This step is only necessary in Qlik Extension installations. You can skip it if you are installing either the Tableau Extension or Quill Extensions API.

A few steps are necessary to allow the Qlik extension(s) on the Extensions server(s) to communicate with your target Qlik server(s):

  1. Retrieve the root cert used to sign Qlik servers and install it on Extension servers
  2. Set up virtual proxy headers within Qlik Admin console
  3. Perform sample curl from Extensions server

1. Retrieve the root cert used to sign Qlik servers

If you have access to the root certificate used to sign the Qlik Server certificate, you should install it on the server that contains the licensing agent. This will allow requests to the Qlik Repository Service to trust the Qlik SSL certificate. 


  1. Install the ca-certificates package:
    yum install -y ca-certificates
  2. Enable the dynamic CA configuration feature:
    update-ca-trust force-enable
  3. Copy the root certificate to CentOS's certificate source folder:
    cp root.crt /etc/pki/ca-trust/source/anchors/
  4. Run command:
    update-ca-trust extract

You can verify that the certificate was successfully added to the certificate bundle by searching for a fragment of the certificate in the extracted file:

  • grep <line in root.crt> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

If the above command outputs a found line (exit code 0), the certificate installation was successful.

2. Set up virtual proxy headers within Qlik Admin console

Before installing the Qlik Extension, you will need to set up a virtual proxy in your Qlik Management Console to enable licensing. Please use the steps below: 

  1. Launch the Qlik Management Console (https://<Qlik Sense server host>/qmc)
  2. Navigate to “Virtual Proxies”
  3. Click “Create new”
  4. Fill out the following sections’ fields:
  • Identification
    • Description: header-authentication
    • Prefix: hdr
    • Session inactivity timeout: 300
    • Session cookie header name: X-Qlik-Session-hdr
  • Authentication
    • Anonymous access mode: No anonymous user
    • Authentication method: Header authentication dynamic user directory
    • Header authentication header name: hdr-usr
    • Header authentication dynamic user directory: $ud\\$id
  • Load balancing
    • A server node needs to be added as a load balancing node to instruct the virtual proxy to use a specific proxy to route requests.
    • Select “Add new server node” and select the node you’d like to add (e.g., Central)

5. Click “Apply”

6. Click on “Proxies” under the “Associated items” section

7. Log out and log back into the QMC

  • In order for the virtual proxy to work, it needs to be linked to a main proxy. To add a proxy to the virtual proxy, click the Link button.
  • When the Select proxy services window appears, click the proxy to link the virtual proxy to and click Link.

8. Restart the Qlik Engine and Proxy through Windows Service Manager

The final state in the Qlik Management Console should look like this:

3. Perform a sample curl from Extensions server (the Linux server where you installed the API)

When you have finished the instructions above, run the following command from the machine where Narratives for Qlik will be installed:

curl https://<Qlik Sense server host>/hdr/qrs/about/?xrfkey=123456789ABCDEFG -H 'X-Qlik-xrfkey: 123456789ABCDEFG' -H 'hdr-usr: <User Directory\Name>'
  • Replace <Qlik Sense server host> with the hostname of your Qlik Sense server (e.g.,
  • Replace <User Directory\Name> with the full username of an Admin in your Qlik Sense site (e.g., MYCOMPANY\pgriffin)

If it succeeds you should see the following output:

{“buildVersion”:””,”buildDate”:”9/20/2013 10:09:00 AM”,”databaseProvider”:”Devart.Data.PostgreSql”,”nodeType”:1,”schemaPath”:”About”}

If the response contains an error message about an insecure SSL connection, your server does not trust the Qlik Server certificate. Follow the instructions in Step 1 above to install the Qlik root certificate onto your server.