Flexera Software Community Knowledge Base

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Knowledge Base Categories
Summary: A Cross-Site Request Forgery which results in addition of local admin user to lmadmin license server has been identified in FlexNet Publisher lmadmin.exe 11.10.X. Please see the Symptoms section for more details. If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article. This security vulnerability has been assigned the CVE ID number of CVE-2019-8962. Symptoms: The lmadmin license server allows an authorized license administrator to create other local admin users. However, when an admin user is authenticated and authorized by lmadmin in FlexNet Publisher 11.10.X there exists a Cross-Site Request Forgery vulnerability. Because of which an attacker can inherit the identity and privileges of the victim to perform an undesired function on the victim's behalf. In one such reported instance a POST action with valid session resulted into creation of a new local admin user. Resolution: This vulnerability is mitigated in FlexNet Publisher 11.12.1 and later. Such an attack is prevented through a randomized token that gets assigned from the back-end for a specific use-case (in this instance an authorized user wanting to add an admin user), which is then be verified upon receipt of the POST request. An attacker without access to the web front-end of the application typically would not be able to gain access to such token and thus such attacks would fail. The FlexNet Publisher 11.12.1 and later addresses the security vulnerability and is available on Flexera’s Product and License Center.   We advise all FlexNet Publisher customers update lmadmin.exe to FlexNet Publisher 11.12.1 or later.
View full article
Question: How to dictate licensing communication to be prioritize on IPv4 or IPV6 addresses (to be used for communication with client) or use only one of them? Answer: FNP_IP_ENV: This client-side environment variable determines how the client's IP address is presented to the server. • If the variable is set to a value of 0, 4, or 6, the IP address sent to the server is resolved on the client, from the client's hostname, as follows:         • If the variable is set to 0, then the client resolves its hostname to both an IPv4 and an IPv6 address.         • If the variable is set to 4, then the client resolves its hostname only to an IPv4 address.         • If the variable is set to 6, then the client resolves its hostname only to an IPv6 address. • If the variable is set to 1 (default value), the client-side hostname resolution is bypassed. Instead, the client's IP address is determined from the socket connection at the server, which means that a NAT-translated IP address for the client can be obtained. -------------------------------------------------------------------------------------- FNP_IP_PRIORITY: The environment variable FNP_IP_PRIORITY decides the IP priority for hostname resolution, and can apply to the server, the client, or utilities like lmhostid. Values are: • 4 (default): hostname resolution is attempted to IPv4 address first; if that fails, resolution to IPv6 address is attempted. • 6: hostname resolution is attempted to IPv6 address first; if that fails, resolution to IPv4 address is attempted. Examples of when to set to this value:         • on the machine where running lmhostid, if IPv6 address is required from lmhostid ‐internet         • on the client if node-locked IPv6 INTERNET HostID is used         • on the server if IPv6 address is used in the options file or as a server HostID.               Note: IPv4 and IPv6 addresses cannot be mixed on the server. ------------------------------------------------------------------------ Clients send both IPv4 and IPv6 addresses in the checkout message to the server. In some licensing models, it may be desirable for the server to operate on a NAT-translated IP address instead of the client's actual IP address—for example, if using the EXCLUDE keyword in an options file to exclude all clients originating from behind a specific firewall. To enable such use cases, set FNP_IP_ENV=1 on the client. Setting this environment variable prevents the client resolving its own hostname to an IP address, which means the server instead obtains an IP address for the client from the socket connection.
View full article
End User Portal is throwing popup repeatedly to download the "Download Manger" while downloading files although it is already installed and not allowing to download any files from end user portal when downloading using "Download Manager".
