This document provides information regarding the Run-time Environment Installer GUI for Sentinel LDK and Sentinel HASP, including supported operating systems, enhancements, known compatibility issue, and issues resolved. ("Sentinel LDK" is the next generation of Sentinel HASP.)
The following topics are discussed:
Note: Windows 10 Insider Preview builds are not supported.
The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.
The installer detects the version of the operating system at run-time, before installing the relevant drivers.
For a list of the virtual environments supported, see "Supported Platforms for End Users" in the Sentinel LDK Release Notes.
The latest Release Notes can be seen at: http://sentinelldk.gemalto.com/LDKdocs/RN
When using the Installer GUI to upgrade the Run-time Environment, ensure that:
For additional information, see “Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.
The Run-time Environment Installer adds a firewall rule named “Sentinel License Manager” that allowed incoming connections from private networks using port 1947.
You can manually allow access from public networks using this port, but Gemalto highly recommends against this.
If you do plan to allow incoming connections from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.
The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating code integrity policies.
You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.
Code integrity contains two primary components:
This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.
Note: The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.
During installation of the Run-time Environment on your computer, Windows displays a message similar to this: "Your organization used Device Guard to block this app. Contact your support person for more info."
Solution:
To install the Run-time Environment on a machine where Device Guard is enabled in enforce mode (which make use of PcaCertificate level code signing check), ensure that DigiCert is listed/added in the Signers list of the policy file.
Import the DigiCert Intermediate certificate to the trusted list of Intermediate Certification Authorities(ICA) store on the golden computer before creating code integrity policy.
A Digicert Intermediate certificate is available from https://aboutssl.org/digicert-trusted-root-authority-certificates/#intermediates. Under Intermediate Certificates, locate and download the DigiCert EV Code Signing CA (SHA2) certificate. You can also fetch this intermediate certificate from your trusted source.
To add the DigiCert Root Certificate:
Repeat the installation of the Run-time Environment.
(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_vendorID.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.
Workaround A:
This workaround must be performed at the customer site.
Do the following to add an exception for the customized vendor library file in the code integrity policy:
Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396
To create the policy for the exception:
To deploy the policy file:
Workaround B (not recommended):
This workaround must be performed at the customer site.
Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.
To accomplish this, run the following command in Windows PowerShell in elevated mode:Set-RuleOption -FilePath <Policy path> -Option 0 -Delete
(SM-907) Sentinel LDK Vendor Tools fail to load. An error message is displayed, stating that a DLL, LIB, COM, or EXE file is not designed to run on Windows or that the DLL contains an error.
For example:
Workaround A:
Do the following to add a policy for the Sentinel LDK Vendor Tools in the code integrity policy file:
Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396
To create the policy for the Vendor Tools:
To deploy the policy file:
Workaround B (not recommended):
Perform this workaround at your development site.
Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.
To accomplish this, run the following command in Windows PowerShell in elevated mode:Set-RuleOption -FilePath <Policy path> -Option 0 -Delete
No further actions are required.
(SM-18780) When a user creates a Run-time Environment Installer using Sentinel EMS, the digital signature is removed from the Installer. As a result, Device Guard blocks the RTE Installer from executing.
If the vendor downloads the installer as an EXE file and signs it, Device Guard allows the installer to run, but the installation fails due to an unsigned DLL file called by haspdinst.exe.
Workaround:
Perform the procedure that follows.
To work with Sentinel EMS, continue with the following additional steps:
As an alternative, you can use one of the workarounds provided above for issues 2 and 3.
Reference | Description |
---|---|
SM-50889 SM-50902 SM-50900 |
Certain important security issues were resolved. For more information, see the reference to article KB0018794 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/ Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities. As part of the resolution for these issues, Admin Control Center no longer supports importing external language packs (either online or offline). Translated user interface files are included in the RTE installer. The end user now selects the desired language for the interface by clicking the name of the language instead of clicking a country flag image. |
This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.
The revision history for earlier versions of Sentinel Run-time Environment is available at: http://sentinelldk.gemalto.com/Default.htm
Reference | Description |
---|---|
SM-43605 | Sentinel LDK drivers have been repackaged so that significant Windows 10 operating system upgrades will not impact existing SL AdminMode licenses. |
SM-47103 |
The Vlib search path for Runtime Environment versions 7.0 through 7.81 included the following paths:
Support for the \SafeNet Sentinel\Sentinel LDK\ paths was discontinued in version 7.90. To reinstate support for vendors who have been placing their Vlib files in the \SafeNet Sentinel\Sentinel LDK\ directory, upon first use, Run-time Environment version 7.91 or later moves the Vlib files from the \SafeNet Sentinel\Sentinel LDK\ directory to the \Aladdin Shared\HASP\ directory. |
Reference | Description |
---|---|
SM-17431 | The License Manager now supports the use of custom clone protection schemes. |
SM-34308 |
In Admin Control Center, the configuration parameter Allow Remote Access to ACC and Admin API has been split into two independent parameters:
This provide more granular control of access from a remote machine. You can now allow or deny access separately for Admin Control Center and for Admin API. (A corresponding split for configuration parameters was implemented in Sentinel Admin API.) When the License Manager is upgraded to version 7.90, each new parameter is assigned the value that was assigned to the original parameter. As a result, after the upgrade, there is no change in access granted. |
Reference | Description |
---|---|
SM-18163 |
The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:
|
SM-27901 | The revision history of all enhancements implemented and issues resolved for earlier versions of the RTE is now available online at: http://sentinelldk.safenet-inc.com/Default.htm |
SM-30222 SM-30886 |
Several security improvements have been implemented. |
Reference | Description |
---|---|
SM-28148 |
The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 UBS keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later. |
SM-31010 | If the client connected using different IPv6 interfaces, the License Manager would sometimes count the sessions on a machine multiple times. |
Reference | Description |
---|---|
SM-12155 |
If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND. |
SM-18502 | Defining an excessive number of User Restrictions in Admin Control Center would cause the License Manager Service to fail. |
SM-19981 | hasp_update would return an internal error for an HL Key when the license definition contains empty content in the default memory section. |
SM-23609 |
The RTE installer adds a firewall rule (named “Sentinel License Manager”) that, in the past, allowed incoming connections from any network, including public networks, using port 1947. Starting with RTE version 7.80, the firewall rule added by the RTE Installer does not allow incoming connections from public networks. If you are upgrading from an earlier version of RTE, the installer replaces the existing rule (that allows connections from public networks) with a rule that blocks such connections. You can manually allow access using this port from public networks, but Gemalto highly recommends against this. If you do plan to allow access from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access. |
SM-25600 | The Run-Time Environment would require an excessive amount of time to install. |
SM-26543 | Under certain circumstances, Sentinel License Manager would crash on the REST interface with long packets. |
SM-9841 | HASP4 keys would stop working after the Run-time Environment was upgraded to v.7.54. |
Reference | Description |
---|---|
SM-21408 | The Admin Control Center help system was missing information regarding the new “Idle Timeout of Session” configuration parameter. |
SM-23320 | A possible security issue related to License Manager failure due to stack overflow on deep XML data (reported by Kaspersky) has been resolved. |
SM-23402 |
A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved. |
SM-23813 | A possible security issue that was reported by Kaspersky has been resolved. |
Reference | Description |
---|---|
SM-13443 | When a Sentinel HL (HASP configuration) key or HASP HL key is attached to a Windows machine, the Run-time Environment is no longer installed automatically by Windows Update. It is now the software vendor’s responsibility to ensure that the Run-time Environment is installed when required. |
SM-13505 |
In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:
|
SM-14894 |
Admin Control Center now adds the update counter in C2V files in clear text - for example: <update_counter>5</update_counter> |
SM-19483 | Admin Control Center now recognizes the new V2CP format to update protection keys. This supports planned enhancements in Sentinel LDK v.7.8. |
Reference | Description |
---|---|
SM-15922 | Admin Control Center no longer requires the <?xml header in a V2C file. |
SM-17175 |
After system reboot/service restart, an SL AdminMode detached license would disappear from a recipient machine that had no other licenses. |
SM-18015 | On some machines, the License Manager service would start before the Secure Storage driver is loaded. This would cause the Secure Storage to become corrupted. Now, the License Manager service waits for the Secure Storage driver to start. |
SM-18302 | Cancelling a detached SL AdminMode license from the recipient VM machine would fail with the HASP_VM_DETECTED error. |
SM-18502 | In Admin Control Center, defining too many users in the User Restrictions field would cause the License Manager to fail. |
Reference | Description |
---|---|
SM-5318 |
The Run-time Environment now supports the use of the VMType3 clone protection scheme. |
Reference | Description |
---|---|
SM-1286 |
You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase. |
SM-901 |
Admin Control Center (under Windows) can now display and apply updates to local SL UserMode keys. (Session information and certificate information for SL UserMode keys is not displayed.) |
SM-4237 |
To display SL UserMode keys in Admin Control Station, License Manager runs an additional process (hasplmv) on the machine. If you are willing to accept that SL UserMode keys will not be displayed, you have the option to prevent hasplmv from executing by clearing the relevant check box on the Configuration page in Admin Control Center. |
SM-6525 |
In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API. |
Reference | Description |
---|---|
LDK-12145 |
When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application was not able to decrypt the protected data file, no error message was generated to explain why the file cannot be opened. |
SM-513 |
Under Windows 10, a physical machine would be detected as a virtual machine when only Hyper-V Hypervisor is enabled. |
SM-515 | It was possible to rehost a cloned license to another machine. |
SM-518 |
The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on "Recent Clients" and "Recent Users". Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry. |
SM-6102 |
When building a Run-Time Environment installer using Wix, an error message similar to the following was generated: |
SM-942 |
Under certain circumstances, Sentinel LDK License Manager Service would crash. The exception code would map to STATUS_STACK_OVERFLOW in __chkstk API. |
Reference | Description |
---|---|
SM-4748 |
Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:
For more information, see "Configuring User Settings" in the Admin Control Center online help. |
Reference | Description |
---|---|
SM-4942 |
Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved. |
SM-7748 |
When a user issues a "detach license" request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:
Sentinel Admin Control Center online help has been updated to describe these limitations. |
Reference | Description |
---|---|
SM-889 | Run-time Environment is supported under Windows Server 2016. |
Reference | Description |
---|---|
SM-2090 |
Installation of a rebranded RTE would fail when the account name contains multi-byte characters (such as Japanese). The install log would contain an error similar to the following:
|
SM-2957 |
The decrypt function in the HASP4 API would give incorrect results after RTE 7.52 or 7.53 was installed. |
SM-3767 | After installation of RTE 7.53, hasplms was unreachable to remote clients. The RTE installer did not add the firewall rule to allow Sentinel License Manager Service. |
Reference | Description |
---|---|
SM-1201 |
Given the following scenario:
The update would return a status of OK even though the update fails. |
SM-1549 |
Given the following scenario:
The update would return a status of OK even though the update fails. |
Reference | Description |
---|---|
LDK-15786 |
The Features page in Admin Control Center now displays the peak number of consumed seats per Feature. The peak number is based on the current License Manager session. For each Feature, the peak number value is displayed as a tool tip for the seats value under the Logins column. This information enables end users and organizations to determine if the number of seats purchased is suitable for their needs. |
SM-815 |
The Run-time Environment can now be installed under Windows 10 when Device Guard is enabled. |
Reference | Description |
---|---|
SM-498 |
A Sentinel HL (HASP configuration) key would not be accessible by the protected application under the following circumstances: The following conditions exist:
The following actions are performed:
The HL key would not be accessible. |
SM-504 |
When using RTE 7.51, a Stop error (BSoD) would occur when the protected application attempted to retrieve the serial number of the disk drive that uses Intel RAID drivers. |
SM-528 |
Under certain circumstances, the uninstall of the Run-time Environment on a Windows 8 machine would fail. |
SM-537 |
The uninstall of the Run-time Environment would not provide proper notification if it failed to remove all necessary files. The uninstall process now provides a detailed list of any files that it fails to remove and advises the user to remove the files manually. |
SM-824 |
During the installation of a rebranded Run-time Environment using the -v flag ( |
SM-830 |
Given the following circumstances.
The Run-time Environment would be automatically reinstalled. Now, the Run-time Environment is not installed under these circumstances. |
Reference | Description |
---|---|
LDK-13933 | When installing Sentinel LDK Run-time Environment v7.41 or later under Windows 10 (x86), the file hlvdd.dll was not installed. As a result, the protected application would fail. |
LDK-16215 | Each time the end user would connect a Sentinel HL (Driverless configuration) key to a different USB port on a Windows machine, the Driver Software Installation message box would indicate that a restart was required. |
LDK-16443 |
Given the following circumstances:
Instead of generating an error message and rejecting the update, the License Manager would generate the error message and then remove the original SL AdminMode license from the machine. (The license would be restored when the License Manager was restarted.) |
Reference | Description |
---|---|
LDK-12479 |
Given the following circumstances:
|
LDK-12860 | When a fully-qualified domain name (FQDN) was provided in the login scope using a character set outside the Windows code page, the login would fail with error code 50 (Scope Result Empty). |
LDK-13136 | Sentinel Licensing API would identify a Max Micro key as a Max key under certain circumstances. |
LDK-13455 |
Given the following circumstances:
|
LDK-13926 | The branded RTE Installer that is generated by Sentinel EMS did not copy the haspvlib correctly to /var/hasplm/. As a result, when hasp_update attempted to apply a V2C file, error 48 was generated. |
LDK-14274 |
Given the following circumstances:
|
LDK-14280 | HASP HL keys are not recognized correctly by the License Manager when keys from two or more vendors are connected to a given machine. |
LDK-14805 | The Run-time Environment did not support RAID controllers that create symbolic links as \Device\RaidPort. |
LDK-15306 | On the Diagnostics page of Admin Control Center, the Requests counter would count a request to local licenses as a remote request. |
LDK-15307 |
Given the following circumstances:
|
LDK-15857 |
Given the following circumstances:
|
LDK-16113 | When a V2C file to clear the “cloned” status of an SL Legacy license was applied, The “clear clone” operation was not applied correctly until the user restarted the machine. |
LDK-16215 | Driver software was reinstalled and the end user was prompted to restart the machine each time an HL (Driverless configuration) key was connected to a differed USB port on the machine. |
Reference | Description |
---|---|
SM-36385 |
After Windows 7 is upgraded to Windows 8, the user is not able to use existing SL licenses or to install new SL licenses. Workaround: After you upgrade from Windows 7 to Windows 8, reinstall the Run-time Environment. |
SM-20626 |
When installing the RTE on a machine where Fabula Tech USB over Network is installed, installation of the RTE hangs. Workaround: Disconnect the HL key before running the RTE installer. |
SM-907 |
Sentinel LDK Vendor Tools fail to load under Windows 10 when Device Guard is enabled and the Code Integrity policy is set to "enforce". An error message is displayed regarding a certain DLL, stating that the DLL is not designed to run on Windows or that the DLL contains an error. For more information, see Issues Related to Device Guard and Code Integrity Policies. |
LDK-17302 LDK-13953 LDK-14971 |
Given the following circumstances at a customer site:
A rehost operation sometimes fails with the message HASP_REHOST_ALREADY_APPLIED. Workaround: Obtain a new SL license from the software vendor for the protected application on the target machine. Before attempting any additional rehost procedure, install the latest Run-time Environment on both machines. |
LDK-17267 |
The License Manager fails to load vlibs under Windows 10 when Device Guard is enabled and the Code Integrity policy is set to “enforce”. For more information, see Issues Related to Device Guard and Code Integrity Policies. |
LDK-8480 |
With some new USB chipsets, it is possible that the API hasp_update() call, used to update the firmware of Sentinel HL keys to version 3.25, will generate the HASP_BROKEN_SESSION return code, even if the firmware is correctly updated. (This issue does not occur with Sentinel HL Driverless keys with firmware version 4.x.) Workaround: Install the latest Run-time Environment. The automatic firmware update feature of the License Manager will automatically update the firmware of the key the first time that the key is connected, without the need to call hasp_update(). |
LDK-2471 |
Sentinel Licensing API: On a computer with the Nvidia chip set GeForce 7025/nForce 630a, and where the CPU is AMD Athlon 64 X2, the hasp_read and hasp_encrypt functions may fail with error 39, HASP_BROKEN_SESSION. This problem only exists with HASP HL keys with Firmware version 3.25. Workaround 1: On the computer described above, when error 39 is returned, call the hasp_read or hasp_encrypt function again. It is not necessary to call hasp_login again. Workaround 2: Use Sentinel HL keys with Firmware version 4.2x. |
12506 |
Sentinel LDK communicates via TCP and UDP on port 1947. This port is IANA-registered exclusively for this purpose. At the end user site, the firewall must be configured so that communication via this port is not blocked. |
© Gemalto 2019. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries.