HCL Digital Experience Cloud Native 9.5 entitlement checks
The HCL Software License Portal supports entitlement checking for several HCL Software solutions, including the HCL Digital Experience (DX) Cloud Native 9.5 Tier 1 – 7 offerings within the HCL DX portfolio. This enables customers to track their purchased software entitlement periods, and usage levels.
Overview
Beginning with HCL DX 9.5 Container Update CF207, customers deploying to supported Kubernetes platforms must specify certain entitlement check parameters within your HCL Digital Experience Cloud Native 9.5 Tier 1 – 7 installations to accomplish entitlement checks. If you do not specify these entitlement check parameters, or fail to configure them correctly, then the entitlement check will not pass and will enter the grace period. To learn more about the various entitlement check scenarios, see HCL DX Cloud Native 9.5 entitlement check scenarios.
Optionally, you can configure a local Flexnet entitlement server for enhanced control over the security of entitlement checks within your environments. With this option, you can dedicate a machine to act as a local Flexnet entitlement server. You can remain in entitlement compliance without the need for outbound connections to the HCL-hosted Flexnet entitlement service from your HCL DX Cloud Native 9.5 Kubernetes installations.
A local Flexnet entitlement server can itself also be configured to function without the need for outbound connections, with the offline version of the HCL Flexnet Embedded License Server. With outbound connections disabled, however, a member of your development team is required to manually update the entitlement server periodically, to verify entitlement with HCL. See the topic: Configuring a local Flexnet License Server for more information.
During the grace period, errors are displayed in the DX Kubernetes deployment server logs. If you encounter these errors, contact HCL Support to resolve the issue. For more information on Flexnet user and device management, see What is the HCL License & Delivery Portal (FlexNet Portal?) knowledge article on the HCL Customer Support portal.
Note
Entitlement checking is not implemented in HCL DX Cloud Native v9.5 software that is deployed to supported specified Operating Systems (e.g. Windows, Linux or IBM AIX). Customers deploying HCL DX Cloud Native v9.5 software to these platforms should plan to measure and report the total number of User Sessions consumed per contract year, in accordance with the terms of the HCL DX Cloud Native v9.5 license.
Customers can use web analytics reporting software such as Google Analytics to track user session consumption in their DX v9.5 production deployments. Reference Integrate Google Analytics with HCL Digital Experience topic Help Center topic for more information.
Prerequisites
The following are the prerequisites for configuring the DX Cloud Native V9.5 entitlements to be deployed to supported Kubernetes platforms to your HCL Flexnet License and Delivery Portal instance for entitlement checking:
- HCL Software Account and access to the HCL Software License & Delivery Portal.
- Valid HCL DX Cloud Native 9.5 (Tier 1 – 7) offering part(s) have been purchased and issued by the HCL Software licensing team.
- Your DX Cloud Native 9.5 (Tier 1 – 7) entitlements are mapped to your HCL Software License portal instance(s).
- See the How to check your Entitlements and Map Entitlements sections in the instructions: What is the HCL Software License & Download Portal? for guidance to locate and map your entitlements to your deployment servers.
- You plan to deploy or update to an HCL DX 9.5 Container Update CF207 or higher release.
Review the Architecture that presents the License Manager component of HCL DX v9.5 Container Update software below.
Architecture
The License Manager component communicates with the HCL Flexnet server to validate license entitlement periods for HCL Digital Experience Cloud Native V9.5 Tier 1 – 7 software, once configured in the DX Cloud Native 9.5 deployment Helm chart. The License Manager component also transmits user session consumption from the customer’s production DX Cloud Native 9.5 deployments to their specific Flexnet entitlements dashboard.
Follow the configuration steps outlined in the Procedure section below before you deploy a new or update an existing DX 9.5 Container deployment. These steps allow you to configure the DX Cloud Native 9.5 Tier 1 – 7 deployment Helm chart and enable the License Manager entitlement checking functions.
Procedure
-
Obtain access to the HCL License and Delivery Portal for your organization. Here you can download the Flexnex entitlement server software, as well as manage your Flexnet entitlement usernames, passwords, and device IDs. Entitlement verification is performed against the HCL- hosted Flexnet entitlement server. !!!important For remote entitlement checks to succeed, ensure that your system and network firewalls allow for outbound connections to
hclsoftware.compliance.flexnetoperations.com
. -
Configure your HCL DX Cloud Native 9.5 software for entitlement checks. This is done by making adjustments to your HCL DX deployment Helm chart. These adjustments can be made to a new or existing deployment.
-
Look for the following information that you will configure in the DX 9.5 Container Update CF207 or later Helm chart to enable License Manager and Flexnet entitlement checking.
-
These properties need to be configured to your entitlements to the applicable DX Cloud Native 9.5 Tier 1 – 7 offering parts that you have previously mapped to your HCL Software server devices defined in the HCL Software License Portal. See the Pre-requisites section for instructions.
# License Manager Configuration Controls which application is deployed and configured applications: # License Manager # If using the HCL DX 9.5 Cloud Native Tier 1 – 7 software and licensing you are required to set this to true. # The License Manager service manages the license requirements for your DX deployment. licenseManager: <boolean> configuration: # License Manager Configuration licenseManager: # Configures if this environment is a production environment. # For non production environments user sessions are not counted but the license # must still be validated. productionEnvironment: true # Flexnet License Server ID licenseServerId: "LICENSE_SERVER_ID" # Flexnet License Server URL licenseServerUri: "LICENSE_SERVER_URI" # Flexnet License Server's Configured Features licenseFeatureNameWithVersion: "LICENSE_SERVER_FEATURE_WITH_VERSION" # Flexnet License Username licenseManagerUser: "LICENSE_USERNAME" # Flexnet License Password licenseManagerPassword: "LICENSE_PASSWORD"
Using entitlements and device properties you have defined via the mapping process,you will configure those properties to your Helm chart to validate the entitlement period for your software. Once completed, your DX 9.5 Container Update 207 and higher deployments will verify the entitlement period is valid for your HCL DX Cloud Native 9.5 Tier 1 – 7 subscription entitlement(s).
-
Configure the following items to your DX 9.5 Container Update CF207 or later Helm chart according to the DX Cloud Native 9.5 entitlement(s) (Tier 1 – 7) you are entitled to and have mapped to your HCL Flexnet Server instance:
productionEnvironment:true
- Configure this variable to true if this deployment will be used to support a Production deployment. See the HCL DX 9.5 license document for the definitions of production and non-production deployments.licenseServer ID
– configure to your HCL Flexnet Software licenseServer ID.licenseServer URL
– verify your connection to the HCL Flexnet Server URL. Ensure that your system and network firewalls allow for outbound connections to hclsoftware.compliance.flexnetoperations.com.licenseFeatureNameWithVersion
– Configure this variable according to the HCL DX Cloud Native 9.5 Tier 1 – 7 offering part your organization has acquired and is mapped to your HCL Flexnet server instance(s). See Table HCL DX Cloud Native 9.5 Tier 1 – 7 parts and Flexnet License Server Feature Name below.licenseManagerUser
– Configure this variable with the user name of the administrator authenticated to manage your HCL Software License Portal entitlements.licenseManagerPassword
– Configure this variable with the password associated with the user name of the administrator to manage your HCL Software License Portal entitlements defined in the previous step.
-
(Optional) Create and upload a public/private key pair. The License Manager uses a default key when no custom key is configured.
HCL DX Cloud Native 9.5 Tier 1 – 7 parts and HCL Flexnet License Server Feature Name
HCL Digital Experience Cloud Native 9.5 Part Description Part Number | Part Number | Feature Name |
---|---|---|
HCL Digital Experience Cloud Native Tier 1, 12 Month Term License & S&S, 1-500K User Sessions | TN100928Y01 | DXPN_CloudNative_Tier1_500K@9.5 |
HCL Digital Experience Cloud Native Tier 2, 12 Month Term License & S&S, 500K-2M User Sessions | TN100929Y01 | DXPN_CloudNative_Tier2_2M@9.5 |
HCL Digital Experience Cloud Native Tier 3, 12 Month Term License & S&S, 2M-6M User Sessions | TN100930Y01 | DXPN_CloudNative_Tier3_6M@9.5 |
HCL Digital Experience Cloud Native Tier 4, 12 Month Term License & S&S, 6M-12M User Sessions | TN100931Y01 | DXPN_CloudNative_Tier4_12M@9.5 |
HCL Digital Experience Cloud Native Tier 5, 12 Month Term License & S&S, 12M-24M User Sessions | TN100932Y01 | DXPN_CloudNative_Tier5_24M@9.5 |
HCL Digital Experience Cloud Native Tier 6, 12 Month Term License & S&S, 24M-60M User Sessions | TN100933Y01 | DXPN_CloudNative_Tier6_60M@9.5 |
HCL Digital Experience Cloud Native Tier 7, 12 Month Term License & S&S, 60M-120M User Sessions | TN100934Y01 | DXPN_CloudNative_Tier7_120M@9.5 |
Example values configured to an HCL DX Cloud Native 9.5 deployment Helm chart are provided below:
configuration:
# License Manager Configuration
licenseManager:
# Configures if flexnet license checking is enabled
productionEnvironment: true
# Flexnet License Server ID
licenseServerId: "Q8A6YCZ3A4GH"
# Flexnet License Server URL
licenseServerUri: "https://hclsoftware.compliance.flexnetoperations.com"
# Flexnet License Server's Configured Features
licenseFeatureNameWithVersion: "DXPN_CloudNative_Tier1_500K@9.5"
# Flexnet License Username
licenseManagerUser: "admin"
# Flexnet License Password
licenseManagerPassword: "mypassword"
Reminder
These properties should be configured to your Helm chart BEFORE installing the environment or if making changes to the environment, before executing the DX 9.5 ContainerUpdate 207 or later Helm upgrade to your HCL Digital Experience Cloud Native 9.5 production or non-production deployment. For more information on the Helm configuration steps to manage DX 9.5 Container Update upgrades, reference this Help Center topic: Upgrade the Helm deployment to the latest version.
Results
Your HCL DX Cloud Native 9.5 environments have been configured for entitlement checks that will validate your deployment software remains in the purchased timeframe.
Ensure that your entitlement checks are succeeding by viewing your HCL DX 9.5 Container Update Server License Manager pod logs.
Use kubectl logs for the license manager pod. For example in a namespace dxns, execute the following command:
kubectl logs pod/<release-name>-license-manager-0 -n <namespace>
See the HCL DX Cloud Native 9.5 entitlement check scenarios for success and error messages and how to manage in the HCL Digital Experience Cloud Native 9.5 entitlement check scenarios topic.
Entitlement checking to ensure the entitlement period for the DX Cloud Native 9.5 part is valid for the purchased term will be initiated at deployment start, upgrade, or configuration change processes. Entitlement checking will also occur once per day for active deployments.
Refer to Configuring a local HCL Flexnet entitlement server topic for additional configurations needed to enable connectivity to a local license server.
Securing License Server communication for License Manager application
Secure communication between HCL DX and the HCL License Server (cloud or local) involves signed content using a public and private keypair. HCL DX signs licensing requests with the private key and the License Server verifies signatures with the corresponding public key.
Note
The License Manager expects the public key to be uploaded to the License Server beforehand and the private key to be passed as a secret in the Helm values. However, if the private key is not provided, the default key is used and uploaded automatically.
Generating a Public/Private Keypair
Generate a public/private keypair to be used for secure communication. Refer to the following list for the required format:
- The keypair must be in “RSA 2048-bit” format.
- The private key must be “pksc8” format.
- The public key must be in “DER” format.
Various third-party tools are available for generating this keypair. Refer to the documentation supplied with the third-party tool for instructions. The following is an example of keypair generation using OpenSSL:
# Generate private key
openssl genrsa -out portal_private_key.pem 2048
# Get the public key.
openssl rsa -in portal_private_key.pem -pubout -outform DER -out portal_public_key.der
# Convert private key to pkcs8 format to use it with HCL Portal
openssl pkcs8 -topk8 -inform PEM -outform PEM -in portal_private_key.pem -out portal_private_key_pkcs8.pem -nocrypt
Uploading Public Key
Refer to the following instructions to upload the public key to your License Server using the provided command line tool.
Get the Bearer Authentication from Flexnet using authorize endpoint:
curl --location 'https://hclsoftware.compliance.flexnetoperations.com/api/1.0/instances/<instance ID>/authorize' \
--header 'Content-Type: application/json' \
--data-raw '{"password":"XXXXXXX","user":"XXXXXXX"}'
{
"expires": "2023-12-19T05:39:28.850Z",
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IlE4QTVZQ1ozQTRHSCIsImlhdCI6MTcwMjg3Nzk2OCwiZXhwIjoxNzAyOTY0MzY4LCJyb2xlcyI6IlJPTEVfQURNSU4sUk9MRV9EUk9QQ0xJRU5ULFJPTEVfUkVBRCxST0xFX1JFU0VSVkFUSU9OUyIsInhzcmZUb2tlbiI6IjRmOWRjMGFkLWQ1MGMtNGZhZi05YmE0LTc0N2ZmMjJjODQ0MiJ9.mvuXXJNfew-WzJ7CX8Y8yH339zX3SNpaX79jMTu-shanE8nHPfZRA240EAsVO64nMxFAPyr_8gP7JOLRQ2XOeA"
}
Upload the public key to the Flexnet server:
curl --location 'https://hclsoftware.compliance.flexnetoperations.com/api/1.0/instances/<instance ID>/rest_licensing_keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IlE4QTVZQ1ozQTRHSCIsImlhdCI6MTcwMTk0NTY5NCwiZXhwIjoxNzAyMDMyMDk0LCJyb2xlcyI6IlJPTEVfQURNSU4sUk9MRV9EUk9QQ0xJRU5ULFJPTEIOPKLVBRCxST0xFX1JFU0VSVkFUSU9OUyIsInhzcmZUb2tlbiI6IjI0MjRiOTgwLWY2ZDEtNGViYi04NWQ5LTI3YmQzMTJmYzIwZiJ9.JR0fnMZyyMY4wwPtE9kMWD2kvbxLgBplq2X-wgmYpe7COFW-5IVvdLmdaRvb0AydSKHf3DKPDGVrd2dubr9Lbw' \
--header 'Content-Type: application/octet-stream' \
--data '@/Flexnet-release/portal_public_key.der'
{
"publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAUUUIPHJnjgPOMnbqsjqsL29p313tvMpV0QjIDT03traV3v4UnUuIrIYmYPerzQJsVzoKZHU0IYA9FZTLXP4uJMPTwNJhDVtbki5Fbx4h9U2c7h78QCFne07kdtAeBh0keReFklpj7CJbOi4RhqSX6uaZ/gBOg+RMT6/q9Oxkry31WvqISNWlAXmyfNQTo/GMUe4dKpbEBGPOLKRESHlBXnqrqPw+EqlrJDiJSr/TIfLokm8qFLSzBwYahhi6L0gnLmnuEPPfkxFwhjaSjdb336dVGzkRc1AsS9L0TDTtQBzUxkL6cIW+EzxXOyWnT2ekcFMripuyXBG80UkhXKTVpRwj/nXeXQIDAQAB"
}
Helm Chart Configuration to enable private key in License Manager Deployment
Create your secret using a private Key:
kubectl create secret generic <secret name> --from-file=privateKey=portal_private_key_pkcs8.pem -n <namespace>
security:
licenseManager:
customFlexnetLicenseManagerPrivateKeySecret: <secret name>
Note
For multiple instances running with the same entitlement and license server, all instances must either: - Use the same private key - Not have configured a private key
Revoking of public key from Flexnet
If you need to revoke the public key from Flexnet, refer to the following steps. To complete the revocation process, you must provide the Bearer Authentication token to authenticate the request. Note that without the token, the revocation process cannot be completed.
Get the Bearer Authentication from Flextnet using authorize endpoint:
curl --location 'https://hclsoftware.compliance.flexnetoperations.com/api/1.0/instances/<instance ID>/authorize' \
--header 'Content-Type: application/json' \
--data-raw '{"password":"XXXXXXX","user":"XXXXXXX"}'
{
"expires": "2023-12-19T05:39:28.850Z",
"token": "eyJ0eXAiOiJKV1QiLCJhbXXXYYYUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IlE4QTVZQ1ozQYUPLFWNUISQACIsImlhdCI6MTcwMjg3Nzk2OCwiZXhwIjoxNzAyOTY0MzY4LCJyb2xlcyI6IlJPTEVfQURNSU4sUk9MRV9EUk9QQ0xJRU5ULFJPTEVfUkVBRCxST0xFX1JFU0VSVkFUSU9OUyIsInhzcmZUb2tlbiI6IjRmOWRjMGFkLWQ1MGMtNGZhZi05YmE0LTc0N2ZmMjJjODQ0MiJ9.mvuXXJNfew-WzJ7CX8Y8yH339zX3SNpaX79jMTu-shanE8nHPfZRA240EAsVO64nMxFAPyr_8gP7JOLRQ2XOeA"
}
curl --location --request DELETE 'https://hclsoftware.compliance.flexnetoperations.com/api/1.0/instances/<instance ID>/rest_licensing_keys' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IlE4QTVZQ1ozQTRHSCIsImlhdCI6MTcwMzQ5ODg0MywiZXhwIjoxNzAzNTg1MjQzLCJyb2xlcyI6IlJPTEVfQURNSU4sUk9MRV9EUk9QQ0xJRU5ULFJPTEVfUkVBRCxST0xFX1JFU0VSVkFUSU9OUyIsInhzcmZUb2tlbiI6IjJlYTNjM2U3LWQ3MDEtNDFjMS05NWQ2LWEyOTMzZjBlNTQwNyJ9.u8ZAF4SpBoLucxPA0WaEtcDkuQVT3ZCGx-qAtHYbcZDD%YYBBzqvYWkxN3fTRHjNRKE0idV8bh5Zs75KSvU9A'