Overview
Vendor-hosted cloud licensing provides vendors with a simplified method of distributing and managing software licenses for their protected applications. However, this method also obligates the vendor to ensure that the Sentinel LDK License Manager server (referred to below as license server) for the hosted cloud licenses is available at all times.
To support high availability for license servers, multiple license servers are typically used. A load balancer distributes license requests among the license servers to ensure that all requests are processed without delay. In the event that one of the license servers fails, the remaining license servers provide high availability without causing any downtime or loss of licenses. Some solutions for redundant license servers use a 2-out-of-3 licensing concept to limit license abuse.
Challenges with Redundant License Manager Schemes
Traditional on-premises redundant License Manager schemes face the following challenges:
>License seat management
If the license is a network license, the failover system must be able to handle distribution of network seats between the primary and secondary License Manager dynamically, and the system must be able to prevent license abuse by unscrupulous customers.
>License persistent data sync
If the license contains persistent data such as an execution counter, and the counter is exhausted in one License Manager, the failover system must be able to cope with this when switching to an alternate License Manager.
>License activation/update
Traditionally, each License Manager must be capable of handling, activating and updating the licenses that it manages.
The License Manager provided by default by Sentinel LDK stores licenses in a "secure storage". This type of storage can be accessed and updated only by the specific License Manager that is used to create it. As a result, this type of License Manager is not suited for use with a failover system. It is not possible to synchronize license data among License Managers that use secure storage.
Trusted License Storage Solution
With Sentinel LDK 8.3 and later, a License Manager can be configured to support "trusted license storage". Licenses are stored in an external MySQL database. This type of storage can be accessed and updated by multiple License Managers. As a result:
>You can set up a MySQL database cluster to serve as a trusted license storage. MySQL allows you to back up and restore the database without clone protection issues. The database cluster can provide database backup and failover and ensure uninterrupted access to the license information.
>You can set up multiple License Managers to support high availability. All the License Managers can use the same trusted license storage.
This solution poses none of the challenges described above for traditional on-premises redundant License Managers. Sentinel LDK License Managers can be configured to support active-passive (backup) or active-active high availability deployment.
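A simplified model of the seat-management challenge and of why a single shared store avoids it, as an added example (not Sentinel LDK code). In-memory SQLite stands in for the MySQL trusted license storage; the `license` table, its columns, the seat counts and both manager classes are hypothetical.

```python
import sqlite3

SEATS = 5      # network seats in the license (constructed value)
MANAGERS = 3   # License Managers behind the load balancer (constructed value)

class LocalStoreManager:
    """Manager with private storage: each copy counts seats on its own."""
    def __init__(self, seats):
        self.free = seats
    def login(self):
        if self.free == 0:
            return False
        self.free -= 1
        return True

class SharedStoreManager:
    """Stateless manager: all seat state lives in one shared database."""
    def __init__(self, db):
        self.db = db
    def login(self):
        # The check and the increment are one conditional UPDATE, so two
        # managers can never both hand out the last seat.
        cur = self.db.execute(
            "UPDATE license SET in_use = in_use + 1 "
            "WHERE id = 1 AND in_use < seats")
        self.db.commit()
        return cur.rowcount == 1

def make_shared_db(seats):
    # Hypothetical one-row schema, not the Sentinel LDK schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE license (id INTEGER PRIMARY KEY, seats INT, in_use INT)")
    db.execute("INSERT INTO license VALUES (1, ?, 0)", (seats,))
    db.commit()
    return db

def granted(managers, requests):
    """Round-robin the requests over the managers, as a load balancer would."""
    return sum(managers[i % len(managers)].login() for i in range(requests))

def compare(seats=SEATS, n=MANAGERS, requests=20):
    local = [LocalStoreManager(seats) for _ in range(n)]
    db = make_shared_db(seats)
    shared = [SharedStoreManager(db) for _ in range(n)]
    return granted(local, requests), granted(shared, requests)

if __name__ == "__main__":
    over, bounded = compare()
    print(f"private storage granted {over} seats, shared storage granted {bounded}")
```

With private storage the seat total scales with the number of managers, which is the abuse case a failover scheme has to prevent; with shared storage the limit holds no matter which manager answers or which one fails.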
This feature is available for subscription vendors. The trusted license storage (MySQL) is adapted to enable high availability.
Your License Managers are installed on multiple machines. This setup significantly reduces the possibility that a single point of failure will disrupt the availability of licenses to your customers.
Using a MySQL database for cloud license storage provides the following advantages:
>The License Manager is much faster at startup as V2C files do not need to be preprocessed.
>Only the database has state, removing the need for any kind of storage on the license server machines.
>Performance on write operations is improved because the operations do not require the security features.
This document describes how you can configure your license servers to ensure high availability.
Migrating Licenses to the Trusted License Storage
When you configure a license server machine with existing licenses for high availability, the licenses are automatically migrated to the trusted license storage (MySQL database).
Migration only occurs if the MySQL database is empty when it is first connected to the License Manager.
The original licenses remain in the secure storage on the license server machine, but they are no longer accessed or maintained by the License Manager.
NOTE After moving from a local database (SQLite) to the trusted license storage (MySQL database), performance becomes dependent on the network performance and MySQL server performance.
Prerequisites
The following prerequisites must be satisfied in order to configure or use high availability for Sentinel LDK:
>You must have the Cloud License module in your Sentinel LDK Master License.
>The Pool of New SL Keys (Feature ID 3) and SL Pool of Seats (Feature ID 4) must be subscription-based or perpetual (and not metered).
>The cloud license server machines must be Linux machines.
>For the active-active configuration, the Run-time Environment on each cloud license server must be version 8.41 or later.
NOTE If your Master License does not satisfy the prerequisites listed above, you can still evaluate high availability for cloud licensing by using a MySQL database for cloud license storage with the DEMOMA Batch Code.
Machine Requirements
Machine requirements depend on the actual workload (for example, the number of clients that you want to support).
If you are using Google Cloud Platform and Kubernetes, all the resources can be adjusted on demand.
Thales suggests an initial configuration as follows:
>NGINX machine: 2 CPUs and 1 GB RAM
>Each License Manager Service machine: 2 CPUs and 2 GB RAM
>MySQL machine: 4 GB RAM
The solution described in this document is compatible with deployment using Kubernetes and with the Google native load balancer.
Limitations
>SL Legacy licenses are not supported on the MySQL database.
>When high availability is implemented, clients' machines are not able to report the number of currently-available network seats. As a result:
•In Admin Control Center, the Products page > Available column always reports the total number of network seats defined, ignoring the number of seats in use.
•In Sentinel Licensing API, the currentlogins field in the hasp_get_sessioninfo() request always reports 0.
Requests to Sentinel Admin API (directed to the server) can be used to retrieve the effective number of seats in use.
Detaching/Rehosting Licenses
When using cloud License Managers with MySQL trusted storage:
>The following actions are not supported:
•Rehosting from trusted storage to secure storage
•Detaching licenses to trusted storage
>The following actions are supported:
•Rehosting from one trusted storage to another trusted storage
•Rehosting from secure storage to trusted storage. (However, this does not result in a usable license unless the license is cloud-enabled.)
•Detaching licenses from trusted storage to secure storage (client)