Kernun UTM requires a valid license file to operate properly. Without a license file, the software can be installed and the operating system runs, allowing both local and remote administrator access, but no licensed component can be started. The licensed components include all application-level network proxies and some additional modules (for example, antivirus, antispam, and Web filter).
The license file is a cryptographically signed text file. It contains the following information:
The customer identification
An optional identifier used to distinguish different licenses of the same customer
A unique serial number
The license size (the permitted number of protected network devices)
A computer identifier, if the license is valid exclusively with particular hardware.
The expiration date, if the license is valid for a limited time.
(Only Kernun 3.3 and newer) The expiration date of upgrade subscription. Before this date, new features (components) added to Kernun will be automatically licensed if covered by the subscription. After this date, existing features will continue to work (until the optional license expiration date), but new features will not be licensed.
(Only Kernun 3.2 and older) The release version number, if the license is valid for a single Kernun release (e.g., 3.1) only. The license can be used on all patch releases and hotfixes of the licensed release (e.g., 3.1.2 or 3.1.1-h5), but not on other releases (e.g., 3.2).
The list of licensed components.
(Only Kernun 3.3 and newer) The list of licensed groups of components. Licenses are usually issued for groups of components. For example, there are groups corresponding to various Kernun products, such as Kernun Net Access or Kernun Mail Access. The use of component groups makes it possible to add new licensed components for users with an active subscription without the need for a new license file.
(Only Kernun 3.3 and newer) Various parameters of the licensed components.
A cryptographic signature used to verify the integrity of the license.
License files from Kernun 3.0 are not valid for 3.1 and newer releases.
Licenses from Kernun 3.1 and 3.2 are recognized by Kernun 3.3 and newer.
The license file must be installed as /usr/local/kernun/license.dat. The license file is stored in the system partition and must therefore be reinstalled after each installation or upgrade. The license file can be copied to Kernun UTM either from the command line using SCP, or at the License tab of the GUI System Manager.
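A post-upgrade check for the reinstall requirement above, as an added example that is not part of the Kernun handbook or tooling: it compares the installed license with a reference copy kept by the administrator and restores it when it is missing or different. The reference copy location and the function names are assumptions; only /usr/local/kernun/license.dat comes from the text.

```shell
#!/bin/sh
# Added example, not Kernun tooling. Only the install path is from the handbook.
LICENSE_PATH="${LICENSE_PATH:-/usr/local/kernun/license.dat}"

# license_state INSTALLED REFERENCE
# REFERENCE is an administrator-held copy stored outside the system
# partition (assumption). Prints: ok, missing, empty, mismatch, no-reference.
license_state() {
    installed=$1
    reference=$2
    if [ ! -s "$reference" ]; then echo no-reference; return 0; fi
    if [ ! -e "$installed" ]; then echo missing; return 0; fi
    if [ ! -s "$installed" ]; then echo empty; return 0; fi
    if cmp -s "$installed" "$reference"; then echo ok; else echo mismatch; fi
}

# restore_license INSTALLED REFERENCE
# Reinstalls the reference copy only when needed. The copy is written to a
# temporary file in the same directory, verified, and then renamed, so the
# installed path never holds a half-written license.
restore_license() {
    installed=$1
    reference=$2
    state=$(license_state "$installed" "$reference")
    case $state in
        ok) echo unchanged; return 0 ;;
        no-reference)
            echo "refusing: reference copy missing or empty" >&2
            return 1 ;;
    esac
    tmp="$installed.tmp.$$"
    cp "$reference" "$tmp" && cmp -s "$tmp" "$reference" \
        && mv "$tmp" "$installed" || { rm -f "$tmp"; return 1; }
    echo "restored (was $state)"
}

# Typical call after an upgrade (the reference path is a placeholder):
#   restore_license "$LICENSE_PATH" /path/to/reference/license.dat
```

A byte-for-byte match with the reference copy only shows that the expected file is in place; the validity of the signature is still decided by Kernun itself.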
The set of configurable components changes depending on the type of the Kernun product and the set of licensed components. For example, if the HTTP proxy is not licensed, it should not be configured. A single configuration file may comprise configurations of many Kernun systems with different products. In each configuration section related to a single system (section system), the product can and should be specified using the product item. The product specification consists of the Kernun software type, the list of licensed components, the list of licensed component groups, and the upgrade subscription expiration value. The product specification should be filled according to the contents of the license file present in the configured system. When the configuration is verified, a check is made that only components usable in the selected products are configured. When the configuration is applied, it is checked that the product specified in the configuration complies with the product installed in the target Kernun system. At the time of writing of this text, there are two product types available:
kernun — all Kernun products;
unspecified — the product type is not specified and will not be checked when applying the configuration.
The recognized names of licensed components and component groups are the same as in the license files. Components:
product-kernun, product-kernun-net-access, product-kernun-mail-access, product-kernun-vpn-access, product-kernun-office-access, product-kernun-web-access, product-kernun-secure-box, product-kernun-secure-box-retail — Kernun product names;
dns-proxy, ftp-proxy, gk-proxy, h323-proxy, http-proxy, imap4-proxy, pop3-proxy, sip-proxy, smtp-proxy, sqlnet-proxy, tcp-proxy, udp-proxy — individual proxies;
icap-server — server for the ICAP protocol;
mod-antivirus — module for communication with an antivirus in proxies;
mod-antispam — module for spam checking in mail proxies;
mod-pwf — module for communication with an external Web filter in the HTTP proxy;
http-cookie — support for special handling of security-related HTTP cookies, for example, various session ID cookies;
mod-match, mod-match-replace — module for matching and replacement of HTML form data.
Component groups:
kernun-net-access, kernun-mail-access, kernun-vpn-access, kernun-office-access, kernun-web-access, kernun-secure-box, kernun-secure-box-retail — individual Kernun products;
modules-data-scanning — modules for security scanning of data, such as the antivirus module;
modules-secure-box — special modules for the Kernun Secure Box products;
modules-web-filter — modules providing URL-based categorization and filtration of WWW servers.
When the initial configuration file is created (see Section 5.2, “Initial Configuration”), the product type is detected, the currently installed license file is examined, and the system.product item is set appropriately. Therefore, it is recommended to install the license file during the installation of the system, before the initial configuration script is executed. The license file can be installed by the standalone installer, as described in Section 5.1, “Standalone Installer”. If the license file is not installed during the generation of the initial configuration or if a new system is being added to an already existing configuration, the product item must be set manually.
If you set the product item manually, select the correct product type and enter the list of licensed components, the list of licensed component groups, and the upgrade subscription expiration date according to your license file[1]. It is also possible to include the samples/include/products.cml file in the main configuration file. This file contains definitions of variables that can be used instead of the system.product item.
Some products may have optional components. Their respective variables in samples/include/products.cml have a parameter containing the list of licensed optional components. For example, Kernun Net Access with the optional antivirus and antispam modules will be specified as:
$PRODUCT-KERNUN-NET-ACCESS { mod-antivirus, mod-antispam };
Even if no optional components are licensed, the empty list must be written explicitly as the variable's parameter:
$PRODUCT-KERNUN-NET-ACCESS { };
Variables for products without optional components do not have a parameter and are therefore written without the braces:
$PRODUCT-KERNUN-MAIL-ACCESS;