Sentinel^® LDK and Sentinel HASP^® Run-time Environment DEB Installer for Linux: Readme

The Run-time Environment for Linux Intel now provides native support for both 32-bit and 64-bit architectures. You are no longer required to provide 32-bit support libraries (x86 compatibility packages) for the 64-bit architecture.

Be sure to provide both 32-bit and 64-bit customized Vendor libraries with the Run-time Environment installer.

Given the following circumstances:

• A customer uses SSH to connect to a remote Linux machine.
• On the remote machine, the customer uses multiple tmux sessions to run a protected application.
• hasp_login was called in each session.

A license was consumed for each session.

(If the Feature is defined to count workstations and not sessions, only one license should have been consumed for a single SSH session from the same workstation.)

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

• In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.
• In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter>
It is no longer necessary to decode the C2V file in order to view this information.

After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses.

The Run-time Environment now supports the use of the VMType3 clone protection scheme.

You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase.

In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API.
Now, the parameter Allow Remote Access to ACC and Admin API (in Admin Control Center) and the tag <accremote> (in Admin API) control remote access to both Admin Control Center and Admin API.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

On Linux and Mac machines, Admin Control Center would fail to download additional languages when the user clicked the More Languages option.

When an end user would unpack a Run-time Environment that was configured for the user by Sentinel EMS, the following warning was displayed:
A lone zero block at 21242
This issue did not interfere with the functionality of the Run-time Environment.

When started, the License Manager would display warning messages similar to:
warning: maximal mount count reached, running e2fsck is recommended

There are no functionality issues related to these warning messages.
These messages would be seen at system boot time or in /var/log/kern.log.

A number of issues would occur under Arch Linux-2017.01.01-X64:

• Installation of the Run-time Environment would fail. Execution of aksusbd-7.51.1-i386/dinst would fail with the message: “Unsupported init script system”

• The fingerprint for an SL UserMode license could be fetched successfully. However, when installing a V2C file for the license, the Licensing API would generate the message: error 43.

• A Sentinel HL (Driverless configuration) key can be used successfully with the Licensing API. However, when the key contains a license with concurrency, the Licensing API generates “error 80” (because the License Manager Service cannot be installed on the system).

The License Manager and API no longer change the CPU affinity mask to force the process to run on all CPUs. They now keep the default affinity that was set at the process startup.

When operated under Wine, Sentinel License Generation API was not communicating correctly with the Master key. The following message was displayed: error `communication with Master Key failed: Master Key might not be present'

Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:

• Allow specific named users to access specific Batch Codes, protection keys (haspID), or Product IDs.
• Use the "*" wildcard character for IP and hostname.
• Use subnet mask notation (for example: 172.18.8.0/21) for IP addresses

For more information, see "Configuring User Settings" in the Admin Control Center online help.

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

When a user issues a "detach license" request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:

• “allow” user restrictions that are based on a specific user name are not applied because the user name is not available to the License Manager on the license server. If a different restriction such as deny=all@all is also specified, the detach request will be denied.

• If any “deny” user restriction that is applicable for the request in all respects other than username exists, that restriction is applied even if the user name specified in the restriction does not match. For example: If the detach request was sent from a machine with the hostname host123, and a user restriction has been specified deny=skr@host123 on the license server machine, the detach request is denied even the user requesting the detach has a different username.

Sentinel Admin Control Center online help has been updated to describe these limitations.

When a Sentinel EMS user performs an action in a Java-free Web browser that affect Sentinel protection keys in Sentinel EMS Vendor Portal or Customer Portal,  the user would get the following message: “Either Runtime is not installed or the EMS portal URL is not configured in ACC. Download the Latest Runtime Installer (EXE / DLL)”. This message appears when the installed RTE is not configured to communicate with the Sentinel EMS machine. Until now, this configuration had to be performed manually.

Now, when a user installs RTE 7.54 (or later) that was rebranded by Sentinel EMS 7.5.4 (or later), the installed RTE is already configured as required. No manual configuration is required.

In Sentinel Admin Control Center on a Linux machine, when a user would click "More Languages", Admin Control Center would not contact the Gemalto server to search for available language packs.

Given the following circumstances:

• A V2C file was applied to a new SL AdminMode license on a given machine.
• The same V2C was applied a second time to the license.

Instead of generating an error message and rejecting the update, the License Manager would generate the error message and then remove the original SL AdminMode license from the machine. (The license would be restored when the License Manager was restarted.)

Given the following circumstances:

• A license server machine and the recipient machine are in different time zones
• A detachable license is transferred online from the server to the recipient machine.

Given the following circumstances:

• An SL AdminMode or SL Legacy license is located on a physical machine.
• From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.

Given the following circumstances:

1. SL Legacy licenses from two different vendors were present on a machine.
2. The license from one of the vendors is removed.
3. The License Manager service is restarted.