Distributing Sentinel LDK Authentication Runtime
User-based (cloud) licensing uses OAuth authentication to enable users to log on to a protected application from any supported device using their credentials.
To support user-based licensing for desktop (public) applications, you must bundle and configure the Sentinel LDK Authentication Runtime together with your protected application, unless your application already includes logic that retrieves the Sentinel Access token.
This section describes the files that you may need to provide and how to configure them. These files should be included in the same directory that contains the protected application.
Copy the files described below from the following directory on the machine where Sentinel LDK is installed:
For Windows: | %ProgramFiles(x86)%\Thales\Sentinel LDK\Redistribute\Authentication Runtime\ |
For Linux: | Linux/Redistribute/Authentication Runtime/ |
>hasp_auth.exe (for Windows) or hasp_auth (for Linux)
This file contains the Authentication Runtime. The file launches the browser to display the login screen for the user.
If the protected application is configured to launch the login screen in the browser, it is not necessary to distribute the hasp_auth file with the protected application. However, if the application is protected with Envelope, you must distribute the hasp_auth file with the protected application.
>hasp_auth.ini
This file contains Authentication Runtime configuration parameters. Modify these parameters as follows:
SNTL_TOKEN_URI | Sentinel IDP endpoint. Obtain this value from Sentinel EMS. For details, see Sentinel Identity Provider (IDP). |
SNTL_AUTHZ_URI | Token endpoint. Obtain this value from Sentinel EMS. For details, see Sentinel Identity Provider (IDP). |
SNTL_LM_HOST | This is the Sentinel EMS URL, after stripping the protocol (HTTPS). For example: company-name.prod.sentinelcloud.com |
SNTL_CLIENT_ID | The client ID from the OAuth client. Obtain this value from Sentinel EMS after you have created a public OAuth client. For details, see Adding an OAuth Client. |
SNTL_REDIRECT_URI | Use the value http://localhost/v1/callback. (When you create a public client in Sentinel EMS, use this value for Redirect URIs.) For details, see Adding an OAuth Client. |
SNTL_CODE_CHALLENGE_METHOD | Use the value that you specified in Sentinel EMS for PKCE Code Challenge Method. Possible values: plain or S256. For details, see Adding an OAuth Client. |
SNTL_STORE_AUTHZ | Default: false. Set to true only if the customer wants to store credentials in Windows Credential Manager or Linux Credential Manager. This can be set by the vendor or by the customer. |
SNTL_SCOPE | Use the default value: openid |
SNTL_AUTH_PROXY | If the end user requires a proxy server to access the Internet, provide the URL for the proxy server. For example: Proxy server parameters should also be set in the hasp_<vendorId>.ini file (described below). |
SNTL_AUTH_PROXY_PWD | When using a proxy server: Proxy server username and password, separated by a colon (:). For example: user_id:Aa12345678 |
SNTL_LOG_LEVEL | For troubleshooting, you can set the log level. The following values are supported: DEBUG, ERROR, INFO. If this attribute is set, a log file named logrus.log is generated in the directory containing the application. |
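A pre-distribution check for the parameters listed above, as an added example (not Thales code and not part of the original page). It assumes hasp_auth.ini is a flat list of KEY = VALUE lines; the names parse_ini and lint and the sample values are hypothetical.

```python
REDIRECT_URI = "http://localhost/v1/callback"  # value the page prescribes

def parse_ini(text):
    """Assumed file format: flat KEY = VALUE lines, '#' or ';' for comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def lint(cfg):
    """Return (severity, parameter, message) findings for a parsed file."""
    out = []
    host = cfg.get("SNTL_LM_HOST", "")
    if not host or "://" in host:
        out.append(("error", "SNTL_LM_HOST", "missing, or protocol not stripped"))
    if cfg.get("SNTL_REDIRECT_URI") != REDIRECT_URI:
        out.append(("error", "SNTL_REDIRECT_URI", "must be " + REDIRECT_URI))
    method = cfg.get("SNTL_CODE_CHALLENGE_METHOD")
    if method not in ("plain", "S256"):
        out.append(("error", "SNTL_CODE_CHALLENGE_METHOD", "must be plain or S256"))
    elif method == "plain":  # RFC 7636: plain sends the verifier as the challenge
        out.append(("warn", "SNTL_CODE_CHALLENGE_METHOD", "prefer S256 over plain"))
    if cfg.get("SNTL_SCOPE", "openid") != "openid":
        out.append(("warn", "SNTL_SCOPE", "page says to use the default, openid"))
    if cfg.get("SNTL_STORE_AUTHZ", "false").lower() == "true":
        out.append(("warn", "SNTL_STORE_AUTHZ", "confirm the customer wants stored credentials"))
    if cfg.get("SNTL_AUTH_PROXY_PWD"):
        out.append(("warn", "SNTL_AUTH_PROXY_PWD", "proxy credentials sit in this file"))
    level = cfg.get("SNTL_LOG_LEVEL")
    if level is not None and level not in ("DEBUG", "ERROR", "INFO"):
        out.append(("error", "SNTL_LOG_LEVEL", "must be DEBUG, ERROR or INFO"))
    elif level is not None:
        out.append(("warn", "SNTL_LOG_LEVEL", "writes logrus.log beside the application"))
    return out

# Constructed sample file; the host name reuses the page's own example.
SAMPLE = """\
SNTL_LM_HOST = https://company-name.prod.sentinelcloud.com
SNTL_REDIRECT_URI = http://localhost/v1/callback
SNTL_CODE_CHALLENGE_METHOD = plain
SNTL_LOG_LEVEL = DEBUG
"""

if __name__ == "__main__":
    for finding in lint(parse_ini(SAMPLE)):
        print(*finding, sep=": ")
```

Run it against the file you intend to ship; an empty result means every value matches what this page specifies.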
>welcome.html
This screen is displayed after a user logs in to the protected application successfully. You can modify this screen to suit your requirements.
>hasp_<vendorId>.ini
(Required only for public applications.)
You must create this License Manager configuration file and bundle it with the protected application or install it on the end user's machine. For a Windows desktop application, this file is typically located in the %LocalAppData%\SafeNet Sentinel\Sentinel LDK\ directory. For more information, see Working Directly With License Manager Configuration Files.
This file must contain the entry hasp_auth_rte=1. For example:
hasp_auth_rte=1
If the user requires a proxy server and you specified values for the SNTL_AUTH_PROXY and SNTL_AUTH_PROXY_PWD fields above, provide the corresponding proxy parameter values in this file. Use the following syntax:
proxy = 1
proxy_host = <host>
proxy_port = 8080
proxy_username = <username>
proxy_password = <password>
hasp_auth_rte=1