Novell Network Management: NetWare 6

Chapter 10: Identify the Fundamentals of Novell Licensing Services

Objectives:

This chapter concerns licensing services in NetWare 6, and describes how to install and manage license certificates. The objectives important to this chapter are found on page 10-1:

  1. Identify How Server and User Licensing Works
  2. Identify Key NLS Components
  3. Manage License Certificates in the eDirectory Tree
  4. Install NLS Certificates and View NetWare Usage
Concepts:

Identify How Server and User Licensing Works

NetWare 6 uses Novell Licensing Service (NLS) to manage the number of workstations connected to your network. This is not a change from previous versions of NetWare. A difference is that you can use iManager to install license certificates for new users and new servers.

You should be aware that NetWare 6 uses two kinds of license certificates: one for users and the other one for servers. A user license certificate will allow users to access any number of servers, as long as they have proper rights. A general rule is that you should install license certificates higher in the tree than the objects that will use them. An exception is that you are allowed to install license certificate in the same container as users, if all the users in the tree are in that container.

History: Before NetWare 6, the licensing model Novell used was the Server Connection License (SCL) model. This was inefficient, in that users tied up a user license for each server they concurrently used. Other resources in the network also tied up user licenses, such as printers and workstations configured for ZENworks. It is possible to run out of licenses in this kind of environment even if all users are not connected.

NetWare 6 follows the User Access Licensing (UAL) model. In this model, a single license gives a user access to as many servers and resources as the user has rights to. When a user logs in to the tree, a license is assigned. The same license remains assigned to that user, unless the user stays logged out for 90 days. (This is similar to the way IP addresses are assigned and used by DHCP systems.) If you need to release a license sooner than 90 days from last login, use iManager to do so. SCL licenses are released when a user logs out, but that does not help much, since you need more of them.

Novell notes that it can provide Academic licenses to schools and to companies whose workers are assigned to shifts. With Academic licenses, you can change the 90 day release period to a time frame that your license agreement will specify.

If you have not changed all your servers to NetWare 6, you may have both SCL and UAL licenses active on your network. A user would need one SCL license for each NetWare 4 or 5 server they are using, but would only need one UAL license for any resources associated with NetWare 6 servers.

When a NetWare user logs in to the network, NLS searches for a license for the user. The search starts at the user's container and goes up the tree.

A server must have a license certificate placed inside its license container object. A server license usually will be one of the following types, three of which are related to the network's size:

  • MLA - a Master License Agreement may be installed over and over on as many servers as a company has. This type of license is for very large (global) organizations.
  • CLA - a Corporate License Agreement is restricted: each server must have its own unique license number. This type of license is for medium to large organizations.
  • VLA - a Volume License Agreement is restricted, and each server must have its own unique license number, just like a CLA. The difference is cost and size: this type of license is for small to medium organizations.

  • CUAL - This one is new with NetWare 6. In fact, your book doen't mention it, but next term's book will. Clustering User License Agreement is installed when you install NetWare Cluster Services; by default it is placed in the same context as the cluster object. It has nothing to do with the size of the network. Did you notice that the acronym doesn't match the definition? The acronym is the Spanish word for "which", so you might remember is as, "which one is Spanish?"

To remember these in the right relationship, remember Roman numerals. M (1000) is bigger than C (100), which is bigger than V (5). The value of the Roman numerals is given here for relative reference only. Don't get confused into thinking, for example, that there are only 5 licenses in a Volume License Agreement.

A server can also be given an "emergency" license, downloadable from Novell. This is meant to be temporary, so do it only when you install a new device that you don't have a license for. If you buy a new installation kit, over the counter at a retailer, it should come with an installation CD and a license diskette. This is called buying a Red Box product by your text.

Identify Key NLS Components

The next topic in the chapter discusses the components of Novell Licensing Services (NLS). NLS is a service with several purposes. It allows only as many connections to the network as there are licenses installed for such connections. It tracks the number of users of an application installed on the network, if that application supports such tracking.

The License Service Provider (LSP) is created on a Novell server by running NLSLSP.NLM. (This can be done on NetWare 4.11 or later servers.) The server this software runs on should have a Master or Read/Write replica of the NDS partition its license certificates are in. If it does not have such a replica, the server must be able to communicate with a server that has such a replica.

NLS service can be installed on a server when it is created, or can be added later with Deployment Manager (NWDEPLOY.EXE). NLS software is installed in the SYS:\PUBLIC and SYS:\SYSTEM directories on servers that NLS service is installed on.

Workstations and servers can both run the NLS client software to request license services. NLS clients on NLM platforms (Novell servers) search only the connection they currently have for a license. NLS clients for 32-bit versions of Windows will search the tree upward from the server they are connected with.

An NDS object called NLS_LSP_servername is created when the schema is extended with SETUPNLS.NLM or when you run NWCONFIG | License Options | Create License Service Provider. The LSP object will contain the name of a transaction database, information about how far up the tree to run searches, and notifications about license problems, including unlicensed access.

License certificate objects represent the actual licenses installed in eDirectory. The files that you install licenses from may have several types of extensions:

  • NLF - This type of file contains licenses for NetWare, BorderManager, and other Novell products.
  • CLS - This type of file contains licenses for NetWare for Small Business.
  • KEY - This type of file contains an activation key.
  • Activation keys are used with Secure Certificates, which typically come with software that supports licensing.
  • Metered Certificates are certificates that an administrator creates to monitor the number of connections to software that does not come with its own certificates. Metered Certificates are unsecure certificates.

License certificate objects contain other items described in the text.

  • Policies - Certificate policies represent rules about the use of a certificate. Several types of policies are described:
    • Stop policy - Three kinds of stop policies are described. A hard stop policy refuses connection to a resource if there are no licenses available, and informs the user. A soft stop policy informs the user of no licenses available, but allows the connection. a no stop policy tracks the number of unlicensed connections, but does not stop or inform the user.
    • All usable licenses
    • Certificate requires an activation key (The text tells us that all certificates require activation keys.)
    • Evaluation certificate policy means that this certificate is meant for limited use.
  • License Unit - Number of licenses included in the certificate.

Other terms associated with license certificates:

  • Envelope - an NLF file that contains multiple certificates. You can install an envelope, which results in installing all the certificates in it.
  • Acitvation key - as noted above, this is a file with KEY as its extension. A certificate will need it to work.
  • Notification - NLS can notify someone that too many users are trying to use certificates. By default, the user who installs the certificates is notified. Users can be added and deleted from the Notify list of a License Container or an LSP object. Notifications are also sent about errors in the system.
Manage License Certificates in the eDirectory Tree

You will manage licensing service through two eDirectory object types: license container and license certificate objects. License certificates are always stored in license containers.

License container objects are created when a server is created that runs NLS. These objects go into the same eDirectory context that the server object is in. In iManager, you can examine the properties of license container object. When troubleshooting, make sure that the version of NLS reported on the object's General tab is the same as the version of NLS running on other network servers. Troubleshoot connection issues with the container object's Units in Use tab.

License certificate objects have three tabs in iManager:

  • General - settings about the certificate configuration
  • Server Assignments - Servers must be assigned for VLA, CLA, and Retail certificates.
  • Units in Use - similar to the same tab on the container object
Install NLS Certificates and View NetWare Usage

In general, place license certificates near the object (server, user, etc.) that will need them. Place certificates on both sides of a WAN link, if users on both sides of the link will need them.

If NetWare is installed without licenses (an option, if you have no license disk when installing) two grace licenses are granted: one for the server, one for a user.

A Novell International Cryptographic Infrastructure (NICI) license must be installed on each server. This is called the encryption foundation key in the installation. These license files end with NFK.

CLA and VLA licensing works as described above. MLA is a bit different: you do not assign the license to a specific server, nor do you have to install the licenses multiple times (although this is allowed). An MLA server license is good for the whole tree, so you can install it once or many times. If you do assign a license to a specific server, no other server will be able to use it.

To install licenses with iManager (for example, the license for an application):

  1. Select License Management | Install License.
  2. Browse to the CD or floppy containing the license or envelope.
  3. Select the license.
  4. Browse to the context to install the license in.
  5. If you are assigning to a server, specify it by browsing or by distinguished name.
  6. Enter the activation key.

In other than MLA scenarios, servers must be assigned to service license certificates. (In MLA, this is not necessary.) When certificates are associated with a server, no other server can administer those certificates. Servers can have multiple certificates assigned to them.

You can monitor license usage with the NetWare usage tool. It requires two specific NLMs be run on the server: NWUSAGE and NLSLRUP. Other NLMs support the data gathering functions as well: CONNAUD, NLSMETER, and NLSADAPT.

The NetWare Usage tool is accessed through Remote Manager. You can set configuration settings through this interface or through the server console.