Sentinel® LDK and Sentinel HASP® Run-time Environment Command-line Installer for Windows: Readme

Version 8.11

May 2020


This document provides information regarding the Run-time Environment Command-line Installer for Sentinel HASP and Sentinel LDK, including enhancements and limitations. Using this installer, you can use HASP4, Hardlock, Sentinel HL, Sentinel HASP, and Sentinel LDK under any of the supported operating systems. ("Sentinel LDK" is the next generation of Sentinel HASP.)

The following topics are discussed:

>Operating Systems Supported

>Virtual Environments Supported

>Upgrading the Run-time Environment

>Installing the Run-time Environment

>Allowing Incoming Connections From Public Networks Using Port 1947

>Issues Related to Device Guard and Code Integrity Policies

>Enhancements and Issues Resolved in This Release

>Revision History

>Known Issues

Operating Systems Supported

> Windows 7 SP1

> Windows 8.1 SP1

> Windows Server 2008 R2 SP1

> Windows Server 2012 R2

>Windows Server 2016

>Windows Server 2019

>Windows 10 IoT Enterprise 2019 LTSC

>Windows 10 Version 2004

NOTE   Windows 10 Insider Preview builds are not supported.

The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.

The installer detects the version of the operating system at run-time, before installing the relevant drivers.

Virtual Environments Supported

For a list of the virtual environments supported, see "Supported Platforms for End Users" in the Sentinel LDK Release Notes.

The latest Release Notes can be seen at: https://docs.sentinel.gemalto.com/ldk/LDKdocs/RN

Back to top

Upgrading the Run-time Environment

>When upgrading the Run-time Environment, ensure that it is not currently being accessed (for example: by closing all applications). Although the installation program can terminate applications that are accessing the Run-time, it cannot terminate running services.

>If you are running HASP License Manager (HASP4 and HASP HL legacy License Manager) as a service, you must stop the License Manager before proceeding with the installation.

Back to top

Installing the Run-time Environment

>Type haspdinst.exe -? for command-line help.

>To use Sentinel EMS to produce Run-time Environment installers in the Sentinel LDK v.6.0 or later environment, overwrite the haspdinst.exe file in
%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel EMS\EMSServer\webapps\ems\haspTools\ with the file in this package. (For Win32 systems, go to %ProgramFiles%\...)

>A log file of the installation process is written to aksdrvsetup.log in the Windows directory.

NOTE   By default, Windows displays a User Account Control message during driver installation. Users must click Continue to continue the installation. Alternatively, users can change the default setting from the Control Panel of their operating system.

For additional information, see the topic “Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.

Back to top

Allowing Incoming Connections From Public Networks Using Port 1947

The Run-time Environment Installer adds a firewall rule named “Sentinel License Manager” that allowed incoming connections from private networks using port 1947.

You can manually allow access from public networks using this port, but Gemalto highly recommends against this.

If you do plan to allow incoming connections from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

Back to top

Issues Related to Device Guard and Code Integrity Policies

The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating code integrity policies.

You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.

Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

Code integrity contains two primary components:

> kernel mode code integrity (KMCI)

> user mode code integrity (UMCI)

This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.

NOTE   The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.

Issue 1: Windows blocks the installation of the Run-time Environment

During installation of the Run-time Environment on your computer, Windows displays a message similar to this: "Your organization used Device Guard to block this app. Contact your support person for more info."

Solution:

To install the Run-time Environment on a machine where Device Guard is enabled in enforce mode (which make use of PcaCertificate level code signing check), ensure that DigiCert is listed/added in the Signers list of the policy file.

Import the DigiCert Intermediate certificate to the trusted list of Intermediate Certification Authorities(ICA) store on the golden computer before creating code integrity policy.

A Digicert Intermediate certificate is available from https://aboutssl.org/digicert-trusted-root-authority-certificates/#intermediates. Under Intermediate Certificates, locate and download the DigiCert EV Code Signing CA (SHA2) certificate. You can also fetch this intermediate certificate from your trusted source.

To add the DigiCert Root Certificate

1.Download the certificate on the golden computer and double-click the certificate file. The Certificate dialog box is displayed.

2.Click Install Certificate. Follow the Certificate Install Wizard to complete the import of this certificate to the ICA store.

3.Run the steps to create a new or updated policy. This will allow Sentinel software to be installed without any issues on a machine where Device Guard is enabled.

Repeat the installation of the Run-time Environment.

Issue 2: Protected application does not operate at the customer site

(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_vendorID.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.

Workaround A:

This workaround must be performed at the customer site.

Do the following to add an exception for the customized vendor library file in the code integrity policy:

1.Use Windows PowerShell in elevated mode to create a policy for the exception.

2.Use the Group Policy editor to deploy the policy file.

Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396

To create the policy for the exception

1. Open PowerShell in elevated mode.

2. Run the command to create a policy (referred to below as P1) in audit mode.

3. Deploy this policy.

4.Operate the protected application as you would normally.

5. Create another policy (referred to as P2) that captures audit information from the events log.

NOTE   Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the protected application. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.

6. Merge policies P1 and P2.

7. Disable audit mode.

8. Deploy the merged policy.

To deploy the policy file

1. Open the Group Policy editor by running GPEdit.msc.

2. Navigate to: Computer Configuration\Administrative Templates\System\Device Guard

3.Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

This workaround must be performed at the customer site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:

Set-RuleOption -FilePath <Policy path> -Option 0 -Delete

Issue 3: Vendor Tools fail to load

(SM-907) Sentinel LDK Vendor Tools fail to load. An error message is displayed, stating that a DLL, LIB, COM, or EXE file is not designed to run on Windows or that the DLL contains an error.

For example:

Device Guard Error Message

Workaround A:

Do the following to add a policy for the Sentinel LDK Vendor Tools in the code integrity policy file:

1.Use Windows PowerShell in elevated mode to create a policy for the Vendor Tools.

2.Use the Group Policy editor to deploy the policy file.

Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396

To create the policy for the Vendor Tools

1. Open PowerShell in elevated mode.

2. Run the command to create a policy (referred to below as P1) in audit mode.

3. Deploy this policy.

4. Execute all of the Vendor Tools that you will require at your site and perform all of the functions in these tools that you will require. If you miss any required Vendor Tools or Vendor Tool functions, the required entries will not be added in the new code integrity policy, and these tools or functions will generate an error message when they are eventually used.

5. Create another policy (referred to as P2) that captures audit information from the events log.

NOTE   Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the Vendor Tools. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.

6. Merge policies P1 and P2.

7. Disable audit mode.

8. Deploy the merged policy.

To deploy the policy file

1. Open the Group Policy editor by running GPEdit.msc.

2. Navigate to: Computer Configuration\Administrative Templates\System\Device Guard

3.Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

Perform this workaround at your development site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:

Set-RuleOption -FilePath <Policy path> -Option 0 -Delete

No further actions are required.

Issue 4: Digital signature removed from the RTE Installer

(SM-18780) When a user creates a Run-time Environment Installer using Sentinel EMS, the digital signature is removed from the Installer. As a result, Device Guard blocks the RTE Installer from executing.

If the vendor downloads the installer as an EXE file and signs it, Device Guard allows the installer to run, but the installation fails due to an unsigned DLL file called by haspdinst.exe.

Workaround:

Perform the procedure that follows.

1.Download the Run-time Environment Installer from the following URL in the Gemalto web site:

https://sentinelcustomer.gemalto.com/sentineldownloads/

2.Use the downloaded Installer to install the Run-time Environment.

3.Place a copy of the Vendor library (haspvlib_vendorID.*) in: %CommonProgramFiles(x86)%\Aladdin Shared\HASP\

(On a 32-bit machine, place the Vendor library in: %CommonProgramFiles%\Aladdin Shared\HASP\)

To work with Sentinel EMS, continue with the following additional steps:

4.In a Web browser, enter the following to start Admin Control Center: http://localhost:1947

5.On the Configuring Network Settings page, in the EMS URL field, enter the URL to access the Sentinel EMS Service.

6.Click Submit.

7.Proceed to work with Sentinel EMS as required.

As an alternative, you can use one of the workarounds provided above for issues 2 and 3.

Back to top

Enhancements and Issues Resolved in This Release

Enhancements in Version 8.11

Reference Description

SM-7201

This release of Sentinel LDK Run-time Environment introduces cloud licensing to serve network license seats to remote machines over the Internet. A remote machine with the required identity information will be able to consume a network seat or detach a license from the license server machine. The license server machine can be hosted on a cloud server either by the software vendor (for all customers) or by the individual customers for users in their organizations.

Issues Resolved in Version 8.11

Reference Description
SM-63276 Allocation of network seats from a remote License Manager with duplicate Features has been optimized.
SM-60133

A guest on Hyper-V was recognized by Admin Control Center as a virtual PC rather than as a Hyper-V guest.

SM-71776 When an update to a 6.x Firmware key contains a large number of Features, a timeout would occur.
SM-73072
SM-73074
"Denial of Service" vulnerabilities were resolved.

Back to top

Revision History

This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.

The revision history for earlier versions of Sentinel Run-time Environment is available at: https://docs.sentinel.gemalto.com/ldk/LDKdocs/RTE_History/Default.htm

Enhancements in Version 7.103

Reference Description

SM-51158

Admin API now supports the use of HTTPS for communication with a remote Admin License Manager.

SM-12702

A local or remote user can now use the "Sentinel Keys Available" page of Admin Control Center (instead of the RUS utility) to generate a fingerprint.

Note: For Linux or Mac (where Admin Control Center is available), only SL AdminMode fingerprints can be generated.

Issues Resolved in Version 7.103

Reference Description

SM-66308

Certain important security issues were resolved. For more information, see the reference to article KB0020564 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Vladimir Dashchenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

Issues Resolved in Version 7.102

Reference Description

SM-26322

Certain important security issues were resolved. For more information, see the reference to article KB0020199 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

SM-62256 Under certain circumstances, it was possible to misuse detached licenses.
SM-64937 When Sentinel EMS was used to create an RTE Installer after the Master Wizard was used multiple times to introduce Vendor keys, the vendor libraries included with the RTE Installer would have an incorrect date.
SM-65371 The GUI-based RTE Installer would display an error screen when a .properties file existed in SysWOW64.

Enhancements in Version 7.101

Reference Description
SM-61960

The Run-time Environment now supports controlling the generation of the License Manager ID files. This is done using the Enable Detaching of Licenses configuration check box in Admin Control Center. When selected, the License Manager generates ID files. When cleared, the License Manager stops generating any new ID files. However, the existing ID files are retained.

By default, the Enable Detaching of Licenses check box is cleared.

Issues Resolved in Version 7.101

Reference Description
SM-62902

Certain important security issues were resolved. For more information, see the reference to article KB0020074 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks the Blizzard Red Team for responsible disclosure of these vulnerabilities.

Enhancements in Version 7.100

Reference Description
SM-47546 The Run-time Environment now supports the ability of the Licensing API to check remaining idle time before a protection key login session is terminated. Checking the remaining idle time does not reset the session.
SM-50812 The Run-time Environment now supports improved protection against the misuse of computer restoration software (such as Deep Freeze).
SM-7269 SM-54601 The Run-time Environment now supports protecting applications that run in a Docker container. The scheme VMType4 is supported for clone protection.

Issues Resolved in Version 7.100

Reference Description
SM-49346 Under certain circumstances, the License Manager would generate a false-positive report of a virtual machine because some components of the Deep Freeze product were present on the machine.
SM-56397

Given the following circumstances:

>A license for a Product is detached from a customer's license server and applied on a different machine

>In Sentinel EMS, the original entitlement for the Product is copied and used to create an update to the Product. The update is applied to the license server machine.

>The detached license is canceled and returned to the license server.

