# How do I monitor and control usage of the network license?

Authored By Alissa Wilczynski

## Before getting started

Before proceeding with this article, you need to complete the steps to setup the network license on the keyserver. For instructions on how to do this, see "How to configure the keyserver and clients for Zemax network licenses."

Also note that this article only applies to softkey and Red USB network licenses. If you have a Black USB network license (license numbers 22000-40999), refer to "Monitor and log usage of the Black USB network license."

## Introducing the Sentinel Admin Control Center

The Sentinel Admin Control Center on your network license server contains all the advanced settings to secure, control and monitor the network license and client machines. By default, this Sentinel Admin Control Center (ACC) page is accessible from any client machine as well as the server machine, unless you restrict remote admin access or set a password. The options to secure the server are covered below.

To get started with configuration, on the keyserver machine hosting the network license, open the Zemax License Manager (ZLM) from Windows Start...Zemax License Manager. Then select Launch Sentinel Admin Control Center. For versions of the ZLM dated November 2018 or earlier, this is located at the top of the window. For versions of the ZLM dated June 2019 or later, this is located under the "Troubleshoot" section. Note: You can also open a browser window on the server machine and go to http://localhost:1947.

Click on Sentinel Keys. This page shows all available licenses found on this machine and elsewhere on your network. Licenses with "Location: Local” are hosted on this machine. Licenses hosted on other machines will show the "Location: XXXXXX," where "XXXXXX" is the computer name. You can click on the computer name to open the Admin Control Center on other machines (if permissions on those machines allow).

Note: Zemax licenses are listed as "Vendor: 114811." If you have Sentinel licenses from other vendors, they will be listed with a different Vendor number.

For the local machine, you can then select Features, under either Actions of from the left-hand navigation pane. The Features page will tell you details about each license, including the total number of seats available under "Limit" (in the screenshot below, the Limit is 5) and the type of Zemax license under "Product" and "Feature." This example is a Professional Edition OpticStudio Network license.

This section has provided an overview of the general UI and functionality in the Sentinel Admin Control Center. The following sections will describe more specific functionality.

## Configuration settings

This section provides a more detailed discussion of the most important settings in the Sentinel Admin Control Center (ACC). These include allowing remote access, setting a password. Each section below will refer to the following image describing different regions of the ACC.

### Allow remote access

Removing the check from this box will only disallow remote access to the Sentinel Admin Control Center on the server. It does NOT keep users from accessing installed licenses.

Tip: To confirm that removing the checkmark from "Allow Remote Access" is set, try to access the server's Sentinel Admin Control Center page from another machine. Substitute the machine name for "localhost", so it would be something like http://servername:1947 .You will get a "403: Forbidden" error.

1. After submitting the new password, you will get an authentication popup to enter the new password. Leave the User Name field empty, as there is no username required. Type the new password you just set and you will get logged back in to the Admin Control Center.

1. If you need to remove the password, just click Change Password again. You will be prompted for the current password. Just leave both New and Re-enter Admin Password fields blank and Submit. If you do not have or forgot the current password, move the to next section of this article.

If you forget the password you set, it can be removed. To do so:

1. Using Notepad, open the file "hasplm.ini" located in C:\Program Files (x86)\Common Files\Aladdin Shared\HASP folder.
2. Delete the encrypted password (everything after the equals sign) on the line adminpassword. Re-save the file. You will need administrator rights to do so.

1. Restart the Sentinel LDK License Manager servive using the instructions below.

## Log errors

Basic access and error logs are available so you can see any errors with loading the licensing service, accessing the license from clients, and license activation or transfer issues.

To begin logging errors, navigate to Configuration...Basic Settings and select Write an error log file.We suggest you do not check this box unless directed by Zemax support when troubleshooting an issue. To limit the size of the log files you can set a size limit. When the log file reaches the size specified (0 - 9999 KB) in Size Limit, the file is closed and a new log file is started. If Size Limit is set to 0, the log file is never closed.

To view the error log file, it is a text file called error_114811.log located in C:\Program Files (x86)\Common files\Alladin Shared\HASP

## View active sessions

Select Sessions along the left-hand navigation to see each license seat in active use. From here, you can see each current user’s ID, IP Address, machine name, and login time. There is also a Disconnect option but OpticStudio will not release a license seat unless the end-user closes the application.

Note: The sessions list does not include detached/checked-out licenses in use by client machines. See the section "View checked out licenses" to view information on checked-out licenses.

## Restrict users

In this section, we discuss how to allow or deny access to the license from specific users on the local network. The default with no rules set is to allow all users access to the network license.

NOTE that if you are using a subscription license that requires the "end users" login to access the license that list supercedes this one.

See the section "Restricting client machine license access" for details on how to restrict license access for specific client machines.

Click Show Recent Users to display a list of users who have recently accessed licenses on this machine. From the popup window that appears, you can explicitly select to block or allow users individually "on the fly" so you don't have to add them to the "User Restrictions" list manually.

You can also combine user and machine rules (like allow certain users only from a certain machine access to a license) by replacing @all with the IP address or machine name. Further details on rules are available on the Configuring User Settings page in the ACC.

• The username is based on the Windows username. To verify the format of the username, click the Show Recent Users button.
• The list of rules is processed from top to bottom (similar to Apache and other products).
• Note that allow=all@all will automatically be the added as the last item on the list. If you want to restrict all users except certain ones, just make sure deny=all is at the bottom of the list, but above allow=all@all like Example B below.
• These rules are shared by all Sentinel Licensed products you have installed on the machine. For example, if you have both OpticStudio Pro and Premium network licenses, you cannot block users from one or the other. You would need to move one license to another machine or VM then set rules on that machine**.

Also, note that you can add rules so only certain users or computers can access certain products. This eliminates the need to host licenses on different servers if you want to have separate rules for each. This feature was added as of the Sentinel LDK Runtime 7.60. Check the diagnostics page of the Admin Control Center to see the runtime version you currently have installed. The 7.60 LDK release (or newer) is included with the Zemax License Manager and Opticstudio in versions dated May 2018 or later (OpticStudio 18.4). If you want access to this Sentinel LDK feature with an earlier version of the ZLM or OpticStudio, you may install the latest Sentinel LDK runtime separately. Refer to "How to troubleshoot softkey license issues" for instructions.

1. In the ACC, navigate to Features and identify the desired Product or Key ID from the list. Note: we recommend using Product rather than Key ID, as the Key ID field will change after a license replacement.
2. After noting the Product or Key ID, navigate to Configuration...Users.

Tip: If you want to verify what the usernames are, click Show Recent Users. It will give you a list of those who accessed the license in the last 24 hours or so.
Tip: Before beginning, be sure to add a rule to allow the server access to the license. This ensures the Zemax License Manager can see and transfer it properly. To do so, include the following line as the first rule on the list and submit it. Replace SERVERNAME with the actual name of the machine listed at the top of the Admin Control Center.

allow=all@SERVERNAME

Three examples of the syntax required for this process are outlined below:

allow=all@all
deny=user1@all deny=user2@all deny=user3@all

1. Allow only user1, user2, and user3 access to licenses. Notice the "deny=all@all" after the list of users and before "allow=all@all".

allow=user1@all
allow=user2@all allow=user3@all
deny=all@all allow=all@all

​​​​deny=USER1,product:21,key:410177719861922512

deny=all@COMPUTER1,product:21,key:1410177719861922512

1. Press Submit when you are finished.

## Restrict client machines

In this section, we discuss how to allow or deny access to the license from specific client machines on the local network. The default with no rules set is to allow all client machines access to the network license. See the section "Restricting user license access" for details on how to restrict license access for specific users.

Before getting started, note that Allow Access from Remote Clients must remain checked on the keyserver machine, or clients will not be able to see the license on the server.

You can also restrict certain computers from using the license. Click Show Recent Client Access to display a list of users who have recently accessed licenses on this machine. You can block or allow machines "on the fly". That way you don't have to add them to the "Access Restrictions" list manually.

• You can use either an IP address or computer name. We recommend using the computer name as IP addresses are generally dynamic and may change.
• These rules are shared by all Sentinel Licenses you have installed on the machine. For example, if you have both OpticStudio Pro and Premium network licenses, you cannot block computers from one or the other. You would need to move one license to another machine or VM then set rules on that machine.
• The list of rules is processed from top to bottom (similar to Apache and other products).
• Note that allow=all@all will automatically be the added as the last item on the list. If you want to restrict all users except certain ones, just make sure deny=all is above allow=all@all like Example 2 below.

To set the rules manually, the rules are similar to the above "Users" settings page. Examples are below. See the Configuring Access from Remote Clients page in the ACC for other details.

1. Allow all machines except the 5 machines listed to use the license.

1. Allow only the 5 machines listed access to the license. Notice the deny=all is after the list of users and before "allow=all@all".

Sentinel Admin Control Center logging is available but is limited in the information it tracks. It makes a simple text file based on about 20 predefined parameters. Basic access logs let you see how many sessions have been open at once in the past as well as checked out license seats.

TIP: If you would like to see more detailed license usage over time using a third party utility, I recommend following the article Monitoring concurrent users to track network license utilization instead.

To enable basic logs of usage of the Zemax License from client machines follow these steps:

1. Check the Write an Access Log File box. To limit the size of the log files you can set a size limit. When the log file reaches the size specified (0 - 9999 KB) in Size Limit, the file is closed and a new log file is started. If Size Limit is set to 0, the log file is never closed.
2. Check the Include Remote Requests box. This is what enables logging usage of the license seats from client machines.

The following optional check boxes are available:

• Include Local Requests: Logs license requests from the current machine (Normally not useful for servers, unless you also run your Zemax application on the server)
• Include Administration Requests: Logs requests made to Sentinel License Manager by Admin Control Center (no license information is tracked). The admin requests are logged with [ACC] or [SRM] prefixes in the log file.
1. Click Submit at the bottom of the page.
2. Click the Edit Log Parameters button to configure the formatting and set the information you want to log. See the ACC Edit Log Parameters page for details on how to format the log files. Note: I recommend including commas in between each parameter of the "log parameters" page if you want the file to be saved in a format that you can open with Excel or other software.

The log files are text files and so can be opened with Notepad or similar editors. To view the access log, it is stored with the filename access.log in one of the following folders:

• ..\Program Files (X86)\common files\aladdin shared\HASP\log (if Write Log Files Daily is checked)
• ..\Program Files (X86)\common files\aladdin shared\HASP\ (if Write Log Files Daily is not checked)

This section will describe how to manage license seat check out settings on the keyserver machine. For details on the check out process for client machines, refer to "How to configure the keyserver and clients for OpticStudio network licenses."

Softkeys are able to permit license check-out on a client machine, which allows the client to remove a seat from the network key. It will be hosted on the local machine for a limited loan period. During this loan period, the client machine can be taken offline while maintaining access to its license seat. Note that client machines do not need any configuration to use this feature, it is built in to the Zemax License Manager. To maximize the availability of seats, we recommend clients not check out a license seat unless they have a specific need to use it offline or dedicate a seat for a period of time.

Note: This feature is for softkey licenses only. Red USB network keys are not capable of license check out.

By default, when the license is initially activated on the keyserver, license check-out is disabled. To enable the check out functionality on the server, navigate to Configuration...Detachable Licenses and check Enable Detaching of Licenses.

In the Detachable Licenses section, there are two settings that can be used to restrict access to detached (checked out) license seats: Max Detach Duration and Reserved Licenses.

• Max Detach Duration: The duration of the license loan can be set for any period from 1 - 9999 days. Licenses automatically expire after the specified duration. Checked out licenses can be checked back in early any time by the client, as long as the client can communicate with the key server machine. Note that licenses cannot be checked back in early from the server machine, only from the client machine.

Tip: We recommend keeping the duration as short as practical. We suggest 1-2 weeks. If a client computer with a checked out license seat fails, lost or stolen, you will lose access to that license seat until the specified duration runs out. For example, if you check out a license for a 30 day duration, and the client computer is stolen on day 1, you will need to wait 29 days for the check out period to expire. If you encounter this situation, and need a temporary license seat, feel free to contact the Zemax support team. Include your softkey license number (Such as L100000). Note that temporary licenses are available for 30 days or less.

• Reserved Licenses: A certain number or percentage of all available license seats can be reserved on the network and made unavailable for check out.  In the example screenshot below, we have reserved 5 licenses (or seats) on a 15-license network soft key. This means that 10 licenses could be checked out to individual client machines for offline use, but 5 licenses would only be available on a first-come, first-served basis.  If you are hosting more than one network license on a single server (for example both OpticStudio Professional and Premium) it is possible to configure different settings for each by using the “Per-Product Settings” option.

Tip: If you have more than one Zemax network license on the server, select the "Per Product Settings" button on the right. You may configure different detachable license settings for each license.

If you'd like to see which client machines have checked out a license seat for offline use, first click the Products link on the left-hand navigation. Then, locate the product you'd like to view. Look for the Detached column.

If this column contains only a dash (-) for a given product, then no license seats are checked out for that product. If there is a number displayed in this column, click the number to display a list of computers that have checked out a license seat. It will also display the date the loan period will expire. .

## Restarting the Sentinel LDK License Manager service

This is useful if it's not practical to restart the entire license server machine, and can be used to fix the following issues:

• The license server or client machines are not able to see the softkey license in the Zemax License Manager
• You change a configuration setting on the keyserver and it doesn't take effect after clicking "Submit".
• License check out on the client fails even if the detachable license feature is enabled on the server.
• You need to release license seats from the server that appear in the session list but are not accessible to other users.

You may either open the Start menu, and search for services.msc, or open Control Panel > System and Security > Administrative Tools > Services. Right-click on Sentinel LDK License Manager and select Restart. It will typically take 30-60 seconds to be ready.

I checked out a license seat for use offline. When i restarted my computer, it was no longer available in the Zemax License Manager. What happened?

This is an issue that was discovered with the licensing in OpticStudio 17, 17.5 and 18.1. The vendor of our softkey licensing released an update that was included in OpticStudio 18.4. If you need to address this without installing a newer release, you can install the latest version of the softkey runtime instead. See Resolving network license issues on client machines.

How can I enable license check-out on the key server so that my colleagues can work offline?

See the "License check out" section above. Note: License check out is only an option for network softkeys, not for Red USB network keys.

Where do I set the length of the checked-out license loan period?

See the "License check out" section above and set the number of days in "Max. Detach Duration"

What if clients get an error when checking out a license even though check out is enabled on the keyserver?

See Restart the Sentinel LDK License Manager service on the server.

How can I keep X seats reserved for first-come, first-serve use while allowing the others to be checked-out?

See the "License check out" section above. You may set a fixed number (X) or a percentage of all licenses to keep locked in the general license pool, unavailable for check-out.

Can I check a license seat back in early from the key server machine if the client machine is broken or stolen?

No. Checking in an offline license has to be done from the client machine. If the client machine is no longer available due to machine failure or theft, you will need to wait until the check out loan period expires to get the seat back. See the "License check out" section for details.

In the Zemax License Manager, the there are less than the total number of available seats I expect to see. Why?

First, check for licenses that have been checked out (detached) as well as open sessions in the "View checked out licenses" section above. If the total number of seats is still not what you expect, this means that the server has not properly released a session after OpticStudio was closed. To resolve this, follow the instructions in "Restart the Sentinel LDK License Manager" section above.

I set a password on my keyserver. Now I can't see my network license in the Zemax License Manager.  What do I do?

The Zemax License Manager cannot prompt for the Admin Control Center password and therefore will not see the licenses if a password is set for "all ACC pages". This will also keep you from transferring or updating your network license through the Zemax License Manager. Visibility of the license from client machines will not be affected by a password on the server. If you want to avoid this issue, there are 2 options.

1. Set a password only for "Configuration pages".
2. Temporarily remove the password, do what you need to with the Zemax License Manager, then enable the password when you are done.

Besides the documentation here, there is either the "Help" link on the left side of the Admin Control Center page, or you may access context-sensitive help for each section by clicking the “Help” button in the lower right corner of each page which will take you to the proper subsection of the Help index.

KA-01569