Sentinel^® LDK and Sentinel HASP^® Run-time Environment Installer GUI for Windows: Readme

If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.

The RTE installer adds a firewall rule (named “Sentinel License Manager”) that, in the past, allowed incoming connections from any network, including public networks, using port 1947. Starting with RTE version 7.80, the firewall rule added by the RTE Installer does not allow incoming connections from public networks. If you are upgrading from an earlier version of RTE, the installer replaces the existing rule (that allows connections from public networks) with a rule that blocks such connections.

You can manually allow access using this port from public networks, but Gemalto highly recommends against this.

If you do plan to allow access from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

• In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.
• In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter>
It is no longer necessary to decode the C2V file in order to view this information.

After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses.

The Run-time Environment now supports the use of the VMType3 clone protection scheme.

You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase.

Admin Control Center (under Windows) can now display and apply updates to local SL UserMode keys. (Session information and certificate information for SL UserMode keys is not displayed.)

To display SL UserMode keys in Admin Control Station, License Manager runs an additional process (hasplmv) on the machine. If you are willing to accept that SL UserMode keys will not be displayed, you have the option to prevent hasplmv from executing by clearing the relevant check box on the Configuration page in Admin Control Center.

In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API.
Now, the parameter Allow Remote Access to ACC and Admin API (in Admin Control Center) and the tag <accremote> (in Admin API) control remote access to both Admin Control Center and Admin API.

When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application was not able to decrypt the protected data file, no error message was generated to explain why the file cannot be opened.

Under Windows 10, a physical machine would be detected as a virtual machine when only Hyper-V Hypervisor is enabled.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

When building a Run-Time Environment installer using Wix, an error message similar to the following was generated:
Invalid product version '7.53.1.66350' in package HASP_Setup.msi'. When included in a bundle, all product version fields in an MSI package must be less than 65536.
This error no longer occurs.

Under certain circumstances, Sentinel LDK License Manager Service would crash. The exception code would map to STATUS_STACK_OVERFLOW in __chkstk API.

Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:

• Allow specific named users to access specific Batch Codes, protection keys (haspID), or Product IDs.
• Use the "*" wildcard character for IP and hostname.
• Use subnet mask notation (for example: 172.18.8.0/21) for IP addresses

For more information, see "Configuring User Settings" in the Admin Control Center online help.

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

When a user issues a "detach license" request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:

• “allow” user restrictions that are based on a specific user name are not applied because the user name is not available to the License Manager on the license server. If a different restriction such as deny=all@all is also specified, the detach request will be denied.

• If any “deny” user restriction that is applicable for the request in all respects other than username exists, that restriction is applied even if the user name specified in the restriction does not match. For example: If the detach request was sent from a machine with the hostname host123, and a user restriction has been specified deny=skr@host123 on the license server machine, the detach request is denied even the user requesting the detach has a different username.

Sentinel Admin Control Center online help has been updated to describe these limitations.

Installation of a rebranded RTE would fail when the account name contains multi-byte characters (such as Japanese). The install log would contain an error similar to the following:

could not open C:\Users\userName\AppData\Local\Temp\EMSUrl.properties ../hhlinst.c,4659
OPEN file C:\Users\userName\AppData\Local\Temp\EMSUrl.properties processing error. ../hhlinst.c,4660,

The decrypt function in the HASP4 API would give incorrect results after RTE 7.52 or 7.53 was installed.

Given the following scenario:

1. Obtain a C2V file for an SL Legacy key.
2. Prepare an update to upgrade the SL Legacy key to an SL AdminMode key in Sentinel License Generation API, but do not apply the update.
3. Prepare a second update using the first update as the current state for the key.
4. Apply the second update to the key.

The update would return a status of OK even though the update fails.

Given the following scenario:

1. Connect a Sentinel HL (HASP configuration) key to a machine and generate a C2V file for the key.
2. Create an update in Sentinel License Generation API to upgrade the key to a Sentinel HL (Driverless configuration) key, but do not apply the update.
3. Prepare a second update to the key using the first update as the current state for the key.
4. Apply the second update to the key.

The update would return a status of OK even though the update fails.

The Features page in Admin Control Center now displays the peak number of consumed seats per Feature. The peak number is based on the current License Manager session. For each Feature, the peak number value is displayed as a tool tip for the seats value under the Logins column. This information enables end users and organizations to determine if the number of seats purchased is suitable for their needs.

The Run-time Environment can now be installed under Windows 10 when Device Guard is enabled.

A Sentinel HL (HASP configuration) key would not be accessible by the protected application under the following circumstances:

The following conditions exist:

• Windows 10 version 1607 is present on the machine.
• The network is disabled.
• The Run-time Environment is not present on the machine.

The following actions are performed:

1. The HL key is connected to the machine and then disconnected.
2. The Run-time Environment is installed on the machine.
3. The HL key is connected again to the machine.

The HL key would not be accessible.

When using RTE 7.51, a Stop error (BSoD) would occur when the protected application attempted to retrieve the serial number of the disk drive that uses Intel RAID drivers.

