
Understanding BorderManager Licensing


LAURA PAN
Technical Writer
Common Engineering Services

ALVIN CONSTANTINO
Product Planning Manager
Novell Technical Services

01 Dec 1999


Wishing you had a Novell Consultant to help you get the most out of BorderManager? Here's a collection of implementation tips that will help you install and configure this powerful product suite.

Introduction

Significant changes to BorderManager licensing were implemented for BorderManager 3 and later. The primary change was a move away from server licenses that followed a concurrent licensing scheme to server and client licenses that follow a non-concurrent licensing scheme.

In the concurrent licensing scheme implemented for BorderManager 2.1 servers, the license count was based on the number of users simultaneously connecting through a BorderManager service at a given time, regardless of the total user count on the network. If a network had 100 users, but only 50 users simultaneously accessed a BorderManager service, a license for 50 users was sufficient. However, the concurrent licensing scheme was difficult to manage because an administrator could not accurately gauge when a license supporting a greater number of users was required. In the non-concurrent licensing scheme implemented for BorderManager 3 and later servers, the client license count is equal to the user count. A user license is required for every user who has the capability of accessing a BorderManager service.

Note: The BorderManager Firewall Services 3.5 and BorderManager Enterprise Edition 3.5 software includes Network Address Translation (NAT) and NIAS 4.2 Routing and Remote Access services. These services are also included with NetWare 5 or can be added to a NetWare 5 server from a support pack. If you want to implement these services (but not any of the other BorderManager services) on a NetWare 5 server, you are not required to purchase or license the BorderManager software.

This AppNote describes how BorderManager licensing works, how to install BorderManager licenses, how to monitor license use, and finally, how to upgrade BorderManager licenses.

The Mechanics of BorderManager Licensing

This section provides a brief description of Novell Licensing Services (NLS) and BorderManager license envelopes and certificates.

Novell Licensing Services

Novell Licensing Services (NLS) was first introduced with NetWare 5, but can also be added to NetWare 4.x servers by installing NetWare 4.x Support Packs. Refer to the individual support pack Readmes for the procedure to install NLS licensing on NetWare 4.x servers.

When NLS is installed on a server, a License Service Provider (LSP) object is created in your NDS tree. The LSP object name has the format of NLS_LSP_server_name, where server_name is the name of the server. If you have partitioned your tree, make sure that each partition of your NDS tree has an LSP. NLS-enabled software installed on a server, such as BorderManager 3.5, uses NLMs to communicate with LSPs. NLS-enabled software installed on a client workstation uses DLLs to communicate with LSPs.

Note: To ensure you are using the latest versions of the NLS LSP files, always install the latest NetWare 4.x or NetWare 5 Support Pack.

License container objects are installed in the NDS tree when you install licenses. A license container object name has the format of Vendor+Licensed Product Name+Product Version Number. For example, a license container for Novell BorderManager Authentication Services 3.5 would be Novell+BorderManager Authentication Services+350. Each license container object holds at least one license certificate. Each license certificate is displayed with a serial number.

When NLS-enabled software runs on servers, it attempts to acquire a license from an LSP. The LSP searches the NDS tree for a license container object that holds valid licenses. If a license is available, the LSP allocates a license to the software.

BorderManager License Envelopes and Certificates

Because the BorderManager 3.5 software is NLS-enabled, the BorderManager software package you purchase includes a license diskette containing NLS license envelope files. The bundling of BorderManager license certificates in these license envelopes allows you to install multiple license certificates at the same time. License envelopes for single-server installations are different than those for Master License Agreement (MLA) installations. However, both single-server and MLA license diskettes contain evaluation license envelopes for all of the BorderManager services. The evaluation license envelopes are also located in the LICENSE directory on the BorderManager CD-ROMs. If you download the BorderManager Enterprise Edition 3.5 evaluation software, the evaluation license envelopes are included with the software. The trial license certificates in the evaluation license envelopes are valid for up to 60 days after they are installed. Individual license certificate attributes enable NLS to determine whether the license certificates can be installed on a single server or on multiple servers, and whether the license certificates expire. Refer to the following table for the license envelope filenames.


 
|  | Single Server License Diskette | (Multiple Server) MLA License Diskette | Evaluation (also included on single-server or MLA license diskettes) |
|---|---|---|---|
| BorderManager Firewall Services 3.5 | BMFW.NLF | BMFWMLA.NLF | BMFWT.NLF BMVPNT.NLF BMAST.NLF |
| BorderManager VPN Services 3.5 License Diskette | BMVPN.NLF | BMVPNMLA.NLF | BMVPNT.NLF BMFWT.NLF BMAST.NLF |
| BorderManager Authentication Services 3.5 License Diskette | BMAS.NLF | BMASMLA.NLF | BMAST.NLF BMFWT.NLF BMVPNT.NLF |
| BorderManager Enterprise Edition 3.5 License Diskette | BMFW.NLF BMVPN.NLF BMAS.NLF | BMFWMLA.NLF BMVPNMLA.NLF BMASMLA.NLF | BMFWT.NLF BMVPNT.NLF BMAST.NLF |
| BorderManager Enterprise Edition 3.5 Evaluation Software | Not included | Not included | BMFWT.NLF BMVPNT.NLF BMAST.NLF |

If you purchase the BorderManager 3.5 software online from shop.novell.com or from an authorized Novell Electronic Distributor, you receive your license certificates electronically instead of on a license diskette. For more information about purchasing BorderManager licenses electronically, refer to Ordering Licenses Electronically later in this article.

By default, each BorderManager server license certificate allows five client (user) connections. Additional user licenses must be purchased to support the total number of users on your network.

Note: Based on the BorderManager 3.5 software license agreement, it is acceptable for some of the BorderManager software components to exceed the client user count. The services that fall in this category are server-to-server (site-to-site) VPNs, Novell IP gateways, Network Address Translation (NAT), and NIAS 4.2 Routing and Remote Access services.

The table below summarizes the BorderManager license certificates that are bundled in each license envelope file. The license certificates for the individual BorderManager services are sufficient to support strong authentication for VPN, proxy, SOCKS, or Authentication Services clients. You are not required to install additional license certificates to enable token authentication.


 
|  | (BorderManager Firewall Services) BMFW.NLF, BMFWMLA.NLF, or BMFWT.NLF | (BorderManager VPN Services) BMVPN.NLF, BMVPNMLA.NLF, or BMVPNT.NLF | (BorderManager Authentication Services) BMAS.NLF, BMASMLA.NLF, or BMAST.NLF |
|---|---|---|---|
| Proxy Certificate | X |  |  |
| Gateway Certificate | X |  |  |
| Site-to-Site VPN Certificate | X | X |  |
| Client-to-Site VPN Certificate |  | X |  |
| Access Control List (ACL) Certificate | X | X |  |
| Authentication Services Certificate |  |  | X |

Each BorderManager license diskette also contains a unique Novell International Cryptography Infrastructure (NICI) foundation key that is required for all BorderManager installations. The NICI foundation key on a single-server license diskette is valid for one server only, whereas the NICI foundation key on an MLA license diskette is valid for multiple servers. NetWare 5 servers have a unique NICI foundation key installed by default. The NICI foundation key enables the right type of cryptography licensed in a product.

Note: The BorderManager Enterprise Edition 3.5 evaluation software does not include a NICI foundation key. Do not install the evaluation software on a NetWare 4.x server unless you have a valid NICI foundation key. Also, the BorderManager Enterprise Edition 3.5 evaluation software does not include the Consolidated Support Pack that is on the BorderManager Enterprise Edition 3.5 CD-ROM.

Each BorderManager single-server license diskette also includes a license envelope that contains a 2-user license for NetWare 5. Because MLA customers do not receive the NetWare 5 software with their BorderManager software, BorderManager MLA license diskettes do not include NetWare 5 license envelopes.

On a BorderManager single-server license diskette, the NICI foundation key filename is *.NFK and the NetWare 5 license envelope filename is *.NLF, where * is a matching serial number.

Installing BorderManager Licenses

This section describes BorderManager license serial numbers, BorderManager license detection, and the methods to install BorderManager licenses.

BorderManager License Serial Numbers

Before you install BorderManager licenses, you should understand how the license serial numbers are used. There are two types of serial numbers. The first type of license serial number is the one that appears on your license diskette. The second type of serial number tracks the license certificates bundled in a license envelope. Unfortunately, the two types of serial numbers are unrelated. You cannot identify the exact serial numbers of your license certificates based solely on the serial number on the license diskette.

The following key points are provided to help you keep track of BorderManager license serial numbers.

  • The serial number on a BorderManager license diskette is an inventory tracking number only—for example, 94001475.

  • A single license diskette can contain multiple license envelopes, all with different license serial numbers. However, each license certificate within a license envelope shares the same license serial number.

  • Multiple license certificate objects in NDS are displayed with the same serial number if they were installed from the same license envelope. For example, if you install license certificates from the license envelope file, BMFW.NLF, the resulting four license certificate objects for the proxy, gateways, site-to-site VPN, and access control have the same serial number—for example, 95031475.

  • The first line of the PSN.DAT file on a license diskette displays the license diskette tracking number.

  • The second line of the PSN.DAT file on a license diskette displays the serial number for the primary license envelope on the diskette. The primary license envelope for a BorderManager Enterprise Edition or BorderManager Firewall Services license diskette is BMFW.NLF or BMFWMLA.NLF. The primary license envelope for a BorderManager VPN Services license diskette is BMVPN.NLF or BMVPNMLA.NLF. The primary license envelope for a BorderManager Authentication Services license diskette is BMAS.NLF or BMASMLA.NLF.

BorderManager License Detection

When the LSP on a BorderManager server receives a request for a BorderManager license, it searches the BorderManager server's context first. If it does not find an available license certificate in the server's context, it sequentially searches each container higher in the NDS tree.

It is recommended that BorderManager single-server license certificates be installed in the same container as the BorderManager server. This prevents NLS from having to "walk the NDS tree" to find an available license. However, if you do not install the license certificates in the same container as the server, make sure that they are installed in a container higher in the tree because NLS can only search for license certificates in containers above the container holding the server. For best results, all BorderManager single-server license certificates should be assigned to a specific server. However, the license certificates in a BorderManager Enterprise Edition 3.5 license envelope do not have to be assigned to the same server. For example, you can assign the proxy license certificate to one server and the authentication services license certificate to another server.

If you have a BorderManager MLA license, it is recommended that you install it in the same replica partition that holds the server objects. If the license certificates are installed in a different replica partition, there may be significant performance issues, especially if the LSP must search another replica across a WAN link.

To restrict an LSP from searching non-local partitions, do the following:

  1. In NetWare Administrator, locate the LSP object for the server. The object name has the format of NLS_LSP_server_name, where server_name is the name of the server.

  2. Right-click the LSP object and select Details.

  3. Under License Search Method, click the "Search to the root of the local partition" radio button.

  4. Click OK.
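
The search order described in this section, including the "Search to the root of the local partition" setting, can be modeled as follows. This Python code is an added example, not Novell's NLS code; the container names, server names, dates, and data structures are constructed for illustration, and treating an unassigned certificate as usable by any server is an assumption.

```python
# Added illustration: a model of the upward license search described above.
# Not Novell's NLS implementation; all names and sample data are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# License container name format from the article: Vendor+Product+Version
AUTH = "Novell+BorderManager Authentication Services+350"


@dataclass
class Certificate:
    product: str                     # name of the license container it belongs to
    assigned_server: Optional[str]   # None = not assigned to a specific server (assumption)
    expires: Optional[date] = None   # None = no expiration date


def parent_chain(context: str) -> list[str]:
    """Return the context and every container above it, nearest first.

    NDS contexts are written leaf first, so
    'West.Sales.Acme' -> ['West.Sales.Acme', 'Sales.Acme', 'Acme'].
    """
    parts = context.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def find_license(tree, server, server_context, product, today,
                 partition_root=None):
    """Walk upward from the server's container until a usable certificate is found.

    tree:           dict mapping container context -> list of Certificate
    partition_root: if set, models "Search to the root of the local partition";
                    the walk stops after this container has been searched.
    Returns (container, certificate, searched) or (None, None, searched).
    """
    searched = []
    for container in parent_chain(server_context):
        searched.append(container)
        for cert in tree.get(container, []):
            if cert.product != product:
                continue
            if cert.expires is not None and cert.expires < today:
                continue  # expired certificates remain in the tree but are unusable
            if cert.assigned_server not in (None, server):
                continue  # single-server certificate assigned to another server
            return container, cert, searched
        if container == partition_root:
            break  # do not cross into a non-local partition
    return None, None, searched


# Constructed sample tree: an expired evaluation certificate, a single-server
# certificate assigned to BM1, and an unassigned certificate at the top.
TODAY = date(1999, 12, 1)
SAMPLE_TREE = {
    "West.Sales.Acme": [Certificate(AUTH, None, expires=date(1999, 11, 1))],
    "Sales.Acme": [Certificate(AUTH, "BM1")],
    "Acme": [Certificate(AUTH, None)],
}

if __name__ == "__main__":
    cases = [
        ("BM1", "West.Sales.Acme", None),
        ("BM3", "East.Sales.Acme", None),
        ("BM3", "East.Sales.Acme", "Sales.Acme"),  # restricted to local partition
    ]
    for server, context, root in cases:
        container, _, searched = find_license(
            SAMPLE_TREE, server, context, AUTH, TODAY, partition_root=root)
        print(f"{server} in {context} (partition root: {root}): "
              f"license in {container}, searched {searched}")
```

In the sample data, BM3 never sees the certificate in West.Sales.Acme because that container is beside, not above, its own container, and with the search restricted to Sales.Acme it finds no license at all.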

You have several options for installing BorderManager licenses. The rest of this section describes each procedure and its advantages and conditions.

Using the Installation Programs to Install License Certificates

During the installation of BorderManager 3.5 software on a NetWare 5 or NetWare 4.x (4.11 or 4.2) server, you are prompted to install a BorderManager server license. The graphical installation program for NetWare 5 servers allows you to select the path to the license from a drop-down list or to enter it. You are required to enter the path when you install a BorderManager server license for a NetWare 4.x server.

Advantages: This method requires the least amount of time since it is an integrated part of the software installation. All of the license certificates are automatically assigned to the server.

Conditions: The installation program automatically installs the license certificates in the same container as the server (you cannot specify another container). All of the license certificates in a license envelope must be installed. You cannot individually select which license certificates to install.

Using LICINST to Install License Certificates

You can use LICINST at any time after the BorderManager software installation to install BorderManager license certificates.

To install a BorderManager license envelope using LICINST, do the following:

  1. Load LICINST from the system console (as opposed to the graphical console).

  2. Enter the administrative user name and password to log in to NDS.

  3. Enter the file server context. The file server context of the server from which you are running LICINST is displayed by default.

  4. Enter the path to the license. The default path is A:\.

  5. From the Select License list, press Enter to select the license envelope you want to install. The License Information window displays a brief description of the highlighted license envelope.

  6. Press Enter to install the license. A confirmation screen is displayed after the license is installed.

  7. Press Esc until you can exit LICINST.

Note: When you exit LICINST, you may encounter the message "You need to have the license installed. If you choose to exit, you can use NWAdmin to install/manage licenses." This message mistakenly appears when you have successfully installed a license and you may safely ignore it. Refer to TID #2945533 for additional details.

Advantages: You can specify the container (file server context) into which the license certificates are to be installed. All of the license certificates are automatically assigned to the server that is running LICINST. You do not need to be logged in from a client workstation.

Condition: All of the license certificates in a license envelope must be installed. You cannot individually select which license certificates to install.

Using NWAdmin to Install License Certificates

You can use NWAdmin at any time after the BorderManager software installation to install BorderManager license certificates. You must be logged in with administrative rights to the container where the license certificates will be installed.

To install a BorderManager license envelope using NWAdmin, do the following:

  1. In NWAdmin, click the container where the license certificates will be installed.

  2. From the NWAdmin menu, select Tools | Install License | Install Envelope.

  3. Browse for or enter the path to the license envelope.

  4. If necessary, deselect any license certificates you do not want to install. By default, all of the license certificates are highlighted.

  5. Click OK.

Advantages: You can specify the container into which the license certificates are to be installed. You can individually select which license certificates within a license envelope to install.

Conditions: You must be logged in from a client workstation. You must manually assign single-server (non-MLA) BorderManager license certificates to a server (refer to the last procedure in this section).

Using NLS Manager to Install License Certificates

You can use NLS Manager at any time after the BorderManager software installation to install BorderManager license certificates.

To install a BorderManager license envelope using NLS Manager, do the following:

  1. In NLS Manager, click the tree icon to view licenses in the NDS tree.

  2. Click the container where the license certificates will be installed.

  3. From the NLS Manager menu, select Actions | Install Envelope.

  4. Click Next to continue.

  5. Browse for and select the license envelope and click Next.

  6. Check the check boxes corresponding to the license certificates you want to install and click Next.

  7. Browse for and select the container where the license certificates will be installed and click Next.

  8. Click Finish. An installation summary window is displayed.

  9. Click Close to close the summary window.

Advantages: NLS Manager provides an installation wizard to guide you through the installation procedure. You can specify the container into which the license certificates are to be installed. You can individually select which license certificates within a license envelope to install.

Conditions: You must be logged in from a client workstation. You must manually assign single-server (non-MLA) BorderManager license certificates to a server (refer to the last procedure in this section).

Using NWCONFIG to Install License Certificates

You can use NWCONFIG at any time after the BorderManager software installation to install BorderManager license certificates. However, NWCONFIG is the least recommended method, especially if you already have other licenses installed. NWCONFIG displays all installed licenses in a list by serial number, which can be extremely difficult to view and navigate.

To install a BorderManager license envelope using NWCONFIG, do the following:

  1. Load NWCONFIG from the system console (as opposed to the graphical console).

  2. Select "License Options".

  3. Select "Install Licenses".

  4. Press <F3> to enter the path to the license or press <Enter> to continue if the default path is already A:\.

  5. From the Installable Licenses list, press <Enter> to select the license envelope you want to install. Another window displays a brief description of the highlighted license envelope.

  6. Press <Enter> to install the license. In the Installable Licenses list, an asterisk appears next to the license envelope you installed.

  7. Press <Esc> until you can exit NWCONFIG.

Advantages: None.

Conditions: NWCONFIG automatically installs the license certificates in the same container as the server (you cannot specify another container). All of the license certificates in a license envelope must be installed. You cannot individually select which license certificates to install. You must manually assign single-server (non-MLA) BorderManager license certificates to a server (refer to the next procedure).

Assigning a Single-Server License Certificate to a Server

If you use the BorderManager installation program or LICINST to install a single-server license envelope, the license certificates are automatically assigned to the server that is running the installation program or module. However, if you use NWAdmin, NLS Manager, or NWCONFIG to install a BorderManager single-server license envelope, each license certificate must be manually assigned to a server. You must be logged in to NDS as Admin or the owner of the license certificate to make a server assignment. The user who installed the license is automatically considered the license certificate owner.

To assign a license certificate to a server, do the following:

  1. In NWAdmin, right-click the license certificate object and select Details.

  2. Click the Assignments tab.

  3. In the File Server Assignment field, browse for or enter the server name.

  4. Click OK.

Monitoring BorderManager License Status

This section describes how to monitor BorderManager license status with NWAdmin and NLS Manager.

Monitoring BorderManager License Status with NWAdmin

The BorderManager tools in NWAdmin allow you to view real-time activity for the IP Gateway, Proxy Cache, and Virtual Private Network (VPN). To access the BorderManager tools, click the server object and select Tools | Novell BorderManager from the NWAdmin menu. The Novell BorderManager window for your server shows the license status for these BorderManager services. The License Status column lists "Yes" if the BorderManager component has a license certificate or "No" if the BorderManager component doesn't have a license certificate.

You can also check if a license certificate has an expiration date in NWAdmin. Right-click the license certificate object and click the Policy Information tab.

Monitoring BorderManager License Status with NLS Manager

NLS Manager provides more information about BorderManager licensing than NWAdmin does. When you run NLS Manager, it offers a Quick View Update feature that finds all license containers in the NDS tree. It either walks the NDS tree to find them or relies on the Licensing Catalog object that periodically scans the NDS tree for license information. You must have NDS Catalog Services installed to take advantage of the Licensing Catalog object.

Note: Quick View displays the first instance of a license certificate in a license container object. If you store multiple licenses in a single license container, the first license certificate is displayed. In general, the active license should be listed first in the license container.

As shown in Figure 1, Quick View is useful for viewing the following:

  • Location (container) of the licenses that are installed

  • Number of license units in use

  • Number of license units installed (a BorderManager evaluation license displays the value "Unlimited", a BorderManager single-server license displays the value "1")

  • Percentage of license units in use

  • Date and time of last license activity

Figure 1: NLS Manager's Quick View of licenses.

Double-click an entry (row) in Quick View to generate a license report. A license report has a graphical view and a summary view. The report's graphical view shows the number of license units used and the number of license units installed. The report's summary view shows the following statistics:

  • Date and time report was generated

  • Licensed product

  • License container context

  • Current license usage

  • Peak license usage

  • When license use exceeded the number of licenses installed

Upgrading Licenses

This section summarizes the requirements for upgrading BorderManager 3.5 evaluation licenses and BorderManager 2.1 or BorderManager 3 server licenses. This section also describes how to download licenses from an electronic distributor.

Upgrading Evaluation (Trial) Licenses

To upgrade a BorderManager 3.5 evaluation license certificate, you need only install a valid license certificate with no expiration using one of the methods previously described. You are not required to reinstall the BorderManager software unless you are upgrading from the 56-bit to the 128-bit server version.

The rights you need to install a license depend on where you want to place the license certificate object in the NDS tree. If you install the license certificate in the same container as your server, you need only be logged in as the container administrator with Supervisor rights to that container. However, if your server uses an MLA license and you want to place the license object in a different container than where your server is located, you need to log in as a user with administrative rights to both containers.

When installing new license certificates, remember that license certificate objects representing expired license certificates will remain in the NDS tree until you manually delete them. You need not delete the license container object that held the evaluation license certificate unless you do not plan to install the new license certificate in the same location.

Upgrading Server Licenses

If you are upgrading BorderManager 2.1 software, you must upgrade your server license to a BorderManager Enterprise Edition 3.5 server license and purchase the appropriate number of non-concurrent user licenses. This includes BorderManager FastCache 2.1, which allowed an unlimited number of users per server license. Unlimited users are no longer supported in any BorderManager product.

If you are upgrading BorderManager 3 software, you must install what is called a Server+-users Pack license to upgrade your server license to a BorderManager Enterprise Edition 3.5 server license. However, you are not required to purchase BorderManager 3.5 user licenses unless your user count has increased. When you install the Server+-users Pack license, all users who were previously licensed to use the BorderManager 3 software automatically become licensed users of the BorderManager Enterprise Edition 3.5 software.

Ordering Licenses Electronically

As an alternative to license fulfillment through traditional reseller channels, you can now order BorderManager server or user licenses electronically from shop.novell.com, or if you participate in a Novell Customer Connections licensing program, from a Novell-authorized Electronic Distributor, such as BITSource. Shop.novell.com and Novell distribution partners who qualify as Electronic Distributors enable you to download the licenses you purchase over the Internet.

Electronic license files contain your proof of purchase, software license agreement, and license certificates. To obtain and use these items, you must:

  • Submit your order online

  • Download Sm@rtCert

  • Access a secure, e-commerce Web site

  • Use Sm@rtCert to download your license certificates

  • Install the license certificates

Sm@rtCert is an executable file that links you to a secure Web site where all your purchased licenses are located. (Sm@rtCert is not a self-extracting file; it does not contain your actual licenses.)

To download Sm@rtCert, complete the following steps:

  1. Format a diskette. You will download Sm@rtCert to this diskette.

  2. Label the Sm@rtCert diskette.

  3. Insert the Sm@rtCert diskette into drive A:\.

  4. From your Web browser, access the URL you were given to the secure Web site.

  5. At the Save As screen, save the Sm@rtCert program to the diskette.

  6. Make a backup of the Sm@rtCert program on your client workstation's hard drive as a safety measure and for future use.

To download an electronic license, do the following:

  1. Format a diskette. You will download your license certificates to this diskette.

  2. Label the diskette with the license envelope filenames you will download.

  3. Insert the license diskette into drive A:\.

  4. Run the Sm@rtCert program you saved in Step 5 above.

  5. Click the Registration button to access Novell's product registration page to register your product.

  6. From the Sm@rtCert screen, select the tab for the license certificate you want to download.

Note: The number of tabs you see on your Sm@rtCert screen corresponds to the number of license certificates you purchased. If you purchased only one license certificate, that certificate tab is automatically selected. Sm@rtCert can display up to 15 tabs only. If you purchased more than 15 license certificates, you will receive additional Sm@rtCert programs to fulfill the number of license certificates you need to download.

  7. Click Download.

  8. Read and accept the license agreement.

  9. Select drive A:\ as the location for the download.

  10. Click OK to copy the license certificates to your license diskette.

  11. Repeat Step 3 through Step 7 for each license certificate fulfilled by this instance of Sm@rtCert.

Conclusion

This AppNote provided an overview of BorderManager licensing requirements, the utilities to install and monitor license use, and how to download licenses electronically.

More information about NLS can be found in the NetWare 5 documentation or in the January 1999 AppNote, "A Closer Look at Novell Licensing Services in NetWare 5".

For more information about Novell's Electronic Distributor program, access the Electronic Distributor Program Fact Sheet at http://www.novell.com/news/press/pressroom/news_brief/fact_sheet.html.

For more information about BITSource, the first company to deliver volume licenses to corporate customers in North America through Novell resellers, access http://www.bitsource.com.

* Originally published in Novell AppNotes

