Sentinel® LDK and Sentinel HASP® Run-time Environment DEB Installer for Linux: Readme

Version 7.80

April 2018


This document describes installation of the Run-time Environment for Sentinel LDK and Sentinel HASP, using DEB under the supported Ubuntu and Debian operating systems. ("Sentinel LDK" is the next generation of the Sentinel HASP system.)

The following topics are discussed:

Operating Systems Supported

The following Linux Intel (x86 and x86_64) distributions are supported:

The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. Older operating system versions are likely to be fully compatible as well, but are not guaranteed. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.

Virtual Environments Supported

For a list of the virtual environments supported, see "Supported Platforms for End Users" in the Sentinel LDK Release Notes.

The latest Release Notes can be seen at: http://sentinelldk.safenet-inc.com/LDKdocs/RN

Installing the Run-time Environment

Warning: If you downgrade the Run-time Environment to a previous version, license storage may become inaccessible. Licenses may be missing, and commands will fail with the HASP_DEVICE_ERR error. To recover, reinstall the latest Run-time Environment, although this may cause some licenses to be marked as "cloned".

Perform the following steps to install the Run-time Environment for Sentinel LDK or Sentinel HASP:

  1. To support your application on both 32-bit and 64-bit architectures, ensure that you provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer. These libraries are contained in the following files:
  2. Disconnect your Sentinel HL key (if any) from the computer.
  3. Open a terminal window and navigate to the directory containing the downloaded installation file.
  4. As root, enter the following command:
  5. Reconnect the Sentinel HL key.

    Note: At this point, for older HASP HL keys, the firmware on the HL key may be automatically upgraded. During the upgrade process, the key will blink continuously. Do not remove the key while it is blinking. If you remove the key too soon, the key may no longer be visible in Admin Control Center. If the key is not visible, or if the upgrade does not occur, refer to "Upgrading HASP HL Key Firmware" below.

For additional information, see “2.17 - Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.

Back to Topics

Uninstalling the Run-time Environment

Do the following if you want to uninstall the Run-time Environment:

Back to Topics

Enhancements and Issues Resolved in This Release

Enhancements

Reference Description
SM-15321

The Run-time Environment for Linux Intel now provides native support for both 32-bit and 64-bit architectures. You are no longer required to provide 32-bit support libraries (x86 compatibility packages) for the 64-bit architecture.

Be sure to provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer.

Issues Resolved

Reference Description
SM-12155 If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.
SM-14373 When installing the Run-time Environment in a CentOS 7.x Docker, the message "Unsupported Linux distribution" was generated.
SM-18502 Defining an excessive number of User Restrictions in Admin Control Center would cause the License Manager Service to fail.
SM-19981 hasp_update would return an internal error for an HL Key when the license definition contains empty content in the default memory section.
SM-26543 Under certain circumstances, Sentinel License Manager would crash on the REST interface with long packets.
SM-6477

Given the following circumstances:

  • A customer uses SSH to connect to a remote Linux machine.
  • On the remote machine, the customer uses multiple tmux sessions to run a protected application.
  • hasp_login was called in each session.

A license was consumed for each session.

(If the Feature is defined to count workstations and not sessions, only one license should have been consumed for a single SSH session from the same workstation.)

Back to Topics

Security Updates in This Release

This section describes security issues that may affect Sentinel products and that have been resolved in Sentinel Run-time Environment v.7.80.

For the latest information regarding these issues or any older or newly-discovered issues, see this Web page:

https://sentinel.gemalto.com/technical-support/security-updates-sm/

Reporting a Security Vulnerability

If you think you have found a security vulnerability, please send it to Gemalto using the links provided on the Web page provided above.

Sentinel LDK Vulnerabilities

The vulnerabilities listed below affect the License Manager service of HASP SRM, Sentinel HASP and Sentinel LDK products. These vulnerabilities are resolved in Sentinel Run-time Environment version 7.80.

Back to Topics

Revision History

This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.

Issues Resolved in Version 7.65

Reference Description
SM-21408 The Admin Control Center help system was missing information regarding the new “Idle Timeout of Session” configuration parameter.
SM-23320 A possible security issue related to License Manager failure due to stack overflow on deep XML data (reported by Kaspersky) has been resolved.
SM-23402

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

Enhancements in Version 7.63

Reference Description
SM-13505

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

  • In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.
  • In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.
SM-14894

Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter>
It is no longer necessary to decode the C2V file in order to view this information.

SM-19483 Admin Control Center now recognizes the new V2CP format to update protection keys. This supports planned enhancements in Sentinel LDK v.7.8.

Issues Resolved in Version 7.63

Reference Description
SM-11734 When a Licensing API operation was performed repeatedly for an extended period of time with an HL key, the hasp_login function would fail with HASP_DEVICE_ERR=43. (Disconnecting and reconnecting the key would resolve the issue.)
SM-15922 Admin Control Center no longer requires the <?xml header in a V2C file.
SM-17175

After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses.

