Sentinel runtime environment installer error

How I solved “Unable to access HASP SRM Run-time Environment? (H0033)”

First of all, don’t stress! These instructions will most likely get you up and running with your 4D, 5D, 6D or other dongle-controlled program in short order.

Background

My wife asked me to install her Viking embroidery “5D” software on her Surface Pro PC so she could use the touch tablet and pen to do graphics drawing and editing in the Design Creator.

The software is protected by requiring the user to have a USB dongle plugged in when running the program.

Installation went through normal software install and then it also had 3 updates to install. Two of the updates seemed to end with an error, perhaps because I did not reboot the PC after each (it was not clear whether or not to do this). At any point, running the program with the dongle installed resulted in the H0033 error.

I tried doing a repair install and also install of drivers (from the main install menu) – neither helped.

Searching on this error showed several hits saying to go to the windows Services and enabling the HASP License Manager (or Sentinel HASP License Manager) but in my case, I did not have the HASP entry in Services.

I looked in the Device Manager and saw an error for the HASP device and its properties said the device driver was not installed. Doing an Uninstall followed by a Scan for New Hardware did not help.

Some posts said to try to go to this url in your browser: http://localhost:1947 but that just displayed an error. Normally, this would display the HASP SRM Admin Control Center.

Solution

I eventually found a post to download the HASP SRM Runtime drivers at https://sentinelcustomer.gemalto.com/sentineldownloads/ (or use the link below). Installing this did solve the H0033 error. Also, once installed, the dongle light was lit and the http://localhost:1947 worked.

From the download page, I chose to install the Sentinel HASP/LDK Windows GUI Run-time Installer. The zip file contains a Readme file and a HASPUserSetup.exe file. Run the exe file to start the installation. It’s pretty quick.

Copy of HASP SRM Runtime download zip file:

When I installed the driver, I did not have the dongle plugged in. After the install, I tried going to the the localhost url above and it worked (displayed a page, not an error). I then plugged in the dongle and it lit up and the localhost url displayed more mildly interesting information.

Read the feedback (over 100 posts) and you will see virtually everybody is successful with this procedure. Please post feedback on your results.

Gary Davis

DotNET/PayPal Development and other Techie Stuff

Источник

Sentinel В® LDK Environment Installer GUI for Windows: Readme

Version 7.81

July 2018

This document provides information regarding the Run-time Environment Installer GUI for Sentinel LDK and Sentinel HASP, including supported operating systems, enhancements, known compatibility issue, and issues resolved. («Sentinel LDK» is the next generation of Sentinel HASP.)

The following topics are discussed:

Operating Systems Supported

• Windows 7 SP1
• Windows 7 SP1 Embedded standard (x86)
• Windows 8.1 SP1
• Windows Server 2008 R2 SP1
• Windows Server 2012 R2
• Windows Server 2016
• Windows 10 Version 1803
  Note: Windows 10 Insider Preview builds are not supported.

The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.

The installer detects the version of the operating system at run-time, before installing the relevant drivers.

Virtual Environments Supported

For a list of the virtual environments supported, see «Supported Platforms for End Users» in the Sentinel LDK Release Notes.

Upgrading the Run-time Environment

When using the Installer GUI to upgrade the Run-time Environment, ensure that:

• No other Run-time Environment Installer is active.
• No other Run-time Environment components are active. Although the installation program terminates applications that are accessing the Run-time, it does not terminate running services. For example, if the Sentinel License Manager is running as a service, you must stop the service before upgrading the Run-time Environment.

Installing the Run-time Environment

• The Installer GUI detects the version of the operating system during Run-time Environment installation, before installing the relevant drivers.
• By default, Windows displays a User Account Control message during driver installation. The user must click Continue to continue the installation. Alternatively, the user can change the default setting from the Control Panel of their operating system.
• A log file of the installation process is written to aksdrvsetup.log in the Windows directory.

For additional information, see “2.17 — Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.

Allowing Incoming Connections From Public Networks Using Port 1947

The Run-time Environment Installer adds a firewall rule named “Sentinel License Manager” that allowed incoming connections from private networks using port 1947.

You can manually allow access from public networks using this port, but Gemalto highly recommends against this.

If you do plan to allow incoming connections from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating code integrity policies.

You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of «signatures» of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.

Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

Code integrity contains two primary components:

• kernel mode code integrity (KMCI)
• user mode code integrity (UMCI)

This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.

Note: The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.

Issue 1: Windows blocks the installation of the Run-time Environment

During installation of the Run-time Environment on your computer, Windows displays a message similar to this: «Your organization used Device Guard to block this app. Contact your support person for more info.»

Solution:

To install the Run-time Environment on a machine where Device Guard is enabled in enforce mode (which make use of PcaCertificate level code signing check), ensure that DigiCert is listed/added in the Signers list of the policy file.

Import the DigiCert Intermediate certificate to the trusted list of Intermediate Certification Authorities(ICA) store on the golden computer before creating code integrity policy.

A Digicert Intermediate certificate is available from https://aboutssl.org/digicert-trusted-root-authority-certificates/#intermediates. Under Intermediate Certificates, locate and download the DigiCert EV Code Signing CA (SHA2) certificate. You can also fetch this intermediate certificate from your trusted source.

To add the DigiCert Root Certificate:

1. Download the certificate on the golden computer and double-click the certificate file. The Certificate dialog box is displayed.
2. Click Install Certificate. Follow the Certificate Install Wizard to complete the import of this certificate to the ICA store.
3. Run the steps to create a new or updated policy. This will allow Sentinel software to be installed without any issues on a machine where Device Guard is enabled.

Repeat the installation of the Run-time Environment.

Issue 2: Protected application does not operate at the customer site

(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_vendorID.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.

Workaround A:

This workaround must be performed at the customer site.

Do the following to add an exception for the customized vendor library file in the code integrity policy:

1. Use Windows PowerShell in elevated mode to create a policy for the exception.
2. Use the Group Policy editor to deploy the policy file.

To create the policy for the exception:

1. Open PowerShell in elevated mode.
2. Run the command to create a policy (referred to below as P1) in audit mode.
3. Deploy this policy.
4. Operate the protected application as you would normally.
5. Create another policy (referred to as P2) that captures audit information from the events log.
   Note: Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the protected application. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.
6. Merge policies P1 and P2.
7. Disable audit mode.
8. Deploy the merged policy.

To deploy the policy file:

1. Open the Group Policy editor by running GPEdit.msc.
2. Navigate to: Computer ConfigurationAdministrative TemplatesSystemDevice Guard
3. Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

This workaround must be performed at the customer site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath

-Option 0 -Delete

Issue 3: Vendor Tools fail to load

(SM-907) Sentinel LDK Vendor Tools fail to load. An error message is displayed, stating that a DLL, LIB, COM, or EXE file is not designed to run on Windows or that the DLL contains an error.

Workaround A:

Do the following to add a policy for the Sentinel LDK Vendor Tools in the code integrity policy file:

1. Use Windows PowerShell in elevated mode to create a policy for the Vendor Tools.
2. Use the Group Policy editor to deploy the policy file.

To create the policy for the Vendor Tools:

1. Open PowerShell in elevated mode.
2. Run the command to create a policy (referred to below as P1) in audit mode.
3. Deploy this policy.
4. Execute all of the Vendor Tools that you will require at your site and perform all of the functions in these tools that you will require. If you miss any required Vendor Tools or Vendor Tool functions, the required entries will not be added in the new code integrity policy, and these tools or functions will generate an error message when they are eventually used.
5. Create another policy (referred to as P2) that captures audit information from the events log.
   Note: Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the Vendor Tools. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.
6. Merge policies P1 and P2.
7. Disable audit mode.
8. Deploy the merged policy.

To deploy the policy file:

1. Open the Group Policy editor by running GPEdit.msc.
2. Navigate to: Computer ConfigurationAdministrative TemplatesSystemDevice Guard
3. Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

Perform this workaround at your development site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath

-Option 0 -Delete

No further actions are required.

Issue 4: Digital signature removed from the RTE Installer

(SM-18780) When a user creates a Run-time Environment Installer using Sentinel EMS, the digital signature is removed from the Installer. As a result, Device Guard blocks the RTE Installer from executing.

If the vendor downloads the installer as an EXE file and signs it, Device Guard allows the installer to run, but the installation fails due to an unsigned DLL file called by haspdinst.exe.

Workaround:

Perform the procedure that follows.

Download the Run-time Environment Installer from the following URL in the Gemalto web site:

To work with Sentinel EMS, continue with the following additional steps:

1. In a Web browser, enter the following to start Admin Control Center: http://localhost:1947
2. On the Configuring Network Settings page, in the EMS URL field, enter the URL to access the Sentinel EMS Service.
3. Click Submit.
4. Proceed to work with Sentinel EMS as required.

As an alternative, you can use one of the workarounds provided above for issues 2 and 3.

Enhancements and Issues Resolved in This Release

Enhancements

The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:

• Installation of the RTE has succeeded. No restart is required.
• Installation of the RTE cannot complete due to a lock on a required file. The RTE Installer attempts to rename the locked file in the background. If it succeeds, the installation will continue. If the rename attempt fails, the installer returns error 52. At this point, your code can call the new RTE Installer API function haspds_GetLockingProcessList to get the locking process name. You can then release the locked file and restart the RTE Installer.

Several security improvements have been implemented.

Issues Resolved

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 SUB keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

Security Updates in This Release

There are no known and unresolved security issue relating to Sentinel products in this release.

For the latest information regarding any older or newly-discovered issues, see this Web page:

Reporting a Security Vulnerability

If you think you have found a security vulnerability, please send it to Gemalto using the links provided on the Web page provided above.

Revision History

This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.

The revision history for earlier versions of Sentinel Run-time Environment is available at: http://sentinelldk.safenet-inc.com/Default.htm

Issues Resolved in Version 7.80

If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.

The RTE installer adds a firewall rule (named “Sentinel License Manager”) that, in the past, allowed incoming connections from any network, including public networks, using port 1947. Starting with RTE version 7.80, the firewall rule added by the RTE Installer does not allow incoming connections from public networks. If you are upgrading from an earlier version of RTE, the installer replaces the existing rule (that allows connections from public networks) with a rule that blocks such connections.

You can manually allow access using this port from public networks, but Gemalto highly recommends against this.

If you do plan to allow access from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

Issues Resolved in Version 7.65

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

Enhancements in Version 7.63

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

• In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.
• In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text — for example: 5
It is no longer necessary to decode the C2V file in order to view this information.

Issues Resolved in Version 7.63

The Run-time Environment now supports the use of the VMType3 clone protection scheme.

Enhancements in Version 7.60

You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase.

Admin Control Center (under Windows) can now display and apply updates to local SL UserMode keys. (Session information and certificate information for SL UserMode keys is not displayed.)

To display SL UserMode keys in Admin Control Station, License Manager runs an additional process (hasplmv) on the machine. If you are willing to accept that SL UserMode keys will not be displayed, you have the option to prevent hasplmv from executing by clearing the relevant check box on the Configuration page in Admin Control Center.

In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API.
Now, the parameter Allow Remote Access to ACC and Admin API (in Admin Control Center) and the tag (in Admin API) control remote access to both Admin Control Center and Admin API.

Issues Resolved in Version 7.60

When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application was not able to decrypt the protected data file, no error message was generated to explain why the file cannot be opened.

Under Windows 10, a physical machine would be detected as a virtual machine when only Hyper-V Hypervisor is enabled.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on «Recent Clients» and «Recent Users». Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

When building a Run-Time Environment installer using Wix, an error message similar to the following was generated:
Invalid product version ‘7.53.1.66350’ in package HASP_Setup.msi’. When included in a bundle, all product version fields in an MSI package must be less than 65536.
This error no longer occurs.

Under certain circumstances, Sentinel LDK License Manager Service would crash. The exception code would map to STATUS_STACK_OVERFLOW in __chkstk API.

Enhancements in Version 7.55

Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:

• Allow specific named users to access specific Batch Codes, protection keys (haspID), or Product IDs.
• Use the «*» wildcard character for IP and hostname.
• Use subnet mask notation (for example: 172.18.8.0/21) for IP addresses

For more information, see «Configuring User Settings» in the Admin Control Center online help.

Issues Resolved in Version 7.55

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

When a user issues a «detach license» request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:

• “allow” user restrictions that are based on a specific user name are not applied because the user name is not available to the License Manager on the license server. If a different restriction such as deny=all@all is also specified, the detach request will be denied.

• If any “deny” user restriction that is applicable for the request in all respects other than username exists, that restriction is applied even if the user name specified in the restriction does not match. For example: If the detach request was sent from a machine with the hostname host123, and a user restriction has been specified deny=skr@host123 on the license server machine, the detach request is denied even the user requesting the detach has a different username.

Sentinel Admin Control Center online help has been updated to describe these limitations.

Enhancements in Version 7.54

How I solved “Unable to access HASP SRM Run-time Environment? (H0033)”

First of all, don’t stress! These instructions will most likely get you up and running with your 4D, 5D, 6D or other dongle-controlled program in short order.

Background

My wife asked me to install her Viking embroidery “5D” software on her Surface Pro PC so she could use the touch tablet and pen to do graphics drawing and editing in the Design Creator.

The software is protected by requiring the user to have a USB dongle plugged in when running the program.

Installation went through normal software install and then it also had 3 updates to install. Two of the updates seemed to end with an error, perhaps because I did not reboot the PC after each (it was not clear whether or not to do this). At any point, running the program with the dongle installed resulted in the H0033 error.

I tried doing a repair install and also install of drivers (from the main install menu) – neither helped.

Searching on this error showed several hits saying to go to the windows Services and enabling the HASP License Manager (or Sentinel HASP License Manager) but in my case, I did not have the HASP entry in Services.

I looked in the Device Manager and saw an error for the HASP device and its properties said the device driver was not installed. Doing an Uninstall followed by a Scan for New Hardware did not help.

Some posts said to try to go to this url in your browser: http://localhost:1947 but that just displayed an error. Normally, this would display the HASP SRM Admin Control Center.

Solution

I eventually found a post to download the HASP SRM Runtime drivers at https://sentinelcustomer.gemalto.com/sentineldownloads/ (or use the link below). Installing this did solve the H0033 error. Also, once installed, the dongle light was lit and the http://localhost:1947 worked.

From the download page, I chose to install the Sentinel HASP/LDK Windows GUI Run-time Installer. The zip file contains a Readme file and a HASPUserSetup.exe file. Run the exe file to start the installation. It’s pretty quick.

Copy of HASP SRM Runtime download zip file:

When I installed the driver, I did not have the dongle plugged in. After the install, I tried going to the the localhost url above and it worked (displayed a page, not an error). I then plugged in the dongle and it lit up and the localhost url displayed more mildly interesting information.

Read the feedback (over 100 posts) and you will see virtually everybody is successful with this procedure. Please post feedback on your results.

Share Post

Gary Davis

DotNET/PayPal Development and other Techie Stuff

Источник

Troubleshooting

License key is not connected.

Connected license key’s batch code is different from required one (a license key of another software vendor is used).

Connect the license key provided by VIT.

When network license key is required, the license key being connected does not enable the protected software.

Check if the license key that is being connected is a network key (usually red) and, if not, connect the network protection key.

Sentinel LDK Run-time environment (hasplms.exe process) is not installed on the computer where protected software is to run.

See the instructions:

Network traffic is blocked at Port 475 on the computer where the license key is installed and/or protected software is running (due to Windows Firewall or, for example, antivirus software).

Disable all the software that may block access to your license key or add a blocked object into a list of exceptions (whether it is Port 475, Sentinel LDK Run-time service or other software blocked).

“Feature not found (H0031)” error

The license key does not have any information about Program Number/Feature ID requested by protected application.

Update the license key:

On your computer, two license keys with the same batch codes are installed. The key that was detected and currently enables the protected application does not have the feature(s) needed by that application.

For hardware license keys: connect available keys one-by-one to see which of them enables protected functionality of your application.

Also, read more on this conflict (the Important 2 block).

“Unable to access HASP SRM RunTime Environment (H0033)” error

C:WINDOWSsystem32hasplms.exe is blocked by the Firewall or antivirus software.

Add the Sentinel LDK Run-time environment to the blocking exceptions list.

Port 1947 is blocked by the Firewall. Add the port to the blocking exceptions list.

Sentinel LDK Run-time environment (hasplms.exe)
stopped working.

Relaunch the environment’s process.

“Terminal services detected, cannot run without a dongle (H0027)” error

Occurs when terminal services are detected. For example, Microsoft Terminal Server (including Remote Desktop services), Citrix Winframe/Metaframe etc.

Your license key should not be connected to a computer that has active terminal software installed.

VIT controls this option by allowing or prohibiting its products operation on terminal servers. If such option is needed, request for the license key update:

“Your license has expired (H0041)” error

Update the license key:

«UpdateTooOld»

Trying to install a V2C file with an update counter that is out of sequence with update counter in the Sentinel protection key. Values of update counter in file are lower than those in Sentinel protection key.

«UpdateTooNew»

Trying to install a V2C file with an update counter that is out of sequence with the update counter in the Sentinel protection key. First value in file is more-than-1 greater than value in Sentinel protection key.

When licensing information contained in a v2c-file is to update (rewrite) the information contained in the corresponding license key, that new information must be applied strictly in a sequence of corresponding c2v-files generation.

Check if you are applying several license updates in a right order and whether all of them are present and none skipped. If everything seems to be applied correctly, but the error still occurs, contact your manager: there might be something overlooked while v2c-files generation on VIT’s side. Possible solution may be to format your license key and write a new license information into it from scratch.

Источник

Sentinel В® LDK Environment Installer GUI for Windows: Readme

Version 7.81

July 2018

This document provides information regarding the Run-time Environment Installer GUI for Sentinel LDK and Sentinel HASP, including supported operating systems, enhancements, known compatibility issue, and issues resolved. («Sentinel LDK» is the next generation of Sentinel HASP.)

The following topics are discussed:

Operating Systems Supported

• Windows 7 SP1
• Windows 7 SP1 Embedded standard (x86)
• Windows 8.1 SP1
• Windows Server 2008 R2 SP1
• Windows Server 2012 R2
• Windows Server 2016
• Windows 10 Version 1803
  Note: Windows 10 Insider Preview builds are not supported.

The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.

The installer detects the version of the operating system at run-time, before installing the relevant drivers.

Virtual Environments Supported

For a list of the virtual environments supported, see «Supported Platforms for End Users» in the Sentinel LDK Release Notes.

Upgrading the Run-time Environment

When using the Installer GUI to upgrade the Run-time Environment, ensure that:

• No other Run-time Environment Installer is active.
• No other Run-time Environment components are active. Although the installation program terminates applications that are accessing the Run-time, it does not terminate running services. For example, if the Sentinel License Manager is running as a service, you must stop the service before upgrading the Run-time Environment.

Installing the Run-time Environment

• The Installer GUI detects the version of the operating system during Run-time Environment installation, before installing the relevant drivers.
• By default, Windows displays a User Account Control message during driver installation. The user must click Continue to continue the installation. Alternatively, the user can change the default setting from the Control Panel of their operating system.
• A log file of the installation process is written to aksdrvsetup.log in the Windows directory.

For additional information, see “2.17 — Upgrading Sentinel LDK Run-Time Environment (RTE) Installer” in the Sentinel EMS Configuration Guide.

Allowing Incoming Connections From Public Networks Using Port 1947

The Run-time Environment Installer adds a firewall rule named “Sentinel License Manager” that allowed incoming connections from private networks using port 1947.

You can manually allow access from public networks using this port, but Gemalto highly recommends against this.

If you do plan to allow incoming connections from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

Issues Related to Device Guard and Code Integrity Policies

The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating code integrity policies.

You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of «signatures» of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.

Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

Code integrity contains two primary components:

• kernel mode code integrity (KMCI)
• user mode code integrity (UMCI)

This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.

Note: The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.

Issue 1: Windows blocks the installation of the Run-time Environment

During installation of the Run-time Environment on your computer, Windows displays a message similar to this: «Your organization used Device Guard to block this app. Contact your support person for more info.»

Solution:

To install the Run-time Environment on a machine where Device Guard is enabled in enforce mode (which make use of PcaCertificate level code signing check), ensure that DigiCert is listed/added in the Signers list of the policy file.

Import the DigiCert Intermediate certificate to the trusted list of Intermediate Certification Authorities(ICA) store on the golden computer before creating code integrity policy.

A Digicert Intermediate certificate is available from https://aboutssl.org/digicert-trusted-root-authority-certificates/#intermediates. Under Intermediate Certificates, locate and download the DigiCert EV Code Signing CA (SHA2) certificate. You can also fetch this intermediate certificate from your trusted source.

To add the DigiCert Root Certificate:

1. Download the certificate on the golden computer and double-click the certificate file. The Certificate dialog box is displayed.
2. Click Install Certificate. Follow the Certificate Install Wizard to complete the import of this certificate to the ICA store.
3. Run the steps to create a new or updated policy. This will allow Sentinel software to be installed without any issues on a machine where Device Guard is enabled.

Repeat the installation of the Run-time Environment.

Issue 2: Protected application does not operate at the customer site

(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_vendorID.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.

Workaround A:

This workaround must be performed at the customer site.

Do the following to add an exception for the customized vendor library file in the code integrity policy:

1. Use Windows PowerShell in elevated mode to create a policy for the exception.
2. Use the Group Policy editor to deploy the policy file.

To create the policy for the exception:

1. Open PowerShell in elevated mode.
2. Run the command to create a policy (referred to below as P1) in audit mode.
3. Deploy this policy.
4. Operate the protected application as you would normally.
5. Create another policy (referred to as P2) that captures audit information from the events log.
   Note: Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the protected application. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.
6. Merge policies P1 and P2.
7. Disable audit mode.
8. Deploy the merged policy.

To deploy the policy file:

1. Open the Group Policy editor by running GPEdit.msc.
2. Navigate to: Computer ConfigurationAdministrative TemplatesSystemDevice Guard
3. Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

This workaround must be performed at the customer site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath

-Option 0 -Delete

Issue 3: Vendor Tools fail to load

(SM-907) Sentinel LDK Vendor Tools fail to load. An error message is displayed, stating that a DLL, LIB, COM, or EXE file is not designed to run on Windows or that the DLL contains an error.

Workaround A:

Do the following to add a policy for the Sentinel LDK Vendor Tools in the code integrity policy file:

1. Use Windows PowerShell in elevated mode to create a policy for the Vendor Tools.
2. Use the Group Policy editor to deploy the policy file.

To create the policy for the Vendor Tools:

1. Open PowerShell in elevated mode.
2. Run the command to create a policy (referred to below as P1) in audit mode.
3. Deploy this policy.
4. Execute all of the Vendor Tools that you will require at your site and perform all of the functions in these tools that you will require. If you miss any required Vendor Tools or Vendor Tool functions, the required entries will not be added in the new code integrity policy, and these tools or functions will generate an error message when they are eventually used.
5. Create another policy (referred to as P2) that captures audit information from the events log.
   Note: Before proceeding with the next step, review policy P2 carefully. This policy contains information about all the binaries that were used in your system while you operated the Vendor Tools. Any unwanted application that was executed during this time is logged in the policy. If not removed, any such application will be treated as a trusted binary.
6. Merge policies P1 and P2.
7. Disable audit mode.
8. Deploy the merged policy.

To deploy the policy file:

1. Open the Group Policy editor by running GPEdit.msc.
2. Navigate to: Computer ConfigurationAdministrative TemplatesSystemDevice Guard
3. Select Deploy Code Integrity Policy. Enable this setting by using the path to the relevant policy file created above.

Workaround B (not recommended):

Perform this workaround at your development site.

Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.

To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath

-Option 0 -Delete

No further actions are required.

Issue 4: Digital signature removed from the RTE Installer

(SM-18780) When a user creates a Run-time Environment Installer using Sentinel EMS, the digital signature is removed from the Installer. As a result, Device Guard blocks the RTE Installer from executing.

If the vendor downloads the installer as an EXE file and signs it, Device Guard allows the installer to run, but the installation fails due to an unsigned DLL file called by haspdinst.exe.

Workaround:

Perform the procedure that follows.

Download the Run-time Environment Installer from the following URL in the Gemalto web site:

To work with Sentinel EMS, continue with the following additional steps:

1. In a Web browser, enter the following to start Admin Control Center: http://localhost:1947
2. On the Configuring Network Settings page, in the EMS URL field, enter the URL to access the Sentinel EMS Service.
3. Click Submit.
4. Proceed to work with Sentinel EMS as required.

As an alternative, you can use one of the workarounds provided above for issues 2 and 3.

Enhancements and Issues Resolved in This Release

Enhancements

The RTE Installer now provides more details in order to help ensure that installation of the RTE completes successfully. The Installer now differentiates between the following situations:

• Installation of the RTE has succeeded. No restart is required.
• Installation of the RTE cannot complete due to a lock on a required file. The RTE Installer attempts to rename the locked file in the background. If it succeeds, the installation will continue. If the rename attempt fails, the installer returns error 52. At this point, your code can call the new RTE Installer API function haspds_GetLockingProcessList to get the locking process name. You can then release the locked file and restart the RTE Installer.

Several security improvements have been implemented.

Issues Resolved

The hasp_login function would fail to log in to a HASP4 parallel port key (the function would not fail with HASP4 SUB keys). The login would fail with the error code HASP_HASP_NOT_FOUND = 7. This issue would occur with RTE version 7.52 and later.

Security Updates in This Release

There are no known and unresolved security issue relating to Sentinel products in this release.

For the latest information regarding any older or newly-discovered issues, see this Web page:

Reporting a Security Vulnerability

If you think you have found a security vulnerability, please send it to Gemalto using the links provided on the Web page provided above.

Revision History

This section describes enhancements implemented and issues resolved in the last three major releases of Sentinel Run-time Environment.

The revision history for earlier versions of Sentinel Run-time Environment is available at: http://sentinelldk.safenet-inc.com/Default.htm

Issues Resolved in Version 7.80

If a customer applies a V2C update from a remote machine that has the Vendor library but no license from the same vendor, the error returned was HASP_UPDATE_TOO_NEW, which was confusing. Now the error returned is HASP_KEYID_NOT_FOUND.

The RTE installer adds a firewall rule (named “Sentinel License Manager”) that, in the past, allowed incoming connections from any network, including public networks, using port 1947. Starting with RTE version 7.80, the firewall rule added by the RTE Installer does not allow incoming connections from public networks. If you are upgrading from an earlier version of RTE, the installer replaces the existing rule (that allows connections from public networks) with a rule that blocks such connections.

You can manually allow access using this port from public networks, but Gemalto highly recommends against this.

If you do plan to allow access from public networks using port 1947, create a rule with a different name in order to prevent future RTE upgrades from removing this access.

Issues Resolved in Version 7.65

A possible security issue related to buffer overflow (reported by Kaspersky) has been resolved.

Enhancements in Version 7.63

In the past, the timeout for an idle License Manager session was fixed at 12 hours. You can now set the timeout to any value between 10 minutes and 720 minutes (12 hours). The timeout value can be set as follows:

• In Admin Control Center, on the Basic Configuration page. Use the Idle Timeout of Session parameter.
• In the hasplm.ini file. Assign the timeout value to idle_session_timeout_mins.

Admin Control Center now adds the update counter in C2V files in clear text — for example: 5
It is no longer necessary to decode the C2V file in order to view this information.

Issues Resolved in Version 7.63

The Run-time Environment now supports the use of the VMType3 clone protection scheme.

Enhancements in Version 7.60

You can now enter the URL to access Sentinel EMS in your Web browser without changing the EMS URL to lowercase.

Admin Control Center (under Windows) can now display and apply updates to local SL UserMode keys. (Session information and certificate information for SL UserMode keys is not displayed.)

To display SL UserMode keys in Admin Control Station, License Manager runs an additional process (hasplmv) on the machine. If you are willing to accept that SL UserMode keys will not be displayed, you have the option to prevent hasplmv from executing by clearing the relevant check box on the Configuration page in Admin Control Center.

In the past, Admin Control Center and Admin API provided a configuration parameter that determined whether a remote user could access and perform actions in Admin Control Center. However, this parameter did not control remote access to Admin API.
Now, the parameter Allow Remote Access to ACC and Admin API (in Admin Control Center) and the tag (in Admin API) control remote access to both Admin Control Center and Admin API.

Issues Resolved in Version 7.60

When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application was not able to decrypt the protected data file, no error message was generated to explain why the file cannot be opened.

Under Windows 10, a physical machine would be detected as a virtual machine when only Hyper-V Hypervisor is enabled.

The Diagnostics report in Admin Control Center (Diagnostics > Generate Report) displays information on «Recent Clients» and «Recent Users». Each entry contained a time stamp but not a date stamp. The report has been corrected to display both a time stamp and a date stamp for each entry.

When building a Run-Time Environment installer using Wix, an error message similar to the following was generated:
Invalid product version ‘7.53.1.66350’ in package HASP_Setup.msi’. When included in a bundle, all product version fields in an MSI package must be less than 65536.
This error no longer occurs.

Under certain circumstances, Sentinel LDK License Manager Service would crash. The exception code would map to STATUS_STACK_OVERFLOW in __chkstk API.

Enhancements in Version 7.55

Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:

• Allow specific named users to access specific Batch Codes, protection keys (haspID), or Product IDs.
• Use the «*» wildcard character for IP and hostname.
• Use subnet mask notation (for example: 172.18.8.0/21) for IP addresses

For more information, see «Configuring User Settings» in the Admin Control Center online help.

Issues Resolved in Version 7.55

Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved.

When a user issues a «detach license» request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:

• “allow” user restrictions that are based on a specific user name are not applied because the user name is not available to the License Manager on the license server. If a different restriction such as deny=all@all is also specified, the detach request will be denied.

• If any “deny” user restriction that is applicable for the request in all respects other than username exists, that restriction is applied even if the user name specified in the restriction does not match. For example: If the detach request was sent from a machine with the hostname host123, and a user restriction has been specified deny=skr@host123 on the license server machine, the detach request is denied even the user requesting the detach has a different username.

Sentinel Admin Control Center online help has been updated to describe these limitations.

Enhancements in Version 7.54

Решение проблем с технологией защиты

HASP LM Server running

Ошибка 48

Ошибка 42

При подключении панели телефонии может возникать следующая ошибка «Версия менеджера лицензии Sential HASP устарела КОД: 042«

Ошибка означает, что у Вас используется версия панели телефонии, которая не может работать с установленной на данный момент версией драйвера Hasp. Необходимо обновить версию драйвера HASP. Решение представлено в инструкции.

Ошибка H0033

Ошибка 48 5 718 1275

ПК не видит сетевой ключ

Hasp Key Inactive

Комментарии