License server
Introduction
With the IDA 9.3 release, we introduced several enhancements to the license server, including:
JSON Configuration: A single configuration file for all server settings
Access Control Lists: Fine-grained control over who can borrow licenses
Access Logging: HTTP-style logging of all license operations
Enhanced lsadm: Improved output formatting and JSON export
Check how to upgrade the server to benefit from the improvements.
This manual describes the installation, management, and interaction with a Hex-Rays License Server deployment. It is primarily intended for administrators, and will focus on the setup and management of the Hex-Rays License Server.
While we will (at least superficially) make use of the command-line client used to access/manage the server, this manual will not offer a detailed explanation of its usage, although there is a dedicated section for essential lsadm commands
Installing the Hex-Rays License Server
The first step is to install the Hex-Rays License Server, which is the central component of the deployment.
Prerequisites
After your purchase of a Hex-Rays product with floating licenses, go to the customer portal, where you will find:
an installer for the Hex-Rays License Server
the installer for the product you have purchased
a
license_server_<LID>.hexlic(where <LID> is your license ID) and the certificate bundle will be available after License Server activation, under Licenses tab
The certificate bundle contains two files hexlicsrv.crt and hexlicsrv.key that will be used for the TLS encryption between the clients and the license server. You should not try to create them yourself.
All those will be necessary, so please go ahead and download them.
You will also need root access on the host where you will be installing the server.
Installation
This chapter explains how to install the Hex-Rays License Server.
To ensure proper functionality, we recommend that the License Server version match the IDA Pro version and that both are updated to the latest version. The 9.3 License Server has backward compatibility with the 9.2 IDA Pro version (client). However, the reverse is not supported. Ensure that the License Server version is equal to or higher than the client version to maintain compatibility. For the latest installers, visit the Download Center in My Hex-Rays portal.
Installing clients
The command-line client lsadm is bundled with the Hex-Rays License Server installer. To install both Hex-Rays License Server and lsadm, simply run the installer and follow the instructions.
Every Hex-Rays product using floating licenses, such as IDA, is also a client of Hex-Rays License Server. For installation instructions for these products, please refer to their documentation.
Installing the server
The Hex-Rays License Server can be installed on x64 Linux servers. We have tested it on Debian and Ubuntu, but other major flavors of Linux should be fine too.
The installer is provided as an executable file. If needed, use chmod to ensure it has execute permissions.
To install the server, run the Hex-Rays License Server installer as root and follow the instructions (the server will not require root permissions; only the installer does.)
If your Linux system is based on systemd (e.g., Debian/Ubuntu, Red-Hat, CentOS, ...), it is recommended to let the installer create systemd units so that the server will start automatically at the next reboot.
During server installation, you’ll be prompted to create the hexlicsrv.conf configuration file. We recommend accepting the default option to create it automatically, as this file is required to run the server.
Activating the server license
In order for the Hex-Rays License Server license to be activated, it must be bound to a Host ID (an Ethernet MAC address.) From a command prompt, run /sbin/ifconfig, and lookup the "ether" address for the network interface through which the server will be accessible.
In this case, our MAC address is: bf:e2:91:10:58:d2
Go to Hex-Rays customer portal and activate your license for license server. During that process, you will need to provide the MAC address of the device where the license server will be running. Once the activation is complete, you'll be able to download the following files:
license server certificate bundle
license_server_<LID>.hexlic(license key)
Those need to be copied in the Hex-Rays License Server installation directory. As root:
Creating the initial database
At this point, the server should be ready to run.
If your system is already in production, skip this section. Using the --recreate-schema option as in the example below, will re-create an empty database.
On the first install, you will need to initialize the database the server will use:
Testing the server
Now that the server is installed and has a database to work with, we can test that it works:
Good, the server appears to run! If you are observing more worrying messages than this one, please refer to the troubleshooting section.
At this point, you may want to either let the server run, or stop it (Ctrl+C will do) and restart it using systemd:
...and make sure it runs:
If you don't see a running license_server process, please refer to the systemd diagnostic tools (e.g., journalctl) for more info.
Management
This chapter explains in detail how to perform regular administrator tasks.