SM-18502 In Admin Control Center, defining too many users in the User Restrictions field would cause the License Manager to fail.

Enhancements in Version 7.61

Reference Description
SM-5318

The Run-time Environment now supports the use of the VMType3 clone protection scheme.

Issues Resolved in Version 7.61

Reference Description
SM-13945 The Readme files for earlier releases of Sentinel LDK Runtime Environment Installers for Linux incorrectly listed cases SM-901, SM-942, SM-4237, SM-6102, and LDK-14805 as being implemented or resolved in those releases. These cases are only relevant for Windows platforms. These cases has been removed from the cases listed in the Revision History section of this (version 7.61) Readme file and will not appear in the Revision History section in future Readme files for Runtime Environment Installers for Linux.

Enhancements in Version 7.60

Reference Description
SM-1286

You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase.

SM-6525

In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API.
Now, the parameter Allow Remote Access to ACC and Admin API (in Admin Control Center) and the tag <accremote> (in Admin API) control remote access to both Admin Control Center and Admin API.

Issues Resolved in Version 7.60

Reference Description
SM-515 It was possible to rehost a cloned license to another machine.
SM-518

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

SM-552

On Linux and Mac machines, Admin Control Center would fail to download additional languages when the user clicked the More Languages option.

SM-507

When an end user would unpack a Run-time Environment that was configured for the user by Sentinel EMS, the following warning was displayed:
A lone zero block at 21242
This issue did not interfere with the functionality of the Run-time Environment.

SM-555

When started, the License Manager would display warning messages similar to:
warning: maximal mount count reached, running e2fsck is recommended

There are no functionality issues related to these warning messages.
These messages would be seen at system boot time or in /var/log/kern.log.

SM-3687

A number of issues would occur under Arch Linux-2017.01.01-X64:

  • Installation of the Run-time Environment would fail. Execution of aksusbd-7.51.1-i386/dinst would fail with the message: “Unsupported init script system”
  • The fingerprint for an SL UserMode license could be fetched successfully. However, when installing a V2C file for the license, the Licensing API would generate the message: error 43.
  • A Sentinel HL (Driverless configuration) key can be used successfully with the Licensing API. However, when the key contains a license with concurrency, the Licensing API generates “error 80” (because the License Manager Service cannot be installed on the system).
SM-9496

The License Manager and API no longer change the CPU affinity mask to force the process to run on all CPUs. They now keep the default affinity that was set at the process startup.

SM-9755

When operated under Wine, Sentinel License Generation API was not communicating correctly with the Master key. The following message was displayed: error `communication with Master Key failed: Master Key might not be present'

Enhancements in Version 7.55

Reference Description
SM-4748

Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:

  • Allow specific named users to access specific Batch Codes, protection keys (haspID), or Product IDs.
  • Use the "*" wildcard character for IP and hostname.
  • Use subnet mask notation (for example: 172.18.8.0/21) for IP addresses

For more information, see "Configuring User Settings" in the Admin Control Center online help.

Issues Resolved in Version 7.55

Reference Description
SM-4942

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

SM-7748

When a user issues a "detach license" request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:

  • “allow” user restrictions that are based on a specific user name are not applied because the user name is not available to the License Manager on the license server. If a different restriction such as deny=all@all is also specified, the detach request will be denied.
  • If any “deny” user restriction that is applicable for the request in all respects other than username exists, that restriction is applied even if the user name specified in the restriction does not match. For example: If the detach request was sent from a machine with the hostname host123, and a user restriction has been specified deny=skr@host123 on the license server machine, the detach request is denied even the user requesting the detach has a different username.

Sentinel Admin Control Center online help has been updated to describe these limitations.

Enhancements in Version 7.54

Reference Description
SM-884

When a Sentinel EMS user performs an action in a Java-free Web browser that affect Sentinel protection keys in Sentinel EMS Vendor Portal or Customer Portal,  the user would get the following message: “Either Runtime is not installed or the EMS portal URL is not configured in ACC. Download the Latest Runtime Installer (EXE / DLL)”. This message appears when the installed RTE is not configured to communicate with the Sentinel EMS machine. Until now, this configuration had to be performed manually.

Now, when a user installs RTE 7.54 (or later) that was rebranded by Sentinel EMS 7.5.4 (or later), the installed RTE is already configured as required. No manual configuration is required.

Issues Resolved in Version 7.54

Reference Description
SM-552

In Sentinel Admin Control Center on a Linux machine, when a user would click "More Languages", Admin Control Center would not contact the Gemalto server to search for available language packs.

Issues Resolved in Version 7.51

Reference Description
LDK-16443

Given the following circumstances:

  • A V2C file was applied to a new SL AdminMode license on a given machine.
  • The same V2C was applied a second time to the license.

Instead of generating an error message and rejecting the update, the License Manager would generate the error message and then remove the original SL AdminMode license from the machine. (The license would be restored when the License Manager was restarted.)

