Setting up Qlik Data Gateway – Direct Access
This topic outlines the Qlik Data Gateway – Direct Access prerequisites, provides installation instructions, and describes the limitations and considerations you should be aware of when working with Qlik Data Gateway – Direct Access.
Best practices when using Qlik Data Gateway – Direct Access
For a successful experience when using Qlik Data Gateway – Direct Access, it is strongly recommended to adhere to the following best practices:
- Do not use the same Direct Access gateway for development, user acceptance testing, and production, as this will increase the risk of overloading the available resources and impact system stability. From a business perspective, the combination of insufficient resources and decreased stability might result in delayed updates to production application data.
- For optimal performance, install the Direct Access gateway on a server that is as close as possible to your data source.
- Direct Access gateway should be installed on a dedicated Windows Server as stipulated in the system requirements below. Do not install it on the actual database server or alongside other Qlik products, including but not limited to Qlik DataTransfer, Qlik Sense Desktop, and Qlik Sense Enterprise.
System prerequisites
This section describes the software, ports, and hardware requirements for using Qlik Data Gateway – Direct Access.
Software prerequisites
- The Direct Access gateway should be installed on a Windows Server machine behind your firewall. The server should be able to access your data source.
  Supported Windows Server editions:
- Three different .NET versions need to be installed. Install the following .NET versions only:
  - .NET 4.8: Required for the installation.
  - .NET 6.0.x runtime (x64) and ASP.NET Core Runtime 6.0.x (x64) (latest patch)
    Information note: From Direct Access gateway 1.6.8, .NET 6.0.x is no longer required.
  - .NET 8.0.x runtime (x64) and ASP.NET Core Runtime 8.0.x (x64) (latest patch)
    Information note: Direct Access gateway 1.6.6 and 1.6.7 require both versions (6.0.x and 8.0.x) of the .NET and ASP.NET Core Runtimes.
  For instructions on how to verify the currently installed .NET version, see https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
- Microsoft Visual C++ 2015-2022 Redistributable (x64). The Direct Access gateway setup will prompt you to install the redistributable if it detects that it is not currently installed.
Additional software prerequisites when using SAP data sources
Required ports and protocols
The following section lists the required ports.
Outbound ports
HTTPS/TCP-443 should be opened for outbound communication to <tenant-id>.<region>.qlikcloud.com.
Internal ports
Below is a list of ports used for communication by internal data gateway processes. If any of these ports is being used by another application, reconfigure the other application or uninstall it.
General ports
- 5050 (Connector Agent REST API)
- 9027 (DCAAS REST API)
ODBC ports
- 3005 (ODBC Connector REST API)
- 50060 (ODBC Connector gRPC)
SAP ports
- 3007 (SAP BW Connector REST API)
- 3008 (SAP SQL Connector REST API)
- 3009 (SAP ODP Connector REST API)
- 50070 (SAP BW Connector gRPC)
- 50080 (SAP SQL Connector gRPC)
- 50090 (SAP ODP Connector gRPC)
WSS protocol
In addition to HTTPS, Direct Access gateway also uses WSS (WebSocket Secure) protocol. Therefore, make sure that your firewall and proxy server (if you intend to use one) are set up to allow outbound WSS connections.
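A pre-installation check of the port requirements above, written as an added PowerShell example (it is not Qlik code). It reports which of the listed internal ports already have a listener, which process owns it and which address it is bound to, then tests outbound TCP 443; the tenant host default is the page's example value and is an assumption to replace.

```powershell
# Added example, not Qlik code. Run in an elevated PowerShell session on the
# intended gateway server before installing.
param(
    # Assumption: the page's example tenant host; replace with your own.
    [string]$TenantHost = 'mytenant.us.qlikcloud.com'
)

# Internal ports and roles, copied from the list above.
$internalPorts = @(
    @{ Port = 5050;  Role = 'Connector Agent REST API' }
    @{ Port = 9027;  Role = 'DCAAS REST API' }
    @{ Port = 3005;  Role = 'ODBC Connector REST API' }
    @{ Port = 50060; Role = 'ODBC Connector gRPC' }
    @{ Port = 3007;  Role = 'SAP BW Connector REST API' }
    @{ Port = 3008;  Role = 'SAP SQL Connector REST API' }
    @{ Port = 3009;  Role = 'SAP ODP Connector REST API' }
    @{ Port = 50070; Role = 'SAP BW Connector gRPC' }
    @{ Port = 50080; Role = 'SAP SQL Connector gRPC' }
    @{ Port = 50090; Role = 'SAP ODP Connector gRPC' }
)

# Every TCP listener currently open on this machine.
$listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)

$report = foreach ($entry in $internalPorts) {
    $hit  = $listeners | Where-Object { $_.LocalPort -eq $entry.Port } | Select-Object -First 1
    $proc = if ($hit) { Get-Process -Id $hit.OwningProcess -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        Port         = $entry.Port
        Role         = $entry.Role
        InUse        = [bool]$hit
        BoundAddress = if ($hit) { $hit.LocalAddress }
        OwnedBy      = if ($proc) { $proc.ProcessName }
    }
}
$report | Format-Table -AutoSize

# Outbound HTTPS/TCP-443 to the tenant. This proves TCP reachability only: it does
# not exercise the WSS upgrade, and it fails where all egress must go through a proxy.
$outbound = Test-NetConnection -ComputerName $TenantHost -Port 443 -WarningAction SilentlyContinue
'Outbound {0}:443 reachable: {1}' -f $TenantHost, $outbound.TcpTestSucceeded

$conflicts = @($report | Where-Object InUse)
if ($conflicts.Count -gt 0) {
    Write-Warning ('Ports already in use: ' + ($conflicts.Port -join ', '))
}
```

Run after installation, the same report shows the gateway's own processes as the owners and the address each internal API is bound to.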
Recommended minimum hardware
- 8 cores
- 32 GB memory
- 5 GB storage
System cryptography
Qlik Cloud Government supports using Qlik Data Gateway – Direct Access only when Windows is configured to run in a FIPS 140-2 approved mode of operation (FIPS mode). To turn on FIPS mode, enable the Windows policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. For more information, see step 3 of the procedure Using Windows in a FIPS 140-2 approved mode of operation.
Information note: No additional modules need to be installed. Qlik Data Gateway – Direct Access uses only the modules already provided by Windows and included in the list of validated modules. Qlik Data Gateway – Direct Access enforces the use of only FIPS-validated cryptographic algorithms through .NET Runtime.
Installing Qlik Data Gateway – Direct Access
Setting up the Direct Access gateway involves procedures that need to be performed both in the Administration activity center and on the Direct Access gateway server.
Information note: Data gateway procedures that need to be performed in the Administration activity center require tenant admin permission.
Qlik Data Gateway – Direct Access setup steps
Stage one: Download Qlik Data Gateway – Direct Access
- In the Administration activity center, select Data gateways.
  Any existing data gateways will be listed in a table showing basic information about each gateway.
- Click the Deploy toolbar button.
  The Deploy Data Gateway dialog opens.
- Select Data Gateway – Direct Access, accept the Qlik Customer Agreement, and click Download. The Direct Access gateway setup file (qlik-data-gateway-direct-access.exe) will be downloaded to your machine.
Stage two: Install the Direct Access gateway on a server behind the firewall protecting your data sources
This stage involves installing the Direct Access gateway. You can either install Direct Access gateway interactively or silently.
Interactively installing Direct Access gateway
- When the download is complete, copy the setup file to a Windows Server machine behind the firewall. Make sure the machine can communicate with your data source.
- Open the file to launch the Setup Wizard. Continue clicking Next until setup is complete.
Silently installing, upgrading, and uninstalling Direct Access gateway
Information note: Supported from Direct Access gateway 1.6.4.
Installing Direct Access gateway silently is useful, for example, if you need to install Direct Access gateway on several machines throughout your organization.
Prerequisites
Make sure to install the correct version of all the prerequisite software before beginning the silent installation as, unlike the interactive installation, this cannot be done during the installation.
Installing or upgrading Direct Access gateway
Open a CMD prompt as administrator and run the following command from the folder containing the Direct Access gateway executable:
qlik-data-gateway-direct-access.exe /S installpath="full-path" AcceptEula=yes
Where full-path should be replaced with the actual installation path in quotation marks, for example, "C:\TMP\qlik".
Information note: Setting the AcceptEula parameter to "yes" is required. By setting the AcceptEula parameter to "yes", you agree to the terms of the Qlik Customer Agreement.
Uninstalling Direct Access gateway
Open a CMD prompt as administrator and run the following command from the folder containing the Direct Access gateway executable:
qlik-data-gateway-direct-access.exe /S /uninstall
Troubleshooting the installation
The installation log files provide information that should help you (or Qlik Support) troubleshoot any failures. The full path to the log file is:
C:\Users\<user>\AppData\Local\Temp\qlik Data Gateway – Direct Access_<Timestamp>.log
Stage three: Set up Direct Access gateway
This stage includes setting your Qlik Cloud tenant URL, optionally setting a proxy server, and generating a registration key. You will need to copy the key to the data gateway settings in the Administration activity center (in stage three below). The key is used to establish an authenticated connection between the Direct Access gateway and the Qlik Cloud tenant.
On the Direct Access gateway machine, open a Command Prompt as an administrator and change the working directory to the ConnectorAgent subfolder (C:\Program Files\qlik\ConnectorAgent\ConnectorAgent with a default installation).
Then, continue as described below.
Setting the Qlik Cloud tenant
Set which Qlik Cloud tenant to connect to. To connect to the tenant via a proxy server, add the relevant parameters to the command as shown below.
Command for setting the Qlik Cloud tenant without a proxy server:
Syntax:
connectoragent qcs set_config --tenant_url your-qlik-cloud-tenant-url
Example:
connectoragent qcs set_config --tenant_url mytenant.us.qlikcloud.com
Command for setting the Qlik Cloud tenant with a proxy server:
Syntax:
connectoragent qcs set_config --tenant_url your-qlik-cloud-tenant-url --proxy_url http://host:port --proxy_username username --proxy_password password
Example:
connectoragent qcs set_config --tenant_url mytenant.us.qlikcloud.com --proxy_url http://myproxy:1212 --proxy_username admin --proxy_password f56weqs@
For information on proxy limitations, see Connecting to Qlik Cloud via a proxy server.
Setting the CA bundle
The CA bundle authenticates the identity of the Qlik Cloud tenant, thereby ensuring a trusted connection.
Who needs to set the CA bundle?
The CA bundle only needs to be set if you are:
- A Qlik Cloud Government customer
- A Qlik Cloud commercial customer using a security appliance that acts as a proxy and replaces the certificate information received from the Internet with its own CA root certificates
Which bundle should I use?
Customers should either use the Qlik CA bundle or bring their own CA bundle, as follows:
- Qlik provides the CA bundle: Should be used by Qlik Cloud Government customers with a standard environment. A standard environment is an environment that does not have a security appliance that acts as a proxy and replaces the certificate information received from the Internet with its own CA root certificates.
  In a default Direct Access gateway installation, the CA bundle file can be found in the following location: C:\Program Files\qlik\ConnectorAgent\caBundle\qcg_ca_bundle.pem
  Information note: You can rename the CA bundle file, but make sure that it has a .pem extension (for example, qlikcerts.pem). Then, run the command(s) described below.
- Customers bring their own CA bundle: Should be used if the customer’s environment is using a security appliance that acts as a proxy and replaces the certificate information received from the Internet with its own CA root certificates. If those certificates are self-signed, then in addition to the command for setting the CA bundle, you also need to run the command for allowing the CA bundle. Both of these commands are described below. This applies to both Qlik Cloud Government customers and Qlik Cloud commercial customers alike.
Command for setting the CA bundle
Run the following command to set the CA certificate bundle:
Syntax:
connectoragent qcs set_config --ca_bundle_path path-to-ca-bundle-file
Example:
connectoragent qcs set_config --ca_bundle_path c:\ca\cacerts.pem
Command for allowing the CA bundle
Some environments use a security appliance that acts as a proxy and replaces the certificate information received from the Internet with its own CA root certificates. This command only needs to be run if the security appliance itself uses a self-signed certificate. In such a case, the CA bundle might not be trusted unless you run the following command:
connectoragent qcs set_config --ca_bundle_allow_invalid_certs true
Information note: If you are not sure whether your environment is using such a security appliance, please contact your IT administrator.
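Before pointing --ca_bundle_path at a bundle, it helps to see exactly which certificates the gateway will be told to trust. The following added PowerShell example (not Qlik code) parses a PEM bundle and lists each certificate's subject, issuer, CA flag, validity and thumbprint, so the entries can be compared with what your IT administrator or security appliance vendor publishes; the default path is the bundle location given above.

```powershell
# Added example, not Qlik code: list what a PEM CA bundle would make the gateway trust.
param(
    # Default bundle location from the text above; pass your own bundle's path instead.
    [string]$BundlePath = 'C:\Program Files\qlik\ConnectorAgent\caBundle\qcg_ca_bundle.pem'
)

$pem    = Get-Content -LiteralPath $BundlePath -Raw
$blocks = [regex]::Matches($pem,
    '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----')
if ($blocks.Count -eq 0) { throw "No PEM certificate blocks found in $BundlePath" }

$now   = Get-Date
$certs = foreach ($block in $blocks) {
    # PEM body is base64 of the DER certificate; strip line breaks before decoding.
    $der   = [Convert]::FromBase64String(($block.Groups['b64'].Value -replace '\s', ''))
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    $basic = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        # Heuristic: subject equals issuer. The signature itself is not verified here.
        SelfIssued = ($cert.Subject -eq $cert.Issuer)
        # False also for old v1 roots, which carry no basic constraints extension.
        IsCA       = [bool]($basic -and $basic.CertificateAuthority)
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        InValidity = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        Signature  = $cert.SignatureAlgorithm.FriendlyName
        Thumbprint = $cert.Thumbprint   # SHA-1 of the DER encoding
    }
}
$certs | Format-List

# Entries that deserve a second look before the bundle is put into use.
$review = @($certs | Where-Object { -not $_.IsCA -or -not $_.InValidity })
if ($review.Count -gt 0) {
    Write-Warning ('{0} of {1} entries are not marked as CA certificates or are outside their validity period.' -f $review.Count, @($certs).Count)
}
```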
Generating and showing the registration key
The key is used to establish an authenticated connection between the Direct Access gateway and the Qlik Cloud tenant.
Command for generating the registration key
connectoragent qcs generate_key
Command for showing the registration key
connectoragent qcs get_registration
The key is shown.
Copy the entire key as shown in the example above. You will need to paste it into the Administration activity center in the next stage.
Stage four: Return to the Administration activity center and register the data gateway
- In the Administration activity center, select Data gateways.
  Any existing data gateways will be listed in a table showing basic information about each gateway.
- Click the Create toolbar button.
  The Create data gateway dialog opens.
- Specify a name for the data gateway.
- Optionally, provide a description for the data gateway.
- From the Data gateway type drop-down list, select Direct Access.
- From the Associated space drop-down list, select a space.
  When associating the Direct Access gateway with a space, you should be aware of the following:
  - Data gateways can be created in Shared or Managed spaces only
  - To be able to create a data connection in one space that uses a data gateway from another space, you must have the Can consume data role in the data gateway space.
  - To be able to create a data gateway, the user needs to be a space owner or have the Can manage role. In addition, the user needs Professional or Full User entitlement. Assign Professional entitlement manually or by turning on Enable dynamic assignment of professional users in the Administration activity center.
    For more information on user entitlements and dynamic assignment of professional access, see Managing user entitlements
  - Data gateways can be associated with a single space only.
- Paste the registration key you generated earlier into the Key field.
- Click Create.
  The data gateway is added, enabled, to the Data gateways list.
Stage five: Start the Qlik Data Gateway – Direct Access service on the Direct Access gateway server
On the Direct Access gateway server, do one of the following to start the service:
- Open the Windows Services console and start the Qlik Data Gateway – Direct Access service.
- Open a Command Prompt as an administrator and change the working directory to the ConnectorAgent subfolder (C:\Program Files\qlik\ConnectorAgent\ConnectorAgent with a default installation). Then, run the following command:
  connectoragent service start
  A confirmation that the service started successfully will be shown.
See also: Running the service under a different account
Stage six: Add a connection to your data source
Locate your gateway in the Data gateways list and verify that its state is "Connected" (you might need to refresh your browser to see the current status). You can then proceed to add a connection to your data source.
There are several ways you can load data from data sources:
The list of available data sources will contain duplicate entries for those data sources that support gateway connectivity. Gateway-compliant data sources can be identified by the words "via Direct Access gateway", which appear in parentheses after the source type.
Gateway-compliant source connection example
Information note: The Add data connection dialog for gateway-compliant data sources has an extra Direct Access gateway field that allows you to select which gateway to use.
Supported data sources
- ODBC sources. For more information, see ODBC databases ‒ Qlik Cloud.
- SAP BW and SAP SQL sources. Requires Direct Access gateway 1.2.0 or later.
  For information on setting up connectivity to these sources, see SAP NetWeaver.
General limitations and considerations
- Direct Access gateway can connect to a single tenant only.
- If, for any reason, the Direct Access gateway server is rebooted during a Qlik application reload, the reload will fail. Restart the Qlik application reload to refresh the data.
- Reload script queries cannot exceed 500,000 characters.
  For information on reload scripts, see Reloading script.