Under certain circumstances, the uninstall of the Run-time Environment on a Windows 8 machine would fail.

The uninstall of the Run-time Environment would not provide proper notification if it failed to remove all necessary files. The uninstall process now provides a detailed list of any files that it fails to remove and advises the user to remove the files manually.

During the installation of a rebranded Run-time Environment using the -v flag (haspdinst.exe -i -v), an internal error would be displayed (message: "An error occurred when the RTE installer attempted to unpack the file sm.cab"). Note that the -v flag is not a documented option, and that the installation would succeed despite the error message.

Given the following circumstances.

1. A machine is not connected to the network
2. Run-time Environment v.7.50 is installed on the machine.
3. The Run-time Environment is removed with a purge command.
4. You connect a Sentinel HL (HASP configuration) key to the machine.

The Run-time Environment would be automatically reinstalled.

Now, the Run-time Environment is not installed under these circumstances.

Given the following circumstances:

• A V2C file was applied to a new SL AdminMode license on a given machine.
• The same V2C was applied a second time to the license.

Instead of generating an error message and rejecting the update, the License Manager would generate the error message and then remove the original SL AdminMode license from the machine. (The license would be restored when the License Manager was restarted.)

Given the following circumstances:

• A file type is registered as “protected” using Version 1 data file protection.
• A file of the protected type is saved from the protected application using “Save as”.

Given the following circumstances:

• A license server machine and the recipient machine are in different time zones
• A detachable license is transferred online from the server to the recipient machine.

Given the following circumstances:

• An SL AdminMode or SL Legacy license is located on a physical machine.
• From a remote VM, hasp_get_info() is called to fetch values of the "disabled" and "usable" tags for the SL license.

Given the following circumstances:

1. SL Legacy licenses from two different vendors were present on a machine.
2. The license from one of the vendors is removed.
3. The License Manager service is restarted.

Given the following circumstances:

1. RTE version 6.60 or earlier is installed on a machine with no licenses.
2. Retrieve the fingerprint of the machine.
3. Upgrade the RTE to version 7.41
4. Use the retrieved fingerprint to generate an SL AdminMode license.
5. Apply the license with the upgraded RTE.

Sentinel LDK communicates via TCP and UDP on port 1947. This port is IANA-registered exclusively for this purpose. At the end user site, the firewall must be configured so that communication via this port is not blocked.

When a computer names contains UTF-16 characters, Admin Control Center displays the short name for the computer (similar to Windows Explorer). Similarly, the sntl_admin_get function in Admin API returns the short name.

After Windows 7 is upgraded to Windows 8, the user is not able to use existing SL licenses or to install new SL licenses.

Workaround: After you upgrade from Windows 7 to Windows 8, reinstall the Run-time Environment.

Sentinel Licensing API: On a computer with the Nvidia chip set GeForce 7025/nForce 630a, and where the CPU is AMD Athlon 64 X2, the hasp_read and hasp_encrypt functions may fail with error 39, HASP_BROKEN_SESSION. This problem only exists with HASP HL keys with Firmware version 3.25.

Workaround 1: On the computer described above, when error 39 is returned, call the hasp_read or hasp_encrypt function again. It is not necessary to call hasp_login again.

Workaround 2: Use Sentinel HL keys with Firmware version 4.2x.

With some new USB chipsets, it is possible that the API hasp_update() call, used to update the firmware of Sentinel HL keys to version 3.25, will generate the HASP_BROKEN_SESSION return code, even if the firmware is correctly updated. (This issue does not occur with Sentinel HL Driverless keys with firmware version 4.x.)

Workaround: Install the latest Run-time Environment. The automatic firmware update feature of the License Manager will automatically update the firmware of the key the first time that the key is connected, without the need to call hasp_update().

For a Java 7 or Java 8 application that is protected with Envelope, the end user must use the following flag when launching the protected application:

• For Java 7: Specify -usesplitverifier
• For Java 8: Specify -noverify

If the appropriate flag is not specified, the application may throw java.verifyerror when launched.

The License Manager fails to load vlibs under Windows 10 when Device Guide is enabled and the Code Integrity policy is set to “enforce”. For more information, see Issues Related to Device Guard and Code Integrity Policies.

Sentinel LDK Vendor Tools fail to load under Windows 10 when Device Guide is enabled and the Code Integrity policy is set to "enforce". An error message is displayed regarding a certain DLL, stating that the DLL is not designed to run on Windows or that the DLL contains an error. For more information, see Issues Related to Device Guard and Code Integrity Policies.

Given the following circumstances at a customer site:

1. One machine has Run-time Environment version 7.51.
2. A second machine has a version of Run-time Environment that is earlier than 7.51.
3. The customer performs rehost of a license repeatedly between the two machines.
4. An update is applied to the license on either of these machines.

A rehost operation sometimes fails with the message HASP_REHOST_ALREADY_APPLIED.

Workaround: Obtain a new SL license from the software vendor for the protected application on the target machine. Before attempting any additional rehost procedure, install the latest Run-time Environment on both machines.