New Features, Enhancements, and Changes
>Service Pack: 8.3.100 | December 2021
>Service Pack: 8.3.002 | December 2021
>Service Pack: 8.3.001 | November 2021
>Patch: 7/2021: Sentinel LDK-EMS and Vendor Suite (KB0024494) | July 2021
NOTE The Sentinel LDK 8.3 release includes all features and enhancements from earlier releases. Details on patches that were released between Sentinel LDK 8.2 and Sentinel LDK 8.3 are also included in this document.
If you are upgrading from a version of Sentinel LDK that is earlier than 8.2, be sure to review the release notes for all intervening versions. Significant enhancements and changes are introduced in each version of Sentinel LDK. You can download a zip file that contains all Sentinel LDK release notes.
Service Pack: 8.3.100 | December 2021
>Enhancements to Sentinel LDK Envelope
>Enhancement to Sentinel Licensing API
>Resolve log4j Security Vulnerability
Enhancements to Sentinel LDK Envelope
>Support for .NET 6
Sentinel LDK Envelope can now be used to protect .NET 6 applications.
>Releasing an Identity-based License
The enhancement describe below applies to:
•.NET applications
•Applications protected using the Windows default engine
Users now have the option to release their license for an application in a remote session and apply the license to an application in a local session.
An end user who is assigned an identity-based license is typically granted the right to access that license from two or more machines, but only from a single machine at any given time.
The user may face a situation in which they access their license from one machine (for example, their office machine) but fail to close the application's session. If they later attempt to access their license from a different machine (for example, their home machine), the login to the license would fail.
An application protected with Envelope now gives the user the option to release their license from the original session and assign it to the new session. Until now, this option was only available programmatically using Sentinel Licensing API. However, after installing this service pack, for applications protected with Envelope, this functionality is now provided automatically. No coding is required by the developer.
>Disabling the anti-debugging feature with Windows V3 engine
The protection parameter User Debugger Detection is now supported by the Windows V3 engine. As a result, you can now disable the anti-debugging feature when you protect an application using the Windows V3 engine.
Enhancement to Sentinel Licensing API
Sentinel Licensing API is now compatible with .NET 6 applications.
Resolve log4j Security Vulnerability
This service pack resolves an Apache log4j security vulnerability. For details, see SM-113525.
Service Pack: 8.3.002 | December 2021
Address the CVE-2021-44228 Vulnerability
This service pack addresses a critical security vulnerability. For details, see Resolved Issues: Service Pack: 8.3.002 and Security Updates.
Due to the severity of this vulnerability, Thales highly recommends that you apply the updates provided by this service pack as soon as possible.
This service pack is cumulative and also installs Service Pack 8.3.001 (if not yet installed).
NOTE Service Pack 8.3.002 is referred to in some documents as Patch 8.3.002.
Service Pack: 8.3.001 | November 2021
>Issue with Vendor-Specific APIs and the Vendor Library 8.31 has Been Resolved
>Documentation Has Been Updated
Issue with Vendor-Specific APIs and the Vendor Library 8.31 has Been Resolved
The issue below was discovered shortly after the release of Sentinel LDK 8.3.
After the vendor used the Master Wizard to download vendor-specific APIs and the vendor library version 8.31, updates to SL licenses were reapplied to the license each time the License Manager Service (for SL Admin-mode) or the protected application (for SL User-mode) was started. As a result, each time the License Manager Service or the protected application was restarted:
>If the license update contained a number of executions, the execution counter in the license was reset to the value in the license update.
>If the license update contained a value to write to the license memory, the memory content was restored to the value introduced in the license update, overwriting any subsequent changes to the license memory.
Resolution:
All issues have now been fully resolved. An updated version (8.32) of the vendor-specific APIs and the vendor library are available for download using the Master Wizard.
Important!
You should:
1. Reintroduce your Master or Developer key using the Master Wizard to generate the updated DLL and vendor library
and install this service pack (the order is not important).
2.Protect your applications again using Envelope.
Be sure to use this updated version when you distribute your vendor library (haspvlib.dll) and your protected applications.
Documentation Has Been Updated
>A new version of the Sentinel LDK Software Protection and Licensing Guide is now available. This version has been updated to include differences between Sentinel LDK-EMS hosted by Thales and Sentinel LDK-EMS installed on-premises. The guide also provides an appendix with an improved description of the differences between Sentinel EMS and Sentinel LDK-EMS.
>A new version of the Sentinel LDK Installation Guide with minor improvements is provided, including a security checklist for installing Sentinel LDK-EMS on-premises.
Release: 8.3 | October 2021
>Support for High Availability for Cloud Licensing
>Release of Sentinel LDK with Sentinel EMS
>Sentinel License Manager Service Supports Kubernetes Environment
>Envelope Now Provides Class-Level Protection for Java Applications Under Linux
>Sentinel LDK Envelope Now Supports AppOnChip for .NET
>Support for Oracle Java 11 and Open JDK 16
>Envelope Now Supports Intel CET
>Improved Performance for Envelope for Linux
>Customized RTE Installers Now Generated By Master Wizard
>Dropped Support for Business Studio Server
>Maximum Expiration Date for the Expiration Date License Type has been Extended
>Sentinel LDK Envelope Protects AutoCAD Plugin
>"Aggressive Search" Setting Removed from Admin Control Center
Support for High Availability for Cloud Licensing
Sentinel LDK now supports configuring a vendor-hosted cloud license server for high availability.
Sentinel LDK License Managers in the vendor's data center can be configured to store licenses in a common external trusted license storage (a MySQL database cluster).
You can set up License Managers on two license server machines (active and passive). In the event the active License Manager stops responding, an application manager can handle failover from the active License Manager to the passive one. Only one License Manager will serve licenses at any point in time.
For information on setting up high availability for cloud licensing, see the Sentinel LDK High Availability for Cloud Licensing Configuration Guide.
Release of Sentinel LDK with Sentinel EMS
Until now, Sentinel LDK has always been integrated and released with a dedicated version of Sentinel EMS (now referred to as Sentinel LDK-EMS). Sentinel LDK-EMS is available either for installation on the vendor's server (on-premises) or as a service (hosted on a Thales server).
Starting with this release, Sentinel LDK is available for integration with a new, enterprise-level version of Sentinel EMS, hosted on Thales servers. This improved version of Sentinel EMS provides an advanced user interface and REST API to manage resources. Sentinel EMS supports multiple methods of enforcement, including custom and third-party enforcement types.
For this edition of Sentinel LDK, only Sentinel LDK Vendor Suite is installed on the vendor's machine. The advanced version Sentinel EMS is hosted on Thales servers, where it is enhanced continuously with improvements and updates.
For vendors who are currently using Sentinel LDK and Sentinel LDK-EMS, the differences between Sentinel EMS and Sentinel LDK-EMS are summarized in the appendix "Comparison Between Sentinel EMS and Sentinel LDK-EMS" in the Sentinel LDK Software Protection and Licensing Guide.
NOTE For this release of Sentinel LDK, the Sentinel LDK Software Protection and Licensing Guide has not yet been updated to reflect the differences between Sentinel EMS and Sentinel LDK-EMS. An updated version of the guide will be released soon.
Sentinel License Manager Service Supports Kubernetes Environment
A Docker image is now available for vendors to host cloud licensing. Hosting of cloud licenses in Kubernetes environments with the Docker image has been tested.
Envelope Now Provides Class-Level Protection for Java Applications Under Linux
You can now use Sentinel LDK Envelope under Windows to provide class-level protection for Java applications that run on a 64-bit Linux Intel machine. (Class-level protection for Java applications that run on a Windows machine was introduced in Sentinel LDK 8.2.)
To provide class-level protection (or class-level and method level protection) for a Java application, protect the application using Envelope on a Windows machine. Envelope generates runtime files for both Windows and Linux machines to the specified output folder.
Copy the entire output folder to the target location (whether Windows or Linux).
Sentinel LDK Envelope Now Supports AppOnChip for .NET
Sentinel LDK Envelope now supports the use of AppOnChip to protect .NET applications. The applications must be protected using Method level or Method level & Windows Shell as the protection type.
For this release of Envelope, the support for AppOnChip for .NET does not include the integrated performance profiling mode that is provided when protecting a native Windows application with AppOnChip. Performance profiling must be performed using an external 3rd-party utility. Thales plans to include an integrated performance profiler in one of the coming releases.
The AppOnChip module for the Sentinel LDK Master license is not required for applications that are licensed using Sentinel HL Max, Time, NetTime, Net, and Drive keys. For applications that are licensed using Sentinel HL Basic keys or Sentinel HL Pro keys, an annual or perpetual AppOnChip module must be obtained from Thales.
For more information regarding AppOnChip protection for .NET applications, see the Envelope help system.
Support for Oracle Java 11 and Open JDK 16
Sentinel LDK Envelope under Windows now supports the protection of Oracle JDK 11 and Open JDK 16 applications for Windows, Linux, and Mac. This includes applications that use the Java Platform Module System (JPMS).
As part of the protection process, Envelope generates files that contain the command required to execute module-based applications on different platforms. You must modify these files before using them to execute the protected application.
For details, see the help system for Sentinel LDK Envelope.
Envelope Now Supports Intel CET
Sentinel LDK Envelope for Linux now support ELF binaries that are compiled with Intel Control-Flow Enforcement Technology enabled.
Improved Performance for Envelope for Linux
The performance of Envelope for Linux applications has been significantly improved. Envelope now require much less time to protect applications that have a large number of relocations.
Customized RTE Installers Now Generated By Master Wizard
The Master Wizard can now be used to generate customized Run-time Environment installers for Windows, Linux, and Mac. The Master Wizard downloads the latest Run-time Environment installer for each platform and inserts the current Vendor library into each installer. The installer for Windows is also configured to insert the URL for accessing Sentinel LDK-EMS. For more information, see the description of introducing Vendor keys in the Sentinel LDK Installation Guide.
In the current version of Sentinel LDK-EMS, the same Run-time Environment installers can be downloaded from the Developer page (RTE Installer tab). However, this capability is planned to be discontinued in Sentinel LDK-EMS 8.4.
Dropped Support for Business Studio Server
Sentinel LDK 8.3 no longer supports Sentinel HASP Business Studio Server (BSS) or the Business Studio user interface.
As a result:
>The Sentinel LDK installer no longer checks for the presence of the Business Studio Server.
>The Business Studio Server option has been removed from the Master Wizard.
>The Sentinel HASP Business Studio Server API (BSS API) is no longer supported.
>The Sentinel HASP Business Studio Server API for Sentinel EMS is no longer supported.
>HASPClient and SOAPWS have been removed from Sentinel LDK-EMS.
>Legacy Business Studio Server folders and files are no longer installed with Sentinel LDK.
>Legacy Activation API and samples are no longer installed with Sentinel LDK.
>References to Business Studio Server have been removed from the Sentinel LDK 8.3 documentation.
>The Business Studio Server migration tool is no longer provided with Sentinel LDK 8.3.
Vendors who want to migrate from Sentinel HASP Business Studio Server to Sentinel LDK can do so by installing and migrating to Sentinel LDK 8.2, and then upgrading to the current version of Sentinel LDK. Sentinel LDK 8.2 will continue to be available for download until further notice.
The guide for migrating from Sentinel HASP Business Studio Server to Sentinel LDK 8.2 will continue to be available from https://docs.sentinel.thalesgroup.com/ldk/migration.htm
Maximum Expiration Date for the Expiration Date License Type has been Extended
The maximum allowed expiration date for a license with the Expiration Date license type has been extended from 2038 to 2091.
Sentinel LDK Envelope Protects AutoCAD Plugin
Sentinel LDK Envelope can now protect an AutoCAD plugin (versions 2020, 2021, and 2022).
To protect an AutoCAD plugin, you must select the engine option Use Windows V3 engine on the Advanced tab in the Sentinel LDK Envelope Settings window. After you change the selected engine, stop and then restart Envelope before you continue working.
"Aggressive Search" Setting Removed from Admin Control Center
The setting Aggressive Search for Remote Licenses has been removed from Admin Control Center. The aggressive search functionality is now always enabled, as this provides benefit with no negative impact.
Patch: 7/2021: Sentinel LDK-EMS and Vendor Suite (KB0024494) | July 2021
NOTE In parallel with this patch, Sentinel LDK Run-time Environment 8.23 is being released. You must install this version of the Run-time Environment on all vendor and customer machines in order to support all new functionality provided by this patch.
>Detaching Seats With Concurrency
>Support for Cloud Licensing in Admin API Has Been Enhanced
>Support for Rosetta 2 Emulation in Envelope for Mac
>Relative Paths Are Now Supported in the Envelope Project File
>Envelope Can Now Protect a Launcher App for Android
>Automatic Firmware Upgrade for Sentinel HL Keys
>New Features, Enhancements, and Changes
>V2CP Format Is Now Available for Sentinel SL Product Keys and Protection Key Updates
Detaching Seats With Concurrency
When detaching a license from a cloud license server machine, you have the option of specifying that the detached license should contain one or more network seats. These seats can be accessed concurrently on the machine that receives the detached license.
A detached license with concurrency can be used to:
>Set up second-level license servers. These can be used to provide greater control over the distribution of network seats within an organization and to minimize the overhead of license administration. For more information, see the Sentinel LDK Software Protection and Licensing Guide.
>Control the number of local hardware resources used by an application. For example, a customer can limit a protected application to use 4 out 8 CPUs. This requires a detached license with 4 seats, where access to each CPU is granted after the application logs in to the license. In this example, the fifth login will be denied, ensuring that only 4 CPUs are in use.
Sentinel LDK Run-time Environment 8.23 must be installed both on the license server machine and the machine to which seats are detached.
Simplified SL Key Creation and Updates in Sentinel EMS for Vendor-Hosted Cloud Licenses Now Available Using Web Services
You can now use Sentinel EMS Web Services to produce an entitlement and push an SL key or license update to your cloud license server in a single operation.
This simplifies the process and removes several steps that otherwise need to be performed manually. For a Product Key, this results in a new SL key on the license server. For a Protection Key update for a single key, this updates the selected key on the license server.
When you create an entitlement, you define the XML to include specific definitions. Then you insert the entID in the new pushActivation web service call.
For configuration details, see the cloud licensing options in the Administration Console and other locations, as described in the Sentinel LDK–EMS Configuration Guide.
For usage details, see the sections on producing and pushing a license for a Sentinel SL key in the Sentinel LDK–EMS Web Services Guide.
Support for Cloud Licensing in Admin API Has Been Enhanced
Sentinel Admin API has been enhanced to support cloud licensing as described in this section.
Retrieving Identity Status
When using Admin API to retrieve an individual client identity, the retrieved information now includes the identity status and the identity creation date. For example:
<identity> <identity_code>V3FODP3</identity_code> <identity_secret>oBWAAQCBEFDgoU5T2jAw3uo0ExljSZQ</identity_secret> <issued_to>123</issued_to> <allow_remote_login_access>1</allow_remote_login_access> <allow_remote_detach_access>0</allow_remote_detach_access> <allow_network_detach_access>0</allow_network_detach_access> <limit_to_key_id></limit_to_key_id> <creation_date>1621497648</creation_date> <disabled>0</disabled> <maximum_number_of_auto_registered_machines>1</maximum_number_of_auto_registered_machines> <registered_machines></registered_machines> </identity>
Creating a Client Identity That Supports Detaching Seats With Concurrency
When using Admin API to create a client identity, you can include the following tag to allow the user to detach seats with concurrency from a cloud license server:
<element allow_network_detach_access="1"/>
Identifying Cloud Information When Retrieving SL Key Data
When using Admin API to retrieve all data regarding an SL key, the tag <cloud‑based> indicates whether the SL key is not identity-based, local and identity-based, or remote and obtained using an identity.
Support for Rosetta 2 Emulation in Envelope for Mac
The following enhancements have been implemented for Sentinel LDK Envelope running with the Rosetta 2 emulator:
>Envelope can be used on an Apple-Silicon Mac machine.
>Envelope no longer supports 32-bit Intel binaries.
If a binary contains 32-bit Intel code (for example, as part of a universal binary), Envelope strips the 32-bit code from the resulting binary.
>64-bit Intel binaries protected by Envelope can be executed on an Apple-Silicon Mac machine using the Rosetta 2 emulation.
Code written for native Apple-Silicon cannot be protected. If the binary contains native code for Apple-Silicon (for example, as part of a universal binary), Envelope strips the native Apple-Silicon code from the resulting binary.
>If a binary does not contain code for the 64-bit Intel architecture, Envelope reports an error.
This can occur when the binary contains only 32-bit Intel code or only Apple-Silicon code.
In these situations, earlier versions of Envelope would create a binary with no code.
>Newer versions of Xcode/Clang may generate code with embedded data. At runtime, the contents of the code section are both executed and read from. When dump protection is enabled in Envelope, this situation could cause "bad access" exceptions (EXC_BAD_ACCESS). These exceptions would either:
•cause the process to fail, OR
•cause the exception alert to be displayed, and the user would have to abort the process.
Envelope now detects access to the code section from the code section itself and handles these cases gracefully.
For more information, see the description of Rosetta support in the help system for Sentinel LDK Envelope for Mac.
Relative Paths Are Now Supported in the Envelope Project File
(For Windows and Mac projects) When protecting an application using Sentinel LDK Envelope, you can now use relative paths in the project file in the INPUT_FILE, OUTPUT_FILE, and the BUNDLE fields.
For example:
<INPUT_FILE>../Deploy/Thales/Sample Desktop-devel.exe</INPUT_FILE>
Envelope Can Now Protect a Launcher App for Android
Sentinel LDK Envelope can now be used to protect a launcher app for Android. The protected APK can run whether it is started it from the launcher or from the system (by pressing on the home button).
Automatic Firmware Upgrade for Sentinel HL Keys
When you upgrade a Sentinel HL key to the Driverless configuration, the Firmware on the key may be automatically upgraded. Until now, the automatic upgrade would occur only if the Firmware on the key version was version 4.23.
After installing this patch, when you upgrade a Sentinel HL key to the Driverless configuration, the Firmware is upgrade to version 4.60 if the current version is earlier than 4.60.
Automatic Firmware upgrade is not relevant for Sentinel HL Drive microSD keys.
Sentinel EMS UI Branding Changes
Footer logo customization was removed from the UI Branding section in the Administration Console.
V2CP Format Is Now Available for Sentinel SL Product Keys and Protection Key Updates
In Sentinel EMS, you can now set the default file format for licenses to V2CP (Vendor-to-Customer Package) instead of V2C (Vendor-to-Customer). This enables Sentinel EMS to deliver multiple updates to end customers in a single package. The License Manager subdivides V2CP files into their component V2C files and then applies each update in sequence.
End users can continue to activate licenses seamlessly, regardless of the file format type.
For details on managing the default file format setting, see the section on using the V2CP file format in Sentinel LDK–EMS Configuration Guide.