New Features, Enhancements, and Changes
NOTE If you are upgrading from a version of Sentinel LDK that is earlier than 8.5, be sure to review the release notes for all intervening versions. Significant enhancements and changes are introduced in each version of Sentinel LDK. Download a ZIP file that contains all Sentinel LDK release notes to see the changes.
Service Pack: 9.0.200
>Enhanced Envelope Protection for Python Applications Under Windows
>Improved Windows Shell Protection for .NET Assemblies
>Additional Enhancements to Sentinel LDK Envelope
Enhanced Envelope Protection for Python Applications Under Windows
Sentinel LDK now provides a new command-line tool called Script Envelope for applying Sentinel LDK Envelope protection to Python applications on a Windows machine.
After you create a project file that contains protection parameters, you can protect the Python application simply by executing Script Envelope. No additional steps are required.
For details, see Sentinel LDK Envelope for Windows.
Improved Windows Shell Protection for .NET Assemblies
Until now, Sentinel LDK Envelope supported shell protection for normal .NET executables.
Effective with this release, the Envelope V3 engine additionally supports shell protection for .NET mixed mode executables and DLL assemblies under Windows.
Additional Enhancements to Sentinel LDK Envelope
The following enhancements have been implemented by this service pack:
>.NET Envelope runtime message boxes now display as a foreground window.
>For applications protected using the Windows V3 engine, Envelope runtime message boxes now display as a foreground window.
>The .NET target frameworks under which protected applications are supported include .NET 8. For details, see this table.
New Version of Tomcat
Sentinel LDK-EMS now works with Tomcat 9.0.83. When you install this service pack on your machine, Tomcat 9.0.83 is installed automatically on the machine.
Service Pack: 9.0.100
>Sentinel LDK-EMS Now Supports Microsoft Office 365 SMTP Without Basic Authentication
>Disabling Cloud Licensing Even If Cloud Licensing Module Has Expired
>Master Wizard Now Communicates Using HTTPS
>Changes to Support for .NET Target Framework
>Enhancements to Sentinel LDK Envelope and Data Protection Utility
Sentinel LDK-EMS Now Supports Microsoft Office 365 SMTP Without Basic Authentication
Microsoft has disabled the basic authentication approach for Office 365. Sentinel LDK-EMS now supports Office 365 SMTP for vendors who are using email for license activation.
Disabling Cloud Licensing Even If Cloud Licensing Module Has Expired
A vendor can now set the Cloud Licensing configuration parameter in Sentinel LDK-EMS to Disabled even if the Cloud Licensing module in their Master license has expired. As a result, a vendor who used cloud licensing for a limited period is no longer blocked from disabling cloud-enablement for existing SL keys.
Master Wizard Now Communicates Using HTTPS
Communication between Sentinel LDK Master Wizard and Thales servers is now secured using the HTTPS protocol.
Changes to Support for .NET Target Framework
When installing Service Pack 9.0.100, the .NET target frameworks under which protected applications are supported are modified. For details, see this table.
Enhancements to Sentinel LDK Envelope and Data Protection Utility
The table below describes enhancements to Sentinel LDK Envelope and Sentinel LDK Data Protection utility.
Component | Description |
---|---|
Windows V3 protection engine | The advanced protection parameter Keep Debug Info has been implemented for the Windows V3 protection engine. When this parameter is set to True, debug information for the application is retained. (Default setting is False.) Note: For the Windows V3 engine, this functionality retains debug information for both executables and DLLs. |
Envelope GUI for Windows | The Feature ID and Frequency columns have been added back to the data grids for .NET and Java. |
Windows V3 protection engine | When you attempt to protect a program file with the V3 protection engine, Envelope now detects if the program file is already protected with the Windows NG engine. If the program is already protected, Envelope issues an error message and the operation fails. |
Windows NG protection engine | When you attempt to protect a program file with the NG protection engine, Envelope now detects if the program file is already protected with the Windows V3 engine. If the program is already protected, Envelope issues an error message and the operation fails. |
Windows V3 protection engine | When protecting a program file, Envelope now removes an existing Authenticode signature and logs a warning that the protected program file needs to be re-signed. |
Linux Envelope | Linux Envelope for QT framework has been implemented. |
Data File Protection for Linux | Data file protection now supports new file statistics functions of recent versions of glibc. |
Release: 9.0
>Enhancements to Sentinel LDK Envelope
>Enhancements to Sentinel Run-time Environment Installer API
>Enhancement to V-Clock for Sentinel SL Keys
>RUS Branding Has Been Removed from Sentinel LDK-EMS GUI
>Expiration Date Licenses Can Now Be Assigned a Start Date
>Identity Strings Can Now Be Hidden
>Rate Limiting for Cloud Licensing
>Licensing REST API Is Now Available
>Directories for Licensing API Have Been Renamed
>Enhancement to Sentinel Admin API
>Admin Control Center Now Uses Session-Based Authentication
>Improved Help System for Admin Control Center
>Enhancement to the Run-time Environment Changes a Return Code in Admin API
>FQDN Clone Protection Scheme Has Been Changed
>Additional Changes to Sentinel LDK
Enhancements to Sentinel LDK Envelope
Sentinel LDK Envelope now supports the following functionality:
>Enhanced V3 Engine
The Windows V3 engine has been significantly enhanced to provide more robust and stable protection of Windows applications. As a result, Thales now recommends the use of the V3 engine as the engine of choice when protecting applications.
The behavior of Sentinel LDK Envelope 9.0 is as follows:
•When you start Sentinel LDK Envelope 9.0 for the first time, by default the Windows engine used for applications in new projects is V3.
•If you open a project that was created in Sentinel LDK Envelope 8.5 or earlier, the protection engine in the Envelope Settings dialog box changes for that project to the setting that was in force when that project was created.
Once you manually change the Windows engine in the Settings dialog box and click OK, the engine you selected is applied for all applications that you add to any project, regardless of when the project was created.
>Support for AppOnChip in the V3 Protection Engine
The enhanced V3 protection engine now supports the use of AppOnChip functionality to protect applications that are licensed using HL (Driverless configuration) keys.
>Support for .NET 7
Sentinel LDK Envelope now supports .NET 7 applications.
Enhancements to Sentinel Run-time Environment Installer API
Sentinel Run-time Environment Installer API has been enhanced as follows:
>The haspds_Install function has been enhanced to support forcing installation of the RTE with legacy drivers if required.
Enhancement to V-Clock for Sentinel SL Keys
The V-Clock in an SL key can now be set to a specific date and time, or to the date and time from the system clock on the machine where the V2C file is generated. This may be required, under certain circumstances, to re-enable a Feature that was blocked due to time-tampering.
NOTE Before applying a V2C file to reset the V-Clock using the system clock, the user should ensure that the system clock is set to the current date and time.
RUS Branding Has Been Removed from Sentinel LDK-EMS GUI
Support for RUS branding in Sentinel LDK-EMS has been changed as follows:
>The functionality of generating a branded RUS executable has been removed from the Sentinel LDK-EMS user interface. (This functionality was available from the Developer > RUS Branding tab.)
This functionality has been replaced by a new standalone tool called Sentinel RUS Generator, which is available from the Sentinel LDK launcher. This tool can be used to generate a RUS utility executable that is associated with your Batch Code and that is customized with your company name and any additional text that you want to provide.
>The branded RUS utility executable can no longer be downloaded from the Sentinel LDK-EMS Customer Portal when used to deliver licenses. Thales recommends that you provide a branded RUS utility executable as part of the software package that you deliver to your customers.
For more information, see Sentinel RUS Generator.
Generation of executable files (EXE) that contain V2C data is no longer supported while producing protection key update entitlements.
Expiration Date Licenses Can Now Be Assigned a Start Date
When defining license terms for a Feature with an expiration date
For example: If you want to provide a customer with a 30-day license that expires on a specific date, you can deliver the license any time prior to the start date specified in the license. The customer will be able to use the license only from the specified start date.
NOTE By default, expiration date licenses can be used starting from 00:00:00 on the start date and expire at 23:59:59 on the expiration date. You can optionally specify different times in the license definition.
If no start date is specified, the license is active as soon as it is received and installed by the customer.
The start date is specified as an attribute of the expiration date tag. For example:
<expiration_date start_date="2023-06-01">2023-12-31</expiration_date>
The following limitations apply:
>Requires Sentinel Run-time Environment 9.12 or later.
>Only applicable for SL AdminMode and SL UserMode keys.
>Currently, start date and expiration date are calculated based on UTC and may not use the date and time that the user expects. In an upcoming release, the client time zone will be considered during license generation to ensure that the expected date and time are used.
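The following added example (not Thales code, and not part of Sentinel LDK) works through the validity window implied by the tag above, using the default 00:00:00 and 23:59:59 boundaries and the UTC calculation noted in the limitations. The function names and the UTC-7 client offset are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, time, timedelta, timezone

# Default boundary times stated in the release note.
DEFAULT_START = time(0, 0, 0)
DEFAULT_END = time(23, 59, 59)


def license_window_utc(fragment):
    """Return (start, end) as UTC datetimes for an <expiration_date> element.

    start is None when no start_date attribute is present, meaning the
    license is active as soon as it is installed.
    """
    elem = ET.fromstring(fragment)
    if elem.tag != "expiration_date":
        raise ValueError("expected an <expiration_date> element")
    end_day = datetime.strptime((elem.text or "").strip(), "%Y-%m-%d").date()
    end = datetime.combine(end_day, DEFAULT_END, tzinfo=timezone.utc)
    start = None
    raw_start = elem.get("start_date")
    if raw_start is not None:
        start_day = datetime.strptime(raw_start, "%Y-%m-%d").date()
        start = datetime.combine(start_day, DEFAULT_START, tzinfo=timezone.utc)
        if start > end:
            raise ValueError("start_date is later than the expiration date")
    return start, end


def is_active(fragment, now):
    """True when `now` (timezone-aware) falls inside the license window."""
    start, end = license_window_utc(fragment)
    return (start is None or now >= start) and now <= end


def window_in_local_time(fragment, utc_offset_hours):
    """Express the UTC window on a client clock with a fixed UTC offset."""
    local = timezone(timedelta(hours=utc_offset_hours))
    start, end = license_window_utc(fragment)
    return (start.astimezone(local) if start else None, end.astimezone(local))


if __name__ == "__main__":
    sample = '<expiration_date start_date="2023-06-01">2023-12-31</expiration_date>'
    for bound in window_in_local_time(sample, -7):  # constructed UTC-7 client
        print(bound.isoformat())
```

For the constructed UTC-7 client, the window opens at 17:00 local time on the day before the start date and closes at 16:59:59 local time on the expiration date, which is the discrepancy the UTC limitation refers to.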
Identity Strings Can Now Be Hidden
Identity strings used by cloud licensing can now be hidden in Sentinel Admin Control Center and in the hasplm.ini file on licensed users’ machines. This prevents licensed users from sharing their identity strings with other users.
When hidden, the identity string is replaced in the serveraddr string in Admin Control Center with “*”.
Automatic detach remains supported even if the identity string is not visible in Admin Control Center or the hasplm.ini file.
Licenses that were detached before the identity string was hidden continue to be available without providing the identity.
For more information, see Sentinel Admin API Reference.
Rate Limiting for Cloud Licensing
Sentinel Licensing API now supports rate limiting for cloud license managers. As a result, it is now possible to implement rate limiting for cloud license requests issued by protected applications on customers’ machines. The use of rate limiting prevents overloading the license server and improves the user experience if licensed user interactions with the applications are generating an excessive number of requests to the license server. For more information, see Sentinel Licensing API Reference.
Licensing REST API Is Now Available
This release introduces the Sentinel LDK Licensing REST API web service. This API is recommended for use with both cloud-based applications (Software-as-a-Service offerings) and local applications that run in a trusted environment. There is no need to embed or install Sentinel LDK Run-time Environment or License Manager.
Sentinel LDK Licensing REST API web service supports both HL keys and SL keys (including CL keys).
If your application runs locally in an untrusted environment, Thales recommends using Sentinel LDK Envelope, which wraps your application in a protective shield.
For more information, see Sentinel Licensing REST API Reference.
Directories for Licensing API Have Been Renamed
The sample and API directories for Sentinel Licensing API in the Sentinel LDK installation have been renamed as follows:
From:
>\Samples\Runtime\
>\API\Runtime\
To:
>\Sample\Licensing\
>\API\Licensing\
These directories have been renamed for Windows, Linux, and Mac installations of Sentinel LDK. This change aligns the name of these directories from the legacy name of the API (that is, Runtime API) to the current name (Licensing API).
Enhancement to Sentinel Admin API
Access to Sentinel Admin API can now be restricted so that it is only available for users from the local network. This can be enforced using firewall rules. Administrator-level requests would be allowed only on a specific port or network interface (or both).
Admin Control Center Now Uses Session-Based Authentication
Password protection in Sentinel Admin Control Center now uses session-based authentication instead of basic authentication. This enhancement provides the option to log in securely from any machine without the need to configure a trusted client.
NOTE If you have configured Admin Control Center to require login credentials, a user name is now required. If you have not defined a user name, use admin (the default user name) to log in to Admin Control Center.
Improved Help System for Admin Control Center
The help system for Sentinel Admin Control Center has been significantly improved. This new help system is provided when the user is working with Run-time Environment 9.12 and later.
Until now, the help system was implemented using simple HTML pages with very little navigation assistance.
The new help system is displayed in an independent browser window and provides:
>Context-sensitive help content
>A navigation pane
>Search capabilities
>Improved formatting and readability
These improvements will better assist users in working with Admin Control Center.
Enhancement to the Run-time Environment Changes a Return Code in Admin API
Sentinel Admin API generated a misleading return code as described below.
Given the following circumstances:
>The provided scope for the sntl_admin_get function to retrieve an identity list returns a null data set.
>The installed Run-time Environment is version 8.43 or earlier.
The value for the return code was 0 (SNTL_ADMIN_STATUS_OK).
After you install Run-time Environment version 8.51 or later, in the same circumstances, the value for the return code is (SNTL_ADMIN_SCOPE_RESULTS_EMPTY).
This enhancement (SM-122852) was implemented with the release of Sentinel LDK 8.5, but was not reported in the documentation.
FQDN Clone Protection Scheme Has Been Changed
Vendor library (vlib) 9.12 was released as part of the initial release of Sentinel LDK 9.0. Vlib 9.13 was released shortly afterward. The vlib is downloaded when you introduce any of your Vendor keys using the Sentinel LDK Master Wizard.
After upgrading to vlib 9.12 or 9.13, under certain circumstances, SL keys that are protected using the FQDN clone protection scheme on machines are detected as cloned.
This issue is resolved in vlib 9.15, which has now been released. Vendors for whom this issue is problematic should re-introduce their Vendor key to download vlib 9.15.
For more information and security considerations regarding the FQDN clone protection scheme, see the description of the FQDN scheme in the Sentinel LDK Software Protection and Licensing Guide.
Additional Changes to Sentinel LDK
The Sentinel LDK High Availability for Cloud Licensing Configuration Guide has been incorporated into the Sentinel LDK Installation Guide. This configuration guide was formerly a standalone document.
Generation of Executable files (EXE) that contain V2C data is no longer supported when producing protection key update entitlements.