Contents

VE License Server - Prerequisites 

The use of a Charon VE License Server has a number of prerequisites:

1. The VE license server itself
   1. VE license server package
   2. A suitable Linux instance to be used as the VE license server. This instance must run
      
      1. in a supported cloud environment,
      2. in a supported VMware environment, or
      3. on a supported physical server.
2. Correct firewall settings
3. The VE-capable Charon emulator software
   1. For general VE mode: must run on a Charon host with appropriate network access to the VE license server (see restrictions for VMware environments in the section Charon VE-Capable Emulator and Management Software below).
   2. For AutoVE mode: a Charon instance launched from a compatible Automatic Licensing marketplace image. AutoVE server and clients must be in the same cloud environment. Please note that the AutoVE definitions must be added before the first launch of such an instance.
      

These requirements are described in more detail below.

VE License Server Package

The Charon VE License Server package is delivered as an RPM package. Stromasys or your Stromasys VAR will provide you with the software or a download link. If an instance is created based on a Stromasys-provided emulator marketplace images, the installation kit is in the /charon/storage directory.

The packaging is different based on the VE license server version:

• VE license server version 2.2.3 and older: license-server-<version>.rpm
RPM package for installation on a supported Linux system.
• VE license server version 2.2.4 and higher: license-server-<version>.rpm.sh
  Self-extracting archive containing the end-user license agreement (EULA) and the RPM package.

In both cases <version> indicates the version of the software, for example, 2.2.1

Linux Instance for the License Server

The license server package must be installed on a supported Linux instance. This instance can run in a supported cloud, in a supported VMware environment, or on a physical host. It is recommended to run the VE license server on a dedicated system to avoid license invalidation caused by changes to the system which are more likely to occur on a system used for other purposes as well, for example, to run a Charon emulator. It is also recommended to install a backup license server to ensure continued operation in case of a failure or invalidation of the primary license.

Currently Supported Cloud Providers

At the time of writing, the following cloud providers are supported by the VE license server:

• Amazon AWS
• Oracle Cloud Infrastructure (OCI)
• Microsoft Azure
• Google Cloud Platform (GCP)
• IBM cloud
• Nutanix AHV

Please refer to your cloud provider's documentation for configuring and launching an appropriate instance. A description of the basic steps of launching a cloud instance can be found in Additional Information and the cloud-specific Getting Started guides on the Charon-SSP documentation pages.

Depending on the cloud environment, Stromasys may offer prepackaged Charon VE images on selected cloud marketplaces. Such images include the Charon VE-enabled emulator software (already installed) and the VE License Server RPM package (can be installed optionally). An instance launched from a prepackaged image can also be used as a VE license server. Newer versions of Charon-SSP AL marketplace images also contain the VE License Server RPM that can be installed optionally.

Currently Supported VMware Platforms and Requirements

Below are the VMware Platforms supported by the VE license server at the time of writing, and the associated requirements:

Requirements for direct ESXi host binding

• The VE license server must run in one of the VMs on the ESXi server.
• Any Charon emulator using the VE license server must run either on the same VM as the VE license server or on a VM running on the same ESXi host.
• ESXi/vSphere version 6.5 and above.
• Valid license that supports the vSphere API feature (the free license does not support this feature). Otherwise the license server fails to start with one of the following messages
  • Older license server versions: Failed to detect ESXi/vCenter Server
  • Newer license server versions: Current license or ESXi version prohibits execution of the requested operation
• Ports 443 (TCP) and 902 (TCP, UDP) on the ESXi system must be accessible to the VE license server host.
• 100 MB of free disk space on the ESXi server to be used by the VE license server host.
• User and password on the ESXi/vSphere host used for the binding between license server and ESXi/vSphere host.

