Run-time Environment for Mac

The zlib library has been upgraded to version 1.2.12.

You can now set an expiration date for client identities. This enables vendors to:

>Easily manage trial by providing users with expiring identities that consume the same license. This removes the need to generate a new key and a new license for each trial.

>Manage which users can access a concurrency license and for how long.

After connecting to a VPN, when you click Submit on the Access to Remote ACC panel, a false-positive warning similar to the following was sometimes displayed:

"A duplicate License Manager ID exists on this server and on the server at address 10.42.49.253. This is typically caused by cloning a VM. Licenses on these two servers may be inaccessible"

If no host is specified, AdminAPI uses "localhost" to connect to the License Manager. But in modern machines, localhost is resolved to "::1". This may not work because the IPv6 option may be disabled in the License Manager.

AdminAPI now uses "127.0.0.1" instead of "::1".

A customer can now detach one or more seats with concurrency from a cloud license server and install them on a machine with a client identity. Applications on remote machines in the same LAN can then consume seats from this machine. This enables customers to:

> Set up second-level license servers.

> Control the number of local hardware resources used by an application.

With cloud licensing, when opening a remote session, the session would be closed after 15 minutes if no hasp call was made on the session. This resolution fixes the keep-alive timeout.

The documentation for the Sentinel Run-time Environment (RTE) is now provided in HTML5 format. As a result, the documentation is modular and easier to navigate.

Because of this change, the path for accessing the documents online has changed. If you created shortcuts to access RTE documentation from the Thales web site, you must modify your shortcuts accordingly.

The paths for accessing the online RTE Readme files can be taken from: https://docs.sentinel.thalesgroup.com/ldk/rte.htm

Admin Control Center enables a customer to specify which users can access a license on a license server machine.

You can now include domain names as part of the restrictions that they specify for this purpose. For example, you can now specify:

allow=username@hostname.domainname,...
allow=khsingh@noi-2n39623.thaesgroup.com

For more information, see the description of the User Restrictions parameter on the Configuration > Users page of Admin Control Center.

Network licenses will be accessible even if port 1947 is not open in the firewall. To enable this enhancement, you must select the option Listen for clients also on port 80 in the Admin Control Center configuration.

When setting or changing the password for making changes in the Admin License Manager (using Admin Control Center or Sentinel Admin API), you must now specify a strong password. The password must satisfy the following requirements:

>At least eight characters long

>At least one uppercase letter (A-Z) and one lowercase letter (a-z)

>At least one number (0-9) OR one special character (for example: ! @ # $ % ^ & * " ( ) . , - +)

These requirements are enforced when a password is added or changed. There is no warning or action required if the existing password does not satisfy these requirements.

Sentinel LDK Run-time Environment now supports a new method for detaching licenses: Automatic Detach.

This method is especially useful when working with cloud licenses.

When Automatic Detach is enabled, a protected application automatically detaches a network seat from an SL key (that supports concurrency) when the application requires a license. As a result, the application can continue to operate even if the connection to the SL key is interrupted. The application retains the license for a predefined number of hours.

For more information, see the description of detaching licenses in the Admin Control Center help system.

Under rare circumstances, the following error was logged:

log_error("Failed udp accept() call " SYS_ERROR_FORMAT "\n", SYS_ERROR_ARGS).

This was caused by a read_UDP with a wait. This issue has been resolved.

Given the following circumstances:

>RTE version 8.11 is installed on a license server machine.

>A license with multiple products (SL or HL) is installed.

>User restrictions are defined. For example:
deny=USER_A@all,product:1
allow=USER_A@all,product:2

>USER_A attempts to consume a license from Product 1. The request is denied.

> Using the same login scope, USER_A then attempts to consume a license from Product 2.

The second attempt would also fail, even though the user is authorized to consume a license from Product 2.

The following issues were resolved:

>When performing an offline license detach, the expiration date field in the H2R file did not contain a value for the year. For example: <tr><td>expiration</td><td><b>Sun Jul 12, 15:59:30 UTC</b></td></tr>

>When using Admin API for .NET: If you call the API “AdminApi.Get” (any scope, element :ExpirationDate) the expiration date information did not contain a value for the year.

Admin API now supports the use of HTTPS for communication with a remote Admin License Manager.

Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

Given the following circumstances:

>A license for a Product is detached from a customer's license server and applied on a different machine

>In Sentinel LDK-EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine.

>The detached license is canceled and returned to the license server.

The number of available seats of the Product on the license server would not reflect that the license had been returned.

>In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.

>In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Sentinel LDK Run-time Environment is now supported under macOS Sierra.

Given the following scenario:

1.Obtain a C2V file for an SL Legacy key.

2.Prepare an update to upgrade the SL Legacy key to an SL AdminMode key in Sentinel License Generation API, but do not apply the update.

3.Prepare a second update using the first update as the current state for the key.

4.Apply the second update to the key.

The update would return a status of OK even though the update fails.

Given the following circumstances:

>A license server machine and the recipient machine are in different time zones

>A detachable license is transferred online from the server to the recipient machine.

After installing RTE version 7.40 and enabling 'Broadcast Search for Remote Licenses' option, the ACC access log would contain a message similar to the following:

Given the following circumstances:

>An SL AdminMode or SL Legacy license is located on a physical machine.

>From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.

Given the following circumstances:

1.SL Legacy licenses from two different vendors were present on a machine.

2.The license from one of the vendors is removed.

3.The License Manager service is restarted.

The remaining SL Legacy license was no longer visible in Admin Control Center.

>An SL key contains a Feature that allows concurrency but does not allow virtual machines.

>The SL key is installed on a physical machine.

1.A license with concurrency is installed on a Sentinel protection key. The count criteria is "Per Login".

2.Protected applications that consume seats from the license are started.

3.While the applications are active, the license is updated to change the count criteria (for example, from "Per Login" to "Per Process").

4.One or more protected applications are closed.

The Login count for the license would no longer match the number of actual applications active.

As part of the resolution for this issue, when the count criteria for a network license is modified, all active sessions are automatically terminated.

>The user installed a version of the Run-time Environment prior to version 7.32 under Mac OS X 10.9 or 10.10.

> During the installation, the firewall prompted the user to deny or allow incoming network connections for hasplmd. The user clicked Deny.

As a result, it was necessary for the user to temporarily disable the firewall in order to access Admin Control Center.

Starting with Run-time Environment v.7.32, driver binaries are signed. As a result, the firewall no longer prompts the user to deny or allow incoming network connections for hasplmd.

However, when Run-time Environment v.7.32 is installed over an earlier version for which incoming network connections had been blocked as described above, it is necessary to reboot the machine after the installation. After the machine is rebooted, the user will be able to access Admin Control Center without the need to disable the firewall.

The template for customizing entries for the Access log in Sentinel License Manager has been enhanced.

>A new log element (functionparams2) is available.

>Tags for special characters that could not be used in the template until now are provided.

>Existing elements (sessioncount, logincount, loginlimit) that did not provide reliable results have been corrected.

>The following events are now logged correctly: session timeout, orphaned session logout, manual disconnect, AdminAPI disconnect.

In addition, the template is now used for log entries generated by Embedded License Managers and External License Managers.

Admin Control Center now enables the user to generate a C2V file without the requirement of installing the RUS utility. This is supported for Windows, Mac and Linux platforms. The following limitations apply:

>HL Basic keys are not supported.

>C2V files fetched from HASP HL and Sentinel HL (HASP Configuration) keys will not work with Business Studio.

The template for customizing entries for the Access log in Sentinel License Manager has been enhanced.

>A new log element (functionparams2) is available.

>Tags for special characters that could not be used in the template until now are provided.

>Existing elements (sessioncount, logincount, loginlimit) that did not provide reliable results have been corrected.

>The following events are now logged correctly: session timeout, orphaned session logout, manual disconnect, AdminAPI disconnect.

In addition, the template is now used for log entries generated by Embedded License Managers and External License Managers.

Admin Control Center now enables the user to generate a C2V file without the requirement of installing the RUS utility. This is supported for Windows, Mac and Linux platforms. The following limitations apply:

>HL Basic keys are not supported.

>C2V files fetched from HASP HL and Sentinel HL (HASP Configuration) keys will not work with Business Studio.

The Fridge daemon would fail to load when the machine has more than 128 devices participating in the fingerprint algorithm.