Configure On-Premise License Manager

How to open the Settings dialog

  1. Open the On-Premise Licensing Portal in your browser, and log in with the system administrator user name and password you specified during the License Server installation.

  2. On the On-Premise Licensing Portal, click Configure Settings at the top right:

    Opening the On-Premise License Server settings

    The Configure Authentication Method dialog box will appear:

    [Screenshot: Configure Authentication Method dialog box]

Note

To open the On-Premise License Server in your browser, use: license-server-address:port, for example, localhost:40892.

Method

The Method tab (pictured above) lets you select how users access the server. When Access for everyone is selected, the License Server is configured as follows:

  • It gives a license seat to any user registered in your network domain for all licensed products.

  • License admins do not need to assign licenses to users in the Licensing Portal.

  • License admins cannot revoke a license from a given user.

  • Users don’t need to enter their credentials to get a license seat.

  • All users appear as anonymous.user in the Licensing Portal.

See below for LDAP and OIDC descriptions.

LDAP

Settings on the LDAP tab (pictured below) specify the LDAP provider to which the On-Premise License Server connects to get information on user accounts. By configuring LDAP:

  • License administrators can assign license seats to users by users’ distinguished names ("User DN").

  • License users enter their User DN and password to take up a license seat.

  • Your teammates can log in to the Licensing Portal by using their User DNs and passwords.

[Screenshot: LDAP tab]

Your network administrator can help you specify the values requested in these fields. Here are definitions for them:

| Field | Definition |
|---|---|
| URL | LDAP server URL |
| User DN | User Distinguished Name: The user account used for the "Bind and Search" operation against your LDAP domain – often the login email address |
| Password | The password for the User DN LDAP Account – often the login password |
| Base | The LDAP Search Base for all License Management users. Any user attempting to log in must be inside the base search. |
| User Group DN | User Group Distinguished Name: The Fully Qualified Distinguished Name (FQDN) of an LDAP security group. Users must be members of this group to log in to an ID-based SmartBear product. |

The License Server implements standard LDAP algorithms and should be able to work with any Windows and Linux LDAP providers.

Click Test to check the connection to your LDAP provider. If the connection fails, double-check the settings and check again. Save the changes when you are done.

Configure LDAPS

LDAPS is configured by adding the CA certificate to the application's trusted store. To find out about requesting a CA certificate, see Configure for HTTPS, and then perform the following steps:

  1. Locate file slm_service.vmoptions in the License Management installation folder:

    • Windows: C:\Program Files\SmartBear\LicenseManager\bin

    • Linux: /opt/SmartBear/LicenseManager/bin

  2. Open it in a text editor and add the following parameters:

    -Djavax.net.ssl.trustStoreType=PKCS12
    -Djavax.net.ssl.trustStore=ca_certificate_file.p12
    -Djavax.net.ssl.trustStorePassword=<password>

About HTTPS

The basic SmartBear On-Premise License Server installation configures the server to handle requests over standard HTTP. In many environments, this is sufficient as the network is trusted. However, some organizations require that all network applications be secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

SmartBear On-Premise License Server supports HTTP over TLS (or HTTPS), but this requires additional manual server configuration. Additionally, you may enable the redirection from HTTP to HTTPS and enable the HTTP Strict Transport Security (HSTS) policy mechanism.

Configure for HTTPS

Follow the set-up steps below. They are for Windows; Linux is similar. Open a ticket with Support if you need assistance:

  1. Acquire a certificate

    To authenticate to clients, the On-Premise License Server must have a certificate that serves as proof of identity. Certificates come in two forms: Certificate Authority (CA) signed certificates and self-signed certificates.

    Option 1: CA-signed certificate

    CA-signed certificates provide an additional level of security because they can be automatically verified and do not rely on human verification. By providing you a certificate, the certificate authority is vouching for your identity. Software systems such as web browsers and the Java Runtime Environment (JRE) include the public keys of the trusted certificate authorities, which are used to verify that server certificates were vouched for by a trusted CA.

    To acquire an SSL CA-signed certificate, contact the appropriate person in your IT department, requesting a Subject Alternative Name (SAN) extension that matches the DNS hostname.

    Option 2: Self-signed certificate

    Self-signed certificates have the advantage of being free and easy to generate. Their disadvantage is that they are not automatically trusted by the products and you have to import them to your browser/system to make a trusted connection.

    To acquire a self-signed certificate, use the following commands:

    Note

    Adjust your domain name in the subjectAltName field below.

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout slm.key -out slm.crt -addext "subjectAltName = DNS:slm.enterprise" -days 365
    openssl pkcs12 -export -in slm.crt -inkey slm.key -out slm.enterprise.p12
  2. Open the folder where License Management is installed:

    License Management install folder
  3. Copy the certificate file slm.enterprise.p12 to the SmartBear/LicenseManager/cert folder.

  4. Open the SmartBear/LicenseManager/bin/slm_service.vmoptions file and add the following entries:

    -Dserver.port=443
    -Dserver.ssl.enabled=true
    -Dserver.ssl.key-store-type=PKCS12
    -Dserver.ssl.key-store=../cert/slm.enterprise.p12
    # optional if certificate_store is not secured by password
    -Dserver.ssl.key-store-password=certificate_store_password

  5. Restart the SLM License Manager service:

    License Management restart

Non-standard LDAP configurations

SmartBear uses the following default LDAP configuration values:

  • usernameField: sAMAccountName

  • emailField: mail

  • firstNameField: givenName

  • lastNameField: sn

  • groupNameField: distinguishedName

  • memberOfField: memberOf

  • userQueryPrefix: (objectClass=user)

  • groupQueryPrefix: (objectClass=group)

For non-standard LDAP configurations, the mapping must be adapted. For example, if your configuration uses a custom group instead of the default group for user groups in AD, you must define how this object class is interpreted.

Follow the set-up steps below. They are for Windows (Linux steps are similar). If you need assistance, open a ticket with Support.

  1. Stop the licensing service if it is running.

  2. Edit the SmartBear/LicenseManager/bin/slm_service.vmoptions file and add custom configuration entries on separate lines. Use the following syntax:

    -Dldap.configName=value

  3. Start the licensing service.
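The LDAPS, HTTPS and non-standard LDAP procedures above all edit slm_service.vmoptions by hand, so a quick check of the result before restarting the service is worthwhile. The following is an added example, not SmartBear code: the function names, finding texts and sample file are constructed here, and the permission check assumes a Linux install.

```shell
# Added example, not SmartBear code. audit_vmoptions FILE prints one finding per line.
# Mapping names listed under "Non-standard LDAP configurations" on this page.
LDAP_NAMES=" usernameField emailField firstNameField lastNameField groupNameField memberOfField userQueryPrefix groupQueryPrefix "

# opt FILE KEY: value of the last -DKEY=... line (CR stripped; "#" comment lines never match).
opt() {
    tr -d '\r' < "$1" | sed -n "s/^[[:space:]]*-D$2=//p" | tail -n 1
}

audit_vmoptions() {
    f=$1
    if [ "$(opt "$f" server.ssl.enabled)" != "true" ]; then
        echo "WARN server.ssl.enabled is not true: the portal is served over plain HTTP"
    elif [ -z "$(opt "$f" server.ssl.key-store)" ]; then
        echo "FAIL server.ssl.enabled=true but server.ssl.key-store is not set"
    fi
    # LDAPS: the page adds trustStoreType, trustStore and trustStorePassword together.
    if grep -q -e '^[[:space:]]*-Djavax\.net\.ssl\.trustStore' "$f"; then
        [ -n "$(opt "$f" javax.net.ssl.trustStore)" ] || echo "FAIL javax.net.ssl.trustStore is not set"
        [ "$(opt "$f" javax.net.ssl.trustStoreType)" = "PKCS12" ] ||
            echo "FAIL javax.net.ssl.trustStoreType is not PKCS12"
    fi
    # -Dldap.<name>= overrides: flag names that are not in the page's list (likely typos).
    tr -d '\r' < "$f" | sed -n 's/^[[:space:]]*-Dldap\.\([^=]*\)=.*/\1/p' | while read -r name; do
        case "$LDAP_NAMES" in
            *" $name "*) ;;
            *) echo "WARN ldap.$name is not a mapping name listed on this page" ;;
        esac
    done
    # Store passwords sit in this file in clear text; flag group/world read bits (Linux installs).
    if grep -q -i -e 'password=' "$f" && [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN file contains a password and is readable by group or others"
    fi
}

# Constructed sample: HTTPS as in step 4, a trust store without its type, one misspelled LDAP name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-Dserver.ssl.enabled=true
-Dserver.ssl.key-store-type=PKCS12
-Dserver.ssl.key-store=../cert/slm.enterprise.p12
-Dserver.ssl.key-store-password=certificate_store_password
-Djavax.net.ssl.trustStore=ca_certificate_file.p12
-Dldap.usernameField=uid
-Dldap.userNameFeild=uid
EOF
chmod 644 "$sample"
audit_vmoptions "$sample"
rm -f "$sample"
```

On a Linux install, point it at the real file with audit_vmoptions /opt/SmartBear/LicenseManager/bin/slm_service.vmoptions; no output means none of these checks fired.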

OpenID Connect - OIDC

Settings on the OpenID Connect (OIDC) tab (pictured below) specify the configuration that allows the On-Premise License Server to access information stored in the authentication server.

The On-Premise License Manager implements the authorization code flow and needs a client ID and client secret so that users can log in with the OIDC identity provider (IDP).

Note

The License Manager must be configured as an application on the OIDC identity provider (IDP) side, for example, Okta. Use the callback URL displayed in the OIDC settings as the redirect URI.

The client ID and client secret are unique identifiers that will be used to authenticate the On-Premise License Manager with your OIDC server.

By configuring OIDC:

  • License administrators can assign license seats to users by users’ names.

  • Your teammates can log into the Licensing Portal using their OIDC credentials.

[Screenshot: OpenID Connect (OIDC) tab]

Here are definitions for the values requested in the configuration fields:

| Field | Description |
|---|---|
| Name | Descriptive name of the configuration |
| URL | OIDC server URL |
| Use PKCE | Toggle the switch to use the PKCE-enhanced Authorization Code Flow. For more information, see Authorization Code Flow with Proof Key for Code Exchange (PKCE) from Okta. |
| Client ID | Unique identifier for the On-Premise License Manager on the OIDC server |
| Client secret | Unique string paired with the Client ID value for the On-Premise License Manager on the OIDC server |
| Scope | Scopes are permissions that your application will need to access user data. You will need to add openid, profile. In some environments, the email scope will also be required. The OIDC server will only grant the scopes that you have requested. |
| User Name | Field in the token that contains user data. This depends on your OIDC server configuration. Common fields for storing user data in OIDC tokens include email and name. |
| Group Filter Enabled | Toggle the switch to use group filtering and manage access control based on the group membership. |
| Group Name Field | Field in the token that contains group data, for example, company or department |
| User Group Filter | To grant permissions to resources, add values configured on the OIDC server that match the client's requirements. |
| Admin Group Filter | To grant administrator permission, add values configured on the OIDC server that will assign elevated scopes. |
| Callback URL to be registered on the OIDC server | Use this URL as the redirect URI in the OIDC server settings. |

Note

The filters in OIDC settings apply only to users authenticated via the OIDC server. Service accounts do not have groups assigned.

Test your configuration.

After configuring the OIDC method, the Log in with OIDC button shows on the login page. Users must use this button to log in.

[Screenshot: login page with the Log in with OIDC button]

For more information on OpenID Connect, see How Open ID Connect Works.

How settings affect user authentication

The License Server settings specify how the Server gets information on user accounts in your network and how it authenticates users. The following table provides a brief overview of the effect of each setting:

| Settings | Required | License admin needs to assign licenses to users on On-Premise Licensing Portal | Users need to enter their credentials on product start |
|---|---|---|---|
| Access for everyone | Optional | No | No |
| LDAP | Required | Yes | Yes |
| OIDC | Required | Yes | Yes. Log in with OIDC is added as a login option |

Save or discard changes

  • The Save button on a page remains disabled until you change some settings on this page.

    The button saves the changes made to this page only.

  • After you change a setting on some page, the dialog displays the Discard Changes button (initially, the button is hidden). Click it to discard all the changes made to the settings on this page.

Next steps

After installing and configuring the On-Premise License Server, you can add licenses and assign them to users in your network. See Add Licenses and Assign Licenses to Users.

Change Password

As a system admin, you can change the password for your account. Use the Change Password dialog to update your login credentials.

[Screenshot: Change Password dialog]
