Rate Limiting for the Thales-Hosted Cloud Licensing Service

Thales offers a service called hosted cloud licensing to vendors who use Sentinel LDK and who subscribe to Sentinel EMS. When you subscribe to the hosted cloud licensing service, Thales hosts a high-availability license manager to serve cloud licenses to your customers. You create and manage cloud licenses and client identities using this hosted service.

Your license agreement with Thales includes the following limitations on the number of Licensing API calls that will be served:

>Identity-level rate limit is 40 API requests per minute (peak value).

>Customer-level rate limit is 20,000 API requests per minute (peak value) and 5,000,000 API requests per 24 hours. This limitation is based on the assumption that you have approximately 1,000 concurrent identity sessions. This does not indicate that you are limited to 1000 end users.

For more information, see .Sentinel LDK Software Protection and Licensing Guide for Sentinel EMS.

Complying With Rate Limiting

To ensure that API calls from your licensed users do not exceed the rate limits described above, you can use Sentinel Licensing API or the WebService API to limit the frequency with which API calls are sent to the hosted cloud license service. (Rate limiting only applies to API calls that use client identities.)

Best practices for complying with the rate limits include avoiding unnecessary but repetitive API calls, such as calling encrypt/decrypt every few second to keep a session alive.

NOTE   Rate limiting is also applicable for vendor-hosted cloud licensing. For more information, see Rate Limiting for Vendor-Hosted Cloud Licensing.

Using Sentinel Licensing API, you can implement rate limiting for cloud license API calls by protected applications on customers’ machines. The use of rate limiting improves the licensed user experience if licensed user interactions with the applications are generating an excessive number of API calls to the license server.

Your license agreement with Thales is enforced by a device-based rate limiting policy using a token bucket algorithm (https://en.wikipedia.org/wiki/Token_bucket), as follows:

Rate limiting is enforced by a device-based rate limiting policy using a token bucket algorithm (https://en.wikipedia.org/wiki/Token_bucket), as follows:

>Each protected application that uses cloud licensing is assigned a bucket. The bucket is assigned a starting number of tokens. The number assigned is also the maximum number of tokens that the bucket can contain.

>Each of the following types of API calls consumes between 1 or more tokens from the bucket and is affected by exceeding the rate limit: hasp_login, hasp_logout, hasp_encrypt, hasp_decrypt, hasp_read, hasp_write, hasp_get_rtc, and hasp_update_session. These calls can fail with the error HASP_IDENTITY_RATE_EXCEEDED.

NOTE   Each Restful API consumes 1 token from the bucket.

>When the bucket is empty, the rate limit is considered to be exceeded.

>New tokens are added periodically to the bucket.

The rate limit forces you to implement protection of your application using a limited number of API calls.

Rate Limiting Mechanism

The following mechanisms exist for implementation of rate limiting:

>With Sentinel Licensing API 9.0 or later:

The bucket is stored in the identity session. This means that each application uses a different bucket, and different applications do not interfere with each other. The license server always fulfills the API calls, but if the rate limit is exceeded, the license server notifies the Licensing API how long to wait before making a new call. The Licensing API then causes the API call to fail on the client side, without any connection with the license server, until the stated time has elapsed.

>With Sentinel Licensing API earlier than version 9.0:

It is not possible to make the API call to fail on the client side. Therefore, the license server makes the API call fail and returns the error HASP_IDENTITY_RATE_EXCEEDED to the client.

NOTE   This method of failing the API call is inefficient. It saves only a fraction of the server work, as the server still has to process the API call. The older Licensing API also invalidates the HASP secure channel, requiring the secure channel to be reestablished, and then consuming additional API calls.

>With Sentinel Licensing REST API:

Once rate limiting is triggered, the license server makes the API call fail and returns the error HASP_IDENTITY_RATE_EXCEEDED at the LDK level, and returns the error 429 at the HTTP level. A Retry-After header is included to this response, indicating how long to wait before making a new API call. The use of the WebService API differs from the Licensing API in that the bucket is stored at the identity level. As a result, all applications that use the same identity share the same bucket.

NOTE   To reduce token consumption, Thales highly recommends that you use the latest version of Sentinel Licensing API.