Machine Accounts
Machine accounts are available with Sentinel LDK Cloud Licensing (CL).
Sentinel LDK Cloud Licensing (CL) provides various ways to consume cloud licenses that are hosted by Thales.
>With identity string-based licensing, described on this page, the device is authorized instead of the user. When you set up machine accounts (described below), users install identity strings on their devices. Any user that has access to those devices can access the vendor's protected application (or service).
>With user-based licensing, the user is authorized instead of the device. Users can log on to the vendor's protected application (or service) on any device using standard user credentials, such as a user name and password. For details, see User-Based Licensing.
|
>Prerequisites for Creating a Machine Account |
New to Sentinel EMS?
|
What Is a Machine Account?
A machine account represents a set of cloud licensing permissions that grant authorization rights to a customer's end user to access protected applications on one or more client devices (also known as registered machines). Machine accounts are one type of Sentinel LDK Cloud Licensing (CL).
Sentinel LDK Cloud Licensing (CL) (also known as CL) refers to licensing that is hosted by Thales on a service-hosted, cloud license manager server.
To enable client authentication and access control, each machine account is assigned a unique identity string. This identity string must be installed on the client device where the vendor's application runs. When the vendor's application tries to launch on that device, the client communicates with the cloud licensing service on Thales' service-hosted, cloud license manager server, which authenticates the client identity based on the identity string and verifies the access permissions assigned to the machine account. If the machine account is authorized to access the application, the application opens and runs.
Each machine account is defined for a specific end user and must be associated with a customer. When you create a machine account, you select the customer and add the name and email address of the user that receives email notification. By default, a machine account inherits the cloud licensing permissions defined for the associated customer. You can modify these settings for an end user if needed.
Machine accounts can be created on the Sentinel EMS vendor or customer portal, depending on whether the vendor or a customer's administrator user creates and manages machine accounts. Both vendors and customers' administrator users can also view the list of activated products on the respective portals, as well as manage the list of registered machines on which each machine account can access protected applications.
Compare with user-based licensingPrerequisites for Creating a Machine Account
A role that includes Customer Management permissions. At minimum, you need the Add permission. For details, see Roles.
(On the Sentinel EMS customer portal, the customer's administrator user can also create machine accounts.)
Cloud Licensing Flow for Machine Accounts
The following diagram illustrates the unique steps that comprise the cloud licensing flow for machine accounts. This diagram assumes that you already set up your catalog with products and features for your protected applications.
1: Vendor - One-Time Setup |
|
|---|---|
|
|
Define the default, global cloud licensing permissions The global cloud licensing permissions specify the default usage permissions for all customers using CL keys. For details, see Cloud Licensing Permissions. If needed, you can modify the default cloud licensing permissions for specific customers. These permissions, known as service-hosted cloud licensing permissions, are inherited from the global cloud licensing permissions, and are available only after at least one CL key is generated for a customer. For details, see Customers. (Later, after you activate an entitlement using Produce and Push, you can modify the service-hosted cloud licensing permissions for specific machine accounts if needed. By default, machine accounts inherit the permissions defined for the associated customer. For details, see Permissions.) |
|
|
Vendor: Customize the license notification email template Sentinel EMS provides an out-of-the-box email template that is sent automatically to a customer's end user when a machine account is created. We recommend that you review and customize this email template. For details, see Sentinel LDK Machine Account Certificate. |
2: Vendor |
|
|
|
Create administrator users for customers A customer's administrator user manages machine account You can create a customer's administrator user before (or after) you create the entitlement, or you can create administrator users for one or more customers in advance if you already have the relevant details. |
|
|
Create an entitlement When you create an entitlement, you must: >Assign a customer. For details, see Customers. >Select products that include: •One of the SL-AdminMode locking types. For details, see Locking Type. •Features whose license model supports concurrency on a network and specifies the maximum number of concurrent instances. For details, see Configure License Model and Sentinel LDK Enforcement - License Models. Depending on your configuration, you may also need to set some attributes in the Additional Attributes section of the Define Entitlement Attributes pane. For details, see Entitlements for Sentinel LDK Cloud Licensing (CL) (Produce and Push). |
|
Activate the entitlement To enable cloud licensing, you must use Produce and Push to activate the entitlement. Activating an entitlement generates a CL key for the relevant products. In addition, when you use Produce and Push for the first time, a new Service-Hosted Cloud Licensing Permissions tab is added to the customer details on the Customers page as described in Define the default, global cloud licensing permissions. You can modify these permissions, if needed. |
3: Vendor or Customer's Administrator User |
|
|
|
Create a machine account If Send Notification is enabled, then, when you create a machine account, an email notification is automatically sent to the email address defined in the machine account. The email informs the end user that they can start using the protected application by clicking a link in the email. The link installs the end user identity credentials for the protected applications that are already installed. Therefore, make sure to share the protected application with the end user before creating a machine account, so that they can install the protected application on the device (known as a registered machine) where they plan to run the protected application. For details on distributing protected software, see Sentinel LDK Software Protection and Licensing Guide. For details on creating a machine account, see Creating a Machine Account. The customer's administrator user manages machine accounts in the Sentinel EMS customer portal. |
|
|
Maintain the registered machines Either the vendor or the customer's administrator user can manage registered machines for machine accounts as needed. For example, the customer's administrator user may need to enable or disable a registered machine. The customer's administrator user manages registered machines in the Sentinel EMS customer portal. For details, see the section on registered machines in the Guide to the Sentinel EMS Customer Portal. |
4: End User |
|
|
|
Install the identity credentials for the protected application The end user can click the link in the email that was received for the machine account. This automatically installs the end user identity credentials for the protected application that is installed on the end user's device. The customer must ensure that the protected application includes Sentinel Run-time Environment and is already installed on the device where the end user plans to run the protected application. For details on distributing your protected applications, see Sentinel LDK Software Protection and Licensing Guide. Alternatively, the customer might share instructions with the end user describing how to install the identity credentials manually. The end user does this by updating the configuration .ini file for the protected application with the unique, personalized identity string received from the customer. In this case, Sentinel Run-time Environment is not required. For more details on the identity string and to view an example, see Copy Identity String. For details on manually installing a client identity on an end user's machine, see Sentinel LDK Software Protection and Licensing Guide. For details on identity credentials, see Identity Code. |
|
|
Start using the application to automatically register the machine (device) The first time that the end user runs the protected application, the machine is automatically registered on the service-hosted, cloud license manager server. Exception: If the Maximum Number of Registered Machines is set to Unlimited, then the machine is not registered. |
Machine Account Status
The Status attribute available on the Machine Accounts page specifies the status of a machine account:
>Enabled: The end user can access the protected application that was shared by the customer when creating or updating the machine account. You can disable a machine account when needed.
>Disabled: The end user cannot access the protected application that was shared by the customer when creating or updating the machine account. You can enable a disabled machine account when needed.
>Out-of-Sync:
Creating a Machine Account
You create a machine account from the Machine Accounts page.
To create a machine account:
1.From the navigation pane, select Customers > Machine Accounts to view the Machine Accounts page.
2.Click the Add Machine Account button.
3.Fill in the machine account attributes and modify the cloud licensing permissions if needed.
4.In the Permissions area, if you set Allow Access to All Associated Keys/Products to No, associate at least one Sentinel key or product with this machine account.
NOTE If your customer has multiple Sentinel keys that contain the same product, and you want to set this option to No, Thales recommends that you select the relevant Sentinel key, not the product. Otherwise, the machine account will be associated with only one of the Sentinel keys instead of all the keys containing this product.
5.Click Save.
