Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Clarification regarding dongle battery

Anchor
TOC
TOC
Include Page
KBCOMMON:KB-CSSstyle
KBCOMMON:KB-CSSstyle

...

This page provides an overview of the basic steps to set up the licensing environment for a system running Charon-PAR for Linux using either Sentinel HASP licensing, or Virtual Environment (VE) licensing.

Table of Contents

...

General Licensing Aspects

Ccreating Creating and updating a license prior and during the operation of Charon emulators involves the following basic steps:

...

  • Upgrading to this Charon-PAR from an older version requires a license update. Please contact your VAR or Stromasys representative to plan the update.
  • Applicable to HASP licensing only: Charon-PAR version 3.0.0 and higher is incompatible with licenses of earlier versions. Earlier product versions are incompatible with licenses for Charon-PAR 3.0.0 and higher. Charon-PAR licenses of version 2.1.0 are not compatible with emulators running Charon-PAR version 2.0.0.

...

In some emulator products it is possible to configure the number of retries and the waiting time between them by adding parameters to the emulator configuration file. Please refer to the product documentation for the details regarding the relevant parameters: license_retry_period and license_retry_count parameters (obsolete starting with version 1.10)

2. At regular intervals during the runtime of the emulator (the default license check period of 1 hour can be changed by Stromasys using the appropriate license parameters):

...

  • Hardware dongles require the Sentinel HASP run-time (driver) installation before the dongle can be connected to and used by the system.
  • Hardware dongles (with the exception of , apart from HL-MAX dongles) , are equipped with a battery and a clock, which makes them independent of the host clock. To keep the battery charged, the dongle should occasionally be The battery is not rechargeable. However, the dongle can use the power provided by the host system while it is plugged in. By doing this, the depletion of the battery can be slowed down. Check the dongle at regular intervals if it is not permanently connected to a system even if it is not currently needed. If the battery becomes completely depleted, the dongle will be permanently unusable and must be replaced. See also: How long does the license USB dongle battery last upon a full charge.

Software License

A software license is a "virtual" key with functionality very similar to a HASP network-enabled hardware dongle.

A software license does not require any special hardware but it still requires installation of the Sentinel runtime environment

Please note:

  • To avoid unexpected problems, do not use any Sentinel runtime software that was not provided by Stromasys without being advised to do so by your Stromasys representative.
  • Software licenses are best suited for stable environments, because their correct function depends on certain characteristics of the host system. Changing any of these characteristics will invalidate the license.
    • If the Charon host runs on real hardware, software licenses are by default tightly bound to the hardware for which they were issued. If major hardware characteristics of the system are changed, the license will be disabled.
    • If the Charon host runs in a virtual environment (e.g., VMware), software licenses are normally bound to the virtual machine ID and a set of additional characteristics of the virtual machine. If any of these parameters are changed, the license will be disabled.
  • Software licenses are very sensitive to even small changes on the host system. Therefore, it is especially important to provide for a backup license that will ensure continued operation should there be a problem with the software license. See Handling Multiple License Keys and Product Licenses for details.

For a more detailed description of the restrictions, please refer to HASP Software Licensing restrictions or contact your Stromasys representative.

...

The Sentinel ACC on the local system is accessed by starting a web-browser and pointing it to the URL: http://localhost:1947.

...

Sentinel Admin Control Center (ACC) Security Settings

...

The menu options ProductsFeatures and Sessions on the left-hand side provide the same information as the buttons. However, they show the information for all licenses.

...

classpagebreak

Viewing Viewing a License with hasp_srm_view

...

After installing a license on the system, verify the availability of the license as described in the section View Existing Licenses.

Check if the license shows the correct product, expiration date etc.

...

To identify the relevant key IDs, display the available licenses as described in section View Existing Licenses.

To get information about modifying the Charon configuration files, refer to the appropriate sections in the user's guide.

Div
classpagebreak

...


Prioritizing Licenses - Charon-PAR Version 1.10 and Higher

Prioritized List of License Keys

...

To identify the relevant key IDs, display the available licenses as described in section View Existing Licenses.

To get information about modifying the Charon configuration files, refer to the appropriate sections in the user's guide.

...

To identify the relevant product license IDs, display the available licenses as described in section View Existing Licenses.

To get information about modifying the Charon configuration files, refer to the appropriate sections in the user's guide.

...

  • If you have not installed the license server yet (and for any more in-depth information), please refer to the VE license server user's guide (see Licensing Documentation).

  • The information below shows the command-line tools for license management. Starting with version 1.1.16 of the VE license server, these activities can also be performed using a web-based management GUI. Please refer to the appropriate VE license server user's guide (see chapter VE License Server Web-based Management GUI in the VE license server documentation under Licensing Documentation).

