This document describes installation of the Run-time Environment for Sentinel LDK and Sentinel HASP, using RPM under the supported SUSE, RedHat, or CentOS operating systems.
The following topics are discussed:
>Virtual Environments Supported
>Installing the Run-time Environment
>Uninstalling the Run-time Environment
>Enhancements and Issues Resolved in This Release
>Resuming a Suspended Application
>Upgrading HASP HL Key Firmware
The following Linux Intel (x86_64) and Linux ARM (x86 and x86_64) distributions are supported:
>OpenSUSE Leap 15.1
>Red Hat EL 7.7, 8.1
>CentOS 8.1
The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.
For a list of the virtual environments supported, see "Supported Platforms for End Users" in the Sentinel LDK Release Notes.
The latest Release Notes can be seen at: http://sentinelldk.gemalto.com/LDKdocs/RN
NOTE Given the following circumstances:
>You are installing or upgrading the Run-time Environment on the customer's machine.
>You want a placeholder for new SL keys for the relevant Batch Code to appear at the top of the Sentinel Keys page in Admin Control Center.
Distribute your current custom Vendor library along with the Run-time Environment installer.
CAUTION! If you downgrade the Run-time Environment to a previous version, license storage may become inaccessible. Licenses may be missing, and commands will fail with the HASP_DEVICE_ERR error. To recover, reinstall the latest Run-time Environment, although this may cause some licenses to be marked as "cloned".
To install or upgrade the Run-time Environment for Sentinel LDK or Sentinel HASP
1. To support your application on both 32-bit and 64-bit architectures, ensure that you provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer. These libraries are contained in the following files:
• haspvlib_<vendorID>.so
• haspvlib_x86_64_<vendorID>.so
• haspvlib_armhf_<vendorID>.so
• haspvlib_arm64_<vendorID>.so
2. Disconnect your Sentinel HL key (if any) from the computer.
3. Open a terminal window and navigate to the directory containing the downloaded installation file.
4. As root, enter the following command:
• For 32-bit ARM systems:
New installation: rpm -i aksusbd-8.13.armv7hl.rpm
Upgrade: rpm -U aksusbd-8.13.armv7hl.rpm
• For 64-bit ARM systems:
New installation: rpm -i aksusbd-8.13.aarch64.rpm
Upgrade: rpm -U aksusbd-8.13.aarch64.rpm
• For 64-bit Intel systems:
New installation: rpm -i aksusbd-8.13-1.x86_64.rpm
Upgrade: rpm -U aksusbd-8.13-1.x86_64.rpm
5. Reconnect the Sentinel HL key.
NOTE At this point, for older HASP HL keys, the firmware on the HL key may be automatically upgraded. During the upgrade process, the key will blink continuously. Do not remove the key while it is blinking. If you remove the key too soon, the key may no longer be visible in Admin Control Center. If the key is not visible, or if the upgrade does not occur, refer to "Upgrading HASP HL Key Firmware" below.
For additional information, see the topic “Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.
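The choice between a new installation and an upgrade in step 4, combined with the downgrade caution above, can be checked before running rpm. The following script is an added example, not part of the Thales installer; the function names, the --check switch and the mapping of `uname -m` output "armv7l" to the armv7hl package are assumptions of the example.

```sh
#!/bin/sh
# Added example: pre-flight check for the aksusbd install/upgrade steps.
# RPM file names are the ones listed on this page.
PKG_VERSION="8.13"

# Map a machine architecture (as printed by `uname -m`) to the RPM file.
# Assumption: 32-bit ARM reports "armv7l" and takes the armv7hl package.
select_rpm() {
    case "$1" in
        armv7l|armv7hl) echo "aksusbd-8.13.armv7hl.rpm" ;;
        aarch64)        echo "aksusbd-8.13.aarch64.rpm" ;;
        x86_64)         echo "aksusbd-8.13-1.x86_64.rpm" ;;
        *)              return 1 ;;
    esac
}

# Compare two dotted numeric versions field by field; prints -1, 0 or 1.
ver_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo "-1"; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo "1"; return; fi
    done
    echo "0"
}

# Decide the operation. $1 = installed aksusbd version ("" if not installed).
plan_action() {
    if [ -z "$1" ]; then echo "install"; return; fi
    case "$(ver_cmp "$1" "$PKG_VERSION")" in
        -1) echo "upgrade" ;;
        0)  echo "current" ;;
        *)  echo "refuse-downgrade" ;;  # a downgrade may lose license storage
    esac
}

# With --check: query the RPM database and print the command; changes nothing.
if [ "${1:-}" = "--check" ]; then
    rpm_file=$(select_rpm "$(uname -m)") || { echo "unsupported arch" >&2; exit 1; }
    installed=$(rpm -q --qf '%{VERSION}' aksusbd 2>/dev/null) || installed=""
    case "$(plan_action "$installed")" in
        install) echo "rpm -i $rpm_file" ;;
        upgrade) echo "rpm -U $rpm_file" ;;
        current) echo "aksusbd $installed already installed" ;;
        *) echo "installed $installed is newer than $PKG_VERSION" >&2; exit 1 ;;
    esac
fi
```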
To uninstall the Run-time Environment
>As root, enter the command: rpm -e aksusbd
The Run-time Environment is uninstalled.
NOTE If you ever used -i --force to upgrade the Run-time Environment, you may not be able to uninstall it using the command above. In this situation, do the following:
1. Manually copy the aksusbd daemon to the /etc/init.d/ directory.
2. Use the latest RPM package with the -U option to upgrade the Run-time Environment.
3. Proceed to uninstall the Run-time Environment as described above.
Reference | Description |
---|---|
SM-50563 | Enhancements to clone protection scheme VMType3 are now supported by the Admin License Manager. This scheme now supports the Amazon EC2 cloud computing service in addition to Microsoft Azure. This provides enhanced clone protection for protected applications that execute on these platforms. |
SM-66926 | You can now generate a C2V file for a Master key or Developer key using the Sentinel Keys page in Admin Control Center. |
SM-70231 | Disk serial number is now included in the fingerprint of the end user's machine, regardless of third party driver versions (for example: Intel RAID). |
SM-80982 | Sentinel Run-time Environment now supports the cloud licensing functionality that was added to Sentinel Admin API. Using this new functionality, you can now use Admin API to automate the management of identity clients instead of performing manual operations in Sentinel Admin Control Center. |
SM-81994 | The field "Issued to Client" on the configuration page for client identities has been renamed "Issued to". |
Reference | Description |
---|---|
SM-80253 | Certain security vulnerabilities have been resolved. Thales would like to acknowledge Positive Technologies for responsible disclosure of these vulnerabilities. |
SM-80941 | Given the following circumstances: >RTE version 8.11 is installed on a license server machine. >A license with multiple products (SL or HL) is installed. >User restrictions are defined. For example: >USER_A attempts to consume a license from Product 1. The request is denied. >Using the same login scope, USER_A then attempts to consume a license from Product 2. The second attempt would also fail, even though the user is authorized to consume a license from Product 2. |
SM-81033 | The following issues were resolved: >When performing an offline license detach, the expiration date field in the H2R file did not contain a value for the year. For example: <tr><td>expiration</td><td><b>Sun Jul 12, 15:59:30 UTC</b></td></tr> >When using Admin API for .NET: If you call the API “AdminApi.Get” (any scope, element :ExpirationDate) the expiration date information did not contain a value for the year. |
SM-81658 | Given the following circumstances: >RTE version 8.11 is installed on a license server machine. >User restrictions on the license server are set to: A client attempting to consume a license from the server would get the return status code 40/HASP_REMOTE_COMM_ERR instead of the expected status code 53/USER_ACCESS_DENIED. |
This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.
The revision history for earlier versions of Sentinel Run-time Environment is available at: https://docs.sentinel.gemalto.com/ldk/LDKdocs/RTE_History/Default.htm
Reference | Description |
---|---|
SM-7201 | This release of Sentinel LDK Run-time Environment introduces cloud licensing to serve network license seats to remote machines over the Internet. A remote machine with the required identity information will be able to consume a network seat or detach a license from the license server machine. The license server machine can be hosted on a cloud server either by the software vendor (for all customers) or by the individual customers for users in their organizations. |
Reference | Description |
---|---|
SM-63276 | Allocation of network seats from a remote License Manager with duplicate Features has been optimized. |
SM-71776 | When an update to a 6.x Firmware key contains a large number of Features, a timeout would occur. |
SM-73072 SM-73074 | "Denial of Service" vulnerabilities were resolved. |
Reference | Description |
---|---|
SM-51158 | Admin API now supports the use of HTTPS for communication with a remote Admin License Manager. |
SM-12702 | A local or remote user can now use the "Sentinel Keys Available" page of Admin Control Center (instead of the RUS utility) to generate a fingerprint. Note: For Linux or Mac (where Admin Control Center is available), only SL AdminMode fingerprints can be generated. |
Reference | Description |
---|---|
SM-66308 | Certain important security issues were resolved. For more information, see the reference to article KB0020564 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/ Gemalto acknowledges and thanks Vladimir Dashchenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities. |
Reference | Description |
---|---|
SM-26322 | Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/ Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities. |
SM-62256 | Under certain circumstances, it was possible to misuse detached licenses. |
Reference | Description |
---|---|
SM-61960 | The Run-time Environment now supports controlling the generation of the License Manager ID files. This is done using the Enable Detaching of Licenses configuration check box in Admin Control Center. When selected, the License Manager generates ID files. When cleared, the License Manager stops generating any new ID files. However, the existing ID files are retained. By default, the Enable Detaching of Licenses check box is cleared. |
Reference | Description |
---|---|
SM-47546 | The Run-time Environment now supports the ability of the Licensing API to check remaining idle time before a protection key login session is terminated. Checking the remaining idle time does not reset the session. |
SM-7269 SM-54601 | The Run-time Environment now supports protecting applications that run in a Docker container. The scheme VMType4 is supported for clone protection. |
Reference | Description |
---|---|
SM-56397 | Given the following circumstances: >A license for a Product is detached from a customer's license server and applied on a different machine. >In Sentinel EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine. >The detached license is canceled and returned to the license server. The number of available seats of the Product on the license server would not reflect that the license had been returned. |
SM-57376 | In certain situations, an SL license would disappear after system reboot. |
SM-57569 | Under certain circumstances, the License Manager clock would freeze during hibernation or in stand-by mode. |
Reference | Description |
---|---|
SM-50889 SM-50902 SM-50900 | Certain important security issues were resolved. For more information, see the reference to article KB0018794 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/ Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities. As part of the resolution for these issues, Admin Control Center no longer supports importing external language packs (either online or offline). Translated user interface files are included in the RTE installer. The end user now selects the desired language for the interface by clicking the name of the language instead of clicking a country flag image. |
Reference | Description |
---|---|
SM-17431 | The License Manager now supports the use of custom clone protection schemes. |
SM-34308 | In Admin Control Center, the configuration parameter Allow Remote Access to ACC and Admin API has been split into two independent parameters: >Allow Remote Access to ACC >Allow Remote Access to Admin API This provides more granular control of access from a remote machine. You can now allow or deny access separately for Admin Control Center and for Admin API. (A corresponding split for configuration parameters was implemented in Sentinel Admin API.) When the License Manager is upgraded to version 7.90, each new parameter is assigned the value that was assigned to the original parameter. As a result, after the upgrade, there is no change in access granted. |
SM-40306 | The License Manager and the Licensing API now honor a CPU mask that was set by the user. |
Reference | Description |
---|---|
SM-27901 | The revision history of all enhancements implemented and issues resolved for earlier versions of the RTE is now available online at: https://docs.sentinel.gemalto.com/ldk/home.htm |
SM-30222 SM-30886 | Several security improvements have been implemented. |
Reference | Description |
---|---|
SM-28148 | The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 USB keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later. |
SM-31614 | The License Manager would construct the main board fingerprint incorrectly under certain circumstances. This would result in false reports of clone detection. |
SM-33235 | Under certain circumstances, the method used to access Secure Storage would result in corruption of SL licenses. |
Reference | Description |
---|---|
SM-15321 | The Run-time Environment for Linux Intel now provides native support for both 32-bit and 64-bit architectures. You are no longer required to provide 32-bit support libraries (x86 compatibility packages) for the 64-bit architecture. Be sure to provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer. |
Reference | Description |
---|---|
SM-12155 | If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND. |
SM-14373 | When installing the Run-time Environment in a CentOS 7.x Docker, the message "Unsupported Linux distribution" was generated. |
SM-18502 | Defining an excessive number of User Restrictions in Admin Control Center would cause the License Manager Service to fail. |
SM-19981 | hasp_update would return an internal error for an HL Key when the license definition contains empty content in the default memory section. |
SM-26543 | Under certain circumstances, Sentinel License Manager would crash on the REST interface with long packets. |
SM-6477 | Given the following circumstances: >A customer uses SSH to connect to a remote Linux machine. >On the remote machine, the customer uses multiple tmux sessions to run a protected application. >hasp_login was called in each session. A license was consumed for each session. (If the Feature is defined to count workstations and not sessions, only one license should have been consumed for a single SSH session from the same workstation.) |
The following known issues exist in the Run-time Environment:
Reference | Description |
---|---|
SM-68016 | After you upgrade the Run-time Environment, Admin Control Center might show a dummy key ID for Key type "HASP Placeholder". Workaround: Refresh Admin Control Center. |
140898 | Under the Linux operating system, Sentinel License Manager does not support the IPV6 network protocol. |
If the Sentinel HL key for a running application is disconnected, the application is suspended. When the key is re-attached, the application resumes, but it goes into the background. The application can be brought to the foreground using the shell built-in "fg" from the same terminal from which the application was launched.
To bring a background application to the foreground
1. List your running background jobs using the command "jobs".
2. Choose your job ID.
3. Enter the following command to bring the application to the foreground: fg <%jobId>
The HASP HL Key Firmware has been modified to support future planned security enhancements in Sentinel LDK and Sentinel HASP. Sentinel LDK and Sentinel HASP automatically upgrade the Firmware on HASP HL keys from v.3.21 to the latest version (v.3.25). This occurs:
>when a HASP HL key with v.3.21 Firmware is present on a computer where the Run-time Environment is being updated to v.1.14 or later.
>when a customer connects a HASP HL key with v.3.21 Firmware to a computer where the Run-time Environment v.1.14 or later has been previously installed.
(You can determine the Firmware version of your HL key by viewing the key on the Sentinel Keys page of the Admin Control Center.)
For HL keys with Firmware earlier than v.3.21, the upgrade does not occur automatically. Customers can upgrade the Firmware to v.3.25 by applying the Firmware Update V2C provided on the Sentinel HASP or Sentinel LDK Installation DVD v.5.0 and later.
During the Firmware upgrade, the relevant key will start to blink. Do not remove the key while it is blinking. If you remove the key too soon, the key may no longer be visible in Admin Control Center.
NOTE In the event the key is no longer visible using the Linux Run-time Environment, do the following on a Windows computer:
1. Install the Run-time Environment using the enclosed installer script.
2. Connect the HL key.
3. Run the application FirmwareUpdate.exe, located on the Installation Drive in \Windows\Installed\Redistribute\Firmware Update\HASP HL\.
The HL key is upgraded to v.3.25 Firmware and will now be visible in the Linux Admin Control Center.
Copyright © 2020 Thales Group. All rights reserved.