

Restart the service, check the user account, restart the server, or check the logs.

Do the following:

1. Stop the service and start it again.
You can also try changing the Start Type of the failing service from Automatic to A utomatic
(Delayed Start) in the Task Manager in Windows.

2. Check that the user that runs the Qlik Sense services is member of the Local Administrators group.
If you are using a domain administrator account, check that there is no problem related to the User
Account Control (UAC).

3. Restart the server on which Qlik Sense is running.
4. Check the log files for the service to see if there is any information regarding why the service has not
started.
The log files are available in the %ProgramData%\Qlik\Sense\Log\<Service> folder.

Set the ServicesPipeTimeout setting in the Registry Editor in Windows to 120000 milliseconds (that
is, two minutes). This is needed to give the Qlik Sense Repository Service (QRS) enough time to
start.

≤ Microsoft Knowledge Base: 884495

Serious problems might occur if you modify the registry incorrectly by using the Registry Editor or by using another m

5. If the steps in this topic do not solve the problem, u ninstall and reinstall Qlik Sense.

7.9 Anti-virus software scanning affects performance
Possible cause

Anti-virus software scanning can have an effect on the performance of Qlik Sense.

Proposed action

Configure the anti-virus software scanning so that it does not interfere with Qlik Sense. Make sure that
regular scans and live/real-time scans are turned off for the following locations:

 %ProgramData%\Qlik
 All executables under %ProgramFiles%\Qlik\Sense
 All executables under %ProgramFiles%\Common Files\Qlik\Custom Data
 The file share location

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

 Any additional folder path configured for storing QVF files, except for the Service cluster Apps folder (Share\
Apps) which should be included in scans as it could contain user uploads.

7.10 Exit codes
Exit codes can be particularly useful when using the silent mode operations. The e xit code can be viewed in
the command prompt window by using the following command:

Echo %errorlevel%

The following table contains a complete list of the exit codes.

Code Description

0 Success

-1 General fatal error

-2 Command line parsing error

-3 Not implemented error

-4 Downgrade

-5 Malformed bundle XML

-6 Install condition not met

-7 Unknown upgrade scenario

-8 Pending reboot must be applied first

-9 Patch run with no baseline installed

-10 Disallowed setup process running

-11 Unsupported minor upgrade error

-12 Invalid policy

-13 User validation failed

-14 Database superuser password validation error

-15 Not supported error

-16 Host name from certificate retrieval error

-17 Inconsistent upgrade

-18 General silent workflow error

-19 OS bitness not supported

-20 OS too old

-21 OS type not supported

-22 Patch is superseded

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

-23 General MSI Error

-24 Disabled services exist

-1335 CAB is corrupt

-1601 Disk space

-1602 User exit

-1923 Cannot install service

-7777 Unknown dark process exception

7.11 Rim node loses connection to the central node
Possible cause

The Windows setting "System cryptography: Force strong key protection for user keys stored on the
computer" is enabled. This setting is not supported by Qlik Sense.

Proposed action

Disable "System cryptography: Force strong key protection for user keys stored on the computer".

7.12 Repository cannot connect to database after
installation
The installation was successful, but when the repository service is started it fails to connect to the database.

Possible cause

You used a database username and/or password that contains characters from mixed character sets.

Proposed action

1. Uninstall Qlik Sense and select Remove Qlik Sense certificates and data folders at the end of
the installation.
2. Reinstall using a database username and password with characters from the same character set.

7.13 Unable to upgrade, reinstall or add a rim node due to
password validation failure
Possible cause

When you install Qlik Sense with the setup program and choose to install a local database, you also create a
database user (qliksenserepository) and a password. If you previously installed Qlik Sense with synchronized
persistence then the database user will have a randomly generated password.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -
When you upgrade, reinstall, o
r add a rim node to your installation you to need to use this password again. If
you did not create a super user password when you installed PostgreSQL or cannot remember the database
user password, then y ou cannot continue to upgrade, reinstall, o r add a rim node unless you change this
password.

Proposed action

Use the command prompt to change the PostgreSQL database user password.

Do the following:

Change the client authentication settings to trust so you can change the password.

To do this:

1. In Services, stop the Qlik Sense Repository Database service, if it is running.
2. In PostgreSQL, change the authentication mode in the configuration settings to allow the password to
be changed. To do this, navigate to ProgramData\Qlik\Sense\Repository\PostgreSQL\<database
version> and open the pg_hba.conf file in a text editor.
3. Change the PostgreSQL client authentication method from md5 to trust.

The client authentication settings are case sensitive.

4. Save your changes.
5. Start the Qlik Sense Repository Database service.

To change the password open a command prompt and do the following:

1. Enter the following commands:
a. To navigate to your repository database installation:
cd C:\Program Files\Qlik\Sense\Repository\PostgreSQL\9.6\bin

b. To connect to the database:
psql.exe -h 127.0.0.1 -p 4432 -U postgres

c. To set your new user password:
ALTER USER qliksenserepository WITH PASSWORD '<newpassword>';

This is either qliksenserepository or the user you set manually during the first installation of
PostgreSQL.
ALTER ROLE is displayed after successfully changing the password.

2. Stop the Qlik Sense Repository Database service.
3. Revert the pg_hba.conf authentication mode method back to md5.
4. Start the Qlik Sense Repository Database service.

Update the connection string for the Qlik Sense Repository Database using the Connection String Editor
which is included in the Qlik Sense diagnostic tools.
To do this:

1. In your Qlik Sense installation, to open the Connection String Editor, navigate to C:\Program

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

Files\Qlik\Sense\Repository\Util\QlikSenseUtil and double-click the QlikSenseUtil.exe file.
2. In the LogOnForm screen, enter the database user and password that you used during the Qlik
Sense installation.
3. In the Diagnostics Tool, click the Connection String Editor tab.
4. In the Connection String Editor, click Read to see the encrypted connection string.
5. Update the connection string credentials w ith name="QSR" with your new repository database password.
6. Click Save value above in config file encrypted to save your changes.
7. Start the Qlik Sense Repository Database service.

You can now continue to upgrade, reinstall, o r add a rim node to your Qlik Sense installation.

7.14 Unable to upgrade Qlik Sense, missing database
Possible cause

During upgrade, Secure Sockets Layer (SSL) encryption is enabled, and then the installer does not recognize
any already installed PostgreSQL databases. Databases for SenseServices, QSMQ, and Licenses are
reported missing.

Proposed action

During upgrade, temporarily disable SSL, see Database security (page 213).

7.15 The database is unavailable, how do I find the Qlik
logging service files
Possible cause

The database is temporarily unavailable.

Proposed action

1. Check that all the Qlik Sense services are running. If the Qlik Sense Repository Database service has
stopped, then try to restart it.
2. Check the log files for possible errors. The repository logs will indicate if there are any start-up
problems. In Qlik Sense, navigate to C:\ProgramData\Qlik\Sense\Log to view the log files.

7.16 Troubleshooting - database not configured for
IP address or range
If you find the following error message in the installation logs: "psql: FATAL: no pg_hba.conf entry for host
[ipv4 or ipv6]", it means the database needs to be configured.

Possible cause

The database is not configured to allow connection from that IP address or range.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

Proposed action

Add an IP address or range in the Shared Persistence configuration file, see Shared persistence
configuration file syntax (page 132), or in the installation UI, see step 9 in Installing Qlik Sense (page 99)

7.17 Troubleshooting app distribution in multi-cloud
There is more than one possible cause when app distribution fails in a multi-cloud environment. You could
encounter problems on the QSEoW side (with custom properties), at the IdP (with names and groups), during
the actual distribution, and after distribution (with apps not being displayed).

Publishing is a little slow
Possible cause

You have published an app, and when checking the collection, the app is not present.

Proposed action

Allow some time to pass before troubleshooting why an app does not appear in a collection, publishing is not
instantaneous.

Custom properties not in lowercase
You have created distribution policies and published an app to a multi-cloud collection. The app does not
show up and no error message is displayed.

Possible cause

The custom properties you use in distribution policies are not in lowercase.

Proposed action

Use only lowercase letters for custom properties in distribution policies.

A temporary error occurred
Possible cause

A temporary error occurred.

Proposed action

Restart the Qlik Sense Service Dispatcher.

Do the following:

1. In Windows, open Services.
2. Scroll down and right-click the Qlik Sense Service Dispatcher. Select Restart.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

An unknown error occurred
Possible cause

An error occurred and you do not know why.

Proposed action

Investigate the log files for multi-cloud services, for example, the App Distribution Service and Hybrid
Deployment Service.

7.18 The logging database has grown too big
Possible cause

The size of the logging database can grow so much that it needs to be reduced in size.

Proposed action

Choose one of the following alternatives to reduce the size of the l ogging database:

 Decrease the archive and the purge time frame. Run the following command:
Qlik.Logging.Service.exe update --archive_age 15 --purge_age 30.

 Set the maximum database size. Run the following command:
Qlik.Logging.Service.exe update --maximum_db_size_in_gb n.
Where n is a positive integer.

If n is a value less than two (2), the enforcement functionality is disabled. If n is equal to or greater than two (2), the

 Manually purge the database.
 Turn off database logging. Run the following command:
Qlik.Logging.Service.exe update --database_logging off.

7.19 Cannot read or write to the logging database
You have installed Qlik Sense successfully, but you cannot connect to the logging database.

Possible cause

You used a password that contains characters from mixed character sets. The log writer and log reader
password cannot handle all mixed characters.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

Proposed action

1. Uninstall Qlik Sense and select Remove Qlik Sense certificates and data folders at the end of
the installation.
2. Reinstall using a password with characters from the same character set .

7.20
How can I debug if there are log entries missing in the
database?
Possible cause

Some log messages are missing in the database.

Proposed action

Turn on error logging in the QlikCentralizedLogging.config file to enable all log file messages to be collected.

Do the following:

1. Go to C:\ProgramData\Qlik\Sense\Log\QlikCentralizedLogging.config.
2. Change the value of the following line to "True":
<"DllErrorLoggingEnabled" value="False" />

3. Restart the Qlik Logging Service.
4. Go to C:\ProgramData\Qlik\Sense\Log.
5. Open the file named <hostname>.Qlik.Sense.Logging.DLL.Errors.
6. Monitor this file for errors generated due to Qlik Logging Service issues.

7.21 How can I manage storage to fit our needs and the
needs of the operational IT department?
Possible cause

Storage of log data has become a concern.

Proposed action

There is more than one possible solution to this problem.

Do the following:

a. Make use of the archive and purge functionality by adjusting the rate at which both events occur
against the logging database only. File logging does not provide file management controls.
1. Open a command prompt with administrator privileges.
2. Go to C:\Program Files\Qlik\Sense\Logging.
3. Run Qlik.Logging.Service.exe update --archive_age X (where X is the number of days).

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 2

7 Troubleshooting -

4. Run Qlik.Logging.Service.exe update --purge_age X (where X is the number of days).

5. Restart the Qlik Logging Service.
b. Set a maximum database size so that the Qlik Logging Service can automatically trim older rows out
of the database to maintain overhead.
1. Open a command prompt with administrator privileges.
2. Go to C:\Program Files\Qlik\Sense\Logging.
3. Run Qlik.Logging.Service.exe update --maximum_db_size_in_gb X (where X is the size in GB).
4. Restart the Qlik Logging Service.

7.22 Qlik logging service database urgently needs to be
reduced in size
Possible cause

The database admin has identified an immediate need to clear space.

Proposed action

The database admin can use the manual purge option offered through the Qlik Logging Service.

Do the following:

1. Open a command prompt with administrator privileges.
2. Go to C:\Program Files\Qlik\Sense\Logging.
3. Run Qlik.Logging.Service.exe archive --cutoff X --hours (where X is the number of hours).
4. Run Qlik.Logging.Service.exe purge --cutoff X --hours (where X is the number of hours).
5. If presented with a message stating the system is too busy, retry the command.
6. If the second try generates the same message, try again at a less busy time on the server.
7. Restart the Qlik Logging Service.

7.23 Logging issues when trying clean up the database
Possible cause

The size of the Qlogs database has grown too large and the database admin is having resource issues when
trying to clean up the database.

Proposed action

Shut off database logging to clean up the storage problem.

