- tutorial
Many companies use 1C as the main automation platform. So it happened with us. However, the process of establishing the platform was carried out without a proper approach, in connection with which at first we had 5 protection keys for 95 licenses, then 3 more physical keys appeared to provide another 50 client licenses for 3 legal entities. The situation is stupid, since each key normally requires separate hosts, and there were fewer and fewer servers suitable for this, and the looming increase in the number of users and, consequently, the purchase of new keys, made me think about an alternative solution to avoid unnecessary information load on our servers and in general to make the key system more flexible and, preferably, more stable.
System selection
Virtualization system
![](https://i2.wp.com/habrastorage.org/storage2/6d9/08e/ed8/6d908eed8520f47088ee59c185b9b0a3.gif)
To transfer USB devices to ESX, the hardware of the guest system must be at least version 7. Then it will be possible to add USB controller and primappit USB device to the guest system. There is also a point about support. Officially, VMware only supports a certain list of devices. And he's not very big. However, Aladdin's ordinary security keys seem to be supported. The list of supported devices is on the official website. And a description of the requirements and provisions for USB barring to the guest system is also on the official website, in the knowledge base.
There are also alternative ways forwarding USB keys to a virtual environment, and to a physical one too. These devices and software are the so-called USB over IP. Software products in this case, it is not very interesting to consider, but in this case, the iron ones show themselves well. The brightest representative, the well-known AnywhereUSB with 14 ports. It is installed in a rack, has two interfaces and two power inputs (whether it really has two power supplies, I don’t know :)). The device is good for everyone, but it costs an average of 60 thousand rubles, which did not fit well into our budget.
So, after tests and trials, the virtualization platform was chosen and the use of other products was abandoned.
Operating system and HASP drivers
I chose Debian as the OS. Why? Just because. In fact, in this configuration, you can take any favorite distribution kit. But I always like Debian for its stability and good repository.
A fairly popular package from Etersoft is taken as drivers. You can get the compiled package for your distribution from FTP server companies: ftp.etersoft.ru/pub/Etersoft/HASP/stable .
After installing the package, the haspd service appears, which controls the operation of the dongle.
Setup and verification
Some additional settings all this is not required. The key starts working almost out of the box.We check. The haspdemo program is included to check the functionality. Upon successful identification of the key and the start of work, the program will output something like this to the console:
LOCALHASP_ISHASP: Result: 1
Using Passwords 15213 - 28875
LOCALHASP_HASPSTATUS: API version number is 8.0
port number 201
Key type: HASP4 M4
LOCALHASP_HASPGENERATION: OK, HASP4 is connected.
LOCALHASP_HASPNETSTATUS: connected key is HASP4 Net 20
MEMOHASP_HASPID: 436444258 (decimal), 0x1a039c62 (hex)LOCALHASP_ENCODEDATA: OK.
53 C1 F1AF | EC 16 C3 15 | 35 31 E4 7F | 9B D0 90 9F
AA BA 8C 80 | 1E 22 29 E2 | 92 7E 04 56 | DA 70 7B 63 [.....")..~.V.p(c]
23 B4 9B E6 | 2F 17 | | [#.../.]NETHASP_READBLOCK: Failed: Return status: 10
Main field: LOCALHASP_ISHASP: Result: 1 . Telling you everything is in order. Further it is written about which key is inserted.
However, if there is some problem, then the message is displayed shorter:
This is a simple demo program for the HASP4 key
Copyright Aladdin Knowledge Systems Ltd.LOCALHASP_ISHASP: Failed: status = -100
Moreover, in fact, it doesn’t matter what happens to the key, it may not be inserted, the service may not be running, or something else. I have only seen two LOCALHASP_ISHASP values so far. It's either: Result: 1 or: Failed: status = -100 . And the latter always corresponded to inoperability, and the former always meant that everything was OK. I did not find documentation for this package, so I could not find out what other statuses there are.
Done with the key. We must not forget that your newly minted key will appear in the key monitor only when at least one license is taken from it. Then aladdin monitor will show the information that it usually shows: this is the type of key, the number of licenses taken, total licenses, who exactly took the license and timeout.
It is quite simple to force this, it is enough to specify a new license manager in the client nethasp.ini manually. But about setting up the client a little later.
From this point on, the initial task can be considered completed. Now we can create several virtual machines in parallel, in an amount corresponding to the number of physical keys available. Resources such virtualka consume, of course, penny.
Problems and Solutions
Single point of failure
The first problem that is created and in plain sight is the creation of a point of failure. If before that the keys were distributed to different servers and the failure of more than one key is practically excluded, then in this case the failure of the physical server may lead to the failure of the entire 1C system, because. clients will fall off within, in my opinion, 600 seconds and after a short time all will fall off and will not be able to return to the system. What will follow such an incident can not be told. There are two solutions and they are directed in different directions. The first solution is to use a failover ESX configuration. However, this makes sense if your company has already deployed this system and has already met a number of requirements to maintain operability in case of failure of any component. Another solution is more trivial:We create a group of A records in our company's DNS. For example, key1, key2, key3 and so on. We enter DNS names in nethasp.ini clients, distribute the file using group policy. Thus, we get a fairly flexible access structure. In this case, after discovering a significant problem with virtual server esx, you can quickly move the keys to any other servers, incl. to the workstations of any employees. In parallel, we replace A records with new ones. For some time, the cache on the clients will run out and they will again be able to get a new license and continue working.
I recommend setting reverse DNS records for keys, otherwise aladdin monitor will not show the host name, but will only show the license manager ID, which is not very convenient.
If your company and everything uses a broadcast key delivery method, then everything is simplified and moving the key to another host within the broadcast domain will not affect your work in any way.
Keys fall off
There is a fairly common problem. The keys fall off. However, no particular relationship was observed. This happens on different controllers, even on different host systems. When I moved the keys and temporarily placed them in another place under the control of VMware Player, the keys fell off frequently. This is expressed rather trivially. When requesting haspdemo , the line LOCALHASP_ISHASP: Failed: status = -100 appears. Although the key is inserted and detected. dmseg shows lines that are not fully understood: usb 2-2.1: usbfs: USBDEVFS_CONTROL failed cmd aksusbd rqt 192 rq 139 len 8 ret -110The problem is solved as trivially as it looks - by restarting the service. But the sediment remains and until this is done, the server will not distribute the keys. Since I want the system to work flawlessly, it was decided to write a script that would restore the license manager itself. So, with the help of a friend, a script was written that runs haspdemo and tries to figure out if the status is returning normal or not:
[ "`haspdemo | sed -n "s/^LOCALHASP_ISHASP.* \(\-\?*\)$/\1/p"`" == "-100" ] && service haspd restart
Further, this script is inserted into the CRON launch every minute and that's it. Even if your system does not have the problem of falling off ports, this script, I think, will not hurt.
Client Key Discovery Problem
And there is such a problem. It consists in the fact that the client, after losing the key, may not want to take a new key. Also, this problem can be expressed in other manifestations. For example, if you changed the paths to the keys in the nethasp.ini file, then the client application can quite cheerfully continue to report that there are no keys and have never seen them. If you are not ready for such a reaction, then the problem becomes very unpleasant and you begin to frantically check the operation of the entire system and curse 1C nicknames, because everything works, but GlavBukh or, as luck would have it, the General, cannot now enter 1Sku for some unknown reason and you feel like an idiot instead of fixing the problem quickly. However, a fairly simple solution has helped so far. It is necessary to clear the 1C cache from the user profile. At one time I found separate file who is responsible for this information, I forgot which one :(Keys might just stop working
No one is immune from equipment failure. And those pathetic keys can stop working too. And the most important thing in this case is to find out about it as early as possible. To do this, we will use the Zabbix monitoring system. Of course, deploying it only for monitoring the keys is pointless, but if Zabbix is already installed, then why not attach monitoring of the state of the keys to it.To do this, we need to write our own script in the agent settings file. We are looking for the configuration file of the installed zabbix_agent, it is called zabbix_agentd.conf. Open it up and add the line
UserParameter=hasp.status,haspdemo | grep "^LOCALHASP_ISHASP" | sed "s/^.* \(\-\?*\)$/\1/g"
This will allow on command to collect a numeric value in the LOCALHASP_ISHASP field. In zabbix itself, everything is added already primitively, we create item for the desired host or template, as type indicate zabbix agent, specify as the key parameter hasp.status. Value type - float. If desired, we create a trigger by which you will receive a letter or SMS that the key does not work. It is better to configure this trigger in such a way that it would require at least 2 hits and cover the time required by the auto-recovery script described above, otherwise false messages about problems with the key will appear.
With the correct settings, only if the key is completely inoperative, you will receive a notification of problems.
Bonus
It turned out to be a surprise for me, but many people really don’t know that it is possible to force 1C client parts to look for keys at specified IP addresses using a TCP or UDP connection. Indeed, many people set up their infrastructure so that each broadcast domain has a sufficient number of keys. This is wildness. For those who don't know yet, here's a quick guide:To control access to the hasp key, there is a nethasp.ini file on the client. It is located in the \conf folder of the 1C directory. We are interested in the section In this section, we need to uncomment or create the following options:
- NH_SERVER_ADDR. Here we specify a list of DNS names or IP addresses of servers with a license manager separated by commas.
- NH_USE_BROADCAST. Set the value to Disabled.
- NH_TCPIP_METHOD. The default method is UDP. You can change to TCP, but in general there is no serious need for this.
Another point about the display of keys in the aladdin monitor. Contrary to popular belief, free licenses are not only those licenses that are not used in the aladdin monitor, but also those that have 0 in the Timeout field. Values usually disappear within 36 hours, but licenses are still considered free.
In conclusion
I thought for a long time whether there is any point in such an article, after all, all this can be found on the Internet, however, considering the time that I myself spent to collect all the information, I thought that it would be very good if at least someone this The article will be useful and save time.- tutorial
Many companies use 1C as the main automation platform. So it happened with us. However, the process of establishing the platform was carried out without a proper approach, in connection with which at first we had 5 protection keys for 95 licenses, then 3 more physical keys appeared to provide another 50 client licenses for 3 legal entities. The situation is stupid, since each key normally requires separate hosts, and there were fewer and fewer servers suitable for this, and the looming increase in the number of users and, consequently, the purchase of new keys, made me think about an alternative solution to avoid unnecessary information load on our servers and in general to make the key system more flexible and, preferably, more stable.
System selection
Virtualization system
![](https://i2.wp.com/habrastorage.org/storage2/6d9/08e/ed8/6d908eed8520f47088ee59c185b9b0a3.gif)
To transfer USB devices to ESX, the hardware of the guest system must be at least version 7. Then it will be possible to add a USB controller and map the USB device to the guest system. There is also a point about support. Officially, VMware only supports a certain list of devices. And he's not very big. However, Aladdin's ordinary security keys seem to be supported. The list of supported devices is on the official website. And a description of the requirements and provisions for USB barring to the guest system is also on the official website, in the knowledge base.
There are alternative ways to transfer USB keys to a virtual environment, and to a physical one too. These devices and software are the so-called USB over IP. In this case, software products are not very interesting to consider, but iron products in this case show themselves well. The brightest representative, the well-known AnywhereUSB with 14 ports. It is installed in a rack, has two interfaces and two power inputs (whether it really has two power supplies, I don’t know :)). The device is good for everyone, but it costs an average of 60 thousand rubles, which did not fit well into our budget.
So, after tests and trials, the virtualization platform was chosen and the use of other products was abandoned.
Operating system and HASP drivers
I chose Debian as the OS. Why? Just because. In fact, in this configuration, you can take any favorite distribution kit. But I always like Debian for its stability and good repository.
A fairly popular package from Etersoft is taken as drivers. You can get the compiled package for your distribution on the company's FTP server: ftp.etersoft.ru/pub/Etersoft/HASP/stable .
After installing the package, the haspd service appears, which controls the operation of the dongle.
Setup and verification
It does not require any additional configuration. The key starts working almost out of the box.We check. The haspdemo program is included to check the functionality. Upon successful identification of the key and the start of work, the program will output something like this to the console:
LOCALHASP_ISHASP: Result: 1
Using Passwords 15213 - 28875
LOCALHASP_HASPSTATUS: API version number is 8.0
port number 201
Key type: HASP4 M4
LOCALHASP_HASPGENERATION: OK, HASP4 is connected.
LOCALHASP_HASPNETSTATUS: connected key is HASP4 Net 20
MEMOHASP_HASPID: 436444258 (decimal), 0x1a039c62 (hex)LOCALHASP_ENCODEDATA: OK.
53 C1 F1AF | EC 16 C3 15 | 35 31 E4 7F | 9B D0 90 9F
AA BA 8C 80 | 1E 22 29 E2 | 92 7E 04 56 | DA 70 7B 63 [.....")..~.V.p(c]
23 B4 9B E6 | 2F 17 | | [#.../.]NETHASP_READBLOCK: Failed: Return status: 10
Main field: LOCALHASP_ISHASP: Result: 1 . Telling you everything is in order. Further it is written about which key is inserted.
However, if there is some problem, then the message is displayed shorter:
This is a simple demo program for the HASP4 key
Copyright Aladdin Knowledge Systems Ltd.LOCALHASP_ISHASP: Failed: status = -100
Moreover, in fact, it doesn’t matter what happens to the key, it may not be inserted, the service may not be running, or something else. I have only seen two LOCALHASP_ISHASP values so far. It's either: Result: 1 or: Failed: status = -100 . And the latter always corresponded to inoperability, and the former always meant that everything was OK. I did not find documentation for this package, so I could not find out what other statuses there are.
Done with the key. We must not forget that your newly minted key will appear in the key monitor only when at least one license is taken from it. Then aladdin monitor will show the information that it usually shows: this is the type of key, the number of licenses taken, total licenses, who exactly took the license and timeout.
It is quite simple to force this, it is enough to specify a new license manager in the client nethasp.ini manually. But about setting up the client a little later.
From this point on, the initial task can be considered completed. Now we can create several virtual machines in parallel, in an amount corresponding to the number of physical keys available. Resources such virtualka consume, of course, penny.
Problems and Solutions
Single point of failure
The first problem that is created and in plain sight is the creation of a point of failure. If before that the keys were distributed to different servers and the failure of more than one key is practically excluded, then in this case the failure of the physical server may lead to the failure of the entire 1C system, because. clients will fall off within, in my opinion, 600 seconds and after a short time all will fall off and will not be able to return to the system. What will follow such an incident can not be told. There are two solutions and they are directed in different directions. The first solution is to use a failover ESX configuration. However, this makes sense if your company has already deployed this system and has already met a number of requirements to maintain operability in case of failure of any component. Another solution is more trivial:We create a group of A records in our company's DNS. For example, key1, key2, key3 and so on. We enter DNS names in nethasp.ini clients, distribute the file using group policy. Thus, we get a fairly flexible access structure. In this case, after detecting a significant problem with the esx virtual server, you can quickly move the keys to any other servers, incl. to the workstations of any employees. In parallel, we replace A records with new ones. For some time, the cache on the clients will run out and they will again be able to get a new license and continue working.
I recommend setting reverse DNS records for keys, otherwise aladdin monitor will not show the host name, but will only show the license manager ID, which is not very convenient.
If your company and everything uses a broadcast key delivery method, then everything is simplified and moving the key to another host within the broadcast domain will not affect your work in any way.
Keys fall off
There is a fairly common problem. The keys fall off. However, no particular relationship was observed. This happens on different controllers, even on different host systems. When I moved the keys and temporarily placed them in another place under the control of VMware Player, the keys fell off frequently. This is expressed rather trivially. When requesting haspdemo , the line LOCALHASP_ISHASP: Failed: status = -100 appears. Although the key is inserted and detected. dmseg shows lines that are not fully understood: usb 2-2.1: usbfs: USBDEVFS_CONTROL failed cmd aksusbd rqt 192 rq 139 len 8 ret -110The problem is solved as trivially as it looks - by restarting the service. But the sediment remains and until this is done, the server will not distribute the keys. Since I want the system to work flawlessly, it was decided to write a script that would restore the license manager itself. So, with the help of a friend, a script was written that runs haspdemo and tries to figure out if the status is returning normal or not:
[ "`haspdemo | sed -n "s/^LOCALHASP_ISHASP.* \(\-\?*\)$/\1/p"`" == "-100" ] && service haspd restart
Further, this script is inserted into the CRON launch every minute and that's it. Even if your system does not have the problem of falling off ports, this script, I think, will not hurt.
Client Key Discovery Problem
And there is such a problem. It consists in the fact that the client, after losing the key, may not want to take a new key. Also, this problem can be expressed in other manifestations. For example, if you changed the paths to the keys in the nethasp.ini file, then the client application can quite cheerfully continue to report that there are no keys and have never seen them. If you are not ready for such a reaction, then the problem becomes very unpleasant and you begin to frantically check the operation of the entire system and curse 1C nicknames, because everything works, but GlavBukh or, as luck would have it, the General, cannot now enter 1Sku for some unknown reason and you feel like an idiot instead of fixing the problem quickly. However, a fairly simple solution has helped so far. It is necessary to clear the 1C cache from the user profile. At one time, I found a separate file that is responsible for this information, I forgot which one :(Keys might just stop working
No one is immune from equipment failure. And those pathetic keys can stop working too. And the most important thing in this case is to find out about it as early as possible. To do this, we will use the Zabbix monitoring system. Of course, deploying it only for monitoring the keys is pointless, but if Zabbix is already installed, then why not attach monitoring of the state of the keys to it.To do this, we need to write our own script in the agent settings file. We are looking for the configuration file of the installed zabbix_agent, it is called zabbix_agentd.conf. Open it up and add the line
UserParameter=hasp.status,haspdemo | grep "^LOCALHASP_ISHASP" | sed "s/^.* \(\-\?*\)$/\1/g"
This will allow on command to collect a numeric value in the LOCALHASP_ISHASP field. In zabbix itself, everything is added already primitively, we create item for the desired host or template, as type indicate zabbix agent, specify as the key parameter hasp.status. Value type - float. If desired, we create a trigger by which you will receive a letter or SMS that the key does not work. It is better to configure this trigger in such a way that it would require at least 2 hits and cover the time required by the auto-recovery script described above, otherwise false messages about problems with the key will appear.
With the correct settings, only if the key is completely inoperative, you will receive a notification of problems.
Bonus
It turned out to be a surprise for me, but many people really don’t know that it is possible to force 1C client parts to look for keys at specified IP addresses using a TCP or UDP connection. Indeed, many people set up their infrastructure so that each broadcast domain has a sufficient number of keys. This is wildness. For those who don't know yet, here's a quick guide:To control access to the hasp key, there is a nethasp.ini file on the client. It is located in the \conf folder of the 1C directory. We are interested in the section In this section, we need to uncomment or create the following options:
- NH_SERVER_ADDR. Here we specify a list of DNS names or IP addresses of servers with a license manager separated by commas.
- NH_USE_BROADCAST. Set the value to Disabled.
- NH_TCPIP_METHOD. The default method is UDP. You can change to TCP, but in general there is no serious need for this.
Another point about the display of keys in the aladdin monitor. Contrary to popular belief, free licenses are not only those licenses that are not used in the aladdin monitor, but also those that have 0 in the Timeout field. Values usually disappear within 36 hours, but licenses are still considered free.
In conclusion
I thought for a long time whether there is any point in such an article, after all, all this can be found on the Internet, however, considering the time that I myself spent to collect all the information, I thought that it would be very good if at least someone this The article will be useful and save time.
Question: Monitoring software licenses
Answer:
Question: Problem with software licenses on 1c server
Answer:
Question: Software license and COM connection
A software license has been installed.
When I try to start 1C over a Com connection, it says:
-----------
No free license found!
Finding licenses on the client:
Software Licensing Error
Exceeded maximum amount users allowed by the software license file.
Source: V82.COMConnector.1
-----------
What is the problem?
Answer: The maximum number of users allowed by the software license file has been exceeded.
Question: How can I find out which file (.lic) corresponds to which software license?
Answer:
Question: Tricks of issuing software licenses by the 1C server
Answer:
Question: Client software licenses are not distributed
Answer:
Question: Problem with transferring a 1C 8.3 software license to a new server
Good afternoon.
The company had one physical server 1C 8.3 with accounting file databases. It had software licenses on it.
Purchased licenses for 1c ERP:
1.per platform for 20 people
2. to configuration 3. to server 1 s We also bought a new rack server, installed the 1C 8.3 platform on it, deployed the ERP test database, installed software licenses - everything is ok.
There was a problem with transferring file databases, or rather, I copied the databases themselves, but when starting 1C, it does not offer to enter a license, but says that the license was not found and suggests using a hardware protection key.
Tell me how to make 1C suggest introducing a software license for accounting file databases on a new server?
Answer: Super thank you!
Question: v7: 1C 7.7 TiS - could there be a software license?
Faced TiS 7.7 local without a hardware security key. As far as I remember, TiS 7.7 did not have deliveries with a software license? I remember on 7-ke there were some products with activation according to the words from the book - you had to find a word on such and such a page and then activation took place, that is, without a security key. But it seems that these were some industry decisions, as far as I remember. There is a box with a questionnaire, floppy disks and books, but there is no key anywhere. True, there is no LPT port on the PC, which is probably why they didn’t install it at the time, and lost it somewhere. But still, I would like to make sure that there was no TIS with software activation, only with hardware? Suddenly, I just always encountered hardware before.
Answer:
Answer: