This article is for server administrators to configure advanced server settings and usage logging using a legacy Zemax OpticStudio, OpticsViewer or OpticsBuilder network softkey or Red USB hardkey license.
If you are using an Ansys-licensed version of Zemax software and Ansys License Manager 2022 R2 or newer, see Ansys Zemax licensing overview and guides.
Authored By Don Dickinson
Introduction
This covers basic logging of license usage, password protection, user and computer restrictions, as well as the detachable license (check out) feature to use a license seat when not connected to the network.
Getting Started
Before proceeding, please read:
This article only applies to servers Zemax legacy licenses products with a softkey or Red USB network license, that have a license serial number such as L100000 or T100000 and use the Zemax License Manager application.
If you are using an Ansys-licensed version of Zemax software and Ansys License Manager 2022 R2 or newer, see Ansys Zemax licensing overview and guides.
If you have a Black USB network license (license numbers 22000-40999), refer to "Monitor and log usage of the Black USB network license."
Also, you need to complete the steps to setup the network license on the keyserver. For instructions on how to do this, see "How to configure the keyserver for Zemax network licenses."
Introducing the Sentinel Admin Control Center
The Sentinel Admin Control Center on your network license server contains all the advanced settings to secure, control and monitor the network license and client machines. By default, this Sentinel Admin Control Center (ACC) page is accessible from any client machine as well as the server machine, unless you restrict remote admin access or set a password. The options to secure the server are covered below.
To get started with configuration, on the keyserver machine hosting the network license, open the Zemax License Manager (ZLM) from Windows Start...Zemax License Manager. Then select Launch Sentinel Admin Control Center. For versions of the ZLM dated November 2018 or earlier, this is located at the top of the window. For versions of the ZLM dated June 2019 or later, this is located under the "Troubleshoot" section. Note: You can also open a browser window on the server machine and go to http://localhost:1947.
After doing so, your web browser will open to the Sentinel Admin Control Center Help page.
Click on Sentinel Keys. This page shows all available licenses found on this machine and elsewhere on your network. Licenses with "Location: Local” are hosted on this machine. Licenses hosted on other machines will show the "Location: XXXXXX," where "XXXXXX" is the computer name. You can click on the computer name to open the Admin Control Center on other machines (if permissions on those machines allow).
Note: Zemax licenses are listed as "Vendor: 114811." If you have Sentinel licenses from other vendors, they will be listed with a different Vendor number.
For the local machine, you can then select Features, under either Actions of from the left-hand navigation pane. The Features page will tell you details about each license, including the total number of seats available under "Limit" (in the screenshot below, the Limit is 5) and the type of Zemax license under "Product" and "Feature." This example is a Professional Edition OpticStudio Network license.
This section has provided an overview of the general UI and functionality in the Sentinel Admin Control Center. The following sections will describe more specific functionality.
Configuration settings
This section provides a more detailed discussion of the most important settings in the Sentinel Admin Control Center (ACC). These include allowing remote access, setting a password. Each section below will refer to the following image describing different regions of the ACC.
Allow remote access
To allow other machines remote access to the ACC on your machine, under Basic Settings, check Allow Remote Access to ACC. This option is checked upon the default installation. When checked, the Sentinel Admin Control Center page is accessible from any machine that can view the server. Client machines can access the Control Center by navigating in an internet browser to http://{network.host.IP.address}:1947. With this option enabled, other machines can view the Sessions to identify who is accessing a particular license or change settings via the Configuration page. See the next section on how to set a password to restrict access to the admin control center, or just the configuration settings.
Removing the check from this box will only disallow remote access to the Sentinel Admin Control Center on the server. It does NOT keep users from accessing installed licenses.
Tip: To confirm that removing the checkmark from "Allow Remote Access" is set, try to access the server's Sentinel Admin Control Center page from another machine. Substitute the machine name for "localhost", so it would be something like http://servername:1947 .You will get a "403: Forbidden" error.
Set a password
By default, there is no password set to access the ACC on your machine. This means that if "Allow Remote Access to ACC" is checked, any other machine on the network can access your machine's ACC. You can add a password to prevent local and remote users from changing settings or seeing the license information on the server without authenticating with a password. If you only need to lockout remote users from access to the keyserver's Admin Control Center, you can remove the check the "Allow Remote Access to ACC" box at the tops of this page instead.
To set a password follow these steps:
- Choose either Configuration Pages or All ACC pages. We recommend setting it to Configuration Pages only. This allows anyone to view current license information and usage but blocks the ability to modify any of the configuration settings.
If you set a password for "All ACC pages" your softkey license will not be visible in the Zemax License Manager on the server, as the license manager has no way to enter a password when retrieving key information. However, clients will still be able to see and use the license. Licenses will still be visible to client machine either way. - Select Change Password.
- You will be asked to supply a new password. If there is no current password set, leave Current Admin Password blank. Enter a password in the New Admin Password field and Re-enter new admin password. Click Submit to confirm it.
- After submitting the new password, you will get an authentication popup to enter the new password. Leave the User Name field empty, as there is no username required. Type the new password you just set and you will get logged back in to the Admin Control Center.
- If you need to remove the password, just click Change Password again. You will be prompted for the current password. Just leave both New and Re-enter Admin Password fields blank and Submit. If you do not have or forgot the current password, move the to next section of this article.
Reset a password
If you forget the password you set, it can be removed. To do so:
- Using Notepad, open the file "hasplm.ini" located in C:\Program Files (x86)\Common Files\Aladdin Shared\HASP folder.
- Delete the encrypted password (everything after the equals sign) on the line adminpassword. Re-save the file. You will need administrator rights to do so.
- Restart the Sentinel LDK License Manager service using the instructions below.
- Close and re-open all instances of your web browser.
Additional built-in help on the password feature can be found here.
Log errors
Basic access and error logs are available so you can see any errors with loading the licensing service, accessing the license from clients, and license activation or transfer issues.
To begin logging errors, navigate to Configuration...Basic Settings and select Write an error log file.We suggest you do not check this box unless directed by Zemax support when troubleshooting an issue. To limit the size of the log files you can set a size limit. When the log file reaches the size specified (0 - 9999 KB) in Size Limit, the file is closed and a new log file is started. If Size Limit is set to 0, the log file is never closed.
To view the error log file, it is a text file called error_114811.log located in C:\Program Files (x86)\Common files\Alladin Shared\HASP
Manage license access
This section describes how to manage both user and client access to the license hosted on the keyserver. It discusses the settings needed to view active license sessions, restrict access to specific licenses, and log license usage.
View active sessions
Select Sessions along the left-hand navigation to see each license seat in active use. From here, you can see each current user’s ID, IP Address, machine name, and login time. There is also a Disconnect option but OpticStudio will not release a license seat unless the end-user closes the application.
Note: The sessions list does not include detached/checked-out licenses in use by client machines. See the section "View checked out licenses" to view information on checked-out licenses.
Restrict users
In this section, we discuss how to allow or deny access to the license from specific users on the local network. The default with no rules set is to allow all users access to the network license.
NOTE: If you are using a subscription license that requires the "end users" login to the license, then the end user list on the Zemax web site supercedes this one.
You can confirm if your license requires end users login by checking the Zemax license Manager. If it has an "activated" checkbox then you do not need to follow this section. Assign end users on Zemax.com instead.
See the section "Restricting client machine license access" for details on how to restrict license access for specific client machines.
Click Show Recent Users to display a list of users who have recently accessed licenses on this machine. From the popup window that appears, you can explicitly select to block or allow users individually "on the fly" so you don't have to add them to the "User Restrictions" list manually.
You can also combine user and machine rules (like allow certain users only from a certain machine access to a license) by replacing @all with the IP address or machine name. Further details on rules are available on the Configuring User Settings page in the ACC.
When restricting access to license for specific users, you should note the following about the user restrictions list:
- The username is based on the Windows username. To verify the format of the username, click the Show Recent Users button.
- The list of rules is processed from top to bottom (similar to Apache and other products).
- Note that allow=all@all will automatically be the added as the last item on the list. If you want to restrict all users except certain ones, just make sure deny=all is at the bottom of the list, but above allow=all@all like Example B below.
- These rules are shared by all Sentinel Licensed products you have installed on the machine. For example, if you have both OpticStudio Pro and Premium network licenses, you cannot block users from one or the other. You would need to move one license to another machine or VM then set rules on that machine**.
Also, note that you can add rules so only certain users or computers can access certain products. This eliminates the need to host licenses on different servers if you want to have separate rules for each. This feature was added as of the Sentinel LDK Runtime 7.60. Check the diagnostics page of the Admin Control Center to see the runtime version you currently have installed. The 7.60 LDK release (or newer) is included with the Zemax License Manager and Opticstudio in versions dated May 2018 or later (OpticStudio 18.4). If you want access to this Sentinel LDK feature with an earlier version of the ZLM or OpticStudio, you may install the latest Sentinel LDK runtime separately. Refer to "How to troubleshoot softkey license issues" for instructions.
To allow or deny access to a specific product or key ID (license) for a specific client, follow the instructions below.
- In the ACC, navigate to Features and identify the desired Product or Key ID from the list. Note: we recommend using Product rather than Key ID, as the Key ID field will change after a license replacement.
- After noting the Product or Key ID, navigate to Configuration...Users.
- Use the User Restrictions field to modify which users have access to the desired license.
Tip: If you want to verify what the usernames are, click Show Recent Users. It will give you a list of those who accessed the license in the last 24 hours or so.
Tip: Before beginning, be sure to add a rule to allow the server access to the license. This ensures the Zemax License Manager can see and transfer it properly. To do so, include the following line as the first rule on the list and submit it. Replace SERVERNAME with the actual name of the machine listed at the top of the Admin Control Center.allow=all@SERVERNAME
Three examples of the syntax required for this process are outlined below:
- Allow all users except user1, user2, and user3 access to all licenses.
allow=all@all
deny=user1@all
deny=user2@all
deny=user3@all
- Allow only user1, user2, and user3 access to licenses. Notice the "deny=all@all" after the list of users and before "allow=all@all".
allow=user1@all
allow=user2@all
allow=user3@alldeny=all@all
allow=all@all
- Deny USER1 access to an OpticStudio Premium-Network license (Product 21) with Key ID 410177719861922512. Allow USER2, USER3, and USER4 access to the same license.
deny=USER1,product:21,key:410177719861922512
- Deny all users at COMPUTER1 access to the same license.
deny=all@COMPUTER1,product:21,key:1410177719861922512
- Press Submit when you are finished.
Restrict client machines
In this section, we discuss how to allow or deny access to the license from specific client machines on the local network. The default with no rules set is to allow all client machines access to the network license. See the section "Restricting user license access" for details on how to restrict license access for specific users.
Before getting started, note that Allow Access from Remote Clients must remain checked on the keyserver machine, or clients will not be able to see the license on the server.
You can also restrict certain computers from using the license. Click Show Recent Client Access to display a list of users who have recently accessed licenses on this machine. You can block or allow machines "on the fly". That way you don't have to add them to the "Access Restrictions" list manually.
When restricting access to license for specific clients, you should note the following about the access restrictions list:
- You can use either an IP address or computer name. We recommend using the computer name as IP addresses are generally dynamic and may change.
- These rules are shared by all Sentinel Licenses you have installed on the machine. For example, if you have both OpticStudio Pro and Premium network licenses, you cannot block computers from one or the other. You would need to move one license to another machine or VM then set rules on that machine.
- The list of rules is processed from top to bottom (similar to Apache and other products).
- Note that allow=all@all will automatically be the added as the last item on the list. If you want to restrict all users except certain ones, just make sure deny=all is above allow=all@all like Example 2 below.
To set the rules manually, the rules are similar to the above "Users" settings page. Examples are below. See the Configuring Access from Remote Clients page in the ACC for other details.
- Allow all machines except the 5 machines listed to use the license.
- Allow only the 5 machines listed access to the license. Notice the deny=all is after the list of users and before "allow=all@all".
Log license usage
Sentinel Admin Control Center logging is available but is limited in the information it tracks. It makes a simple text file based on about 20 predefined parameters. Basic access logs let you see how many sessions have been open at once in the past as well as checked out license seats.
Important note on logging: There is no documentation or a utility application available from the license vendor (Thales) to help setup the log parameters nor interpret the logs beyond this guide and the built in help @ http://localhost:1947/_int_/ACC_help_edit_log_template.html
If you would like to see more detailed license usage over time, there are third party utilities to do so. One option is covered in the article Monitoring concurrent users to track network license utilization instead.
To enable basic logs of usage of the Zemax License from client machines follow these steps:
- Check the Write an Access Log File box. To limit the size of the log files you can set a size limit. When the log file reaches the size specified (0 - 9999 KB) in Size Limit, the file is closed and a new log file is started. If Size Limit is set to 0, the log file is never closed.
- Check the Include Remote Requests box. This is what enables logging usage of the license seats from client machines.
The following optional check boxes are available:
- Include Local Requests: Logs license requests from the current machine (Normally not useful for servers unless you also run your Zemax application on the server)
- Include Administration Requests: Logs requests made to Sentinel License Manager by Admin Control Center (no license information is tracked). The admin requests are logged with [ACC] or [SRM] prefixes in the log file.
- Click Submit at the bottom of the page.
- Click the Edit Log Parameters button to configure the formatting and set the information you want to log. See the ACC Edit Log Parameters page for details on how to format the log files. Note: I recommend including commas in between each parameter of the "log parameters" page if you want the file to be saved in a format that you can open with Excel or other software.
The log files are text files and so can be opened with Notepad or similar editors. To view the access log, it is stored with the filename access.log in one of the following folders:
- ..\Program Files (X86)\common files\aladdin shared\HASP\log (if Write Log Files Daily is checked)
- ..\Program Files (X86)\common files\aladdin shared\HASP\ (if Write Log Files Daily is not checked)
License check out
This section will describe how to manage license seat check out settings on the keyserver machine. For details on the check out process for client machines, refer to "How to configure the keyserver and clients for OpticStudio network licenses."
Softkeys are able to permit license check-out on a client machine, which allows the client to remove a seat from the network key. It will be hosted on the local machine for a limited loan period. During this loan period, the client machine can be taken offline while maintaining access to its license seat.
To maximize the availability of seats, we recommend clients not check out a license seat unless they have a specific need to use it offline or dedicate a seat for a period of time.
Note that client machines do not need any configuration to use this feature, it is built in to the Zemax License Manager.
Note: This feature is for softkey licenses only. Red USB network keys are not capable of license check out.
By default, when the license is initially activated on the keyserver, license check-out is disabled. To enable the check out functionality on the server, navigate to Configuration...Detachable Licenses and check Enable Detaching of Licenses.
In the Detachable Licenses section, there are two settings that can be used to restrict access to detached (checked out) license seats: Max Detach Duration and Reserved Licenses.
- Max Detach Duration: The duration of the license loan can be set for any period from 1 - 9999 days. Licenses automatically expire after the specified duration. Checked out licenses can be checked back in early any time by the client, as long as the client can communicate with the key server machine. Note that licenses cannot be checked back in early from the server machine, only from the client machine.
A warning on checked out license duration: We recommend keeping the duration as short as practical, typically 1-2 weeks. This is because licenses cannot be checked back in early from the server machine, only from the client machine.
Therefore if a client computer with a checked out license seat fails, lost or stolen, you will lose access to that license seat until the specified duration runs out. For example, if you check out a license for a 30 day duration, and the client computer is stolen on day 1, you will need to wait 29 days for the check out period to expire.
If you encounter this situation and need a temporary license seat, feel free to contact the Zemax support team. Include your softkey license number (Such as L100000). Note that temporary licenses are available for 30 days or less.
- Reserved Licenses: A certain number or percentage of all available license seats can be reserved on the network and available only for check out. In the example screenshot above, we have reserved 5 licenses (or seats) out of a 15-license network soft key. This means that 5 seats are reserved only for check out (and are therefore removed from the seat count) The other 10 license seats are available for first-come, first-served basis. If you have only a few seats we recommend not reserving them to maximize availability.
If you are hosting more than one network license on a single server (for example both OpticStudio Professional and Premium) it is possible to configure different settings for each by using the “Per-Product Settings” option.
View checked out licenses
You can see which client machines have checked out a license seat for offline use. First, be sure to be logged into the license server machine. Then open the admin control center and click the Products link on the left-hand navigation. Then, locate the product you'd like to view. Look for the Detached column. Note: Depending on the version of the admin control center, the Detached column exists on the Feature page instead of Products.
If this column contains only a dash (-) for a given product, then no license seats are checked out for that product. If there is a number displayed in this column, click the number to display a list of computers that have checked out a license seat. It will also display the date the loan period will expire. .
Tip: If the number under Detached cannot be clicked, then the "detached licenses" option on the server is disabled. You will need to re-enable it by following the steps in the License check out section above.
Restarting the Sentinel LDK License Manager service
This is useful if it's not practical to restart the entire license server machine, and can be used to fix the following issues:
- The license server or client machines are not able to see the softkey license in the Zemax License Manager
- You change a configuration setting on the keyserver and it doesn't take effect after clicking "Submit".
- License check out on the client fails even if the detachable license feature is enabled on the server.
- You need to release license seats from the server that appear in the Session list but are not accessible to other users.
You may either open the Start menu, and search for services.msc, or open Control Panel > System and Security > Administrative Tools > Services. Right-click on Sentinel LDK License Manager and select Restart. It will typically take 30-60 seconds to be ready.
Frequently asked questions
I checked out a license seat for use offline. When i restarted my computer, it was no longer available in the Zemax License Manager. What happened?
This is an issue that was discovered with the licensing in OpticStudio 17, 17.5 and 18.1. The vendor of our softkey licensing released an update that was included in OpticStudio 18.4. If you need to address this without installing a newer release, you can install the latest version of the softkey runtime instead. See Resolving network license issues on client machines.
How can I enable license check-out on the key server so that my colleagues can work offline?
See the "License check out" section above. Note: License check out is only an option for network softkeys, not for Red USB network keys.
Where do I set the length of the checked-out license loan period?
See the "License check out" section above and set the number of days in "Max. Detach Duration"
What if clients get an error when checking out a license even though check out is enabled on the keyserver?
See Restart the Sentinel LDK License Manager service on the server.
Can I check a license seat back in early from the key server machine if the client machine is broken or stolen?
No. Checking in an offline license has to be done from the client machine. If the client machine is no longer available due to machine failure or theft, you will need to wait until the check out loan period expires to get the seat back. See the "License check out" section for details.
In the Zemax License Manager, the there are less than the total number of available seats I expect to see. Why?
First, check for licenses that have been checked out (detached) as well as open sessions in the "View checked out licenses" section above. If the total number of seats is still not what you expect, this means that the server has not properly released a session after OpticStudio was closed. To resolve this, follow the instructions in "Restart the Sentinel LDK License Manager" section above.
I set a password on my keyserver. Now I can't see my network license in the Zemax License Manager. What do I do?
The Zemax License Manager cannot prompt for the Admin Control Center password and therefore will not see the licenses if a password is set for "all ACC pages". This will also keep you from transferring or updating your network license through the Zemax License Manager. Visibility of the license from client machines will not be affected by a password on the server. If you want to avoid this issue, there are 2 options.
- Set a password only for "Configuration pages".
- Temporarily remove the password, do what you need to with the Zemax License Manager, then enable the password when you are done.
Where can I find additional help for the Admin Control Center?
Besides the documentation here, there is either the "Help" link on the left side of the Admin Control Center page, or you may access context-sensitive help for each section by clicking the “Help” button in the lower right corner of each page which will take you to the proper subsection of the Help index.
KA-01569
Comments
Please sign in to leave a comment.