Chapter 14. License and serial number servers 153
14.4.3 Security
There are security aspects involving license server usage that should be understood. The
SafeNet license server may have three lists of IP addresses (or domain names or ranges of
IP addresses):
The Authorized User List determines which systems can use a web interface to manage
the SafeNet license server. The default list contains only one address: 127.0.0.1, which is
the local host and is always allowed whether specified or not.
The Allowed Site Address list determines which clients may obtain zPDT licenses from
this server. If the list is empty (the default) then any client may obtain a license from this
server.
The Blocked Site Address list specifies client addresses that may not obtain a license from
this server. If the list is empty (the default) then no client addresses are blocked.
Each list is limited to 32 entries. These lists are in the sntlconfigsrve.xml file in
/opt/safenet_sentinel/common_files/sentinel_keys_server/ and may be edited there.
They can also be managed by pointing a browser to port 7002 on the machine running the
SafeNet license server, for example:
http://localhost:7002 (if working on the server machine)
If a different machine is used to access the server web interface, then the IP address of that
machine must be listed in the Authorized User List. We strongly suggest using the browser
method because directly editing this XML file is prone to introducing syntax errors that cause
the license server to fail (without error messages). List entries might take any of the following
forms:
127.0.0.1 (a simple IP address)
my.local.domain.com (a domain name)
10.1.1.2-10.3.255.254 (a range of IP addresses)
Be certain to click the update button on the web page after keying updates to the lists. You
must then restart the SafeNet server:
# cd /opt/safenet_sentinel/common_files/sentinel_keys_server
# ./loadserv restart
These lists provide one way to secure usage of a zPDT license server. Other methods, such
as restricted router interfaces or non-routable IP addresses, may be more appropriate.
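The three entry forms and the 32-entry limit described above can be checked before entries are keyed into the web page or the XML file. The following Python is an added example, not part of zPDT or the SafeNet software; the function names, the IPv4-only handling and the domain-name pattern are assumptions, and it does not reproduce how the server itself evaluates the lists.

```python
import ipaddress
import re
MAX_ENTRIES = 32  # per-list limit stated in the text
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")  # assumed RFC 1123 name form

def parse_entry(entry):
    """Classify an entry as ('ip', a), ('range', lo, hi) or ('name', s); else ValueError."""
    entry = entry.strip()
    try:
        return ("ip", ipaddress.IPv4Address(entry))  # assumption: IPv4 only
    except ValueError:
        pass
    lo, sep, hi = entry.partition("-")
    if sep:
        try:
            lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        except ValueError:
            pass  # not two addresses; may still be a hyphenated domain name
        else:
            if lo > hi:
                raise ValueError(f"range start is above range end: {entry!r}")
            return ("range", lo, hi)
    # An all-numeric last label is a mistyped address or range, not a domain name.
    if _HOSTNAME.match(entry) and not entry.rsplit(".", 1)[-1].isdigit():
        return ("name", entry.lower())
    raise ValueError(f"not an IP address, range or domain name: {entry!r}")

def check_list(entries):
    """Return (parsed_entries, problems) for one of the three lists."""
    parsed, problems = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for item in entries:
        try:
            parsed.append(parse_entry(item))
        except ValueError as exc:
            problems.append(str(exc))
    return parsed, problems

def covers(parsed, client_ip):
    """True if client_ip equals an 'ip' entry or lies in a 'range' entry (names not resolved)."""
    ip = ipaddress.IPv4Address(client_ip)
    return any((p[0] == "ip" and p[1] == ip) or
               (p[0] == "range" and p[1] <= ip <= p[2]) for p in parsed)

if __name__ == "__main__":  # constructed sample; the last entry is deliberately malformed
    parsed, problems = check_list(["127.0.0.1", "10.1.1.2-10.3.255.254", "10.1.1.300"])
    print(problems, covers(parsed, "10.2.0.7"))
```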
Firewalls
Working with the zPDT default port numbers, a firewall on a license and UIM server must
allow connections to ports 9450 and 9451. One solution is to simply disable the firewall on the
license server. Another solution is to enable the firewall and open the required ports with
commands such as:
# iptables -I INPUT -p tcp --dport 9450 -j ACCEPT
# iptables -I INPUT -p tcp --dport 9451 -j ACCEPT
These commands must be entered (from a root userid) each time the server Linux system is
booted, because rules added this way are not preserved across a reboot unless they are
saved. Network management skills are needed to properly implement the server functions.










