Run-time Environment for Windows

The zlib library has been upgraded to version 1.2.12.

During installation of Run-time Environment 8.41 on a machine with an old CPU, installation would fail with a message similar to:

Error when starting the Sentinel License Manager service with parameters 1280 0 0.
This is an internal error.

You can now set an expiration date for client identities. This enables vendors to:

>Easily manage trial by providing users with expiring identities that consume the same license. This removes the need to generate a new key and a new license for each trial.

>Manage which users can access a concurrency license and for how long.

After connecting to a VPN, when you click Submit on the Access to Remote ACC panel, a false-positive warning similar to the following was sometimes displayed:

"A duplicate License Manager ID exists on this server and on the server at address 10.42.49.253. This is typically caused by cloning a VM. Licenses on these two servers may be inaccessible"

If no host is specified, AdminAPI uses "localhost" to connect to the License Manager. But in modern machines, localhost is resolved to "::1". This may not work because the IPv6 option may be disabled in the License Manager.

AdminAPI now uses "127.0.0.1" instead of "::1".

When the Windows user names includes non-unicode characters as in Korean and Chinese names, installing a rebranded RTE returns "EMSUrl.properties processing" error.

By default, the Run-time Environment is now installed without legacy drivers whenever possible. As a result, the RTE installation is more stable and reliable. For more information, see the description of legacy drivers in the RTE readme document.

The Run-time Environment installer has been improved. Previously, completion of the upgrade of the Run-time Environment (hasplms.exe) was sometimes blocked if the existing Sentinel License Manager was locked by another process. With the installer for RTE 8.21, if this situation occurs, the user can now select one of these options:

> Stop the process that is locking the Sentinel License Manager and then continue the Run-time Environment upgrade.

>Restart the machine. The Run-time Environment upgrade continues immediately after the restart.

> Cancel the upgrade.

With cloud licensing, when opening a remote session, the session would be closed after 15 minutes if no hasp call was made on the session. This resolution fixes the keep-alive timeout.

The documentation for the Sentinel Run-time Environment (RTE) is now provided in HTML5 format. As a result, the documentation is modular and easier to navigate.

Because of this change, the path for accessing the documents online has changed. If you created shortcuts to access RTE documentation from the Thales web site, you must modify your shortcuts accordingly.

The paths for accessing the online RTE Readme files can be taken from: https://docs.sentinel.thalesgroup.com/ldk/rte.htm

Admin Control Center enables a customer to specify which users can access a license on a license server machine.

You can now include domain names as part of the restrictions that they specify for this purpose. For example, you can now specify:

allow=username@hostname.domainname,...
allow=khsingh@noi-2n39623.thaesgroup.com

For more information, see the description of the User Restrictions parameter on the Configuration > Users page of Admin Control Center.

Network licenses will be accessible even if port 1947 is not open in the firewall. To enable this enhancement, you must select the option Listen for clients also on port 80 in the Admin Control Center configuration.

When setting or changing the password for making changes in the Admin License Manager (using Admin Control Center or Sentinel Admin API), you must now specify a strong password. The password must satisfy the following requirements:

>At least eight characters long

>At least one uppercase letter (A-Z) and one lowercase letter (a-z)

>At least one number (0-9) OR one special character (for example: ! @ # $ % ^ & * " ( ) . , - +)

These requirements are enforced when a password is added or changed. There is no warning or action required if the existing password does not satisfy these requirements.

Sentinel LDK Run-time Environment now supports a new method for detaching licenses: Automatic Detach.

This method is especially useful when working with cloud licenses.

When Automatic Detach is enabled, a protected application automatically detaches a network seat from an SL key (that supports concurrency) when the application requires a license. As a result, the application can continue to operate even if the connection to the SL key is interrupted. The application retains the license for a predefined number of hours.

For more information, see the description of detaching licenses in the Admin Control Center help system.

When creating a client identity for cloud licensing and specifying the Limit to Key ID parameter, you can now specify multiple key IDs for a given client identity.

Under rare circumstances, the following error was logged:

log_error("Failed udp accept() call " SYS_ERROR_FORMAT "\n", SYS_ERROR_ARGS).

This was caused by a read_UDP with a wait. This issue has been resolved.

haspdinst.exe would fail if a vendor library is present on the machine but it is not signed or if the signature is not correct.

The behavior of haspdinst.exe has been changed so that in these situations:

>The installation of the Run-time Environment succeeds, but the vendor library is not copied to the destination path.

> An entry is added to the log file stating that the full path of the vendor library is not signed or its signature is not correct, and that it was not copied to the destination path.

Given the following circumstances:

>RTE version 8.11 is installed on a license server machine.

>A license with multiple products (SL or HL) is installed.

>User restrictions are defined. For example:
deny=USER_A@all,product:1
allow=USER_A@all,product:2

>USER_A attempts to consume a license from Product 1. The request is denied.

> Using the same login scope, USER_A then attempts to consume a license from Product 2.

The second attempt would also fail, even though the user is authorized to consume a license from Product 2.

The following issues were resolved:

>When performing an offline license detach, the expiration date field in the H2R file did not contain a value for the year. For example: <tr><td>expiration</td><td><b>Sun Jul 12, 15:59:30 UTC</b></td></tr>

>When using Admin API for .NET: If you call the API “AdminApi.Get” (any scope, element :ExpirationDate) the expiration date information did not contain a value for the year.

A guest on Hyper-V was recognized by Admin Control Center as a virtual PC rather than as a Hyper-V guest.

Admin API now supports the use of HTTPS for communication with a remote Admin License Manager.

Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

Given the following circumstances:

>A license for a Product is detached from a customer's license server and applied on a different machine

>In Sentinel LDK-EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine.

>The detached license is canceled and returned to the license server.

The number of available seats of the Product on the license server would not reflect that the license had been returned.

The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:

>Installation of the RTE has succeeded. No restart is required.

>Installation of the RTE cannot complete due to a lock on a required file. The RTE Installer attempts to rename the locked file in the background. If it succeeds, the installation will continue. If the rename attempt fails, the installer returns error 52. At this point, your code can call the new RTE Installer API function haspds_GetLockingProcessList to get the locking process name. You can then release the locked file and restart the RTE Installer.

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 UBS keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

>In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.

>In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter>
It is no longer necessary to decode the C2V file in order to view this information.

After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses.

You can now enter the URL to access Sentinel LDK-EMS in your Web browser without changing the EMS URL to lowercase.

Admin Control Center (under Windows) can now display and apply updates to local SL UserMode keys. (Session information and certificate information for SL UserMode keys is not displayed.)

To display SL UserMode keys in Admin Control Station, License Manager runs an additional process (hasplmv) on the machine. If you are willing to accept that SL UserMode keys will not be displayed, you have the option to prevent hasplmv from executing by clearing the relevant check box on the Configuration page in Admin Control Center.

When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application was not able to decrypt the protected data file, no error message was generated to explain why the file cannot be opened.

Under Windows 10, a physical machine would be detected as a virtual machine when only Hyper-V Hypervisor is enabled.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

When building a Run-Time Environment installer using Wix, an error message similar to the following was generated:
Invalid product version '7.53.1.66350' in package HASP_Setup.msi'. When included in a bundle, all product version fields in an MSI package must be less than 65536.
This error no longer occurs.

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

Installation of a rebranded RTE would fail when the account name contains multi-byte characters (such as Japanese). The install log would contain an error similar to the following:

could not open C:\Users\userName\AppData\Local\Temp\EMSUrl.properties ../hhlinst.c,4659
OPEN file C:\Users\userName\AppData\Local\Temp\EMSUrl.properties processing error. ../hhlinst.c,4660,

The decrypt function in the HASP4 API would give incorrect results after RTE 7.52 or 7.53 was installed.

Given the following scenario:

1.Obtain a C2V file for an SL Legacy key.

2.Prepare an update to upgrade the SL Legacy key to an SL AdminMode key in Sentinel License Generation API, but do not apply the update.

3.Prepare a second update using the first update as the current state for the key.

4.Apply the second update to the key.

The update would return a status of OK even though the update fails.

The Features page in Admin Control Center now displays the peak number of consumed seats per Feature. The peak number is based on the current License Manager session. For each Feature, the peak number value is displayed as a tool tip for the seats value under the Logins column. This information enables end users and organizations to determine if the number of seats purchased is suitable for their needs.

A Sentinel HL (HASP configuration) key would not be accessible by the protected application under the following circumstances:

The following conditions exist:

>Windows 10 version 1607 is present on the machine.

>The network is disabled.

>The Run-time Environment is not present on the machine.

The following actions are performed:

1.The HL key is connected to the machine and then disconnected.

2.The Run-time Environment is installed on the machine.

3.The HL key is connected again to the machine.

The HL key would not be accessible.

When using RTE 7.51, a Stop error (BSoD) would occur when the protected application attempted to retrieve the serial number of the disk drive that uses Intel RAID drivers.

Under certain circumstances, the uninstall of the Run-time Environment on a Windows 8 machine would fail.

The uninstall of the Run-time Environment would not provide proper notification if it failed to remove all necessary files. The uninstall process now provides a detailed list of any files that it fails to remove and advises the user to remove the files manually.

During the installation of a rebranded Run-time Environment using the -v flag (haspdinst.exe -i -v), an internal error would be displayed (message: "An error occurred when the RTE installer attempted to unpack the file sm.cab"). Note that the -v flag is not a documented option, and that the installation would succeed despite the error message.

>A file type is registered as “protected” using Version 1 data file protection.

>A file of the protected type is saved from the protected application using “Save as”.

Under certain circumstances, the saved file was not encrypted.

Given the following circumstances:

>A license server machine and the recipient machine are in different time zones

>A detachable license is transferred online from the server to the recipient machine.

Given the following circumstances:

>An SL AdminMode or SL Legacy license is located on a physical machine.

>From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.

Given the following circumstances:

1.SL Legacy licenses from two different vendors were present on a machine.

2.The license from one of the vendors is removed.

3.The License Manager service is restarted.

(RTE GUI Installer only) Given the following circumstances:

1. RTE version 6.60 or earlier is installed on a machine with no licenses.

2.Retrieve the fingerprint of the machine.

3.Upgrade the RTE to version 7.41

4.Use the retrieved fingerprint to generate an SL AdminMode license.

5.Apply the license with the upgraded RTE.

The license would be marked as “cloned”.

>Sandisk: 16 GB, 64 GB

>Transcend: 16 GB, 64 GB

>Toshiba: 32 GB

>Samsung: 64 GB

>Kingston: 64 GB, 256 GB, 512 GB

>An SL key contains a Feature that allows concurrency but does not allow virtual machines.

>The SL key is installed on a physical machine.

The template for customizing entries for the Access log in Sentinel License Manager has been enhanced.

>A new log element (functionparams2) is available.

>Tags for special characters that could not be used in the template until now are provided.

>Existing elements (sessioncount, logincount, loginlimit) that did not provide reliable results have been corrected.

>The following events are now logged correctly: session timeout, orphaned session logout, manual disconnect, AdminAPI disconnect.

In addition, the template is now used for log entries generated by Embedded License Managers and External License Managers.

Under Windows 8.1 (x86 platform), the Hardlock driver would not detect NtTerminateProcess and NtTerminateThread SST indexes. As a result:

>When starting a protected application, the Secure Channel Communication error (H0046) would occur.

>A Stop error (BSoD) would occur.

>Names provided within a license container (for example, a V2C file) are valid just for that container.

>Names provided manually in a vendorid.xml file always override those container names, retaining backward compatibility (for examples, for translations)

>vendorid.xml files are never overwritten by the License Manager, so different names for licenses on different machines are no longer mixed up

A Stop message (BSoD) would occur while running a DataHASP protected application when Norton Internet Security is installed.

A delay would occur in obtaining the current remaining executions count when using the Licensing API hasp_get_sessioninfo() call soon after the hasp_login() call.