Configuration File Structure
The Sentinel LDK Envelope configuration file is an XML file that contains the protection and licensing attributes used by Sentinel LDK Envelope to package a protected application. The Sentinel LDK Envelope command-line utility linuxenv reads the configuration file and applies the protection and licensing attributes to a Linux application. A separate configuration file can be used for each protected application.
This topic describes the XML tags and the structure of the tags that make up the configuration file. A sample configuration file is also available. The sample configuration file envconfig.cfgx is provided for Linux users under the following directory in the Sentinel LDK installation for Linux: Linux/VendorTools/Envelope
Configuration File Tags
The table below describes the relevant XML tags available in the Sentinel LDK Envelope configuration file. Each opening tag must be followed by a value and corresponding closing tag, according to the following syntax: <tag>value</tag>
If you do not provide a value for a tag or if you do not specify a given tag, the default value indicated in the table is applied by Sentinel LDK Envelope.
| XML Tag | Parent XML Tag |
Description | Values |
|---|---|---|---|
| <CONFIG> | No parent | Root tag of the configuration file tree. | |
| <INFO> | <CONFIG> | Container that holds information on the configuration file. | |
| <VERSION> | <INFO> | Version of the configuration file. | Default: 1.1 |
| <COMMENT> | <INFO> | Comment on the configuration file. | |
| <PLATFORM> | <INFO> | Platform on which the protected application will run. | Linux.ELF |
| <KEY_TYPE> | <INFO> | Type of protection system used. | Default: Sentinel LDK |
| <FILE_PROFILE> | <CONFIG> | Container that holds application-specific settings. | |
| <INPUT_FILE> | <FILE_PROFILE> | Absolute or relative path of the application file to protect. The path cannot contain any special characters. |
Envelope supports protection of the following file types: > Linux executables > Linux shared objects (*.so) |
| <OUTPUT_FILE> | <FILE_PROFILE> | Absolute or relative path of the output location for the protected application file. The path cannot contain any special characters. | |
| <BACKGROUND_CHECK> | <FILE_PROFILE> |
Set a time interval for periodic background checks for a protection key. Regardless of the setting for this tag, the License Manager checks for the required license when the application is started. For more information, see Behavior of Periodic Background Check. |
Integers= Time intervals (in seconds) for background checks 0=Background checks are disabled Default: 300 |
| <IGNORE_BACKGROUND_CHECK> | <FILE_PROFILE> |
Number of grace periods to grant the user if a background check determines that the required protection key is not connected. This tag is only applicable if <BACKGROUND_CHECK> is enabled. For more information, see Behavior of Periodic Background Check. Note: For applications that execute in a Docker container, this parameter must be set to -1. Abort and Retry options are not supported. |
-1 = Only provide Retry option (Default value) 0 = Provide Abort and Retry options 1-254 = Provide Abort and Retry options, and provide Ignore option to allow the specified number of grace periods 255 = Provide Abort and Retry options, and provide Ignore option with unlimited grace periods. |
| <MESSAGE_OUTPUT_MODE> | <FILE_PROFILE> |
Options for displaying/logging end user messages. You can select one or more options. Separate multiple entries by commas. Note: When you protect an application with output option 1 (the default setting), the protected application requires XServer at runtime. A GUI-based application always requires XServer for its own user interface in any event. However, for a command-line application, GUI output is not recommended, because the command-line application will then require XServer specifically for output of Envelope messages. Thales recommends that you protect a command-line application with the output option of 4, and not with the default setting. With output option 1: If XServer is not installed or is not working properly on the end user machine, then on any error or warning, the message “No Protocol specified” will be displayed on the terminal that the user is using to run the protected application. |
0 = No message output 1 = GUI message box 4 = Output to console 5 = Output to GUI and console Default: 1 |
| <CONSOLE_CONFIGURATION> | <FILE_PROFILE> | Character width (if message output mode is set to standard error). The console does not allow mixed output. Therefore, you must set this switch according to the behavior of your console application. |
1=char 2=wchar_t Default: 1 |
| <ENCRYPTION_LEVEL> | <FILE_PROFILE> |
Encryption level for the executable code. As you increase the encryption level, the security of the protected application increases. However, the start-up time also increases. Select the highest level that does not cause an unacceptable start-up delay. |
1 to 5 Default: 4 |
| <EXCLUDE_SECTIONS> | <FILE_PROFILE> |
The encryption of certain ELF binary sections may impact the runtime performance (in terms of vmRSS) on devices where swap area is not supported. You can use this tag to disable the encryption of one or more sections. For example: <EXCLUDE_SECTIONS> <EXCLUDE_SECTION>abc</EXCLUDE_SECTION> <EXCLUDE_SECTION>xyz</EXCLUDE_SECTION> </EXCLUDE_SECTIONS> |
|
| <ALLOW_DEBUG> | <FILE_PROFILE> |
Whether to allow debugging for the protected application. This feature is applicable for both executables and shared objects. |
0=Disallow debugging 1=Allow debugging Default: 0 |
| <ALLOW_MEMDUMP> | <FILE_PROFILE> |
Whether to allow memory dumps for the protected application. If memory dumps are disallowed: > Core file will not be generated in case of application failure. > Debugging for the protected application is automatically disallowed. This overrides the setting for <ALLOW_DEBUG>. This feature is applicable for both executables and shared objects. NOTE When debugging is allowed, memory dumps are also allowed regardless of the setting for the <ALLOW_MEMDUMP> tag. (Protection against memory dumps does not work when debugging of the protected application is allowed.) For information on taking memory dumps. see the description of --memdump . |
0=Disallow memory dumps 1=Allow memory dumps Default: 0 |
| <ALLOW_RANDOMIZE> | <FILE_PROFILE> | Whether section information should be randomized. |
0=Disabled. The symbol table is removed. Thales recommends this option. 1=Partial. The symbol table is retained; only strings are randomized. 2=Full. The symbol table is also randomized. Default: 0 |
| <DATA_FILE_PROTECTION> | <FILE_PROFILE> |
Whether the Data Protection module should be inserted into the protected application. This module enables the protected application to access data files that were protected with the Sentinel LDK Data Protection utility. For more information, see the description of protecting data files in the |
0=Do not insert. 1=Insert. Default: 0
|
| <KEEP_SYMBOL_TABLE> | <FILE_PROFILE> |
Whether to preserve a shared object’s symbol section in the protected shared object to enable linking against it at build time. Not applicable for executables. Note: This option adds additional imports from pthread and dl shared objects into a protected shared object. Thus, it is required to resolve pthread and dl dependencies at build time. The following example compiles the main application with a protected shared library: |
1 = Preserve 0 = Do not preserve Default: 0 |
| <HASP_PROFILE> | <CONFIG> | Container that holds Sentinel-specific settings. | |
| <VENDOR_CODE> | <HASP_PROFILE> | Vendor Code string for the Sentinel protection key. | Vendor code string |
| <LOGIN_SCOPE> | <HASP_PROFILE> |
Definition of the data that is to be searched for the Sentinel licenses, in XML format. Within the <LOGIN_SCOPE> element, the characters “ Example How to use the login_scope element for protection for a specific Key ID (hasp id): <LOGIN_SCOPE> <?xml version="1.0" encoding="UTF-8"?> <haspscope> <hasp id="1183674833" /> </haspscope> </LOGIN_SCOPE> Note: For information on the syntax for these parameters, see the topic "Scope Input XML Tags" in the Sentinel Licensing API Reference. You can also paste a login scope that was created using Sentinel LDK ToolBox into this element, replacing the “ |
Default: <haspscope/> |
| <FEATURE_ID> | <HASP_PROFILE> | Identifier of the protected Feature. The protected application will search for this Feature ID in the Sentinel protection key. |
Default: 0 Other values depend on the type of Sentinel protection key. |
| <PIP_OPT_OUT> | <CONFIG> |
Envelope collects data on the ways that Sentinel LDK Envelope is used by vendors to protect their software applications. This information enables us better understand which features are most important to you and where to allocate resources to improve the Sentinel LDK product. The information accumulated is stripped of identifying elements before transmission to Thales. For information on the information accumulated, see Product Improvement Program: Data Transferred. You have to option to discontinue your participation in this program. |
0 = Envelope collects and transmits data to Thales. Thales recommends this option. 1 = Envelope does not collect and transmit data to Thales. Default: 0 |