Friday, April 22, 2011

Installing VLC on a jailbroken iPad

So, you've got a jailbroken iPad. Cydia is installed. You've got an international flight in 6 hours and you want some movies to pass the time. Here's a 5 minute guide to getting VLC (and movies!) onto your iPad.

  1. If you haven't jailbroken your iPad, you won't have Cydia and you cannot proceed. Refer to my previous blog post.
  2. Open Cydia.
  3. Install VLC.
  4. Install OpenSSH. This installs an SSH server on your iPad, which also gives you SFTP: think of it as a drop box for files. You connect to it with an SFTP client and copy your movies across. One caveat: every jailbroken iOS device starts with the same root password (alpine, see step 7), so until you change it anyone on the same Wi-Fi network who knows that password can log in to your iPad as root.
  5. Install an SFTP client on your computer. If you're using a Mac, the best client is FileZilla. If you're using Windows, the best client is...FileZilla.
  6. Find the IP address of your iPad. This is in Settings > Wi-Fi > (your access point).
  7. Open FileZilla and enter the following settings
    1. Host: sftp://(your iPad's IP address) (SFTP on port 22, not plain FTP)
    2. Username: root
    3. Password: alpine
  8. The FileZilla screen is split vertically. The left side shows the files on your local computer. The right side shows the files on your iPad.
  9. On the right side, navigate to /private/var/mobile/Media.
  10. On the left side, navigate to the folder containing your movies.
  11. Drag the movies from the left to right.
  12. Before you disconnect, change the default root password: open a terminal, run ssh root@(your iPad's IP address), then run passwd and choose a new password. Otherwise the SSH server you just installed is a root login with a password the whole world knows.
  13. When you're done, open VLC.
There you go! Now load your iPad quickly: movies copy over Wi-Fi, and you might not have enough time to copy everything you want before your flight departs!

Jailbreaking the iPad on iOS 4.3.2 with redsn0w

I've got a Sydney to Singapore flight tomorrow and I was looking to fill my iPad with the usual international flight movies: a season of Law & Order (the classic seasons when they still used typewriters), some Comedy Central Roasts and a few movies I've been meaning to watch. Normally this would just be a matter of copying movies into the VLC iPad application, but, the VLC application has been removed from the App Store!

Fortunately, it's still available from the Cydia App Store. But this means you'll need to jailbreak your iPad. Normally I leave my iPad jailbroken, but I have a long flight and I want some entertainment...

Items required to jailbreak

  1. redsn0w: you'll need at least version 0.9.6rc14. That won't mean much to you if you don't compulsively follow the iOS jailbreaking scene. In any case, just download it. It's available for both Windows and MacOS.
  2. iPad firmware: this is the 4.3.2 firmware for the iPad. Not the iPad2 - I'm stubbornly holding onto my iPad1. You can download this here. redsn0w modifies this IPSW to contain a payload which contains magic.
  3. iTunes 10.2.2. This is a no brainer. If you're using MacOS, use Software Update to ensure you have the latest version. If you're running Windows, find your nearest Apple Store and buy a Mac.
Now that we've got the tools, let's do it!
  1. Use iTunes to update your iPad to the latest iOS version 4.3.2.
  2. Run redsn0w and follow the instructions.
  3. Done! You'll know if your iPad was successfully jailbroken if there is an extra icon labelled Cydia.
If you're getting the error message "IPSW not recognized", your version of redsn0w isn't new enough. If redsn0w crashes, chances are you've downloaded the wrong iPad firmware. Make sure the iPad firmware you've downloaded matches your actual iPad firmware. You can check your current iPad firmware in Settings > General > About.  If your iPad firmware is 4.3.2 (8H7) and you're trying to run redsn0w on a file that isn't called iPad1,1_4.3.2_8H7_Restore.ipsw, you'll run into problems.

This jailbreak shouldn't take longer than 5 minutes (except for downloading the IPSW - your connection speed may vary!) If the "Downloading Jailbreak Data" screen appears on your iPad for more than 30 seconds, something is wrong.

Anyway, I have to load up my iPad with some movies for my flight. Enjoy your Easter holidays!

Thursday, April 14, 2011

FlexNet, FLEXnet, FlexLM, FLEXlm, it’s the same product, stop renaming it you crazy marketing people: an overview.

Hundreds of years ago, software vendors had a problem. They realized distribution of their software was uncontrolled after they sold their products: that is to say, people pirated their software. Vendors had to rely on the goodwill of their users to not copy their software. Until FlexNet was invented in 1988, times were hard for software vendor salespeople.

Sales person: “Hello customer! I can sell your company 100 licenses of this expensive product for the low price of $100,000!”
User: “If I buy 1 license, will your software stop me from installing it on 100 company computers, all my friends computers and all the computers in my brother-in-law’s electorate?”
Sales person: “No.”
User: “In that case, I’ll buy 1 license.”

Over the next two decades, the FlexNet licensing framework (aka. FLEXnet, FlexLM, Flexlm, Flex Kal El, Flex LM2: Electric Boogaloo and El Flexacabra) would allow vendors to minimize this problem. This worked by having a license server that would keep track of how many licenses were in use, how many licenses the user had purchased, and how many cabbages would be thrown at the user if they tried exceeding this limit (typically a student trying to use a pirated copy of AutoCAD).

But how did they restrict the software to the licensed computer? They did it by locking the software to what was treated as the only unique and unchangeable serial number a computer has: the MAC address of the network adapter. (It is neither: a MAC address can be set in software on most adapters, which is part of why vendors also offer dongle-locked licenses.) When you purchase software that is FLEXenabled, the vendor will ask you for your license server MAC address. They will give you a license file which is locked to this MAC address. If you do not provide the vendor a MAC address, they will steal your automobile’s air freshener. It may seem harsh, but this is the price of software license management.

A typical MAC address.

Once you have a license file, you can set up your license server. This server needs to be reliable, otherwise people won’t be able to use the legally obtained software your company has purchased, driving them to a life of unhappiness and overeating. Your license server needs to be network connected (2600 baud token ring should be fine) because FLEXenabled applications on your client computers need TCP/IP connectivity to the license server’s port to send their license check-out requests.

So Mr. Paul, tell me more about this type of exercise!

OKAY! At its core, FlexNet is a service on a Windows server (or a daemon on a Linux server). In Flex terminology, each service/daemon is referred to as a license server. Here is a screenshot of multiple FlexNet license servers installed on a Windows server. You will require a video card to view the following image.

Windows services: all the crappy license servers
The Windows Services management console. To access this screen, you will need enough money to buy a Windows license.

I have highlighted the FlexNet license servers with red boxes. If your computer only has a CGA or EGA graphics adapter, these may appear as black or light blue boxes. Are you impressed? We can take that one step further. If your computer has Microsoft Silverlight, you can zoom further to reveal more. Let’s zoom in on the Autodesk License Manager to see what the heck a license manager service consists of.

A folder containing the FlexNet licensing components. In Linux, the Windows logo in the upper right is replaced with a penguin.

Each FlexNet license server consists of 6 components.

  • The FlexNet license manager (lmgrd.exe) is the server that does everything. When started, it starts the vendor daemon (more on this later), hogs a port (27000 by default; it takes the first free port in 27000-27009 unless the license file pins one) and waits for license management queries. When an application says “My stupid user wants to model Donald Trump’s hairpiece in AutoCAD, are there any AutoCAD licenses remaining?”, the FlexNet license manager replies helpfully with “What? I’m just the project manager, I don’t do any work! Go ask the vendor daemon on port 1234.”
  • The vendor daemon contains the business logic required to determine whether a license is available. When started, the vendor daemon will hog a port of its own and then read the license file to see what you’re entitled to. It will then wait for referrals from the FlexNet license manager. When the client contacts it asking for a license for a particular feature, it will respond with either yay or nay. If it responds with yay, the application will work. If it responds with nay, the application will respond with “YOU HAVE NO LICENSES: BUY MORE LICENSES DEADBEAT” and then fill your house with ghosts who will push you down the stairs and break your legs.
  • The license file contains your entitlement information. A FLEXenabled application could contain many licensed features. For example, the Autodesk Education Suite 2010 consists of the following features, some of which you may or may not be licensed for:
    • Autodesk AutoCAD – 10 licenses
    • Autodesk 3ds Max – 1 license
    • Autodesk Green-Up-Your-Building-Yo – 60,000 licenses
    • Autodesk The White Album - unlimited licenses
    • Autodesk Toupee Modelling – 2,000,000,000 licenses

The license file also contains information on which vendor daemons are allowed to read it.

  • The options file allows license check-out to be restricted. You can restrict licenses to IP addresses, IP ranges, hostnames, usernames, or a combination. This is a useful feature if you think that people named Paul are morons who should never be allowed to use AutoCAD let alone a computer or a refrigerator. The file extension is .opt. If you give an options file a different extension bees will swarm your local pool.
  • The log file contains any server related events (ie. logging when the license server has stopped, started, failed, died, submitted its tax return, run over pedestrians, etc.). The file extension is .log. If anything goes wrong it is about as useful as a log. If you are having issues with your licensing, do not send me your log file. I cannot emphasise that enough.
  • The debug log file contains license related events (ie. when licenses have been checked-in or checked-out). File extension is .debuglog. If you are a linux neckbearded geek with no life, you can write an application which reads this .debuglog file and tells you which license features are most popular (probably that toupee modelling one) and which ones are least popular (so you can stop buying those features and spend the money on Domo merchandise).

How do license checkouts work?

FlexNet is a client-server application. That is to say, the client (your end user) wants to kill the server administrator when the licensing is broken (in a good year, this can be up to 99% of the time). However, in the unlikely event your license infrastructure is working, the license check-out process is as follows.


  1. Client contacts the FlexNet Server
    The client (typically a laptop user in a north pole igloo) starts AutoCAD. AutoCAD looks in a few places (environment variables such as LM_LICENSE_FILE, the Windows registry, licensing files, adjacent barrels) for the hostname and port of the FlexNet license server. It will ask the FlexNet license server for the vendor daemon port.
  2. Server responds with vendor daemon port
    The FlexNet license manager replies with the port of the vendor daemon and sometimes the location of your neighbourhood chemist.
  3. Client responds with license check-out request
    The client responds with “AutoCAD license: give me 1.”
  4. Vendor daemon checks license file
    The vendor daemon determines whether any valid licenses are available.
  5. Vendor daemon replies with yay/nay
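
Here is the same five-step exchange as a small Python model, added for this page (it is not Flexera's code, and the license file, options file, user names, hostnames, vendor name and seat counts in it are constructed, with the file syntax simplified from the real thing). The point it makes that the prose can't: lmgrd never reads an entitlement, it only hands out a port; the vendor daemon owns the seat count, applies the options file (an EXCLUDE beats an INCLUDE, and an INCLUDE turns a feature into a whitelist) and writes the OUT/IN/DENIED lines you later find in the .debuglog.

```python
"""Toy model of a FlexNet-style check-out: lmgrd redirects, the vendor daemon
decides. Added example for this page, not Flexera's code; the license and
options files below are constructed and their syntax is simplified."""
from dataclasses import dataclass, field

# Constructed license file: SERVER (locked to a MAC), one VENDOR, two FEATUREs
# (FEATURE name vendor version expiry seat-count).
LICENSE_FILE = """\
SERVER licsrv01 001122334455 27000
VENDOR adskflex port=2080
FEATURE AutoCAD adskflex 2010.0 permanent 10 SIGN=0
FEATURE 3dsMax adskflex 2010.0 permanent 1 SIGN=0
"""
# Constructed options file; "EXCLUDE feature TYPE name" is the real .opt shape.
OPTIONS_FILE = """\
EXCLUDE AutoCAD USER paul
INCLUDE 3dsMax HOST render01
"""

@dataclass
class VendorDaemon:
    """Owns the business logic: seat counts, options-file rules, debug log."""
    name: str
    port: int
    seats: dict = field(default_factory=dict)     # feature -> seats purchased
    rules: list = field(default_factory=list)     # (INCLUDE|EXCLUDE, feature, TYPE, who)
    in_use: dict = field(default_factory=dict)    # feature -> ["user@host", ...]
    debug_log: list = field(default_factory=list)

    def _allowed_by_options(self, feature, user, host):
        ident = {"USER": user, "HOST": host}
        mine = [r for r in self.rules if r[1] == feature]
        if any(a == "EXCLUDE" and ident.get(t) == w for a, _, t, w in mine):
            return False                          # EXCLUDE always wins
        includes = [r for r in mine if r[0] == "INCLUDE"]
        # once a feature has INCLUDE rules, only the listed users/hosts get it
        return not includes or any(ident.get(t) == w for _, _, t, w in includes)

    def checkout(self, feature, user, host):
        who = f"{user}@{host}"
        if feature not in self.seats:
            reason = "no such feature"
        elif not self._allowed_by_options(feature, user, host):
            reason = "denied by options file"
        elif len(self.in_use.get(feature, [])) >= self.seats[feature]:
            reason = "all seats in use"
        else:
            self.in_use.setdefault(feature, []).append(who)
            self.debug_log.append(f'({self.name}) OUT: "{feature}" {who}')
            return True, "granted"
        self.debug_log.append(f'({self.name}) DENIED: "{feature}" {who} ({reason})')
        return False, reason

    def checkin(self, feature, user, host):
        who = f"{user}@{host}"
        self.in_use[feature].remove(who)
        self.debug_log.append(f'({self.name}) IN: "{feature}" {who}')

@dataclass
class Lmgrd:
    """The license manager: it only knows which vendor daemon is on which port."""
    host: str
    hostid: str                                   # the MAC address in the SERVER line
    port: int
    daemons: dict = field(default_factory=dict)   # vendor name -> VendorDaemon

    def vendor_port(self, vendor):
        daemon = self.daemons.get(vendor)
        return daemon.port if daemon else None

def parse_license_file(text):
    """Build lmgrd and its vendor daemons from SERVER / VENDOR / FEATURE lines."""
    lmgrd, daemons = None, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kind = parts[0].upper()
        if kind == "SERVER":
            lmgrd = Lmgrd(parts[1], parts[2], int(parts[3]))
        elif kind == "VENDOR":
            opts = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
            daemons[parts[1]] = VendorDaemon(parts[1], int(opts.get("port", 0)))
        elif kind == "FEATURE":
            name, vendor, _version, _expiry, count = parts[1:6]
            daemons[vendor].seats[name] = int(count)
    lmgrd.daemons = daemons
    return lmgrd

def load_options_file(daemon, text):
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[0].upper() in ("INCLUDE", "EXCLUDE"):
            daemon.rules.append((parts[0].upper(), parts[1], parts[2].upper(), parts[3]))

def client_checkout(lmgrd, vendor, feature, user, host):
    """Steps 1-5 from the post: ask lmgrd for the port, then ask the vendor daemon."""
    port = lmgrd.vendor_port(vendor)              # steps 1 and 2: lmgrd just redirects
    if port is None:
        return False, "vendor daemon not running"
    daemon = next(d for d in lmgrd.daemons.values() if d.port == port)
    return daemon.checkout(feature, user, host)   # steps 3 to 5
```

Build the server with parse_license_file(LICENSE_FILE), load the options file into lmgrd.daemons["adskflex"], then run check-outs and watch debug_log fill up. In this model the options-file rules are evaluated before the seat count, so a request from paul for AutoCAD is refused even when all ten seats are free, while the single 3ds Max seat is only ever handed to render01.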

So there you have the basics of FlexNet. It is a completely foolproof framework for preventing filthy pirates (read: students) from pirating your application. Some questions still linger: how can I make my license service redundant in case someone drops a lobster into my license sever and destroys it? Where should I purchase cheap name brand footwear? What colour is a license file? I will address these issues in a following post if I feel like it. Stay tuned.

Wednesday, April 13, 2011

Setting up an Aladdin HASP license server

In my last licensing blog post, I wrote about how AnywhereUSB devices could be used to virtualize physical license servers with USB copy protection dongles. In this post, I’ll show you how to set up an Aladdin HASP license server from scratch. Nothing about it is difficult, but the entire process is unintuitive. There are two nearly indistinguishable types of HASP keys, and you’ll need different installers for each. And you launch the installer from the monitoring component. So obvious. And the great thing about licensing is, you have no choice! You either figure out how the licensing application works, or you don’t use the software.

To begin, you’ll need three bits of software.
  • Digi AnywhereUSB drivers
    These will install the virtual USB controllers on your server and install the AnywhereUSB management console. If you’re installing the HASP license server on a physical server with USB ports, you obviously don’t need to install this.

  • Aladdin Monitor
    This is a management console for your HASP devices. It shows you what devices are connected, whether the HASP services have started, and the clients that have checked out licenses (for HASP HL keys). It is also the installer for the HASP HL Service. How obvious! The user interface for the Aladdin Monitor is among the worst ever produced (up there with BMW iDrive and SAP).

    You can download the Aladdin monitor installer (aksmon32_setup) here.

  • Aladdin HASP4 server
    The Aladdin HASP4 server acts as an intermediary between Aladdin HASP4 protected applications and the Aladdin HASP4 dongle.

    You can download the Aladdin HASP4 server installer (lmsetup.exe) here.
To begin, install the AnywhereUSB drivers. I’ll describe how to install these drivers in a later blog post.
Next, install the Aladdin Monitor by performing the following steps.
  1. Extract the aksmon32_setup.exe file from the package to the destination server.
  2. Run the aksmon32_setup.exe installer.
  3. Unless you are a German speaker, select U.S. English then click OK. Perhaps Aladdin HASP makes more sense if you select German (UPDATE: according to a German reader, no. It isn't any more intuitive in Deutsch).

    Aladdin HASP Monitor installer: select language

  4. At the Welcome screen, click Next.
    Aladdin HASP Monitor installer: welcome screen

  5. At the License Agreement screen, sign away your rights by clicking I agree then clicking Next.

    Aladdin HASP Monitor installer: license agreement screen

  6. At the Destination Location screen, click Next.

    Aladdin HASP Monitor installer: destination installation screen

  7. The installer will ask you if you want to keep a backup. This backup is completely useless, but we’ll select Yes anyway. Click Next.

    Aladdin HASP Monitor installer: backup request screen

  8. Click Next to start the installation of the Aladdin Monitor.

    Aladdin HASP Monitor installer: ready to install screen

  9. Once the installation has completed, click Finish to exit the installer.

    Aladdin HASP Monitor installer: installation complete screen

  10. The Aladdin Monitor is now available in the Start Menu.

    Aladdin HASP monitor link in Start Menu
That was boring! Now time to install the Aladdin HASP HL-Service. You have to do this from within the Aladdin Monitor. How intuitive! Let's begin before you fall asleep.
  1. Open the AKS Monitor application
    (Start > Programs > Aladdin > Monitor > AKS Monitor)

    Aladdin Monitor

  2. Click Services > Hardlock > Install HL Service

    Aladdin Monitor: Install HL-Server Service

  3. A prompt will appear.
    Click OK to accept.
    Aladdin monitor: confirmation of Hardlock service installation

  4. Now it’s time to make sure the HASP HL service automatically restarts if it crashes (a license service crashing? Surely not!).
    Open the Computer Management console (Start > Run > compmgmt.msc)

  5. Select the Services node in the left-hand pane

  6. Select the HL-Server service.
    Aladdin monitor: checking the service start settings

  7. Right-click on the HL-Server service and click Properties.

    Aladdin monitor: checking the service start settings

  8. On the Recovery tab, change the First failure, Second failure and Subsequent failures responses to Restart the Service.

    Aladdin monitor: setting the HL-Service to restart automatically

  9. Click OK to close the properties window.

  10. Close the Computer Management console.

  11. In the AKS Monitor, click Services > Hardlock > Start HL-Server Service. This will cause the HL-Server service to rescan the network for Aladdin dongles.

    Aladdin monitor: starting the HL-Server

  12. Once the scan is complete, an HL-Server will appear under the HL-Server folder.

    Aladdin monitor: looking at the HL-Server node

  13. Expanding the server node will show all the Aladdin dongles connected to the server. In this case, there is a single Aladdin dongle with the module address of 6903.

    Aladdin monitor: a Hardlock dongle has appeared!
  14. Close the Aladdin Monitor.
Okay, we’re nearly there. If we plug in an Aladdin HASP HL dongle, it will work. Now we need to install the software to support Aladdin HASP4 dongles! To do this, perform the following steps.
  1. Extract the lmsetup.exe file from the package to the destination server.
  2. Run the lmsetup.exe installer.
  3. Select U.S. English then click OK.


  4. At the Welcome screen, click Next.


  5. At the End User License Agreement screen, click I accept the license agreement then click Install.


  6. At the Installation Type screen, select Service (nhsrvice.exe) then click Next.
    Installing it as an application is utterly stupid and would require you to log in to start the license service.


  7. At the Choose Destination Location screen, click Next.


  8. At the Select Program Manager Group screen, click Next.


  9. At the Device Driver Installation screen, click Next.

    This screen will appear even if the appropriate driver is present on the server. Good work guys!


  10. If a Driver Installation error message appears, click OK to continue.
    This behaviour is by design and expected.


  11. On the HASP License Manager screen, select Yes then click Finish to complete the installation.


  12. Now, time to make sure the service automatically restarts when it crashes.

    Open the Computer Management console
    (Start > Run > compmgmt.msc)
  13. Select the Services node in the left-hand pane
  14. Select the HASP Loader service.


  15. Right-click on the HASP Loader service and click Properties.


  16. On the Recovery tab, change the First failure, Second failure and Subsequent failures responses to Restart the Service.


  17. Click OK to close the properties window.
  18. Close the Computer Management console.
  19. Open the AKS Monitor application
    (Start > Programs > Aladdin > Monitor > AKS Monitor)
  20. The server name will appear under the HASP License Manager server.


  21. Close the Aladdin Monitor.
Woo, finally done! Now all you need to do is point your HASP clients at your HASP server! Maybe I’ll write a post on that.

Tuesday, April 12, 2011

Deploying VMs with multiple interfaces through PowerCLI

The easiest way of deploying a large number of VMs quickly is with a PowerCLI script. You write a script that modifies a guest customization spec, then you deploy from that spec. But how do you configure the IP addresses on the deployed VM?

Get-OSCustomizationNicMapping -spec myCustomization | Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress 192.168.0.100 -SubnetMask 255.255.255.0 -DefaultGateway 192.168.0.1 -Dns 192.168.0.150,192.168.0.151

Simple enough, but what if the server has multiple interfaces? Look at the output above. See the ‘Position’ column? ‘1’ means that the first network adapter is being modified. You can select a different network adapter by filtering on the Position attribute of the objects Get-OSCustomizationNicMapping returns.

Get-OSCustomizationNicMapping -spec myCustomization | where { $_.Position -eq '1'} | Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress 192.168.0.100 -SubnetMask 255.255.255.0 -DefaultGateway 192.168.0.1 -Dns 192.168.0.1,192.168.0.1

Notice how the output is the same. We can modify the second adapter by changing the Position attribute to 2.

Get-OSCustomizationNicMapping -spec myCustomization | where { $_.Position -eq '2'} | Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress 192.168.0.100 -SubnetMask 255.255.255.0 -DefaultGateway 192.168.0.1 -Dns 192.168.0.1,192.168.0.1

All good. But, you should only have a single default gateway on a server. When we try to execute the command without the –DefaultGateway argument, we get an error message.

Set-OSCustomizationNicMapping : Missing an argument for parameter 'DefaultGateway'. Specify a parameter of type 'System.String' and try again.
At line:1 char:204
+ Get-OSCustomizationNicMapping -spec myCustomization | where { $_.Position -eq '2'} | Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress 192.168.200.100 -SubnetMask 255.255.255.0 -DefaultGateway <<<<  -Dns 192.168.0.150,192.168.0.151
+ CategoryInfo : InvalidArgument: (:) [Set-OSCustomizationNicMapping], ParameterBindingException
+ FullyQualifiedErrorId : MissingArgument,VMware.VimAutomation.ViCore.Cmdlets.Commands.SetOSCustomizationNicMapping

That message is PowerShell’s parameter binder complaining that -DefaultGateway was named without a value (note the bare -DefaultGateway <<<< in the command above), so the first thing to try is leaving the parameter out altogether rather than passing it empty. If Set-OSCustomizationNicMapping still insists on a gateway for every adapter, the workaround is this: set the OSCustomizationNicMapping so both interfaces have default gateways, then use a RunOnce command to remove the default gateway you don’t want. In the Guest Customization settings, go to Run Once and add the command

netsh interface ip delete address "Local Area Connection" address=192.168.0.1 gateway=all


This command will delete the default gateway 192.168.0.1 on the interface "Local Area Connection" (the first network adapter). Obviously if you want to delete the default gateway on the second adapter, change this to "Local Area Connection 2".

I hope this helps you. In the meantime, I will file a bug report with VMware and see if it’s fixed in VMware 5.

Wednesday, April 6, 2011

Jailbreaking the iPhone 4 on iOS 4.3.1 with redsn0w

With every iOS release, you can expect a jailbreak within several weeks. iOS 4.3.1 is no exception! Being the resident office iPhone enthusiast, I've had a few people ask me how to jailbreak their iPhones, and whether it's worth it. It's funny that the why precedes how :)

Well, the good news is that it's simple and straightforward.

  1. To begin, consult the helpful Jailbreak Matrix to see if your iOS firmware and phone model can be jailbroken. If you've bought an iPhone in the last two years, the answer is generally yes.
  2. Download your current iOS firmware (a link is provided in the Jailbreak Matrix).
  3. Download the jailbreaking application redsn0w. redsn0w will modify your downloaded iOS firmware to contain a payload.
  4. Run redsn0w and follow the instructions. redsn0w will modify your downloaded firmware then guide you through the process of uploading it to your phone. This involves placing your iPhone in DFU (Direct Firmware Update) mode, which takes a few tricky keypresses. If you don't get it at first, keep on trying. It took me 4 or 5 times to get it right!
  5. Once the firmware has been uploaded, you can close redsn0w as the rest of the jailbreak takes place on your iPhone.

If you're stuck with a "Moving Applications" screen while your iPhone 4.3.1 is being jailbroken, be patient! I had to wait 4-5 minutes for redsn0w to progress beyond that point. Now that you're waiting for your phone to be jailbroken, check out these 5 bloody good reasons to jailbreak your iPhone!

(Disclaimer: jailbreaking can potentially brick your phone and void your warranty! Only do it if you have a compelling reason. Like BiteSMS).

Tuesday, April 5, 2011

Aladdin HASP security dongles, USB-over-Ethernet devices, and licensing frameworks.

If you’ve done virtualization work in engineering companies, you’ve probably come across a USB hardware dongle. These awful devices are used to ‘secure’ software from unauthorized copying. Software companies love them because they believe that dongles prevent piracy (or at least make it difficult), and VMware architects hate them because
  • they require additional hardware and software to use in a virtual environment
  • the additional software is sometimes flaky
  • physical elements add a single point of failure and prevent us from using SRM
  • they’re difficult to test because our customers need them to use their products, and we need them to test our solutions
  • we dislike physical things.
In 2010-2011, the most common type of security dongle in circulation is the Aladdin HASP series. Aladdin HASP is a family of hardware produced by SafeNet Inc (previously Aladdin Knowledge Systems). There are several types of HASP dongles.
  • HASP
  • HASP4
  • HASP Hard Lock (HL)
  • NetHASP
  • TimeHASP
The most common HASP keys are the HASP4 and HASP HL. The features of these two types differ: amount of onboard memory (used to store entitlements, instructions) and encryption strength. Neither dongle has a battery-backed RTC (real-time clock, typically used to enable time-based software rental). HASP keys can be identified by their translucent and coloured shells. The following are photos of the HASP4 and HASP HL keys.
Aladdin HASP dongles - universally disliked
Dongles: back, and with a vengeance!
As shown above, the form factor cannot be used to accurately identify the type of dongle. HASP4 dongles typically have stickers containing the letters H4. HASP HL dongles typically have an engraving reading HASP HL.
Dongles are only half of the problem. The other half is the license software used to drive them. For HASP4 dongles, it’s often FlexNet. For HASP HL dongles, it’s the HASP HL server.
Applications protected with FlexNet and Aladdin HASP4
FlexNet is a licensing framework published by Flexera Software. Vendors license and customize the FlexNet framework to meet their entitlement management requirements. In the majority of FlexNet implementations, machine-specific license files are used to protect applications.
The non-dongle FlexNet license check-out process is illustrated below.
FlexNet - license checkout process
  1. Client contacts FlexNet license server and requests vendor daemon port: The FLEXenabled application contacts the license server and asks for the port of the vendor daemon. The FLEXenabled application knows the hostname and FlexNet license server port number from the client license file.
  2. Server responds with vendor daemon port: The FlexNet license manager replies with the port of the vendor daemon
  3. Client responds with license check-out request: The FLEXenabled application sends a license check-out request to the vendor daemon
  4. Vendor daemon reads license file to determine entitlement
  5. Server sends accept or reject: The vendor daemon determines whether any valid licenses are available and sends an accept/reject to the FLEXenabled application.
The FlexNet framework supports the use of Aladdin HASP hardware dongles (as well as other dongle types). HASP4 sits on top of the FlexNet framework. This involves an additional step between step 4 and 5. I’ll label these 4A and 4B.
FlexNet and HASP - license checkout process
4A. Contact HASP4 server: the vendor daemon contacts the HASP4 server and requests the HASP_ID of all connected HASP dongles.
4B. Dongle check: The HASP4 server contacts all connected HASP dongles and retrieves the HASP_ID. It passes these to the vendor daemon which checks for an authorized dongle.
Applications protected with HASP HL
Aladdin HASP HL is a standalone licensing framework. The license check-out process is illustrated below.
Aladdin HASP HL - license checkout process
  1. Client contacts HASP HL Server: The protected application sends a request for a license check-out to the HASP HL Server.
  2. Entitlement check: The HASP HL Server asks the Aladdin HASP HL dongle whether the license check-out is permitted. The dongle determines whether this is allowed and replies with an answer.
  3. Response: The HASP HL Server replies to the application.
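The two dongle-backed paths above, modelled in Python so the failure modes are explicit (an added example written for this page, not SafeNet/Aladdin or Flexera code; the HASP_IDs, feature names and class names are constructed). FlexNet+HASP4 is the vendor daemon from the April 14 post with steps 4A/4B bolted on: it asks the HASP4 server for every visible HASP_ID and looks for the one its license is locked to. HASP HL skips FlexNet entirely and lets the key answer per feature. Both go through the USB-over-Ethernet hub, so both fail the same way when the hub drops off the network.

```python
"""Model of the two dongle-backed check-out paths (FlexNet + HASP4, and HASP HL)
with a USB-over-Ethernet hub on the path. Added example for this page, not
SafeNet/Aladdin or Flexera code; HASP_IDs and feature names are constructed."""


class UsbOverEthernetHub:
    """The AnywhereUSB-style box: keys are only visible while it is reachable."""
    def __init__(self, *dongles):
        self.dongles = list(dongles)
        self.reachable = True

    def attached(self):
        return list(self.dongles) if self.reachable else []


class Hasp4Dongle:
    """A HASP4 key: on this path it only has to be present with the right ID."""
    def __init__(self, hasp_id):
        self.hasp_id = hasp_id


class HaspHLDongle:
    """A HASP HL key: it holds the entitlement and answers per feature."""
    def __init__(self, hasp_id, features):
        self.hasp_id = hasp_id
        self.features = set(features)

    def permits(self, feature):
        return feature in self.features


class Hasp4Server:
    """Step 4B: enumerate every HASP4 key reachable through the hub."""
    def __init__(self, hub):
        self.hub = hub

    def hasp_ids(self):
        return [d.hasp_id for d in self.hub.attached() if isinstance(d, Hasp4Dongle)]


class DongleLockedVendorDaemon:
    """FlexNet vendor daemon whose license is locked to a HASP_ID, not a MAC."""
    def __init__(self, hasp4_server, licensed_hasp_id):
        self.hasp4 = hasp4_server
        self.licensed_hasp_id = licensed_hasp_id

    def checkout(self, feature):
        # seat counting is unchanged from the plain FlexNet flow; only the
        # host-id check differs, so that is all this model implements
        ids = self.hasp4.hasp_ids()                       # 4A: ask the HASP4 server
        if not ids:
            return False, "no dongles visible (hub or HASP4 server unreachable)"
        if self.licensed_hasp_id not in ids:              # 4B: look for the right key
            return False, f"licensed dongle {self.licensed_hasp_id} not present"
        return True, "granted"


class HaspHLServer:
    """Standalone path: the key itself decides whether the feature is licensed."""
    def __init__(self, hub):
        self.hub = hub

    def checkout(self, feature):
        keys = [d for d in self.hub.attached() if isinstance(d, HaspHLDongle)]
        if not keys:
            return False, "no HL key visible (hub unreachable)"
        if any(k.permits(feature) for k in keys):
            return True, "granted"
        return False, "key present but feature not licensed"
```

Plug a Hasp4Dongle and a HaspHLDongle into one hub, check out through both servers, then flip hub.reachable to False: every check-out on both paths is refused at once, which is the "another point of failure" entry in the drawbacks list below in concrete form. A HASP4 license locked to an ID that is not on the hub fails differently (the server sees keys, just not the right one), which is the case you hit when a replacement dongle arrives with a new HASP_ID and the license file has not been reissued.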
Okay, enough about licensing frameworks. How do you virtualize a server that has a USB dongle plugged in the back?
To do it, you’ll need a USB-over-Ethernet device: a network-attached USB hub that connects USB peripherals to a server over a network. They were originally used as range extenders for USB devices (such as receipt printers, point of sale barcode scanners, biometric readers, manufacturing line control systems) where having a local PC was not practical or secure. More recently, they have been used to connect USB devices to virtual machines.
The following illustration (taken from VMware's AnywhereUSB guide) shows how an AnywhereUSB USB-over-Ethernet device can be used to connect USB devices to a virtual machine.
The advantages of USB-over-Ethernet devices are
  1. Dongles with potentially high replacement costs can be secured in the datacentre (I worked with a dongle that cost $45,000 to replace. The vendor had a clause in the EULA stating the replacement cost of a dongle was equal to the cost of the license. No joke.)
  2. VMs with license servers can be protected with VMware HA and VMware FT; license servers previously didn’t have any HA mechanism.
  3. They allow you to virtualize those “final few” servers in the datacentre.
  4. They are easy to centrally manage and monitor
  5. No major architectural changes required.
USB-over-Ethernet devices aren’t without their drawbacks…
  1. There is the possibility of incompatibility between dongles and the USB-over-Ethernet device. These devices aren’t perfect.
  2. They introduce another point of failure
  3. No USB-over-Ethernet devices on market have redundant power supplies – if you have to do power testing, get ready to lose the device.
  4. The cheapest USB-over-Ethernet devices aren’t rack mountable.
  5. They require additional drivers in virtual machine.
  6. They are difficult to source in Australia: it is important to have a hot spare ready or you could be waiting weeks for a replacement. That’s weeks of your licensed software being unavailable to users. If you need them, please contact me!
A word of caution: hardware dongles are notorious for being finicky. Working with dongles can be tedious and time consuming. When you find a configuration that works for you, document the solution current state: the USB-over-Ethernet firmware level, the host driver software, the OS and even the hotfix level. Pay careful attention during your patch cycle and ensure that the dongle continues to work after any updates have been applied. There are documented cases of incompatible dongles and servers and there is no definitive hardware compatibility list and determining compatibility is an exercise in trial and error. USB-over-Ethernet devices vendors periodically release firmware updates to improve compatibility, but those same firmware updates could break compatibility. Exercise extreme caution!
USB-over-Ethernet devices
There are a few USB-over-Ethernet devices on the market.
  1. Digi AnywhereUSB: these are the most popular devices on the market. Use these and your problems will be minimized. If you can’t source the AnywhereUSB…
  2. Lantronix UBox: was previously popular. Although discontinued, the UBox is more compatible with certain families of security devices. Its device drivers are a little less stable.
  3. Belkin Network USB hub: don’t even bother. Support for HASP dongles is hit and miss.
The Digi AnywhereUSB/5. Plug the USB dongle in the front, the network cable in the back, and you’re set.
In my next post, I’ll describe the process for installing these devices in your environment.

Monday, April 4, 2011

The Australian Government and SSO, Part 2: Electric Boogaloo.

Australia.gov.au is the Australian government’s attempt at single sign-on (SSO) for citizens. According to Australia.gov.au, “Dealing with the Australian Government online just got easier, with a single account to sign on to multiple agencies.” Sound familiar?

Let’s make an Australia.gov.au ID and see if it lives up to the claim!

The signup process: the signup process is convoluted. Step 1 involves agreeing to the terms and conditions, which is reasonable. Steps 2 and 3 involve picking a password and secret questions. Just wait…why are we picking a password before picking a username? Why are we doing this before even entering our names? It’s like an SSO version of Jeopardy where you enter the password first. After completing the signup, you are assigned a username consisting of two letters followed by six digits.

Australia.gov.au - final step of signup process
What an easy to remember username! (Don’t worry, I changed it before taking a screenshot)

Connecting your Australia.gov.au identity with other agencies: buried in the My Accounts section is a Manage Agency Links page that allows you to use your Australia.gov.au ID with the other government agencies. At the time of writing, there are only three: the Child Support Agency, Centrelink and Medicare Australia.

Australia.gov.au - manage agency links screen

If you choose to link your Australia.gov.au ID with these agencies, you are prompted to enter your already existing username and password for those sites.


Australia.gov.au - linking a CSA account
Australia.gov.au - linking a Centrelink account

Australia.gov.au - linking your Medicare account

The screens prompting you to link your accounts.

It’s important to note that you can only link existing agency accounts. You must create accounts individually at each government agency before you can link them together with your Australia.gov.au ID, which defeats the purpose of single sign-on.

Once you’ve connected a pre-existing agency account, a link to the agency appears in your My Account section. To test, I’ve linked my existing Medicare Online Services account. A link now appears to Medicare Australia.


Clicking on this link gives me a…


…an error message saying “A SAML error has occurred.” That’s not good! As I am not a customer of the other agencies, I am unable to test the linking feature.

Password management: a minimum password complexity applies to Australia.gov.au IDs. With a single identity, it is important to allow strong passwords which make use of special characters. Unfortunately, some special characters are disallowed.

Other observations: if you forget your username, you are locked out of the service. There is no username recovery process. To change your secret questions, you need to answer a secret question. If you’ve forgotten the answer, you’re unable to change it. You are also unable to log in, because you need to answer your secret question with each login.

Verdict: The inability to retrieve a lost username is a showstopper: it is not unreasonable for people to forget their username, especially if they can’t pick it and it consists of random characters and numbers. The same goes for secret questions. While other companies like Facebook, Google and Microsoft are implementing worldwide SSO systems with ease, the Australian Government is reinventing the SSO mistakes of 2006. Australia.gov.au is another disappointing attempt at SSO by the Australian Government, and I have no reason to believe it will improve any time soon.