This document provides information regarding the Run-time Environment Installer GUI for Sentinel LDK and Sentinel HASP, including supported operating systems, enhancements, known compatibility issue, and issues resolved. ("Sentinel LDK" is the next generation of Sentinel HASP.)
The following topics are discussed:
The operating system versions listed in this section were tested by Gemalto and verified to be fully compatible with Sentinel LDK. Older operating system versions are likely to be fully compatible as well, but are not guaranteed. For reasons of compatibility and security, Gemalto recommends that you always keep your operating system up to date with the latest fixes and service packs.
When using the Installer GUI to upgrade the Run-time Environment, ensure that:
The traditional method until now to protect against malicious application under Windows has been to trust the applications unless they were blocked by an antivirus or other security solution. Device Guard, available in Windows 10 Enterprise, implements a mode of operation in which the operating system trusts only applications that are authorized by your enterprise. You designate these trusted applications by creating code integrity policies.
You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.
Code integrity contains two primary components:
This section describes issues that arise and the workarounds when machines at the end user site are enabled with Device Guard, and the code integrity policy set to “enforce” mode.
Note: The procedures described in this document should be performed by an IT professional who is familiar with Device Guard and code integrity policies.
(LDK-17267) ) When you distribute applications that are protected with SL keys, the customized vendor library (haspvlib_vendorID.*) that are required for these applications are not signed. As a result, Device Guard does not allow the software to operate at the customer site.
Workaround A:
This workaround must be performed at the customer site.
Do the following to add an exception for the customized vendor library file in the code integrity policy:
Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396
To create the policy for the exception:
To deploy the policy file:
Workaround B (not recommended):
This workaround must be performed at the customer site.
Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.
To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath <Policy path> -Option 0 -Delete
(SM-907) Sentinel LDK Vendor Tools fail to load. An error message is displayed, stating that a DLL, LIB, COM, or EXE file is not designed to run on Windows or that the DLL contains an error.
For example:
Workaround A:
Do the following to add a policy for the Sentinel LDK Vendor Tools in the code integrity policy file:
Each of these procedures is described below. For additional details, go to: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps?f=255&MSPPError=-2147217396
To create the policy for the Vendor Tools:
To deploy the policy file:
Workaround B (not recommended):
Perform this workaround at your development site.
Before deploying the code integrity policy, disable UMCI (user mode code integrity) mode.
To accomplish this, run the following command in Windows PowerShell in elevated mode:
Set-RuleOption -FilePath <Policy path> -Option 0 -Delete
No further actions are required.
Reference | Description |
---|---|
SM-4748 | Sentinel Admin Control Center can now be used to configure the License Manager for the following additional considerations:
For more information, see "Configuring User Settings" in the Admin Control Center online help. |
Reference | Description |
---|---|
SM-4942 | Various crash conditions in the License Manager that could be used for denial-of-service attacks or privilege-escalation attacks have been resolved. |
SM-7748 | When a user issues a "detach license" request from a remote Admin Control Center, the user name cannot be included in request. As a result, User Restrictions (defined in ACC on the license server machine) that are based on the user name are handled as follows:
Sentinel Admin Control Center online help has been updated to describe these limitations. |
Reference | Description |
---|---|
SM-889 | Run-time Environment is supported under Windows Server 2016. |
Reference | Description |
---|---|
SM-2090 | Installation of a rebranded RTE would fail when the account name contains multi-byte characters (such as Japanese). The install log would contain an error similar to the following:
|
SM-2957 | The decrypt function in the HASP4 API would give incorrect results after RTE 7.52 or 7.53 was installed. |
SM-3767 | After installation of RTE 7.53, hasplms was unreachable to remote clients. The RTE installer did not add the firewall rule to allow Sentinel License Manager Service. |
Reference | Description |
---|---|
SM-1201 | Given the following scenario:
The update would return a status of OK even though the update fails. |
SM-1549 | Given the following scenario:
The update would return a status of OK even though the update fails. |
Reference | Description |
---|---|
LDK-15786 | The Features page in Admin Control Center now displays the peak number of consumed seats per Feature. The peak number is based on the current License Manager session. For each Feature, the peak number value is displayed as a tool tip for the seats value under the Logins column. This information enables end users and organizations to determine if the number of seats purchased is suitable for their needs. |
SM-815 | The Run-time Environment can now be installed under Windows 10 when Device Guard is enabled. |
Reference | Description |
---|---|
SM-498 | A Sentinel HL (HASP configuration) key would not be accessible by the protected application under the following circumstances: The following conditions exist:
The following actions are performed:
The HL key would not be accessible. |
SM-504 | When using RTE 7.51, a Stop error (BSoD) would occur when the protected application attempted to retrieve the serial number of the disk drive that uses Intel RAID drivers. |
SM-528 | Under certain circumstances, the uninstall of the Run-time Environment on a Windows 8 machine would fail. |
SM-537 | The uninstall of the Run-time Environment would not provide proper notification if it failed to remove all necessary files. The uninstall process now provides a detailed list of any files that it fails to remove and advises the user to remove the files manually. |
SM-824 | During the installation of a rebranded Run-time Environment using the -v flag ( |
SM-830 | Given the following circumstances.
The Run-time Environment would be automatically reinstalled. Now, the Run-time Environment is not installed under these circumstances. |
Reference | Description |
---|---|
LDK-13933 | When installing Sentinel LDK Run-time Environment v7.41 or later under Windows 10 (x86), the file hlvdd.dll was not installed. As a result, the protected application would fail. |
LDK-16215 | Each time the end user would connect a Sentinel HL (Driverless configuration) key to a different USB port on a Windows machine, the Driver Software Installation message box would indicate that a restart was required. |
LDK-16443 | Given the following circumstances:
Instead of generating an error message and rejecting the update, the License Manager would generate the error message and then remove the original SL AdminMode license from the machine. (The license would be restored when the License Manager was restarted.) |
Reference | Description |
---|---|
LDK-12479 | Given the following circumstances:
|
LDK-12860 | When a fully-qualified domain name (FQDN) was provided in the login scope using a character set outside the Windows code page, the login would fail with error code 50 (Scope Result Empty). |
LDK-13136 | Sentinel Licensing API would identify a Max Micro key as a Max key under certain circumstances. |
LDK-13455 | Given the following circumstances:
|
LDK-14274 | Given the following circumstances:
|
LDK-14280 | HASP HL keys are not recognized correctly by the License Manager when keys from two or more vendors are connected to a given machine. |
LDK-14805 | The Run-time Environment did not support RAID controllers that create symbolic links as \Device\RaidPort. |
LDK-15306 | On the Diagnostics page of Admin Control Center, the Requests counter would count a request to local licenses as a remote request. |
LDK-15307 | Given the following circumstances:
|
LDK-15857 | Given the following circumstances:
|
LDK-16113 | When a V2C file to clear the “cloned” status of an SL Legacy license was applied, The “clear clone” operation was not applied correctly until the user restarted the machine. |
LDK-16215 | Driver software was reinstalled and the end user was prompted to restart the machine each time an HL (Driverless configuration) key was connected to a differed USB port on the machine. |
Reference | Description |
---|---|
LDK-12845 | Installation of Sentinel Run-time Environment version 7.40 on a machine with an obsolete version (11.5.x) of Intel RAID drivers would cause a Stop error (BSoD). |
Reference | Description |
---|---|
LDK-6938 | The Run-time Environment now supports Sentinel HL Drive microSD keys. |
LDK-8350 | The diagnostic report in Admin Control Center now provides additional information for driverless keys and updated driver versions |
LDK-10079 | The diagnostic panel in Admin Control Center now displays the version number for the Run-time Environment. |
LDK-10107 | The Admin Control Center log file now indicates the version number for the Licensing API. |
LDK-10279 | The button in Admin Control Center for generating C2V files is now blocked for HASP HL keys and Sentinel HL (HASP configuration) keys. |
LDK-11034 | The Sentinel Keys page in Admin Control Center now displays the capacity of attached Sentinel Drive microSD keys. |
LDK-11335 | Admin Control Center now displays the module name (in addition to the Feature ID) for Sentinel Master keys and Sentinel Developer keys. |
Reference | Description |
---|---|
LDK-7237 | Under certain circumstances, Admin Control Center would continue to show active sessions for an HL key after all sessions had logged out of the key. |
LDK-8866 | Under certain circumstances, if SL license information became corrupted, Sentinel LDK License Manager Service would crash instead of issuing an error message. As a result, it was not possible for the vendor to correct the situation by sending a license update. |
LDK-9797 | The Run-time Environment did not provide a meaningful error message when a given License Manager ID was found on multiple machines in the same network. This situation is typically caused by cloning a VM. As a result, it was difficult to identify the source of the problem when the licenses on these machine were inaccessible. Now an appropriate error message is generated. |
LDK-9948 | Rehosting of an SL Legacy key to a different machine would fail with the return code HASP_CLONE_DETECTED. |
LDK-10273 | Admin Control Center would allow a license to be detached even though the termination date for the detach was invalid. |
LDK-10564 | The Vendor ID for a Master key was not the same in Admin Control Center pages and in the Diagnostics Reports. |
LDK-10857 | When an iSCSI disk was connected to a Windows physical machine, the License Manager would regard the machine as a virtual machine. |
LDK-11478 | After Run-time Environment v.7.32 was installed, running an application that was protected with Sentinel HASP Envelope (prior to Sentinel LDK 6.3) would cause a Stop error (BSoD). |
LDK-11787 | Under certain circumstances, the Licensing API function hasp_get_info would always return a value of 0 as the value for <updateCounter> for an SL license. Now the function returns the correct value for <updateCounter>. |
LDK-11825 | Admin Control Center was not able to display an invalid HL key. Now such a key is visible in Admin Control Center with an indication that the key is not valid. |
LDK-12196 | When an SL key is installed on a machine with Run-time Environment 7.32 or 7.3, the Run-time Environment would continually open additional handles. |
Reference | Description |
---|---|
LDK-6934 | Sentinel LDK Run-time Environment now supports the Sentinel HL Drive microSD key (patent pending). This key has been tested with the following microSD cards:
|
LDK-10090 | Run-time Environment is now supported under Windows 10 Technical Preview Build 10041. |
Reference | Description |
---|---|
LDK-9325 | Given the following circumstances:
|
LDK-8862 | When attempting to access a remote License Manager, Sentinel Admin API would return the incorrect error code SNTL_ADMIN_LM_NOT_FOUND (6002). |
LDK-7237 | Given the following circumstances:
As part of the resolution for this issue, when the count criteria for a network license is modified, all active sessions are automatically terminated. |
Reference | Description |
---|---|
LDK-4468 | The template for customizing entries for the Access log in Sentinel License Manager has been enhanced.
For information on the log template, see the Edit Log Parameters screen and related help screen in Admin Control Center. (Click the Edit Log Parameters button from the Configuration - Basic Settings screen.) |
LDK-735 | Admin Control Center now enables the user to generate a C2V file without the requirement of installing the RUS utility. This is supported for Windows, Mac and Linux platforms. The following limitations apply:
|
Reference | Description |
---|---|
LDK-7084 | The hasp_get_info() function in the Licensing API did not return consistent results for localhost when no IP address set in etc\hosts file for localhost. The function would return either localhost(127.0.0.1) or IPv4. To resolve this issue, the Licensing API must be upgraded to version 7.3 or later and the Run-time Environment must be upgraded to version 6.65 or later. |
LDK-5710 | When the real-time clock battery in a Sentinel HL (Driverless configuration) keys is exhausted, the error code returned by the hasp_login or hasp_login_scope function was HASP_INT_ERR instead of HASP_NO_BATTERY_POWER. |
LDK-5390 | If hasplms.exe is locked at the time the user attempts to upgrade the Run-time Environment, a misleading error message was displayed. The error message now provides an appropriate description of the issue. |
LDK-8895 | When an activated SL Legacy license is installed on a machine that contains Products that have clone protection disabled, and a user then attempts to detach a license, error 64 (clone detected) was generated. Now a license can be successfully detached. |
LDK-8936 | Installation of certain third party tools would cause the removal of a symbolic link from Hardlock drivers. As a result, HL keys would become inaccessible. |
Reference | Description |
---|---|
12506 | Sentinel LDK communicates via TCP and UDP on port 1947. This port is IANA-registered exclusively for this purpose. At the end user site, the firewall must be configured so that communication via this port is not blocked. |
180256 | When a computer names contains UTF-16 characters, Admin Control Center displays the short name for the computer (similar to Windows Explorer). Similarly, the sntl_admin_get function in Admin API returns the short name. |
182646 | After Windows 7 is upgraded to Windows 8, the user is not able to use existing SL licenses or to install new SL licenses. Workaround: After you upgrade from Windows 7 to Windows 8, reinstall the Run-time Environment. |
LDK-2471 | Sentinel Licensing API: On a computer with the Nvidia chip set GeForce 7025/nForce 630a, and where the CPU is AMD Athlon 64 X2, the hasp_read and hasp_encrypt functions may fail with error 39, HASP_BROKEN_SESSION. This problem only exists with HASP HL keys with Firmware version 3.25. Workaround 1: On the computer described above, when error 39 is returned, call the hasp_read or hasp_encrypt function again. It is not necessary to call hasp_login again. Workaround 2: Use Sentinel HL keys with Firmware version 4.2x. |
LDK-8480 | With some new USB chipsets, it is possible that the API hasp_update() call, used to update the firmware of Sentinel HL keys to version 3.25, will generate the HASP_BROKEN_SESSION return code, even if the firmware is correctly updated. (This issue does not occur with Sentinel HL Driverless keys with firmware version 4.x.) Workaround: Install the latest Run-time Environment. The automatic firmware update feature of the License Manager will automatically update the firmware of the key the first time that the key is connected, without the need to call hasp_update(). |
LDK-11418 | For a Java 7 or Java 8 application that is protected with Envelope, the end user must use the following flag when launching the protected application:
If the appropriate flag is not specified, the application may throw java.verifyerror when launched. |
LDK-12145 | When a data file is protected with Version 2 data protection mode for Android platforms: If, for any reason (for example, no license was found), the protected application is not able to decrypt the protected data file, no error message is generated to explain why the file cannot be opened. |
LDK-15786 | The enhancement described in LDK-15786 above is not documented in the online help for Admin Control Center. Workaround: The necessary information appears in the description of the enhancement. |
LDK-17267 | The License Manager fails to load vlibs under Windows 10 when Device Guide is enabled and the Code Integrity policy is set to “enforce”. For more information, see Issues Related to Device Guard and Code Integrity Policies. |
SM-513 | Under Windows 10, a physical machine is detected as a virtual machine when only Hyper-V Hypervisor is enabled. Workaround: Enable other Hyper-V components (Hyper-V Services). |
SM-907 | Sentinel LDK Vendor Tools fail to load under Windows 10 when Device Guide is enabled and the Code Integrity policy is set to "enforce". An error message is displayed regarding a certain DLL, stating that the DLL is not designed to run on Windows or that the DLL contains an error. For more information, see Issues Related to Device Guard and Code Integrity Policies. |
SM-1201 | Under certain circumstances, when updates are applied in the incorrect sequence for an SL Legacy key, an incorrect status is returned. Workaround: A CIR will be issues to resolve this issue. |
LDK-17302 LDK-13953 LDK-14971 |
Given the following circumstances at a customer site:
A rehost operation sometimes fails with the message HASP_REHOST_ALREADY_APPLIED. Workaround: Obtain a new SL license from the software vendor for the protected application on the target machine. Before attempting any additional rehost procedure, install the latest Run-time Environment on both machines. |
SM-2895 SM-2957 |
HASP4 applications protected with Sentinel LDK Envelope do not run with Run-time Environment 7.52 and 7.53 Workaround: Use Run-time Environment 7.50 or earlier to continue using HASP4 applications protected with Sentinel LDK Envelope. |
© Gemalto 2017. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries.