Getting Started
I encourage you to gain a good understanding of the way jwt is actually used by Qlik Sense.
- You’ll need a Base64 RSA keypair (PEM Format).
- You have a few options here…
- You can export a keypair with the built -in certificate manager in the Qlik Sense QMC
- Generate your own private public keypair
- I personally prefer this tool, but this command works the same with openssl:
openssl genrsa -des3 -out jwt.private.pem 2048 && openssl rsa -in jwt.private.pem -outform PEM -pubout -out jwt.public.pem
- You have a few options here…
- Next go to jwt.io
- Create a keypair that matches the intended UserId field.
- Do the same for the UserDirectory field
- Repeat as needed for any additional attributes (e.g. Qlik Sense security rules derived from the user.environment namespace)
- Next, Configure your Qlik Sense virtual proxy for JWT Authentication for accepting the userId and UserDirectory you wish to impersonate.
- This requires you to match the parameters in the attribute configuration that aligns with what you did on jwt.io
- be sure to place the public certificate in the certificate area
- also, be sure to link the relevant engine nodes in the load balancing section
- finally link the proxy noides exposed to this configuration in the related section (bottom right)
- Finally, find a good extension to perform the header injection for the header used by the JWT virtual proxy
References
“OpenSSL GenPKey Command.” Accessed April 22, 2019. https://www.openssl.org/docs/manmaster/man1/genpkey.html.