Configure On-Premise License Manager
How to open the Settings dialog
Open the On-Premise Licensing Portal in your browser, and log in with the system administrator user name and password you specified during the License Server installation.
On the On-Premise Licensing Portal, click Configure Settings at the top right:
The Configure Authentication Method dialog box will appear:
Note
To open the On-Premise License Server in your browser, use license-server-address:port, for example, localhost:40892.
Method
The Method tab (pictured above) allows you to select the preferred option for accessing the server. When Access for everyone is selected, the License Server is configured as follows:
It gives a license seat to any user registered in your network domain for all licensed products.
License admins do not need to assign licenses to users in the Licensing Portal.
License admins cannot revoke a license from a given user.
Users don’t need to enter their credentials to get a license seat.
All users appear as anonymous.user in the Licensing Portal.
See below for LDAP and OIDC descriptions.
LDAP
Settings on the LDAP tab (pictured below) specify the LDAP provider to which the On-Premise License Server connects to get information on user accounts. By configuring LDAP:
License administrators can assign license seats to users by users’ distinguished names ("User DN").
License users enter their User DN and password to take up a license seat.
Your teammates can log in to the Licensing Portal by using their User DNs and passwords.
Your network administrator can help you specify the values requested in these fields. Here are definitions for them:
Field | Definition |
---|---|
URL | LDAP server URL |
User DN | User Distinguished Name: The user account used for the "Bind and Search" operation against your LDAP domain – often the login email address |
Password | The password for the User DN LDAP Account – often the login password |
Base | The LDAP Search Base for all License Management users. Any user attempting to log in must be inside the base search. |
User Group DN | User Group Distinguished Name: The Fully Qualified Distinguished Name (FQDN) of an LDAP security group. Users must be members of this group to log in to an ID-based SmartBear product. |
The License Server implements standard LDAP algorithms and should be able to work with any Windows and Linux LDAP providers.
Click Test to check the connection to your LDAP provider. If the connection fails, double-check the settings and test again. Save the changes when you are done.
Configure LDAPS
LDAPS is configured by adding the CA certificate to the application's trusted store. For information on requesting a CA certificate, see Configure for HTTPS, and then perform the following steps:
Locate the slm_service.vmoptions file in the License Management installation folder:
Windows: C:\Program Files\SmartBear\LicenseManager\bin
Linux: /opt/SmartBear/LicenseManager/bin
Open it in a text editor and add the following parameters, each on its own line:
-Djavax.net.ssl.trustStoreType=PKCS12
-Djavax.net.ssl.trustStore=ca_certificate_file.p12
-Djavax.net.ssl.trustStorePassword=<password>
About HTTPS
The basic SmartBear On-Premise License Server installation configures the server to handle requests over standard HTTP. In many environments, this is sufficient as the network is trusted. However, some organizations require that all network applications be secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
SmartBear On-Premise License Server supports HTTP over TLS (or HTTPS), but this requires additional manual server configuration. Additionally, you may enable the redirection from HTTP to HTTPS and enable the HTTP Strict Transport Security (HSTS) policy mechanism.
Configure for HTTPS
Follow the set-up steps below. They are for Windows; Linux is similar. Open a ticket with Support if you need assistance:
Acquire a certificate
To authenticate to clients, the On-Premise License Server must have a certificate that serves as proof of identity. Certificates come in two forms: Certificate Authority (CA) signed certificates and self-signed certificates.
Option 1: CA-signed certificate
CA-signed certificates provide an additional level of security because they can be verified automatically and do not rely on human verification. By issuing you a certificate, the certificate authority is vouching for your identity. Software systems such as web browsers and the Java Runtime Environment (JRE) include the public keys of trusted certificate authorities, which are used to verify that a server certificate was vouched for by a trusted CA.
To acquire an SSL CA-signed certificate, contact the appropriate person in your IT department, requesting a Subject Alternative Name (SAN) extension that matches the DNS hostname.
Option 2: Self-signed certificate
Self-signed certificates have the advantage of being free and easy to generate. Their disadvantage is that they are not automatically trusted by the products and you have to import them to your browser/system to make a trusted connection.
To acquire a self-signed certificate, use the following commands:
Note
Adjust your domain name in the subjectAltName field below.
openssl req -x509 -sha256 -newkey rsa:2048 -keyout slm.key -out slm.crt -addext "subjectAltName = DNS:slm.enterprise" -days 365
openssl pkcs12 -export -in slm.crt -inkey slm.key -out slm.enterprise.p12
Open the folder where License Management is installed.
Copy the certificate file slm.enterprise.p12 to the Smartbear/LicenseManager/cert folder.
Open the Smartbear/LicenseManager/bin/slm_service.vmoptions file and add the following entries, each on its own line:
-Dserver.port=443
-Dserver.ssl.enabled=true
-Dserver.ssl.key-store-type=PKCS12
-Dserver.ssl.key-store=../cert/slm.enterprise.p12
-Dserver.ssl.key-store-password=certificate_store_password
The key-store-password entry is optional if the certificate store is not secured by a password.
Restart the SLM License Manager service.
Non-standard LDAP configurations
SmartBear uses the following default LDAP configuration values:
usernameField: sAMAccountName
emailField: mail
firstNameField: givenName
lastNameField: sn
groupNameField: distinguishedName
memberOfField: memberOf
userQueryPrefix: (objectClass=user)
groupQueryPrefix: (objectClass=group)
For non-standard LDAP configurations, the mapping must be adapted. For example, if your configuration uses a custom group object class instead of the default group class for user groups in AD, you must define how this object class is interpreted.
Follow the set-up steps below. They are for Windows (Linux steps are similar). If you need assistance, open a ticket with Support.
Stop the licensing service if it is running.
Edit the Smartbear/LicenseManager/bin/slm_service.vmoptions file and add custom configuration entries on separate lines, using the following syntax: -Dldap.configName=value
Start the licensing service.
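As an added illustration (not the License Server's own code), the following Python shows how the mapping fields listed above and the -Dldap.* override lines compose into a bind-and-search filter and a User Group DN membership check. The filter composition is an assumption about how such servers typically query LDAP; the escaping follows RFC 4515 so a user-supplied login name cannot change the meaning of the filter.

```python
import re

# Default mapping as listed above; -Dldap.<configName>=<value> lines override it.
DEFAULT_MAPPING = {
    "usernameField": "sAMAccountName",
    "emailField": "mail",
    "firstNameField": "givenName",
    "lastNameField": "sn",
    "groupNameField": "distinguishedName",
    "memberOfField": "memberOf",
    "userQueryPrefix": "(objectClass=user)",
    "groupQueryPrefix": "(objectClass=group)",
}
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_OPTION_RE = re.compile(r"^-Dldap\.(\w+)=(.*)$")

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it is matched literally and
    cannot close the filter or add its own conditions."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def mapping_from_vmoptions(text):
    """Effective mapping after applying the -Dldap.* lines of slm_service.vmoptions.
    Unknown keys are rejected so a typo cannot silently leave the default in place."""
    mapping = dict(DEFAULT_MAPPING)
    for line in text.splitlines():
        match = _OPTION_RE.match(line.strip())
        if match:
            key, value = match.groups()
            if key not in mapping:
                raise KeyError("unknown ldap setting: " + key)
            mapping[key] = value
    return mapping

def user_search_filter(mapping, username):
    """Filter for the bind-and-search step: the user query prefix AND the login
    name; the caller restricts the search to the configured Base (assumed composition)."""
    return "(&%s(%s=%s))" % (mapping["userQueryPrefix"], mapping["usernameField"],
                             escape_filter_value(username))

def is_group_member(mapping, user_entry, user_group_dn):
    """Enforce the 'User Group DN' requirement from the user's memberOf values;
    DNs compare case-insensitively."""
    members_of = user_entry.get(mapping["memberOfField"], [])
    return any(dn.lower() == user_group_dn.lower() for dn in members_of)
```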
OpenID Connect - OIDC
Settings on the OpenID Connect (OIDC) tab (pictured below) specify the configuration that allows the On-Premise License Server to access information stored in the authentication server.
The On-Premise License Manager implements the authorization code flow and needs to obtain a client ID and client secret so users can log in with the OIDC identity provider (IDP).
Note
The License Manager must be configured as an application on the OIDC identity provider (IDP) side, for example, Okta. Use the callback URL displayed in the OIDC settings as the redirect URI.
The client ID and client secret are unique identifiers used to authenticate the On-Premise License Manager with your OIDC server.
By configuring OIDC:
License administrators can assign license seats to users by users’ names.
Your teammates can log into the Licensing Portal using their OIDC credentials.
Here are definitions for the values requested in the configuration fields:
Field | Description |
---|---|
Name | Descriptive name of the configuration |
URL | OIDC server URL |
Use PKCE | Toggle the switch to use the PKCE-enhanced Authorization Code Flow. For more information, see Authorization Code Flow with Proof Key for Code Exchange (PKCE) from Okta. |
Client ID | Unique identifier for the On-Premise License Manager on the OIDC server |
Client secret | Unique string paired with the Client ID value for the On-Premise License Manager on the OIDC server |
Scope | Scopes are the permissions your application needs to access user data. Add openid and profile; in some environments, the email scope is also required. The OIDC server grants only the scopes you have requested. |
User Name | Field in the token that contains the user's identifying data. This depends on your OIDC server configuration. Common fields for storing user data in OIDC tokens include email and name. |
Group Filter Enabled | Toggle the switch to use group filtering and manage access control based on the group membership. |
Group Name Field | Field in the token that contains group data, for example, company or department |
User Group Filter | To grant permissions to resources, add values configured on the OIDC server that match the client's requirements. |
Admin Group Filter | To grant administrator permission, add values configured on the OIDC server that will assign elevated scopes. |
Callback URL to be registered on the OIDC server | Use this URL as the redirect URI in the OIDC server settings. |
Note
The filters in OIDC settings apply only to users authenticated via the OIDC server. Service accounts do not have groups assigned.
Test your configuration.
After configuring the OIDC method, the Log in with OIDC button shows on the login page. Users must use this button to log in. For more information on OpenID Connect, see How Open ID Connect Works.
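As an added example (not the License Manager's own code), the following Python walks through the pieces of the PKCE-enhanced authorization code flow and the filters from the table above: deriving the S256 code_challenge, building the authorization request with the registered callback URL, and applying the User Name and group filter fields to the claims of a decoded ID token. The /authorize path, the claim names and the group values are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.
    Only the challenge is sent in the authorization request; the verifier stays
    with the License Manager, so a captured code alone cannot be redeemed."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorization_request(idp_url, client_id, callback_url, scopes, state, challenge):
    """Front-channel authorization URL for the code flow with PKCE. The /authorize
    path is a hypothetical IdP endpoint; redirect_uri must equal the callback URL
    registered on the IdP, and state is checked on return to defeat CSRF."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{idp_url.rstrip('/')}/authorize?{urlencode(params)}"

def evaluate_claims(claims, user_name_field, group_name_field=None,
                    user_groups=(), admin_groups=()):
    """Apply the User Name field and the group filters to decoded ID token claims.
    Returns (user_name, role); role is 'admin', 'user' or None (denied). With
    group_name_field None the Group Filter toggle is off and any authenticated
    user is admitted as 'user'."""
    user_name = claims.get(user_name_field)
    if not user_name:
        return None, None
    if group_name_field is None:
        return user_name, "user"
    groups = claims.get(group_name_field, [])
    if isinstance(groups, str):  # 'department' carries one string, 'groups' a list
        groups = [groups]
    if set(groups) & set(admin_groups):
        return user_name, "admin"
    if set(groups) & set(user_groups):
        return user_name, "user"
    return user_name, None
```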
How settings affect user authentication
The License Server settings specify how the Server gets information on user accounts in your network and how it authenticates users. The following table provides a brief overview of the effect of each setting:
Settings | Required | License admin needs to assign licenses to users on On-Premise Licensing Portal | Users need to enter their credentials on product start |
---|---|---|---|
Access for everyone | Optional | No | No |
LDAP | Required | Yes | Yes |
OIDC | Required | Yes | Yes (Log in with OIDC is added as a login option) |
Save or discard changes
The Save button on a page remains disabled until you change some settings on this page.
The button saves the changes made to this page only.
After you change a setting on some page, the dialog displays the Discard Changes button (initially, the button is hidden). Click it to discard all the changes made to the settings on this page.
Next steps
After installing and configuring the On-Premise License Server, you can add licenses and assign them to users in your network. See Add Licenses and Assign Licenses to Users.
Change Password
As a system admin, you can change the password for your account. Use the Change Password dialog to update your login credentials.