Revision History

This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.

The revision history for earlier versions of Sentinel Run-time Environment is available at: https://docs.sentinel.thalesgroup.com/ldk/LDKdocs/RTE_History/Default.htm

Enhancements in Version 8.13

Reference Description
SM-50563 Enhancements to clone protection scheme VMType3 are now supported by the Admin License Manager. This scheme now supports the Amazon EC2 cloud computing service in addition to Microsoft Azure. This provides enhanced clone protection for protected applications that execute on these platforms.
SM-66926 You can now generate a C2V file for a Master key or Developer key using the Sentinel Keys page in Admin Control Center.
SM-70231 Disk serial number is now included in the fingerprint of the end user's machine, regardless of third party driver versions (for example: Intel RAID).
SM-80982 Sentinel Run-time Environment now supports the cloud licensing functionality that was added to Sentinel Admin API. Using this new functionality, you can now use Admin API to automate the management of identity clients instead of performing manual operations in Sentinel Admin Control Center.
SM-81994 The field "Issued to Client" on the configuration page for client identities has been renamed "Issued to".
SM-82620 Documentation has been updated to better describe the behavior of the Run-time Environment command line installer when a V2C file is present in the directory. See the description of installing the Run-time Environment in this document.

Issues Resolved in Version 8.13

Reference Description
SM-78964

haspdinst.exe would fail if a vendor library was present on the machine but was not signed, or if its signature was not correct.

The behavior of haspdinst.exe has been changed so that in these situations:

>The installation of the Run-time Environment succeeds, but the vendor library is not copied to the destination path.

>An entry is added to the log file stating that the vendor library (identified by its full path) is not signed or its signature is not correct, and that it was not copied to the destination path.

SM-80253 Certain security vulnerabilities have been resolved. Thales would like to acknowledge Positive Technologies for responsible disclosure of these vulnerabilities.
SM-80941

Given the following circumstances:

>RTE version 8.11 is installed on a license server machine.

>A license with multiple products (SL or HL) is installed.

>User restrictions are defined. For example:
deny=USER_A@all,product:1
allow=USER_A@all,product:2

>USER_A attempts to consume a license from Product 1. The request is denied.

>Using the same login scope, USER_A then attempts to consume a license from Product 2.

The second attempt would also fail, even though the user is authorized to consume a license from Product 2.

SM-81033

The following issues were resolved:

>When performing an offline license detach, the expiration date field in the H2R file did not contain a value for the year. For example: <tr><td>expiration</td><td><b>Sun Jul 12, 15:59:30 UTC</b></td></tr>

>When using Admin API for .NET: if you called the API "AdminApi.Get" (any scope, element :ExpirationDate), the expiration date information did not contain a value for the year.

SM-81658

Given the following circumstances:

>RTE version 8.11 is installed on a license server machine.

>User restrictions on the license server are set to: deny=all@all

A client attempting to consume a license from the server would get the return status code 40/HASP_REMOTE_COMM_ERR instead of the expected status code 53/USER_ACCESS_DENIED.
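
The outcomes that SM-80941 and SM-81658 describe as expected can be checked against a restriction list with a small model. This is an added example, not Thales code: it assumes rules are evaluated top to bottom, that the first matching rule decides, that an unmatched request is allowed, and that names compare case-insensitively. The function names and the status value 0 for success are part of the example.

```python
# Added example: simplified model of the user restrictions quoted above.
# Assumptions (not vendor code): first matching rule wins, an unmatched
# request is allowed, user and host names compare case-insensitively.
HASP_STATUS_OK = 0
USER_ACCESS_DENIED = 53  # status code named in SM-81658

# Constructed sample input: the two rules from SM-80941.
SAMPLE_RULES = """
deny=USER_A@all,product:1
allow=USER_A@all,product:2
"""


def parse_rules(text):
    """Parse lines such as 'deny=USER_A@all,product:1' into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        action, _, spec = line.partition("=")
        action = action.strip().lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        who, _, scope = spec.partition(",")
        user, _, host = who.strip().partition("@")
        product = None  # None: the rule applies to every product
        if scope.strip():
            key, _, value = scope.partition(":")
            if key.strip().lower() != "product":
                raise ValueError(f"unsupported scope in rule: {line!r}")
            product = int(value)
        rules.append((action, user.strip().lower(),
                      (host.strip() or "all").lower(), product))
    return rules


def _matches(pattern, value):
    return pattern == "all" or pattern == value.lower()


def check_access(rules, user, host, product):
    """Return the status a request should receive; each request is judged
    on its own, so an earlier denial never affects a later request."""
    for action, r_user, r_host, r_product in rules:
        if (_matches(r_user, user) and _matches(r_host, host)
                and r_product in (None, product)):
            return HASP_STATUS_OK if action == "allow" else USER_ACCESS_DENIED
    return HASP_STATUS_OK  # assumed default when no rule matches
```
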

Enhancements in Version 8.11

Reference Description

SM-7201

This release of Sentinel LDK Run-time Environment introduces cloud licensing to serve network license seats to remote machines over the Internet. A remote machine with the required identity information will be able to consume a network seat or detach a license from the license server machine. The license server machine can be hosted on a cloud server either by the software vendor (for all customers) or by the individual customers for users in their organizations.

Issues Resolved in Version 8.11

Reference Description
SM-63276 Allocation of network seats from a remote License Manager with duplicate Features has been optimized.
SM-60133

A guest on Hyper-V was recognized by Admin Control Center as a virtual PC rather than as a Hyper-V guest.

SM-71776 When an update to a 6.x Firmware key contains a large number of Features, a timeout would occur.
SM-73072
SM-73074
"Denial of Service" vulnerabilities were resolved.

Enhancements in Version 7.103

Reference Description

SM-51158

Admin API now supports the use of HTTPS for communication with a remote Admin License Manager.

SM-12702

A local or remote user can now use the "Sentinel Keys Available" page of Admin Control Center (instead of the RUS utility) to generate a fingerprint.

Note: For Linux or Mac (where Admin Control Center is available), only SL AdminMode fingerprints can be generated.

Issues Resolved in Version 7.103

Reference Description

SM-66308

Certain important security issues were resolved. For more information, see the reference to article KB0020564 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Vladimir Dashchenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

Issues Resolved in Version 7.102

Reference Description

SM-26322

Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

SM-62256 Under certain circumstances, it was possible to misuse detached licenses.
SM-64937 When Sentinel EMS was used to create an RTE Installer after the Master Wizard was used multiple times to introduce Vendor keys, the vendor libraries included with the RTE Installer would have an incorrect date.
SM-65371 The GUI-based RTE Installer would display an error screen when a .properties file existed in SysWOW64.

Enhancements in Version 7.101

Reference Description
SM-61960

The Run-time Environment now supports controlling the generation of the License Manager ID files. This is done using the Enable Detaching of Licenses configuration check box in Admin Control Center. When selected, the License Manager generates ID files. When cleared, the License Manager stops generating any new ID files. However, the existing ID files are retained.

By default, the Enable Detaching of Licenses check box is cleared.

Issues Resolved in Version 7.101

Reference Description
SM-62902

Certain important security issues were resolved. For more information, see the reference to article KB0020074 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks the Blizzard Red Team for responsible disclosure of these vulnerabilities.

Enhancements in Version 7.100

Reference Description
SM-47546 The Run-time Environment now supports the ability of the Licensing API to check remaining idle time before a protection key login session is terminated. Checking the remaining idle time does not reset the session.
SM-50812 The Run-time Environment now supports improved protection against the misuse of computer restoration software (such as Deep Freeze).
SM-7269 SM-54601 The Run-time Environment now supports protecting applications that run in a Docker container. The scheme VMType4 is supported for clone protection.

Issues Resolved in Version 7.100

Reference Description
SM-49346 Under certain circumstances, the License Manager would generate a false-positive report of a virtual machine because some components of the Deep Freeze product were present on the machine.
SM-56397

Given the following circumstances:

>A license for a Product is detached from a customer's license server and applied on a different machine.

>In Sentinel EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine.

>The detached license is canceled and returned to the license server.

The number of available seats of the Product on the license server would not reflect that the license had been returned.

SM-57376 In certain situations, an SL license would disappear after system reboot.
SM-56723 When a machine was restored from sleep mode, a USB sharing violation error would occur if a HASP HL key was plugged into a USB HUB with an independent power supply.

Issues Resolved in Version 7.92

Reference Description
SM-50889 SM-50902 SM-50900

Certain important security issues were resolved. For more information, see the reference to article KB0018794 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

As part of the resolution for these issues, Admin Control Center no longer supports importing external language packs (either online or offline). Translated user interface files are included in the RTE installer. The end user now selects the desired language for the interface by clicking the name of the language instead of clicking a country flag image.

Issues Resolved in Version 7.91

Reference Description
SM-43605 Sentinel LDK drivers have been repackaged so that significant Windows 10 operating system upgrades will not impact existing SL AdminMode licenses.
SM-47103

The Vlib search path for Run-time Environment versions 7.0 through 7.81 included the following paths:

>For Windows x64:

%CommonProgramFiles(x86)%\SafeNet Sentinel\Sentinel LDK\

%CommonProgramFiles(x86)%\Aladdin Shared\HASP\

>For Windows x86:

%CommonProgramFiles%\SafeNet Sentinel\Sentinel LDK\

%CommonProgramFiles%\Aladdin Shared\HASP\

Support for the \SafeNet Sentinel\Sentinel LDK\ paths was discontinued in version 7.90.

To reinstate support for vendors who have been placing their Vlib files in the \SafeNet Sentinel\Sentinel LDK\ directory, upon first use, Run-time Environment version 7.91 or later moves the Vlib files from the \SafeNet Sentinel\Sentinel LDK\ directory to the \Aladdin Shared\HASP\ directory.

Enhancements in Version 7.90

Reference Description
SM-17431 The License Manager now supports the use of custom clone protection schemes.
SM-34308

In Admin Control Center, the configuration parameter Allow Remote Access to ACC and Admin API has been split into two independent parameters:

>Allow Remote Access to ACC

>Allow Remote Access to Admin API

This provides more granular control of access from a remote machine. You can now allow or deny access separately for Admin Control Center and for Admin API. (A corresponding split for configuration parameters was implemented in Sentinel Admin API.)

When the License Manager is upgraded to version 7.90, each new parameter is assigned the value that was assigned to the original parameter. As a result, after the upgrade, there is no change in access granted.

Enhancements in Version 7.81

Reference Description
SM-18163

The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:

>Installation of the RTE has succeeded. No restart is required.

>Installation of the RTE cannot complete due to a lock on a required file. The RTE Installer attempts to rename the locked file in the background. If it succeeds, the installation will continue. If the rename attempt fails, the installer returns error 52. At this point, your code can call the new RTE Installer API function haspds_GetLockingProcessList to get the locking process name. You can then release the locked file and restart the RTE Installer.

SM-27901 The revision history of all enhancements implemented and issues resolved for earlier versions of the RTE is now available online at: https://docs.sentinel.thalesgroup.com/ldk/LDKdocs/RTE_History/Default.htm
SM-30222
SM-30886

Several security improvements have been implemented.

Issues Resolved in Version 7.81

Reference Description
SM-28148

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 USB keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

SM-31010 If the client connected using different IPv6 interfaces, the License Manager would sometimes count the sessions on a machine multiple times.

Enhancements in Version 7.80

Reference Description
SM-15321

The Run-time Environment for Linux Intel now provides native support for both 32-bit and 64-bit architectures. You are no longer required to provide 32-bit support libraries (x86 compatibility packages) for the 64-bit architecture.

Be sure to provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer.

Issues Resolved in Version 7.80

Reference Description
SM-12155 If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.
SM-14373 When installing the Run-time Environment in a CentOS 7.x Docker, the message "Unsupported Linux distribution" was generated.
SM-18502 Defining an excessive number of User Restrictions in Admin Control Center would cause the License Manager Service to fail.
SM-19981 hasp_update would return an internal error for an HL Key when the license definition contains empty content in the default memory section.
SM-26543 Under certain circumstances, Sentinel License Manager would crash on the REST interface with long packets.
SM-6477

Given the following circumstances:

>A customer uses SSH to connect to a remote Linux machine.

>On the remote machine, the customer uses multiple tmux sessions to run a protected application.

>hasp_login was called in each session.

A license was consumed for each session.

(If the Feature is defined to count workstations and not sessions, only one license should have been consumed for a single SSH session from the same workstation.)