Machine Account Attributes
The following table explains the attributes that are used to create a machine account:
| Attribute | Description | Required/Optional | Valid Values |
|---|---|---|---|
| Customer |
Customer for whose end user you are creating the machine account. Start typing and select from the list of suggestions. If the customer does not yet exist, you must first create the customer. For details, see Creating a Customer. |
Required |
An existing customer |
| Customer Identifier |
Unique identifier for the customer. Automatically displayed when you select a customer. |
Required |
Read-only value for the selected customer |
| Name |
Unique name of the end user of the protected application. This is the user for whom you are creating this machine account. The name is used in the greeting of the Sentinel LDK Machine Account Certificate email, described in Sentinel LDK Machine Account Certificate. |
Optional |
1 to 64 characters |
| Email address of the machine account. Used to send email notifications to the end user of the protected application when the machine account is created and updated. | Required |
>A valid email address >Up to 100 characters >Cannot contain: spaces and \ () [] : ; “ <> >Cannot start with a '.' >Cannot contain double .. >Cannot contain double @@ |
|
| Send Notification |
Send a notification to the machine account email address after the machine account is created. If you set this value to No, then you must provide the identity link to the end user in some other way, as the end user must install the identity string on their machine to use the protected application provided by the customer. The identity link is available by clicking Copy Identity Link for the relevant machine account in the Machine Accounts grid. |
Required |
Yes OR No Default: Yes |
| Identity Code |
An identity code is a unique 7-character string. The read-only identity code is part of the full identity string that specifies the client identity for the machine account as defined in the cloud licensing service database. When the end user clicks the link in the email notification that is sent when you create a machine account, the identity string is installed on the end user's machine. If you disable Send Notification, then you must provide the identity string to the end user in some other way, as the end user must install this identity string on their machine to use the protected application provided by the customer. NOTE If the end user clicks the URL link from the email that notifies them that they can access the protected application, then Sentinel Run-time Environment version 8.51 or later must be included with the protected application. When the end user runs a protected application, the local license manager uses the identity string to consume a license from the relevant protection key on the service-hosted, cloud license manager server whenever the application or service starts, or as defined in your application. For example, you might set authentication verification "per session" instead of "at login". After successful verification, the device accesses your protected application or service. If the end user has the appropriate permissions, the end user can use the identity string to detach a license from the service-hosted, cloud license manager server and then run the protected application offline. See also: Copy Identity Link and Copy Identity String |
N/A | Automatically generated when a machine account is created successfully. |
Permissions
You can retain the default, service-hosted, cloud licensing permissions, as described in Cloud Licensing Permissions, or you can modify these permissions for this machine account.
The permission values are displayed as read-only until you select a customer. When a customer is selected, you can modify the permissions.
| Attribute | Description |
|---|---|
| Maximum Number of Registered Machines |
A client machine may be automatically registered with the machine account when a protected application runs for the first time. Possible values: >1-10. The maximum number of remote machines that are allowed to use this machine account to access the license server machine. Each machine is automatically registered the first time it accesses the license server machine. When the maximum number of machines are registered, no additional machines can use the machine account. >Unlimited. An unlimited number of remote machines are allowed to use the machine account to access the license server machine. The machines are not registered. Default: 5 |
| Expiration Date |
Date on which the client identity (represented by the identity code) expires for the machine account. Possible values: >An expiration date >Never expires To set an expiration date: a.Clear the Never Expires check box. b.Do one of the following: –Set the date. –Click the calendar icon to display a calendar. Use the calendar to select the expiration date. –In the Days field, specify the number of days the client identity should remain active. Regardless of which field (calendar or days) you use to specify the duration of the client identity, the other field is automatically updated so that the two fields remain synchronized. If you set an expiration date, make sure that the selected date does not exceed the expiration date of the CL key. When using a second-level license server with a detached license, the expiration date for the detached license cannot exceed the expiration date of the CL key or of the client identity on the second-level license server. |
| Allow Online Connection to Licenses |
Enables a remote machine with an installed identity string to consume a license from the service-hosted, cloud license manager server. Possible values: Yes or No |
| Allow License Detaching |
(Relevant for both automatic and on-demand detaching) Enables a client machine to detach a license (a network seat) for a protected application from the service-hosted, cloud license manager server whenever a license is required. >Automatic detaching. Detached licenses are deducted from the pool of available networks seats on the CL key. The client machine retains the license up to the number of hours specified even if the connection to the license server is interrupted. This enables the protected application to continue to operate without connection to the license server machine. When the detached license expires, it automatically returns to the pool of network seats on the CL key and is disabled on the machine. Maximum offline duration: 2 hours >On-demand detaching. End users can access a manually detached license from a CL key for a specified number of days. This is useful if they want to work with a protected application and expect to be disconnected from the company’s network for an extended period. On-demand detaching works only in offline mode. To use a manually detached license: On the machine where the CL key is located, an administrator can generate an H2R file that contains a detached license. The administrator transfers the file to the recipient (for example, the end user) who then applies the H2R file on the machine. Maximum duration: 14 days Possible values: Yes or No |
| Allow Concurrency for Detached Licenses |
(Relevant only for on-demand detaching and visible only if Allow License Detaching is set to Yes) Enables a machine with the identity string to detach one or more network seats with concurrency from the license server machine. These seats can then be accessed concurrently on the machine that receives the detached license. A detached license with concurrency can be used to: >Set up second-level license servers. These can be used to provide greater control over the distribution of network seats within an organization and to minimize the overhead of license administration. For more information, see the Sentinel LDK Software Protection and Licensing Guide. >Control the number of local hardware resources used by an application. For example, a protected application can be limited to use 4 out 8 CPUs. This requires a detached license with 4 seats, where access to each CPU is granted after the application logs in to the license. In this example, the fifth login will be denied, ensuring that only 4 CPUs are in use. Possible values: Yes or No |
| Allow Access to All Associated Keys/Products |
When set to Yes, enables a machine with the identity string to access licenses for all products. When set to No, enables you to select the Sentinel keys or products for which the identity string can access licenses. Possible values: Yes or No To associate Sentinel keys or products with the machine account: In the Available Keys / Products area, do one of the following: >Click the >Select one or more check boxes and click the Add button below the grid to move the Sentinel keys or products to the Associated Keys / Products area. |
Add button in the Actions column to move a specific key or product to the Associated Keys / Products area.Registered Machines
Client devices may be registered automatically when an end user opens a protected application. Vendors and customers' administrator users can view the list of registered machines for each end user.
| Attribute | Description | ||
|---|---|---|---|
| Status |
The status of the registered machine. |
||
| Enabled | The end user can use the machine to access protected applications | ||
| Disabled | The end user cannot use the machine the access protected applications. This can occur only if the vendor or the customer's administrator user disables the machine. | ||
| Machine Name | The name of the device as defined in the system settings. | ||
| IP Address |
The IP address of the client machine. |
||
| Host User Name | The name of the end user that logs in to the machine to use the protected application. | ||
| Registration Date | The date that the machine was registered, which is usually the date that the end user logged in to the protected application for the first time. | ||
| Actions | The actions that you can perform for this registered machine. (On the customer portal, a customer's administrator users can perform these actions only for the machine accounts that they manage.) | ||
|
Opens a confirmation box that enables you to change the status of an enabled machine to Disabled. This prevents the end user from accessing protected applications on the registered machine. |
||
|
Opens a confirmation box that enables you to change the status of a disabled machine to Enabled. |
||
|
(Not recommended) Opens a confirmation box that enables you to permanently remove the machine from the service-hosted, cloud license manager server. To enforce the Maximum Number of Registered Machines, Thales recommends that you disable a registered machine instead of deleting it. |
||
|
Connects to the service-hosted, cloud license manager server to synchronize a machine account. If synchronization fails, then contact Thales Customer Support for assistance. |
||
Actions for Machine Accounts
The following table lists the actions available for machine accounts:
| Action | Description | |
|---|---|---|
|
Edit |
Updates information for an existing machine account. |
| Copy Identity String |
Copies the identity string to the Clipboard. This is useful if Sentinel Run-time Environment is not included with the protected application, and the end user needs to update the API .ini file with this identity string to use the protected application. Example of identity string: FFSTQYU:oBWAAQCBEFPxvWKzIBicixs/v0rerEA@licenseserver.example.com Example .ini file path on Windows: %LocalAppData%\SafeNet Sentinel\Sentinel LDK\hasp_<vendorId>.ini
|
|
| Copy Identity Link |
Copies the identity string and the link to the protected application to the Clipboard. This is the same link that is included in the email that is sent to end users using the Send Notification option to notify them that they have access to a protected application. This is useful if you want to share this link directly with the end user instead of using the Send Notification option. Make sure to share the Sentinel Run-time Environment together with the protected application, as described in Sentinel LDK Software Protection and Licensing Guide. Example of identity link: https://cloudportal.example.com/_int_/install.html?identity=FFSTQYU:oBWAAQCBEFPxvWKzIBicixs/v0rerEA@licenseserver.example.com |
|
|
Disable | Prevents the end user from using the protected application. You might disable a machine account if you want to temporarily prevent the end user from accessing the protected applications or to transfer the machine account to another end user. |
|
Enable | Re-enables a machine account that is marked as disabled, enabling the end user to use the protected applications that are available for that machine account. |
|
Delete |
Permanently deletes a machine account. The end user can no longer access the protected applications. You might delete a machine account when an employee leaves your organization. |
|
Synchronize |
Connects to the service-hosted, cloud license manager server to synchronize a machine account. |