Reference: License Server Policy Settings

Use the following chart as a reference to the license server policy settings that the producer provides to control the operations your local license server can perform, such as synchronization to and from the back office, license distribution, logging, and license server failover.

The Editable? column indicates whether you as the license server administrator can update the given policy.

Note: These policies are of interest to the administrator of a local license server. The administrator of a CLS instance cannot edit license server policies.

For more information about the process of overriding settings, go to the appropriate section:

Managing License Server Policy Settings in the Using the FlexNet License Server Administrator Command-line Tool section.
“License Server Properties View” in the FlexNet License Server Manager Guide. (As a reference, the chart shows the field name equivalents used in FlexNet License Server Manager for various policy settings in producer-settings.xml.)

License Server Policy Settings

Setting

Description

Editable?

database.backup-enabled

The property that determines whether the license server takes a backup of trusted storage at given times and stores it on the server. Should trusted storage become corrupt, the license server administrator can then restore it from the backup without contacting the back office. The default is false. See Trusted Storage Backup and Restoration for details.

Note: Regular trusted-storage backups can negatively affect license server performance.

No

Licensing Policies

licensing.allowDuplicateClients

Changes the logic for processing capability requests. (Default is false.)

No

licensing.clientExpiryTimer

The frequency of checks for expired features on clients. (An expired feature is one whose borrow interval has expired or that has reached its expiration date as defined in the back office.) Expired features found during a given check are returned to the license-server feature pool. The frequency value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds.

The default frequency for these checks is 2s. Consider increasing this value if the current frequency is interfering with capability-request processing or with overall throughput, particularly when features have large borrow intervals. (The minimum value is 1s.)

Yes

licensing.dropClientEnforcedDelay

The delay that is enforced between client deletion requests. This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds.

This setting can also be used to disallow the deletion of clients; in this case, set the value DROP_CLIENT_DISALLOWED.

(Default is 0s, meaning deleting client records is allowed and there is no enforced delay between deletions.)

No

licensing.responseLifetime

The lifetime of a served-license response on the client. This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. If this value is 0 (zero), the response has an unlimited lifetime. (Default is 1d.)

No

licensing.allowVirtualClients

The property that determines whether virtual client devices are allowed to obtain licenses. Default is true.

No

licensing.allowVirtualServer

The property that determines whether the license server is allowed to run on a virtual host. Default is true.

No

licensing.defaultBorrowGranularity

The time unit to which the borrow interval used by the license server rounds up. Valid values include day, hour, minute, or second. (The default is second.)

For example, if the borrow interval (which is always expressed in seconds) is 60 seconds, and the borrow granularity is day, then a license issued at 5:05:01 PM expires at 11:59:59 PM—the borrow interval (5:06:01 PM) rounded to the end of the nearest day. Likewise, if granularity is minute, expiration is at 5:06:59 PM. If the granularity is second, expiration is 5:06:01 PM.

This setting is used for those client devices that do not specify one.

Note: For FlexNet Embedded client SDKs released before version 4.0, the granularity is always “day”, regardless of this setting.

No

licensing.borrowInterval

The borrow interval for served licenses. This server borrow interval is only considered if the back office does not specify a borrow interval for a feature within the license model. The current version of FlexNet Operations mandates that a borrow interval (also referred to as the feature borrow interval) be specified for new license models.

This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 1w.)

For information on how to determine the effective borrow interval, see licensing.borrowIntervalMax.

No

licensing.borrowIntervalMax

Restricts the borrow period of the clients. This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. Default is NOT_CONFIGURED (0). This is also referred to as the admin borrow interval.

The following helps you determine the effective borrow interval.

If the feature borrow interval has been set in the back office, the borrow interval is the lowest of the following values:
feature borrow interval (set in the back office)
client borrow interval (set in a client capability request)
admin borrow interval (set using licensing.borrowIntervalMax)
If the feature borrow interval has not been set in the back office, the borrow interval is the lowest of the following values:
server borrow interval (defined in producer-settings.xml by the property licensing.borrowInterval)
client borrow interval (set in a client capability request)
admin borrow interval (set using licensing.borrowIntervalMax)

A feature’s current borrow expiration can never exceed the final expiration time for that feature. In addition, a borrow-interval granularity may be applied to the effective borrow interval.

This parameter cannot be used for metered features.

Yes

licensing.renewInterval

The default renew interval is set as a percentage of the effective borrow interval. This value specifies how often—if ever—the client may attempt to recontact the local license server. Successful contact extends the expiration based on the effective borrow period (in other words, the timer for the effective borrow interval is restarted).

If set to zero, the renew interval is at client discretion. (Default is 15.)

Important: This specification by itself does not lead to enforcement. The client-side APIs must extract this value from the license server capability response and take appropriate action.

For information on how to determine the effective borrow interval, see licensing.borrowIntervalMax.

No

licensing.hostIdValidationInterval

The frequency with which the license server validates that its host ID has not changed. This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If this value is 0 (zero), validation is disabled. Default is 2m.

No

licensing.enableBuiltinHostId

The property that enables producers to configure the local license server to pick the built-in Ethernet address as hostid.

Set licensing.enableBuiltinHostId=true if the first built-in Ethernet address should be selected as hostid; otherwise, set licensing.enableBuiltinHostId=false.

The following settings override the licensing.enableBuiltinHostId property:

server.publisherDefinedHostId.policy—If a producer-defined hostid type is set using the server.publisherDefinedHostId.policy property, the licensing.enableBuiltinHostId property is ignored.
ACTIVE_HOSTID—If ACTIVE_HOSTID is set either through the REST API or using a configuration file during server startup, the licensing.enableBuiltinHostId property is ignored.

Limitations 

In the following scenarios, setting the built-in Ethernet address as hostid using licensing.enableBuiltinHostId is likely to fail:

If a user’s machine is set to use a randomized wireless MAC address.
If the option to automatically disable the wireless network connection when an Ethernet cable is connected is enabled.

Therefore, if the Ethernet address is to be used as hostid, the relevant configurations must be disabled on the user’s machine.

(Default is false.)

Tip: If you want to change the built-in hostid that is stored in the license server’s database, you can call the REST endpoint /hostids/selectedbuiltin and delete the selected built-in hostid from the database. This forces the license server to fetch the first built-in hostid from the dynamic hostid list, instead of retrieving it from its database. For more information, see Deleting the Selected Built-in Hostid.

No

licensing.defaultTimeZone

Defines the time zone that will be applied when determining a feature’s expiry date, start date, and issue date.

Valid values:

UTC—If UTC is set, a feature’s start date is the start of the specified day in Coordinated Universal Time (UTC). Equally, a feature will expire at the end of the day of the configured expiry date in UTC time. This is the default value.
SERVER—If SERVER is set, a feature’s start date is the start of the specified day in the server’s default time zone. Equally, a feature will expire at the end of the day of the configured expiry date in the server's default time zone.

See Editing the Local Settings Post-Installation for additional information.

No

licensing.security.json.enabled

The option that enables (true) or disables (false) security for JSON capability exchanges. Contact the producer to determine whether this policy applies to the licensed product you are using and whether the policy should be enabled. (Default is true.)

Yes

licensing.backup.uri

(Defined on back-up or main license server in a failover configuration; optional) The URI of the back-up license server to be included as reference information in the capability response to the client device. Use the following format:

http://server:port/fne/bin/capability 

where server:port is the back-up license server’s name and port number, as in:

http://22.22.2.222:7070/fne/bin/capability 

Yes

licensing.main.uri

(Defined on back-up or main license server in a failover configuration; optional) The URI of the main server to be included as reference information in the capability response to the client device. Use the following format:

http://server:port/fne/bin/capability 

where server:port is the main license server’s name and port number, as in:

http://11.11.1.111:7070/fne/bin/capability 

Yes
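
The borrow-related licensing policies above (licensing.borrowInterval, licensing.borrowIntervalMax, licensing.defaultBorrowGranularity, and licensing.renewInterval) combine as in the following sketch. This is an added example, not FlexNet code: all function names are hypothetical, and it assumes that an unset client interval and an admin interval of 0 (NOT_CONFIGURED) are left out of the comparison and that rounding is done on naive local timestamps.

```python
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """Convert '2s', '15m', '1w' or a bare number (seconds) to seconds."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", str(value).strip())
    if match is None:
        raise ValueError(f"not a duration value: {value!r}")
    number, unit = match.groups()
    return int(number) * UNIT_SECONDS[unit or "s"]


def effective_borrow_interval(feature, client, admin, server):
    """Lowest applicable interval, in seconds.

    feature: back-office feature borrow interval, None if not set
    client:  interval from the capability request, None if absent (assumed ignored)
    admin:   licensing.borrowIntervalMax, 0 = NOT_CONFIGURED (assumed ignored)
    server:  licensing.borrowInterval, consulted only when feature is None
    """
    candidates = [feature if feature is not None else server]
    if client is not None:
        candidates.append(client)
    if admin:
        candidates.append(admin)
    return min(candidates)


def borrow_expiry(issued_at, interval, granularity="second", final_expiry=None):
    """Expiry = issue time + interval, rounded up to the end of the unit."""
    expiry = issued_at + timedelta(seconds=interval)
    if granularity == "minute":
        expiry = expiry.replace(second=59)
    elif granularity == "hour":
        expiry = expiry.replace(minute=59, second=59)
    elif granularity == "day":
        expiry = expiry.replace(hour=23, minute=59, second=59)
    elif granularity != "second":
        raise ValueError(f"unknown granularity: {granularity!r}")
    # A borrow can never outlive the feature's final expiration.
    if final_expiry is not None:
        expiry = min(expiry, final_expiry)
    return expiry


def renew_after(effective_interval, renew_percent=15):
    """Seconds until the client should recontact the server; None when
    licensing.renewInterval is 0 (renewal is at client discretion)."""
    if renew_percent == 0:
        return None
    return effective_interval * renew_percent / 100


if __name__ == "__main__":
    issued = datetime(2024, 1, 10, 17, 5, 1)  # constructed issue time
    interval = effective_borrow_interval(
        feature=None, client=60, admin=parse_duration("1d"),
        server=parse_duration("1w"))
    for unit in ("second", "minute", "day"):
        print(unit, borrow_expiry(issued, interval, unit))
```

The licensing.defaultTimeZone policy is not modeled here; the timestamps are treated as already being in the applicable zone.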

License Server Settings

server.trustedStorageDir

The directory in which trusted storage resides. (Default is ${base.dir}, which points to the flexnetls/producer_name folder in the service’s or user’s home directory.)

No

server.accessLogPattern

This property has been deprecated and should no longer be used.

It is currently not possible to change the naming pattern of the access log file.

Access Log File Naming Pattern

Name of current log file: access_request.log.

Name of rolled over files: access_yyyy-mm-dd.request.log.

When a new day starts, a new access log file named access_request.log is created and populated with new logs. The access log file from the previous day is renamed to access_yyyy-mm-dd.request.log (for example, access_2022-12-02.request.log).

No

server.publisherDefinedHostId.policy

The property that determines whether to enable support for the use of a producer-defined hostid to identify the license server. To enable support, use the value STRICT. (Default is false, meaning support for this feature is disabled.)

If the property is set to STRICT, the server.hostType.order and licensing.enableBuiltinHostId properties (if set) are ignored.

No

server.extendedHostId.enabled

The property that enables support for the use of extended hostids to identify the license server. (Default is true.)

No

server.hostType.order

The property that enables the producer to specify the order in which the local license server picks the hostid type. The order of the hostid types is specified as a comma-separated list, for example:

    server.hostType.order=ETHERNET,FLEXID9,FLEXID10,VM_UUID

Valid values are all hostid types, with the exception of producer-defined hostid types.

The following settings override the server.hostType.order property:

server.publisherDefinedHostId.policy—If a producer-defined hostid type is set using the server.publisherDefinedHostId.policy property, the server.hostType.order property is ignored.
ACTIVE_HOSTID—If ACTIVE_HOSTID is set either through the REST API or using a configuration file during server startup, the server.hostType.order property is ignored.

No

server.forceTSResetAllowed

The property that determines whether trusted storage can be reset when unsynchronized data still exists on the license server. (Default is false.)

No

server.backupMaintenance.interval

(Defined on back-up license server in a failover configuration; required) The maximum amount of time that the back-up server can serve licenses in a failover event. This value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. If this value is set to 0, the back-up license server will serve licenses for an unlimited time while in failover mode. (Default is 3d.)

No

server.syncCompatibility

(Used for migration from the FlexNet Embedded server application) The property that enables proper conversion of time units used for synchronization to and from the back office during the migration from the FlexNet Embedded server application to the FlexNet Embedded local license server. (Default is false.)

No

Back Office URL

lfs.url

The URL for the back office to which the license server sends capability requests and synchronization data. The property is required for the online deployment model of the license server.

No

Policies for Polling Back Office for License Updates

lfs.capability.enabled

The property that determines whether capability-request polling is enabled. If polling is enabled, a capability request is sent to the back office periodically to update the license server’s license rights.

This property is used for the online deployment model of the license server. (Default is true.)

No

lfs.capability.repeats

The amount of time between polling sessions to the back office. The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 1d; minimum is 10s.)

Yes

lfs.capability.retryCount

The number of polling attempts allowed if the initial attempt fails. (Default is 3.)

Yes

lfs.capability.retryRepeats

The amount of time between polling attempts, if the initial attempt fails. The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 30s; minimum is 1s.)

Yes

Policies for Synchronizing to Back Office

lfs.syncTo.enabled

The property that determines whether synchronization to the back office is enabled. This property should be viewed in combination with lfs.syncTo.includeAll:

lfs.syncTo.enabled=true and lfs.syncTo.includeAll=true: (Online synchronization) This mode collects all historical client actions in the synchronization history and uploads this data to the back office as part of the synchronization.
lfs.syncTo.enabled=true and lfs.syncTo.includeAll=false: (Online synchronization) This mode collects only the current state for each active client device at the point of synchronization and uploads this data to the back office.
lfs.syncTo.enabled=false and lfs.syncTo.includeAll=true: (Offline synchronization) This mode collects all historical and current client actions. This data is retained on the license server until the offline synchronization tools are run (see Offline Synchronization to the Back Office).
lfs.syncTo.enabled=false and lfs.syncTo.includeAll=false: No synchronization data is collected (synchronization is disabled). Client data is deleted from the license server as soon as the client expires.

(Default is false.)

No

lfs.syncTo.pagesize

The maximum number of client records to include in a synchronization message to the back office. A smaller page size limits the memory overhead at the expense of having multiple synchronization transactions. (Default is 100; minimum is 10; maximum is 256.)

Yes

lfs.syncTo.threads

The number of parallel threads allocated to handle the synchronization of metered-usage and license-distribution data to the back office. (Default is 1.)

Yes

lfs.syncTo.repeats

The amount of time between synchronization sessions to the back office. The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 5m; minimum is 10s.)

Yes

lfs.syncTo.retryCount

The number of synchronization attempts to the back office allowed when an initial attempt fails. (Default is 4.)

Yes

lfs.syncTo.retryRepeats

The amount of time between synchronization attempts when an initial attempt fails. The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 5m; minimum is 1s.)

Yes

lfs.syncTo.delay

At license server startup, the amount of time the server should wait before initiating a synchronization session to the back office. (Default is 2s; minimum is 2s.)

Yes

lfs.syncTo.includeAll

The property that determines whether historical license-distribution data for concurrent features is collected and sent to the back office as part of the synchronization. This property should be viewed in combination with lfs.syncTo.enabled:

lfs.syncTo.enabled=true and lfs.syncTo.includeAll=true: (Online synchronization) This mode collects all historical client actions in the synchronization history and uploads this data to the back office as part of the synchronization.
lfs.syncTo.enabled=true and lfs.syncTo.includeAll=false: (Online synchronization) This mode collects only the current state for each active client device at the point of synchronization and uploads this data to the back office.
lfs.syncTo.enabled=false and lfs.syncTo.includeAll=true: (Offline synchronization) This mode collects all historical and current client actions. This data is retained on the license server until the offline synchronization tools are run (see Offline Synchronization to the Back Office).
lfs.syncTo.enabled=false and lfs.syncTo.includeAll=false: No synchronization data is collected (synchronization is disabled). Client data is deleted from the license server as soon as the client expires.

(Default is true.)

No

Policies for Synchronizing from Back Office

lfs.syncFrom.enabled

The property that determines whether license-recovery from the back office is enabled. If recovery is enabled, the metered-usage data and license-distribution state for concurrent features is recovered from the back office when the license server initially starts up with a new or reset trusted storage. (Default is false.)

No

Policies for License Server Failover

fne.syncTo.enabled

(Defined on back-up license server only; required) The property that determines whether to enable “license server to license server” synchronization in a failover configuration. (Default is false.)

Yes

fne.syncTo.mainUri

(Defined on back-up license server only; required) The URI of the main license server in a failover configuration. Use the following format:

http://server:port/fne/bin/capability 

where server:port is the main license server’s name and port number, as in:

http://11.11.1.111:7070/fne/bin/capability 

Yes

fne.syncTo.repeats

(Defined on back-up license server only) The amount of time between synchronization sessions from the main server to the back-up server in a failover configuration. (The back-up server initiates the sessions.) The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. (Default is 300s; minimum is 5m.)

No

fne.syncTo.pagesize

(Defined on back-up license server only) The maximum number of client records to include in a synchronization message to the back-up server. A smaller page size limits the memory overhead at the expense of having multiple synchronization transactions. (Default is 100.)

Yes

fne.syncTo.retryCount

(Defined on back-up license server only) The number of synchronization attempts from the main server allowed when an initial attempt fails. (Default is 1.)

Yes

fne.syncTo.retryRepeats

(Defined on back-up license server only) The amount of time between synchronization attempts when an initial attempt fails. The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. The default is 60s.

Yes

Security Policies

security.enabled

The option that enables (true) or disables (false) administrative security on the license server.

When administrative security is enabled, operations used to administer the license server are “secured” (that is, credentials are required to perform them). See Managing Administrative Security on a Local License Server or CLS Instance.

When this option is true, the remaining policies in this Security Policies section are in effect.

(Default is false.)

Yes

security.token.duration

The duration of the JSON web token (generated when a user successfully authenticates credentials on the license server). When the token expires, credentials must be re-entered to re-authorize.

The value can be specified with an optional unit-suffix letter—s, m, h, d, or w—indicating seconds, minutes, hours, days, or weeks. If no suffix is used, the server assumes the value is in seconds. The default is 1d.

This policy is not editable in the FlexNet License Server Manager.

Yes

security.http.auth.enabled

The option that controls whether HTTPS is required to perform secured administrative (and possibly licensing) operations on the license server.

When false, the policy enforces the use of HTTPS to perform secured operations. (An error is generated for any attempt to perform a secured operation using HTTP.)
When true, the policy allows either HTTP or HTTPS to perform secured operations. (This is the default.)

This policy is not editable in the FlexNet License Server Manager.

Yes

security.ip.whitelist

(Available only when security.enabled is true) The list of IP addresses for those components (devices) that you determine should have access to the license server without having to provide credentials to access secured REST API endpoints. For example, you might want a machine in your IT department to have such access to the endpoints for fixing issues or performing maintenance.

List only IPv4 or IPv6 addresses, and separate each address with a comma, as this example value shows:

111.222.2.2,111.333.3.3 

This policy is not editable in the FlexNet License Server Manager.

Important: In certain contexts, configuring security.ip.whitelist can be considered a security risk. For example, if X-Forwarded-For is active and no gateway or reverse proxy server is in use, potential attackers could spoof the header to hide their actual IP addresses or impersonate other users. To mitigate risks, consider disabling X-Forwarded-For (XFF) headers (set disable-xforwarded-for=true in the local-configuration.yaml file).

Yes

security.anonymous

The option that determines whether or not users need credentials for “read” access to the license server’s endpoints:

When the value is true, all user accounts are automatically given “read” rights (ROLE_READ) and do not need to provide credentials for “read” access.
When the value is false, a given user account must be explicitly assigned ROLE_READ in order to perform “read” operations. (The exception occurs when no role is assigned to an account, in which case ROLE_READ is assigned as the only role by default.) Credentials are then required to perform any “read” operation. If an account is not authorized for ROLE_READ, no “read” access is given. This setting provides additional protection against unauthorized queries on the license server.

This policy is not editable in the FlexNet License Server Manager.

(Default is false.)

Yes
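
The security policies above interact: the security.* policies only take effect when security.enabled is true, the default for security.http.auth.enabled permits plain HTTP, and security.ip.whitelist depends on how X-Forwarded-For is handled. The following added example (not part of the FlexNet tooling) reviews a set of effective policy values against those statements; the function name, the dictionary input, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Defaults as stated in the policy table on this page.
DEFAULTS = {
    "security.enabled": "false",
    "security.http.auth.enabled": "true",
    "security.anonymous": "false",
    "security.ip.whitelist": "",
    "licensing.security.json.enabled": "true",
    "logging.threshold": "INFO",
    "graylog.threshold": "WARN",
}


def _value(settings, key):
    return settings.get(key, DEFAULTS[key]).strip()


def _is_true(settings, key):
    return _value(settings, key).lower() == "true"


def audit_policies(settings, *, xff_disabled):
    """Return (policy, finding) pairs for a dict of policy name -> value.

    Missing keys fall back to DEFAULTS. xff_disabled is the value of
    disable-xforwarded-for from local-configuration.yaml.
    """
    findings = []

    def report(key, message):
        findings.append((key, message))

    if not _is_true(settings, "security.enabled"):
        report("security.enabled",
               "administrative security is off; no credentials are required "
               "and the other security.* policies are not in effect")
    else:
        if _is_true(settings, "security.http.auth.enabled"):
            report("security.http.auth.enabled",
                   "secured operations are accepted over HTTP as well as "
                   "HTTPS; set to false to require HTTPS")
        if _is_true(settings, "security.anonymous"):
            report("security.anonymous",
                   "read access is granted without credentials")
        raw = _value(settings, "security.ip.whitelist")
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        for entry in entries:
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                report("security.ip.whitelist",
                       f"{entry!r} is not an IPv4 or IPv6 address")
        if entries and not xff_disabled:
            report("security.ip.whitelist",
                   "whitelist is in use while X-Forwarded-For is honoured; "
                   "without a gateway or reverse proxy the header can be "
                   "spoofed, so set disable-xforwarded-for=true")
    if not _is_true(settings, "licensing.security.json.enabled"):
        report("licensing.security.json.enabled",
               "security for JSON capability exchanges is disabled")
    for key in ("logging.threshold", "graylog.threshold"):
        if _value(settings, key).upper() == "DEBUG":
            report(key, "DEBUG is not recommended on production servers")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the addresses are documentation ranges.
    sample = {
        "security.enabled": "true",
        "security.ip.whitelist": "192.0.2.10,2001:db8::5",
        "logging.threshold": "DEBUG",
    }
    for policy, finding in audit_policies(sample, xff_disabled=False):
        print(f"{policy}: {finding}")
```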

Logging Policies

logging.directory

The directory to which the license server writes the log for the license server. The default is ${base.dir}/logs, where ${base.dir} points to the flexnetls/producer_name folder in the service’s or user’s home directory.

No

logging.threshold

The lowest level of log-message granularity to record—FATAL, ERROR, WARN, INFO, LICENSING, POLICY, or DEBUG. For example, if FATAL is set, only messages about fatal events are recorded. However, if WARN is set, fatal-event, error, and warning messages are recorded.

(Default is INFO.)

Logging categories

FATAL—Errors that prevent the server from starting up

ERROR—Serious errors

WARN—Warnings

INFO—Informational messages

LICENSING—Server responses such as capability responses and JSON replies

POLICY—Additional information for checkout filters (these are selective license filters customizable by the producer)

DEBUG—Additional debug-level information. The license server should not use a logging level of DEBUG for a long period, because it can have a negative impact on license server performance. It is not recommended to use DEBUG on production license servers.

Yes

graylog.host

The host name of a Graylog server, if any, to which logging messages are sent.

Yes

graylog.threshold

The lowest level of log-message granularity to record—FATAL, ERROR, WARN, INFO, LICENSING, POLICY, or DEBUG. For example, if FATAL is set, only messages about fatal events are recorded. However, if WARN is set, fatal-event, error, and warning messages are recorded. (Default is WARN.)

Yes