License Proxy - SSH Tunnel

A step-by-step guide for Rescale customers to set up a license proxy using SSH tunnel mode on the Rescale admin page

SSH Tunnel Mode is used when a user opts to use their existing software licenses on Rescale’s platform by establishing an SSH tunnel. Rescale provisions an exclusive proxy server for that user, and the proxy server forwards license polling requests from software on Rescale’s platform to the user’s local license server. This is the quickest method to set up a license proxy. It also provides encryption for free: all license requests are passed through an encrypted SSH tunnel. There is a recurring monthly charge for connectivity to the Rescale proxy server, which is paid by the user.

Here are the prerequisites to set up license proxy in SSH Tunnel mode:

  • The user should have an account in Rescale
  • The user should have an account in Rescale with company administrator rights
  • Hostname for on-premise license server
  • The user's computer should allow outbound ssh access on port 22
  • List of software and associated license and vendor ports
  • Ensure that vendor ports are fixed in license files
  • The user should have access to the on-premises license server with admin privileges to debug any issues

This section lists the steps to be followed on your local on-premises workstation where the license server is hosted

Obtain Port and Host Name Information

  • Ensure that FlexLM (Flex License Manager) or RLM (Reprise License Manager) is running

  • Obtain the hostname and the ports (license and the vendor) from the license file

  • The port the license server listens on can be obtained from the license logs

  • For both FlexLM and RLM there are 2 processes that handle license access: the License Server (lmgrd or rlm) and the Vendor Daemon

  • For FlexLM, look at the part of the log when the license server was started. It will display information in the following format. You will need to obtain the ports from this part of the log:

00:00:00 (lmgrd) FlexNet Licensing (<license manager version>) started on <hostname>
00:00:00 (lmgrd) lmgrd tcp-port <license server port>
00:00:00 (lmgrd) Started <vendor daemon> (pid <pid>)
00:00:00 (lmgrd) <vendor daemon> using TCP-port <vendor port>

Similarly, the ports as well as the hostnames for the Reprise License Manager can be parsed from the license logs. The format of the logs will look something like this:

1/1 00:00 (rlm) License server started on <hostname>
1/1 00:00 (rlm) Using TCP/IP port <license server port>
1/1 00:00 (rlm) Starting ISV server <vendor daemon> on port <vendor port>
  • The vendor daemon port is by default a dynamic port that can change when the license server is restarted, for example after re-installing a license or during routine server maintenance. Fixing the vendor port ensures that it does not change after the setup

  • To fix the vendor ports, follow the steps listed below:

  • Please note, before making any changes to the vendor ports, ensure that there are no running jobs since the License server needs to be shut down

For Windows Users
  • Open the license file in text editor with admin privileges. For instance,

My Computer > D:> Documents > license > license-file.txt

  • Now, once you locate your license file, right click and Run as administrator

  • If you do not get the option of opening the document with admin rights, please open Notepad with admin rights and open the license file in it

Notepad-administrator

  • Once you open the license file, you will see lines similar to the one below:

SERVER hostname hostid 1055
VENDOR (Daemon)

Add PORT=[your-vendor-port-number] to the VENDOR line

For example: If your vendor port number is "49812" the license file should look like:

SERVER hostname hostid 1055
VENDOR (Daemon) PORT=49812

  • Save and close the license file
  • Verify that the vendor port is fixed by re-opening the file
  • Once you have verified that the vendor port is fixed, restart the license server
  • Check the license logs to confirm that the vendor port is the same as the one you fixed

Note: You need to fix the vendor port in all the license files that are associated with the server. If you have more than 1 license file, you should fix the vendor port in all the license files. Otherwise, you will get an error when you restart the license server


For Linux Users
  • Open Terminal

  • Go to the directory where your license file is saved. For instance:

cd Documents/license/

  • Open the license file in a text editor with admin privileges. For example, if you are using the Vim text editor, type vim [name-of-your-license-file]; otherwise use the appropriate command for the text editor you have available

  • Your license file will have lines similar to the one below:

SERVER hostname hostid 1055
VENDOR (Daemon)

Add PORT=[your-vendor-port-number] to the VENDOR line

For example: If your vendor port number is 49812 the license file should look like:

SERVER hostname hostid 1055
VENDOR (Daemon) PORT=49812

  • Save and close the file
  • Verify that the vendor port is fixed by re-opening the file
  • Restart the license server
  • Check the license logs to confirm that the vendor port is the same as the one you fixed

Note: You need to fix the vendor port in all the license files that are associated with the server. If you have more than 1 license file, you should fix the vendor port in all the license files. Otherwise, you will get an error when you restart the license server
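The last verification step above can be scripted. The following is an added example, not Rescale's code: it reads the VENDOR lines of a license file and the startup lines of a FlexLM or RLM log in the formats shown on this page, and reports any daemon whose port is not fixed or differs from the logged one. The daemon names, host ID and ports in the samples are constructed.

```python
import re

# Constructed samples in the formats shown on this page (names and ports are made up).
LICENSE_FILE = """\
SERVER my-server 0123456789ab 1055
VENDOR vendora PORT=49812
VENDOR vendorb
"""
LICENSE_LOG = """\
00:00:00 (lmgrd) lmgrd tcp-port 1055
00:00:00 (lmgrd) Started vendora (pid 4242)
00:00:00 (lmgrd) vendora using TCP-port 49812
00:00:00 (lmgrd) vendorb using TCP-port 53110
"""

def fixed_vendor_ports(license_text):
    """Map each VENDOR daemon to its PORT= value, or None when no port is fixed."""
    ports = {}
    for line in license_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].upper() == "VENDOR":
            match = re.search(r"\bPORT=(\d+)", line, re.IGNORECASE)
            ports[tokens[1]] = int(match.group(1)) if match else None
    return ports

def logged_vendor_ports(log_text):
    """Map each vendor daemon to the port it reported at startup (FlexLM or RLM log)."""
    patterns = (r"\(lmgrd\)\s+(\S+) using TCP-port (\d+)",
                r"\(rlm\)\s+Starting ISV server (\S+) on port (\d+)")
    ports = {}
    for line in log_text.splitlines():
        for pattern in patterns:
            match = re.search(pattern, line)
            if match:
                ports[match.group(1)] = int(match.group(2))
    return ports

def check_vendor_ports(license_text, log_text):
    """Return problems found; an empty list means every daemon runs on its fixed port."""
    logged = logged_vendor_ports(log_text)
    problems = []
    for daemon, port in fixed_vendor_ports(license_text).items():
        if port is None:
            problems.append(f"{daemon}: no PORT= on VENDOR line, port is dynamic")
        elif logged.get(daemon) != port:
            problems.append(f"{daemon}: file fixes {port}, log shows {logged.get(daemon)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_vendor_ports(LICENSE_FILE, LICENSE_LOG)) or "all vendor ports fixed")
```

Run it against every license file associated with the server, since a single file without a fixed port is enough to change the port the tunnel has to forward.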

Once the license server has restarted, please follow the steps mentioned below:



For Windows Users

Download open-source SSH bundle from the link containing the following:

  • Plink - to be used to run the executable
  • PuTTY - to be used as SSH terminal
  • PuTTYgen - to generate the (private/public) key pair
  • Pageant - to enable private key for connection

Directory Files

Make sure you have moved all of the files from the download folder to a specified location

Example: My Computer > C:> Documents > Rescale tunnel

Generate (private/public) Key Pair using puTTYgen

To generate the private/public key pair, follow the steps as mentioned below:

  • Open puTTYgen, generate the private/public key pair and save it to same folder where all the files were saved in the previous step

See screenshot below to generate the key pair:

puttygen-keypair

Import Keys into Pageant

To import keys into Pageant follow the steps mentioned below:

  • Open pageant.exe to launch the key manager. It might launch in the Windows taskbar
  • Look for the pageant.exe icon in the taskbar, right click on it and select Add Key

pageant-addkey

  • Select the private key that you generated in the above step to import it into pageant and click Open

pageant



For Linux Users

On Mac OSX and Linux, SSH key generation utilities can be run from the command line of a terminal. To open the Mac OSX Terminal, open the Finder and choose Utilities from the Go menu. Find the Terminal application in the Utilities window and double-click it. The Terminal window opens with the command line prompt displaying the name of your machine and your username

First check for existing keys on your computer. From the command line of the terminal type:

$ ls -al ~/.ssh

This lists the files in your .ssh directory. However, if you have a new Mac OSX or Linux installation, the .ssh directory may not yet exist

The default public key file names are:

  • id_dsa.pub
  • id_ecdsa.pub
  • id_ed25519.pub
  • id_rsa.pub

If you wish to use an existing key file for your Rescale account, you can skip to the next step - Copy contents of your public key

Generate a New SSH Key

By default, keys for all identities are added to the directory:

  • /Users/_yourname_/.ssh on Mac OSX
  • /home/_yourname_/.ssh on Linux

If you have an existing identity (public/private key pair) in this directory that you want to use on Rescale, skip this step. To create a new default identity:

  1. Open a terminal session on your local system
  2. Enter ssh-keygen at the command line in the terminal
  3. The command prompts you for a file to save the key in. If the .ssh directory doesn't exist, the system creates one for you
  4. Accept the default location

The ssh-keygen command creates your default identity with its public and private keys. The whole interaction will look like this:

[mairi@centos ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mairi/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mairi/.ssh/id_rsa.
Your public key has been saved in /home/mairi/.ssh/id_rsa.pub.
The key fingerprint is:
ed:88:95:91:38:e4:5e:ff:d6:73:70:f7:43:3e:f6:3b mairi@centos
The key's randomart image is:
+--[ RSA 2048]----+
|      .          |
|     o . .       |
|      + +        |
|     . o =       |
|      . S o   ..o|
|       o o . .ooo|
|      . . . o o=o|
|           .  .E+|
|               .+|
+-----------------+
  • You can, of course, save your new key pair to an alternative, i.e. non-default, location in your file system if you wish. By default, ssh-keygen generates 2048-bit RSA keys

  • ssh-keygen generates a public key and a private key. If not specified, the default public key will be saved as id_rsa.pub and the private key as id_rsa in your ~/.ssh folder. Ensure that ~/.ssh is only accessible by you by setting the proper permissions on that folder:

chmod 700 ~/.ssh

This section lists the steps to set up a license proxy on the Rescale admin page. The license proxy setup on the Company Administration Page can be accessed at license proxy page. The page will look similar to the screenshot below:

rescale-licenseproxy-page

  • Navigate to the Rescale Administrator page from your accounts to start the setup of license proxy

  • Navigate to Integrations >> License Proxies

  • Select Add New

  • Give an identifiable name for the license proxy

  • Select SSH Tunnel as the "License Proxy Mode"

  • Do not make any changes to the "Enable High Availability" option. The default value is No

  • Put in your public SSH keys for authorized connection to the license proxy server. You can obtain your public keys from the file that was generated using puTTYgen and saved in the folder created in the step (How to generate (private/public) key pair using puTTYgen), or, if you have puTTYgen open, you can copy the keys directly from the window and paste them. If you are unsure how to do this, please check out this page on SSH Keys: Setting up your SSH Key pair

  • Click on Add an Access Rule (These are the CIDR rules for SSH access of the license proxy server)

To set the Access Rules, follow the steps mentioned below:

  • Open a web browser (Google Chrome or Internet Explorer) and search "my IP"
  • Copy and paste the IP address with a /32 mask (e.g. 100.24.32.20/32) and add a description for it (e.g. "Office IP").
  • Make sure the IP you would like to access the proxy from falls within the specified range.

The CIDR rule is required because it enables the SSH tunnel to be established from that location to the Rescale proxy. Every user in the company will be able to use Rescale and submit jobs as long as this tunnel connection is UP, regardless of their physical location. If the license server(s) are in the same network, then the public IP of that physical location has to be added to the Access Rules.
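A way to sanity-check Access Rules before saving them, as an added example that is not part of Rescale's tooling. It flags rules that are not valid CIDR, rules that use a non-public address, rules broader than an assumed policy threshold (`min_prefix`, a hypothetical parameter), and the case where the address you connect from is covered by no rule.

```python
import ipaddress

def audit_access_rules(rules, source_ip, min_prefix=24):
    """Return findings for the CIDR strings in `rules`.

    source_ip  - public address the tunnel will be opened from
    min_prefix - assumed policy: anything shorter than this is reported as too broad
    """
    findings = []
    source = ipaddress.ip_address(source_ip)
    covered = False
    for rule in rules:
        try:
            # strict=True rejects host bits set outside the mask, e.g. 100.24.32.20/24
            net = ipaddress.ip_network(rule, strict=True)
        except ValueError as exc:
            findings.append(f"{rule}: invalid CIDR ({exc})")
            continue
        if not net.network_address.is_global:
            findings.append(f"{rule}: not a public address, the proxy never sees it")
        if net.prefixlen < min_prefix:
            findings.append(f"{rule}: /{net.prefixlen} admits {net.num_addresses} addresses")
        covered = covered or source in net
    if not covered:
        findings.append(f"{source_ip}: not covered by any rule")
    return findings

if __name__ == "__main__":
    # The /32 rule is the example from this page; the other rules are constructed.
    sample = ["100.24.32.20/32", "192.168.1.10/32", "100.24.0.0/16"]
    for finding in audit_access_rules(sample, "100.24.32.20"):
        print(finding)
```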

  • After adding the CIDR, add the license port information. Select a "Unique Hostname" for your license proxy. This is the hostname of the machine that hosts the license server. The hostname can be obtained from the license logs

Hostname

  • Add the license server ports for the proxy to route traffic. It can be obtained from the FlexLM logs file. For example, if you are running Abaqus your FlexLM logs will look like this:

Log

Please then fill in the two Port numbers (license port and vendor port) and select the correct Software from the dropdown under software section on the proxy page as shown below:

License ports new

For Example, if you are using ANSYS software licenses, it has 3 ports (2 license server ports and 1 vendor port) as mentioned below:

  • 1055 - FlexNet/FlexLM License Server Port ANSYSLMD_LICENSE_FILE
  • 2325 - ANSYS License Interconnect Port ANSYSLI_SERVERS
  • 49281 - Vendor Daemon Port

Ansys-ports

  • The port information for the software you are using can be obtained from your license file (FlexLM or RLM)
  • If your license has multiple features (such as ANSYS Fluent, ANSYS Fluids Desktops, etc.) served by the same license service and the same license server, then all of those features with port numbers should be explicitly added on the license proxy settings page
  • After making the above mentioned changes, click on the Launch License Proxy button
  • Once your proxy has launched, you should see the following information on the page:

Proxy Sync

Follow the steps outlined below in order to complete the SSH tunnel settings on your on-premises server:



For Windows Users
  • Download and save the batch script to a directory containing the plink.exe executable as mentioned in section Set up system settings for SSH

  • Make sure your private key (.ppk) is stored in the same directory as pageant.exe

Windows

  • Now, use windows explorer to go to the directory where all the files are, go to the search bar, and type “cmd”

  • This will open a command prompt at the directory you are in, so you don’t need to change the directory and navigate to the particular directory from the command prompt

  • Open the (<company>_license_proxy.bat) file (script) in a text editor

Windows-script

  • Copy everything starting from plink and paste on the command prompt window

(E.g plink.exe -ssh username@license-proxy-name.tunnel.rescale.com -R 1055:on-prem-license-server-1:1055 -R 2325:on-prem-license-server-2:2325 -R 49281:on-prem-license-server-3:49281 -v -N)

  • Run the batch script to establish the ssh tunnel

The command window will print out a log which shows something like this:

Looking up host "<company>.tunnel.rescale.com"
...
Authenticating with public key "<key>" from agent
Sending Pageant's response
Access granted
Requesting remote port 27000 forward to my-server:27000
Requesting remote port 28000 forward to my-server:28000
Remote debug message: Forwarding listen address "localhost" overridden by server GatewayPorts
Remote port forwarding from 27000 enabled
Remote debug message: Forwarding listen address "localhost" overridden by server GatewayPorts
Remote port forwarding from 28000 enabled

Please note: The tunnel needs to be up and stable while any Rescale jobs are running



For Linux Users
  • Download the script, as shown below:

Linux-script

  • Open the <company>_license_proxy.bat file (script) in a text editor, copy everything starting from ssh and paste in the terminal

(E.g ssh username@license-proxy-name.tunnel.rescale.com -R 1055:on-prem-license-server-1:1055 -R 2325:on-prem-license-server-2:2325 -R 49281:on-prem-license-server-3:49281 -v -N &)

  • Run the shell script in your terminal to establish the ssh tunnel

Linux-plink

Note: The tunnel needs to be up and stable while any Rescale jobs are running

To test your connection and verify if the settings made were properly configured:

After following the above steps you should get a successful SSH Tunnel connection and you should be able to see the tunnel status as Green and UP on the company license proxy page as shown below:

licenseproxy-status

  1. Back on the License Proxy Company Administration page the Listening Ports section should be updated to indicate whether your tunnel is working or not:

License-Connection

  2. Click on the Radio Button under actions options on the company license proxy page as shown below:

radio-button

Please note that the radio button only displays the status of the FlexLM license servers. If you have an RLM license, the radio button will not display any information

  3. Submit a dummy job by logging into your Rescale account.
  • Create a new job by clicking the +New job button in the top left of the page. Select the Software you want in the software section and select Provide Existing License option as shown below:

Provide Existing License

  • In the appropriate field, type <license server port>@<hostname> (in our example case, 27000@my-server), then click the blue Check Availability button. This gives immediate feedback on whether the license server address specified is reachable from the Rescale platform. The connection information should be printed to the screen as shown below:

License

If the tunnel status shows as "Down" and not running, it can be for the following reasons:

Tunnel-status

  • On-premises workstation got restarted where the tunnel is running from
  • Pageant is not loaded while running the license server
  • Private keys are deleted
  • License server is taken down for any reason
  • The license server is disconnected from the internet
  • The license service (i.e lmgrd) has exited
  • The license has expired
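Several of these causes leave the license ports closed on the on-premises side while the SSH session itself still looks healthy. The following added example (not part of Rescale's script) parses the -R forwards out of a tunnel command in the form shown on this page and reports every forward whose license-server end does not accept a TCP connection. It is meant to run on the workstation that opens the tunnel; the host names are the page's placeholders.

```python
import re
import socket

# Tunnel command in the form shown on this page; host names are placeholders.
TUNNEL_CMD = ("ssh username@license-proxy-name.tunnel.rescale.com "
              "-R 1055:on-prem-license-server-1:1055 "
              "-R 2325:on-prem-license-server-2:2325 "
              "-R 49281:on-prem-license-server-3:49281 -v -N")

def parse_forwards(command):
    """Return (remote_port, target_host, target_port) for each -R specification."""
    specs = re.findall(r"-R\s+(\d+):([^\s:]+):(\d+)", command)
    return [(int(remote), host, int(port)) for remote, host, port in specs]

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or the name did not resolve
        return False

def preflight(command, probe=port_open):
    """Return the forwards whose license-server end is not accepting connections."""
    return [fwd for fwd in parse_forwards(command) if not probe(fwd[1], fwd[2])]

if __name__ == "__main__":
    for remote, host, port in preflight(TUNNEL_CMD):
        print(f"proxy port {remote}: nothing listening on {host}:{port}")
```

An empty result only shows that the license server and vendor daemon ports are listening locally; an expired license or a deleted private key still has to be checked separately.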