View full article
Summary Error Failed to load CLR – Error will occur when installing the setup with PowerShell custom Action or any .net dll Synopsis This information applies to the following InstallShield project types: Basic MSI InstallScript MSI When the installer includes a .NET Installer Class, with any custom action the error will occur InstallShield: Failed to load CLR 궰耂 - error 0x80131700 Cause If the Specific machine doesn’t have the required .net framework is not available   The .NET framework is not properly installed on your system Workaround  If the underlying cause for the error code 0x80131700 is the improper installation of .NET framework on your PC, then the best and easy way to resolve this error is to reinstall it. By default, the built in version of .NET framework in Windows 10 is 3.5 to reinstall this again on your system follow the steps given below: Go to Start menu and type: features in the search box Now Choose the option ‘Turn Windows Features on or off’ and then press Enter After this, look for Microsoft .NET framework 3.5.1 and uncheck the box Once you uncheck it, restart your computer Repeat the step 1 and 2 Now check the box before .NET framework 3.5 Restart your system Now try using the Troubleshooting Wizard. Also you can the other option, In some cases, the below option used to resolve the issue.  Please add the property “IS_CLR_VERSION” in property manager and specify the .net version in the value field EX: In the Value column, enter a semicolon-delimited list of versions. Example: 1.1.4322;1.0.3705 or 2.0.50727 or 4.0.30319 References: https://answers.microsoft.com/en-us/windows/forum/all/error-installing-net-framework-20-error-0x80131700/5a4e32d9-0e71-4566-a487-9a1758fd4ff7?messageId=a9508c2a-00a8-4295-be85-3225b7a1dccd
View full article
Steps to be followed to Block The Error Message Popups
View full article
Summary InstallShield digital signing feature uses a timestamp server from Symantec which is being decommissioned (more details here) and migrated to Digicert. Signing with new Digicert URL causes a breakage in Digital Signing Symptoms When signing an installer with SHA-256 digest, using the new Digicert server (http://timestamp.digicert.com), the resulting installer is signed by SHA-256 digest, but the counter signatures are signed with SHA1 due to an incorrect order in which InstallShield calls the signing APIs Affected InstallShield Versions InstallShield 2015 SP2 InstallShield 2016 SP2 InstallShield 2018 R2 InstallShield 2019 R2 All minor releases of the above releases included Resolution The issue is resolved in a hotfix that can be downloaded from this link. Please note that the hotfix is applicable on the latest service packs of above affected versions. After applying the hotfix, please update Settings.xml file in <InstallShield_InstallPath>/Support/0409 with new URLs Before: <DigitalSignature Timestamp="http://timestamp.verisign.com/scripts/timstamp.dll"/><DigitalSignature TimestampRFC3161="http://sha256timestamp.ws.symantec.com/sha256/timestamp"/> After: <DigitalSignature Timestamp="http://timestamp.digicert.com"/><DigitalSignature TimestampRFC3161="http://timestamp.digicert.com"/> Note: For Japanese, Settings.xml can be found at “<InstallShield_InstallPath>/Support/0411” Additional Information If there are any additional issues, please contact our  Technical Support team
View full article
InstallShield StandAlone Build with Docker Build your own Docker Image with InstallShield SAB  On a machine where Docker is installed, create Folder (eg: ISDockerBuild). Copy InstallShield SAB installer (eg: InstallShield2019R3StandaloneBuild.exe) to the above created folder (i.e ISDockerBuild). Create a file called DockerFile (no extension) inside the above created folder (i.e ISDockerBuild) with the following content or Download the same from here [Dockerfile] # Base Windows Image FROM mcr.microsoft.com/windows:1809 # Change to Root Dir WORKDIR / # Copy InstallShield installer to root ADD InstallShield2019R3StandaloneBuild.exe / # InstallShield installation RUN InstallShield2019R3StandaloneBuild.exe /s /v"INSTALLLEVEL=101 SABCONTAINER=1 /qn" The final folder should look like this:     Launch CMD (Run As Administrator), and navigate to the above created folder (i.e ISDockerBuild) Run the following command to build the Docker image with InstallShield installed: docker build -t installshield-sab-2019r3 --no-cache=true Wait for the build to complete. Once the build is complete run the following command to list the newly created image docker images   License InstallShield SAB  Activate a Node Locked License For activating SAB using a node locked license, you need to manually copy the license file (license.lic) to InstallShield [INSTALLDIR] location: usually C:\Program Files (x86)\InstallShield\<IS-VERSION>\System\ It is also mandatory to create the container with --mac-address option, else the MAC/Physical address will be dynamic each time you create a new container. Open the license file that you want to use for activating InstallShield SAB and copy the MAC address.           Use the same/copied MAC/Physical address to create the container using --mac-address docker run --mac-address <MAC-ADDRESS> <IMAGE> <CMD> (Optional) In case if you want to create container, mount folder and assign MAC address at the same time run the following command: docker run --mac-address <MAC-ADDRESS> -v "<HOST-DIR>:<CONTAINER-DIR>" <IMAGE> <CMD> Where: MAC-ADDRESS : is separated by colon( : ), eg: 00:16:7F:51:03:7D HOST-DIR : folder present in Physical machine/VM CONTAINER-DIR : folder inside the container;  if the folder does not exists it will be automatically create it. The container should be in Exited state in order to copy files to a container. Run the following command to Stop the container: docker stop <CONTAINER-ID/CONTAINER-NAME> After the container is stopped, run the following command to copy the license file (i.e license.lic) to docker container. docker cp license.lic <CONTAINER-ID/CONTAINER-NAME>:C:\Program Files (x86)\InstallShield\<IS-VERSION>\System\ After the license file copy is done, run the following command to Restart the container: docker start <CONTAINER-ID/CONTAINER-NAME>   Activate a Concurrent License Download ini from here. Open and edit ini with your concurrent server details. Where: CC-SERVER - Concurrent Server CC-PORT - Concurrent Server Port Copy ini to InstallShield [INSTALLDIR] location, Usually C:\Program Files (x86)\InstallShield\<IS-VERSION>\System\ If the container is running, you need to stop the container. Run the following command to Stop the container: docker stop <CONTAINER-ID/CONTAINER-NAME> After the container is stopped, run the following command to copy ini file to docker container. docker cp server.ini <CONTAINER-ID/CONTAINER-NAME:C:\Program Files (x86)\InstallShield\<IS-VERSION>\System\ After ini file copy is done successfully, run the following command to Restart the container: docker start <CONTAINER-ID/CONTAINER-NAME>   Downloading a Docker image with pre-installed StandAlone Build You can download a docker image with pre-installed InstallShield 2019 R3 StandAlone build.  docker pull  flexerasoftware/installshield:sab2019r3 Note: By choosing to download the above docker image, you agree to accept the terms and conditions outlined in our End User License Agreement available at https://www.flexera.com/legal/clickthrough   Building InstallShield projects via Docker Container Considering that you already have a Docker image with InstallShield or you are using the Docker image provided by InstallShield. Run the following command to create a container and mount directory in an interactive process docker run -it  -v "<HOST-DIR>:<CONTAINER-DIR>" <IMAGE> <CMD> (Optional) In case if you want to create container, mount folder and assign MAC address at the same time run the following command: docker run -it --mac-address <MAC-ADDRESS> -v "<HOST-DIR>:<CONTAINER-DIR>" <IMAGE> <CMD> Where: MAC-ADDRESS : is separated by colon( : ), eg: 00:16:7F:51:03:7D HOST-DIR : folder present in Physical machine/VM CONTAINER-DIR : folder inside the container;  if the folder does not exists it will be automatically create it. To license InstallShield SAB please refer here. Navigate to C:\Program Files (x86)\InstallShield\2019 SAB\System Run the following command to build your project: IsCmdBld.exe -p "C:\InstallShield Projects\MyAppProject.ism"   Note:  Please refer the following for addition details on the commands used: docker build: https://docs.docker.com/engine/reference/commandline/build/ docker images: https://docs.docker.com/engine/reference/commandline/images/ docker start : https://docs.docker.com/engine/reference/commandline/start/ docker stop : https://docs.docker.com/engine/reference/commandline/stop/ docker cp: https://docs.docker.com/engine/reference/commandline/cp/ docker run: https://docs.docker.com/engine/reference/run/
View full article
Question: Why do EndUser/Portal User roles have Producer Portal permissions?   Answer:  End User permissions are dependent on Producer Portal permission.  Having Producer Portal permissions does not mean users (Customer Users) can access the Producer Portal.  Users with a Portal User role are limited to accessing the End User Portal.  Only Users with a Producer role may access the Producer Portal. For example for View Accounts to work for a Portal User the role needs the regular (Producer Portal) View Accounts permission and the End User Portal View Accounts permission.  
View full article
Question:  How does it work?   Answer: Flexera's Download Manager does not use either ActiveX control or Flash.   The Download Manger checks the Origin HTTP header and validates the security of the download URLs using JSON Web Token Authentication.  Flexera's Download Manager only works with FlexNet Operations. The Download Manager pre-allocates a temporary download file in the installed users Downloads folder. When the file is fully downloaded the temporary file is renamed and may be accessed by the user.    
View full article
When opening a case for FlexNet Operations Cloud, please provide the below information where possible.  Providing this information with your case will help shorten the time to a solution or answer. - URL of your tenant (for example:  https://flex1102-fno.flexnetoperations.com/flexnet/operations/) -  Environment (UAT or Production) -  Description of the problem or question.  What are you trying to accomplish?  What is your desired result? -  Steps to reproduce the problem.  Please provide specific examples. -  Any error messages.  If there are errors, screenshots that include the page URL are very helpful -  Web Service requests, please an example of the XML of the request and response received and the user  that submits the requests -  Reporter, please copy the report into the Shared folder and provide the name of the report
View full article
Summary Network Block or IP whitelist for FlexNet Operations Cloud Synopsis When configuring network security (firewall/proxy) rules customers may want to whitelist the IP addresses needed to connect to FlexNet Operations Cloud. Discussion We recommend whitelisting network blocks instead of individual IP addresses as our IP addresses can potentially change. The network blocks to whitelist are as follows. IPv4 Production/UAT:  64.14.29.0/24 Disaster Recovery:  64.27.162.0/24 IPv6 Production/UAT:  2620:122:f001:1163::/64 Disaster Recovery:  2620:122:f001:1163::1/128 These network blocks are not in use today, but could be used in the future... Production/UAT 162.244.220.0/24 Disaster Recovery 162.244.222.0/24
View full article
Question: Has older HASP (HASP4) dongle support removed from latest version of FNP toolkits? Answer: Starting 11.14.0 we have to enable support for the HASP4 dongles in the daemon configuration file ls_vendor.c (unsigned int ls_flexid9_hasp4_support = 1;) .  After doing that and ensuring that we build the toolkit with additional argument as DONGLE=1, with a clean build, we should be able to start the vendor daemon. 
View full article
Question: Over the years, our customers have had  issues with LSB-loader as described in FNP release documentations. Moreover,  on some recent Linux updates, such as SUSE Enterprise Linux 12, the LSB component is not offered as part of the supported distribution. Components in FlexNet Publisher, such as lmgrd, require the LSB-loader. If this is not present, lmgrd will fail to run with a 'file not found' error (FNP-11338, FNP- 11353) Answer: Starting FNP-11.14 tookit, The   install_fnp.sh   will now issue a warning if it detects LSB is not installed on the host: $ sudo ./install_fnp.sh ... Checking LSB compatibility... *** WARNING: 64-bit LSB packages not installed LSB compatibility checks complete ... FNP utilities will continue to give the   File not found   error. Supplying the   --nolsb   flag to the command will cause fake symlinks to be created to mimic the missing LSB installation: $ sudo ./install_fnp.sh --nolsb ... Checking LSB compatibility... *** WARNING: 64-bit LSB packages not installed Fix attempted by creating symlink for /lib64/ld-lsb-x86-64.so.3 LSB compatibility checks complete ... After which FNP utilities should run ok.
View full article
Summary A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Please see the Symptoms section for more details. If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article. This security vulnerability has been assigned the CVE ID number of CVE-2019-8960 . Symptoms The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually return an unexpected value which leads to an exception being thrown. The end result can be process termination. Resolution The FlexNet Publisher 2019 R3 SP1 (11.16.5.1) addresses the security vulnerability and is available from Flexera’s Product and License Center.   We advise all FlexNet Publisher customers update lmadmin.exe to FlexNet Publisher 11.16.5.1.    
View full article
We have an expert team of professionals available to answer questions and to assist you with technical issues with Flexera products. To contact Flexera Support for technical issues, use our case portal by navigating to the top menu and click Get Support -> Open New Case. NOTE: The online case portal requires the user to be logged into the community and their community login to be associated with an account that has active maintenance. If you do not see this option, please use our phone support. You can contact Support by phone using the toll and toll-free options below. Toll-free numbers only work  within the countries they are listed under. North America* +1 630-332-2513 (toll) +1 877-279-2853 (toll-free in North America) Europe* +44 1925 944367 (toll) +44 800 047 8642 (toll-free in Europe) India* +61 1800 560 603 (toll) 000 800 040 2367 (toll-free in India) Japan +81 3-4540-5335 (select option 2) *Select Option 1 for Product Support or Option 2 for FlexNet Operations Cloud Business Critical Emergencies
View full article
Summary A Denial of Service vulnerability related to stack exhaustion has been identified in FlexNet Publisher lmadmin.exe 11.16.2. Please see the Symptoms section for more details. If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article. This security vulnerability has been assigned the CVE ID number of CVE-2019-8961 . Symptoms Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition. Resolution The FlexNet Publisher 2019 R3 SP1 (11.16.5.1) addresses the security vulnerability and is available from Flexera’s Product and License Center.   We advise all FlexNet Publisher customers update lmadmin.exe to FlexNet Publisher 11.16.5.1.    
View full article
This article provides a Hotfix for InstallAnywhere 2018 SP1.
View full article
Question: ■ what is the hasp_rt.exe ? what is it for ? ■ and when exactly is it required ? ■ WHAT IS THE POINT OF HAVING HASP_RT.EXE ? our tests over a year shows that the dongle works without hasp_rt.exe. Can we skip it, if yes what are the consequences? Answer: 1) what is the hasp_rt.exe ? what is it for ? hasp_rt.exe is the External License Manager for the LDK 7.x or newer protected applications. It is mainly used to handle accessing of local Driverless keys (HL or SL). It will also be able to close any active sessions in case of an application crash. ■and when exactly is it required ? hasp_rt.exe is not technically required, as you could use either the Admin License Manager (hasplms.exe, included with drivers), or the Integrated License Manager (included internally inside of the LDK protected application). ■WHAT IS THE POINT OF HAVING HASP_RT.EXE ? our tests over a year shows that the dongle works without hasp_rt.exe. Can we skip it, if yes what are the consequences? Most times this file is needed if your Enveloped application may crash at exiting of the application. If your protected application is able to work fine without using this hasp_rt.exe, then that is fine too. Consequences for not including that hasp_rt.exe are mainly that you are limited to using either the Admin License Manager or the Internal License Manager. https://sentineltechsupport.gemalto.com/2013/10/ldk-7-0-integrated-license-manager/
View full article
Summary ISEXP: fatal error -7219: Failed to verify digital signature of <> Error -2147467259: Automation error Symptoms This build error usually occurs due to expired, corrupt or missing root certificates on your machine. ISDEV: fatal error -7210: Failed to verify digital signature ISDEV : fatal error -7219: Failed to verify digital signature of C:\Program Files\InstallShield\VERSION\System\IsUiServices.dll Cause The Build Machine Does Not Have Latest currently used root Certificates This is related to the operating system and is generally seen if building on an offline machine or a machine missing the latest root certificate update. Resolution Ensure your Windows Trusted root certificates are up to date: https://support.microsoft.com/en-gb/kb/293781 If your certificate has expired or become corrupted, verify if this is the case by right clicking on C:\Program Files (x86)\InstallShield\VERSION\System\ISUIServices.dll to view the properties - if there is a Warning triangle this needs to be updated replaced. The current certificate is VeriSign Class 3 Public Primary Certification Authority -G5 The certificate is no longer publicly downloadable from VeriSign Website, this particular site no longer exists, since they were aquired by Symantec. Workaround In order to obtain an updated certificate for this Goto https://www.websecurity.digicert.com/theme/roots Locate Root 3 Name: VeriSign Class 3 Public PCA - Generation 5 (G5) Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a Operational Period: Tue, November 08, 2006 to Wed, July 16, 2036 Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5 Change the extension to cer, double click on the file to open the certificate, and click the install button. You should install this certificate to the Trusted Root Certificate Authorities Store. Symantec SHA256 TimeStamping Signer Certificate - G1 Download and install the certificate at the below link: https://symantec.tbs-certificats.com/vsign-universal-root.cer Double click on the file to open the certificate and click the install button. You should install this certificate to the Trusted Root Certificate Authorities Store. Additional Information Symantec - Licensing and Use of Root Certificates https://www.symantec.com/page.jsp?id=roots See also: Windows 8 and Windows Server 2012: How to Open the Certificates Console http://social.technet.microsoft.com/wiki/contents/articles/11497.how-to-open-the-certificates-console-in-windows-8-and-windows-server-2012.aspx Related KB Articles Error -7210</>
View full article
Symptoms: InstallAnywhere digital signing feature uses a timestamp URL from Symantec which is being decommissioned (more details here) and migrated to Digicert. Signing with new Digicert URL causes a breakage in Digital Signing Diagnosis: When signing an installer with SHA-256 digest, using the new Digicert server (http://timestamp.digicert.com), the resulting installer is signed by SHA-256 digest, but the counter signatures are signed with SHA1 due to an incorrect order in which InstallAnywhere calls the signing APIs Affected InstallAnywhere Versions InstallAnywhere 2015 InstallAnywhere 2017 InstallAnywhere 2018 InstallAnywhere 2020 All minor releases of the above releases included Resolution The issue is resolved in a hotfix that can be downloaded from here. Please note that the hotfix is applicable on the latest service packs of above affected versions. Download and extract the contents of the file. Copy x86/IAWinDigiSign.exe to <IA_Install_Location>/resource/nativetools/windows Copy x64/IAWinDigiSign.exe to <IA_Install_Location>/resource/nativetools/windows64 After replacing the above files, in your InstallAnywhere project, navigate to Project à Platforms à Windows à Digital Signing and update the Timestamp server field to http://timestamp.digicert.com Additional Information If there are any additional issues, please contact our  Technical Support team  
View full article