License Manager for 1C in a virtual environment + monitoring in Zabbix
- From the sandbox
- Tutorial
In many companies, 1C is used as the main automation platform. So it happened with us. However, the process of establishing the platform was carried out without a proper approach, in connection with which we first had 5 security keys for 95 licenses, then 3 more physical keys appeared to provide another 50 client licenses for 3 legal entities. The situation is stupid, since each key normally requires a separate host, and the number of suitable servers has become smaller, and the looming increase in the number of users and, therefore, the purchase of new keys made me think about an alternative solution that avoids unnecessary information load on our servers and generally make the key system more flexible and, preferably, more stable.System selection
Virtualization system
As a visualization system, esxi 5.1 was chosen. Selected for good support for transferring USB devices, and because in addition to ESX, I understand only Hyper-V, which does not support transferring devices. To transfer USB devices to ESX, the guest system hardware must be at least version 7. Then it will be possible to add a USB controller and map the USB device to the guest system. There is still a moment about support. Officially, VMware only supports a specific list of devices. And it’s not very big. However, Aladdin common security keys seem to be supported. The list of supported devices is on the official site here . A description of the requirements and provisions for the transfer of USB to the guest system is also on the official website, in the knowledge base here.
There are alternative ways of transferring USB keys to the virtual environment, and to the physical one too. These are devices and software called USB over IP. Software products in this case are not very interesting to consider, but hardware in this case shows themselves quite well. The brightest representative, everyone knows AnywhereUSB with 14 ports. It is installed in a rack, has two interfaces and two power inputs (does it really have two power supplies, I don’t know :)). The device is good for everyone, but costs an average of 60 thousand rubles, which did not fit our budget well. So, after tests and trials, the virtualization platform was chosen and abandoned the use of other products.
HASP operating system and drivers
I chose Debian as the OS. Why? Just because. In fact, in this configuration, you can take any favorite distribution. But I always like Debian for stability and a good repository. As drivers, a fairly popular package from Etersoft is taken . You can get the compiled package for your distribution on the company's FTP server: ftp.etersoft.ru/pub/Etersoft/HASP/stable .
After installing the package, a service appears
haspdthat controls the operation of the key.Setup and Verification
All this does not require any additional configuration. The key starts to work almost out of the box.
We check. To test the performance, the kit includes a program
haspdemo. If the key is successfully identified and the work starts, the program will output something like this to the console:This is a simple demo program for the HASP4 key
Copyright © Aladdin Knowledge Systems Ltd.
LOCALHASP_ISHASP: Result: 1
Using Passwords 15213 - 28875
LOCALHASP_HASPSTATUS: API version number is 8.0
port number 201
Key type: HASP4 M4
LOCALHASP_HASPGENERATION: OK, HASP4 is connected.
LOCALHASP_HASPNETSTATUS: connected key is HASP4 Net 20
MEMOHASP_HASPID: 436444258 (decimal), 0x1a039c62 (hex)
LOCALHASP_ENCODEDATA: OK.
53 C1 F1 AF | EC 16 C3 15 | 35 31 E4 7F | 9B D0 90 9F [S ....... 51 ....]
AA BA 8C 80 | 1E 22 29 E2 | 92 7E 04 56 | DA 70 7B 63 [..... ") .. ~ .Vp {c]
23 B4 9B E6 | 2F 17 | | [# ... /.]
NETHASP_READBLOCK: Failed: Return status: 10
Main field:
LOCALHASP_ISHASP : Result: 1. Informing that everything is in order. It is further written about which key is inserted. However, if there is any problem, the message is displayed shorter:
This is a simple demo program for the HASP4 key
Copyright © Aladdin Knowledge Systems Ltd.
LOCALHASP_ISHASP: Failed: status = -100
Moreover, in fact, it doesn’t matter what happens to the key, it may not be inserted, the service may not start, or something else. I have only seen two meanings
LOCALHASP_ISHASP. Это либо : Result: 1, either : Failed: status = -100. And the last always corresponded to inoperability, and the first always meant that everything is OK. I did not find the documentation for this package, so I could not find out what other statuses there were. We figured out the key. We must not forget that in the key monitor your newly made key will appear only when at least one license has been taken from it. Then aladdin monitor will show the information that it usually shows: this is the type of key, number of licenses taken, total licenses, who exactly took the license and timeout.
Forcing this is quite simple, just specify the new license manager in the client nethasp.ini with your hands. But about setting up the client a little later.
From this moment, the initial task can be considered completed. Now we can create several virtual machines in parallel, in an amount corresponding to the number of available physical keys. Such virtual machines consume resources, naturally, cheap.
Problems and Solutions
Single point of failure
The first problem that is created and in plain sight is the creation of a point of failure. If before that the keys were distributed to different servers and the failure of more than one key is practically eliminated, then in this case the failure of the physical server can lead to the failure of the entire 1C system, because Clients will fall off within, in my opinion, 600 seconds and after a short time all will fall off and will not be able to return to the system. What follows such an incident can not be told. There are two solutions and are directed in a different direction. The first solution is to use a fail-safe ESX configuration. However, it is advisable if your system has already been deployed and a number of requirements have already been met to maintain operability in the event of failure of any component. Another solution is more trivial:
We create group A records in our company's DNS. For example, key1, key2, key3 and so on. Add DNS names to nethasp.ini clients, distribute the file using Group Policy. Thus we get a fairly flexible access structure. In this case, after detecting a significant problem with the esx virtual server, you can quickly move the keys to any other servers, including to workstations of any employees. At the same time, we replace A records with new ones. For some time, the cache on the clients will end and they will again be able to take on a new license and continue to work.
I recommend registering reverse DNS records for the keys, otherwise aladdin monitor will not show the host name, but only the license manager ID will show, which is not very convenient.
If your company and everything use the broadcast method of key delivery, then everything is simplified and when you move the key to another host within the broadcast domain, it will not affect the work.
Keys fall off
There is such a fairly common problem. Keys fall off. Moreover, no particular connection was noticed. This happens on different controllers, even on different host systems. When I transferred the keys and temporarily placed them elsewhere under VMware Player, the keys were rolled off often. It is expressed quite trivially. When prompted
haspdemo, a line appears LOCALHASP_ISHASP : Failed: status = -100. Although the key is inserted and detected. dmsegshows incomplete lines:usb 2-2.1: usbfs: USBDEVFS_CONTROL failed cmd aksusbd rqt 192 rq 139 len 8 ret -110The problem is solved as trivially as it looks - by restarting the service. But the precipitate remains and until this is done, the server will not distribute the keys. Since I wanted the system to work flawlessly, it was decided to write a script that would restore the work of the license manager itself. So, with the help of a friend, a script was written that launches
haspdemoand tries to understand whether the normal status is returned or not: [ "`haspdemo | sed -n 's/^LOCALHASP_ISHASP.* \(\-\?[0-9]*\)$/\1/p'`" == "-100" ] && service haspd restartNext, this script is inserted into the CRON launch every minute and that's it. Even if the problem of falling off ports is not observed on your system, this script, I think, will not hurt.
Client key discovery problem
And there is such a problem. It consists in the fact that the client after losing the key may not want to take a new key. This problem can also be expressed in other manifestations. For example, if you replaced the key paths in the nethasp.ini file, then the client application can quite vigorously continue to report that there are no keys and have never seen it. If you are not ready for such a reaction, then the problem becomes very unpleasant and you start to frantically check the operation of the entire system and cover it with 1C nicknames, because everything works, but GlavBukh, or, as luck would have it, General, can’t enter 1 Sku now for no apparent reason and you feel like an idiot, instead of quickly solving a problem. However, a rather simple solution helped. It is necessary to clear the 1C cache from the user profile. At one time I found a separate file,
Keys may just stop working
No one is insured against equipment failure. And these pathetic keys may also stop working. And the most important thing in this case is to find out about this as soon as possible. For this, we will use the Zabbix monitoring system. Of course, it’s pointless to deploy it only for monitoring the keys, but if the zabbix is already installed, then why not monitor the state of the keys to it.
To do this, we need to register our own script in the agent settings file. We are looking for the configuration file of the installed zabbix_agent, it is called zabbix_agentd.conf. Open it and add a line
UserParameter=hasp.status,haspdemo | grep "^LOCALHASP_ISHASP" | sed 's/^.* \(\-\?[0-9]*\)$/\1/g'This will allow the team to collect the digital value in the field
LOCALHASP_ISHASP. In the zabbix itself, everything is already added primitively, create an Item for the desired host or template, specify Zabbix agent as Type , and hasp.status as the key parameter . The value type is float . If desired, create a trigger by which you will be sent a letter or sms that the key is not working. It is better to configure this trigger in such a way that it would require at least 2 operations and cover the time it takes for the auto-recovery script described above, otherwise false messages about problems with the key will appear.When correctly configured, only when the key is completely inoperative, you will receive a notification of problems.
Bonus
It turned out to be a surprise for me, but many really do not know that it is possible to make the client parts of 1C look for keys at the specified IP addresses using a TCP or UDP connection. Indeed, many configure the infrastructure so that there is a sufficient number of keys in each broadcast domain. This is wildness. For those who are not in the know, here is a brief instruction:
To control access to the hasp key, the client has the file nethasp.ini. It is located in the \ conf folder of the 1C directory. We are interested in the [NH_TCPIP] section. In this section, we need to uncomment or create the following parameters:
- NH_SERVER_ADDR. Here we indicate a list of DNS names or IP addresses of servers with a license manager, separated by commas.
- NH_USE_BROADCAST. Set the value to Disabled.
- NH_TCPIP_METHOD. The default method is UDP. You can change to TCP, but in general this is not a serious need.
Another point about the display of keys in aladdin monitor. Contrary to popular belief, free licenses are not only those licenses that are not available as employees in the aladdin monitor, but also those with a Timeout field of 0. Values usually disappear within 36 hours, but still licenses are considered free.
In conclusion
I thought for a long time whether there was any sense in such an article, all the same, all this can be found on the Internet, however, having counted the time that I myself spent to collect all the information, I thought it would be very good if at least to someone this The article will be useful and save time.