The number of available seats of the Product on the license server would not reflect that the license had been returned.

SM-57376 In certain situations, an SL license would disappear after system reboot.
SM-56723 When a machine was restored from sleep mode, a USB sharing violation error would occur if a HASP HL key was plugged into a USB HUB with an independent power supply.

Issues Resolved in Version 7.92

Reference Description
SM-50889 SM-50902 SM-50900

Certain important security issues were resolved. For more information, see the reference to article KB0018794 in the Gemalto Security Updates page: https://sentinel.gemalto.com/technical-support/security-updates-sm/

Gemalto acknowledges and thanks Artem Zinenko from Kaspersky Lab ICS CERT for responsible disclosure of these vulnerabilities.

As part of the resolution for these issues, Admin Control Center no longer supports importing external language packs (either online or offline). Translated user interface files are included in the RTE installer. The end user now selects the desired language for the interface by clicking the name of the language instead of clicking a country flag image.

Issues Resolved in Version 7.91

Reference Description
SM-43605 Sentinel LDK drivers have been repackaged so that significant Windows 10 operating system upgrades will not impact existing SL AdminMode licenses.
SM-47103

The Vlib search path for Runtime Environment versions 7.0 through 7.81 included the following paths:

>For Windows x64:

%CommonProgramFiles(x86)%\SafeNet Sentinel\Sentinel LDK\

%CommonProgramFiles(x86)%\Aladdin Shared\HASP\

>For Windows x86:

%CommonProgramFiles%\SafeNet Sentinel\Sentinel LDK\

%CommonProgramFiles%\Aladdin Shared\HASP\

Support for the \SafeNet Sentinel\Sentinel LDK\ paths was discontinued in version 7.90.

To reinstate support for vendors who have been placing their Vlib files in the \SafeNet Sentinel\Sentinel LDK\ directory, upon first use, Run-time Environment version 7.91 or later moves the Vlib files from the \SafeNet Sentinel\Sentinel LDK\ directory to the \Aladdin Shared\HASP\ directory.

Enhancements in Version 7.90

Reference Description
SM-17431 The License Manager now supports the use of custom clone protection schemes.
SM-34308

In Admin Control Center, the configuration parameter Allow Remote Access to ACC and Admin API has been split into two independent parameters:

>Allow Remote Access to ACC

>Allow Remote Access to Admin API

This provide more granular control of access from a remote machine. You can now allow or deny access separately for Admin Control Center and for Admin API. (A corresponding split for configuration parameters was implemented in Sentinel Admin API.)

When the License Manager is upgraded to version 7.90, each new parameter is assigned the value that was assigned to the original parameter. As a result, after the upgrade, there is no change in access granted.

Enhancements in Version 7.81

Reference Description
SM-18163

The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:

>Installation of the RTE has succeeded. No restart is required.

>Installation of the RTE cannot complete due to a lock on a required file. The RTE Installer attempts to rename the locked file in the background. If it succeeds, the installation will continue. If the rename attempt fails, the installer returns error 52. At this point, your code can call the new RTE Installer API function haspds_GetLockingProcessList to get the locking process name. You can then release the locked file and restart the RTE Installer.

SM-27901 The revision history of all enhancements implemented and issues resolved for earlier versions of the RTE is now available online at: https://docs.sentinel.gemalto.com/ldk/home.htm
SM-30222
SM-30886

Several security improvements have been implemented.

Issues Resolved in Version 7.81

Reference Description
SM-28148

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 UBS keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

SM-31010 If the client connected using different IPv6 interfaces, the License Manager would sometimes count the sessions on a machine multiple times.

Issues Resolved in Version 7.80

Reference Description
SM-12155

If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.

SM-18502 Defining an excessive number of User Restrictions in Admin Control Center would cause the License Manager Service to fail.
SM-19981 hasp_update would return an internal error for an HL Key when the license definition contains empty content in the default memory section.
SM-23609

The RTE installer adds a firewall rule (named “Sentinel License Manager”) that, in the past, allowed incoming connections from any network, including public networks, using port 1947. Starting with RTE version 7.80, the firewall rule added by the RTE Installer does not allow incoming connections from public networks. If you are upgrading from an earlier version of RTE, the installer replaces the existing rule (that allows connections from public networks) with a rule that blocks such connections.

You can manually allow access using this port from public networks, but Gemalto highly recommends against this.

If you do plan to allow access from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

SM-25600 The Run-Time Environment would require an excessive amount of time to install.
SM-26543 Under certain circumstances, Sentinel License Manager would crash on the REST interface with long packets.
SM-9841 HASP4 keys would stop working after the Run-time Environment was upgraded to  v.7.54.

Back to top

Known Issues

Reference Description
SM-70131

The Sentinel LDK License Manager (process hasplms.exe) hangs intermittently and reaches a very high CPU utilization (approximately 1.9 GB).

Workaround: Protect the application using the latest API libraries and, if the RTE is required on the end user's machine, upgrade to the most recent RTE.

SM-68016

After you upgrade the Run-time Environment, Admin Control Center might show a dummy key id for Key type - "HASP Placeholder"

Workaround: Refresh Admin Control Center.

SM-36385

After Windows 7 is upgraded to Windows 8, the user is not able to use existing SL licenses or to install new SL licenses.

Workaround: After you upgrade from Windows 7 to Windows 8, reinstall the Run-time Environment.

SM-20626

When installing the RTE on a machine where Fabula Tech USB over Network is installed, installation of the RTE hangs.

Workaround: Disconnect the HL key before running the RTE installer.

SM-907

Sentinel LDK Vendor Tools fail to load under Windows 10 when Device Guard is enabled and the Code Integrity policy is set to "enforce". An error message is displayed regarding a certain DLL, stating that the DLL is not designed to run on Windows or that the DLL contains an error. For more information, see Issues Related to Device Guard and Code Integrity Policies.

LDK-17302

LDK-13953

LDK-14971

Given the following circumstances at a customer site:

1. One machine has Run-time Environment version 7.51.

2. A second machine has a version of Run-time Environment that is earlier than 7.51.

3. The customer performs rehost of a license repeatedly between the two machines.

4. An update is applied to the license on either of these machines.

A rehost operation sometimes fails with the message HASP_REHOST_ALREADY_APPLIED.

Workaround: Obtain a new SL license from the software vendor for the protected application on the target machine. Before attempting any additional rehost procedure, install the latest Run-time Environment on both machines.

LDK-17267

The License Manager fails to load vlibs under Windows 10 when Device Guard is enabled and the Code Integrity policy is set to “enforce”. For more information, see Issues Related to Device Guard and Code Integrity Policies.

LDK-8480

With some new USB chipsets, it is possible that the API hasp_update() call, used to update the firmware of Sentinel HL keys to version 3.25, will generate the HASP_BROKEN_SESSION return code, even if the firmware is correctly updated. (This issue does not occur with Sentinel HL Driverless keys with firmware version 4.x.)

Workaround: Install the latest Run-time Environment. The automatic firmware update feature of the License Manager will automatically update the firmware of the key the first time that the key is connected, without the need to call hasp_update().

LDK-2471

Sentinel Licensing API: On a computer with the Nvidia chip set GeForce 7025/nForce 630a, and where the CPU is AMD Athlon 64 X2, the hasp_read and hasp_encrypt functions may fail with error 39, HASP_BROKEN_SESSION. This problem only exists with HASP HL keys with Firmware version 3.25.

Workaround 1: On the computer described above, when error 39 is returned, call the hasp_read or hasp_encrypt function again. It is not necessary to call hasp_login again.

Workaround 2: Use Sentinel HL keys with Firmware version 4.2x.

12506

Sentinel LDK communicates via TCP and UDP on port 1947. This port is IANA-registered exclusively for this purpose. At the end user site, the firewall must be configured so that communication via this port is not blocked.

Back to top

Copyright © 2020 Thales Group. All rights reserved.

DocID 129 Revision 2005-3