Before ingesting Qlik Sense Enterprise metadata into Dawiso, prepare your environment by granting the scanning identity the required access, choosing an authentication method, and exporting the certificates Dawiso uses to connect.

Prerequisites

  • Administrative access to the Qlik Management Console (QMC). You need RootAdmin (or ContentAdmin) rights to manage certificates and security rules, and to ensure the scanning identity can read all streams, apps, and data connections.
  • A scanning identity with read access to every app. The Qlik Engine API opens each app individually, so the identity supplied to Dawiso (see User identity below) must be able to open all apps you want to catalog. The built-in sa_repository user in the INTERNAL directory usually has this; for restricted environments use a dedicated service account with an equivalent security rule.
  • Network access from the Dawiso ingestion host to the Qlik Sense central node. See Network requirements.

Prepare your host URL

Use the address of your Qlik Sense central node (not a rim node). Example: your-qlik-server.company.com.

In multi-node deployments, always point Dawiso at the central node, because that is where the Repository Service runs.

Choose an authentication method

Qlik Sense Enterprise supports two authentication methods for Dawiso:

MethodHow it connectsWhen to use
Certificate (recommended)Direct connection to the Repository Service (port 4242) and the Engine (port 4747) using client certificates exported from the QMC.Most deployments. Works regardless of whether the ingestion host is domain-joined.
WindowsConnection through the Qlik Proxy Service (typically port 443) using the Windows identity (NTLM) of the Dawiso ingestion service.The ingestion host is domain-joined and the service account already has access in Qlik, and you prefer not to manage certificates.

The steps below describe the certificate method. If you plan to use Windows authentication, no certificate export is needed — instead, make sure the Windows account running the Dawiso ingestion service is allowed through your virtual proxy and has the app access described above.

Export client certificates from the QMC

  1. In the QMC, open Certificates.
  2. In Machine name, enter the host name of the machine that will run the Dawiso scan (the ingestion host). This binds the exported certificate to that machine.
  3. Leave the certificate password empty for PEM export, or set one if you export PFX.
  4. Under Export file format for certificates, choose:
    • Platform independent PEM-files — produces client.pem, client_key.pem, and root.pem. Recommended.
    • Windows format — produces client.pfx and root.cer. Use this if you prefer a single password-protected file.
  5. Click Export certificates. Qlik writes the files to the secure exchange folder on the central node (by default under ...\Qlik\Sense\Repository\Exported Certificates\<Machine name>\).
  6. Copy the exported files to a secure location the Dawiso ingestion service can read.
Warning

The exported certificates grant API access to your Qlik environment. Store them securely, restrict file-system access to the ingestion service account, and rotate them if they are exposed.

PEM vs. PFX

You exportedProvide to Dawiso
PEMclient.pem (Client Certificate), client_key.pem (Client Key), root.pem (Root Certificate). No password.
PFXclient.pfx (Client Certificate) and a Certificate Password, plus root.cer (Root Certificate). The Client Key is contained in the PFX, so it is not needed separately.
Tip

Encrypted PEM private keys are not supported. If your key is password-protected, export in PFX format and supply the password instead.

Note the scanning identity

When using certificate authentication, Dawiso identifies the scanning user to Qlik through the X-Qlik-User header. The defaults are:

  • User Directory: INTERNAL
  • User ID: sa_repository

Keep the defaults unless you created a dedicated service account, in which case use that account’s directory and ID. Whichever identity you choose must be able to open every app you want to catalog.

Network requirements

Open network access from the Dawiso ingestion host to the Qlik Sense central node on the ports for your chosen authentication method:

  • Certificate authentication: TCP 4242 (Repository Service REST API) and TCP 4747 (Engine JSON API).
  • Windows authentication: TCP 443 (Qlik Proxy Service), or your custom virtual-proxy port.

These ports are normally reachable only from inside the corporate network, so the ingestion host typically must sit on the same network or connect over VPN. If the server presents a certificate that is not trusted by the ingestion host’s operating system, you can enable Trust Server Certificate on the connection, or supply the Qlik root certificate so Dawiso can validate the chain.