This solution should only be used as a last resort. All purges are permanent.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -

1. In Windows, open Services.
2. Stop the following services:
 Qlik Sense Engine Service
 Qlik Sense Proxy Service
 Qlik Sense Scheduler Service
 Qlik Sense Repository Service
3. Open a command prompt with administrator privileges.
4. Go to C:\Program Files\Qlik\Sense\Logging.
5. Run Qlik.Logging.Service.exe archive --cutoff_in_hours X (where X is the number of hours).
6. Run Qlik.Logging.Service.exe purge --cutoff_in_hours X (where X is the number of hours).
7. Restart the Qlik Logging Service.
8. Verify the reclaimed data storage.
9. Start all stopped Qlik Sense services, beginning with the Qlik Sense Repository Service.

7.24 Upgrade fails with message "Qlik Sense Superuser
password validation failure"
When upgrading Qlik Sense 3.2 or earlier to June 2017 or later, the installation fails and you get the following
error message: "Qlik Sense Superuser password validation failure". Despite using the correct password, you
get the same error every time you attempt the upgrade.

Possible cause

The upgrade failed because you entered an incorrect superuser or repository password during the first
upgrade attempt.

Although you inserted an incorrect password, you were still able to create the PostgreSQL 9.6 version of the
database, and the wrong password was registered in the settings. Therefore, later upgrade attempts will fail
because the passwords in PostgreSQL 9.6 no longer match.

Proposed action

Delete the c:\ProgramData\Qlik\Sense\Repository\PostgreSQL\9.6 folder and try running the upgrade
procedure again. Make sure you enter the correct password.

7.25 Failed to remove soft deleted records
When upgrading Qlik Sense to November 2017 or later, the installation fails and you get the following error
message: "Failed to remove soft deleted records. An exception was thrown while invoking the constructor
'Void .ctor()' on type 'DatabaseContext'".

Possible cause

The database contains soft deleted records that generate an error when upgrading to a version of Qlik Sense
without soft deletes, that is, November 2017 or later.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -

Proposed action

Run a script to delete the soft deleted records.

VERY IMPORTANT! Back up the whole QRS database before executing the script. If an error occurs, restore the backup, fi

Do the following:

1. Stop all the services, except the Qlik Sense Repository Database.
2. Save the script below to a file as recurse_cleanup.sql.
3. Move the file recurse_cleanup.sql to
%ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin.
4. Open a command prompt with elevated privileges.
5. Navigate to %ProgramFiles%\Qlik\Sense\Repository\PostgreSQL\<database version>\bin, for
example: cd C:\"Program Files"\Qlik\Sense\Repository\PostgreSQL\9.6\bin.

If you installed PostgreSQL manually, the location where to place and run the script from will be: %ProgramFiles%\P

6. Run .\psql.exe -h localhost -d QSR -U postgres -p 4432 -a -f recurse_cleanup.sql

7. If prompted, enter database superuser password.
8. Restart Qlik Sense Service Dispatcher, then start the Qlik Sense Repository Service in the given
order.

When running the script on a non-English OS, you may encounter errors during the script execution. The errors can be ca

Script for deleting soft deleted records in the Qlik Sense Repository Database
/*
####################################################################################################
##########################
Script Name: Recurse cleanup
Description: the script is intended to delete all entities marked as soft deleted in the QRS
database
Caution: BACKUP the whole QRS database before executing the script!

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -
####################################################################################################
##########################
*/

/* Step 1. Update records according to QRS special logics

####################################################################################################
##########################
*/
-- Step 1.1 Update Owner to sa_repository if Owner is deleted

-- Step 1.1.1 Get all Qlik Sense Tables

CREATE OR REPLACE FUNCTION get_all_sense_tables() RETURNS SETOF information_schema.tables AS
$BODY$
BEGIN
RETURN QUERY SELECT *
FROM information_schema.tables
WHERE table_schema='public'
AND table_type='BASE TABLE'
AND table_catalog='QSR'
AND table_name <> ' MigrationHistory';
RETURN;
END
$BODY$
LANGUAGE plpgsql;

-- Step 1.1.2 Filter Qlik Sense Tables with name of column

CREATE OR REPLACE FUNCTION get_tables(columnname varchar)
RETURNS SETOF information_schema.columns AS $$
BEGIN
RETURN QUERY SELECT DISTINCT * FROM information_schema.columns as isc WHERE isc.column_name =
columnname And isc.table_name IN (SELECT ts.table_name FROM get_all_sense_tables() as ts);
RETURN;
END
$$
LANGUAGE plpgsql;

-- Step 1.1.3 Change ownership of soft deleted users to sa_repository

CREATE OR REPLACE FUNCTION fix_orphan_owners() RETURNS void AS
$BODY$
DECLARE username character varying;
DECLARE
tables CURSOR FOR
SELECT * FROM get_tables('Owner_ID');

BEGIN
SELECT E'\'sa_repository\'' INTO
username; FOR table_record IN tables
LOOP
EXECUTE 'UPDATE "' || table_record.table_name || '" SET "Owner_ID" = (SELECT "ID" FROM "Users"
WHERE "UserId" = ' || username || ') WHERE "Owner_ID" IN (SELECT "ID" FROM "Users" WHERE "Deleted" =
true)';
END LOOP;
END
$BODY$
LANGUAGE 'plpgsql';

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -
SELECT * FROM fix_orphan_owners();

-- Step 1.1.4 Remove created DB functions for fixing ownership relations

DROP FUNCTION fix_orphan_owners();
DROP FUNCTION get_tables(columnname varchar);
DROP FUNCTION get_all_sense_tables();

-- Step 1.2 Unpublish App if Steam is

deleted UPDATE "Apps"
SET "Stream_ID" = null, "Published" = false
WHERE "Stream_ID" IN (SELECT "ID" FROM "Streams" where "Deleted" = true);

UPDATE "AppObjects"
SET "Approved" = false, "Published" = false
WHERE "App_ID" IN (SELECT "ID" FROM "Apps" where "Published" = false);

/* Step 2. Prepare for deletion: Alter foreign keys to Casacade Delete

####################################################################################################
##########################
*/

CREATE TABLE temp_foreign_key (

constraint_name VARCHAR,
table_name VARCHAR,
column_name VARCHAR,
ref_table_name VARCHAR,
ref_column_name VARCHAR
);

INSERT INTO temp_foreign_key (constraint_name, table_name, column_name, ref_table_name,

ref_column_ name)
SELECT fk.constraint_name, child.table_name, child.column_name, parent.table_name, parent.column_
name
FROM information_schema.referential_constraints fk
JOIN information_schema.key_column_usage AS child ON fk.constraint_name = child.constraint_
name
JOIN information_schema.key_column_usage AS parent ON fk.unique_constraint_name =
parent.constraint_name
WHERE fk.constraint_schema = 'public'
AND child.position_in_unique_constraint = parent.ordinal_position
AND fk.delete_rule = 'NO ACTION';

-- Step 2.2 Create a function the replace foreign keys with new on DELETE option
CREATE OR REPLACE FUNCTION replace_foreign_key (new_option VARCHAR) RETURNS void AS
$BODY$
DECLARE
fks CURSOR FOR
SELECT * FROM temp_foreign_key;
BEGIN
FOR rec IN fks LOOP
EXECUTE 'alter table "' || rec.table_name || '" '
|| 'drop constraint "' || rec.constraint_name || '" ,'
|| 'add constraint "' || rec.constraint_name || '" FOREIGN KEY ("' || rec.column_name || '")
REFERENCES "' || rec.ref_table_name || '" ("' || rec.ref_column_name || '") ' || new_option || ';' ;
END LOOP;

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -
END;
$BODY$
LANGUAGE plpgsql;

-- Step 2.3 execute the function to replace all foreign keys with CASCADE on Delete
SELECT *
FROM replace_foreign_key('on delete cascade');

/* Step 3. Delete entities marked as Soft Deleted

####################################################################################################
##########################
*/
-- 3.1 Create a function to delete all SoftDeleted records
CREATE OR REPLACE FUNCTION delete_softdeleted_records(keep_for_days int) RETURNS void AS
$BODY$
DECLARE
entity_tables CURSOR
FOR SELECT
table_name
FROM information_schema.columns
WHERE table_schema='public'
AND column_name='Deleted';
BEGIN
FOR tbl IN entity_tables LOOP
EXECUTE 'delete from "' || tbl.table_name || '" where "Deleted" = true and "ModifiedDate"
<= CURRENT_DATE - ' || keep_for_days || ';';
END LOOP;
END;
$BODY$
LANGUAGE plpgsql;

-- Step 3.2 execute the function to delete entities

SELECT *
FROM delete_softdeleted_records(3);

/* Step 4. Resume foreign keys to No Action on Delete

####################################################################################################
##########################
*/
SELECT *
FROM replace_foreign_key('');

/* Step 5. Drop temp objects

####################################################################################################
##########################
*/
DROP FUNCTION delete_softdeleted_records(keep_for_days int);
DROP FUNCTION replace_foreign_key(new_option varchar);
DROP TABLE temp_foreign_key;

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -

7.26 Issues with Qlik Sense Enterprise when not
connected to the internet
Internet access is not a requirement when working with Qlik Sense Enterprise, but the following issues can
occur when a Qlik Sense Enterprise server cannot connect to the internet:

 Apps are not opened, or open very slowly.
 Data reloads run infinitely.

Possible cause

No internet connection.

Proposed action

 Connect to the internet whenever possible to avoid potential issues.
 Disable Qlik DataMarket.
 Remove the Qlik DataMarket and Qlik ODBC Connector Package folders.

7.27 The Qlik Sense Mobile app encounters a network
error and must close
Possible cause

If your Qlik Sense Mobile app was deployed using the VMware Tunnel for per-app VPN security, and the per-
app VPN is later disabled in the iOS Settings, the following error will appear the next time the Qlik Sense
Mobile app is launched:

The Qlik Sense Mobile app has encountered a network error and must stop. Restart the mobile
app.

Proposed action

Ensure that the VMware Tunnel is enabled on your device

. Do the following:

1. On your iOS device, go to Settings > VPN > VMware Tunnel > Connect On Demand and toggle
it on.

7.28 The Qlik Sense URL does not open within BlackBerry
Access browser
The following error might appear when you try and open a qliksenselink:// URL from the BlackBerry Access
browser or the BlackBerry Work mail client: This URL scheme is not supported.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

7 Troubleshooting -

Proposed action

Enable 3rd party applications in BlackBerry Access and enter the URL scheme for the Qlik Sense application

. Do the following:

1. In the BlackBerry UEM Console, navigate to Apps > BlackBerry Access > App Configuration,
select the applicable app configuration, and then select the General tab.
2. Make sure Enable 3rd Party Applications is selected and add qliksenselink into the URL scheme
entry field.
If you will share URLs to open Qlik content explicitly using BlackBerry Access instead of the using the
default browser, also add access into the URL scheme entry field.
3. Scroll down to the bottom and type the current date and time in YYMMDDhhmm format in the entry
field to force policy update to the device.
4. Click Save.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

8 Deploying Qlik Sense Mobile
The Qlik Sense Mobile app allows you to securely connect to your Qlik Sense Enterprise deployment from a
supported mobile device. The Qlik Sense Mobile app can be deployed and managed using Enterprise Mobile
Management (EMM) software.

For more information about deploying and managing Qlik Sense Mobile, see Installing Qlik Sense Mobile
(page 305).

8.1 The Qlik Sense Mobile app
The Qlik Sense Mobile app can be installed on supported devices running compatible versions of iOS or
Android OS, and connected to a Qlik Sense Enterprise deployment.

For a detailed list of devices, OS versions, and Qlik Sense versions supported, see System requirements for
Qlik Sense Enterprise (page 19)

The Qlik Sense Mobile app connects to a Qlik Sense Enterprise hub. W hen connected, you can view and
consume Qlik Sense apps and mashups available on the Qlik Sense Enterprise installation. Qlik Sense
Mobile supports offline access to Qlik Sense apps. You can download the Qlik Sense apps for use offline
when no internet connection is available. The Qlik Sense administrator controls which apps are available to
download for offline use, using the QMC.

Developing Qlik Sense apps offline using the Qlik Sense Mobile app is not currently supported.

When you log into the Qlik Sense Mobile app for the first time, you must authenticate your credentials
against the Qlik Sense Enterprise server. For more information, see Connecting to Qlik Sense from the Qlik
Sense Mobile app (page 323). Once you have authenticated your credentials and logged in to the app, you
may choose to have the Qlik Sense Mobile app remember your credentials. To protect your data, ensure that
the d
evice is protected by a password and locked when not in use. For more information, see Qlik Sense
Mobile security (page 304).

To connect to a Qlik Sense Enterprise deployment from Qlik Sense Mobile, users must be allocated the appropriate acc

8.2 Enterprise Mobile Management (EMM) and Qlik
Sense Mobile
Using a supported EMM, you can remotely deploy and manage the Qlik Sense Mobile app on all of your
organization's supported mobile devices. Using an EMM console you can:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

 Distribute the Qlik Sense Mobile app to mobile devices.
 Configure the Qlik Sense hub list in the Qlik Sense Mobile app.
 Configure the certificate validation policy.
For more information about configuring the certificate validation policy, see Configuring the certificate
validation policy for the Qlik Sense Mobile app (page 305).

For more information about deploying and managing Qlik Sense Mobile with AirWatch, see Deploying the
Qlik Sense Mobile app using AirWatch (page 306).

8.3 Qlik Sense Mobile security
Qlik Sense Mobile connects to a Qlik Sense Enterprise hub. When you are connected, you ca
n
view Qlik Sense apps and mashups, and download Qlik Sense apps using the Qlik Sense
Mobile app.

Authentication
When you log into the Qlik Sense Mobile app for the first time, you must authenticate your credentials
against the Qlik Sense Enterprise server. Once you have authenticated your credentials, and logged in to the
Qlik Sense Mobile app, you may choose to have the Qlik Sense Mobile app remember your credentials. To
protect your data, ensure that the device is protected by a password and locked when not in use. This can be
configured through your Enterprise Mobile Management (EMM) console.

To connect to a Qlik Sense Enterprise deployment from Qlik Sense Mobile, users must be allocated the appropriate acc

The Qlik Sense Mobile app can be used offline for up to 10 days (240 hours). This time period starts when the
Qlik Sense Mobile app is first launched f ollowing the last log in to the Qlik Sense Enterprise server. When the
10 day period expires, you must to log back into the Qlik Sense Enterprise server to continue using the Qlik
Sense Mobile app.

Section access in the data load script can also be used for security. A single file can be used to hold the data
for a number of users or user groups. Qlik Sense then uses the information in the section access for
authentication and authorization on the Qlik Sense Enterprise server, and dynamically reduces the data, so
that users only see their own data. The security is built into the file itself, which means downloaded files are
also protected.

Certificates
When Qlik Sense is deployed over SSL, the Qlik Sense Mobile app obtains a certificate from the Qlik Sense
server and verifies that it is valid. T
his allows the Qlik Sense Mobile app to trust that the server it is talking to
is a legitimate Qlik Sense server. The Qlik Sense Mobile app will always reject the certificate if it is not valid.
Every Qlik Sense hub that you add to the hub list must therefore have a valid certificate.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense
To ensure that a certificate is valid, you need to check that the certificate:

 Is signed by a c ertificate authority, such as VeriSign, or s igned by a certificate authority that has been

added to the l ist of trusted certificate authority for the device (either manually added to the device or
pushed to the device from an EMM console).
 Is not expired.
 Has a common name or a name that matches the domain name of the Qlik Sense hub.

Configuring the certificate validation policy for the Qlik Sense Mobile
app
The certificate validation policy applies when Qlik Sense is deployed over SSL, and the Qlik Sense Mobil
e
app encounters invalid certificates from a Qlik Sense server that has been added to the hub list by the device
user.

You can configure the certificate settings from your EMM console.

Do the following:

1. Make sure the Qlik Sense Mobile app has been installed on the device.
2. If the Qlik Sense server has a certificate that is not signed by a trusted certificate authority, make sure
that the certificate that was used to sign the server certificate is added to the l ist of trusted certificate
authorities for the device either manually or using your EMM.
a. Configure the certificate from your EMM console.
If your EMM console does not have this functionality, you can use this software to make the
edits and then upload the changes to your EMM console:
The available settings are:
 Ask user
 Always allow
 Always reject
b. Push the changes to the device.

8.4 Installing Qlik Sense Mobile
The Qlik Sense Mobile app can be downloaded and installed directly from the Apple App Store or Google
Play Store. The Qlik Sense Mobile app includes a Qlik Sense demo server that is hosted by Qlik, and allows
you to view and download apps. You can connect to the Qlik Sense demo server without Qlik Sense
Enterprise account credentials. To connect the Qlik Sense Mobile app to your Qlik Sense Enterprise
deployment, your Qlik Sense administrator must configure the connection and deploy to users.

Qlik Sense Mobile can be deployed and managed using either Enterprise Mobile Management (EMM)
software, or Apple Developer Enterprise Program tools.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

To deploy using Apple Developer Enterprise Program tools, you must be a member of the Apple Developer Enterprise Pro

Using a supported EMM, you can remotely deploy and manage the Qlik Sense Mobile app on all of your
organization's mobile devices. From an EMM console you can:

 Distribute the Qlik Sense Mobile app to mobile devices.
 Configure the Qlik Sense hub list.
 Configure the certificate validation policy.
For more information about configuring the certificate validation policy, see Configuring the certificate
validation policy for the Qlik Sense Mobile app (page 305).

Qlik Sense Mobile and VPP
Qlik Sense Mobile can be deployed using the Apple Volume Purchase Program (VPP).

The Apple Volume Purchase Program (VPP) is a service that allows registered organizations t o purchase
iOS apps in bulk. After making a bulk purchase, the organization receives redemption codes for each app
bought. Those app codes can then be distributed to individual users, who use the codes to download public
apps from the Apple App Store. Codes can be distributed to users through email, a web portal, or Enterprise
Mobile Management (EMM) software. Instead of pushing software and profiles out to devices, organizations
can push licenses to devices while downloading apps directly from the Apple App Store.

Volume-purchased software and licenses can be distributed to users in the following ways:

 Email redemption URLs directly to users, which allows them to download and install the app.
 Post redemption URLs on an enterprise-hosted web page that is accessible only to authorized users.
 Use the Apple Configurator utility to push redemption codes to local connected devices.

Note that this method is only recommended for small work groups.

 Push redemption codes to remotely managed devices using EMM software to push redemption codes
to remotely managed devices.

The Apple Volume Purchase Program allows businesses and schools to retain ownership of purchased apps,
so apps can be reclaimed and redistributed as needed.

Deploying the Qlik Sense Mobile app using AirWatch
The Qlik Sense Mobile app can be deployed using AirWatch. To deploy using AirWatch, add the app to your
AirWatch Catalog. Once the app is added to your AirWatch Catalog, you can choose to either push the app
directly to your users' devices, or allow them to install the app manually.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense
To deploy the app using AirWatch:

1. Open your A irWatch Management Console.

2. Go to Apps & Books > Applications > List View > Public and select Add Application.
3. Select the Platform.
4. Select E nter URL and enter the URL to download the Qlik Sense Mobile app.
5. Click Next.
6. Configure options on the Details tab.
7. Assign the application to smart groups on the Assignment tab.
8. Configure the App Delivery Method:
 On Demand - Deploys the app to a catalog and lets the user decide if and when to install it.
 Automatic - Deploys the app to a catalog on a device upon enrollment. After the device enrolls,
the user is prompted to install.
9. Select Send Application Configuration if you want to populate the Qlik Sense Mobile app with links
to your Qlik Sense hub.
10. Assign a Required Terms of Use for the application on the Terms of Use tab.
11. Select Save & Publish to view the device assignment page that lists the assigned devices.
12. Select Publish to deploy the application.

For details about how users download and install the app manually using AirWatch, see Connecting to Qlik
Sense using AirWatch (page 309).

Qlik Sense Mobile and per-app VPN support
The Qlik Sense Mobile app supports per-app VPN tunneling when deployed using AirWatch.

Per-app VPN functionality, provides endpoint security by limiting connections at the application level, instead
of at a device level. The VMware Tunnel restricts app access to white-listed domains, and specific databases
that white-listed domains can access.

The following are the current minimum requirements for AirWatch support:

 AirWatch Agent v ersion 5.5.1
 VMware Tunnel version 2.0.4

To enable per-app VPN tunneling support for Qlik Sense Mobile in AirWatch you will need to customize your
VMware Tunnel configuration. For more information, see Configuring AirWatch for per-app VPN (page
307).

Configuring AirWatch for per-app VPN
The Qlik Sense Mobile app supports per-app VPN tunneling when deployed using AirWatch. To enable
per- app VPN tunneling, you must add network traffic rules so that app-
internal TCP traffic within Qlik Sense Mobile bypasses the VMware Tunnel and remains on the device.

Add VMware Tunnel rules
Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

1. Open your A irWatch Management Console.

2. From the Settings menu, g
o to System > Enterprise Integration > VMware Tunnel > Network Traffic Rules.
3. On the Device Traffic Rules tab, add the following rules:
Rank Application Action Destination Hostname

1 Qlik Sense Mobile-iOS Bypass 127.0.0.1

2 Qlik Sense Mobile-iOS Tunnel *

Once you have configured A irWatch for per-
app VPN support of the Qlik Sense Mobile app, you can proceed
with your deployment. For more information, see Deploying the Qlik Sense Mobile app using AirWatch
(page 306).

Configuring the Qlik Sense Mobile app hub list using AirWatch
When you deploy the Qlik Sense Mobile app using AirWatch, you can choose to push the link to the Qlik
Sense Enterprise hub directly to your users using AirWatch.

Do the following:

1. Open your A irWatch Management Console.

2. Go to Apps & Books > Applications.
3. Select the Qlik Sense Mobile app.
4. Click Assign.
5. Select the radio button for the group that you want to deploy the application configuration file to a
nd click Edit.
6. On the Add Assignment page, expand the ADVANCED section, then expand the APPLICATION
CONFIGURATION section.
7. In the Configuration Key field, enter mdm.
8. Ensure that the Value Type is set to String.
9. In the Configuration Value field, enter name and URL for each Qlik Sense Enterprise hub in the
following format:
{ "Accounts" : [ {"name":"Account 1","url":"http://www.ahub.com"},
{"name":"Account 2","url":"http://www.asecondhub.com"} ] }
10. Click Add.
11. Click Save & Publish.
12. Click Publish.
13. Go to the More menu and select Send Application Configuration.

The Qlik Sense Enterprise hubs that you added will appear in the your users' Qlik Sense Mobile app list under
Select an account the next time that they open the app.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Connecting to Qlik Sense using AirWatch
To connect to Qlik Sense from a mobile device using AirWatch per-app VPN, you must:

 Download the AirWatch Agent app
 Register the device
 Install a supported app or browser

To connect to Qlik Sense using AirWatch on iOS:

1. Download the AirWatch Agent app.
2. Open AirWatch Agent and enroll using one of the available options:
 Email address
 Server details
 QR code
3. On the Authenticate screen, enter your user name and password and select Next.
4. On the Secure screen, select Redirect & Enable to enable management of your device by installing
the Device Manager configuration profile. You are redirected and asked for permission to open
Settings. Select Allow.
5. In Settings, select Install to install the Device Manager configuration profile, and then select Trust to
confirm that you allow your device to be enrolled into remote management.
6. Once the installation of t he Device Manager configuration profile is complete, select Done. You will
be redirected to AirWatch Agent where a Configure screen confirms that the authentication
procedure is complete. Select Done.

If a pop-up appears asking to install VMware Tunnel, select Install to allow the installation of the VMware Tunnel a

7. In AirWatch Agent you can now manage your enrolled devices in the My Device portal.

You may be asked to create a device passcode to access AirWatch Agent. The passcode will be required every time

8. Close AirWatch Agent.
9. If you haven't installed VMware Tunnel already, open A
irWatch Catalog, which has now been added to y our device, and install it.
10. Open VMware Tunnel app and select Continue to enable it.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

11. Open AirWatch Catalog and install the Qlik Sense Mobile app or one of the supported browsers.
For a list of mobile browsers that support the connection to Qlik Sense Enterprise through AirWatch
per-app VPN, see System requirements for Qlik Sense.

The Qlik Sense Mobile app allows you to download Qlik Sense apps for offline use.

