How to Configure RCDevs License Server
  Download PDF

1. Introduction

In this short How-To, we will explain how to configure RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing for an enterprise license. For others, the license server can be used with at least WebADM 1.6.8-2.

IMPORTANT NOTE

Once the license server is configured with WebADM, a license cache is available for 10 days. That means, if your WebADM servers are not able to communicate with RCDevs license servers, WebADM will continue to work as expected during 10 days. Once the offline cache is expired, WebADM services will stop working. To renew the license cache, WebADM needs to communicate again with license servers.

2. First Steps

2.1 Only Applicable for WebADM 1.x versions

After subscribing an RCDevs enterprise license, a license file will be provided to you by the RCDevs sales team.

You have to import this file on your WebADM server. To do it, 2 ways are possible, import the license file from the WebADM Administrator portal or copy the file on the server through SSH/WinSCP in /opt/webadm/conf/ folder.

To enable the license server configuration, you have to edit WebADM servers file (/opt/webadm/conf/servers.xml).

Login on the WebADM server through SSH and edit the following file:

vi /opt/webadm/conf/servers.xml

In this file, you should find the license server section. If the following bloc is not available in your servers.xml file, please add it. It looks like below:

<!--
<LicenseServer name="License Server"
        host="license.rcdevs.com"
        port="7001"
        ca_file="" />
--> 

You have to uncomment it like below:

<LicenseServer name="License Server"
        host="license.rcdevs.com"
        port="7001"
        ca_file="" />

Configuration is done, you can save and quit this file. To changes takes effect, you have to restart WebADM services:

/opt/webadm/bin/webadm restart

During the restart, if the communications with the license servers work fine, you should see:

Connected License server: License Server (x.x.x.x)

And after:

Checking License service access... Ok

If during the services restarting you see:

Connected License server: ERROR (no server available)

That means that WebADM is not able to contact the license server. Or the new license hasn’t been imported yet. We will see how to troubleshoot this issue in the troubleshooting section of this documentation.

2.2 Only Applicable for WebADM 2.x

On WebADM v2.x there is no modification to perform in /opt/webadm/conf/servers.xml anymore. You just need to enable RCDevs cloud services in /opt/webadm/conf/webadm.conf :

cloud_service yes

Your WebADM server(s) must be able to reach https://cloud.rcdevs.com

[root@webadm1 ~]# telnet cloud.rcdevs.com 443
Trying x.x.x.x...
Connected to cloud.rcdevs.com.
Escape character is '^]'.

Have a look on RCDevs Cloud Service documentation for more information.

Restart WebADM services to changes takes effect.

3. Import the License from the WebADM Administrator Portal

In that scenario, you have to log in on the WebADM Admin GUI, click on the Admin tab and click on Software License Details in Licensing and Configurations section.


You are now in the Software License Details menu. Through this menu, a blue button named Import New License is available to import the license file provided by the RCDevs sales team. Click on the Import New License button.



And you are now in the following menu:



Click on the Browse File button and select your license file locally.



Or for Method 2, copy the content of the license file and past it below.



Click on the appropriate Import button according to the method you choose.



You will now see the license details and another blue button to upload the license. Click on Update License button.



The license file is now imported on your WebADM server. Please, restart WebADM to activate the license.

/opt/webadm/bin/webadm restart

Finally, you will see the imported license under Admin tab and click on Software License Details.



4. Troubleshooting License Server Connection

To troubleshoot communications issues with RCDevs services, keep in mind the following :

  • WebADM v1.x are using license.rcdevs.com port 7001 over TCP,
  • WebADM v2.x are using cloud.rcdevs.com port 443 over https.

Please, perform the following tests accordingly.

4.1 License Server (no server available)

This error can occur when starting WebADM services.

Logs example

[root@webadm1 ~]# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server..... Ok
Stopping WebADM Session server... Ok
Stopping WebADM PKI server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR

Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections... 
Connected LDAP server: LDAP Server (192.168.3.60)
Connected SQL server: SQL Server (192.168.3.68)
Connected PKI server: PKI Server (127.0.0.1)
Connected Mail server: SMTP Server (x.x.x.x)
Connected Push server: Push Server (x.x.x.x)
Connected Session server: Session Server (::1)
Connected License server: License Server (no server available)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... ERROR

Possible reason/Solution :

  • WebADM can not communicate with RCDevs license services. Check with telnet if license.rcdevs.com and destination port are reachable from WebADM server(s).

4.1.1 DNS Resolution

First, check that the DNS resolution from your WebADM server works correctly for license.rcdevs.com for WebADM v1.x and cloud.rcdevs.com for WebADM v2.x.

[root@webadm1 ~]# nslookup license.rcdevs.com

Server:		x.x.x.x
Address:		x.x.x.x#53

Non-authoritative answer:
license.rcdevs.com	canonical name = cloud.rcdevs.com.
Name:	cloud.rcdevs.com
Address: 149.202.167.74
Name:	cloud.rcdevs.com
Address: 149.202.165.239
[root@webadm1 ~]# nslookup cloud.rcdevs.com

Server:		x.x.x.x
Address:		x.x.x.x#53

Non-authoritative answer:
Name:	cloud.rcdevs.com
Address: 149.202.167.74
Name:	cloud.rcdevs.com
Address: 149.202.165.239

As you can see, the resolution works here. If it’s not your case, investigate with your DNS administrator why DNS resolution is failing.

Warning

license.rcdevs.com and cloud.rcdevs.com are DNS names for redundant infrastructure using dynamic allocated IPs addresses. The current resolved IPs for license.rcdevs.com and cloud.rcdevs.com can change at any time without any information provided by RCDevs. It is recommended to use the DNS name and configure your firewall accordingly.

4.1.2 Communication on port 7001 or 443

Here we will try if WebADM is able to access to license.rcdevs.com on 7001 port using telnet tool:

[root@webadm1 ~]# telnet license.rcdevs.com 7001
Trying x.x.x.x ...
Connected to license.rcdevs.com.
Escape character is '^]'.

Communication on port 7001 are allowed. If WebADM is not able to communicate on port 7001, please check your firewall.

[root@webadm1 ~]# telnet cloud.rcdevs.com 443
Trying x.x.x.x ...
Connected to cloud.rcdevs.com.
Escape character is '^]'.

Communication on port 443 are allowed. If WebADM is not able to communicate on port 443, please check your firewall.

4.2 Checking License service access… ERROR

This error can occur when starting WebADM services.

Logs example

[root@webadm1 ~]# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server..... Ok
Stopping WebADM Session server... Ok
Stopping WebADM PKI server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR

Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections... 
Connected LDAP server: LDAP Server (192.168.3.60)
Connected SQL server: SQL Server (192.168.3.68)
Connected PKI server: PKI Server (127.0.0.1)
Connected Mail server: SMTP Server (x.x.x.x)
Connected Push server: Push Server (x.x.x.x)
Connected Session server: Session Server (::1)
Connected License server: License Server (x.x.x.x)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... ERROR

Possible reasons/Solutions :

After connections checks during WebADM services start, WebADM will try to perform an authentication to RCDevs license services or RCDevs cloud services. The authentication is done through your enterprise license. New licenses are pushed every hour on RCDevs licenses servers. Your license needs to be pushed on RCDevs licenses servers first in order to be used with RCDevs license services. You can encounter this issue if your license has been generated by RCDevs Sales team at 3:10 pm for example, and you tried to use it before 4:00 pm. If the problem persists after 1 hour, contact RCDevs support.

4.3 How can I be sure that WebADM and License Server are synchronized?

To be sure that communications between WebADM and Licence Servers working fine, log in on the WebADM GUI and click on the Admin tab.

You should see Active License Server: License Server (x.x.x.x) like below:



For WebADM v2.x you should see something similar regarding RCDevs Cloud Services:



Always under the Admin menu, another check must be done. Click on Software License Details:



And you should see something similar if everything works fine.



If you have ‘Active License Server: None’ as below after performing every check we previously did, please contact RCDevs support.



4.4 WebADM snapshot restore, Error (Given Token is out of Sync)



When you restore a snapshot, you will also restore the previous One-Time License Token which will in most cases be invalid. The rotation of that license Token happens every time WebADM connect to license services. If you re-use an old token (after a snapshot restore for e.g), then the token in use between license services and WebADM is out of sync. If your pool is full (2 nodes by default) WebADM is not able to reconnect to license service and perform the resync automatically. In that situation, you need to manually unbind the old client to liberate a license client slot for the restored version of WebADM be able to connect to the license service. To do this, login on the GUI of your restored WebADM server, click on ‘Admin’ tab and ‘Software License Details’. Scroll down until ‘License Server client’ section and click ‘Unbind’ buttons.

4.5 Server Pool

The licensing model is based on the number of users and the number of WebADM instances that you want to configure.

WebADM Servers IPs doesn’t matter anymore with license servers. You have now a pool with x servers allowed according to the license you ordered. If your pool is full, and you want to connect another WebADM instance in this pool, you need to unbind one server to free up one slot in your pool. To remove an instance from your server pool, log into the WebADM Admin GUI, click on the Admin tab, Software License Details and in License Server Client, find the client in question and click Unbind Client to remove the client from your pool.



A slot is now available for another server:



4.6 WebADM cannot contact License Servers anymore

If for any reason, your WebADM server is not able to contact the license servers or if the license servers are down for maintenance, an offline cache will allow WebADM to continue working without problem during 10 days. After 10 days, WebADM will stop working if the communication with license servers have not been established in meanwhile.



4.7 License error for product OpenOTP (active users limit exceeded)

This error appears when you activated more users than allowed by your license. Freeware users are allowed to activate up to 20 users. Number of activated users can be checked through WebADM GUI > Admin > Software license details.



Activated users consuming license slots can be listed with report tool.

Logs example

[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:RCKOG0P2] License error for product OpenOTP (active users limit exceeded)

Solutions :

  • Contact RCDevs sales team to order/extend your license allowing you the amount of activated users.
  • Deactivate enough accounts until the amount of authorized users by your license is reach.

After users deactivation, you can manually clear license cache to force a new counting of activated users and get activated users value updated. To clear WebADM license cache, login on WebADM GUI > Admin > Clear WebADM license cache or restart WebADM services.

5. Information transferred from WebADM to RCDevs License server

For the online license, the information transmitted is the following.

No private or individual user information at all is transmitted.

  • Customer ID and instance ID (As in WebADM Software license details)
  • Host ID Hash (not IP or MAC or any recognizable address)
  • One time license token (generated locally)
  • Number of activated users (for OpenOTP)
  • Result of one way hash function of the user search base (used to verify the cluster member configs are same)
  • Installed RCDevs software versions
  • User and host count (for Spankey)