License server

Hex-Rays License Server Administrator Guide

Introduction

This manual describes the installation, management, and interaction with a Hex-Rays License Server deployment. It is primarily intended for administrators, and will focus on the setup and management of the Hex-Rays License Server.

While we will (at least superficially) make use of the command-line client used to access/manage the server, this manual will not offer a detailed explanation of its usage: there is a dedicated document for that (the lsadm user manual).

Let's get started

The first step is to install the Hex-Rays License Server, which is the central component of the deployment. It is recommended to have the lsadm user manual ready before proceeding.

Installing the Hex-Rays License Server

Prerequisites

After your purchase of a Hex-Rays product with floating licenses, go to the customer portal, where you will find:

• an installer for the Hex-Rays License Server

• the installer for the product you have purchased

• a license_server.hexlic will be available after License Server activation, under Licenses tab

All those will be necessary, so please go ahead and download them.

You will also need root access on the host where you will be installing the server.

Installation

This chapter explains how to install the Hex-Rays License Server.

Installing clients

The command-line client lsadm is bundled with the Hex-Rays License Server installer. To install both Hex-Rays License Server and lsadm, simply run the installer and follow the instructions.

Every Hex-Rays product using floating licenses, such as IDA, is also a client of Hex-Rays License Server. For installation instructions for these products, please refer to their documentation.

Installing the server

The Hex-Rays License Server can be installed on x64 Linux servers. We have tested it on Debian and Ubuntu, but other major flavors of Linux should be fine too.

To install the server, run the Hex-Rays License Server installer as root and follow the instructions (the server will not require root permissions; only the installer does.)

Activating the server license

In order for the Hex-Rays License Server license to be activated, it must be bound to a Host ID (an Ethernet MAC address.) From a command prompt, run /sbin/ifconfig, and lookup the "ether" address for the network interface through which the server will be accessible.

    >/sbin/ifconfig
    enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            [...snipped...]
            ether bf:e2:91:10:58:d2  txqueuelen 1000  (Ethernet)
            [...snipped...]

In this case, our MAC address is: bf:e2:91:10:58:d2

Go to Hex-Rays customer portal and activate your license for license server. During that process, you will need to provide the MAC address of the device where the license server will be running. Once the activation is complete, you'll be able to download the following files:

• license server certificate bundle

• license_server.hexlic (license key)

Those need to be copied in the Hex-Rays License Server installation directory. As root:

    >cd /opt/hexlicsrv
    >cp .../path/to/hexlicsrv.crt .
    >cp .../path/to/hexlicsrv.key .
    >cp .../path/to/license_server*.hexlic .
    >chown hexlicsrv:hexlicsrv hexlicsrv.crt hexlicsrv.key license_server*.hexlic
    >chmod 640 hexlicsrv.crt hexlicsrv.key license_server*.hexlic

Creating the initial database

At this point, the server should be ready to run.

On the first install, you will need to initialize the database the server will use:

    >sudo -u hexlicsrv ./license_server --config-file hexlicsrv.conf \
                                        --recreate-schema
    >2024-04-14 14:30:28 License Server v1.0 Hex-Rays (c) 2024
    >2024-04-14 14:30:28 Database initialized; exiting.

Testing the server

Now that the server is installed and has a database to work with, we can test that it works:

    >sudo -u hexlicsrv ./license_server --config-file hexlicsrv.conf \
                                        --certchain-file hexlicsrv.crt \
                                        --privkey-file hexlicsrv.key \
                                        --license-file license_server.hexlic
    >2024-04-14 14:35:47 License Server v1.0 Hex-Rays (c) 2024
    >2024-04-14 14:35:47 Using a license with 1 seats
    >2024-04-14 14:35:47 Listening on 0.0.0.0:65434...

Good, the server appears to run! If you are observing more worrying messages than this one, please refer to the troubleshooting section.

At this point, you may want to either let the server run, or stop it (Ctrl+C will do) and restart it using systemd:

    >systemctl restart hexlicsrv.service

...​and make sure it runs:

    >ps aux | grep license_server
    hexlicsrv  58246  0.0  0.0 ...

If you don't see a running license_server process, please refer to the systemd diagnostic tools (e.g., journalctl) for more info.

Management

This chapter explains in detail how to perform regular administrator tasks.

Backup and restore

Currently, there is no dedicated procedure to back up the Hex-Rays License Server database. It can be done by temporarily stopping the Hex-Rays License Server and making a copy of the sqlite3 database. The server must be stopped only during the backup of the sqlite3 database and then can be immediately restarted.

Alternatively, it is possible to use sqlite3 backup functionality to make a backup of the database.

Upgrading the server

Switching to the newest versions of the Hex-Rays License Server is recommended in order for the team to benefit from its improvements and new features.

The upgrade procedure consists of the following steps:

1. stopping the server. E.g., sudo systemctl stop hexlicsrv if you are using systemd to manage the server.

2. performing a backup of the database

3. putting the new server instead of the old one

4. restarting the server. E.g., sudo systemctl start hexlicsrv

Hex-Rays License Server command-line options

  -p ...​ (\--port-number ...​)         Port number (default 65434)
  -i ...​ (\--ip-address ...​)          IP address to bind to (default to any)
  -c ...​ (\--certchain-file ...​)      TLS certificate chain file
  -k ...​ (\--privkey-file ...​)        TLS private key file
  -v (\--verbose)                     Verbose mode
  (\--upgrade-schema)                 Upgrade database schema; then quit
  -C ...​ (\--connection-string ...​)   Connection string
  -l ...​ (\--log-file ...​)            Log file
  -L ...​ (\--license-file ...​)        License file
  -f ...​ (\--config-file ...​)         Config file
  (\--recreate-schema)                Drop & re-create schema; then quit **THIS WILL ERASE ALL DATA**

Troubleshooting

This chapter explains how to solve typical problems with the Hex-Rays License Server.

Connection issues

By default, the Hex-Rays License Server listens on the TCP port 65434 on all interfaces. Please ensure that this port is enabled in your firewalls.

The Hex-Rays License Server uses secure TLS connections with the clients. The TLS layer requires the certificate (.crt) and private key (.key) files. Usually, they are attached to the email message with the activation information.

The server complains about a "world-accessible" file, and exits

The following files shouldn't be readable by everyone on the system, but only by root and hexlicsrv:

• hexlicsrv.conf: this file file holds the connection string to the database the server will use, and might contain credentials.

• hexlicsrv.crt: the certificate chain

• hexlicsrv.key: the private key file

• licensesrv.hexlic: the license file

As a precaution, the Hex-Rays License Server will refuse to start if these files are readable by unauthorized users.

Please make sure they:

• have hexlicsrv:hexlicsrv ownership: chown hexlicsrv:hexlicsrv hexlicsrv.crt hexlicsrv.key licensesrv.hexlic hexlicsrv.conf

• are not world-accessible: chmod 640 hexlicsrv.crt hexlicsrv.key licensesrv.hexlic hexlicsrv.conf

Licensing

The licensesrv.hexlic file is tied to the MAC address of the first network interface. If they do not match, the server will not start. To change the MAC address, please contact support

Restoring from backups

There are no special precautions to take: restoring the sqlite3 database from a backup should be enough.