Firewall Considerations

Excerpt
nameVEFWconsiderations

If the VE license server is not installed on the same system as the emulator, any intermediate firewall must allow at least the port on which the license is served. Optionally, the firewalls must allow the port on which the web-based GUI is available. These ports are configurable on the VE license server. The default values are the following:

  • Default port on which licenses are served by the VE license server: TCP 8083.
  • Default port on which the web-based GUI runs: TCP 8084.

Creating a C2V File on a VE License Server

Running esxi_bind before First C2V Creation on VMware

The esxi_bind command sets up the necessary communication connection between the VE license server and the ESXi host / the vCenter server.

It must be run on the license server (and the backup license server, if applicable)

  • once before the first license is requested,

  • and again, should the user for the access to the ESXi host / the vCenter server change.

Perform the following steps:

  1. Use ssh to log in on the license server instance.
    # ssh <user>@<license-server-ip>
    where

    1. <user> is the user for interactive login associated with your license server system

    2. <license-server-ip> the ip address of your license server system

  2. Become the privileged user and run the esxi_bind program.

    1. Become the root user: # sudo -i

    2. Run the c2v program: # /opt/license-server/esxi_bind -a <address> -u <username> -p <password>
      where

      1. <address> is the IP address of the ESXi host or vCenter server

      2. <username> is a user with administrative rights on the ESXi host or vCenter server

      3. <password> is the password of the administrative user

  3. If the command is successful, it will create the file /opt/license-server/config.ini containing the connection data (the password is encrypted).

...

classpagebreak

Creating a VE C2V File

The fingerprint is collected on the license server using the c2v utility.

Perform the following steps to collect the fingerprint on the license server and (if applicable) the backup license server:

  1. Use ssh to log in on the license server instance.
    # ssh -i ~/.ssh/<mykey> <user>@<license-server-ip>
    where

    1. <mykey> is the private key of the key-pair you associated with your cloud instance
      (for an on-premises VMware installation where login with username/password is allowed, it is not needed)

    2. <user> is the user for interactive login associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine or physical server; for an instance installed from a prepackaged Charon VE marketplace image, use sshuser)

    3. <license-server-ip> is the ip address of your license server system

  2. Become the privileged user and run the c2v program.

    1. Become the root user: # sudo -i

    2. Run the c2v program: # /opt/license-server/c2v --filename <my-file>.c2v --platform <my-platform>
      where

      1. <my-file>.c2v is the path and name under which you want to store the fingerprint. The file type is C2V (customer-to-vendor)

      2. <my-platform> indicates the platform on which the license server runs (possible values: physical, aws, oci, gcp, azure, ibm, nutanix, or esxi).

  3. Copy the resulting C2V file to your local system (unless you can send email from the license server system).

...

classpagebreak

Installing a VE V2C File on a VE License Server

The license data is installed on the license server using the v2c utility.

Perform the following steps to install the license on the license server:

  1. Copy the V2C file to the license server (e.g., with SFTP).

  2. Use ssh to log in on the license server instance.
    # ssh -i ~/.ssh/<mykey> <user>@<license-server-ip>
    where

    1. <mykey> is the private key of the key-pair you associated with your license server instance
      (for an on-premises VMware installation where login with username/password is allowed, it is not needed)

    2. <user> is the user for interactive login associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine or your physical server; for an instance installed from a prepackaged Charon VE marketplace image, use sshuser)

    3. <license-server-ip> is the ip address of your license server system

  3. Become the privileged user and run the v2c program.

    1. Become the root user: # sudo -i

    2. Run the v2c program: # /opt/license-server/v2c -f <my-file>.v2c
      where <my-file>.v2c is the path and name under which you want to store the fingerprint. The file type is V2C (vendor-to-customer).

After the installation of the V2C file, the license server will be restarted.

Viewing the License on a VE License Server

...

VE Licensing Certificates Overview

This section applies to Charon-PAR version 3.0.11 and later.

This section provides a short overview of the certificates used by the VE license server and Charon-PAR. Please refer to the VE license server documentation for details.

The VE license server uses certificates for different purposes:

  • License server operation: encrypted communication between license server and license clients (emulators).

    • New certificate support in the VE license server started with version 2.1.3. Changed certificate names starting with VE license server 2.2.2.

    • New certificate support for Charon-PAR started with version 3.0.11.

  • Web-based management GUI: encrypted (HTTPS) communication between the integrated license server web server and web browsers. Starting with VE license server version 2.1.4, the name of the certificate and its management changed. Please refer to the VE license server documentation.

Important information:

  • General VE license server configuration:

    • The VE license server will – by default – use the old certificates. Therefore, compatibility with existing Charon clients will be maintained during an upgrade of the license server.

    • If the new certificates (using pre-defined names) are present in /opt/license-server/certs, these will be used and clients will have to use matching certificates. Please refer to the VE license server documentation for information how to activate the new certificates and, if desired, create custom certificates.

  • Checking if the new certificates are enabled in a Charon-PAR installation:

    • Certificate location: /opt/charon/bin/certs

    • Sample certificate names: ca.crt.sample, charon.crt.sample, and charon.key.sample

    • If the directory contains the above files without the .sample suffix (e.g., ca.crt, charon.crt, charon.key), the new certificates have been enabled. On the license server, the sample files (for root CA and license server) are in /opt/license_server/certs. Please see the VE License Server guide in License Documentation for more information.

  • Make sure you understand the implications and possible side-effects before changing the certificate configuration. Incorrect configurations can lead to the loss of license access and interruptions in operation.

Firewall Considerations

Excerpt
nameVEFWconsiderations

If the VE license server is not installed on the same system as the emulator, any intermediate firewall must allow at least the port on which the license is served. Optionally, the firewalls must allow the port on which the web-based GUI is available. These ports are configurable on the VE license server. The default values are the following:

  • Default port on which licenses are served by the VE license server: TCP 8083.
  • Default port on which the web-based GUI runs: TCP 8084.


Div
classpagebreak


Creating a C2V File on a VE License Server

Running esxi_bind before First C2V Creation on VMware

Insert excerpt
PDC:__Include: Installing a License on the VE License Server
PDC:__Include: Installing a License on the VE License Server
nameVEesxi_bind
nopaneltrue

Div
classpagebreak


Creating a VE C2V File and Sending it to Stromasys

The fingerprint is collected on the license server using the c2v utility.

Perform the following steps to collect the fingerprint on the license server and (if applicable) the backup license server:

  1. Use ssh to log in on the license server instance.
    # ssh -i ~/.ssh/<mykey> <user>@<license-server-ip>
    where

    1. <mykey> is the private key of the key-pair you associated with your cloud instance
      (for an on-premises VMware installation where login with username/password is allowed, it is not needed)

    2. <user> is the user for interactive login associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine or physical server; for an instance installed from a prepackaged Charon VE marketplace image, use sshuser)

    3. <license-server-ip> is the ip address of your license server system

  2. Become the privileged user and run the c2v program.

    1. Become the root user: # sudo -i

    2. Run the c2v program: # /opt/license-server/c2v --filename <my-file>.c2v --platform <my-platform>
      where

      1. <my-file>.c2v is the path and name under which you want to store the fingerprint. The file type is C2V (customer-to-vendor)

      2. <my-platform> indicates the platform on which the license server runs (possible values: physical, aws, oci, gcp, azure, ibm, nutanix, or esxi).

  3. Copy the resulting C2V file to your local system (unless you can send email from the license server system).

  4. Send the C2V file to the Stromasys orders department (email address will be provided by Stromasys).
Div
classpagebreak


Installing a VE V2C File on a VE License Server

In response to the C2V file, Stromasys will send you a V2C file. This file contains the license data and is installed on the license server using the v2c utility.

Perform the following steps to install the license on the license server:

  1. Copy the V2C file to the license server (e.g., with SFTP).

  2. Use ssh to log in on the license server instance.
    # ssh -i ~/.ssh/<mykey> <user>@<license-server-ip>
    where

    1. <mykey> is the private key of the key-pair you associated with your license server instance
      (for an on-premises VMware installation where login with username/password is allowed, it is not needed)

    2. <user> is the user for interactive login associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine or your physical server; for an instance installed from a prepackaged Charon VE marketplace image, use sshuser)

    3. <license-server-ip> is the ip address of your license server system

  3. Become the privileged user and run the license_viewer v2c program.

    1. Become the root user: # sudo -i

    2. Run the license_viewer v2c program: # /opt/license-server/license_viewer

Charon-PAR Emulator License Configuration

The license server must be added to the Charon-PAR emulator configuration. Please refer to the section Initial Emulator License Configuration.

Updating an Existing License

If you need to update an existing license, for example because the time limit on the license has expired or to upgrade to a new product versions, perform the following tasks:

  1. Generate the C2V file for the existing license. This Customer-to-Vendor (C2V) file contains the license characteristics necessary for creating the license update.
  2. Send the C2V file to Stromasys. Stromasys will use the data to create the necessary license update. You will receive a V2C file (the Vendor-to-Customer file).
  3. Apply the license data from the V2C file(s) on the license server. This will install and activate the update for your license.

