Before ingesting Qlik Sense Enterprise metadata into Dawiso, prepare your environment by granting the scanning identity the required access, choosing an authentication method, and exporting the certificates Dawiso uses to connect.
Prerequisites
- Administrative access to the Qlik Management Console (QMC). You need
RootAdmin(orContentAdmin) rights to manage certificates and security rules, and to ensure the scanning identity can read all streams, apps, and data connections. - A scanning identity with read access to every app. The Qlik Engine API opens each app individually, so the identity supplied to Dawiso (see User identity below) must be able to open all apps you want to catalog. The built-in
sa_repositoryuser in theINTERNALdirectory usually has this; for restricted environments use a dedicated service account with an equivalent security rule. - Network access from the Dawiso ingestion host to the Qlik Sense central node. See Network requirements.
Prepare your host URL
Use the address of your Qlik Sense central node (not a rim node). Example: your-qlik-server.company.com.
In multi-node deployments, always point Dawiso at the central node, because that is where the Repository Service runs.
Choose an authentication method
Qlik Sense Enterprise supports two authentication methods for Dawiso:
| Method | How it connects | When to use |
|---|---|---|
| Certificate (recommended) | Direct connection to the Repository Service (port 4242) and the Engine (port 4747) using client certificates exported from the QMC. | Most deployments. Works regardless of whether the ingestion host is domain-joined. |
| Windows | Connection through the Qlik Proxy Service (typically port 443) using the Windows identity (NTLM) of the Dawiso ingestion service. | The ingestion host is domain-joined and the service account already has access in Qlik, and you prefer not to manage certificates. |
The steps below describe the certificate method. If you plan to use Windows authentication, no certificate export is needed — instead, make sure the Windows account running the Dawiso ingestion service is allowed through your virtual proxy and has the app access described above.
Export client certificates from the QMC
- In the QMC, open Certificates.
- In Machine name, enter the host name of the machine that will run the Dawiso scan (the ingestion host). This binds the exported certificate to that machine.
- Leave the certificate password empty for PEM export, or set one if you export PFX.
- Under Export file format for certificates, choose:
- Platform independent PEM-files — produces
client.pem,client_key.pem, androot.pem. Recommended. - Windows format — produces
client.pfxandroot.cer. Use this if you prefer a single password-protected file.
- Platform independent PEM-files — produces
- Click Export certificates. Qlik writes the files to the secure exchange folder on the central node (by default under
...\Qlik\Sense\Repository\Exported Certificates\<Machine name>\). - Copy the exported files to a secure location the Dawiso ingestion service can read.
The exported certificates grant API access to your Qlik environment. Store them securely, restrict file-system access to the ingestion service account, and rotate them if they are exposed.
PEM vs. PFX
| You exported | Provide to Dawiso |
|---|---|
| PEM | client.pem (Client Certificate), client_key.pem (Client Key), root.pem (Root Certificate). No password. |
| PFX | client.pfx (Client Certificate) and a Certificate Password, plus root.cer (Root Certificate). The Client Key is contained in the PFX, so it is not needed separately. |
Encrypted PEM private keys are not supported. If your key is password-protected, export in PFX format and supply the password instead.
Note the scanning identity
When using certificate authentication, Dawiso identifies the scanning user to Qlik through the X-Qlik-User header. The defaults are:
- User Directory:
INTERNAL - User ID:
sa_repository
Keep the defaults unless you created a dedicated service account, in which case use that account’s directory and ID. Whichever identity you choose must be able to open every app you want to catalog.
Network requirements
Open network access from the Dawiso ingestion host to the Qlik Sense central node on the ports for your chosen authentication method:
- Certificate authentication: TCP 4242 (Repository Service REST API) and TCP 4747 (Engine JSON API).
- Windows authentication: TCP 443 (Qlik Proxy Service), or your custom virtual-proxy port.
These ports are normally reachable only from inside the corporate network, so the ingestion host typically must sit on the same network or connect over VPN. If the server presents a certificate that is not trusted by the ingestion host’s operating system, you can enable Trust Server Certificate on the connection, or supply the Qlik root certificate so Dawiso can validate the chain.