Backup and restore
Currently, there is no dedicated procedure to back up the Hex-Rays License Server database. It can be done by temporarily stopping the Hex-Rays License Server and making a copy of the sqlite3 database. The server must be stopped only during the backup of the sqlite3 database and then can be immediately restarted.
Alternatively, it is possible to use sqlite3 backup functionality to make a backup of the database.
Upgrading the server
Switching to the newest versions of the Hex-Rays License Server is recommended in order for the team to benefit from its improvements and new features.
The upgrade procedure consists of the following steps:
Stop the server. For example, if you are using
systemdto manage the server:sudo systemctl stop hexlicsrvPerform a backup of the database
Launch the installer
Follow the on-screen instructions
Upgrade the database with
./license_server --config-file hexlicsrv.conf --upgrade-schemaRestart the server. E.g.,
sudo systemctl start hexlicsrv
License Borrowing Limits
The server supports limiting the maximum duration for which licenses can be borrowed using the MAX_BORROW_HOURS environment variable.
MAX_BORROW_HOURS=0 or unset
No limit (default)
MAX_BORROW_HOURS=-1
Borrowing is completely disabled
MAX_BORROW_HOURS=<hours>
Limits borrowing to the specified number of hours
Note: Changes to this environment variable require a server restart to take effect.
Migrating to the latest version
Migrating from .conf to JSON
The server automatically migrates .conf files to .json format on first run:
Server detects
hexlicsrv.confexists buthexlicsrv.jsondoesn'tServer reads the
.conffile and creates equivalent.jsonServer uses the new
.jsonfileOriginal
.conffile is preserved (not deleted)
Manual migration:
If automatic migration doesn't work, you can create a JSON file manually (check troubleshooting for details).
Adding ACL to Existing Installation
Create
acl.jsonin the server directory:Add the ACL file to your JSON config:
Restart the license server
Gradually add aliases and rules as needed
JSON Configuration
The license server now supports comprehensive JSON configuration files, replacing the legacy .conf format.
Configuration File Location
The server looks for configuration in the following order:
Path specified with
-f <config_file>command-line optionhexlicsrv.jsonin the current working directory
Complete Configuration Reference
Configuration Options
Database Settings
connection_string
string
Yes
Database connection string. Format: sqlite3;Data Source=<path>;
Example:
License File
license_file
string
Yes
Path to the .hexlic license file. Use absolute paths for reliability.
Example:
Relative paths are resolved relative to the server binary location, not the current working directory. Always use absolute paths to avoid confusion.
TLS/Security Settings
cert_file
string
-
Path to TLS certificate file (PEM format)
key_file
string
-
Path to TLS private key file (PEM format)
no_tls
boolean
false
Disable TLS encryption (not recommended for production)
Example:
Network Settings
port
integer
65434
TCP port to listen on
ip_address
string
0.0.0.0
IP address to bind to. Use 0.0.0.0 for all interfaces.
Example:
Logging Settings
log_file
string
-
Path to server log file
access_log_file
string
-
Path to HTTP-style access log file
verbose
boolean
false
Enable verbose logging
badreq_dir
string
-
Directory to dump malformed requests for debugging
Example:
ACL Settings
acl_file
string
acl.json
Path to ACL configuration file
Example:
Database Schema Options
recreate_schema
boolean
false
Drop and recreate database schema on startup
upgrade_schema
boolean
false
Upgrade database schema to latest version
recreate_schema will delete all existing data. Use with caution.
Configuration Precedence
Command-line arguments always override JSON configuration values:
Example:
Minimal Configuration Example
Access Control Lists (ACL)
The ACL system provides fine-grained control over license borrowing operations.
Overview
The ACL system supports:
User aliases: Map machine identifiers to human-readable usernames
Permission rules: Allow or deny borrowing based on user or machine
Product restrictions: Limit access to specific products
Denial messages: Provide clear explanations when access is denied
ACL File Location
The server looks for ACL configuration in:
Path specified with
-a <acl_file>or--acl <acl_file>Path specified in JSON config:
"acl_file": "path/to/acl.json"acl.jsonin the current working directory
If no ACL file is found, the server operates without access restrictions.
ACL File Format
Aliases Section
The aliases section maps machine identifiers to human-readable usernames. This serves two purposes:
Identification: Makes logs and reports more readable
Rule matching: Allows rules to target users instead of machine IDs
Alias resolution:
When a client connects, the server looks up its machine ID in aliases
If found, the username from aliases is used for rule matching
If not found, the machine ID is used directly
ACLs Section
Default Policy
The default_policy determines what happens when no rule matches:
allow
Permit borrowing unless explicitly denied
deny
Block borrowing unless explicitly allowed
Recommended: Use "default_policy": "allow" for open environments, "default_policy": "deny" for restricted environments.
Rules
Rules are evaluated in order. The first matching rule determines the outcome.
Rule fields:
user
string
One of user/machine_id
Username to match (from aliases or direct)
machine_id
string
One of user/machine_id
Machine identifier to match
permission
string
Yes
"allow" or "deny"
products
array
No
List of products this rule applies to
reason
string
No
Human-readable explanation
Rule Examples
Deny a Specific User
Allow with Product Restriction
Deny Unregistered Machines
Allow Test Infrastructure
Complete ACL Example
ACL Behavior
Client sends borrow request with machine ID and username
Server resolves machine ID to alias (if configured)
Server evaluates rules in order:
First matching rule determines outcome
If no rule matches, default policy applies
If denied, the
reasonis returned to the client
Product Names
Use these product identifiers in the products array:
ida-pro
IDA Pro
ida-home
IDA Home
ida-teams
IDA Teams
Access Logging
The access logging feature provides HTTP-style logging of all license operations.
Enabling Access Logging
Via command line:
Via JSON configuration:
Log Format
Fields:
timestamp
ISO 8601 format: YYYY-MM-DD HH:MM:SS
user
Username from request (or - if not provided)
machine_id
Machine identifier from request
alias
Resolved username from ACL aliases (only shown if different from machine_id)
OPERATION
The license operation performed
license_id
The license ID involved (or - for operations without a specific license)
status_code
HTTP-style status code
duration_ms
Operation duration in milliseconds
Operations Logged
HELO
Client handshake
LIST
List available licenses
CHECKOUT
Checkout a license
CHECKIN
Return a checked-out license
BORROW
Borrow a license for offline use
RETURN
Return a borrowed license
HEARTBEAT
Keep-alive ping
Status Codes
200
Success
LICERR_OK, LICERR_WARNING, LICERR_INFO
400
Bad Request
LICERR_BAD_PACKET
403
Forbidden
LICERR_LICENSE_NOT_ACQUIRED, LICERR_LICENSE_NOT_BORROWED, LICERR_LICENSE_BORROWED
404
Not Found
LICERR_BAD_LICENSE
410
Gone
LICERR_LICENSE_EXPIRED
422
Unprocessable
LICERR_LICENSE_BAD_END_TIME, LICERR_LICENSE_BAD_BLOB
502
Bad Gateway
LICERR_NETWORK_FAILURE
503
Unavailable
LICERR_LICENSE_NO_AVAIL
Example Log Output
Log Rotation
The access log file is opened in append mode. Use standard log rotation tools:
logrotate example (/etc/logrotate.d/hexlicsrv):
License Server Command Line
license_server [options]
-f <file>
JSON configuration file
-C <string>
Database connection string
-L <file>
License file path
-c <file>
TLS certificate file
-k <file>
TLS private key file
-p <port>
Port number (default: 65434)
-i <ip>
IP address to bind
-l <file>
Log file path
-o <file>
Access log file (HTTP-style)
-a, --acl
ACL configuration file
-v
Verbose mode
-t
Disable TLS
-V, --version
Show version
--recreate-schema
Recreate database schema
--upgrade-schema
Upgrade database schema
lsadm Command-Line Tool
The lsadm tool is the command-line interface for managing the license server. This quick manual presents the basic common commands for lsadm tool.
Command-Line Options
-u
--user
Specify custom user@machine-id for requests
-j
--json
Output results in JSON format
-V
--version
Show version information
-h
--host
License server hostname (format: host:port)
-v
--verbose
Enable verbose output
Commands
info
Show server information
-
list
List all licenses
-
checkout
Checkout a license
<license_id>
checkin
Return a license
<license_id>
borrow
Borrow for offline use
<license_id> <end_time>
return
Return borrowed license
<license_id>
Usage Examples
List Licenses
Checkout License
Borrow License
Show Version
Output Formats
Standard Table Output
JSON Output
Troubleshooting
This chapter explains how to solve typical problems with the Hex-Rays License Server.
Connection issues
By default, the Hex-Rays License Server listens on the TCP port 65434 on all interfaces. Please ensure that this port is enabled in your firewalls.
The Hex-Rays License Server uses secure TLS connections with the clients. The TLS layer requires the certificate (.crt) and private key (.key) files. Usually, they are attached to the email message with the activation information.
The server complains about a "world-accessible" file, and exits
The following files shouldn't be readable by everyone on the system, but only by root and hexlicsrv:
hexlicsrv.conf: this file file holds the connection string to the database the server will use, and might contain credentials.hexlicsrv.crt: the certificate chainhexlicsrv.key: the private key filelicense_server_<LID>.hexlic: the license file
As a precaution, the Hex-Rays License Server will refuse to start if these files are readable by unauthorized users.
Please make sure they:
have
hexlicsrv:hexlicsrvownership:chown hexlicsrv:hexlicsrv hexlicsrv.crt hexlicsrv.key licensesrv.hexlic hexlicsrv.confare not world-accessible:
chmod 640 hexlicsrv.crt hexlicsrv.key license_server_<LID>.hexlic hexlicsrv.conf
Licensing
The licensesrv.hexlic file is tied to the MAC address of the first network interface. If they do not match, the server will not start. To change the MAC address, please contact support
"Error: Failed to list licenses"
This error means that the currently installed license server license file (hexlic) content is incorrect. More precisly, the "licenses" list does not contain an entry with the following items:
or that the activation end date in the same section has expired.
Make sure to activate all the floating license plans owned by the license server before downloading the license server hexlic file.
"Error: stat() failed on "hexlicsrv.conf": No such file or directory"
This error occurs when the hexlicsrv.conf configuration file is missing.
During the server installation, the user is asked whether to automatically create this configuration file for pre-configuring the server. Replying "no" will require creating the configuration file manually (which may be a bit tedious).
Solution: The simplest approach is to reinstall the server:
Uninstall the server by executing the uninstall program in the installation directory.
Re-run the installer and accept the prompt to automatically create the configuration file.
"Error: Failed to initialize the license manager: No valid license file could be found"
This error can occur if a recent hexlic file is loaded in the version 9.0 of the license server.
Solution Make sure to download and install the latest version of the license server.
"Missing private key path" when upgrading the schema
This is a known regression in the version 9.2 of the license server.
Solution Use the following command line:
Restoring from backups
There are no special precautions to take: restoring the sqlite3 database from a backup should be enough.
Common Issues
ACL File Not Found
Symptom: Server starts but ACL restrictions don't work
Solution: Verify the ACL file path in your configuration:
Access Denied Unexpectedly
Symptom: User receives "access denied" but should be allowed
Troubleshooting steps:
Check if user's machine ID has an alias:
Verify rule order (first match wins)
Check default policy
Review access log for the denial:
JSON Configuration Not Loading
Symptom: Server ignores JSON configuration
Solution:
Verify JSON syntax:
Check file permissions:
Use absolute path with
-f:
Access Log Not Writing
Symptom: Access log file remains empty or doesn't exist
Solution:
Verify the directory exists and is writable
Check the path in configuration
Ensure the server has write permissions
Automatic Migration from .conf to .json Failed
.conf to .json FailedSymptom: The server does not create .json automatically, or fails to migrate the existing .conf file.
Solution:
If automatic migration does not occur, create the JSON configuration file manually.
Old format (hexlicsrv.conf):
New format (hexlicsrv.json):
Validating Configuration
Validate JSON Config
Validate ACL File
Test ACL Rules
Start the server in verbose mode and attempt operations:
Then in another terminal:
Check the server output and access log for details.
Last updated
Was this helpful?