Your AirWatch Agent administrator may have already populated the hub list with your Qlik Sense server connectio

12. To connect to Qlik Sense for the first time using the Qlik Sense Mobile app, see Connecting to Qlik
Sense from the Qlik Sense Mobile app (page 323).

To connect to Qlik Sense using AirWatch on Android, follow the instruction for your specific device found
here: AirWatch Agent for Android.

Deploying the Qlik Sense Mobile app using MobileIron
You can deploy the Qlik Sense Mobile app using MobileIron Cloud or MobileIron Core by adding the app to
your MobileIron App Catalog. Once you have added the app to your MobileIron App Catalog, you can choose
to either push the app directly to your users' devices, or allow them to install the app manually. You can also
configure the Qlik Sense Hub URLs that the user sees.

MobileIron Cloud
Follow the steps below to deploy the Qlik Sense Mobile app using MobileIron Cloud.

Do the following:

1. Open your MobileIron Management Console.
2. Go to Apps > App Catalog and click Add.
3. Select the Platform then select Search App Store and type Qlik Sense Mobile.
4. Select Qlik Sense Mobile from the apps that match this search term, then click Next.
5. Adjust the Category, then click Next.
6. Choose whether to Delegate this app to all spaces, then click Next.
7. Choose one of the Distribution Options, then click Next.
8. Do the following in App Configurations:
a. Configure the Install on device:
 Off: the user decides if and when to install it from the App Catalog
 On: after the device enrolls, the user is prompted to install immediately.
Enable Convert to Managed App, then click Next.
b. Configure the iOS App Settings that control whether to prevent backups, and remove apps on
un-enrollment of the device, then click Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

c. Select iOS Managed App Configuration if you want to populate the Qlik Sense Mobile app
with links to your Qlik Sense hub.
d. Configure the Per App VPN if you want to enable connectivity to any Qlik Sense hub via
MobileIron Tunnel, then click Next.
9. Click Done.

MobileIron Core
Follow the steps below to deploy the Qlik Sense Mobile app using MobileIron Cloud.

Do the following:

1. Open your MobileIron Management Console.
2. Go to Apps > App Catalog and click Add.
3. Select the Platform then select Application name, then type Qlik Sense Mobile and click Search.
4. Select Qlik Sense Mobile from the apps that match this search term, then click Next.
5. Adjust the Category, then click Next.
6. Choose whether to hide or feature this app in the Apps@Work catalog, and conversion of app from
unmanaged to managed, then click Next.
7. Do the following in the App Configurations section:
 Configure the Per App VPN if you want to enable connectivity to any Qlik Sense hub via
MobileIron Tunnel, then click Next.
 Configure the Managed App Settings that control whether to prevent backups, and remove
the app when the MDM profile is removed.
8. Click Finish.

Qlik Sense Mobile and per-app VPN support for MobileIron
The Qlik Sense Mobile app supports per-app VPN tunneling when deployed using MobileIron Core or
MobileIron Cloud.

Together with MobileIron Sentry, the MobileIron Tunnel delivers per-app VPN functionality which provides
endpoint security by limiting connections at the application level, instead of at a device level.

The following are the current minimum requirements for MobileIron support:

 MobileIron Tunnel version 4.0
 One of:
 iOS version 13.4, 64bit
 Android version 9, 64bit

Starting with MobileIron Tunnel 4.0, applications using localhost or the loopback IP 127.0.0.1 are now
supported for Per App VPN if one of the following conditions are true:

 The ProviderType in the VPN config is set to use the Layer-3 packet-tunnel.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

 The ProviderType in the VPN config is set to use the Layer-4 app-proxy and a new key-value pair
DirectLocalhost = True is added to the Tunnel config to prevent the VPN client from routing app-
internal TCP traffic to the VPN.

Idle connections from the mobile device to Qlik Sense may be prematurely terminated, interrupting the Qlik
user experience, unless TcpIdleTmoMs = 300000 is added to the Custom Data key-value pairs. Note that
this must be explicitly configured, and is different from the Disconnection Timeout that is also visible.

Sentry Service
Provider Type Custom Data iOS Android
Type

packet-tunnel IP_ANY TcpIdleTmoMs=300000 Supported Supported

(recommended)

app-proxy TCP_ANY DirectLocalhost=True Supported Not

Applicable
TcpIdleTmoMs=300000

Customizing the MobileIron Sentry configuration
The Sentry Profile must include a MobileIron Tunnel service configured with the Service Type above,
corresponding with the Provider Type that will be used by MobileIron Tunnel.

Customizing the MobileIron Tunnel configuration
Follow the steps below to customize the MobileIron Tunnel configuration.

Do the following:

1. Create a MobileIron Tunnel Per App VPN configuration.
2. Select the Provider Type.
3. Select the Sentry Profile.
4. Select the Sentry Service that corresponds with the Provider Type:
 IP_ANY for packet-tunnel
 TCP_ANY for app-proxy
5. Select the SCEP Identity that is used by the MobileIron Tunnel client to authenticate to the
MobileIron Sentry.
6. Identify your internal DNS Servers in the DNS Resolver IP, for example 172.16.0.100;172.16.0.101
7. Record your Domain Names in Match Domains, for example example.com;example.local.
8. Add Custom Data key-pairs:
 TcpIdleTmoMs=300000
 DirectLocalhost=true
9. Add Safari Domains that will be routed through VPN, for example:
 *.example.com
 *.example.local

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

10. Click Next.
11. In Distribution rules, select the devices this configuration is distributed to.
12. Click Done.

Configuring the Qlik Sense Mobile app hub list using MobileIron
When you deploy the Qlik Sense Mobile app using MobileIron, you can choose to push one or several Qlik
Sense Enterprise hub links directly to your users using Managed App Configuration. This can be performed
via the App Catalog, or as a PLIST (MobileIron Core only).

MobileIron Cloud
Follow the steps below to configure the Qlik Sense Mobile app hub list using the App Catalog mechanism
for MobileIron Cloud.

Do the following:

1. Open your MobileIron Cloud Console.
2. Go to Apps > App Catalog.
3. Select the Qlik Sense Mobile app.
4. Click App Configurations.
5. Select the iOS Managed App Configuration and do the following:
a. Navigate to the Configuration section.
b. Enter a JSON string into the mdm variable that identifies an array of named Hub URLs in the
following format:
{
"Accounts" : [
{ "name": "United Kingdom", "url": "https://sense.uk.example.com" },
{ "name": "Brazil", "url": "https://sense.br.example.com" }
]
}
Ensure that the JSON content is properly quoted and well-structured by validating it at
https://jsonlint.com/.
c. Choose a Distribution option.
d. Click Update.

The Qlik Sense Enterprise hubs that you added now appear in the users' Qlik Sense Mobile app list under
Select an account the next time that they open the app

MobileIron Core
In MobileIron Core you can configure the Qlik Sense Mobile app hub list via t he App Catalog, or as a PLIST

App Catalog
Follow the steps below to configure the Qlik Sense Mobile app hub list using the App Catalog mechanism
for MobileIron Core.

Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

1. Open your MobileIron Cloud Console.
2. Go to Apps > App Catalog.
3. Select the Qlik Sense Mobile app and click Edit.
4. Do the following:
a. Navigate to the Managed App Configurations section and select Default Configuration
for Qlik Sense Mobile.
b. Enter a JSON string into the mdm variable that identifies an array of named Hub URLs in the
following format:
{
"Accounts" : [
{ "name": "United Kingdom", "url": "https://sense.uk.example.com" },
{ "name": "Brazil", "url": "https://sense.br.example.com" }
]
}
Ensure that the JSON content is properly quoted and well-structured by validating it at
https://jsonlint.com/.
Click Save.

The Qlik Sense Enterprise hubs that you added now appear in the users' Qlik Sense Mobile app list under
Select an account the next time that they open the app

PLIST
Follow the steps below to configure the Qlik Sense Mobile app hub list using the PLIST mechanism for
MobileIron Core.

Do the following:

1. Create a PLIST file in the following format that provides a JSON array of named Hub URLs in the
mdm string variable:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTF PLISR 1.0//EN"
"http://www.apple.com/DTDs/PropertyList- 1.0.dtd">
<plist version="1.0">
<dict>
<key>mdm</key>
<string>{ "Accounts" : [ { "name": "United Kingdom", "url": "https://sense.uk.example.com"
}, { "name": "Brazil", "url": "https://sense.br.example.com" } ] }</string>
</dict>
</plist>
Ensure that the JSON content is properly quoted and well-structured by validating it at
https://jsonlint.com/ however the string value MUST be supplied on a single line without any
embedded newline characters.
2. Open your MobileIron Core Console.
3. Go to Policies & Configs.
4. Select Add New > Apple > iOS / tvOS > Managed App Config and then do the following:
a. Enter a name for this Managed App Config that uniquely identifies it.
b. Enter com.qlik.qliksense.mobile in the BundleId field.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

c. Select the PLIST file you created in the first step above.
d. Click Save.
5. Click Actions > Apply to Label to deliver the configuration to applicable registered devices.

The Qlik Sense Enterprise hubs that you added now appear in the users' Qlik Sense Mobile app list under
Select an account the next time that they open the app

Connecting to Qlik Sense Mobile using MobileIron
To connect to Qlik Sense from a mobile device using MobileIron per-app VPN, you must:

 Download the MobileIron MDM Agent app.
 Register the device.
 Install the MobileIron Tunnel VPN Client app
 Install a supported app or browser.

Review the list of mobile browsers that support the connection to Qlik Sense Enterprise through
MobileIron per-app VPN: System requirements for Qlik Sense Enterprise.

Do the following:

1. Download the MobileIron MDM Agent app:
 If using MobileIron Cloud, download MobileIron Go from the Apple App Store or Google Play
store.
 If using MobileIron Core, download MobileIron Mobile@Work from the Apple App Store or
Google Play store.
2. Start the Device Registration procedure:
 If using MobileIron Cloud, browse to https://mobileiron.com/go.
 If using MobileIron Core, start MobileIron Mobile@Work.
Follow the prompts, supply the authentication and server details that your MobileIron administrator
has supplied to you
3. Download the configuration profile when prompted.
If you are using iOS, you must then navigate to Settings > General > Profiles to proceed.
4. In Settings, select the Downloaded Profile and click Install to install the Device Manager
configuration profile. Accept the prompts and warnings to Install and Trust to enroll your device into
remote management.
5. Click Done.
6. Once the installation of the Device Manager configuration profile is complete, the Apps@Work
catalog and several other applications are automatically installed.

If a pop-up appears asking to install MobileIron Tunnel, select Install to allow the installation of the VPN client app. If

7. Open MobileIron Tunnel app and Enable the VPN.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

8. Open Apps@Work and install the Qlik Sense Mobile app or one of the supported browsers.

The Qlik Sense Mobile app allows you to download Qlik Sense apps for offline use.

Your MobileIron administrator may have already populated the hub list with your Qlik Sense server connection

9. To connect to Qlik Sense for the first time using the Qlik Sense Mobile app, see Connecting to Qlik
Sense from the Qlik Sense Mobile app (page 323).

Deploying Qlik Sense Mobile with Microsoft Azure and Intune
The Qlik Sense Mobile app can be deployed using Microsoft Azure and Intune. Some configuration changes
are required in the Microsoft Azure portal to enable Single Sign On (SSO) and Intune management of Qlik
Sense Mobile.

Before you begin:

 Azure AD Connect must be configured to replicate your primary domain (Active Directory) and the
Azure Portal (Azure Active Directory).
 Azure AD Application Proxy Connector must be installed and configured.

To deploy the app using Microsoft Azure and Intune:

 Set up a Qlik Sense Enterprise virtual proxy
 Set up Kerberos constrained delegation in Active Directory
 Add an Azure enterprise application for Qlik Sense Enterprise virtual proxy
 Add an Azure app registration for Qlik Sense Mobile
 Add the Qlik Sense Mobile app to the Intune Company Portal
 Define a Qlik Sense Mobile app protection policy
 Define a Qlik Sense Mobile configuration policy
 Deploy the Qlik Sense Mobile app

Set up a Qlik Sense Enterprise virtual proxy
1. Open the Qlik Management Console (QMC) on the Qlik Sense Enterprise server by entering the QMC
address in your browser.
By default, the QMC address is https://<QPS server name>/qmc.
2. Go to Proxies > Central Proxy.
3. Enable Kerberos Authentication.
4. From the QMC home page, go to Virtual Proxies.
5. Click Create new Virtual Proxy.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

6. Enter the following information:
 Identification
 Authentication
 Load Balancing
 Host white list sections

Note the prefix used, it will be used later in the Azure Portal configuration (https://sense_server_fqdn/prefix).

The Windows Authentication pattern must be set to Mozilla.

7. Click Save.

Set up Kerberos constrained delegation in Active Directory
1. Log in to a server that has access to Active Directory in your primary domain.
2. Open a Windows Power Shell as an administrator.
3. Create a Service Principal Name (SPN) for the Qlik Sense Enterprise installation using the following
command:
setspn.exe -U -S HTTP/sense_server_fqdn domain\sense_server_service_account
4. Open Active Directory Users and Computer.
5. Find the computer that hosts the Azure AD App Proxy, to modify the machine properties.
6. Go to the Delegation tab and choose Trust the computer for delegation to specified services
only.
7. Select Use any authentication protocol and add the SPN created.
8. Open ADSI, confirm that the Azure AD app proxy host is set to delegate to the Qlik Sense server.

Add an Azure enterprise application for Qlik Sense Enterprise virtual proxy
1. Log in to the Azure portal and select Azure Active Directory Service.
2. Select Application Proxy and confirm there is at least one active application proxy.
3. Select Enterprise Applications.
4. Click New application.
5. Select On-premises application.
6. Enter a name for the new application.
7. Enter the URL for the server where Qlik Sense Enterprise is installed.

Include the QSE virtual proxy prefix is in the URL path. For example: https://sense_server_fqdn/prefix

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

8. Setup the External URL.

This will be used later for the App Registration for Microsoft Intune. For example, https://sensekcd-qlikemmnet.msap
Note: The URL consists of a prefix (sensekcd-) followed by your tenant name followed by msappproxy.net followed
9. Ensure that the application is using Azure Active Directory for its Pre-Authentication method.
10. Ensure that a valid Connector Group is selected to direct traffic to the application proxy.
11. Select Single sign-on properties for the Enterprise Application.
12. Choose Integrated Windows Authentication for Single Sign-on Mode.
13. Enter the SPN you created earlier.
14. Choose On-premises user principal name for Delegated Login Identity.
15. Click Save.
16. Select the enterprise application you added and click Properties.
17. Set User assignment required to Yes, and click Save.

Add an Azure app registration for Qlik Sense Mobile
1. Log in to the Azure portal and select Azure Active Directory Service.
2. Select Apps Registrations.
3. Click New Application Registration.
4. Enter a Name.
5. Enter an App registration type of native.
6. Enter a Redirect URL of msauth://com.qlik.qliksense.mobile/17PV4mdIRAc
%2F3SeFXILsSWg1aDU%3D.
7. For the App Registration click Settings and select Redirect URLs.
8. Add an additional redirect URL of qliksense-intune://com.qlik.qliksense.mobile and click Save.
9. Take note of this app registration's Application ID.
10. Add and grant the following delegated permissions:

 Microsoft Mobile Application Management- Read and Write the User's App Management data
 The Web app / API defined above - Access <Web App / API name>
 Microsoft Graph – Read Directory Data
 Windows Azure Active Directory – Sign in and read user profile

Some of these permissions require Admin permissions. The first person to log in to Qlik Sense Mobile must be a user

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Add the Qlik Sense Mobile app to the Intune Company Portal
1. Log in to the Azure portal and select the Intune service.
2. Select Client Apps.
3. Select Apps.
4. Click Add.
5. Select an App type of Android Store App for Android, or iOS Store App for iOS.
6. Click Configure and enter the following:
 Name
 Description
 Publisher
 App store URL: enter the link to the Qlik Sense Mobile app on the Apple App Store for iOS
devices, or the Google Play Store for Android devices.
 Minimum operating system

7. Click OK.
8. Once the app is uploaded, click Assignments and ensure that the appropriate users and devices are
assigned to the app.
9. Refresh the list of apps. You should see the new app of type Managed Android Store App for
Android, or Managed iOS Store App for iOS, with an Assigned value of YES.

Define a Qlik Sense Mobile app protection policy
1. Log in to the Azure portal and select the Intune service.
2. Select Client Apps.
3. Select App protection policies.
4. Click Create Policy.
5. Enter a Name and Description.
6. Enter a Platform of Android or iOS.
7. Enter a value of Yes for target to all app types.
8. Click on Select Required Apps and select the Qlik Sense Mobile for Android or iOS app added
above.

For iOS you must add the Qlik Sense Mobile app via its bundle id com.qlik.qliksense.mobile. For Android you add t

9. Click Settings and configure the various settings, then click Save.
10. If the protection policy is configured to limit data transfer from Qlik Sense Mobile then the limitation
should be set to policy managed apps so that Qlik Sense Mobile can send diagnostics emails.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

For Android use a browser to display help and use a PDF viewer to display the Qlik Sense Mobile Terms and Con

For iOS protection policy a similar setting is required to allow Qlik Sense Mobile to send diagnostic emails. Help and

Define a Qlik Sense Mobile configuration policy
1. Log in to the Azure portal and select the Intune service.
2. Select Client Apps.
3. Select App configuration policies.
4. Click Add.
5. Enter a Name and Description.
6. Select an enrollment type of Managed Apps for Android or Managed Devices for iOS.
7. Click Assignments and assign the appropriate users or user groups.
8. Click Select the required app and select the Qlik Sense Mobile app added to the Company Portal.
9. Click Configuration settings and enter a name of mdm.
10. For Value enter the json document { "Accounts" : [ {"name":"Your server name","url":"<external
URL>", "config": { "AADAppId" : "<the Application Id noted above>"} } ] }
11. Click Save.
12. Ensure that the app configuration shows as assigned with an enrollment type of Managed apps for
Android, or Managed devices for iOS.

Deploy the Qlik Sense Mobile app to Android devices
1. On an Intune enrolled Android device open the Company Portal and install Qlik Sense Mobile.
2. Launch Qlik Sense Mobile.
3. You should be prompted to indicate that the app is being managed. If you don't then there is likely a
configuration issue with the App protection policy.
4. You should see your Qlik Sense Mobile deployment in the Qlik Sense Mobile server list. If you don't
then there is likely a configuration or a user assignment issue.
5. Logging in to Qlik Sense Mobile deployment should follow the Azure SSO login flow.

Deploy the Qlik Sense Mobile app to iOS devices
1. On an Intune enrolled iOS device open the Company Portal and install Qlik Sense Mobile.
Intune will present a dialog asking to manage Qlik Sense Mobile.
2. Click Yes or Manage.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

3. Launch Qlik Sense Mobile.
You should see the Qlik Sense Mobile server you defined above. If you don't then there is likely a
configuration or a user assignment issue.
4. Click on the server and log in using SSO if required.
5. You will see an Intune dialog indicating that the App data is managed. Click OK. Qlik Sense Mobile
will exit.
6. Logging in to Qlik Sense Mobile deployment should follow the Azure SSO login flow.

Connecting to Qlik Sense using BlackBerry Access
You can access Qlik Sense and consume apps from a mobile device using BlackBerry Access browser. A
BlackBerry Access administrator must first set up a BlackBerry Dynamics deployment and configure URL
connections to one or multiple Qlik Sense servers. The administrator then registers users and generates
secret keys that users must use to access the BlackBerry server from their mobile devices. Once inside the
BlackBerry Dynamics environment, users can reach their Qlik Sense hubs.

Configuring BlackBerry Dynamics
Prerequisites
 Qlik Sense Enterprise June 2018 or later must be installed.
 See BlackBerry documentation for BlackBerry Access system requirements.

Allocating access rights
The Qlik Sense administrator must allocate access rights to users in the Qlik Sense Management Console
(QMC), before deploying BlackBerry Dynamics.

Do the following:

1. Open the QMC: https://<QPS server name>/qmc
2. In the QMC, select License management on the start page or from the StartS drop-down menu to
display the overview.
3. Select User access allocations in the panel to the right.
4. Click P Allocate in the action bar.
The Users dialog opens.
5. Select users in the list and click Allocate.

Allocate is disabled if the number of tokens available for allocation is insufficient for the number of selected users.

The dialog is closed and the users are added in the User access allocations overview table.

Deploying BlackBerry Dynamics
Do the following:

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

1. Set up a BlackBerry Dynamics deployment. Using BlackBerry server services, set up a new
BlackBerry Dynamics deployment. Once your deployment is set up, log in using BlackBerry Access
administrator credentials to access the BlackBerry Dynamics dashboard.
2. Register users. You can synchronize your Dynamics deployment with an active directory to import
and update users’ information, such as email addresses, in the BlackBerry Dynamic environment.
Every user registered in your BlackBerry Dynamics deployment is listed under USERS, Users and
Groups.
3. Create apps. Users use apps to connect to different Qlik Sense servers for which they have been
granted access. To create a new app:
 Go to the section APPS, Manage Apps of the Dynamics dashboard.
 Click on the Add App button.
 Select Web from the list of app types. A web app consists of an URL address that users reach
using the BlackBerry Access browser.

Insert the URL address of the Qlik Sense Enterprise server for which you have allocated access
rights to users.
Further to web apps, in a BlackBerry Dynamics environment you can create Public apps, (apps
compatible with BlackBerry EMM environment), Custom apps, or assign GD Entitlement ID. For more
information, see BlackBerry Dynamics documentation.
4. Add apps to App groups . A pps can be grouped together in App groups. You can create and
manage App groups from the Dynamics dashboard under APPS, App Groups.
5. Grant users access to specific apps or app groups. Under APPS, App Groups, you can assign
users to one or multiple App groups, therefore granting these users access to the set of apps that are
included in a specific App group. You can also set restrictions to prevent users from accessing specific
apps or App groups.

You must also grant your users access to the BlackBerry Access browser app.

6. Assign users to policy sets. You can assign different policy sets to different users. Users are
clustered in groups based on which policy set is assigned to them. A policy set defines access rights
and restrictions. Users registered with a certain policy set can access certain apps or App groups, and
are prevented from accessing others, if restrictions are applied.
7. Assign unique access keys to users. Once a user has been registered with specific policy sets and
granted access to apps and App groups, the administrator must generate access keys and provide
them to the user.

Generating access keys
An access key is needed to activate the BlackBerry Access browser app and allow the connection to the
BlackBerry Dynamics deployment. If the environment is properly set up, users will receive their access keys
via email as soon as they are generated. Once an access key is in use, it disappears from the list of available
access keys in the BlackBerry Dynamics dashboard. An access key is only active for a limited time. By
default, an access key expires after 30 days from the last log-in into the BlackBerry Dynamics environment
from the device.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Accessing Qlik Sense using BlackBerry Access
Registered users can use BlackBerry Access on a mobile device and reach Qlik Sense via browser.

Prerequisites
 For a detailed list of BlackBerry Access app, iOS, and Android supported versions, see Supported
browsers.
 An access key to enroll your device. If you have not received any access key, contact the BlackBerry
Access administrator.

Connecting to Qlik Sense from a mobile device using BlackBerry Access
Do the following:

1. Download the BlackBerry Access app from the Apple App Store or the Google Play Store.
2. Open BlackBerry Access and choose to enroll.
3.
Enter the email address which received your access key. Enter the access key you received, and clic
k OK.
4. Create a password when prompted.
5. Once inside the BlackBerry Dynamics environment, select the app, which is the Qlik Sense server
URL address, you want to access. You can also type the URL of the Qlik Sense server you want reach
in the address bar at the top.
6. Insert your Qlik credentials to access the Qlik Sense hub.

Connecting to Qlik Sense from the Qlik Sense Mobile app
When you install and launch the Qlik Sense Mobile app for the first time you are p rompted to select either the
Qlik Sense demo server or a Qlik Sense Enterprise server to connect to.

The Qlik Sense demo server is hosted by Qlik, and allows you to view Qlik Sense apps and mashups, and
download apps. You can connect to the Q lik Sense demo server without Qlik Sense Enterprise account
credentials.

You must connect to the Qlik Sense demo server at least once while online before you can access content while offline.

To connect to a Qlik Sense Enterprise server, you must log in w ith your Qlik Sense Enterprise account
credentials. Before you can connect to a Qlik Sense server and log in with your Qlik Sense Enterprise account
credentials from the Qlik Sense Mobile app you will need to authenticate your credentials against the Qlik
Sense Enterprise server.

The Qlik Sense Enterprise authentication link must be generated by your administrator in the Qlik
Management Console. Your Qlik Sense administrator will provide you with information about how you can
receive the link using one of the following methods:

 Retrieving the authentication link from your Qlik Sense Enterprise hub
 Receiving the authentication link from your administrator

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

If your Qlik Sense Mobile app is deployed and managed through an EMM, the hub list may already be populated for you, in

To connect to a Qlik Sense Enterprise deployment from Qlik Sense Mobile, users must be allocated the appropriate acc

Retrieving an authentication link from the Qlik Sense Enterprise hub
Do the following:

1. Open your mobile browser and enter the URL for your Qlik Sense Enterprise hub.
2. Click ... in the top toolbar of the hub, and then click Client authentication.
3. A dialog box opens asking you to confirm that you want to open the authentication link using the Qlik
Sense. Click Open to confirm.
4. The Qlik Sense Mobile app opens and the server is added to the welcome page.
5. Click the server name to log in. You may be asked to enter your Qlik Sense Enterprise credentials.

After this, when you launch the Qlik Sense Mobile app, you can click the server name and log in using your
Qlik Sense Enterprise credentials without authenticating against the Qlik Sense Enterprise hub each time.

Receiving the authentication link from your administrator
Do the following:

1. Click the authentication link provided by your Qlik Sense administrator. If you cannot click the link,
copy the link into your mobile browser.
2. A dialog box opens asking you to confirm that you want to open the authentication link using the Qlik
Sense. Click Open to confirm.
3. The Qlik Sense Mobile app opens and the server is added to the welcome page.
4. Click the server name to log in. You may be asked to enter your Qlik Sense Enterprise credentials.

8.5 Deploying mashups to the Qlik Sense Mobile app
Qlik Sense mashups are webpages that contain Qlik Sense app objects, such as charts and
data. When a mashup is published in the Qlik Sense Enterprise hub, it can be also access
ed from the Qlik Sense Mobile app.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Why use mashups in the Qlik Sense Mobile app
Using mashups in the Qlik Sense Mobile app enables faster loading and reduced data consumption for the
mobile device. Mashups are generally less resource intense than Qlik Sense apps. This means that less data
has to be retrieved from the Qlik Sense Enterprise server when loading a mashup in the Qlik Sense Mobile
app.

A mashup retrieves the necessary data from the Qlik Sense server every time it is opened. This ensures that
the m ashup is always up to date with the Qlik Sense Enterprise installation.

Qlik Sense November 2018 or later is required to access mashups from the Qlik Sense Mobile app.

The use of Qlik Sense mashups is not supported in Qlik Sense Mobile for BlackBerry app.

Only mashups published in Qlik Sense can be accessed from the Qlik Sense Mobile. In the Qlik Sense
Mobile app, mashups are listed in a dedicated Mashups stream. All public mashups in a Qlik Sense
Enterprise installation are visible in the Qlik Sense Mobile app. An admin can restrict access to specific users
by creating a security rule in the Qlik Management Console. See: Restricting access to mashups in the Qlik
Sense Mobile app (page 325).

Restricting access to mashups in the Qlik Sense Mobile app
To restrict access to mashups in the Qlik Sense Mobile app to specific users, the Qlik Sense Enterprise
administrator must setup a security rule in the Qlik Management Console (QMC).

Do the following:

1. Open the QMC: https://<QPS server name>/qmc
2. In the QMC, create a custom property by doing the following:
 Set a name for the new custom property, for example, "StreamAccess".
 In the Resource Types section, select the Extension and Users check boxes to apply the
custom property to these resource types.
 In the Value section, create a new custom property value, for example,"MyMashup".
See: "Creating a custom property" in the Manage Qlik Sense sites guide.
3. To allow access to mashups to specific users, apply the custom property created in step 1 to the
selected users. In the QMC, go in the Users section and edit users by adding "MyMashup" in the
StreamAccess field.
4. To allow access to extensions to specific users, apply the custom property created in step 1 to the
selected users. In the QMC, go in the Extension section and edit extensions by adding "MyMashup"
in the StreamAccess field.
5. Create a new stream. Add to the stream the Qlik Sense apps that contain the data used in the
mashups.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

6. To prevent users from accessing a mashup, change the extension security rule as follows:
 Create a copy of the default extension security rule.
 Edit the copy you created by adding the condition ((resource.name!="MyMashup")), where
"MyMashup" is the custom property you created in step 1.
 Disable the default extension security rule to make the new one effective.
See: "Security rules installed in Qlik Sense" in the Manage Qlik Sense sites guide.
7. Create the following security rule for extensions: ((user.@StreamAccess="MyMashup")) to allow
specific users to access all extensions.
See: "Creating security rules" in the Manage Qlik Sense sites guide.
8. Apply the same security rule ((user.@StreamAccess="MyMashup")) to the stream you created in step
4 to allow specific users to access the stream.
See: "Editing streams" in the Manage Qlik Sense sites guide.

8.6 Customizing Qlik Sense Mobile with AppConfig
When administering Qlik Sense Mobile in an Enterprise Mobile Management (EMM)
environment, you can customize the Qlik Sense Mobile experience for your users by editing
the AppConfig file.

The AppConfig is a .json or .xml configuration file that can be edited using a Mobile Device Manager system.
By editing the AppConfig file, you can for example change the default stream shown when Qlik Sense Mobile
is launched, hide the demo server, or set a mashup as landing page. The way you modify the AppConfig file
may vary depending on which Mobile Device Manager you use.

Configurable settings in AppConfig
The following are the configurable settings in the AppConfig file.

Settings
Type: Object

The settings object has the following properties:

hideDemoServer
Type: Boolean

If set to true, the demo server is hid from the account list.

hideAnalytics
Type: Boolean

If set to true, analytics are not displayed nor sent to Qlik.

If set to false, the end user can choose to send analytics to Qlik.

useBundledResources
Type: Boolean

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense
If set to true, t his setting e nables to use the visualization client included in the Qlik Sense Mobile app when
consuming apps online, making the online consumption of app ore efficient. The visualization client is
s m used by default when consuming apps offline.

By default, this setting is absent and disabled. To be enabled, it needs to be manually added in the
AppConfig and set to true.

For compatibility reasons, make sure to use the same version of Qlik Sense Enterprise and Qlik Sense
Mobile when enabling this setting.

Accounts
Type: Object

The Accounts object is a JSON formatted list of accounts. Each item has a name that is shown to the user
and a url used to authenticate the user. The value is formatted as follows:

{"name":"Account 1","url":"http://www.hub-A.com"}, {"name":"Account 2","url":"http://www.hub-B.com"}

The Accounts object has the following properties:

name
Type: string

The name of the account for which these settings are to be applied.

url
Type: string

The URL to the Qlik Sense hub.

config
Type: Object

The config object has the following properties:

 DefaultStream
Type: string
Changes the default stream that is selected when the Qlik Sense hub is loaded.
 LandingPage
Type: string
The path to a resource, such as a mashup, that should be loaded in place of the hub when a user
successfully accesses Qlik Sense.
 AADAppId
Type: string
Used for Microsoft Azure Single Sign On. The value for this key is a string equal to the QSM Azure
Active Directory App registration Application/Client ID.

AppConfig example
{
"Settings":{

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense
"hideDemoServer": true,
"hideAnalytics": true,
"useBundledResources": true
},
"Accounts":[
{
"name":"Everyone account",
"url":"https://acme.com/vprefix",
"config": {
"DefaultStream": "Everyone",
"AADAppId": "95c232bc-5ab2-4954-8640-2a865eeb8597"
}
},
{
"name":"Mashup account",
"url":"https://acme.com/vprefix",
"config": {
"DefaultStream": "mashups",
"LandingPage": "/extensions/LandingPageMashup/LandingPageMashup.html"
}
}
]
}

Setting a mashup as landing page
By editing the AppConfig file, you can set a mashup or a mashup stream as the landing page for users
accessing Qlik Sense.

In the Configuration Value field, enter the following:

{
"name":"Mashup account",
"url":"https://acme.com/vprefix",
"config": {
"DefaultStream": "mashups",
"LandingPage": "/extensions/LandingPageMashup/LandingPageMashup.html"
}
}
Where:

 "Mashup account" and "https://acme.com/vprefix" are the account and Sense hub to
which these settings will be applied.
 "/extensions/LandingPageMashup/LandingPageMashup.html" is the path to the
mashup to be used as landing page.
 "mashups" is the ID for a default stream that is loaded when accessing Qlik Sense.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

8.7 Qlik Sense Mobile for BlackBerry
Qlik Sense Mobile for BlackBerry is the Qlik Sense mobile application running on iOS and
integrated with the BlackBerry Dynamics platform. Qlik Sense Mobile for BlackBerry allows
you to access and consume Qlik Sense apps from within the secure BlackBerry Dynamics
EMM environment.

The administrator sets up and configures the BlackBerry Dynamics environment.

Users activate Qlik Sense Mobile for BlackBerry. Once installed and activated, Qlik Sense Mobile for
BlackBerry works the same way as the Qlik Sense Mobile app.

For a list of system requirements for Qlik Sense Mobile for BlackBerry, see: System requirements for Qlik
Sense.

Qlik Sense Mobile for BlackBerry is based on the Qlik Sense Mobile February 2020 release. Qlik Sense Mobile specific fun

Authentication configurations for Qlik Sense Mobile for BlackBerry
Users must identify themselves when connecting to Qlik Sense Enterprise from Qlik Sense
Mobile for BlackBerry.

Qlik Sense Mobile for BlackBerry supports a subset of the authentication solutions configurable on the Virtual
Proxy:

 Ticket solution: The user must enters their Qlik credentials (domain\user name and password) to
access Qlik Sense Enterprise.
 SAML authentication: The user is redirected to a third-party identity provider for being
authenticated.
 Windows Integrated Authentication: The user authenticates via a Kerberos protocol. See
Windows Integrated Authentication (page 329).

Additional authentication solutions may be compatible with Qlik Sense Mobile for BlackBerry, but they are not officially sup

Windows Integrated Authentication
The Virtual Proxy can be configured to recognize any string from the HTTP User Agent of Qlik Sense Mobile
for BlackBerry in the Windows authentication pattern. In this case, the Windows Integrated Authentication is
attempted between the client and the Qlik Sense Hub.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Kerberos authentication solution
To allow Kerberos authentication, the following is required:

 Kerberos authentication must be enabled in the QMC.
 A Kerberos SPN (Service Principal Name) associates the host URL with the Windows identity of the
Qlik Sense Proxy Service.

Kerberos Constrained Delegation
If the BlackBerry infrastructure is configured to support Kerberos Constrained Delegation (KCD), users are
not prompted to enter their credentials. The authentication procedure is handled using the credentials used
for activating Qlik Sense Mobile for BlackBerry.

To implement Kerberos Constrained Delegation, contact BlackBerry.

If Kerberos Constrained Delegation is not enabled within the BlackBerry Dynamics EMM environment, users
are required to enter their Windows User Principal Name (UPN) and password.

If Kerberos authentication is disabled in the QMC, or the required Kerberos SPN (Service Principal Name) is
missing, users are required to enter their Windows user name and password.

Deploying Qlik Sense Mobile for BlackBerry
Qlik Sense Mobile for BlackBerry lets users access Qlik Sense from a secure BlackBerry
Dynamics EMM environment. With Qlik Sense Mobile for BlackBerry, you can manage data
flow, deploy Qlik Sense apps, and set security and compliance policies for specific users or
groups.

This document covers settings specific to a Qlik Sense Mobile deployment in the BlackBerry Dynamics
environment. For a complete guide, check BlackBerry's documentation. For an overview of the BlackBerry
Dynamics platform and architecture, see the following BlackBerry documentation: BlackBerry Dynamics.

Prerequisites
Set up a BlackBerry UEM environment
To access Qlik Sense using the Qlik Sense Mobile for BlackBerry app, an a
dministrator must first set up a
BlackBerry Dynamics environment by installing and configuring BlackBerry UEM.

For d etailed documentation on how to install and configure BlackBerry UEM, see the following BlackBerry
documentation: BlackBerry UEM.

Enable BlackBerry Dynamics Direct Connect
To use Q lik Sense Mobile for BlackBerry, the BlackBerry Dynamics administrator must enable BlackBerry
Dynamics Direct Connect in the BlackBerry UEM admin console. For further information, see the following
BlackBerry documentation: What is Direct Connect?.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Configuring Qlik Sense Mobile for BlackBerry
The BlackBerry Dynamics administrator can enable and configure Qlik Sense Mobile for BlackBerry from the
BlackBerry UEM admin console.

The BlackBerry Dynamics administrator must do the following to allow users to c onsume Qlik Sense apps:

 Add Qlik Sense Mobile for BlackBerry in the BlackBerry Dynamics environment.
 Configure Qlik Sense Mobile for BlackBerry.
 Assign Qlik Sense Mobile for BlackBerry to users or groups of users.

Adding Qlik Sense Mobile for BlackBerry in the BlackBerry Dynamics environment
The BlackBerry Dynamics administrator must add Qlik Sense Mobile for BlackBerry to the list of permitted
apps i n the BlackBerry Dynamics environment.

Do the following:

1. In the BlackBerry UEM admin console, navigate to Apps and click the "Add an app" icon, located on
the right of the search tab. A pop-up window opens.
2. Select the Apple App Store icon.
3. Enter "Qlik Sense Mobile for BlackBerry” in the App name, vendor or URL search field and select
the appropriate geographic App Store. Then, select Search.
4. Select the Add button beside Qlik Sense Mobile for BlackBerry to add the app.
5. Adjust category and other properties of the app as required and select Add.
6. Qlik Sense Mobile for BlackBerry is now on the list of permitted apps in the BlackBerry Dynamics
environment.

Creating App configurations
App configurations allow you to configure the list of Qlik Sense servers that the users will be granted access
to. The list of server is displayed when a user launches the Qlik Sense Mobile for BlackBerry app.

In Qlik Sense Mobile for BlackBerry it is not possible to configure client authentication links for adding Qlik Sense servers. Q

Do the following:

1. In the BlackBerry UEM admin console, navigate to Apps and select Qlik Sense Mobile for BlackBerry
from the list of available apps. A dedicated window opens.
2. In the Settings tab, under BlackBerry Dynamics, create a new app configuration by clicking the "+"
button. A pop-up window opens.
3. In the App configuration window:
a. Enter a name for the App configuration profile.
b. Choose whether you want to allow HTTP traffic.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

c. Insert the list of Qlik Sense servers you want to connect to the Qlik Sense Mobile for
BlackBerry app, including the Virtual Proxy used for authentication. For more information on
authentication solutions for Qlik Sense Mobile for BlackBerry, see: Authentication
configurations for Qlik Sense Mobile for BlackBerry (page 329).
For each server, enter a label as shown below. The label will be shown in the list of servers
displayed in Qlik Sense Mobile for BlackBerry.
Server-1 ; https://<Server-1 address>/VirtualProxy/

The hosts must be added separately to a Connectivity Profile in the BlackBerry UEM admin console.

d. Click Save. This saves and closes the App configuration window.
4. Click Save. This saves and closes the Qlik Sense Mobile for BlackBerry window.

Creating a BlackBerry Dynamic connectivity profile
When a user selects a Qlik Sense server from the list in Qlik Sense Mobile for BlackBerry, an access request
is sent to the selected server. For the request to successfully reach the server, you must create specific
BlackBerry Dynamics connectivity profiles.

For i nstructions on how to create a BlackBerry Dynamics connectivity profile, see the following BlackBerry
documentation: Add an app server to a BlackBerry Dynamics connectivity profile.

Assigning Qlik Sense Mobile for BlackBerry to users or user groups
You must assign Qlik Sense Mobile for BlackBerry to single users or groups of users to allow users to activate
the app on their devices, . You can also create app groups containing multiple apps and assign those to users
and user groups instead.

See: Users and groups in the BlackBerry documentation.

App groups
App groups are collections of permitted apps in the BlackBerry Dynamics environment. You can create an
app group that contains Qlik Sense Mobile for BlackBerry and other permitted apps, assign specific app
configuration policies, and assign the app group to users or groups of users. All the apps included in the app
group are assigned to the selected users.

To learn how to create and edit app groups, see the following BlackBerry documentation: Managing app
groups.

Assign Qlik Sense Mobile for BlackBerry to a user
Do the following:

1. In the BlackBerry UEM admin console, navigate to Users, open the All users sub-section, and select
a user from the list.
2. In the dedicated user screen, open the Apps drop-down section and click on the " +" button.
3. In the list, select the Qlik Sense Mobile for BlackBerry app or an app group that contains it, and click
Next.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

4. Select the app configuration profile and the other settings, or leave the default options.
5. Click on Assign.
6. Qlik Sense Mobile for BlackBerry is now assigned to the selected user.

Assign Qlik Sense Mobile for BlackBerry to a user group
Do the following:

1. In the BlackBerry UEM admin console, navigate to Groups, open the Users sub-section, and select
a user group from the list.
2. In the dedicated user group screen, under A ssigned apps click on the " +" button.
3. In the list, select the Qlik Sense Mobile for BlackBerry app or an app group that contains it, and click
Next.
4. Configure the required settings, or leave the default options.
5. Click on Assign.
6. Qlik Sense Mobile for BlackBerry is now assigned to the selected user group.

Post-installation configuration
You can access Qlik Sense content using Qlik Sense Mobile for BlackBerry directly from pseudo-URLs on a
web-page or email, beginning with the URL Scheme qliksenselink:// instead of https://.

The rest of the URL is formed with guidance from the Qlik App Integration API. To open these URLs directly
from the BlackBerry Access browser, make sure the URL scheme is a recognized 3rd party application in th
e configuration of BlackBerry Access within the BlackBerry UEM Console.

Do the following:

Qlik App Integration API

≤ BlackBerry Access Administration Guide: Allow users to open custom URL schemes

Qlik Sense Mobile for BlackBerry policy settings
The BlackBerry Dynamics administrator controls security configurations by editing policy
profiles and user settings in the BlackBerry UEM admin console.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense
This document covers settings specific for a Qlik Sense Mobile deployment in the BlackBerry Dynamics
environment. For a complete overview on policies and profiles settings, see the following BlackBerry
documentation: BlackBerry Dynamics profile settings.

Data leakage prevention
The BlackBerry Dynamics administrator can prevent users from copying data outside the BlackBerry
Dynamics environment.

Do the following:

1. In the BlackBerry UEM admin console, navigate to Policies and profiles and open the Managed
devices section.
2. In the Policy drop-down menu, select BlackBerry Dynamics.
3. Select the policy profile that you want to edit from the list of available policies.
4. Click on the edit icon.
5. Navigate to the Data leakage prevention section.
6. Select Do not allow copying data from BlackBerry Dynamics apps into non BlackBerry
Dynamics apps to prevent users from sharing data outside the BlackBerry Dynamics environment.
7. Select Do not allow copying data from non BlackBerry Dynamics apps into BlackBerry
Dynamics apps to prevent users from adding d ata copied from apps that are not part of the
BlackBerry Dynamics environment.
8. Click on Save to apply the changes.

Diagnostic and logging
Users can send application diagnostics using BlackBerry Work or a different email client such as the native
iOS client. A mail client different from BlackBerry Work can only be used if the BlackBerry Dynamics
administrator allows users to copy data outside of the BlackBerry Dynamics environment. See: Data leakage
prevention (page 334).

Sending application diagnostics from the Qlik Sense Mobile for BlackBerry app
Do the following:

1. In the Qlik Sense Mobile for BlackBerry app, tap on the BlackBerry Launcher icon.
2. In the Launcher menu, open the settings menu.
3. In the settings menu select Diagnostic.
4. Select Send application diagnostics.
5. The email client opens.

Sending application diagnostic when data leakage prevention is enforced
If the BlackBerry Dynamics administrator has enabled the data leakage prevention configuration, u sers can
only send diagnostics using the BlackBerry Work email client. If the user selects Send application
diagnostics and BlackBerry Work is not installed on the device, a n error message invites the user to
configure an email service.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Configuring detailed diagnostics
The BlackBerry Dynamics administrator can enable or prevent users from sending detailed diagnostics from
the Qlik Sense Mobile for BlackBerry app. Detailed diagnostics are enabled at application level by editing a
policy profile, or at device level by editing the registered device for a specific user.

Configuring detailed diagnostics in the policy profile
Do the following:

1. In the BlackBerry UEM admin console, navigate to the Policies and profiles section and open the
Managed devices sub-section.
2. In the Policy drop-down menu select BlackBerry Dynamics.
3. Select the policy profile that you want to edit from the list of available policies.
4. Click the edit icon.
5. Navigate to the Detailed logging section.
o To enable detailed diagnostics, select Enable detailed logging for BlackBerry Dynamics
apps.
The Detailed diagnostics option is made available in the diagnostics settings for Qlik Sense
Mobile for BlackBerry. The user can turn on detailed diagnostics using the toggle.
o To disable detailed diagnostics, select Prevent users from turning on detailed logging in
BlackBerry Dynamics apps.
Only the Send application diagnostics option is visible in the Qlik Sense Mobile for
BlackBerry app.

Configuring detailed diagnostics for a specific device
Do the following:

1. In the policy editing window, leave both Enable detailed logging for BlackBerry Dynamics apps
and Prevent users from turning on detailed logging in BlackBerry Dynamics apps unselected.
For detailed instructions see: Configuring detailed diagnostics in the policy profile (page 335).
2. In the BlackBerry UEM admin console, navigate to Users and open the All users sub-section.
3. Select a user from the list.
4. In the user profile window, select one of the activated devices available for the selected user. You
select a device by clicking on the correspondent tab.
5. In the tab for the device you selected, open the BlackBerry Dynamics apps drop-down menu.
6. Locate the Qlik Sense Mobile for BlackBerry app. If Qlik Sense Mobile for BlackBerry is not listed in
this section, it is not assigned for that user on the selected device.
7. In the App actions column for Qlik Sense Mobile for BlackBerry, open the drop-down menu.
o Select Logging on to enable detailed diagnostics.
The user can turn on detailed diagnostics using the toggle.
o Select Logging off to prevent detailed diagnostics.
Only the Send application diagnostics option is visible in the Qlik Sense Mobile for
BlackBerry app.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

8 Deploying Qlik Sense

Activating Qlik Sense Mobile for BlackBerry
You can activate the Qlik Sense Mobile for BlackBerry app by entering your credentials and an
access key. Once Qlik Sense Mobile for BlackBerry has been activated, you can access and
consume Qlik Sense applications.

To activate Qlik Sense Mobile for BlackBerry you must:

 Download Qlik Sense Mobile for BlackBerry.
 Activate it using an access key.
 Create a password for the app.

Do the following:

1. Download Qlik Sense Mobile for BlackBerry from the Apple App Store.
2. In a web browser, navigate to BlackBerry UEM Self-Service console website for the BlackBerry
Dynamics domain you are registered in.
For example: https://bbuem.<yourBlackBerryDynamicsdomain>.com, where
<yourBlackBerryDynamicsdomain> is the name of your registered BlackBerry Dynamics domain.
If you do not know the correct BlackBerry Dynamics domain, contact your BlackBerry Dynamics
administrator.
3. In the log-in screen, enter your user name and password. If you do not know your user name or your
password, contact your BlackBerry Dynamics administrator.
4. In the BlackBerry UEM Self-Service console, navigate to Access keys.
5. Click on the "+" button to generate a new access key.
6. On the mobile device, launch Qlik Sense Mobile for BlackBerry.
7. Enter the email address you used to register with the BlackBerry Dynamics environment. If you do not
know which email address you should use, contact your BlackBerry Dynamics administrator.
8. Enter the access key you generated in the BlackBerry UEM Self-Service console. Do not add the dash
characters.
9. If requested, create a password for accessing Qlik Sense Mobile for BlackBerry. This password will be
requested every time you launch the app or after the time out period.
10. Qlik Sense Mobile for BlackBerry is now activated. S elect a hub from the list and enter your Qlik
credentials to access the streams and documents in that Qlik Sense Enterprise site.

Deploy Qlik Sense Enterprise on Windows - Qlik Sense, June 3

Develop Section
No ratings yet
Develop Section
5,882 pages
Percona Monitoring and Management Documentation: Date .Getfullyear )
No ratings yet
Percona Monitoring and Management Documentation: Date .Getfullyear )
589 pages
QuantAnalysis 5.0 User Manual
No ratings yet
QuantAnalysis 5.0 User Manual
92 pages
Manage Qlik Sense Sites - Apr 2018
No ratings yet
Manage Qlik Sense Sites - Apr 2018
518 pages
Chhattisgarh Analytics Empanelment RFP - Final
No ratings yet
Chhattisgarh Analytics Empanelment RFP - Final
91 pages
DI Advanced
No ratings yet
DI Advanced
194 pages
Analytic Manager Automation Report
No ratings yet
Analytic Manager Automation Report
56 pages
HvrUserManual-5 5 PDF
No ratings yet
HvrUserManual-5 5 PDF
586 pages
RWD Uperform 3.0 - Administration
No ratings yet
RWD Uperform 3.0 - Administration
235 pages
p6 Eppm Upgrade Config
No ratings yet
p6 Eppm Upgrade Config
56 pages
Installation Guide
No ratings yet
Installation Guide
45 pages
Vdocuments - MX Emc Documentum XCP 22 Self Paced Tutorial v10
No ratings yet
Vdocuments - MX Emc Documentum XCP 22 Self Paced Tutorial v10
217 pages
Tutorial - Building An App
No ratings yet
Tutorial - Building An App
52 pages
Introduction To Programming Arcobjects U
No ratings yet
Introduction To Programming Arcobjects U
539 pages
Page No
No ratings yet
Page No
73 pages
FortiOS 7.2.5 Administration Guide
No ratings yet
FortiOS 7.2.5 Administration Guide
3,117 pages
Introduction To Programming With Xojo
No ratings yet
Introduction To Programming With Xojo
363 pages
(eBook PDF) Accounting Information Systems, Global Edition 15th Edition instant download
100% (1)
(eBook PDF) Accounting Information Systems, Global Edition 15th Edition instant download
44 pages
Installation and Deployment Guide Template
No ratings yet
Installation and Deployment Guide Template
16 pages
Administer Qlik Sense Enterprise On Windows
No ratings yet
Administer Qlik Sense Enterprise On Windows
734 pages
Optimisation and Forecasting of Building Maintenance and Renewals For Various Types of Local Government Buildings
No ratings yet
Optimisation and Forecasting of Building Maintenance and Renewals For Various Types of Local Government Buildings
143 pages
Get (eBook PDF) LPIC-1: Linux Professional Institute Certification Study Guide 4th Edition PDF ebook with Full Chapters Now
100% (1)
Get (eBook PDF) LPIC-1: Linux Professional Institute Certification Study Guide 4th Edition PDF ebook with Full Chapters Now
43 pages
Introduction To Programming With Xojo PDF
No ratings yet
Introduction To Programming With Xojo PDF
363 pages
IS4S Installation and User Guide
No ratings yet
IS4S Installation and User Guide
50 pages
CICS VSE Technical Presentation
No ratings yet
CICS VSE Technical Presentation
38 pages
The Comprehensive Product Launch Guide by Solveo
No ratings yet
The Comprehensive Product Launch Guide by Solveo
30 pages
Visqman PDF
No ratings yet
Visqman PDF
27 pages
File Name
No ratings yet
File Name
454 pages
Install and Upgrade Qlik Sense
No ratings yet
Install and Upgrade Qlik Sense
45 pages
SQL Server Notes
No ratings yet
SQL Server Notes
396 pages
Tru64 Unix Und Hp-Ux
No ratings yet
Tru64 Unix Und Hp-Ux
20 pages
IRR Fallohara Cup
No ratings yet
IRR Fallohara Cup
23 pages
WingScan Developers Guide
0% (1)
WingScan Developers Guide
69 pages
Ai Deep Dive Brochure
No ratings yet
Ai Deep Dive Brochure
29 pages
Migration Plan Smartinno Digital ocean to azure
No ratings yet
Migration Plan Smartinno Digital ocean to azure
8 pages
0000703revb Ruskin User Guide Large Loggers
No ratings yet
0000703revb Ruskin User Guide Large Loggers
123 pages
Sqlmap Cheat Sheet
No ratings yet
Sqlmap Cheat Sheet
1 page
B.voc sem2 (205) unit 3
No ratings yet
B.voc sem2 (205) unit 3
5 pages
CH#8 - Introduction To Software Development
No ratings yet
CH#8 - Introduction To Software Development
24 pages
SAP T-Codes Module IS - DFPS Defense Forces and Public Security
100% (1)
SAP T-Codes Module IS - DFPS Defense Forces and Public Security
39 pages
Investor Pitch Deck - L
No ratings yet
Investor Pitch Deck - L
10 pages
9_Building Microservices--Building Microservices
No ratings yet
9_Building Microservices--Building Microservices
2 pages
Chapter 5
No ratings yet
Chapter 5
10 pages
02.CA (CL) - IT - (Module-1) - (2) Components of Information Systems
No ratings yet
02.CA (CL) - IT - (Module-1) - (2) Components of Information Systems
11 pages
16-RenatoCumani Cadastre Module - FAO Presentation - V1
No ratings yet
16-RenatoCumani Cadastre Module - FAO Presentation - V1
18 pages
Payment System Thesis Documentation
100% (3)
Payment System Thesis Documentation
7 pages
B14 SQL Server DBA Notes
100% (3)
B14 SQL Server DBA Notes
403 pages
Sushovan_Solution Architect
No ratings yet
Sushovan_Solution Architect
3 pages
User Manual: Security Space
No ratings yet
User Manual: Security Space
136 pages
CKMM Change Material Price Determination
No ratings yet
CKMM Change Material Price Determination
8 pages
2336176
No ratings yet
2336176
39 pages
Minimax Profile - 070903 PDF
No ratings yet
Minimax Profile - 070903 PDF
12 pages
HubSpot - Buyer Persona Templates
No ratings yet
HubSpot - Buyer Persona Templates
10 pages
SQL Server Interview Questions: Explain The Use of Keyword WITH ENCRYPTION. Create A Store Procedure With Encryption
No ratings yet
SQL Server Interview Questions: Explain The Use of Keyword WITH ENCRYPTION. Create A Store Procedure With Encryption
10 pages
RSL10 Sample Code Users Guide
No ratings yet
RSL10 Sample Code Users Guide
22 pages
Apscheck 092614
No ratings yet
Apscheck 092614
571 pages
Ahmed Refaat Rizk - Steel Detailing Eng
No ratings yet
Ahmed Refaat Rizk - Steel Detailing Eng
3 pages
'GitHub - Raphire_Win11Debloat_ A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, r_' - github.com
No ratings yet
'GitHub - Raphire_Win11Debloat_ A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, r_' - github.com
3 pages
VisQ Queue Manager System Guide Version 10.3
100% (1)
VisQ Queue Manager System Guide Version 10.3
27 pages
White Paper: Business Analytics and The Data Complexity Matrix
No ratings yet
White Paper: Business Analytics and The Data Complexity Matrix
6 pages
Artificial Intelligence With Lab: Report: Machine Learning
No ratings yet
Artificial Intelligence With Lab: Report: Machine Learning
6 pages
Telscalesmscdatasheet
No ratings yet
Telscalesmscdatasheet
3 pages
"Tours and Travels/Tour and Travel Management System": Project Report ON
No ratings yet
"Tours and Travels/Tour and Travel Management System": Project Report ON
6 pages
Jobvacancyresult Com
No ratings yet
Jobvacancyresult Com
4 pages
Project Scope Management: 1 WWW - Cahyo.web - Id IT Project Management, Third Edition Chapter 5
100% (1)
Project Scope Management: 1 WWW - Cahyo.web - Id IT Project Management, Third Edition Chapter 5
43 pages
Project Title - : Submitted To-Mrs. Mona Adlakha
No ratings yet
Project Title - : Submitted To-Mrs. Mona Adlakha
20 pages
Qlik Sense Installation Guide
No ratings yet
Qlik Sense Installation Guide
63 pages
Object Oriented Analysis and Design - Part1 (Analysis) : Ibm Ooad 833
No ratings yet
Object Oriented Analysis and Design - Part1 (Analysis) : Ibm Ooad 833
11 pages
SELicense Caire Consult
No ratings yet
SELicense Caire Consult
1 page
Defense and Security Workshop Logistics and Maintenance
No ratings yet
Defense and Security Workshop Logistics and Maintenance
2 pages
Changeman: Version Control Tool
No ratings yet
Changeman: Version Control Tool
34 pages
6058 Food Order Processing Management
No ratings yet
6058 Food Order Processing Management
29 pages
Readme For Dos
No ratings yet
Readme For Dos
5 pages
Feasibility Analysis Course Code: CSE-401 Course Title: System Analysis and Design On Calchamp
No ratings yet
Feasibility Analysis Course Code: CSE-401 Course Title: System Analysis and Design On Calchamp
8 pages
SPSS&EXCEL
No ratings yet
SPSS&EXCEL
1 page
PC Config A Ration
No ratings yet
PC Config A Ration
3 pages
Alteryx Topic
No ratings yet
Alteryx Topic
2 pages
Mastering NGINX on Linux: A Practical Guide to Installing, Configuring, Securing, and Optimizing NGINX on Linux Servers
From Everand
Mastering NGINX on Linux: A Practical Guide to Installing, Configuring, Securing, and Optimizing NGINX on Linux Servers
Dargslan
No ratings yet
Kubernetes Deployment: Advanced Strategies
From Everand
Kubernetes Deployment: Advanced Strategies
William Jones
No ratings yet
Kubernetes Clusters with KIND: Definitive Reference for Developers and Engineers
From Everand
Kubernetes Clusters with KIND: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Architectural Principles for Cloud-Native Systems: A Comprehensive Guide
From Everand
Architectural Principles for Cloud-Native Systems: A Comprehensive Guide
Peter Jones
No ratings yet
Jenkins, Docker, and Kubernetes: Mastering DevOps Automation
From Everand
Jenkins, Docker, and Kubernetes: Mastering DevOps Automation
Peter Jones
No ratings yet
Red Hat Enterprise Linux 9 Essentials: Learn to Install, Administer, and Deploy RHEL 9 Systems
From Everand
Red Hat Enterprise Linux 9 Essentials: Learn to Install, Administer, and Deploy RHEL 9 Systems
Smyth
No ratings yet
Zero Downtime Deployments: Mastering Kubernetes and Istio
From Everand
Zero Downtime Deployments: Mastering Kubernetes and Istio
Peter Jones
No ratings yet
Mastering Kubernetes: From Basics to Advanced Cluster Orchestration
From Everand
Mastering Kubernetes: From Basics to Advanced Cluster Orchestration
Dargslan
No ratings yet
Jenkins, Docker, and Kubernetes: Mastering DevOps Automatio
From Everand
Jenkins, Docker, and Kubernetes: Mastering DevOps Automatio
Peter Jones
No ratings yet
Hands-On Multi-Cloud Kubernetes: Multi-cluster kubernetes deployment and scaling with FluxCD, Virtual Kubelet, Submariner and KubeFed
From Everand
Hands-On Multi-Cloud Kubernetes: Multi-cluster kubernetes deployment and scaling with FluxCD, Virtual Kubelet, Submariner and KubeFed
Joe Brian
No ratings yet
Mastering Kubernetes: From Basics to Expert Proficiency
From Everand
Mastering Kubernetes: From Basics to Expert Proficiency
William Smith
No ratings yet
Knative in Cloud-Native Infrastructure: Definitive Reference for Developers and Engineers
From Everand
Knative in Cloud-Native Infrastructure: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Mastering Kubernetes
From Everand
Mastering Kubernetes
Manish Soni
No ratings yet
Kubernetes from basic to advanced levels
From Everand
Kubernetes from basic to advanced levels
Alex Carvalho
No ratings yet
AlmaLinux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
From Everand
AlmaLinux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
Neil Smyth
No ratings yet
Google Cloud Platform an Architect's Guide
From Everand
Google Cloud Platform an Architect's Guide
alasdair gilchrist
5/5 (1)
Google Cloud Professional Cloud Security Engineer 100+ Practice Exam Questions with Detailed Answers
From Everand
Google Cloud Professional Cloud Security Engineer 100+ Practice Exam Questions with Detailed Answers
vivian njoroge
No ratings yet