Author Topic: Floating Licence Server vs Keystore service (Read 70608 times)

skiwi · « **Reply #15 on:** August 27, 2021, 12:09:46 pm »

Maybe we are talking at cross purposes.

If my understanding is correct all authentication is done in the EA client against the model or using AD.
At least that's how it works for us.

Paolo F Cantoni · « **Reply #16 on:** August 27, 2021, 12:49:20 pm »

Quote from: Eve on August 27, 2021, 11:41:39 am

In the PCS license configuration, you will find that it allows the configuration of multiple groups and the credentials for each of those groups. By default, your request one of those groups in EA by specifying the appropriate name and password.

However, it does allow you to link each group to one (or more?) active directory groups, which provides for more flexibility than the active directory integration in the legacy keystore service.

What kinds of groups are these? EA groups? PCS Groups? AD Groups? We don't necessarily have the same EA groups for each repository (we haven't liked them to AD groups at all).

Remember, we're not using any part of PCS except the licence server.

I'm totally lost at this point.

Paolo

skiwi · « **Reply #17 on:** August 27, 2021, 01:39:32 pm »

I don't know if it helps, but EA has licences,
PCS has session tokens (only needed for the paid services such as WebEA. The licence server is tokenless, as is EA model connections via PCS).
Eve is talking about WebConfig - Floating License Groups | Enterprise Architect User Guide (sparxsystems.com)

Eve · « **Reply #18 on:** August 27, 2021, 02:59:09 pm »

You need to configure who can access licenses.

The old keystore service had a bunch of ways that you could do this.

The Floating License Server only provides one way. You define one or more groups and the entitlements that each of those groups has.

I jumped in to correct this misinformation.

Quote from: skiwi on August 26, 2021, 12:42:39 pm

Note there is one irritant with the PCS KS. It requires a user id and password, DAMY.

If you specify one or more active directory groups in the corresponding group for the keystore service then the server will authenticate the user against those active directory groups to determine inclusion in each group and the corresponding entitlements of the user requesting a license.

If you don't link to any active directory groups, then yes you will need to provide the user id and password defined for the group.

skiwi · « **Reply #19 on:** August 27, 2021, 03:30:04 pm »

Quote from: Eve on August 27, 2021, 02:59:09 pm

I jumped in to correct this misinformation.
Quote from: skiwi on August 26, 2021, 12:42:39 pm
Note there is one irritant with the PCS KS. It requires a user id and password, DAMY.

If you specify one or more active directory groups in the corresponding group for the keystore service then the server will authenticate the user against those active directory groups to determine inclusion in each group and the corresponding entitlements of the user requesting a license.

If you don't link to any active directory groups, then yes you will need to provide the user id and password defined for the group.

Thankyou, this was information that I was not supplied by support when I raised this issue, and not apparent to me over multiple viewings of the documentation. Could you please point to the documentation that describes how to set this up?

Paolo F Cantoni · « **Reply #20 on:** August 27, 2021, 03:56:02 pm »

Quote from: skiwi on August 27, 2021, 01:39:32 pm

I don't know if it helps, but EA has licences,
PCS has session tokens (only needed for the paid services such as WebEA. The licence server is tokenless, as is EA model connections via PCS).
Eve is talking about WebConfig - Floating License Groups | Enterprise Architect User Guide (sparxsystems.com)

Thanks, skiwi, yes it does - a lot!

Unfortunately, our infrastructure resource dedicated to this task won't be in until next Thursday, so I'll have to wait till then to get anything done.

Have a good weekend!
Paolo

Eve · « **Reply #21 on:** August 27, 2021, 04:09:11 pm »

It's in the same place just linked.

https://sparxsystems.com/enterprise_architect_user_guide/15.2/pro_cloud_server/webconfig_add_or_edit_group.html

skiwi · « **Reply #22 on:** August 27, 2021, 07:01:38 pm »

OK, thanks, I guess I didn't realise the implication of connecting an AD group to a EA licence key group => no password.
And as I noted nothing I was told made the connection either.
Since we only have one group of users I hadn't seen any use for this connection,
I might try it, perhaps I can connect the default group with an AD group.

Modesto Vega · « **Reply #23 on:** September 01, 2021, 01:01:25 am »

The ProCloud Server Floating License Server/Service must use HTTPS for Sparx EA to communicate with it. Oddly, when modelling Sparx EA can communicate with ProCloud Server over HTTP. In other words, HTTPS is only required for Sparx EA to communicate with the PCS FLS.

The biggest hurdle so far for our infrastructure team has been HTTPS configuration, if self-certification is not allowed and an external certifying authority must be used the process can be lengthy.

Strictly speaking the PCS FLS still uses a keystore, the keys have to be imported and stored in a file. What PCS FLS offers is the capability of handling all communications, modelling and licensing, between Sparx EA and PCS over HTTP/HTTPS. There are some restrictions but we have not gotten there yet.

Modesto Vega · « **Reply #24 on:** September 02, 2021, 09:22:50 pm »

Just expanding on my HTTPS comment. HTTPS must be enabled in order for Active Directory authentication to work with PCS.

Modesto Vega · « **Reply #25 on:** October 12, 2021, 12:06:18 am »

We have now migrated from a file based repository to Pro Cloud Server Floating License Server but are getting the following error when connecting to the floating license server: "provided credentials do not include authorisation for this key type".

The error appears irrespective of better the group is mapped to an AD group or not.

Does anybody know how to resolve this?

Modesto Vega · « **Reply #26 on:** October 12, 2021, 01:06:00 am »

To answer my own question the AD groups were incorrectly mapped, they were missing WINNT:// at the begining.

Sunshine · « **Reply #27 on:** October 12, 2021, 06:51:36 am »

The one thing to be aware of regarding the floating licence server is that it works across IPv4 and not IPv6. We discovered this when we all had to work from home using direct access which runs IPv6. We had to move to a keystore service on shared drive. We are in the process of setting up PCS at the moment as that seems to be the way of the future.

Modesto Vega · « **Reply #28 on:** October 13, 2021, 03:47:51 am »

Quote from: Sunshine on October 12, 2021, 06:51:36 am

The one thing to be aware of regarding the floating licence server is that it works across IPv4 and not IPv6. We discovered this when we all had to work from home using direct access which runs IPv6. We had to move to a keystore service on shared drive. We are in the process of setting up PCS at the moment as that seems to be the way of the future.

Just for clarity, are you saying that the PCS floating license server doesn’t uses IPv4 instead of IPv6?

Direct Access is the next item to attempt for our implementation.

Eve · « **Reply #29 on:** October 13, 2021, 07:52:44 am »

The legacy Keystore Service only works over IPv4. PCS including the floating license server it contains runs both IPv4 and IPv6.

Sparx Systems Forum

News: