Summary Is is possible to use Short Code Transactions to activate Server Side Trusted Storage? Question Is is possible to use Short Code Transactions to activate Server Side Trusted Storage? Answer No it is not possible to perform Server Side Trusted Storage Activations using ?Short Code? transactions due to the limited information that can be transmitted in this format and the complexity of such requests. This is confirmed by this extract from the TS Programming & Reference Guide (P37 of 11.13 fnp_PR-TS.pdf) ? Normal transactions use XML formatted messages. These are transmitted either as a data stream (without end-user intervention) or as a files (with end-user intervention). When a network connection is unavailable or the XML documents are too large, you can transmit the messages using request and response codes. These transactions are referred to as short-code transactions because the request and response message is encoded as a numeric value. They are available for transactions only between a FlexEnabled client and an activation server. Typically, this type of transaction is used for telephone transactions either with a customer service representative or using automated touch tone telephony. In order to activate Server Side TS you would therefore need to use the XML file transfer method referenced above. ... View more

Summary The error "invalid license key (inconsistent authentication code)" is seen (when running with older applications into new server) when building toolkit with 11.13.1 despite all correct steps being followed. Symptoms The error "invalid license key (inconsistent authentication code)" is seen (when running with older applications into new server) after building toolkit with 11.13.1 despite all the correct steps being followed. Cause When building the toolkit or client application there are two options to use when linking in the 'lmgr' library - lmgr.lib & lmgr_trl.lib. The former includes all the code you need for backward compatibility, whilst the latter only includes the 'TRL' code -the reason being that if you don't need backward compatibility then it is more secure to use the trl version as this closes an option that hackers could use to attack the security via the older code. Up to version 11.13.0.3 the default option in the makefile was lmgr.lib(for backward compatibility), whilst with the new release (11.13.1) the default is lmgr_trl.lib (for better security). The outcome is that if you need backward compatibility then you need to edit the makefile to 'undo' these changes - Resolution - Open the makefile in a text editor - Search for instances of 'lmgr_trl' and change them to 'lmgr' - This will require changes on lines 50 (change to 'LMGRNAME='), 118, 120, 149 & 189 - Alternatively use the makefile from the older version (11.13.0.x) but add 'Shlwapi.lib' and dhcpcsvc.lib to the end of the list for XTRALIB1 on line 89 XTRALIB1 = oldnames.lib kernel32.lib user32.lib netapi32.lib \ advapi32.lib gdi32.lib comdlg32.lib comctl32.lib wsock32.lib shell32.lib \ Rpcrt4.lib oleaut32.lib Ole32.lib Wbemuuid.lib wintrust.lib crypt32.lib Ws2_32.lib psapi.lib Shlwapi.lib dhcpcsvc.lib Update - For the 11.14 version the lines that would need editing are - Windows 32 bit - 50 (change to 'LMGRNAME='), 137, 139, 174 & 214 Windows 64 bit - 48 (change to 'LMGRNAME='), 136, 138, 173 & 213 Linux 64 bit - 86, 167, 171, 172, 175 & 178. Update 2 - For the 11.14.1 version the lines that would need editing are - Windows 32 bit - 50 (change to 'LMGRNAME='), 141, 143, 178 & 218 Windows 64 bit - 48 (change to 'LMGRNAME='), 140, 142, 177 & 217 Linux 64 bit - As above ... View more

Summary What is the correct format for specifying multiple IP addresses when using them as hostids in a FEATURE/INCREMENT line. Question What is the correct format for specifying multiple IP addresses when using them as hostids in a FEATURE/INCREMENT line. Answer The format for specifying a single MAC host id is - - HOSTID 28d2443e5fa6 and the format for specifying multiple MAC host ids is - HOSTID="28d2443e5fa6 5c514f936bdd" However because the format for specifying a single IP address as a hostid is - - HOSTID=INTERNET=10.50.0.78 the format for specifying multiple IP addresses is - HOSTID="INTERNET=10.50.0.78 INTERNET=10.50.0.79" And it would be a similar format for specifying multiple hostids of different types. ... View more

Summary Is The Vendor Name included In The License File Signature Question In a FlexNet Publisher Certificate License File, does the vendor name get included in the digital signature? That means that if the vendor name is edited will the signature (SIGN) change? - tests seem to show that it does not. Answer This is an expected behavior if: 1. Same seeds (LM_SEEDs and ENCRYPTION_SEEDs) were used for both vendor toolkits. 2. Same LM_STRENGTHs were used in both Vendor toolkits. Unfortunately vendor name is not part of the signature encryption. ... View more

Summary The error Version of vendor daemon is too old. (-83,21049:104 "Connection reset by peer") is seen after upgrading the Flex Enabled Client. Symptoms Errors similar to: 9:35:08 (flexera) Request denied: Client (11.14) newer than Vendor Daemon (11.13). (Version of vendor daemon is too old. (-83,21049:104 "Connection reset by peer")) are seen after upgrading the FlexNet Publisher version of the client application. Cause The version compatibility rules regarding FlexNet Publisher elements are defined in the Version Compatibility Between Components section of the FlexNet Publisher License Administration Guide. Version Compatibility Between Components In general, always use the latest version of lmadmin, lmgrd, lmutil, and lmtools, all of which are available from Revenera, to exploit the enhancements available in the most recent versions of FlexNet Licensing. However, some enhancements require a vendor daemon built with a newer version of FlexNet Publisher, and yet others require a FlexEnabled application built with a newer version of FlexNet Publisher. Contact your software publisher for the latest version of their vendor daemon. The rules about FlexNet Licensing component version compatibility are summarized as: Version of lmutil/lmtools must be >= Version of lmadmin (or lmgrd), which must be >= Note: lmadmin can only be used with components with a version of 9.2 or later. Version of vendor daemon, which must be >= Version of the client library linked to the FlexEnabled application, which must be >= Activation utility, which must be >= Version of license file format Except for the license file, use lmver to discover the version of all these components. For the vendor daemon, lmgrd, and lmutil, you can also use the -v argument to print the version. The 'error' message reported was introduced in version 11.12.1.2 when FlexNet Publisher was upgraded to enforce this rule. This is an extract from the release notes: Version Compatibility The FlexNet Publisher support statement is: version (vendor daemon) >= version (client) . Previously, the license server did not verify the version of FlexNet Publisher client during checkout process, when the client version was greater than the server version. This could result in misleading errors, making it difficult to determine that the root cause was that the vendor daemon had not been upgraded. Now, when a checkout request is sent by a client that has FlexNet Publisher version greater than vendor daemon then error -83 (LM_SERVOLDVER) will be returned. Resolution Upgrade the license server elements to at least the same version as the client application ... View more

Summary How to query the allowed borrow period from the license server without checking out the license Question How to query the allowed borrow period from the license server without checking out the license Answer Attached is a sample application (based on the lmflex.c sample), lmflex.c_borrow_details, that shows how to list the contents of the license file showing the borrow time without any checkout. This is a sample output - C:\Program Files (x86)\Flexera\FNP\Flexera 11.14\i86_n3>lmflex Feature f1 has 1 count :Borrow = 0 Feature f2 has 1 count :Borrow = 168 Feature f3 has 1 count :Borrow = 24 Feature f4 has 1 count :Borrow = 48 press return to exit... NB f1 - no borrow, f2 - default borrow, f3 - 24 hour borrow, f4 - 48 hour borrow ... View more

Summary Analysis of Certificate License signatures in FlexNet Publisher. Question What are the various requirements of the certificate signatures with different combinations of ENCRYPTION_SEEDx and LM_SEEDx settings? Answer This discussion was driven by (issues like) - 'Future support for SIGN2' This information is intended to be shareable with customers. Configurations 6-8 in the table below are most relevant for customers asking about continued support of SIGN2. Signature Configuration #1 #2 #3 #4 #5 #6 #7 #8 (best practice) #9 (second best practice) ENCRYPTION_SEEDS Set Set Set Not set Set Set Not set Not set Set LM_SEEDS Not set Set Not set Set Not Set Set Set Set Set TRL_KEYS / CRO_KEYS (Pre 8.1) Not set Not set Not set Not set Set Set Set Set Set LM_STRENGTH LICENSE_KEY LICENSE_KEY DEFAULT DEFAULT 113/163/239BIT 113/163/239BIT 113/163/239BIT 113/163/239BIT 113/163/239BIT Signature keyword None None SIGN SIGN SIGN SIGN and SIGN2 SIGN SIGN SIGN and SIGN2 Signature type Bespoke symmetric Bespoke symmetric Bespoke symmetric Bespoke symmetric TRL1 SIGN: TRL1 SIGN2: TRL2 TRL2 TRL2 SIGN: TRL1 SIGN2: TRL2 Signature length (chars) 12 or 20 12 or 20 12 12 60/84/120 2 x 60/84/120 60/84/120 60/84/120 2 x 60/84/120 Client version Pre-8.1 8.1+ 7.1 - 8.1 8.1+ 7.1 - 8.1 8.1+ 8.1+ 10.8.6+ 10.8.6+ Library linkage lmgr.lib lmgr.lib lmgr.lib lmgr.lib lmgr.lib lmgr.lib lmgr.lib lmgr_trl.lib lmgr_trl.lib Note: TRL1 = ECDSA signature TRL2 = Improved ECDSA signature FNP docs refer to these TRL1 and TRL2 signatures when discussing SIGN2 Configuration 6 clients require licenses with the SIGN2 keyword: changing a served license file from configuration 6 to 7 or 8 would break these existing clients. Therefore, in order to move on from SIGN2, producers needs to retire or upgrade their SIGN2-based production client base. In light of this, Flexera will maintain SIGN2 support until further notice to maintain license-server backward compatibility with 'recent' SIGN2 clients. Please review FNP release notes for notifications of changes to this policy. When producers update their clients, they should prefer configuration 8, which is the most secure and simplest license signature configuration. This will allow (eventual) retiring of SIGN2. Note: The standard lmgr.lib allows verification of all signature types, whereas the recommended lmgr_trl.lib allows verification only of TRL signatures. There are multiple known cases of a binary patch in a configuration 6 client which cause it to allow verification of a legacy symmetric signature presented as SIGN and/or SIGN2 signatures in a rogue license file. Clients based on configurations 5 and 7 are vulnerable to a similar attack vector. The keys used in the old symmetric signatures are easily brute forced, allowing rogue license files like this to be widely generated. This is why Flexera strongly recommends configuration 8 (or 9), where clients can verify only a TRL signature. ... View more

Summary A license file with multiple INCREMENT lines of differing expiry dates can issues with the midnight reread when one of them expires. Symptoms Consider this license file example - INCREMENT f1 demo 1.0 20-dec-2016 1 SIGN= INCREMENT f1 demo 1.0 10-dec-2016 1 SIGN= The two counts of f1 are in the same license pool, and occur in the license file in decreasing order of expiry date. A client checks out both instances of f1 on the morning of 10 December. At midnight the client should, but does not, enter a reconnection state for the single expiring license as the first license is still valid. Resolution If the INCREMENT lines are sorted in order of increasing expiry date, the client will correctly enter a reconnection state at midnight on 10 December. This can be achieved by changing the order within the file or more reliably with the use of sort attribute, for example, INCREMENT f1 demo 1.0 20-dec-2016 1 sort=2 SIGN= INCREMENT f1 demo 1.0 10-dec-2016 1 sort=1 SIGN= Note - This issue does not occur for instances of f1 in different license pools - as would be the case with a version change ... View more

Summary Wrong Visual Studio redistributable included with lmadmin 11.14.1.2 installer Symptoms In the FNP V11.14.1.2 release notes there is mentioned the following change: Windows lmadmin and the third-party libraries on which it depends are now built with the Visual Studio 2010 compiler, instead of the deprecated 2008 compiler. But the FNP toolkit still includes under the FNP toolkit folder "i86_n3\lmadmin" the VC++ 2008 redistributable vcredist_x86.exe and the supplied lmadmin installer also includes this version in error. Cause The wrong redistributable has been used in the release Resolution Visual studio C++ 2010 SP1 Redistributable Package (x86) is required to be installed and shipped instead of redistributable 2008. Visual studio C++ 2010 SP1 Redistributable Package (x86) can be downloaded from this link - https://www.microsoft.com/en-in/download/details.aspx?id=8328" This will be corrected in the next release. Workaround See above ... View more

Summary The lmremove functionality does not terminate lingered licenses. Synopsis It has been noted that the lmremove functionality, whether implemented via an API call or the lmremove (lmutil) utility does not free lingered licenses. Discussion That would be the expected behaviour, lmremove does not override the linger setting. This is an extract from the license administration guide (Version 11.13.1, page 136) - When removing by handle, if licenses are grouped as duplicates, all duplicate licenses are also removed. If license lingering is set and lmremove is used to reclaim the license, lmremove starts, but does not override, the license?s linger time. You can protect the unauthorized execution of lmremove when you start up lmgrd. The default for lmadmin is to disable lmremove because removing a user?s license is disruptive. The only way to recover the license in these circumstances would be to stop the server, delete the borrow cache (from ?C:\ProgramData\FNP\FLEXlm\vendorborrow?) and restart the server. But note this would remove ALL the borrowed licenses. ... View more

Summary FNP license server will not start when installed as a service now that the service startup is configured for 'Local Service' rather than 'Local System' Symptoms FlexNet Publisher license server will not start when installed as a service now that with the release of 11.13.1 the service startup is configured for 'Local Service' rather than 'Local System'. Cause The service needs write and update access to the directory where the log file will be written - it will not have this by default. This can be resolved by following the steps defined in the release notes (reproduced below). The notes refer specifically to Windows 10 but it has been shown that the same principles apply to Windows 7/8 and Server 2012 also Resolution When running lmgrd-as-a-service or lmadmin-as-a-service from a Windows 10 non-admin account, folder permissions may need to be set. This issue arises after using lmadmin.exe -installService <service name> and installs.exe or lmtools to configure a license server to run as a windows service on Windows 10. When attempting to start the service from a User-privilege account, a -5 'access is denied' error may occur. This is because the folder in which the service is installed does not have 'Local Service' privileges. As a workaround, these privileges can be applied using the Security tab of File Explorer: 1. Navigate to the folder path, where the service is installed. 2. Select the folder, right click and go to Properties. 3. In the Properties dialog box, click the Security tab, select Group or user names and click Advanced button. 4. In the Advanced Security Settings for XXXX window, click Enable Inheritance or Disable Inheritance as applicable to enable or disable settings. 5. Select the check box ?Replace all child object permission entries with inheritable permission entries from the object? and click Apply. ... View more

Summary Where can I find our FlexNet Publisher Vendor Keys Question Where can I find our FlexNet Publisher Vendor Keys? Answer The FlexNet Publisher Vendor Keys will be sent to you in a 'Welcome' email when you purchase the product. They can also be downloaded from the Product and Licensing centre - https://flexerasoftware.flexnetoperations.com FlexNet Licensing -> FlexNet Publisher -> FlexNet Publisher Licenses & Tools (version) -> Licenses (tab) ... View more

Summary As part of the Amazon EC2 detection FNP may make calls to the IP Address 169.254.169.254:80 Synopsis Starting with FlexNet Publisher (FNP) 11.12 it has been noticed that FNP attempts to communicate with the IP address 169.254.169.254. Discussion Statement from Engineering - The IP address noted (169.254.169.254) is one we attempt to connect to and query as part of our virtualization checks - in this case for Amazon EC2. However this check had some side effects - - Checkouts are slower since this check was incorporated - Some anti virus scanners are reporting the behaviour as suspicious - "Suspicious network activity has been detected.'..... - TCP Port 80 - 169.254.169.254:80' There is no mechanism to prevent the VM detection functionality from accessing 169.254.169.254:80. The use of an iptables blocking rule is the best practice approach for a customer to take if they are concerned about accesses to this address. Workaround There is no workaround for the first side effect as the detection cannot be disabled. For the second side effect it should be possible to add the executable to the Virus Scanner Publishers 'Whitelist' ... View more

Summary Process for adding a new platform to FlexNet Embedded by applying new Publisher/Platform keys to the "Publisher Identity Utility". Synopsis If a customer is sent new license (platform) keys from Revenera and the only purpose for them is to add additional platforms to FlexNet Embedded (FNE), you do not need to create a new identity. Instead, you only need to update the existing identity. With older versions of FNO, this could be done directly via the UI. Newer versions of FlexNet Operations don't allow you to change vendor keys with existing identities directly. I.e., once you've created them, the vendor key fields are read only in the UI. So instead you need to export the identity, then modify it via the Publisher Identity Utility (pubidutil) from your toolkit (in the bin/tools directory). To do this, open the downloaded identity with pubidutil and then change the vendor keys (and ONLY the vendor keys). And then click "Finish" to save it. Note, this allows you to include the new platforms without changing the internal seed values, so your older clients compiled with the original identity will still work with the licenses generated using the updated identity (which just added more platforms) as well as licenses generated with the pre-upgraded identity. After it's saved, import the updated identity back to FlexNet Operations and you should be good to go. If you've inadvertently deleted your existing identity (and don't have a backup), you can create the identity again via the BackOfficeIdentity (which is where the internal seeds were originally generated). If you lost the BackOfficeIdentity, you're out of luck (unless you happen to have a backup of your database or some other means to get a copy of the original BackOfficeIdentity before you upgrade the identity to add new platforms with updated vendor keys). Discussion Following is the detailed set of instructions on updating an existing Identity with updated Publisher Keys : 1. In the Producer Portal select Administer / Identities, then select the identity that you have already created to View the Identity. 2. At the bottom of the View Identity page select "Binary File" to download and save the current Back Office Identity locally. The file name is IdentityBackOffice.bin. Make a local backup copy as you can always revert back if necessary. 3. Run the pubidutil tool located in the /bin/tools directory of any of the FNE SDKs. If you don't have this readily available, you can download the tool from the Product and License Center via FlexNet Licensing/FlexNet Embedded/FlexNet Embedded Licenses & Tools: 4. Select Browse under Back-Office Identity and browse to the IdenityBackOffice.bin saved in Step 2. 5. This will populate the UI with your existing keys & Identity Information (example shown below): 6. Update the Publisher Keys with the new keys you receive from Revenera. You can click "Check Keys" to make sure they were input correctly. It should respond with Expiration: Permanent. 7. Click Finish. Your IdentityBackOffice.bin has now been updated, you now need to upload this modified Identity in FlexNet Operations. 8. From the Producer Portal View Identity Screen select Edit this Identity. You should see the Update Identity menu shown below: 9. Select Choose File and browse to the location of the modified IdentityBackOffice.bin, followed by Save. You will receive a warning, select "I am sure" to complete. When you make an update to add additional platform support in this manner you will NOT affect any existing devices and requests from devices with the previous version of the identity will also work. 10. You can now download the client identities for use on platforms that were not previously enabled. ... View more

Summary How do you copy the FlexNet Embedded publisher configuration settings from one FlexNet Operations to another so that identical binary/header files are created. Synopsis If on different instances of FlexNet Operations On-Premises you generate identity data, even with identical platform keys, the resultant binary/header files will be different due to a random element being used. This can cause issues if the requirement is to have, for example, identical test and production servers. How then, can systems be setup with identical data? Discussion To create such systems you should use the export/import mechanism. This can be found under the under the 'Administrations' tag - 'Devices -> Manage Publishers'. Select the 'export' option on the source system to create the export 'jar' file. Select the general 'Import' option from the left hand menu to install the data on the target system (the ?jar? file contains headers to direct the import to the required tables). ... View more