geedge-jira/md/OMPUB-1041.md
2025-09-14 22:27:11 +00:00


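OS licensed via HL Seats did not stop service when the license expired

| ID | Creation Date | Assignee | Status |
|---|---|---|---|
| OMPUB-1041 | 2023-10-22T16:39:49.000+0800 | 卢文朋 | Done |

At the P19 WMS site, the expiry time of the OS licensed via HL Seats was 2023/10/21 04:55. After the license expired, the OS could still correctly obtain authentication from ACC and continued to provide service.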

!image-2023-10-22-16-39-38-822.png!

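ACC license page

!image-2023-10-22-16-40-32-378.png!

luwenpeng commented on 2023-10-22T17:02:56.180+0800:

On-site situation: the HL hardware key is plugged into the host; KVM is installed on the host; a virtual machine is installed in KVM; ACC Service is deployed in the virtual machine.

h2. ACC-LOG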

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-52-25.png!

The ACC log shows that the license information was updated before 2023/10/21 17:59:48.

h2. OS-LOG

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-50-41.png!

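The OS log shows hasp_monitor "Encrypting failed" at 2023/10/21 18:22.

  • This implies that hasp_monitor successfully obtained the license information at 2023/10/21 17:52
  • After successfully obtaining the license, hasp_monitor sleeps for 1800 s
  • 2023/10/21 17:59:48: ACC updated the network seats
  • 2023/10/21 18:22: after waking, hasp_monitor continued to use the previous network seat for Encrypting; because the network seats had been updated, "Encrypting failed" occurred
  • 2023/10/21 18:22: hasp_monitor obtained a new network seat

Judging from hasp_monitor's execution flow, the network seat had not yet expired before 2023/10/21 17:52.

h2. Expiry time shown by ACC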

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-43-16.png! !https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-43-49.png!

The expiry time shown by ACC is 2023/10/21 04:55.

h2. ACC clock

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-28-0.png! !https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-28-22.png!

Screenshots captured at 2023/10/22 00:45 Beijing time; 2023/10/21 21:45 Pakistan time.

ACC 10.10.10.159 shows the time 2023/10/22 02:45:19, {color:#ff0000}5 hours ahead of local time{color}

ACC 10.10.20.159 shows the time 2023/10/21 21:45:08, which is normal.

h2. Clock of the ACC virtual machines

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-34-31.png!

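Screenshots captured at 2023/10/22 00:32 Beijing time; 2023/10/21 21:32 Pakistan time.

Virtual machine 10.10.10.159 shows the time 2023/10/21 21:32:26, which is normal.

Virtual machine 10.10.20.159 shows the time 2023/10/21 21:32:29, which is normal.

h2. Clock of the hosts running the ACC virtual machines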

!https://docs.geedge.net/download/attachments/117312508/image-2023-10-22_1-37-14.png!

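Screenshots captured at 2023/10/22 00:42 Beijing time; 2023/10/21 21:42 Pakistan time.

Host 10.10.10.5 shows the time 2023/10/22 02:28:49 AM, {color:#ff0000}about 4 hours 46 minutes ahead of local time{color}

Host 10.10.20.169 shows the time 2023/10/21 09:24:52 PM, {color:#ff0000}about 18 minutes behind local time{color}

h2. Summary:

(All times in the description below are Pakistan local time.)

Clock information of ACC Service

  • ACC Service shows that the license expired at 2023/10/21 04:55, but the license was still valid at least until 2023/10/21 17:52
      • Question: before ACC Service updated the license (2023/10/21 17:59:48), did ACC Service show the license as expired?
      • Question: how is the expiry time shown by ACC Service calculated?

  • The time of ACC Service 10.10.20.159 is normal

  • The time of ACC Service 10.10.10.159 is {color:#ff0000}5 hours ahead of local time{color}
      • Question: was the ACC virtual machine's clock changed after ACC Service was started?

Clock information of the ACC virtual machines

  • The time of ACC virtual machine 10.10.10.159 is normal
  • The time of ACC virtual machine 10.10.20.159 is normal

Clock information of the hosts running the ACC virtual machines

  • Host PCAP-PVE001 (10.10.10.5) running the ACC virtual machine: {color:#ff0000}4 hours 46 minutes ahead of local time{color}
  • Host MSH-PVE001 (10.10.20.169) running the ACC virtual machine: about 18 minutes behind local time

Correlation

The time of ACC Service 10.10.10.159 is {color:#ff0000}5 hours ahead of local time{color}, and the time of its host PCAP-PVE001 10.10.10.5 is {color:#ff0000}4 hours 46 minutes ahead of local time{color}

[How Sentinel LDK Protects Time-based Licenses With V-Clock|https://docs.sentinel.thalesgroup.com/ldk/LDKdocs/SPNL/LDK_SLnP_Guide/Appendixes/HowProtects_TimeBased.htm?Highlight=vclock]

|VClock does not provide the same level of control as the real-time clock in Sentinel HL Time keys and Sentinel HL NetTime keys. However, VClock prevents the end user from setting the system time back to an earlier date and time, and thus tampering with time-based licenses. The expiration period or date for a time-based license is initially calculated according to the system clock of the end user's machine.|

The documentation shows that the V-Clock in the HL key only ensures that the system time does not go backwards; the license expiry time uses the system time.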


luwenpeng commented on 2023-10-23T14:31:59.685+0800:

License information of 10.10.10.159 after the license update

{code:java}
[root@pcap-kvm-nz001 ~]# ./hasp_rus s local getinfo
test         :   info as followed:

<?xml version="1.0" encoding="UTF-8" ?>

<hasp_info>
    1468561840
    HASP-HL
    <clone_protected></clone_protected>
    false
    4.60
    <hw_version>7.2</hw_version>
    29
    <production_date>1663113600</production_date>
    false
    false
    false
    <rehost_enduser_managed>false</rehost_enduser_managed>
    <key_model>Max</key_model>
    <key_type>Max</key_type>
    <form_factor>Mini</form_factor>
    <response_time>1</response_time>
    <hw_platform>Sentinel</hw_platform>
    true
    <hasp_enabled>false</hasp_enabled>
    <fingerprint_change></fingerprint_change>
    <vclock_enabled>true</vclock_enabled>
    9
    TSG-OS
    <license_type>expiration</license_type>
    <exp_date>1698796500</exp_date>
    534101534133789070
    HASP-SL
    <clone_protected>true</clone_protected>
    false
    8.23
    <hw_version></hw_version>
    0
    <production_date>1688827990</production_date>
    false
    false
    false
    <rehost_enduser_managed>false</rehost_enduser_managed>
    <key_model>Certificate</key_model>
    <key_type>SL-UserMode</key_type>
    <form_factor></form_factor>
    <response_time>0</response_time>
    <hw_platform></hw_platform>
    false
    <hasp_enabled>false</hasp_enabled>
    <fingerprint_change>accepted</fingerprint_change>
    <vclock_enabled>true</vclock_enabled>
    11
    Network Zodiac (Rehost Enabled)
    <license_type>expiration</license_type>
    <exp_date>1704067199</exp_date>
</hasp_info>
[root@pcap-kvm-nz001 ~]#
{code}

License information of 10.10.20.159 after the license update

{code:java}
[root@msh-kvm-nz001 ~]# ./hasp_rus s local getinfo
test         :   info as followed:

<?xml version="1.0" encoding="UTF-8" ?>

<hasp_info>
    1897549354
    HASP-HL
    <clone_protected></clone_protected>
    false
    4.60
    <hw_version>7.2</hw_version>
    29
    <production_date>1663113600</production_date>
    false
    false
    false
    <rehost_enduser_managed>false</rehost_enduser_managed>
    <key_model>Max</key_model>
    <key_type>Max</key_type>
    <form_factor>Mini</form_factor>
    <response_time>0</response_time>
    <hw_platform>Sentinel</hw_platform>
    true
    <hasp_enabled>false</hasp_enabled>
    <fingerprint_change></fingerprint_change>
    <vclock_enabled>true</vclock_enabled>
    9
    TSG-OS
    <license_type>expiration</license_type>
    <exp_date>1698796500</exp_date>
    813914921556795374
    HASP-SL
    <clone_protected>true</clone_protected>
    false
    8.23
    <hw_version></hw_version>
    0
    <production_date>1688809981</production_date>
    false
    false
    false
    <rehost_enduser_managed>false</rehost_enduser_managed>
    <key_model>Certificate</key_model>
    <key_type>SL-UserMode</key_type>
    <form_factor></form_factor>
    <response_time>0</response_time>
    <hw_platform></hw_platform>
    false
    <hasp_enabled>false</hasp_enabled>
    <fingerprint_change>accepted</fingerprint_change>
    <vclock_enabled>true</vclock_enabled>
    11
    Network Zodiac (Rehost Enabled)
    <license_type>expiration</license_type>
    <exp_date>1704067199</exp_date>
</hasp_info>
[root@msh-kvm-nz001 ~]#
{code}


luwenpeng commented on 2023-10-23T14:32:20.177+0800:

The error log of 10.10.10.159 shows {color:#FF0000}“Unexpected time move to the past by 17993 seconds”{color}

{code:java}
[root@pcap-kvm-nz001 ~]#  cat /var/hasplm/error.log
2023-07-10 22:27:38 [1069] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-10 17:27:53 [1069] Unexpected time move to the past by 17993 seconds
2023-07-25 14:36:08 [1069] Failed to logout not existing session 104649063
2023-07-25 14:38:35 [1069] Failed to logout not existing session 97365897
2023-07-25 14:40:33 [1069] Failed to logout not existing session 170182860
2023-07-25 14:48:23 [1069] Failed to logout not existing session 60936620
2023-07-25 14:48:27 [1069] Failed to logout not existing session 146651492
2023-07-25 14:48:54 [1069] Failed to logout not existing session 170107269
2023-07-25 14:48:55 [1069] Failed to logout not existing session 46064631
2023-07-25 14:48:56 [1069] Failed to logout not existing session 230881559
2023-07-25 14:48:57 [1069] Failed to logout not existing session 215222965
2023-07-25 14:49:01 [1069] Failed to logout not existing session 256339667
2023-07-25 14:49:04 [1069] Failed to logout not existing session 159716494
2023-07-25 14:49:05 [1069] Failed to logout not existing session 215750551
2023-07-25 14:51:37 [1069] Failed to logout not existing session 122639995
2023-07-25 14:51:37 [1069] Failed to logout not existing session 251624379
2023-07-25 14:52:19 [1069] Failed to logout not existing session 240463490
2023-07-25 14:58:34 [1069] Failed to logout not existing session 3874594
2023-07-25 14:58:58 [1069] Failed to logout not existing session 23068935
2023-07-25 15:03:56 [1069] Failed to logout not existing session 147103624
2023-08-16 15:59:49 [1069] Failed to logout not existing session 9413842
2023-08-16 16:21:05 [1069] Failed to logout not existing session 123816039
2023-08-16 16:21:14 [1069] Failed to logout not existing session 175484872
2023-08-16 16:21:15 [1069] Failed to logout not existing session 144181234
2023-08-16 16:21:18 [1069] Failed to logout not existing session 82158414
2023-08-16 16:21:21 [1069] Failed to logout not existing session 125417785
2023-08-16 16:21:21 [1069] Failed to logout not existing session 153795180
2023-09-21 16:00:21 [1069] Failed to logout not existing session 170550098
2023-09-21 16:02:28 [1069] Failed to logout not existing session 149914386
2023-09-21 16:02:28 [1069] Failed to logout not existing session 123072468
2023-09-21 16:02:28 [1069] Failed to logout not existing session 152813400
2023-09-21 16:06:06 [1069] Failed to logout not existing session 236621699
2023-09-21 16:06:52 [1069] Failed to logout not existing session 36329370
2023-09-21 16:07:00 [1069] Failed to logout not existing session 134586752
2023-09-21 16:07:00 [1069] Failed to logout not existing session 245208374
2023-09-21 16:07:00 [1069] Failed to logout not existing session 252208405
2023-09-21 16:07:02 [1069] Failed to logout not existing session 40608153
2023-09-21 16:07:02 [1069] Failed to logout not existing session 210514153
2023-09-21 16:13:50 [1069] Failed to logout not existing session 73804376
2023-09-21 16:13:58 [1069] Failed to logout not existing session 191294591
2023-09-21 16:14:05 [1069] Failed to logout not existing session 171892951
2023-09-21 16:21:37 [1069] Failed to logout not existing session 263395403
2023-09-21 16:21:50 [1069] Failed to logout not existing session 43447029
2023-09-21 16:21:53 [1069] Failed to logout not existing session 242579109
2023-09-21 16:21:53 [1069] Failed to logout not existing session 167630486
2023-10-10 17:52:09 [1069] Failed to logout not existing session 72907780
2023-10-10 17:52:11 [1069] Failed to logout not existing session 91877893
2023-10-10 17:55:29 [1069] Failed to logout not existing session 14426740
2023-10-10 17:59:40 [1069] Failed to logout not existing session 261872345
2023-10-10 18:00:40 [1069] Failed to logout not existing session 91166461
2023-10-21 18:02:34 [1069] Failed to logout not existing session 215870962
2023-10-21 18:02:37 [1069] Failed to logout not existing session 267647807
2023-10-21 18:02:57 [1069] Failed to logout not existing session 208318992
2023-10-21 18:02:57 [1069] Failed to logout not existing session 188685595
2023-10-21 18:02:57 [1069] Failed to logout not existing session 134996703
2023-10-21 18:02:57 [1069] Failed to logout not existing session 265950763
2023-10-21 18:02:57 [1069] Failed to logout not existing session 127810735
2023-10-21 18:06:43 [1069] Failed to logout not existing session 159947985
2023-10-21 18:06:51 [1069] Failed to logout not existing session 229517899
2023-10-21 18:06:56 [1069] Failed to logout not existing session 247692719
2023-10-21 18:07:48 [1069] Failed to logout not existing session 118313814
2023-10-21 18:14:10 [1069] Failed to logout not existing session 29193593
2023-10-21 18:14:16 [1069] Failed to logout not existing session 76860867
2023-10-21 18:14:22 [1069] Failed to logout not existing session 207354560
2023-10-21 18:22:06 [1069] Failed to logout not existing session 129045899
2023-10-21 18:22:20 [1069] Failed to logout not existing session 183848723
2023-10-21 18:22:21 [1069] Failed to logout not existing session 202211014
2023-10-21 18:22:21 [1069] Failed to logout not existing session 59924530
2023-10-21 18:32:21 [1069] Failed to logout not existing session 106994471
2023-10-21 18:32:30 [1069] Failed to logout not existing session 266102557
2023-10-21 19:00:31 [1069] Failed ACC authentication attempt from 10.10.50.61
[root@pcap-kvm-nz001 ~]#
{code}

The error log of 10.10.20.159 shows {color:#FF0000}“Unexpected time move to the past by 2591965 seconds”{color}

{code:java}
[root@msh-kvm-nz001 ~]# cat /var/hasplm/error.log
2023-07-09 12:00:37 [16787] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-10 11:36:29 [1068] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-06-10 11:44:36 [1068] Unexpected time move to the past by 2591965 seconds
2023-06-10 12:07:03 [3296] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-06-10 12:07:14 [3376] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-10 12:19:31 [1066] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-06-10 12:20:14 [1066] Unexpected time move to the past by 2591965 seconds
2023-07-10 12:30:03 [1077] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-12 18:26:23 [1077] Authorization failed for unknown session 'd58459c6af41ea92c6e5b9d58e430985'(previous message repeated 91 times)
2023-07-18 10:24:27 [1077] Failed to logout not existing session 17984098
2023-07-18 11:09:54 [1077] Failed to logout not existing session 242382455
2023-07-18 13:02:02 [1077] Failed to logout not existing session 159377111
2023-07-18 13:32:04 [1077] Failed to logout not existing session 108095744
2023-07-18 14:35:38 [1077] Failed to logout not existing session 215240589
2023-07-18 15:17:51 [1077] Failed to logout not existing session 165500527
2023-07-18 16:18:11 [1077] Failed to logout not existing session 101709924
2023-07-18 16:48:12 [1077] Failed to logout not existing session 46445734
2023-07-18 17:18:56 [1077] Failed to logout not existing session 177377743
2023-07-18 17:48:58 [1077] Failed to logout not existing session 47503139
2023-07-25 14:36:41 [1077] Failed to logout not existing session 147600726
2023-07-25 14:41:27 [1077] Failed to logout not existing session 86405912
2023-07-25 14:43:30 [1077] Failed to logout not existing session 188989340
2023-07-25 14:46:15 [1077] Failed to logout not existing session 85189072
2023-07-25 14:46:24 [1077] Failed to logout not existing session 191872388
2023-07-25 14:46:38 [1077] Failed to logout not existing session 6995764
2023-07-25 14:48:37 [1077] Failed to logout not existing session 211352138
2023-07-25 14:52:43 [1077] Failed to logout not existing session 126610938
2023-07-25 14:54:16 [1077] Failed to logout not existing session 136614155
2023-07-25 14:54:16 [1077] Failed to logout not existing session 14136481
2023-07-25 14:57:53 [1077] Failed to logout not existing session 101652931
2023-07-25 14:57:58 [1077] Failed to logout not existing session 176381377
2023-07-25 14:58:09 [1077] Failed to logout not existing session 77974538
2023-07-25 15:03:44 [1077] Failed to logout not existing session 3205907
2023-07-25 15:03:44 [1077] Failed to logout not existing session 163898373
2023-07-25 15:03:44 [1077] Failed to logout not existing session 266588020
2023-07-25 15:03:45 [1077] Failed to logout not existing session 111507703
2023-07-25 15:04:59 [1077] Failed to logout not existing session 775132
2023-08-16 16:13:26 [1077] Failed to logout not existing session 219026001
2023-08-16 16:13:36 [1077] Failed to logout not existing session 197789042
2023-08-16 16:13:43 [1077] Failed to logout not existing session 235628080
2023-09-21 15:51:06 [1077] Failed to logout not existing session 218752495
2023-09-21 15:51:18 [1077] Failed to logout not existing session 174909371
2023-09-21 15:51:20 [1077] Failed to logout not existing session 145800791
2023-09-21 15:51:27 [1077] Failed to logout not existing session 52931749
2023-09-21 15:51:41 [1077] Failed to logout not existing session 203442571
2023-09-21 15:51:41 [1077] Failed to logout not existing session 42284294
2023-09-21 15:55:09 [1077] Failed to logout not existing session 158861790
2023-09-21 15:59:23 [1077] Failed to logout not existing session 127089501
2023-09-21 16:02:01 [1077] Failed to logout not existing session 211173538
2023-09-21 16:02:11 [1077] Failed to logout not existing session 250019030
2023-09-21 16:02:15 [1077] Failed to logout not existing session 32721663
2023-09-21 16:02:18 [1077] Failed to logout not existing session 241932556
2023-09-21 16:02:29 [1077] Failed to logout not existing session 141907594
2023-09-21 16:02:29 [1077] Failed to logout not existing session 141249032
2023-09-21 16:06:21 [1077] Failed to logout not existing session 1878453
2023-09-21 16:06:26 [1077] Failed to logout not existing session 143203327
2023-09-21 16:06:31 [1077] Failed to logout not existing session 208587720
2023-09-21 16:13:19 [1077] Failed to logout not existing session 53491167
2023-10-10 18:02:48 [1077] Failed to logout not existing session 50642496
2023-10-10 18:02:48 [1077] Failed to logout not existing session 254305863
2023-10-10 18:02:48 [1077] Failed to logout not existing session 228338295
2023-10-10 18:02:48 [1077] Failed to logout not existing session 254877968
2023-10-10 18:02:48 [1077] Failed to logout not existing session 267350814
2023-10-21 17:59:48 [1077] Failed to logout not existing session 53139327
2023-10-21 18:00:48 [1077] Failed to logout not existing session 144821944
2023-10-21 18:07:20 [1077] Failed to logout not existing session 170056255
2023-10-21 18:07:29 [1077] Failed to logout not existing session 1004799
2023-10-21 18:07:29 [1077] Failed to logout not existing session 241794193
2023-10-21 18:07:29 [1077] Failed to logout not existing session 29880603
2023-10-21 18:07:29 [1077] Failed to logout not existing session 232483800
2023-10-21 18:07:29 [1077] Failed to logout not existing session 167582215
2023-10-21 18:14:22 [1077] Failed to logout not existing session 173226639
2023-10-21 18:21:27 [1077] Failed to logout not existing session 52797931
2023-10-21 18:21:37 [1077] Failed to logout not existing session 116201127
2023-10-21 18:21:40 [1077] Failed to logout not existing session 254472269
2023-10-21 18:21:45 [1077] Failed to logout not existing session 153354551
2023-10-21 18:22:04 [1077] Failed to logout not existing session 30706447
2023-10-21 18:22:04 [1077] Failed to logout not existing session 42129790
2023-10-21 18:25:40 [1077] Failed to logout not existing session 143046705
[root@msh-kvm-nz001 ~]#
{code}
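
A check for the clock rollbacks visible in the two error logs above, added here as an example and not part of the ticket or of any Sentinel tooling: it flags every line where the License Manager reports "Unexpected time move to the past" or where a timestamp is earlier than the previous line's, and reports both the logged and the observed jump. The sample input is a trimmed copy of lines from the listings above; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Layout of /var/hasplm/error.log lines as shown in the listings above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
ROLLBACK_RE = re.compile(r"Unexpected time move to the past by (\d+) seconds")

# Sample input: lines taken from the two error.log listings above (trimmed).
PCAP_LOG = """\
2023-07-10 22:27:38 [1069] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-10 17:27:53 [1069] Unexpected time move to the past by 17993 seconds
2023-07-25 14:36:08 [1069] Failed to logout not existing session 104649063
2023-10-21 19:00:31 [1069] Failed ACC authentication attempt from 10.10.50.61
"""
MSH_LOG = """\
2023-07-10 11:36:29 [1068] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-06-10 11:44:36 [1068] Unexpected time move to the past by 2591965 seconds
2023-06-10 12:07:03 [3296] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-07-10 12:19:31 [1066] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
2023-06-10 12:20:14 [1066] Unexpected time move to the past by 2591965 seconds
2023-07-10 12:30:03 [1077] Unrecognized configuration command '({statuscode}) {newline}' in file '/etc/hasplm/hasplm.ini'
"""


def find_clock_rollbacks(log_text):
    """Return one event per log line where the clock went backwards.

    An event is raised when the License Manager itself reports a rollback,
    or when a line's timestamp is earlier than the previous parsed line's.
    """
    events = []
    prev = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or foreign line: skip it, keep the last timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        reported = ROLLBACK_RE.search(m.group(3))
        went_back = prev is not None and ts < prev
        observed = int((prev - ts).total_seconds()) if went_back else 0
        if reported or observed:
            events.append({
                "line": lineno,
                "timestamp": m.group(1),
                "pid": int(m.group(2)),
                "reported_s": int(reported.group(1)) if reported else None,
                "observed_s": observed,
            })
        prev = ts
    return events


if __name__ == "__main__":
    for host, log in (("10.10.10.159", PCAP_LOG), ("10.10.20.159", MSH_LOG)):
        for event in find_clock_rollbacks(log):
            print(host, event)
```

On these lines the observed step between adjacent timestamps is a few seconds to a few minutes smaller than the value the License Manager logs, so both figures are worth keeping when correlating with host clock changes.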


luwenpeng commented on 2023-10-23T14:40:23.993+0800:

ACC configuration of 10.10.10.159

{code:java}
[root@pcap-kvm-nz001 ~]# cat /etc/hasplm/hasplm.ini
;*************************************************************************
;*
;* Sentinel License Manager configuration file
;*
;*************************************************************************
[SERVER]
adminusername = admin
adminpassword = WYdBWQdWRJOr278f4lNPsA==:fA10BqULFHclRiz6qnryXw==:100000
certificate =
privatekey =
identity_storage_encrypt = no
pagerefresh = 3
linesperpage = 12
accremote = 1
adminremote = 1
enablehaspc2v = 0
old_files_delete_days = 90
enabledetach = 0
enableautodetach = 0
autodetachhours = 2
reservedseats = 0
reservedpercent = 0
detachmaxdays = 14
commuter_delete_days = 7
disable_um = 0
idle_session_timeout_mins = 720
requestlog = 0
loglocal = 0
logremote = 0
logadmin = 0
errorlog = 1
rotatelogs = 0
access_log_maxsize = 0
error_log_maxsize = 0
zip_logs_days = 0
delete_logs_days = 0
pidfile = 0
passacc = 0
accessfromremote = anyone
accesstoremote = 1
bind_local_only = 0
id_public_addr =
proxy = 0
proxy_host =
proxy_port = 8080
proxy_username =
proxy_password =
[REMOTE]
broadcastsearch = 1
serversearchinterval = 30
[ACCESS]
[USERS]
[VENDORS]
[EMS]
[TRUST]
[LOGPARAMETERS]
text = {timestamp} {clientaddr}:{clientport} {clientid} {method} {url} {function}({functionparams}) result ({statuscode}) {newline}
[root@pcap-kvm-nz001 ~]#
{code}

ACC configuration of 10.10.20.159

{code:java}
[root@msh-kvm-nz001 ~]# cat /etc/hasplm/hasplm.ini
;*************************************************************************
;;*
;;* Sentinel License Manager configuration file
;;*
;;*************************************************************************
[SERVER]
adminusername = admin
adminpassword = WYdBWQdWRJOr278f4lNPsA==:fA10BqULFHclRiz6qnryXw==:100000
certificate =
privatekey =
identity_storage_encrypt = no
pagerefresh = 3
linesperpage = 12
accremote = 1
adminremote = 1
enablehaspc2v = 0
old_files_delete_days = 90
enabledetach = 0
enableautodetach = 0
autodetachhours = 2
reservedseats = 0
reservedpercent = 0
detachmaxdays = 14
commuter_delete_days = 7
disable_um = 0
idle_session_timeout_mins = 720
requestlog = 0
loglocal = 0
logremote = 0
logadmin = 0
errorlog = 1
rotatelogs = 0
access_log_maxsize = 0
error_log_maxsize = 0
zip_logs_days = 0
delete_logs_days = 0
pidfile = 0
passacc = 0
accessfromremote = anyone
accesstoremote = 1
bind_local_only = 0
id_public_addr =
proxy = 0
proxy_host =
proxy_port = 8080
proxy_username =
proxy_password =
[REMOTE]
broadcastsearch = 1
serversearchinterval = 30
[ACCESS]
[USERS]
[VENDORS]
[EMS]
[TRUST]
[LOGPARAMETERS]
text = {timestamp} {clientaddr}:{clientport} {clientid} {method} {url} {function}({functionparams}) result ({statuscode}) {newline}
[root@msh-kvm-nz001 ~]#
{code}


luwenpeng commented on 2023-10-24T17:29:53.316+0800:

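Working principle

The hasp_monitor that TSG-OS uses to check the license works as follows:

1. Call the LDK API to perform login and obtain the license information

2. Call the LDK API to perform {{encrypt}} and {{decrypt}} operations; if an exception is returned, perform logout and then go to step 1

3. Sleep for 30 minutes

4. Repeat steps 2 and 3

Direct cause

Caused by the configuration of the on-site deployment environment differing from that of the R&D test environment.

When idle_session_timeout_mins is 10 minutes:

  • When hasp_monitor sleeps for 30 minutes, ACC's idle timeout is triggered and hasp_monitor's session is evicted.
  • When hasp_monitor performs the {{encrypt}}/{{decrypt}} operation again, an exception is returned, and it then logs in again to obtain new license information.

When idle_session_timeout_mins is 720 minutes:

  • When hasp_monitor sleeps for 30 minutes, ACC's session timeout is not triggered
  • Even if the license has expired, the session obtained by hasp_monitor is still valid and {{encrypt}}/{{decrypt}} operations can still be performed normally

Root cause

Regarding the phenomenon that {{encrypt}}/{{decrypt}} operations can still be performed normally after the license expires, the vendor's suggestions are as follows:

  • Suggestion 1: periodically perform login/logout to obtain new license information (the flow executed when idle_session_timeout_mins is 10)
  • Suggestion 2: update the login API to use hasp_login_scope with the die_at_expiration=1 parameter, so that {{encrypt}} and {{decrypt}} operations return an exception after the license expires

Temporary solution: use vendor suggestion 1

  • Change idle_session_timeout_mins on the on-site ACC from 720 minutes to 10 minutes
  • Restart ACC or disconnect the existing sessions so that the configuration takes effect

Final solution: use vendor suggestions 1 and 2

  • Change idle_session_timeout_mins on the on-site ACC from 720 minutes to 30 minutes
  • Update hasp_monitor to use the API that supports the die_at_expiration=1 parameter
  • Change hasp_monitor's probe interval from 30 minutes to 15 minutes; when the license information in shared memory has not been updated for more than 15*2 minutes, Firewall exits

Updating the clock

For the problem of incorrect system clocks, it is recommended to perform the update in the following order:

1. Update the host clock

2. Update the virtual machine clock

3. Restart ACC: systemctl restart hasplmd

4. Update the V2C license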

Under certain circumstances, you may want to re-enable a blocked application by changing the VClock time. This can be accomplished by receiving a C2V file for the protection key from the customer and then returning a V2C file that provides an update to the VClock time.

NOTE    Before applying a V2C file to reset the V-Clock using the system clock, the user should ensure that the system clock is set to the current date and time.

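The vendor documentation shows that, provided the system time is set correctly, the hardware key's V-Clock is only updated when the V2C license is updated again.

Notes on updating the license

It is recommended to collect the following information both {color:#FF0000}before and after{color} updating the license:

  • Whether the value of ACC->Features->Restrictions shows Expire

  • The information of each session on the ACC->Sessions page

  • The hasp_monitor logs

Pay special attention: after updating the license, check the Login Time of each session on the ACC->Sessions page to make sure that hasp_monitor on every OS has logged in again successfully (this usually takes 30 minutes).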
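
The session behaviour described in this comment, as an added simulation that is not part of the ticket or of hasp_monitor's code: it steps the login / encrypt-decrypt / sleep loop against a model of ACC and reports when, if ever, the monitor notices the expired license. The ACC behaviour is an assumed model taken from the comment's description, the expiry minute (100) is a constructed value, and all function and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    detected_at: Optional[int]  # minute the monitor first saw the expired license
    relogins: int               # logins performed after the initial one
    last_ok: int                # last minute a probe still succeeded


def simulate(idle_timeout, probe_interval, expiry,
             die_at_expiration=False, horizon=30 * 24 * 60):
    """Minute-granularity model of the hasp_monitor loop against ACC.

    Assumed ACC behaviour, taken from the ticket's description:
      * login is refused once the license has expired;
      * a session idle for longer than idle_timeout minutes is dropped;
      * encrypt/decrypt on a live session keeps succeeding after expiry,
        unless the session was opened with die_at_expiration=1.
    """
    last_used = last_ok = 0      # step 1: login at minute 0, license valid
    relogins = 0
    t = probe_interval           # step 3 (sleep) precedes every later probe
    while t <= horizon:
        expired = t >= expiry
        session_alive = (t - last_used) <= idle_timeout
        if session_alive and not (die_at_expiration and expired):
            last_used = last_ok = t               # step 2: encrypt/decrypt succeeded
        elif expired:
            return Outcome(t, relogins, last_ok)  # logout, then login is refused
        else:
            relogins += 1                         # logout, login again, new session
            last_used = last_ok = t
        t += probe_interval
    return Outcome(None, relogins, last_ok)


def firewall_exit_deadline(outcome, probe_interval):
    """Minute after which Firewall exits under the final solution's rule:
    license info in shared memory not refreshed for more than 2 probe intervals.
    Assumes the monitor refreshes shared memory only on a successful probe."""
    return outcome.last_ok + 2 * probe_interval


# Constructed scenario: the license expires 100 minutes after the first login.
EXPIRY = 100
SCENARIOS = {
    "field site (idle 720, probe 30)": dict(idle_timeout=720, probe_interval=30),
    "temporary fix (idle 10, probe 30)": dict(idle_timeout=10, probe_interval=30),
    "final fix (idle 30, probe 15, die_at_expiration)": dict(
        idle_timeout=30, probe_interval=15, die_at_expiration=True),
}

if __name__ == "__main__":
    for name, cfg in SCENARIOS.items():
        print(name, simulate(expiry=EXPIRY, **cfg))
```

With the 720-minute idle timeout the session never goes idle between 30-minute probes, so the model never observes the expiry within the 30-day horizon; the other two configurations observe it at the first probe after expiry.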


luwenpeng commented on 2023-10-25T15:09:33.677+0800:

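Recommended ACC configuration file [^hasplm.ini]

  • Disable ACC's broadcastsearch; ACC then shows only the hardware keys on the current device and not other hardware keys on the LAN

  • Adjust the log format

  • Change idle_session_timeout_mins from 720 minutes to 10 minutes

  • Adjust the logging configuration items
      • Change the log file retention period from 90 days to 30 days
      • Enable requestlog/loglocal/logremote to record the status of each OS obtaining its license
      • Enable rotatelogs/zip_logs_days and set access_log_maxsize/error_log_maxsize to 64000 bytes
      • After enabling access logging, estimate the resulting log volume
          • While the license is valid, each OS accesses ACC at most once every 15 minutes/30 minutes
          • When the license has expired, each OS requests the license information once per second, and each license entry takes 173 bytes in the log; assuming there is no license for 30 days after expiry, the log volume generated by the requests of 36 OS instances is 16G

{panel:title=Without considering log compression, the machine on which ACC is deployed needs 16G of disk space to record the logs}
173 * 36 * 3600 * 24 * 30 / 1000 / 1000 / 1000 = 16G
{panel}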

!image-2023-10-25-14-48-28-797.png!


gitlab commented on 2023-10-28T21:29:21.349+0800:

[卢文朋|https://git.mesalab.cn/luwenpeng] mentioned this issue in [a commit|1e7f7a967c] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-hasp-tools|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-hasp-tools]:{quote}bugfix: OMPUB-1041 OS licensed via HL Seats did not stop service when the license expired{quote}


gitlab commented on 2023-10-28T21:32:01.294+0800:

[卢文朋|https://git.mesalab.cn/luwenpeng] mentioned this issue in [a merge request|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/merge_requests/1871] of [TSG / tsg-os-buildimage|https://git.mesalab.cn/tsg/tsg-os-buildimage] on branch [update-hasp-tools|https://git.mesalab.cn/tsg/tsg-os-buildimage/-/tree/update-hasp-tools]:{quote}bugfix: OMPUB-1041 OS licensed via HL Seats did not stop service when the license expired{quote}


luwenpeng commented on 2023-10-30T18:44:38.123+0800:

Configuration file deployed to the site [^P19-hasplm.ini]


Attachments

Attachment: hasplm.ini

Attachment: image-2023-10-22-16-39-38-822.png

Attachment: image-2023-10-22-16-40-32-378.png

Attachment: image-2023-10-25-14-48-28-797.png

Attachment: P19-hasplm.ini