The Eloquence license server simplifies licensing and operating
Eloquence in flexible environments, such as containers and
virtualized environments. It allows licenses to be assigned
based on a configured role rather than a system ID.
Licensed systems and roles may be changed as necessary.
Overview
The license server maintains a list of licenses, grouped into
different pools (lists), specific to a task or environment.
A server process may request a license for a specific system or task
and is then
provided with a license which includes the configured
functionality and number of users. This license is reserved for
this system and enables the respective functionality, similarly to a
file based license key.
A license is released for other use when it is no longer used.
No partial licenses are maintained; user-specific counts are
handled by the individual server process.
To use the license server functionality the eloqld server process must
be started on the license server and configured with a list of licenses,
separated in groups.
The license server is specified in the license file instead of
a license key. Also a group is specified to draw the license from.
An example would be a test system or a production system.
License keys for use with a license server are not system specific
(dependent on a SWID) but are specific to a license server. They can only
be used with the designated license server. A server based license may be
requested by any system but a separate license is required for each
concurrent system.
For simplicity, system-specific licenses (dependent on a SWID) may also
be used with a license server. These behave the same as when used in
a license file and can only be used on the specified system.
eloqld configuration overview
The eloqld server is configured with the eloqld.cfg config file
(in the Eloquence configuration directory). In
addition it requires a license pool file or directory (configured
in the eloqld.cfg file).
By default, a license pool file eloqld.pool specifies a license file
for use by the license server. It is located in the Eloquence
configuration directory.
Alternatively, license keys may also be provided in separate files
in a directory. The format is identical to a single pool file.
Any file in the configured directory is read to obtain a list of licenses.
The license pool files are read and their licenses are maintained
by the eloqld server process. The server process uses a status
file eloqld.status that is updated periodically. It is used to
restore the current status after the eloqld process was restarted.
The eloqld server process is managed the same way as the other
server processes.
The eloqld process supports an HTTP status showing the current
license pools and leases (reserved licenses).
Eloquence license file
The Eloquence license file may be used to specify a license
server as an alternative to using a license key.
The license server is then connected to obtain the license.
The following configuration options are supported:
- server=host[:service]
The server config option specifies the host name
or IP address and (optional) the service name or port number
that is used by the license server.
server=localhost
server=example.marxmeier.com:8891
The first example indicates the license server runs on the
local system. It uses the default service name eloqld.
The second example specifies a system name and port number.
- secret=password
The secret config item specifies the password that is
used by the license server. It must be specified if the server
process uses a password.
The license server connection will fail if the password does
not match.
secret=aeQu1iev
- pool=name
The pool config item defines the license pool that
is used. If not present it defaults to the host name.
pool=test
A hash sign (#) at the beginning of the line is considered a comment
and is ignored. The current implementation does not allow for spaces
around the equal sign.
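A pre-flight check for the license file format described above, as an added example (not part of the Eloquence distribution). It flags spaces around the equal sign and applies the documented defaults; the function name, the `hostname` parameter and the host name `apphost1` are assumptions made for illustration.

```python
import socket

KNOWN_KEYS = {"server", "secret", "pool"}   # options documented on this page

def parse_license_file(text, hostname=None):
    """Return (settings, problems) for a license file that names a license server."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue                      # blank line, or '#' at the start of the line
        key, sep, value = raw.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a key=value entry")
            continue
        if key != key.rstrip() or value != value.lstrip():
            problems.append(f"line {lineno}: spaces around '=' are not allowed")
        key, value = key.strip(), value.strip()
        if key not in KNOWN_KEYS:
            problems.append(f"line {lineno}: unknown option '{key}'")
            continue
        settings[key] = value
    if "server" not in settings:
        problems.append("no server= entry")
        return settings, problems
    # host[:service]; splitting on ':' assumes a host name or IPv4 address.
    host, _, service = settings["server"].partition(":")
    settings["host"] = host
    settings["service"] = service or "eloqld"   # documented default service name
    # Pool defaults to the host name (assumed here to be the local system's).
    settings.setdefault("pool", hostname or socket.gethostname())
    return settings, problems

# Constructed sample: the third line has the spacing mistake.
SAMPLE = "# license file\nserver=example.marxmeier.com:8891\nsecret = aeQu1iev\n"

if __name__ == "__main__":
    settings, problems = parse_license_file(SAMPLE, hostname="apphost1")
    print(settings["host"], settings["service"], settings["pool"], problems)
```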
The chklic utility may be used to verify the information
in the license file. It will request and then immediately
release a license and report the results.
Checking license ...
License file is "/etc/opt/eloquence/8.4/license"
System ID:
251096700793713
License server configured ...
>> server=example.marxmeier.com
>> secret=aeQu1iev
>> pool=test
** Summary **
License type : Temporary
License version : B.08.40 13 1709311191
License name : pool#1
TurboIMAGE compatibility : Available
Replication : Available
Encryption : Available
FTS compatibility : Available
Number of users : Unlimited
License expires in : 24 day(s)
...
Possible problems include a bad or non-accessible server,
a bad password or a license not available. An error message
as shown below is returned.
Unable to connect [111] Connection refused
[lconn] Unable to connect license server example:9999
Invalid license server address or inaccessible server
[lconn] ERR: Server secret not matching
A missing or bad password
Q1: [lreq] ERR: No license available (#0,no pool)
The specified license pool does not exist
Q1: [lreq] ERR: No license available (15,in use)
The license is currently in use by another system
eloqld startup configuration
The eloqld server process is managed the same way as the
other server processes.
Please note that on Linux and HP-UX a user (UID) and group (GID)
must be configured to start the eloqld process.
- Linux
-
On Linux, systemd is used to manage the eloqld server process.
The eloqld84.service systemd unit file is used.
The .service suffix may be omitted.
systemctl start eloqld84
systemctl stop eloqld84
The status can be queried with:
systemctl status eloqld84
To enable or disable automatic start and stop of the eloqld84
systemd unit:
systemctl enable eloqld84
systemctl disable eloqld84
- HP-UX
-
The eloqld is started/stopped with the /sbin/init.d/eloq84 script:
/sbin/init.d/eloq84 start eloqld
/sbin/init.d/eloq84 stop eloqld
The status can be queried with:
/sbin/init.d/eloq84 status eloqld
The START_ELOQLD configuration in the
/etc/rc.config.d/eloquence84 startup configuration file
specifies if the eloqld daemon is started and stopped automatically.
/etc/rc.config.d/eloquence84
# If START_ELOQLD is set to 1 the eloqld daemon is started
# automatically. The ELOQLD_ARGS allows to specify eloqld command
# line arguments.
#START_ELOQLD=0
#ELOQLD_ARGS=""
- Windows
-
The Windows Service Control Manager is used to start/stop the
eloqld Windows service. Alternatively, eloqld may be started/stopped
on the command line (as Administrator):
net start eloqld
net stop eloqld
The Windows Service Control Manager may be used to configure the
eloqld Windows service to start/stop automatically and to use an
account different from SYSTEM.
The status can be checked in the configured LogFile or with the
Windows Event Viewer (expand the Windows Logs folder and select
the Application event log).
The eloqld.cfg configuration file
The eloqld.cfg configuration file defines eloqld configuration.
It is read when the eloqld process is started.
The config file has multiple sections enclosed in square brackets.
Section names are not case sensitive. String values can be enclosed
in double quotes to protect leading or trailing spaces.
An unquoted hash character (#) starts a comment.
Server configuration [server]
- Service
-
The service name (as defined in /etc/services)
or the port number where the server should listen
for requests. The default value is eloqld.
A suffix /4, /6, or /46 may be used for establishing IPv4
only, IPv6 (with implied IPv4) or separate IPv4 and IPv6
listening sockets. By default, separate IPv4 and IPv6
sockets are used.
For example: eloqld/46
- ServiceHttp
-
The service name (as defined in /etc/services)
or the port number where the server should listen
for HTTP requests.
If neither ServiceHttp nor ServiceHttps
are specified, the HTTP/HTTPS status is disabled.
A suffix may specify support of the IPv4 and IPv6 protocol.
By default, separate IPv4 and IPv6 sockets are used.
- ServiceHttps
-
The service name (as defined in /etc/services)
or the port number where the server should listen
for HTTPS (secure HTTP) requests.
If neither ServiceHttp nor ServiceHttps
are specified, the HTTP/HTTPS status is disabled.
Enabling the secure HTTP protocol requires that TLS is configured
(see TLSCertChainFile
and TLSCertKeyFile).
A suffix may specify support of the IPv4 and IPv6 protocol.
By default, separate IPv4 and IPv6 sockets are used.
- TLSCertChainFile
-
Absolute path to a file in PEM format containing
the server certificate and optionally any additional
intermediate certificates which represent the chain
up to the root certificate.
The certificates in this file must be sorted in the
verification order, starting with the server certificate.
The file may in addition contain the private key
associated with the server certificate, in which case
the TLSCertKeyFile
configuration may be omitted.
Note: TLS (Transport Layer Security) configuration is required
to enable the HTTPS (secure HTTP) status (see
ServiceHttps above).
To enable HTTPS, a server certificate is needed for the eloqld
host name. Web browsers require a certificate which is issued
by a known authority. Using a self-signed certificate typically
requires configuring each browser that is used to access the
HTTPS status.
- TLSCertKeyFile
-
Absolute path to a file in PEM format containing
the private key associated with the server certificate.
If this key is contained in the
TLSCertChainFile
configuring TLSCertKeyFile is not necessary.
- UID (HP-UX and Linux)
-
The name (or numeric id) of the account used by the eloqld
process when started as root.
Please note, that the server will refuse to start
as root unless UID and GID are valid.
- GID (HP-UX, Linux)
-
The name (or numeric id) of the group used by the eloqld
process when started as root.
Please note, that the server will refuse to start
as root unless UID and GID are valid.
- LogFile
-
This defines where log messages are written to.
This configuration value either specifies a path/file
or one of the keywords below:
- console - log messages are written to the console
- syslog - log messages will be sent to the
syslog daemon (HP-UX, Linux) or the Windows Event Log.
The default value is "syslog".
- SysIdent (HP-UX, Linux)
SysFacility (HP-UX, Linux)
-
When logging to the syslog daemon, these config items may be used
to define a syslog identifier and facility.
Supported facility values are: USER/DAEMON/LOCAL0..LOCAL7.
The default syslog identifier is "eloqld".
The default syslog facility is "USER".
Please refer to syslogd(1M) for more information.
SysIdent = eloqld
SysFacility = USER
- LogFlags
-
Each log message has an associated origin and severity.
The log flags define which messages are logged.
The "*" origin matches all message origins, so it can
be used to setup a default which can be overridden
for a specific message origin (e.g. "*1N0").
The default LogFlags are "*0".
The following origins are in use:
- * = All origins
- A = Address filter
- C = Configuration subsystem
- H = HTTP requests
- N = Network transport
- S = Server framework
- T = Thread kernel
- L = License parsing
- P = Protocol
The following severities are in use:
- 0 = error messages
- 1 = information
- 2 = debug
- 3 = verbose debug
When using syslog, the following priorities
are mapped:
- 0 = LOG_ERR
- 1 = LOG_NOTICE
- 2 = LOG_DEBUG
- 3 = LOG_DEBUG
Enabling log messages with debug or verbose debug severity
may result in a large number of log messages.
Set LogFlags = *0 to enable fatal messages only.
Set LogFlags = *1 to enable regular log messages,
or *1H0 to suppress HTTP protocol status messages.
Set LogFlags = *1S2 to enable more detailed connection
and disconnection messages.
- StatusFile
-
Specifies the name of a file that is used to restore the eloqld
server process status after a restart.
It is updated continuously while the eloqld process is active
and read on server startup.
The default is: eloqld.status
HP-UX and Linux:
StatusFile may either specify a file name (relative to /var/tmp)
or an absolute file name.
- HTTPUser
-
If set, the eloqld HTTP status display will require a
matching user name (HTTP basic authentication) before
allowing access to the eloqld HTTP status. The default value
is empty.
- HTTPPswd
-
If set, the eloqld HTTP status display will require a
matching password (HTTP basic authentication) before allowing
access to the eloqld HTTP status. The default value is empty.
- Allow|Deny
-
The Allow or Deny config item may be used to allow or deny license
requests based on the client network address.
Allow/Deny argument syntax:
{ All | hostname |ip-address [/{addrbits|netmask}] }
- Multiple Allow/Deny entries are recognized and combined.
- hostname is the name of a host or network that is resolved
into one or more ip addresses.
- ip-address is either an IPv4 or IPv6 address.
- An IPv6 address, enclosed in square brackets, such
as [::1]. The addrbits option may be used to specify
the number of relevant bits in the IP address.
- An IPv4 address, such as 127.0.0.1. The addrbits option
may be used to specify the number of relevant bits in the
IP address. The netmask option allows specifying an IPv4
network mask, such as 255.255.255.0.
If neither Allow nor Deny are configured,
connections are allowed from all network addresses
(implied Allow=All).
If Allow and/or Deny are configured,
connections are denied unless specifically allowed
(implied Deny=All).
For example:
allow = localhost
allow = 10.64.71.0/24
- AllowHttp|DenyHttp
AllowHttps|DenyHttps
-
The AllowHTTP(s) or DenyHTTP(s) config items may be used to allow or deny
HTTP or HTTPS access to the license server status based on the
client network address.
Server Limits [limits]
- WorkerThreads
-
Sets the number of worker threads. A higher setting
allows for more parallel activity. The default is: 2
- MessageTimeout
-
This config item specifies the time in seconds a connection waits
before it is closed. The default is: 30 (seconds)
- HTTPKeepAlive
-
If nonzero, the HTTP persistent connection mode is enabled
so that the web browser may use a single connection for
multiple requests. This typically speeds up page loading
because it minimizes the overhead required to establish new
connections and, in case of HTTPS,
process the TLS handshake. The default is: 15 (seconds)
- RateBlock
RateResume
-
Connection rate limiting is a defense against DoS (Denial of Service)
attacks. The number of new connection attempts per second is monitored.
If it reaches or exceeds the configured RateBlock limit, new
connections are refused until the rate drops to RateResume at most.
The defaults are: RateBlock=500 and RateResume=50
License Pool [pool]
- LicenseFile
-
Specifies a file name (relative to the Eloquence config directory)
or an absolute name and path of a file. This file is read on eloqld
startup and provides a list of licenses organized in sections.
The default is eloqld.pool
LicenseFile = eloqld.pool
- LicenseDir
-
Specifies a directory name (relative to the Eloquence config directory)
or an absolute path of a directory. Any files in this directory are
read on eloqld startup and provide files to hold licenses organized in
sections. This is not set by default.
- Secret
-
Specifies a password that is shared by the server and client.
If present a connection can only succeed if the secret is matching.
secret = aeQu1iev
- Renew
-
Specifies the default timeout (in seconds) after which a license
is considered unused. A leased license is periodically renewed
to indicate its continued use.
The default timeout is 4 hours (14400 seconds).
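A configuration review for the [server] and [pool] settings described above, as an added example (not code shipped with Eloquence). It parses eloqld.cfg by the stated rules (bracketed sections, double-quoted strings, unquoted # comments) and reports settings that leave the license service or the HTTP status open. The function names and the sample values are assumptions, as is treating config item names as case-insensitive.

```python
import re

def parse_cfg(text):
    """Parse eloqld.cfg text into {section: {key: [values]}}, names lower-cased."""
    cfg, section = {}, None
    for raw in text.splitlines():
        # Cut an unquoted '#' comment; a '#' inside double quotes is kept.
        line = re.sub(r'^((?:[^"#]|"[^"]*")*)#.*$', r"\1", raw).strip()
        if line.startswith("[") and line.endswith("]"):
            section = cfg.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]      # quotes protect leading/trailing spaces
            section.setdefault(key.strip().lower(), []).append(value)
    return cfg

def audit(cfg):
    """Return findings for settings that leave the license server exposed."""
    server, pool = cfg.get("server", {}), cfg.get("pool", {})
    def last(sec, key):
        return (sec.get(key) or [""])[-1]
    out = []
    if not last(pool, "secret"):
        out.append("[pool] Secret is not set, clients connect without a password")
    if not (server.get("allow") or server.get("deny")):
        out.append("[server] no Allow/Deny entry, implied Allow=All for license requests")
    http, https = last(server, "servicehttp"), last(server, "servicehttps")
    if http or https:
        auth = bool(last(server, "httpuser") and last(server, "httppswd"))
        if not auth:
            out.append("[server] HTTP status enabled without HTTPUser/HTTPPswd")
        if http and auth:
            out.append("[server] ServiceHttp carries the basic-auth password unencrypted")
        if https and not last(server, "tlscertchainfile"):
            out.append("[server] ServiceHttps set but TLSCertChainFile is missing")
        if not any(server.get(k) for k in
                   ("allowhttp", "denyhttp", "allowhttps", "denyhttps")):
            out.append("[server] no AllowHttp(s)/DenyHttp(s) entry for the status page")
    return out

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
[Server]
ServiceHttp = 8892      # status page over plain HTTP
HTTPUser = admin
HTTPPswd = "s3cr#t "
[pool]
LicenseFile = eloqld.pool
"""

if __name__ == "__main__":
    print(*audit(parse_cfg(SAMPLE)), sep="\n")
```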
License pool file
A license pool file specifies the licenses available to the
eloqld server, organized in sections (in square brackets).
A single license pool file may be specified in the eloqld configuration
with the LicenseFile configuration item
(eloqld.pool).
Alternatively, a directory holding license pool files may be
specified with the LicenseDir
configuration item.
The example below specifies the pool "test" with 2 licenses
and the pool "beta" with one license:
[test]
ELOQ B.08.40 id=13 type=server name="pool#1"
opt=hp3k,repl,enc,ftc users=unlimited server=145588981027104
valid-from=2024-01-01 valid-to=2024-03-31
seq=1709311191 valid=9df49eff2d8f5fd42cb3f6eba3c87441
ELOQ B.08.40 id=14 type=server name="pool#2"
opt=hp3k,repl,enc,ftc users=unlimited server=145588981027104
valid-from=2024-01-01 valid-to=2024-03-31
seq=1709311250 valid=a9307bc33f20dcd65f25efc72bbcb602
[beta]
ELOQ B.08.40 id=1 type=temp name="EQ beta test"
opt=hp3k,repl,enc,ftc users=unlimited
valid-from=2023-11-22 valid-to=2024-03-31
seq=1706217850 valid=156a05f877b824b69c5b0dea4fa08118
Any license pool files are read and their licenses are maintained by the
eloqld server process.
A single license key can only be specified once and can only belong
to a single pool section.
Any subsequent occurrence is ignored. A license key is defined by
the product (ELOQ) and the license key id (id=).
If different versions of a license key are present (e.g. different
product versions), only the most recent version is used; older versions
are ignored.
A license key is usually specific to a license server and then specifies
the SWID of the applicable license server (server=).
Typically license keys managed by a license server are not
system specific but for convenience any licenses may be added to
a license server.
When reading a license pool file the following problems
are logged in the message log.
- Invalid license entry
- Invalid or corrupted license key
- Unsupported product or version
- License not applicable to this server.
- The license key specifies a server swid that does not match this server
- License may only be used with a swid
- The license type must either specify a swid or an expiration date
to be used with a license server.
- License may only be used with a server id
- The license type must either specify a license server id or an
expiration date to be used with a license server.
- License not yet active
- The license specifies a start date that is not yet reached.
- License expired
- The license specifies an expiration date that has passed.
- License expires in ## days
- This is a note that the license specifies an expiration date and
will expire.
- Duplicate license entry
- A duplicate license key is ignored. This message is only logged
if a newer (or same) license key version was already encountered.
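An offline check of a pool file before eloqld reads it, as an added example (not the eloqld implementation). It reports repeated license keys, server id mismatches and validity dates using the message names listed above. It does not verify the valid= field and flags any repeated product/id pair regardless of version. The `warn_days` threshold, the function names, and reading an entry as whitespace-separated fields starting at ELOQ are assumptions.

```python
import shlex
from datetime import date

def parse_pool(text):
    """Return license dicts; an entry starts at the product token ELOQ."""
    licenses, pool, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            pool, cur = line[1:-1].strip(), None     # new pool section
            continue
        for tok in shlex.split(line):                # keeps name="EQ beta test" whole
            if tok == "ELOQ":
                cur = {"product": tok, "pool": pool}
                licenses.append(cur)
            elif cur is not None:
                key, sep, val = tok.partition("=")
                cur[key if sep else "version"] = val if sep else tok
    return licenses

def check_pool(text, today, server_swid=None, warn_days=30):
    """Return (pool, id, message) tuples named after the problems eloqld logs."""
    notes, seen = [], {}
    for lic in parse_pool(text):
        where = (lic["pool"], lic.get("id"))
        key = (lic["product"], lic.get("id"))        # what identifies a license key
        if key in seen:
            notes.append(where + (f"Duplicate license entry (first in [{seen[key]}])",))
            continue
        seen[key] = lic["pool"]
        if server_swid and lic.get("server") not in (None, server_swid):
            notes.append(where + ("License not applicable to this server",))
        if "valid-from" in lic and date.fromisoformat(lic["valid-from"]) > today:
            notes.append(where + ("License not yet active",))
        if "valid-to" in lic:
            # Assumption: the valid-to day itself still counts as valid.
            left = (date.fromisoformat(lic["valid-to"]) - today).days
            if left < 0:
                notes.append(where + ("License expired",))
            elif left <= warn_days:
                notes.append(where + (f"License expires in {left} days",))
    return notes

# Constructed sample: made-up server id, seq= and valid= fields left out.
SAMPLE = """\
[test]
ELOQ B.08.40 id=13 type=server name="pool#1"
  users=unlimited server=111111111111111
  valid-from=2024-01-01 valid-to=2024-03-31
[beta]
ELOQ B.08.40 id=1 type=temp name="EQ beta test" valid-from=2023-11-22 valid-to=2024-03-31
ELOQ B.08.40 id=13 type=server name="pool#1 copy"
"""
```

Calling `check_pool(SAMPLE, date(2024, 3, 7))` returns two expiry notes and one duplicate note for the sample.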