...

classpagebreak

License Troubleshooting

The most important tool for identifying a license problem are the log files of the Charon emulator, the VE license server, and the Linux system. Always check them first in case of a problem.

Log Files for License Troubleshooting

Charon-SSP emulator log file location:

The default location of the emulator log files is the directory in which the emulator was started.

Please note: the path of the log emulator log files can be configured by the user to a non-default value.

VE license server log file location:

The path to the VE license server log on the license server is /opt/license-server/log/license.log.

The path to the VE integrated web server is /opt/license-server/log/webserver.log.

Linux system log:

The Linux logs can be viewed with the journalctl program. Examples:

  • Identify VE license server entries (newest first): journalctl -r -t license_server

  • Identify HASP runtime daemon entries (newest first): journalctl -r -t aksusbd

System Processes for Licensing

Correct license operation requires the corresponding system process:

...

HASP licenses: the aksusbd service must run. You can check the status with
# systemctl status aksusbd

...

    1. v2c -f <my-file>.v2c
      where <my-file>.v2c is the path and name under which you want to store the fingerprint. The file type is V2C (vendor-to-customer).

After the installation of the V2C file, the license server will be restarted.

Viewing the License on a VE License Server

The license data can be viewed via the web-based GUI of the VE license server (see Licensing Documentation). It can also be viewed with the license_viewer program using the following steps:

  1. Use ssh to log in on the license server instance.
    # ssh -i ~/.ssh/<mykey> <user>@<license-server-ip>
    where

    1. <mykey> is the private key of the key-pair you associated with your license server instance
      (for an on-premises VMware installation where login with username/password is allowed, it is not needed)

    2. <user> is the user for interactive login associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine or your physical server; for an instance installed from a prepackaged Charon VE marketplace image, use sshuser)

    3. <license-server-ip> is the ip address of your license server system

  2. Become the privileged user and run the license_viewer program.

    1. Become the root user: # sudo -i

    2. Run the license_viewer program: # /opt/license-server/license_viewer

Charon-PAR Emulator License Configuration

The license server must be added to the Charon-PAR emulator configuration. Please refer to the section Initial Emulator License Configuration.

Updating an Existing License

If you need to update an existing license, for example because the time limit on the license has expired or to upgrade to a new product versions, perform the following tasks:

  1. Generate the C2V file for the existing license. This Customer-to-Vendor (C2V) file contains the license characteristics necessary for creating the license update.
  2. Send the C2V file to Stromasys. Stromasys will use the data to create the necessary license update. You will receive a V2C file (the Vendor-to-Customer file).
  3. Apply the license data from the V2C file(s) on the license server. This will install and activate the update for your license.
Div
classpagebreak


License Troubleshooting

The most important tool for identifying a license problem are the log files of the Charon emulator, the VE license server, and the Linux system. Always check them first in case of a problem.

Log Files for License Troubleshooting

Charon emulator log file location:

The default location of the emulator log files is the directory in which the emulator was started.

Please note: the path of the log emulator log files can be configured by the user to a non-default value.


VE license server log file location:

The path to the VE license server log on the license server is /opt/license-server/log/license.log.

The path to the VE integrated web server is /opt/license-server/log/webserver.log.


Linux system log:

The Linux logs can be viewed with the journalctl program. Examples:

  • Identify VE license server entries (newest first): journalctl -r -t license_server

  • Identify HASP runtime daemon entries (newest first): journalctl -r -t aksusbd

System Processes for Licensing

Correct license operation requires the corresponding system processes.

Sentinel HASP System processes

HASP licenses require the aksusbd process and the hasplmd process. In aksusbd version 7.63, both processes are started and stopped by the same service (/etc/init.d/aksusbd). In aksusbd version 8.13, there are two systemd services:

  • the aksusbd service
  • the hasplmd service

Checking the status of the services:

# systemctl status aksusbd
# systemctl status hasplmd

Starting and stopping the services:

  • The two services have a dependency such that starting one of them will start the other, stopping one of them will stop the other, and restarting one of them will restart the other.
  • Starting the services:
    # systemctl start aksusbd
    # systemctl start hasplmd
  • Stopping the services:
    # systemctl stop aksusbd
    # systemctl stop hasplmd
Div
classpagebreak


VE License Server Process

VE licensing requires that the licensed service must run on the license server.

...

Checking the status

...

of the service:

# systemctl status

...

licensed

Starting and stopping the service:

  • Starting the service:
    # systemctl start licensed
  • Stopping the service:
    # systemctl stop licensed

Further Information

Sentinel HASP licenses:

...