Issues Resolved in Version 7.50

Reference Description
LDK-13136 Sentinel Licensing API would identify a Max Micro key as a Max key under certain circumstances.
LDK-13455

Given the following circumstances:

  • A license server machine and the recipient machine are in different time zones
  • A detachable license is transferred online from the server to the recipient machine.
The detached license would expire earlier than expected.
LDK-13926 The branded RTE Installer that is generated by Sentinel EMS did not copy the haspvlib correctly to /var/hasplm/. As a result, when hasp_update attempted to apply a V2C file, error 48 was generated.
LDK-14274

Given the following circumstances:

  • An SL AdminMode or SL Legacy license is located on a physical machine.
  • From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.
The incorrect values disabled=true and usable= false were returned.
LDK-14280 HASP HL keys are not recognized correctly by the License Manager when keys from two or more vendors are connected to a given machine.
LDK-15306 On the Diagnostics page of Admin Control Center, the Requests counter would count a request to local licenses as a remote request.
LDK-15307

Given the following circumstances:

  1. SL Legacy licenses from two different vendors were present on a machine.
  2. The license from one of the vendors is removed.
  3. The License Manager service is restarted.
The remaining SL Legacy license was no longer visible in Admin Control Center.
LDK-16113 When a V2C file to clear the “cloned” status of an SL Legacy license was applied, The “clear clone” operation was not applied correctly until the user restarted the machine.

Enhancements in Version 7.40

Reference Description
LDK-7237 Under certain circumstances, Admin Control Center would continue to show active sessions for an HL key after all sessions had logged out of the key.
LDK-8994 In Admin Control Center on Linux platforms: When the user clicked Show Recent Client Access on the Access From Remote Clients tabbed page, the user/hostname was not displayed.
LDK-10273 Admin Control Center would allow a license to be detached even though the termination date for the detach was invalid.
LDK-10564 The Vendor ID of a Master key was not the same in Admin Control Center pages and in diagnostic reports.
LDK-11825 Admin Control Center was not able to display an invalid HL key. Now such a key is visible in Admin Control Center with an indication that the key is not valid.
LDK-12040 Admin Control Center did not function correctly in the Konqueror browser if the Konquerors page cache was enabled.

Issues Resolved in Version 7.40

Reference Description
LDK-7237 Under certain circumstances, Admin Control Center would continue to show active sessions for an HL key after all sessions had logged out of the key.
LDK-8994 In Admin Control Center on Linux platforms: When the user clicked Show Recent Client Access on the Access From Remote Clients tabbed page, the user/hostname was not displayed.
LDK-10273 Admin Control Center would allow a license to be detached even though the termination date for the detach was invalid.
LDK-10564 The Vendor ID of a Master key was not the same in Admin Control Center pages and in diagnostic reports.
LDK-11825 Admin Control Center was not able to display an invalid HL key. Now such a key is visible in Admin Control Center with an indication that the key is not valid.
LDK-12040 Admin Control Center did not function correctly in the Konqueror browser if the Konquerors page cache was enabled.

Back to Topics

Known Issues - Run-time Environment

Reference Description
140898 Under the Linux operating system, Sentinel License Manager does not support the IPV6 network protocol.

Back to Topics

Resuming a Suspended Application

If the Sentinel HL key for a running application is disconnected, the application is suspended. When the key is re-attached, the application resumes, but it goes into the background. The application can be brought to the foreground using one of the shell built-in "fg" from the same terminal from where application had been launched.

Do the following to bring a background application to the foreground:

  1. List your background running jobs using command "jobs".
  2. Choose your job ID.
  3. Enter the following command to bring the application to the foreground: fg <%jobId>

Upgrading HASP HL Key Firmware

The HASP HL Key Firmware has been modified to support future planned security enhancements in Sentinel LDK and Sentinel HASP. Sentinel LDK and Sentinel HASP automatically upgrade the Firmware on HASP HL keys from v.3.21 to the latest version (v.3.25). This occurs:

(You can determine the Firmware version of your HL key by viewing the key on the Sentinel Keys page of the Admin Control Center.)

For HL keys with Firmware earlier than v.3.21, the upgrade does not occur automatically. Customers can upgrade the Firmware to v.3.25 by applying the Firmware Update V2C provided on the Sentinel HASP or Sentinel LDK Installation DVD v.5.0 and later.

During the Firmware upgrade, the relevant key will start to blink. Do not remove the key while it is blinking. If you remove the key too soon, the key may no longer be visible in Admin Control Center.

Note: In the event the key is no longer visible using the Linux Run-time Environment, do the following on a Windows computer:

  1. Install the Run-time Environment using the enclosed installer script.
  2. Connect the HL key.
  3. Run the application FirmwareUpdate.exe, located on the DVD in \Windows\Installed\Redistribute\Firmware Update\HASP HL\.
  4. The HL key is upgraded to v.3.25 Firmware and will now be visible in the Linux Admin Control Center.

Back to Topics

© Gemalto 2018. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries.

DocID 154 Revision 1803-5