Is FNE supposed to automatically communicate with Gemalto products on startup?

Summary

Is FNE supposed to automatically communicate with Gemalto products on startup?

Question

We discovered that upon creation of a license manager, FlexNet Embedded (FNE) 2017 R1 seems to be communicating with all the Gemalto/SafeNet floating license servers and clients in our building. We need to understand this so we can pass security scans and explain to our customers why we would do this. Preferably, we'd like to be able to disable this communication unless it is serving some useful purpose.

Is Flexera sub-licensing the floating license server technology from Gemalto? Or is this more likely tied to however FNE is doing the hostid search?

If not, we took a Wireshark capture of traffic when we tested by running a command line program we created which just creates a LicenseManager and uses it to list the features from trusted storage. We can see that FNE sends out broadcast UDP packets to port 1947 (hasp), which is answered by 8 PCs. We tracked down the IP addresses of these and they appear to be either license servers or clients of a product which uses Gemalto's floating license server. After this, the FNE machine creates a TCP connection to each machine and posts data to it using HTTP.

They need to at least understand why this traffic is happening before they can ship products that do this. They've indicated it will make subsequent security audits much easier if they can just disable this communication.

Answer

Our FlexNet Publisher (FNP) Engineering team was able to shed some light on this situation. Since FlexNet Embedded (FNE) supports host-ids which use the SafeNet dongles, FNE does have some of FNP's code embedded. It appears FNP is currently setting an option to preclude communications that FNE is probably not setting. FNE Engineering Management indicated we'll look into making that change with FNE going forward, but in the meantime the mechanism below should suffice.

The FNE 2017 R2 XT kit has a new configuration mechanism (slightly enhanced with R3) that allows you (the publisher) to restrict the types of host-id FNE will look up. So, if you aren't using SafeNet dongles, you should disable that host-id type, and you won't see this traffic any more.

The new XT kit configuration mechanism is detailed in the FNE 2017 R2 release notes under "Hostid Filtering and Caching." Here's the blurb:

"By design, whenever a FlexNet Embedded API or method requests the retrieval of hostids on a client device, native libraries attempt to retrieve all available hostids on the device. This detection can take considerable time and cause problems with detection libraries used by certain dongles.

The new Identity Update utility (identityupdateutil) sets up filtering and caching parameters for use during hostid detection on a FlexNet Embedded client device. This configuration is injected into the binary containing the identity data for your FlexNet Embedded client applications and is retrieved whenever a FlexNet Embedded API or method, such as getHostids, is called to detect available hostids on the client device. The configuration helps to reduce hostid retrieval time by limiting the detection process to specific hostid types and (optionally) by caching retrieved hostids for future hostid-detection calls.

This utility supports the configuration of client identities for applications that you create with the FlexNet Embedded C XT, .NET XT, or Java XT SDK. It does not support the configuration of client identities for applications created with the FlexNet Embedded C SDK; nor does it support the configuration of a FlexNet Embedded license server identity."

Bug FNE-11086 has been raised against this. It was initially reported against the Windows Java XT x86-64 Platform and the Red Hat Reference Linux Java XT x86-64 Platform. The issue has been observed on several PCs running 64-bit Windows 7.
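
To confirm from a capture whether a host still produces the pattern described in the question (UDP broadcast to port 1947, replies from other machines, then TCP connections to each responder), for example before and after hostid filtering is applied, flow records can be correlated as below. This is an added example, not Flexera code; the flow-tuple layout, the 30-second correlation window, the function names and every address in the sample data are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

HASP_PORT = 1947         # UDP port named in the question above
FOLLOWUP_WINDOW = 30.0   # seconds after a probe to correlate; assumed value

# Constructed sample flows: (time, proto, src, sport, dst, dport)
SAMPLE_FLOWS = [
    (0.00, "udp", "10.0.5.20", 50112, "10.0.5.255", 1947),  # broadcast probe
    (0.02, "udp", "10.0.5.31", 1947, "10.0.5.20", 50112),   # responder 1
    (0.03, "udp", "10.0.5.44", 1947, "10.0.5.20", 50112),   # responder 2
    (0.40, "tcp", "10.0.5.20", 50200, "10.0.5.31", 1947),   # follow-up TCP
    (0.55, "tcp", "10.0.5.20", 50201, "10.0.5.44", 1947),   # follow-up TCP
    (5.00, "tcp", "10.0.5.20", 50300, "10.0.9.9", 443),     # unrelated TCP
    (9.00, "udp", "10.0.5.77", 53000, "10.0.5.31", 1947),   # unicast, no probe
]

def is_broadcast(dst, subnet):
    """True for the limited broadcast or the subnet's directed broadcast."""
    net = ip_network(subnet)
    return dst == "255.255.255.255" or ip_address(dst) == net.broadcast_address

def find_discovery(flows, subnet):
    """Map each probing host to the peers that answered and were then contacted.

    The TCP step is matched on destination address only, because the page
    does not state which TCP port the follow-up connections use.
    """
    probes = {}   # initiator -> time of its most recent broadcast probe
    report = {}   # initiator -> {"responders": set, "contacted": set}
    for ts, proto, src, sport, dst, dport in sorted(flows):
        if proto == "udp" and dport == HASP_PORT and is_broadcast(dst, subnet):
            probes[src] = ts
            report.setdefault(src, {"responders": set(), "contacted": set()})
        elif proto == "udp" and sport == HASP_PORT and dst in probes:
            if ts - probes[dst] <= FOLLOWUP_WINDOW:
                report[dst]["responders"].add(src)
        elif proto == "tcp" and src in probes:
            in_window = ts - probes[src] <= FOLLOWUP_WINDOW
            if in_window and dst in report[src]["responders"]:
                report[src]["contacted"].add(dst)
    return report

if __name__ == "__main__":
    for host, seen in find_discovery(SAMPLE_FLOWS, "10.0.5.0/24").items():
        print(host, "responders:", sorted(seen["responders"]),
              "contacted:", sorted(seen["contacted"]))
```

An empty result for the host running the FNE application, over a capture that spans LicenseManager creation, indicates the probe is no longer being sent.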