Implementation for High Availability

This section describes the procedure required to set up high-availability license server machines.

(A license server is a machine on which Sentinel LDK License Manager service is installed.)

Note the following:

> Each machine referred to in this section can be a physical machine or virtual machine.

>The Batch Codes referred to in this section are the Batch Codes that you are using for cloud licensing.

( Deploying a CL Server in Kubernetes on GCP describes how to deploy a cloud license server machine in Kubernetes on Google Cloud Platform.)

Requirements for the License Server Machines

The following are the requirements for Sentinel LDK License Manager when configured for high availability:

>When a load balancer is used, it should be configured to route a given client or session to the same License Manager service (LMS) instance. When the LMS instance changes within a login session, the client API must perform additional communications to establish a new secure channel with the new LMS instance. This occurs transparently, but it takes time and should be avoided for optimal performance.

>The system time of all the license server machines in the cluster must be synchronized. If the time on one license server machine is ahead of the others, the LMS on that machine terminates all sessions held by the other LMS instances.

>The first LMS to start in the cluster must have creation rights on the MySQL database. Creation rights are required because this LMS creates the new tables.

>For the active-active configuration, you must enable a sticky session load balancing policy.

>The VLIB version must be in sync with the LMS version. Older VLIBs are not supported. If the versions do not match, no license is loaded and an appropriate error is logged.

For a list of supported VLIB versions and the matching LMS versions, see the Sentinel LDK Release Notes.

NOTE      

>Sentinel Licensing API returns the error HASP_CLOUD_STORAGE_BUSY when conflicting requests cannot be handled in a timely manner. This error is not expected to occur unless an unexpected deadlock condition in the database is reached or the license server machine is starved of resources. The client can detect this special condition by checking for this error.

>In Admin Control Center 8.41 and later, the access to remote LMs is always disabled. The configuration panel Access to Remote License Managers is not present.

Setting Up the License Server Machines

To set up high-availability license server machines:

1.Configure the DNS Service and Reverse Proxy in your data center to satisfy the requirements described in High-Level Architecture.

2.Install MySQL on a machine that will serve as the database server for trusted license storage.

It is not necessary to create a license storage database on the server. The license storage database will be created automatically as described later in this procedure.

NOTE     

>You will have complete control over this database and are responsible for the security of the database.

>If necessary, you can reduce the load on the MySQL database by relaxing ACID compliance. For details, see Configuring MySQL for Relaxed Durability.

3.Set up the license server machines.

Set up the two license server machines to serve as the active license servers using either of the methods described below.

NOTE   You can use an existing license server machine for one of the machines. Any licenses already present on the license server machine will be automatically migrated to the trusted license storage in the MySQL database. For details, see Migrating Licenses to the Trusted License Storage.

Using a generated RTE installer

i.Obtain the Run-time Environment Installer that is generated by the Master Wizard when you introduce your Vendor keys. For more information, see Introducing Your Sentinel Vendor Keys to Sentinel LDK.

ii.Install the Sentinel LDK Run-time Environment (RTE) on the two machines that will serve as the active license server machines.

If you are using multiple Batch Codes, copy the VLIBs for any additional Batch Codes to the /var/hasplm directory on each machine.

Using a Docker image

A Docker image that contains an installed Sentinel LDK Run-time Environment is available.

i.Download the Docker image from https://hub.docker.com/u/thalesgroupsm.

(The Dockerfile used to build this Docker image can be viewed here.)

ii.Import the downloaded Docker image on the two machines that will serve as the active license server machines. Use the following command on each machine:

docker image import sentinel-ldk-rte.tar imagename:version

iii.Copy your Vendor libraries (VLIBs) for all Batch Codes to the /var/hasplm directory on each license server machine.

4.Configure each license server machine.

On each license server machine, configure the options described below.

You can specify options:

>As entries in the hasplm.ini file. (Recommended method)

>As environment variables defined on the machine. (Use this option when working with Docker.)

>In the mysql.cnf configuration file.

In the mysql.cnf configuration file, the [sentinel_ldk] section is read. The [client] section is also read, as with any generic MySQL client application. (Specify the location of the mysql.cnf file in the hasplm.ini file.) For a typical high availability configuration, the use of a CNF file is not required, as the other options that are available in the hasplm.ini file are typically enough.

NOTE   When you perform the initial startup of the LMS on the two license server machines (later in this procedure), the configuration parameters that you specified in the hasplm.ini file are copied to the MySQL database. Once this occurs, the configuration parameters in the MySQL database take precedence over parameter values in the hasplm.ini file, so editing hasplm.ini after the initial startup does not change these parameters. Any changes that you make to the configuration parameters using the Admin API or Admin Control Center are written directly to the database; no changes are written to the hasplm.ini file.

The table below describes the available configuration options as hasplm.ini entries and as environment variables.

Note that the four entries database_mysql_host, ...user, ...password and ...port (or their environment variables) and the entry database_mysql_cnf are alternative ways to configure the same MySQL connection. The database_mysql_cnf option is more powerful, as it allows you to configure additional options, such as SSL support.

File entry / Environment variable
    Notes

database / HASPLM_DATABASE
    Specify the value: mysql. (This entry is required even when the MySQL CNF file is used.)

database_mysql_host / HASPLM_DATABASE_MYSQL_HOST
    The host machine where MySQL is located.

database_mysql_user / HASPLM_DATABASE_MYSQL_USER
    User name for the MySQL account to use to connect to the database.

database_mysql_password / HASPLM_DATABASE_MYSQL_PASSWORD
    Password for the above MySQL account.

database_mysql_port / HASPLM_DATABASE_MYSQL_PORT
    Port on the database server for connecting to the database. Default: 3306

database_mysql_database / HASPLM_DATABASE_MYSQL_DATABASE
    Name of the MySQL database to create. Default: sentinel_ldk

    This is similar to the database option in my.cnf. However, when this option is specified in the hasplm.ini file, the database is created automatically if it does not yet exist. The same option in my.cnf causes the connection to fail if the specified database does not exist.

database_mysql_library / (no environment variable listed)
    Path of the MySQL client library. Default for Linux: libmariadb.so.3
    In Linux, install libmariadb.so.3 using the distribution package manager.

database_mysql_cnf / HASPLM_DATABASE_MYSQL_CNF
    Path of the MySQL configuration file. Only needed when you configure the connection through a MySQL CNF file.

    The default is my.cnf in the standard MySQL search directories. In this file the [sentinel_ldk] section is read. The [client] section is also read, as in any generic MySQL client application.

    This entry is only required if you are using the MySQL configuration file to configure high availability. The MySQL configuration file is not strictly required for normal use, as the options in the License Manager INI file are typically enough to handle the required configuration.

cloud_portal / HASP_CLOUD_PORTAL
    Whether Sentinel Admin Control Center should display a message that Sentinel LDK Cloud Portal is being used to manage client identities for this LMS. If yes, assign the value 1 to this variable; otherwise, assign the value 0 or do not define this variable.

    Notes:

    >The message is only displayed after Sentinel LDK Cloud Portal has been used at least once to create client identities.

    >Setting this variable to 1 does not block Sentinel Admin Control Center from being used to manage client identities. However, Thales recommends that you not use Sentinel Admin Control Center to manage client identities once Sentinel LDK Cloud Portal has been implemented.

rate_token_max / (no environment variable listed)
    Maximum number of tokens in the bucket for rate limiting. This is also the starting value for the number of tokens in the bucket. Default: 0

    If rate_token_max or rate_token_period_ms is 0, rate limiting is disabled.

    For details, see Sentinel LDK Software Protection and Licensing Guide.

rate_token_period_ms / (no environment variable listed)
    Interval (in milliseconds) at which a new token is added to the bucket for rate limiting. For example, a value of 1000 means that a new token is added every second. Default: 0
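The rate_token_max and rate_token_period_ms entries describe a token bucket. The following Python model is added here as an illustration and is not Sentinel LDK code: it implements the semantics stated in the table (capacity and initial fill are rate_token_max, one token is added per rate_token_period_ms, and limiting is disabled when either value is 0) so that you can predict how a burst of license requests would be admitted for a given pair of values. The page does not say what the License Manager does with a request it rejects, so that is not modelled; that one request costs one token, that a request finding no token is refused, and that the caller supplies the clock in milliseconds are this example's own assumptions.

```python
"""Token-bucket model of the rate_token_max / rate_token_period_ms options.

Added illustration, not Sentinel LDK code.  Assumptions (not stated on the
page): one request consumes one token, a request that finds no token is
refused, and time is supplied by the caller in milliseconds so that the
behaviour can be reproduced deterministically.
"""


class TokenBucket:
    def __init__(self, rate_token_max: int, rate_token_period_ms: int) -> None:
        if rate_token_max < 0 or rate_token_period_ms < 0:
            raise ValueError("rate_token_* values must be non-negative integers")
        self.capacity = rate_token_max
        self.period_ms = rate_token_period_ms
        # The bucket starts full: rate_token_max is also the starting value.
        self.tokens = rate_token_max
        # Timestamp (ms) up to which refills have already been credited.
        self.credited_ms = 0

    @property
    def enabled(self) -> bool:
        # Either value being 0 disables rate limiting entirely.
        return self.capacity > 0 and self.period_ms > 0

    def _refill(self, now_ms: int) -> None:
        # Credit one token per full period elapsed, never beyond capacity.
        elapsed = now_ms - self.credited_ms
        if elapsed < self.period_ms:
            return
        periods = elapsed // self.period_ms
        self.tokens = min(self.capacity, self.tokens + periods)
        self.credited_ms += periods * self.period_ms

    def allow(self, now_ms: int) -> bool:
        """Return True if a request arriving at now_ms is admitted."""
        if not self.enabled:
            return True
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(rate_token_max: int, rate_token_period_ms: int, arrivals_ms):
    """Admission decision for each request timestamp (ms, non-decreasing)."""
    bucket = TokenBucket(rate_token_max, rate_token_period_ms)
    return [bucket.allow(t) for t in arrivals_ms]


if __name__ == "__main__":
    # Constructed workload: 8 logins arriving at once, then a trickle.
    burst = [0] * 8
    trickle = [1000, 1000, 2999, 3000]
    print("max=5, period=1000ms:", simulate(5, 1000, burst + trickle))
    print("max=0 (disabled)    :", simulate(0, 1000, burst))
```

With rate_token_max = 5 and rate_token_period_ms = 1000, the first five requests of a burst are admitted, the remaining three are refused, and from then on one request per second gets through; a long idle period refills the bucket only up to rate_token_max.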

A typical hasplm.ini file would contain the following. (The samples below use the root account for brevity; in production, create a dedicated MySQL account that holds privileges only on the license storage database. Table creation rights are needed on the first start, as described in the requirements above. Use that account here.)

database = mysql
database_mysql_host = 192.168.1.235
database_mysql_user = root
database_mysql_password = Password1!
database_mysql_port = 3306

A typical my.cnf file would contain the following:

[mysqld]
port = 3306

[sentinel_ldk]
port = 3306
password = Password1!
user = root
server = 192.168.1.235
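The following Python helper is added here and is not part of Sentinel LDK. It reads a hasplm.ini of the form shown above, reports mistakes against the option table (a missing database = mysql entry, a missing host when no CNF file is given, an empty password, a non-numeric port, use of the root account), fills in the table defaults to show what the LMS would run with, and renders the HASPLM_* environment block that gives the Docker method the same settings, so the two configurations cannot drift apart. The option names and defaults are taken from the table; which conditions count as problems is this script's own choice, and the sample ini is constructed for the example.

```python
"""Lint a cloud-licensing hasplm.ini against the option table above and render
the equivalent HASPLM_* environment block for Docker.

Added example, not Sentinel LDK code.  Option names and defaults are taken from
the table; which conditions are reported as problems is this script's choice.
"""

import configparser

# Defaults stated in the option table.
DEFAULTS = {
    "database_mysql_port": "3306",
    "database_mysql_database": "sentinel_ldk",
    "database_mysql_library": "libmariadb.so.3",
    "rate_token_max": "0",
    "rate_token_period_ms": "0",
}

# hasplm.ini entry -> environment variable, as listed in the table.
ENV_NAMES = {
    "database": "HASPLM_DATABASE",
    "database_mysql_host": "HASPLM_DATABASE_MYSQL_HOST",
    "database_mysql_user": "HASPLM_DATABASE_MYSQL_USER",
    "database_mysql_password": "HASPLM_DATABASE_MYSQL_PASSWORD",
    "database_mysql_port": "HASPLM_DATABASE_MYSQL_PORT",
    "database_mysql_database": "HASPLM_DATABASE_MYSQL_DATABASE",
    "database_mysql_cnf": "HASPLM_DATABASE_MYSQL_CNF",
    "cloud_portal": "HASP_CLOUD_PORTAL",
}


def parse_hasplm_ini(text: str) -> dict:
    """Flatten a hasplm.ini into {key: value}.  The entries shown above are
    bare key = value lines, so a synthetic section is prepended; real
    [sections], if present, are merged in as well (later sections win)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string("[_top]\n" + text)
    flat = {}
    for section in cp.sections():
        flat.update(cp.items(section))
    return flat


def check(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the entries are
    consistent with the requirements described on this page."""
    problems = []
    if cfg.get("database") != "mysql":
        problems.append("database must be set to mysql (required even when a CNF file is used)")
    uses_cnf = "database_mysql_cnf" in cfg
    if not uses_cnf and "database_mysql_host" not in cfg:
        problems.append("database_mysql_host is missing and no database_mysql_cnf is given")
    if not uses_cnf and not cfg.get("database_mysql_password"):
        problems.append("database_mysql_password is missing or empty")
    if cfg.get("database_mysql_user") == "root":
        problems.append("database_mysql_user is root; use a dedicated account that holds "
                        "privileges only on the license storage database")
    port = cfg.get("database_mysql_port", DEFAULTS["database_mysql_port"])
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"database_mysql_port {port!r} is not a valid TCP port")
    for key in ("rate_token_max", "rate_token_period_ms"):
        value = cfg.get(key, DEFAULTS[key])
        if not value.isdigit():
            problems.append(f"{key} must be a non-negative integer, got {value!r}")
    return problems


def effective(cfg: dict) -> dict:
    """Settings the LMS would actually run with: table defaults overlaid with
    the file's entries, plus whether the rate limiter is active (both non-zero)."""
    eff = dict(DEFAULTS)
    eff.update(cfg)
    limiter_on = all(eff[k].isdigit() and int(eff[k]) > 0
                     for k in ("rate_token_max", "rate_token_period_ms"))
    eff["rate_limiting"] = "enabled" if limiter_on else "disabled"
    return eff


def to_env(cfg: dict) -> dict:
    """Environment variables carrying the same settings (for the Docker method)."""
    return {ENV_NAMES[k]: v for k, v in cfg.items() if k in ENV_NAMES}


# Constructed sample: the hasplm.ini shown above, with a dedicated account.
SAMPLE_INI = """
; cloud licensing settings (constructed sample)
database = mysql
database_mysql_host = 192.168.1.235
database_mysql_user = lms
database_mysql_password = Password1!
database_mysql_port = 3306
"""

if __name__ == "__main__":
    cfg = parse_hasplm_ini(SAMPLE_INI)
    print("problems:", check(cfg) or "none")
    print("effective:", effective(cfg))
    for name, value in to_env(cfg).items():
        print(f"{name}={value}")
```

Run the script against the hasplm.ini you intend to mount into the containers; the printed NAME=value lines can be pasted into the environment block of the Compose file in step 9.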

5.Start the LMS on both license server machines.

NOTE   At this point, if one of the license server machines contains existing licenses, the licenses are migrated to the trusted license storage in the MySQL database. For details, see Migrating Licenses to the Trusted License Storage.

6.Generate fingerprint files.

On one of the active license server machines, use Admin Control Center to generate a fingerprint file (for each Batch Code) for the machine:

a.Start Admin Control Center on the machine.

b.In the navigation pane, click Sentinel Keys.

c.On the Sentinel Keys page, identify the entry at the top of the list for the relevant Batch Code. The Location column contains Local.

d.Click the Fingerprint button in the entry. The fingerprint_batchCode.C2V file is generated.

7.Create trusted storage authorization files.

For each Batch Code, use the relevant fingerprint file generated above to generate a trusted storage authorization V2C file using one of the following methods:

Using Sentinel LDK-EMS: For details, see Sentinel LDK-EMS Configuration Guide .

Using Sentinel License Generation API: For details, see Sentinel License Generation API Reference.

8.Apply the trusted storage authorization files.

Using Admin Control Center on the active license server machine, apply the trusted storage authorization V2C file for each Batch Code:

a.Select Update/Attach from the navigation pane in Admin Control Center.

b.Click Select File and apply the relevant V2C files.

9.Configure the web server.

This step demonstrates how you can use Docker Compose and NGINX to set up the active license server machines.

This demonstration uses two LMS instances (lms1 and lms2) as active license server machines.

Configure NGINX and Docker Compose as follows:

The content of nginx.conf should be similar to the following:

user  nginx;

events {
    worker_connections 1000;
}

http {
    upstream server_lms {
        ip_hash;      # Sticky load-balancing policy: a given client address always reaches the same LMS.
        # By default, this is an active-active setup.
        server lms1:1947;
        server lms2:1947;
        # For an active-passive setup, use the following two lines instead of the two above.
        #server lms1:1947 weight=1 max_fails=3 fail_timeout=10s;
        #server lms2:1947 weight=1 max_fails=3 fail_timeout=10s backup;
    }

    server {
        listen 80;          # Runtime API goes through HTTP.
        listen 443 ssl;     # ACC can be accessed by HTTPS.
        ssl_certificate     /etc/nginx/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

        location / {
            proxy_pass http://server_lms;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

The content of docker-compose.yml should be similar to the following:

version: "3"

services:
  lms_database:
    image: mysql:8.0
    container_name: lms_database
    volumes:
      - lms_db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: root!
      MYSQL_DATABASE: lms
      MYSQL_USER: lms
      MYSQL_PASSWORD: Password1!

  lms1:
    build: .        # or image: imagename:version for the image imported in step 3
    container_name: lms1
    restart: always
    #hostname: lms1
    environment:
      HASPLM_DATABASE: mysql
      HASPLM_DATABASE_MYSQL_HOST: lms_database
      # Connect as the dedicated lms account created by the mysql service above
      # rather than as root. The mysql image grants that account all privileges on
      # the lms database, which covers the table creation on first start.
      HASPLM_DATABASE_MYSQL_USER: lms
      HASPLM_DATABASE_MYSQL_PASSWORD: Password1!
      HASPLM_DATABASE_MYSQL_PORT: 3306
      HASPLM_DATABASE_MYSQL_DATABASE: lms
    volumes:
      - ./haspvlib_x86_64_37517.so:/var/hasplm/haspvlib_x86_64_37517.so
      - ./hasplm.ini:/etc/hasplm/hasplm.ini
    depends_on:
      - lms_database

  lms2:
    build: .        # or image: imagename:version for the image imported in step 3
    container_name: lms2
    restart: always
    #hostname: lms2
    environment:
      HASPLM_DATABASE: mysql
      HASPLM_DATABASE_MYSQL_HOST: lms_database
      HASPLM_DATABASE_MYSQL_USER: lms
      HASPLM_DATABASE_MYSQL_PASSWORD: Password1!
      HASPLM_DATABASE_MYSQL_PORT: 3306
      HASPLM_DATABASE_MYSQL_DATABASE: lms
    volumes:
      - ./haspvlib_x86_64_37517.so:/var/hasplm/haspvlib_x86_64_37517.so
      - ./hasplm.ini:/etc/hasplm/hasplm.ini
    depends_on:
      - lms_database

  nginx:
    image: nginx:latest
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx-selfsigned.crt:/etc/nginx/certs/nginx-selfsigned.crt:ro
      - ./nginx-selfsigned.key:/etc/nginx/certs/nginx-selfsigned.key:ro
    depends_on:
      - lms1
      - lms2
    ports:
      - "80:80"       # Runtime API (HTTP)
      - "443:443"     # Admin Control Center (HTTPS)

# Named volumes must be declared at the top level, or Compose refuses to start.
volumes:
  lms_db_data:

10.Confirm the setup as follows:

a.Run docker-compose up.

b.Open Admin Control Center of the LMS exposed by NGINX and determine the computer name on the Diagnostics page. The computer name should be that of the active license server machine serving your session (lms1 in this demonstration).

c.Run docker-compose kill lms1 to stop the lms1 service.

After 10 seconds (the default fail_timeout of the NGINX upstream module), NGINX transfers all requests to lms2.

d.Check the computer name again. The name should have changed from lms1 to lms2.