Fingerprint Generator Tool

Generating an SL AdminMode or SL UserMode protection key license to run a protected application requires a fingerprint (C2V file) from the target machine on which a license will be installed. You can use the Fingerprint Generator Tool to manually generate machine fingerprints on behalf of users for machines where outgoing file transmission is restricted. (When restrictions do not exist, fingerprints can be generated using the RUS tool or Admin Control Center on the target machine.)

Users can display the required hardware identifier data on the target machine's screen and share it with you via email or telephone. To display the data, they run your application, which calls the Licensing API get_info function to retrieve these hardware identifiers. For more details, see Sentinel LDK ToolBox User Guide.

You can then enter the data into the Fingerprint Generator Tool on a machine where Sentinel LDK is installed. Afterward, you can use Sentinel EMS to generate the required license (V2C or V2CP file), which is installed on the target machine.

The fingerprint generated by the tool includes the mandatory parameter SSID (Secure Storage Identifier) and at least one of the following hardware identifiers from the target machine:

>MAC address

>FQDN (Fully Qualified Domain Name)

>IP address

>SID (Security Identifier on Windows or Machine ID on Linux)

In the hardware identifiers provided by the Licensing API get_info function, each hardware identifier is appended with a single-character checksum, separated by a slash (/). This checksum character helps confirm that the value was not mistyped or corrupted when communicated between the user and the vendor.

The checksum character is appended to the end of each hardware identifier (for example, MAC address, FQDN). Its purpose is to validate that the identifier has been entered or transmitted correctly. For example:

MAC address:     00-50-56-84-64-F8/c
FQDN:            ndsmt0214271-2/j
IP Address:      10.164.27.17/a
SID:             S-1-5-21-3288819229-3833815190-3254703673/t

The Fingerprint Generator Tool enables you to:

>Support environments where C2V files cannot be shared due to security restrictions.

>Generate fingerprints that are compatible with both Windows and Linux platforms.

>Generate fingerprints for both physical machines and virtual machines.

>Validate the accuracy of manually entered hardware identifiers using checksum characters. The checksum is optional. If omitted, the tool accepts the identifier as is and skips checksum validation.

>Use identifiers of hardware-based components (described below) to generate fingerprints for SL UserMode and SL AdminMode licenses.

When generating a fingerprint file, consider the following:

>Security decreases when using fewer components (for example, using only MAC address or only FQDN).

>If the SSID (Secure Storage Identifier) is not provided, Thales recommends that you use Perpetual or Expiration Date licenses for enhanced security.

>For SL UserMode licenses, provide instructions for users on how to fetch the MAC address and FQDN, or how to implement APIs to automate this process and display the information from their application.

>When generating a license using the fingerprint generated by the tool, you must use the custom clone protection scheme.

Working With the Fingerprint Generator Tool

The Fingerprint Generator Tool is installed as part of the Sentinel LDK Vendor Suite.

To generate a fingerprint file:

1. On the machine where Sentinel LDK Vendor Suite is installed, open a Command Prompt window.

2. Navigate to the directory containing the Fingerprint Generator Tool. For example:

cd "%ProgramFiles(x86)%\Thales\Sentinel LDK\VendorTools\Utilities\Fingerprint Generator Tool"

3. Prepare and execute the appropriate command to generate the fingerprint file. Below is the general command-line syntax:

fingerg_windows_x64 -mac <MACAddress> -fqdn <Fully Qualified Domain Name> -ip <IPAddress> -sid <Machine SID> -ssid <SecureStorageID> -fptype <FingerprintType> -vid <VendorID> -vm -f <Output File Name>

Replace the placeholders with the relevant information as specified in the table below. Make sure to include all mandatory parameters and at least one of the following: -mac, -ip, -fqdn, -sid.

Parameter   Description
-ssid       (Mandatory) Hash of the SSID (Secure Storage Identifier). NOTE: When you set the SSID to unenforced, the Fingerprint Generator Tool disables the SSID check. In this case, the system does not support rehost and detach operations.
-fptype     (Mandatory) License Type to generate. Possible values are: adminmode and usermode.
-vid        (Mandatory) Vendor ID.
-mac        MAC address in the format XX:XX:XX:XX:XX:XX.
-ip         IP address. NOTE: Enter the machine’s IP address only when it is static or fixed. A static IP allows the system to consistently identify the machine during license validation. IP addresses of WiFi cards are not supported.
-fqdn       FQDN in the format SERVER.DOMAIN.
-sid        Security identifier (Windows) or machine ID (Linux).
-vm         If specified, indicates that the fingerprint is for a virtual machine.
-f          The output file name. If not specified, the fingerprint data is displayed in the command prompt console.
-help       Display help and usage instructions.

Run the command to generate a fingerprint and save it to a file. For example:

Without checksum:

fingerg_windows_x64 -mac D0:51:A9:0B:9F:80 -fqdn darkstar.example.com -ip 10.23.105.51 -sid 18f40b0 -ssid 1A145732 -fptype usermode -vid 21499 -f output.txt

With checksum:

fingerg_windows_x64.exe -fqdn ndsmt0214271-2/j -ssid 3258884752/4 -ip 10.164.27.17/b -mac 00-50-56-84-64-F8/b -sid S-1-5-21-3288819229-3833815190-3254703673/u -fptype adminmode -vid 37517 -f output.txt

The tool automatically validates the checksum for each identifier. If any identifiers are entered incorrectly (for example, incorrect MAC address or FQDN), the tool will return an error, prompting you to verify the values. For example:

The following identifier(s) are invalid because the checksum does not match the expected value. Verify that you entered them correctly.
-mac
-fqdn

If the command runs successfully, a message is displayed in the console indicating that data is written to the file. For example, Data written to file:output.txt.

4. Check the console or output file (if available) for the generated fingerprint details in XML format. For example:

<hasp_info>
<host_fingerprint type="SL-UserMode" vendorid="21499" crc="1023009405">MnhJSbP0sIO3eLBDiJ5e6oG5CRo6wMewJPT2rB5GxszRTzuoYFEPn+VgTs79fYEHOgv+/sAHOeTc1/c81A==</host_fingerprint>
</hasp_info>

The output.txt file is saved in your default directory (%ProgramFiles(x86)%\Thales\Sentinel LDK\VendorTools\Utilities\Fingerprint Generator Tool).

5. Use the generated fingerprint file in Sentinel EMS to generate the license.
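
A pre-flight check for step 3, as an added example that is not part of the Thales documentation or tooling: it checks the syntax of identifiers received by email or telephone, enforces the mandatory-parameter rule, and assembles the command as an argument list so that relayed text is never interpreted by a shell. The function names, the allowed character set for -ssid and -sid, and the numeric Vendor ID check are assumptions; the checksum character is only split off, because the page does not describe how it is computed.

```python
import ipaddress
import re

# Syntax checks only: the page does not describe the checksum algorithm, so the
# character after "/" is passed through unchanged for the tool itself to verify.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")  # assumed safe alphabet for -ssid / -sid

def split_checksum(value):
    """Split 'identifier/c' into (identifier, checksum character or None)."""
    ident, sep, check = value.strip().partition("/")
    if sep and len(check) != 1:
        raise ValueError(f"checksum must be exactly one character: {value!r}")
    return ident, (check if sep else None)

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

CHECKS = {"mac": MAC_RE.fullmatch, "fqdn": FQDN_RE.fullmatch,
          "ip": _is_ip, "sid": TOKEN_RE.fullmatch}

def build_command(ssid, fptype, vid, outfile=None, vm=False, **identifiers):
    """Return an argv list for the tool; raise ValueError naming rejected options."""
    given = {k: v.strip() for k, v in identifiers.items() if v}
    if not given:
        raise ValueError("provide at least one of -mac, -ip, -fqdn, -sid")
    bad = [f"-{k}" for k, v in given.items()
           if k not in CHECKS or not CHECKS[k](split_checksum(v)[0])]
    if not TOKEN_RE.fullmatch(split_checksum(ssid)[0]):
        bad.append("-ssid")
    if fptype not in ("adminmode", "usermode"):
        bad.append("-fptype")
    if not re.fullmatch(r"[0-9]+", str(vid)):  # assumption: Vendor ID is numeric
        bad.append("-vid")
    if bad:
        raise ValueError("rejected before running the tool: " + ", ".join(bad))
    argv = ["fingerg_windows_x64"]
    for name, value in given.items():
        argv += [f"-{name}", value]  # value keeps its "/c" suffix, if any
    argv += ["-ssid", ssid.strip(), "-fptype", fptype, "-vid", str(vid)]
    argv += (["-vm"] if vm else []) + (["-f", outfile] if outfile else [])
    return argv  # run with subprocess.run(argv), never as a shell string
```
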

Troubleshooting License Generation

Scenario: License generation fails due to insufficient fingerprint data (for example, Platform Default was used with insufficient required criteria).

Resolution: Use a custom clone protection scheme based on criteria that align with the identifiers specified in the tool.