Run-time Environment for Linux

The zlib library has been upgraded to version 1.2.12.

During installation of Run-time Environment 8.41 on a machine with an old CPU, installation would fail with a message similar to:

Error when starting the Sentinel License Manager service with parameters 1280 0 0.
This is an internal error.

You can now set an expiration date for client identities. This enables vendors to:

>Easily manage trial by providing users with expiring identities that consume the same license. This removes the need to generate a new key and a new license for each trial.

>Manage which users can access a concurrency license and for how long.

High Availability for cloud licensing now supports configuration of active-active license servers

To support this functionality, VLIB 8.41 or later must be deployed on the license servers.

After connecting to a VPN, when you click Submit on the Access to Remote ACC panel, a false-positive warning similar to the following was sometimes displayed:

"A duplicate License Manager ID exists on this server and on the server at address 10.42.49.253. This is typically caused by cloning a VM. Licenses on these two servers may be inaccessible"

If no host is specified, AdminAPI uses "localhost" to connect to the License Manager. But in modern machines, localhost is resolved to "::1". This may not work because the IPv6 option may be disabled in the License Manager.

AdminAPI now uses "127.0.0.1" instead of "::1".

A customer can now detach one or more seats with concurrency from a cloud license server and install them on a machine with a client identity. Applications on remote machines in the same LAN can then consume seats from this machine. This enables customers to:

> Set up second-level license servers.

> Control the number of local hardware resources used by an application.

With cloud licensing, when opening a remote session, the session would be closed after 15 minutes if no hasp call was made on the session. This resolution fixes the keep-alive timeout.

The documentation for the Sentinel Run-time Environment (RTE) is now provided in HTML5 format. As a result, the documentation is modular and easier to navigate.

Because of this change, the path for accessing the documents online has changed. If you created shortcuts to access RTE documentation from the Thales web site, you must modify your shortcuts accordingly.

The paths for accessing the online RTE Readme files can be taken from: https://docs.sentinel.thalesgroup.com/ldk/rte.htm

Admin Control Center enables a customer to specify which users can access a license on a license server machine.

You can now include domain names as part of the restrictions that they specify for this purpose. For example, you can now specify:

allow=username@hostname.domainname,...
allow=khsingh@noi-2n39623.thaesgroup.com

For more information, see the description of the User Restrictions parameter on the Configuration > Users page of Admin Control Center.

Network licenses will be accessible even if port 1947 is not open in the firewall. To enable this enhancement, you must select the option Listen for clients also on port 80 in the Admin Control Center configuration.

When setting or changing the password for making changes in the Admin License Manager (using Admin Control Center or Sentinel Admin API), you must now specify a strong password. The password must satisfy the following requirements:

>At least eight characters long

>At least one uppercase letter (A-Z) and one lowercase letter (a-z)

>At least one number (0-9) OR one special character (for example: ! @ # $ % ^ & * " ( ) . , - +)

These requirements are enforced when a password is added or changed. There is no warning or action required if the existing password does not satisfy these requirements.

Sentinel LDK Run-time Environment now supports a new method for detaching licenses: Automatic Detach.

This method is especially useful when working with cloud licenses.

When Automatic Detach is enabled, a protected application automatically detaches a network seat from an SL key (that supports concurrency) when the application requires a license. As a result, the application can continue to operate even if the connection to the SL key is interrupted. The application retains the license for a predefined number of hours.

For more information, see the description of detaching licenses in the Admin Control Center help system.

Under rare circumstances, the following error was logged:

log_error("Failed udp accept() call " SYS_ERROR_FORMAT "\n", SYS_ERROR_ARGS).

This was caused by a read_UDP with a wait. This issue has been resolved.

Given the following circumstances:

>RTE version 8.11 is installed on a license server machine.

>A license with multiple products (SL or HL) is installed.

>User restrictions are defined. For example:
deny=USER_A@all,product:1
allow=USER_A@all,product:2

>USER_A attempts to consume a license from Product 1. The request is denied.

> Using the same login scope, USER_A then attempts to consume a license from Product 2.

The second attempt would also fail, even though the user is authorized to consume a license from Product 2.

The following issues were resolved:

>When performing an offline license detach, the expiration date field in the H2R file did not contain a value for the year. For example: <tr><td>expiration</td><td><b>Sun Jul 12, 15:59:30 UTC</b></td></tr>

>When using Admin API for .NET: If you call the API “AdminApi.Get” (any scope, element :ExpirationDate) the expiration date information did not contain a value for the year.

Admin API now supports the use of HTTPS for communication with a remote Admin License Manager.

Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

Given the following circumstances:

>A license for a Product is detached from a customer's license server and applied on a different machine

>In Sentinel LDK-EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine.

>The detached license is canceled and returned to the license server.

The number of available seats of the Product on the license server would not reflect that the license had been returned.

In Admin Control Center, the configuration parameter Allow Remote Access to ACC and Admin API has been split into two independent parameters:

>Allow Remote Access to ACC

>Allow Remote Access to Admin API

This provide more granular control of access from a remote machine. You can now allow or deny access separately for Admin Control Center and for Admin API. (A corresponding split for configuration parameters was implemented in Sentinel Admin API.)

When the License Manager is upgraded to version 7.90, each new parameter is assigned the value that was assigned to the original parameter. As a result, after the upgrade, there is no change in access granted.

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 UBS keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

>In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.

>In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter>
It is no longer necessary to decode the C2V file in order to view this information.

After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses.

You can now enter the URL to access Sentinel LDK-EMS in your Web browser without changing the EMS URL to lowercase.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

On Linux and Mac machines, Admin Control Center would fail to download additional languages when the user clicked the More Languages option.

When an end user would unpack a Run-time Environment that was configured for the user by Sentinel LDK-EMS, the following warning was displayed:
A lone zero block at 21242
This issue did not interfere with the functionality of the Run-time Environment.

When started, the License Manager would display warning messages similar to:
warning: maximal mount count reached, running e2fsck is recommended

There are no functionality issues related to these warning messages.
These messages would be seen at system boot time or in /var/log/kern.log.

A number of issues would occur under Arch Linux-2017.01.01-X64:

>Installation of the Run-time Environment would fail. Execution of aksusbd-7.51.1-i386/dinst would fail with the message: “Unsupported init script system”

>The fingerprint for an SL UserMode license could be fetched successfully. However, when installing a V2C file for the license, the Licensing API would generate the message: error 43.

>A Sentinel HL (Driverless configuration) key can be used successfully with the Licensing API. However, when the key contains a license with concurrency, the Licensing API generates “error 80” (because the License Manager Service cannot be installed on the system).

The License Manager and API no longer change the CPU affinity mask to force the process to run on all CPUs. They now keep the default affinity that was set at the process startup.

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

Given the following circumstances:

>A license server machine and the recipient machine are in different time zones

>A detachable license is transferred online from the server to the recipient machine.

Given the following circumstances:

>An SL AdminMode or SL Legacy license is located on a physical machine.

>From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.

Given the following circumstances:

1.SL Legacy licenses from two different vendors were present on a machine.

2.The license from one of the vendors is removed.

3.The License Manager service is restarted.

>An SL key contains a Feature that allows concurrency but does not allow virtual machines.

>The SL key is installed on a physical machine.

The template for customizing entries for the Access log in Sentinel License Manager has been enhanced.

>A new log element (functionparams2) is available.

>Tags for special characters that could not be used in the template until now are provided.

>Existing elements (sessioncount, logincount, loginlimit) that did not provide reliable results have been corrected.

>The following events are now logged correctly: session timeout, orphaned session logout, manual disconnect, AdminAPI disconnect.

In addition, the template is now used for log entries generated by Embedded License Managers and External License Managers.

Admin Control Center now enables the user to generate a C2V file without the requirement of installing the RUS utility. This is supported for Windows, Mac and Linux platforms. The following limitations apply:

>HL Basic keys are not supported.

>C2V files fetched from HASP HL and Sentinel HL (HASP Configuration) keys will not work with Business Studio.