The user used in the esxi_bind command must have at least the following permissions that are assigned via a custom role definition (please note that the permission paths/names can be slightly different depending on the vSphere version). The permissions must not be limited to a specific VM - they must be global:

• Datastore > Allocate Space
• VirtualMachine > Config > AddNewDisk
• VirtualMachine > Config > RemoveDisk

Requirements for vCenter Server binding

• The VE license server must run in a VM on one of the ESXi systems managed by the vCenter Server.
• Any Charon emulator using the VE license server must run either on the same VM as the VE license server or on a VM on an ESXi host managed by the same vCenter Server.
• vCenter Server version 6.5 and above.
• Valid license that supports the vSphere API feature. Otherwise the license server fails to start with the message
  Failed to detect ESXi/vCenter Server.
• Ports 443 (TCP) and 902 (TCP, UDP) on the vCenter system must be accessible to the VE license server host.
• 100 MB of free disk space on the vCenter Server to be used by the VE license server host.
• User and password on the vCenter Server used for the binding between license server and vCenter Server.

The user used in the esxi_bind command must have at least the following permissions that are assigned via a custom role definition (please note that the permission paths/names can be slightly different depending on the vSphere version). The permissions must not be limited to a specific VM - they must be global:

• Datastore > Allocate Space
• VirtualMachine > Config > AddNewDisk
• VirtualMachine > Config > RemoveDisk

Please note: vMotion for the virtual machine running the VE license server can only be used if the license server binds to the vCenter Server. The target system must be managed by the same vCenter Server.

The VE license server for VMware environments has also been tested successfully in a Google GCVE (Google Cloud VMware Engine) environment. Please contact Stromasys to discuss your requirements if you need this product combination.

Currently Supported Physical Servers

At the time of writing, the following physical platforms are supported by the VE license server:

• Modern Intel x86 or AMD platform with sufficient resources for the required Linux operating system

Linux Host Requirements for the VE License Server

The Linux system on which the VE license server runs must fulfill the requirements described below.

Please note: the VE license server software can run on the same system as the Charon emulator. However, using a dedicated system with stable hardware and software configuration as the VE license server is the recommended configuration. This will reduce the risk of invalidating the license by a non-supported hardware or software change. Please see Operational Information and Logging for more information about such changes and also about the operation of a backup license server to ensure continued operation of critical applications.

Linux Host Hardware and Software Requirements

Operating System Requirements for the VE License Server

• Red Hat, CentOS, or Oracle Linux (64-bit) versions 7.x or 8.x
• Rocky Linux 8.x
• Red Hat, Oracle Linux, and Rocky Linux 9.x
• Support for Amazon Linux 2023 is planned to start with VE license server version 2.4.1.

Only 64-bit operating systems are supported.

Other Software Requirements for the VE License Server

Please note the following additional requirements:

• The Btrfs file system is not supported as a root file system for a VE license server.
• To unpack the shell archive containing the installation kit, the following utilities are required: gzip, md5sum, cksum, gpg, tar, and openssl 

Hardware Requirements for the VE license server

Dedicated System for the License Server (recommended)

If the system is dedicated to running the license server, its hardware configuration must satisfy the requirements of the selected Linux operating system.

License Server Combined with Charon Emulator Software (not recommended)

If the license server is combined with the Charon emulator software on the same instance, the instance used must satisfy the requirements of the Charon emulator host and all instances that will run on it. Please refer to your product-specific documentation for more information:

• For Charon-SSP, refer to the Charon-SSP user's guide of your emulator version for details (see Charon-SSP for Linux).
• For Charon-PAR, refer to the Charon-PAR user's guide of your emulator version for details (see Charon-PAR documentation).
• For Charon-AXP/VAX, refer to the user's guides for Charon-AXP or Charon-VAX.

Please note, that a dedicated license server system is the recommended configuration.

Additional Linux Host Requirements for AWS cloud

VE License Server Installation on Amazon Linux 2023

Only for VE license server 2.4.1 and higher (older versions are not supported to be run on Amazon Linux).

By default, Amazon Linux only installs a minimal gnupg package. This is not sufficient to unpack the VE license server kits archive. An attempt to unpack the archive will result in the error gpg: uncompressing failed: Unknown compression algorithm. To swap the minimal for the full package, use the following command:

# dnf swap gnupg2-minimal gnupg2-full

VE license server versions earlier than 1.1.23 only - IAM role requirement

In the AWS cloud, an IAM role allowing the ListUsers action (IAMReadOnlyAccess in the example below) must be attached to the VE license server instance. This can be done during the launch of the instance as shown in the sample below.

Alternatively, the role can be set/changed by selecting the instance, right-clicking on it, and selecting Security > Modify IAM Role (in the older AWS console, use the Action menu). If such a role has not yet been defined, please refer to Creating and Attaching an AWS IAM Role (versions < 1.1.23 only) and to the documentation provided by AWS for additional information.

Additional Linux Host Requirements for IBM cloud

For the VE license server to work properly in the IBM cloud, an API key must be created and installed. Please refer to Creating and Installing an IBM API Key.

Firewall Considerations

Communication Between License Server and Client Systems

Any intermediate firewall as well as the cloud-specific subnet and instance security settings must permit the necessary ports for the appropriate source systems:

• Basic license operation
  The TCP port that is used by the license client to access the license must be permitted on the license server, and by any intermediate firewall.
  Default: TCP/8083; an alternative port can be configured in /opt/license-server/config.ini.
• Access to license server web interface
  • The TCP port used by remote systems to web-based management interface must be permitted on the license server, and by any intermediate firewall.
    Default: TCP/8084; an alternative port can be configured in /opt/license-server/config.ini.
  • TCP port 80 must be available to the license server to redirect HTTP requests to HTTPS. For remote connections, the port must also be permitted through intermediate firewalls. Starting with version 1.1.25, redirection (and thereby use of TCP port 80) can be enabled or disabled in /opt/license-server/config.ini.
  • Important: at the time of writing, the web-server component of the license server applications will not start if a port required by the web server is already used by another application. This will also prevent the licensing component from starting.

See Additional Configuration Options - the config.ini File.

See Cloud-Specific Firewall Information for an overview about the traffic filtering mechanisms used in the different cloud environments.

Simplified sample commands if firewalld is used on the Linux system:

# firewall-cmd --permanent --zone=public --add-port=8084/tcp

# firewall-cmd --permanent --zone=public --add-port=80/tcp

# firewall-cmd --permanent --zone=public --add-port=8083/tcp

# firewall-cmd --reload

• The default zone name can be found with the command firewall-cmd --get-default-zone, a list of all zones can be displayed with the command firewall-cmd --get-zones.
• The parameter --permanent writes the command to the respective firewalld configuration files. To add the command to the running firewall, re-run it without the parameter --permanent.
• The simplified sample above does not limit the source IP address to the addresses of the license clients. This would require a more sophisticated configuration. Please refer to the documentation of your Linux system.

Communication between Primary and Backup AutoVE License Servers

When AutoVE mode is used, the primary and backup license servers can synchronize their database of registered clients. The TCP port for this synchronization must be permitted on both servers. Default: TCP/8085; an alternative port can be configured in /opt/license-server/config.ini.

Communication Between License Server and Cloud Infrastructure

The license server must be able to access information provided by the cloud infrastructure. In particular, it must be able to communicate with the following addresses/systems:

• The metadata server of the cloud environment (169.254.169.254) on AWS, Azure, OCI, and GCP
• If running a VE license server version before 1.1.23 on AWS, the host iam.amazonaws.com
• If running on GCP there are the following additional requirements:
  • Access to the host www.googleapis.com.
  • Service account and role assigned to the instance that allow access to the API and metadata server.
    This is normally provided by the Compute Engine default service account and the Default access scope in the Identity and API access section. Do not change the default assignment unless know how to assign the required permissions in a custom configuration. If the permissions are not correct, the fingerprint creation will fail with Failed to retrieve instance document.
• If running on the IBM cloud, the hosts iam.cloud.ibm.com and resource-controller.cloud.ibm.com

Any intermediate firewall as well as the cloud-specific subnet and instance security settings must permit communication with these systems for the VE license server to function properly. See Cloud-Specific Firewall Information for an overview about the mechanisms used in the different cloud environments, and your Linux firewall documentation for any Linux specific questions. The license server system must have an appropriate DNS configuration to look up the IP addresses of the hostnames listed above.

Communication Between License Server and ESXi Host / vCenter Server

The license server must be able to access the following ports on the ESXi host or vCenter Server it binds to: ports 443 (TCP) and 902 (TCP and UDP).

Charon VE-Capable Emulator and Management Software

The VE license server software requires matching Charon emulator software.

Please note:

• The requirements are different for the two modes of a VE license server (general VE or AutoVE). They are described below.
• The protocol versions used by the emulator software and the license server must be compatible. The software checks for compatible protocol versions and reports an error should there be a mismatch.
• The Charon VE-capable emulator software can run on the same system as the license server or on a separate system with appropriate network access to the VE License Server. However, there are restrictions in a VMware environment.
• Restrictions for VMware environments:
  • If the license server binds to the ESXi host on which the license server VM runs, any Charon emulator using the VE license server must run either on the same VM as the VE license server or on a VM running on the same ESXi host.
  • If the license server binds to the vCenter Server that manages the ESXi host on which the license server VM runs, any Charon emulator using the VE license server must run either on the same VM as the VE license server or on a VM on an ESXi host managed by the same vCenter Server.

Charon Emulator Packages for VE Licenses (General VE Mode)

The VE licenses are supported by the following products:

• Charon-SSP 4.2.x and later
• Charon-PAR 3.0.6 and later
• Charon-AXP/VAX planned for version 4.12 (Linux versions only)

Stromasys or your Stromasys VAR will provide you with the software or a download link. In certain cloud environments, Stromasys may offer prepackaged Charon VE images on selected cloud marketplaces. If you use a Charon host in the cloud and the instance was launched from such a prepackaged image, the required VE-capable emulator software is already installed (refer to the respective cloud-specific Getting Started Guide for more information).

For detailed information about the relevant installation packages, please refer to the product documentation specific to your emulator product and version:

• For Charon-SSP, refer to the Charon-SSP user's guide of your emulator version for details (see Charon-SSP for Linux).
• For Charon-PAR, refer to the Charon-PAR user's guide of your emulator version for details (see Charon-PAR documentation).
• For Charon-AXP/VAX, refer to the user's guides for Charon-AXP or Charon-VAX.

Charon Automatic Licensing Marketplace Images (AutoVE Mode)

If the VE license server is used in AutoVE mode, the license client must be an instance launched from a compatible marketplace Automatic Licensing image. At the time of writing AutoVE was only supported by Charon-SSP AL marketplace images. For up-to-date availability information, please contact your Stromasys representative.

• The AutoVE license server must be defined for the instance before first launch (see Configuring AutoVE Information on the Charon AL Host).
• This support was added in Charon-SSP version 5.3.8 and later images in selected clouds.

VE License Server - Installation

If you are not familiar with the installation of RPM packages, please refer to the general Charon user's guide of your product, or your Linux system documentation.

Please note:

• In versions before 1.0.17, the license server will not start automatically after the initial installation. It will be started once a valid license has been installed (see Installing a License on the VE License Server).
• When upgrading to version 1.0.24 or above from an older version of the license server, a license update is required due to a change in the license schema.
• If you plan to use a primary and a backup license server, the license server software must be installed on both systems.

VE License Server Installation Steps

In the description below, the placeholders used have the following meaning:

• <mykey> is the private key of the key-pair you associated with your cloud instance
  (for an on-premises VMware installation or an installation on a physical system where logging in with username/password is allowed, this is not needed).
• <user> is the user associated with your license server instance (e.g., opc on OCI, centos for a CentOS instance on AWS, or the custom user on your VMware virtual machine;
  for an instance installed from a Stromasys-provided Charon AL or VE emulator marketplace image, use user charon for SFTP and user sshuser for interactive login.
• <linux-ip> is the ip address of your license server system.
  

Please note: if an instance was installed from a prepackaged Charon emulator marketplace image, the installation package is already stored in /charon/storage. Please check, if there are newer versions available that would be preferable for your environment.

Perform the following steps to install the VE License Server software:

1. Copy the license server software package to the license server host (if needed):
   
   1. For example, use sftp to connect to the VE license server system.
      # sftp -i ~/.ssh/<mykey>  <user>@<linux-ip>
   2. Copy the software package to the license server system using the following SFTP command:
      > put <local-path-to-license-server-package>


2. Use ssh to log in on the license server host.
   # ssh-i ~/.ssh/<mykey> <user>@<linux-ip>
   
   
3. As a privileged user (root) go to the directory where you stored the installation package and install the package:
   1. Become the root user: # sudo -i
   2. Go to the package location:  # cd <path-to-package-directory>
If you used SFTP to copy the package to an instance installed from a prepackaged Charon marketplace image, the home directory of the charon user and the default location for file transfers is /charon/storage.
   3. For VE license server 2.2.4 and above, unpack the archive and agree to the end-user license agreement:
      
      1. # sh ./license-server-<version>.rpm.sh
         This will display the EULA. After agreeing to it, for version 2.2.4, the RPM installation package will be unpacked in the current directory. For version 2.2.5 and later, the EULA and the RPM package will be unpacked in a subdirectory (license-server-<version>.rpm) of the current working directory.
   4. Install the package: 
      1. Go to the directory in which the RPM package is located.           
      2. Linux 7.x: # yum install license-server*.rpm
      3. Linux 8.x and 9.x: # dnf install license-server*.rpm

Below, you find the sample output of an installation (version 8.x of the supported Linux distributions; assuming that the RPM is in the current working directory):

# dnf install license-server-2.0.1.rpm 
Last metadata expiration check: 0:19:36 ago on Di 03 Mai 2022 13:20:02 CEST.
Dependencies resolved.
================================================================================
 Package               Architecture  Version          Repository           Size
================================================================================
Installing:
 license-server        x86_64        2.0.1-1          @commandline         53 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 53 M
Installed size: 85 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: license-server-2.0.1-1.x86_64                          1/1 
  Installing       : license-server-2.0.1-1.x86_64                          1/1 
  Running scriptlet: license-server-2.0.1-1.x86_64                          1/1 
Created symlink /etc/systemd/system/multi-user.target.wants/licensed.service → /etc/systemd/system/licensed.service.

  Verifying        : license-server-2.0.1-1.x86_64                          1/1 

Installed:
  license-server-2.0.1-1.x86_64                                                 

Complete!

VE License Server Post-Installation Tasks

After the installation, it is strongly recommended to change the default password of the web GUI. Please refer to VE License Server Web-based Management GUI for more information.

Charon VE-Capable Emulator Software Installation

The Charon emulator software can be installed as a standard installation based on installation packages provided by Stromasys, or (in supported cloud environments) be provided as a marketplace image from which a Charon emulator host instance can be launched.

The detailed host requirements, the installation, and the management of the Charon emulator software are described in the user's guides of the respective products and versions.

For a standard Charon emulator installation, please refer to the following resources on the Stromasys product documentation page:

• For Charon-SSP, refer to the Charon-SSP user's guide of your emulator version for details (see Charon-SSP for Linux).
• For Charon-PAR, refer to the Charon-PAR user's guide of your emulator version for details (see Charon-PAR documentation).
• For Charon-AXP/VAX, refer to the Charon-AXP/VAX user's guides of your emulator version for details (see Charon-AXP and Charon-VAX documentation).

To launch a Charon emulator host instance from a prepackaged VE or AutoVE enabled marketplace image, please refer to the cloud-specific information in the appendix or your cloud-specific Getting Started guide.

• A prepackaged VE image will provide a Charon emulator host suitable to use a VE license server operating in general VE license mode.
• A prepackaged AL (Automatic Licensing) image will provide a Charon emulator host suitable to use a VE license server operating in AutoVE mode.
• Please note: not every cloud environment will offer one or both types of prepackaged marketplace images. Please refer to the cloud-specific Getting Started guide of your product, or contact your Stromasys representative to check the availability.