How to Configure RCDevs License Server
1. Introduction
In this short How-To, we will explain how to configure RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing for an enterprise license. For others, the license server can be used with at least WebADM 1.6.8-2.
IMPORTANT NOTE
Once the license server is configured with WebADM, a license cache is available for 10 days. That means, if your WebADM servers are not able to communicate with RCDevs license servers, WebADM will continue to work as expected during 10 days. Once the offline cache is expired, WebADM services will stop working. To renew the license cache, WebADM needs to communicate again with license servers.
2. First Steps
2.1 Only Applicable for WebADM 1.x versions
After subscribing an RCDevs enterprise license, a license file will be provided to you by the RCDevs sales team.
You have to import this file on your WebADM server. To do it, 2 ways are possible, import the license file from the WebADM Administrator portal or copy the file on the server through SSH/WinSCP in /opt/webadm/conf/ folder.
To enable the license server configuration, you have to edit WebADM servers file (/opt/webadm/conf/servers.xml).
Login on the WebADM server through SSH and edit the following file:
vi /opt/webadm/conf/servers.xml
In this file, you should find the license server section. If the following bloc is not available in your servers.xml file, please add it. It looks like below:
<!--
<LicenseServer name="License Server"
host="license.rcdevs.com"
port="7001"
ca_file="" />
-->
You have to uncomment it like below:
<LicenseServer name="License Server"
host="license.rcdevs.com"
port="7001"
ca_file="" />
Configuration is done, you can save and quit this file. To changes takes effect, you have to restart WebADM services:
/opt/webadm/bin/webadm restart
During the restart, if the communications with the license servers work fine, you should see:
Connected License server: License Server (91.134.128.157)
And after:
Checking License service access... Ok
If during the services restarting you see:
Connected License server: ERROR (no server available)
That means that WebADM is not able to contact the license server. Or the new license hasn’t been imported yet. We will see how to troubleshoot this issue in the Troubleshoot section of this documentation.
2.1 Only Applicable for WebADM 2.x
On WebADM v2.x there is no modification to perform in /opt/webadm/conf/servers.xml anymore.
You just need to enable RCDevs cloud services in /opt/webadm/conf/webadm.conf :
cloud_service yes
Your WebADM server(s) must be able to reach https://cloud.rcdevs.com
[root@webadm1 ~]# telnet cloud.rcdevs.com 443
Trying 149.202.186.103...
Connected to cloud.rcdevs.com.
Escape character is '^]'.
Have a look on RCDevs Cloud Service documentation for more information.
Restart WebADM services to changes takes effect.
3. Import the License from the WebADM Administrator Portal
In that scenario, you have to log in on the WebADM Admin GUI, click on the Admin tab and click on Software License Details in Licensing and Configurations section.
You are now in the Software License Details menu. Through this menu, a blue button named Import New License is available to import the license file provided by the RCDevs sales team. Click on the Import New License button.
And you are now in the following menu:
Click on the Browse File button and select your license file locally.
Or for Method 2, copy the content of the license file and past it below.
Click on the appropriate Import button according to the method you choose.
You will now see the license details and another blue button to upload the license.
Click on Update License button.
The license file is now imported on your WebADM server. Please, restart WebADM to activate the license.
/opt/webadm/bin/webadm restart
Finally, you will see the imported license under Admin tab and click on Software License Details.
4. Troubleshooting License Server Connection
4.1 License Server (no server available)
This error can occur when starting WebADM services.
Logs example
[root@webadm1 ~]# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server..... Ok
Stopping WebADM Session server... Ok
Stopping WebADM PKI server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok
Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR
Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok
Checking server connections...
Connected LDAP server: LDAP Server (192.168.3.60)
Connected SQL server: SQL Server (192.168.3.68)
Connected PKI server: PKI Server (127.0.0.1)
Connected Mail server: SMTP Server (78.141.172.203)
Connected Push server: Push Server (91.134.128.157)
Connected Session server: Session Server (::1)
Connected License server: License Server (no server available)
Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... ERROR
Possible reason/Solution :
- WebADM can not communicate with RCDevs license services. Check with telnet if license.rcdevs.com and destination port are reachable from WebADM server(s).
4.1.1 DNS Resolution
Fist, check that the DNS resolution from your WebADM server works correctly for license.rcdevs.com.
[root@webadm1 ~]# ping license.rcdevs.com
PING license.rcdevs.com (91.134.128.157) 56(84) bytes of data.
64 bytes from 91.134.128.157 (91.134.128.157): icmp_seq=1 ttl=54 time=17.5 ms
64 bytes from 91.134.128.157 (91.134.128.157): icmp_seq=2 ttl=54 time=16.8 ms
64 bytes from 91.134.128.157 (91.134.128.157): icmp_seq=3 ttl=54 time=17.1 ms
^C
--- license.rcdevs.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 16.890/17.194/17.510/0.295 ms
As you can see, the resolution works here. If it’s not your case, add an entry in your DNS system or configure the public IP of RCDevs license servers in /opt/webadm/conf/servers.xml.
license.rcdevs.com is a DNS name for redundant infrastructure. The actual resolved IP for license.rcdevs.com can change, so it is recommended to use the DNS name instead of the IP. If your firewall does not allow using DNS names and you have to use IP addresses, we advise you to allow traffic to the following three IP addresses :
- 91.134.128.157
- 213.32.75.204
- 213.32.75.212
4.1.2 Communication on port 7001
Here we will try if WebADM is able to access to license.rcdevs.com on 7001 port using telnet tool:
[root@webadm1 ~]# telnet license.rcdevs.com 7001
Trying 91.134.128.157...
Connected to license.rcdevs.com.
Escape character is '^]'.
Communication on port 7001 is allowed. If WebADM is not able to communicate on port 7001, please check your firewall.
IMPORTANT NOTE
Please note that the protocol is pure TCP and not HTTPS. Some firewalls (e.q. Palo Alto) block the connection if the rule is defined with HTTPS.
4.2 Checking License service access… ERROR
This error can occur when starting WebADM services.
Logs example
[root@webadm1 ~]# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server..... Ok
Stopping WebADM Session server... Ok
Stopping WebADM PKI server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok
Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR
Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok
Checking server connections...
Connected LDAP server: LDAP Server (192.168.3.60)
Connected SQL server: SQL Server (192.168.3.68)
Connected PKI server: PKI Server (127.0.0.1)
Connected Mail server: SMTP Server (78.141.172.203)
Connected Push server: Push Server (91.134.128.157)
Connected Session server: Session Server (::1)
Connected License server: License Server (91.134.128.157)
Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... ERROR
Possible reasons/Solutions :
After connections checks during WebADM services start, WebADM will try to perform an authentication to RCDevs license services. The authentication is done through your entreprise license. New licenses are pushed every hours on RCDevs licenses servers. Your license needs to be pushed on RCDevs licenses servers first in order to be used with RCDevs license services. You can encountered this issue if your license has been generated by RCDevs Sales team at 3:10 pm for example and your tried to use it before 4:00 pm. If the problem persists after 1 hour, contact RCDevs support.
4.3 How can I be sure that WebADM and License Server are synchronized?
To be sure that communications between WebADM and Licence Servers working fine, log in on the WebADM GUI and click on the Admin tab.
You should see Active License Server: License Server (91.134.128.157) like below:
Always under the Admin menu, another check must be done. Click on Software License Details:
And you should see something similar if everything works fine.
If you have ‘Active License Server: None’ as below after performing every check we previously did, please contact RCDevs support.
4.4 WebADM snapshot restore, Error (Given Token is out of Sync)
When you restore a snapshot, you will also restore the previous One-Time License Token which will in most cases be invalid. The rotation of that license Token happens every time WebADM connect to license services. If you re-use an old token (after a snapshot restore for e.g), then the token in use between license services and WebADM is out of sync. If your pool is full (2 nodes by default) WebADM is not able to reconnect to license service and perform the resync automatically. In that situation, you need to manually unbind the old client to liberate a license client slot for the restored version of WebADM be able to connect to the license service. To do this, login on the GUI of your restored WebADM server, click on ‘Admin’ tab and ‘Software License Details’. Scroll down until ‘License Server client’ section and click ‘Unbind’ buttons.
4.5 Server Pool
The licensing model is based on the number of users and the number of WebADM instances that you want to configure.
WebADM Servers IPs doesn’t matter anymore with license servers. You have now a pool with x servers allowed according to the license you ordered. If your pool is full and you want to connect another WebADM instance in this pool, you need to unbind one server to free up one slot in your pool. To remove an instance from your server pool, log into the WebADM Admin GUI, click on the Admin tab, Software License Details and in License Server Client, find the client in question and click Unbind Client to remove the client from your pool.
A slot is now available for another server:
4.6 WebADM cannot contact License Servers anymore
If for any reason, your WebADM server is not able to contact the license servers or if the license servers are down for maintenance, an offline cache will allow WebADM to continue working without problem during 10 days. After 10 days, WebADM will stop working if the communication with license servers have not been established in meanwhile.
4.7 License error for product OpenOTP (active users limit exceeded)
This error appears when you activated more users than allowed by your license. Freeware users are allowed to activate up to 40 users. Number of activated users can be checked through WebADM GUI > Admin > Software license details.
Activated users consuming license slots can be listed with report tool.
Logs example
[2020-04-17 18:50:45] [192.168.3.64] [OpenOTP:RCKOG0P2] License error for product OpenOTP (active users limit exceeded)
Solutions :
- Contact RCDevs sales team to order/extend your license allowing you the amount of activated users.
- Deactivate enough accounts until the amount of authorized users by your license is reach.
After users deactivation, you can manually clear license cache to force a new counting of activated users and get activated users value updated.
To clear WebADM license cache, login on WebADM GUI > Admin > Clear WebADM license cache or restart WebADM services.
5. Information transferred from WebADM to RCDevs License server
For the online license, the information transmitted is the following.
No private or individual user information at all is transmitted.
- Customer ID and instance ID (As in WebADM Software license details)
- Host ID Hash (not IP or MAC or any recognisable address)
- One time license token (generated locally)
- Number of activated users (for OpenOTP)
- Result of one way hash function of the user search base (used to verify the cluster member configs are same)
- Installed RCDevs software versions
- User and host count (for Spankey)