Network HASP dongles
This page describes the network activity that occurs in the communication between an application and/or a local license manager and a remote license manager.
License Manager
From QINSy version 8.18.0 onward, we will no longer use the HASP Loader; the License Manager is used instead.
Sentinel LDK Run-time Network Activity
This appendix describes the type of network activity that occurs in the communication between:
- An application (protected using Sentinel LDK) and the local Sentinel License Manager (referred to as “local communications”).
- The local Sentinel License Manager and one or more remote Sentinel License Managers (referred to as “remote communications”).
Details regarding local communications and remote communications are provided lower on the page.
This section is intended to assist IT managers who want to understand how run-time activity on the network may impact the way they set up their network rules and policies.
Sentinel LDK communicates via TCP and UDP on socket 1947. This socket is IANA-registered exclusively for this purpose.
Local Communications
This section describes communication between a protected application and the local Sentinel License Manager service.
A protected application communicates only with Sentinel License Manager on the computer where the application is running, regardless of whether the Sentinel HL or SL Key is located on the same computer or on a remote computer.
Under Windows, Sentinel License Manager is a service that is launched automatically by hasplms.exe. Under Mac OS and Linux, the Sentinel License Manager is a process launched automatically by hasplmd.
Sentinel License Manager service opens socket 1947 for listening (both for UDP packets and TCP packets).
- IPv4 sockets are always opened (Sentinel License Manager currently does not work without IPv4 installed).
- IPv6 sockets are opened if IPv6 is available.
A protected application tries to connect to 127.0.0.1:1947 TCP to communicate with Sentinel License Manager. If an application uses multiple sessions, multiple concurrent TCP connections may exist.
If a session is unused for a certain number of minutes (at least seven minutes, but the exact number depends on several factors), the session may be closed and automatically re-opened later in order to limit resources used by the application.
These local communications currently use IPv4 only.
The communication uses binary data blocks of varying size.
Remote Communications
This section describes communication between the local Sentinel License Manager service and a remote Sentinel License Manager service. This type of communication occurs when the protected application is running on a different computer from the computer where the Sentinel protection key is installed.
The protected application communicates only with the local Sentinel License Manager on the computer where the application is running, as described in "Local Communications". The local Sentinel License Manager discovers and communicates with the License Manager on the computer containing the Sentinel protection key using one of the following methods:
- If the option Broadcast Search for Remote Licenses is selected in the Admin Control Center (in the Access From Remote Clients tab of the Configuration page), the local Sentinel License Manager issues a UDP broadcast to local subnets on port 1947 using:
  - IPv4 (always)
  - IPv6 (if available)
  The option Broadcast Search for Remote Licenses is selected by default.
- For addresses specified in the Admin Control Center field Remote License Search Parameters or Specify Search Parameters (in the Access From Remote Clients tab of the Configuration page), the local License Manager does the following:
  - For a local Admin License Manager: The License Manager issues a UDP “ping” packet to port 1947 for all addresses specified. These addresses may be individual machine addresses or broadcast addresses.
  - For a local Integrated License Manager or External License Manager: The License Manager sends a TCP request to all individual addresses. If the field contains a broadcast address (xxx.xxx.xxx.255), the License Manager sends a UDP broadcast to discover a running server at that broadcast address.
All Sentinel License Managers found by the discovery process are then connected via TCP port 1947, using IPv4 or IPv6 as detected during discovery, and data regarding the remote Sentinel protection keys are transferred.
This discovery process is repeated at certain intervals. (The interval size depends on a number of factors, but it is generally not less than five minutes.)
UDP packets sent and received in the discovery process contain the Sentinel License Manager GUID (40 bytes of payload data).
When starting or stopping a Sentinel License Manager, and when adding or removing a Sentinel protection key, a UDP notification packet is sent, containing the Sentinel License Manager GUID and a description of the changes encountered. This is done to allow other Sentinel License Managers to update their data before the next scheduled discovery process.
TCP packets between two Sentinel License Managers on different computers use HTTP with base-64 encoded data in the body section.
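For the network-rules use case this page is written for, the following added example (not part of the Sentinel LDK documentation) labels flow records on port 1947 by the traffic types described above and flags flows that cross the approved license subnets. The record format, the 10.20.0.0/24 subnet and the label names are assumptions, and the sample flows are constructed.

```python
import ipaddress

LM_PORT = 1947  # TCP and UDP port named on this page
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

# Constructed flow records, one per line: "proto src dst dport" (assumed format).
SAMPLE_FLOWS = """\
tcp 127.0.0.1 127.0.0.1 1947
udp 10.20.0.15 10.20.0.255 1947
udp 10.20.0.15 10.20.0.5 1947
tcp 10.20.0.15 10.20.0.5 1947
tcp 203.0.113.9 10.20.0.5 1947
tcp 10.20.0.15 198.51.100.7 1947
tcp 10.20.0.15 10.20.0.5 443
"""

def classify(line, nets):
    """Label one flow record using the traffic types described above."""
    proto, src, dst, dport = line.split()
    if int(dport) != LM_PORT:
        return "other"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "tcp" and src.is_loopback and dst.is_loopback:
        return "local-session"          # application <-> local License Manager
    if not any(src in n for n in nets):
        return "outside-source"         # port 1947 reached from an unapproved host
    if proto == "udp" and (dst == LIMITED_BCAST
                           or any(dst == n.broadcast_address for n in nets)):
        return "discovery-broadcast"    # Broadcast Search for Remote Licenses
    if not any(dst in n for n in nets):
        return "outside-destination"    # license traffic leaving approved subnets
    # Unicast UDP is a discovery "ping" or a change notification;
    # TCP is the License Manager to License Manager session.
    return "udp-ping-or-notify" if proto == "udp" else "remote-session"

def audit(text, license_nets):
    """Return (record, label) pairs for every non-empty line in text."""
    nets = [ipaddress.ip_network(n) for n in license_nets]
    return [(l, classify(l, nets)) for l in text.splitlines() if l.strip()]

def findings(text, license_nets):
    """Records that cross the approved subnets and deserve a firewall review."""
    return [l for l, label in audit(text, license_nets)
            if label.startswith("outside")]

if __name__ == "__main__":
    for record, label in audit(SAMPLE_FLOWS, ["10.20.0.0/24"]):
        print(f"{label:20} {record}")
```

Records labelled `outside-source` or `outside-destination` are the ones to compare against the firewall policy for port 1947.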
Types of License Managers
Several types of License Managers may be available to a protected application, depending on the platform used. The protected application selects the License Manager to use depending on various circumstances.
- Integrated License Manager (Windows, Android)
  - The Integrated License Manager (Integrated LM) is included in the Sentinel LDK Licensing API and in applications that were protected using Sentinel LDK Envelope.
  - The Integrated LM is able to directly handle local SL UserMode keys and local Sentinel HL (Driverless configuration) keys, without the need for admin rights.
  - The Integrated LM has no user interface. Sessions for protection keys that are handled directly by the Integrated LM are not visible in Admin Control Center. However, the Integrated LM can be configured. For more information, see the Sentinel Admin API Reference help file.
  - The Integrated LM can be upgraded by upgrading the Licensing API or by re-protecting the application with the latest version of Sentinel LDK Envelope.
  The Integrated License Manager is deprecated and will be discontinued in one of the upcoming Sentinel LDK releases.
- External License Manager (Windows)
  - The External License Manager (External LM) is contained in a standalone file: hasp_rt.exe. The hasp_rt.exe file must be placed in the same directory as the protected application.
  - The External LM is able to directly handle local SL UserMode keys and local Sentinel HL (Driverless configuration) keys, without the need for admin rights. To handle SL UserMode protection keys, you must place your customized Vendor library in the same directory as the protected application.
  - The External LM has no user interface. Sessions for protection keys that are handled directly by the External LM are not visible in Admin Control Center. However, the External LM can be configured. For more information, see the Sentinel Admin API Reference help file.
  - The External LM can be upgraded by simply replacing the hasp_rt.exe file with a later version of the file.
  For applications that were protected with versions of Sentinel LDK earlier than v.7.0, you must replace the Licensing API DLL or LIB file in order to make the External LM available.
- Admin License Manager (Windows, Mac, Linux)
  - The Admin License Manager (Admin LM) is included as part of the Run-time Environment. The Run-time Environment also includes device drivers, data file encryption drivers, and Sentinel Admin Control Center, which is the user interface for the Admin LM.
  - The Admin LM can manage all Sentinel HL and SL keys, with the exception of SL UserMode keys. Sessions for protection keys that are handled by the Admin LM are visible in Admin Control Center.
  - The Admin License Manager must be present on machines where remote protection keys are located.
  - Installation of the Run-time Environment on a computer requires admin rights. No special rights are required after the installation.
The table that follows summarizes the differences between the various types of License Managers.
| Attribute | Admin License Manager | External License Manager | Integrated License Manager |
| --- | --- | --- | --- |
| Supported platforms | Windows, Mac, Linux | Windows | Windows, Android |
| Requires admin rights for installation | Yes | No | No |
| Easily upgradable | Yes | Yes | No |
| Requires additional files | Yes | Yes | No |
| Supports Sentinel HL (Driverless configuration) key | Yes | Yes | Yes |
| Supports Sentinel HL (HASP configuration) key and HASP HL key | Yes | No | No |
| Supports SL AdminMode key | Yes | No | No |
| Supports SL UserMode key | No | Yes | Yes |
| Supports SL Legacy key | Yes | No | No |
| Supports remote network key | Yes | No | No |
Differences between the External LM and the Integrated LM in the Licensing API
The functionality of the External LM is nearly identical to that of the Integrated LM. This includes backward compatibility with Licensing API, the server search process, Sentinel SL UserMode license support, Sentinel HL (Driverless configuration) key support and configuration options.
The following are the differences between the External LM and the Integrated LM in the Licensing API:
| External License Manager | Integrated License Manager |
| --- | --- |
| The Licensing API runs in a separate process. In the Task Manager, two processes are listed: The protected application and the External License Manager module | There is no separate process for the License Manager. |
| If, for any reason, the License Manager fails, only the hasp_rt.exe process will crash. The protected application continues to run. The error HASP_LOCAL_COMM_ERR (33) is returned for any subsequent calls to the Licensing API. | If the License Manager fails, the protected application also fails. |
| If the protected application fails for any reason, the hasp_rt.exe module automatically exits, but only after closing all the login sessions left open by the protected application | Login sessions are kept alive for three minutes. The licenses that were in use by the protected application are not available during this time. |
| When debugging a protected application (and thus stopping all the background threads of the application) login sessions do not time out after 3 minutes, because the License Manager keeps the sessions alive. | Login sessions time out after three minutes. After they time out, the protected application cannot use calls to the Licensing API. |