License Installation
You have the following options for installing the license:
>Cloud Licensing: Uses Sentinel LDK Cloud Licensing (CL) Service for user-based and device-based licensing.
>Network Licensing: Licenses are managed by a local license server within the customer's network, allowing for concurrent use and offline detachment.
>Local Licensing: Licenses are deployed on the same machine as the protected application and are tied to machine fingerprints or hardware keys (dongles).
Here is a quick comparison:
Feature | Cloud Licensing | Network Licensing | Local Licensing |
---|---|---|---|
Management | Centralized | Customer IT operations | Local device (IT administrator or end user) |
Access Control | User-based and device-based | Network server | The device identified by its fingerprint or by an attached dongle |
Offline Support | Detachable licenses | Detachable licenses | Always supported |
Scalability | High | Moderate | Low |
Suitable For | Remote access, SaaS: Use cloud licensing for SaaS and geographically distributed users. | Corporate environments: Offer network licensing for enterprise customers requiring concurrent use. | Standalone applications: Provide local licensing for small-scale or offline-first applications. |
For More Information | Produce & Push | Manual License Installation | Manual License Installation |
Produce & Push
Cloud Licensing (CL) is hosted and managed by Thales, enabling centralized application licensing. Customers access licenses managed in a Thales-hosted cloud environment, and license installation is initiated directly from within Sentinel EMS using the REST API or the user interface (portals).
For Produce & Push, note the following:
>Only vendors can perform it.
>The entitlement must be associated with a customer.
>The product locking type must support SL Admin Mode and allow network licensing and concurrent instances.
>Enable the produce and push setting, if not already set.
>If you are updating an existing Thales-hosted cloud-licensing key, set keyId to the identifier of the CL key for which you want to produce and push the license.
The CL server supports the following client configurations:
User-Based Licensing (UBL)
Overview
UBL links licenses to specific users rather than to specific devices. The user is authenticated using an Identity Provider (IdP). Sentinel LDK supports both Sentinel IdP and external IdPs. Applications consuming UBL licenses can use the Sentinel LDK REST APIs or the native Sentinel LDK APIs.
Integration Requirements
>For Sentinel IdP (default): Sentinel IdP manages authentication and user credentials. You must configure your application to interact with the Sentinel IdP and use its APIs to validate users and obtain license details.
>For External IdPs: You must configure the external IdP (a third-party IdP, such as Okta or Azure AD) in Sentinel EMS, and configure your application to use the relevant REST APIs for license management.
>Application Configuration: You must include Sentinel LDK libraries (specific to the language or technology of the application) and embed the REST API calls for license checks, such as obtaining licenses and validating user authentication. In addition, you must configure applications to connect to the Thales-hosted Cloud LM.
License Installation
The Sentinel LDK CL service holds the license, so the client application does not need to install it.
The Customer Administrator can use the Sentinel EMS Customer Portal, or the Sentinel EMS REST API, to configure for each product which end users have access to the license.
For detailed guidance, refer to Tutorial: User-Based Licensing.
Device-Based Licensing
Overview
Device-based licensing binds licenses to a device's identity string, ensuring secure access without requiring a user-based authentication mechanism.
This mode is suitable for scenarios where device-specific entitlements or licenses are preferred. Applications interact using the Sentinel LDK native libraries and APIs. This mode uses the device's identity string, which is tied to the physical or virtual machine running the application.
Customer Administrator User Workflow
Use the Sentinel EMS Customer Portal to create and configure machine accounts. A machine account defines an end user's access to a licensed application on a specific machine (client device). Each machine account is associated with a single identity, represented by an identity string, which is installed on the relevant machine.
Installing Identity String on Client Machine
An identity string must be installed on the target machine. The end user must either click and approve the identity string received from Sentinel EMS by email, or configure it manually in the hasp_<vendorID>.ini file.
For detailed guidance, refer to Tutorial: Identity-Based Licensing Using Machine Accounts.
Comparison Between User-Based and Device-Based Licensing
Feature | User-Based Licensing | Device-Based Licensing |
---|---|---|
Identity | User via IdP authentication | Identity string |
APIs Required | Sentinel LDK REST APIs and Sentinel LDK Licensing API | Sentinel LDK REST APIs and Sentinel LDK Licensing API |
License Manager | Thales-hosted CL Server | Thales-hosted CL Server |
Offline Support | Limited when using REST APIs. Provides detachable licenses when using the Sentinel LDK Licensing API | Detachable licenses |
Use Case | SaaS, multi-device users | Dedicated devices |
Manual License Installation
The license is generated in Sentinel EMS and made available for download. It can be applied to a local or remote Sentinel License Manager (LM), either via the administration tools or directly through the Sentinel LDK Licensing API.
Client-Side Network Licensing
Network licensing involves deploying a license server within the customer’s environment for shared or concurrent use.
Requirements:
>Install and configure the Sentinel LM on the customer’s network.
>(Optional) Allow licenses to be detached for offline use where necessary.
>Implement communication between the client application and the LM using the Sentinel LDK Run-time Installation API.
Advantages:
>Supports concurrent users within an organization.
>Offline capabilities via license detachment.
>Simplified network management for corporate customers.
>In the case of a virtual environment, users can install the license manager on a physical server and let VMs work like clients.
Disadvantages:
>Requires internal IT resources for managing the LM.
>Device-specific fingerprinting may cause challenges with virtual environments.
Client-Side Local Licensing
Local licensing provides protection tied directly to a user’s device, often through a hardware dongle (preferably driverless) or software-bound key.
Requirements:
>Deploy Sentinel LDK Run-time Environment on client machines.
>Sentinel Runtime is not required with a driverless HL key (preferred).
>Licenses are bound to hardware signatures or USB dongles.
>Use Sentinel APIs to consume licenses during runtime.
Advantages:
>Simple implementation for single-device use.
>Works offline without additional configuration.
>Prevents unauthorized copying.
Disadvantages:
>Limited flexibility when accessing from multiple devices.
>Vulnerable to device failure or fingerprint change, requiring the license to be re-issued.