Remote Key Connection - HASP Licensing Configurations

Overview

Since we have implemented Sentinel (formerly HASP) hardware licensing, its usage and setup have generally been “magical” for the user. Install the program, plug in the key, and it just works.

The Sentinel Driver & License service is automatically installed with our software and sometimes is already on the computer. If you are using Windows, you don’t technically need to install our software for the license key to work; Windows will normally download and install the driver the first time you plug in a key.

Terms & Definitions

  • Gemalto 
    current parent company of the Sentinel product lines
  • SafeNet 
    the current brand owner/vendor of the Sentinel product lines (technically a subsidiary of Gemalto)
  • Sentinel LDK
    the latest embodiment of the HASP product
  • HASP 
    the original name of the Sentinel hardware keys
  • Sentinel LDK License Manager
    the service installed on a client computer. This is bundled and automatically installed with the Sentinel (formerly HASP) driver.
  • Sentinel Admin Control Center
    a locally installed web interface for interacting with and configuring the Sentinel LDK License Manager
  • Sentinel Hardware License Key (Commonly referred to as Sentinel HL)
    the physical key attached to the computer that contains CEI licenses. It is red and looks very similar to a USB thumb drive. 


How the magic works and common reasons for it to fail

This section mainly applies to systems/network administrators or other curious souls who want to understand how the Sentinel LDK License Manager communicates with other systems. If that doesn't describe you, feel free to skip down to the next section.

Out-of-the-box configuration of the License Manager allows the service to listen for license requests and issue broadcast searches for available licenses. Broadcast discovery uses UDP port 1947; once a remote License Manager is discovered, further network communication moves to TCP port 1947. The Sentinel LDK documentation describes this further.

The most common reason for failing to discover a license server is that the discovery process cannot find an available License Manager with an attached Sentinel Hardware License Key. For instance, larger networks typically have a separate segment for server systems. Even if you don’t use a firewall to block network communications between two routed network subnets, most routers automatically drop all broadcasts, so the UDP port 1947 discovery broadcast never crosses from one LAN segment to another. This failure often affects VPN clients as well, since broadcast packets typically aren’t rebroadcast on the other side of a routed interface.

Firewalls (hardware, software, or virtual hardware) can also block License Service traffic if configured to disallow traffic on TCP and UDP port 1947.
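
The failure modes above can be told apart from a client with a short check. This is an added example, not vendor code; the host names are constructed placeholders, and the function name Test-LicenseManagerPath is hypothetical. It uses the Windows Test-NetConnection cmdlet to report whether a licensing host resolves, whether TCP port 1947 answers, and whether the route to it is on-link or goes through a router.

```powershell
# Added example: run on a client machine. Host names are constructed placeholders.
function Test-LicenseManagerPath {
    param([Parameter(Mandatory)][string[]]$LicenseHost)
    foreach ($h in $LicenseHost) {
        $r = Test-NetConnection -ComputerName $h -Port 1947 -WarningAction SilentlyContinue
        $nextHop = $r.NetRoute.NextHop
        # A next hop of 0.0.0.0 (or :: for IPv6) means the host is on-link, so
        # UDP 1947 broadcasts can reach it. Anything else means a router sits between.
        $routed = $nextHop -and ($nextHop -notin '0.0.0.0', '::')
        $advice = if (-not $r.RemoteAddress) {
            'Name did not resolve: check DNS or use the IP address'
        } elseif (-not $r.TcpTestSucceeded) {
            'TCP 1947 unreachable: check firewalls and the remote License Manager service'
        } elseif ($routed) {
            'Reachable but routed: broadcast discovery will not find it, configure it manually'
        } else {
            # VPN adapters can report on-link routes yet still not relay broadcasts
            'On-link and reachable: broadcast discovery should work'
        }
        [pscustomobject]@{
            Host    = $h
            Address = $r.RemoteAddress
            NextHop = $nextHop
            Tcp1947 = $r.TcpTestSucceeded
            Advice  = $advice
        }
    }
}

Test-LicenseManagerPath -LicenseHost 'server.domain.local', '192.0.2.10' | Format-List
```

A host that reports "reachable but routed" is the case the manual configurations below address.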

Most common manual configurations

Sometimes folks have situations that require manual configuration. In this section I cover a few of the most common cases we handle. At the end of the article, configuration solutions are offered and individual system admins will need to choose the appropriate option for their company’s environment.

Larger local area network with routed network segments between client and server

As mentioned above, when the license key is installed on a server in one routed (or firewalled) network segment and the clients sit on an entirely different segment, license discovery will likely fail because broadcast license searches are dropped at the router. One of the advanced methods covered later in this post may be an ideal solution, provided the client networks do not carry so much broadcast traffic that forwarding it creates a broadcast storm or other unintended consequence.


Mobile or home-based remote user accessing a license stored at the office

This configuration is not as common as it used to be since a lot of remote workers will just remotely control their office machine for mobile work. In the case under discussion, a remote worker has the application installed on their home or mobile computer and is connecting to the work VPN to allow the local client to find a license installed in the office. If the virtual network disallows broadcast packet re-broadcasting in the office LAN, the client will not find the license. The “Quick Fix” detailed below is ideal in this situation.


Multi-site setup with license key(s) centralized in one location

Larger customers with multiple locations sometimes run into this scenario. For instance, consider a setup with three locations connected via a site-to-site VPN over the Internet. The license keys are installed in Site A and all three sites have local installs of CEI software. Depending on how many client systems you need to configure, it may be more palatable to go with the second solution in the Advanced section and deploy a configuration file with the application.


The “Quick Fix”


Use this when you have relatively few clients to connect to a remote License Manager or if there is a limitation preventing use of the advanced methods.

Step One

Install one of our products as usual. This will install the Sentinel LDK License Manager as well. 

  • Launch a web browser and open the Sentinel Admin Control Center: http://localhost:1947
  • Click on “Configuration” in the left-hand navigation menu.
  • Choose “Access to Remote License Managers” in the tabs across the top.


Step Two

Configure the Remote License Search Parameters 

  • For every licensing host, add its IP address. Only enter one IP address per line. 
    If the remote license host is on a system with a dynamic IP address, you may enter a fully qualified domain name (e.g., “server.domain.local”). Keep in mind that the client needs to have continuous access to the DNS server(s) responsible for the domain (e.g., “domain.local”).
  • Press the “submit” button to save changes. It may take a couple of minutes, but the local client should find the license keys on the remote systems.


Advanced methods

One method is to configure your network equipment to transmit broadcast UDP traffic between network segments. This can work between VPNs, site-to-site network links, or routed subnets. Since the method for achieving this is dependent upon the brand and model of network equipment installed, you will need to discuss this with a system/network administrator familiar with configuring your network systems. Please be aware of unintended consequences such as broadcast storms that could reduce performance or reliability on your network.

It is also possible to modify the hasplm.ini file and deploy it to multiple machines at the same time. The Sentinel documentation discusses this method. You can find hasplm.ini in the %CommonProgramFiles%\Aladdin Shared\HASP\ directory. Use %CommonProgramFiles(x86)%\Aladdin Shared\HASP\ on 64-bit operating systems.
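
One way to script the hasplm.ini change for deployment, as an added example that is not vendor code. Assumptions to verify against your installed Sentinel version: remote hosts are listed as "serveraddr" lines in a [REMOTE] section, and the License Manager service is named hasplms. The function name Set-HaspRemoteServers and the addresses are constructed for illustration.

```powershell
# Added example: run elevated on the client.
# Assumed from Sentinel LDK conventions (verify on your version): remote hosts are
# listed as "serveraddr = <host>" lines in the [REMOTE] section of hasplm.ini.
function Set-HaspRemoteServers {
    param(
        [Parameter(Mandatory)][string[]]$Servers,   # IPs or FQDNs, one entry each
        [Parameter(Mandatory)][string]$IniPath
    )
    $entries = @($Servers | ForEach-Object { "serveraddr = $_" })
    $old = @()
    if (Test-Path $IniPath) {
        Copy-Item $IniPath "$IniPath.bak" -Force     # keep a rollback copy
        $old = @(Get-Content $IniPath)
    }
    $new = @(); $section = ''; $written = $false
    foreach ($line in $old) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $section = $Matches[1]
            $new += $line
            if ($section -eq 'REMOTE' -and -not $written) {
                $new += $entries                     # new list goes right under the header
                $written = $true
            }
        } elseif ($section -eq 'REMOTE' -and $line -match '^\s*serveraddr\s*=') {
            continue    # drop stale entries so the list is replaced, not appended to
        } else {
            $new += $line                            # every other setting is preserved
        }
    }
    if (-not $written) { $new += '[REMOTE]'; $new += $entries }
    Set-Content -Path $IniPath -Value $new
}

# Pick the directory the article names for 64-bit vs 32-bit Windows.
$common = ${env:CommonProgramFiles(x86)}
if (-not $common) { $common = $env:CommonProgramFiles }
$ini = Join-Path $common 'Aladdin Shared\HASP\hasplm.ini'

# Constructed sample values; replace with your licensing hosts.
Set-HaspRemoteServers -Servers '192.0.2.10', 'server.domain.local' -IniPath $ini
Restart-Service -Name hasplms   # assumed service name; restart so the file is re-read
```

Check the result in the Sentinel Admin Control Center under “Access to Remote License Managers” before rolling the script out widely.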

Bonus – configuring a server to allow automatic updates of the Sentinel HL (hardware) key

It is quite convenient to host the licensing key on a server. Servers are typically always turned on and available so you don’t have to worry about a co-worker accidentally killing your access to CEI software because they shut down their computer and left for Tahiti. 

When customers renew subscriptions, we place a license update file (in the format of <keynumber>.v2c) on our licensing web server. The License Update Service (installed with our software) will regularly check our web server for the unique key number. If a new file is available, it will apply the latest update without any interaction from the customer.

If you want to enable the license update service on a server system, you will need to install one of our products. This will not consume a license. Once the application and service are installed, the only other test is to make sure that your Internet filtering software/hardware or firewalls do not block outbound connections to license.thinkcei.com.

NOTE: This post concerns licensing for CEI’s on-premise products.