Symbols
A
- access privilege levels
- accounting
- applications
- description
- TACACS+, configuring
- admin permission
- admin-control permission
- all permission
- announcements at system login
- APIs (application programming interfaces)
- CORBA plug-in SPI
- CORBA remote API
- description
- SAE core API 1, 2
- application programming interfaces. See APIs
- architecture
- authentication 1, See also user accounts
- configuration example
- multiple methods
- RADIUS
- shared user accounts 1, 2
- TACACS+
- TACACS+, configuring
- TACACS+, configuring with C-Web interface
- TACACS+, configuring with SRC CLI
- template accounts
- authentication order
- configuring with C-Web interface
- configuring with SRC CLI 1, 2
- overview 1, 2
- removing authentication method
- removing authentication method with SRC CLI
B
C
- C Series Controller
- C Series Controllers
- C-Web interface
- committing a configuration
- configuration options
- configuring
- HTTP access 1, 2
- HTTPS access 1, 2
- logging properties
- copying an object
- deleting an object
- editing level
- elements
- getting Help
- icons
- layout
- loading configuration values
- logging out
- moving an object
- navigating
- overview 1, 2
- password, changing
- Policies, Services, and Subscribers
- renaming an object
- reverting a configuration
- starting
- updating configuration data
- username, changing
- C2000 Controller
- C3000 Controller
- C4000 Controller
- C5000 Controller
- clear permission
- cli
- client mode, NTP
- commands
- configuration statements
- configure permission
- control permission
- conventions
- customer support 1
- cweb-password
D
- date on system
- deployment scenarios
- DES (directory eventing system)
- differentiated QoS
- digital certificates. See security
- directory
- directory connection properties
- directory eventing system
- directory server
- documentation
- draft RFCs
- dynamic webpages
E
F
G
- Gigabit Ethernet interfaces, configuring IPv4
- Gigabit Ethernet interfaces, configuring IPv6
- GRE tunnel interfaces
- group interfaces, configuring 1
H
I
J
- Java Naming and Directory Interface. See JNDI
- java-heap-size, configuring
- JNDI (Java Naming and Directory Interface)
- Juniper Networks database
- adding Juniper Networks database to community
- changing modes
- community mode
- community mode configuration
- configuration example
- configuration statements
- configuring
- data recovery
- high availability
- loading sample data
- neighbors 1, 2
- overview 1, 2
- redundancy
- roles
- changing secondary to primary, SRC CLI
- overview 1, 2
- standalone mode
- verifying configuration
- Juniper-Allow-Commands attribute (RADIUS)
- Juniper-Allow-Configuration attribute (RADIUS)
- Juniper-Deny-Commands attribute (RADIUS)
- Juniper-Deny-Configuration attribute (RADIUS)
- Juniper-Local-User-Name attribute (RADIUS)
L
- LDAP (Lightweight Directory Access Protocol). See directory; directory server
- LDAP directory. See directory
- leases for licenses. See license server
- license
- license manager
- configuration statements
- configuring
- license server
- license usage
- Lightweight Directory Access Protocol. See LDAP
- load balancing
- local password authentication
- local properties
- logging, See also system log server
- login announcements, system
- login classes
- configuration
- configuration examples
- configuration prerequisites
- configuration statements
- configuration verification
- default classes
- idle timeout values
- options
- overview
- predefined
- privilege level options
- privilege levels
M
- maintenance permission
- manuals
- messages
- MII monitor
- configuring
- Monitoring Agent
- multicast
N
- NAS ID, configuring for SAE
- network
- network information collector. See NIC
- NIC (network information collector)
- notice icons
- NTP (Network Time Protocol)
- NTP,
O
- on-demand services 1, 2
- open interfaces
- operator login class
- operators, regular expression
- OSS integration
P
- passwords
- permissions
- policies
- Policies, Services, and Subscribers CLI. See SRC CLI
- Policies, Services, and Subscribers tasks. See C-Web interface
- policy management
- ports
- predefined login classes
- primary directory
- privilege levels 1
- product features 1, 2
R
- RADIUS
- RADIUS authentication. See authentication
- RADIUS authorization. See authentication
- read-only login class
- redundancy
- references
- regular expressions
- request license import file-name command
- reset permission
- residential portal
- resolving hostnames
- retrieving directory changes
- RFCs 1, 2, 3
- root account 1
- router running Junos OS
- router running JunosE Software
- routing permission
- routing-control permission
S
- SAE (service activation engine)
- configuring groups
- deleting default configurations
- SRC CLI 1, 2
- description 1, 2
- initial properties, overview
- starting
- stopping
- verifying status
- SAE (service activation engine), configuring initial properties
- SAE (service activation engine), configuring NAS ID
- SAE (service activation engine), configuring RADIUS address
- sample data
- secondary directory
- secret permission
- secret-control permission
- security
- digital certificates 1
- clearing certificates 1, 2
- clearing requests
- prerequisites
- requesting certificates 1, 2
- requesting certificates through SCEP
- viewing certificates
- security permission
- security-control permission
- server license. See license
- service activation engine. See SAE
- service permission
- service-control permission
- services
- shared user accounts
- shell permission
- SNMP agent
- access control, configuring on C Series Controllers
- community strings 1, 2
- named views
- SNMP groups
- VACM
- configuration statements 1, 2
- configuring
- description
- directory connection parameters, configuring
- Java Runtime Environment, configuring
- local properties, configuring
- logging, configuring
- monitoring
- named views, defining
- notification targets, configuring
- starting
- stopping
- system information, configuring
- trap history, configuring
- SNMP Agent
- snmp control permission
- snmp permission
- SNMP traps
- notification targets, configuring
- snmp-named-views-cli
- snmp-security-names-cli
- snmp-statements
- software standards
- SRC ACP (SRC Admission Control Plug-In)
- SRC CLI 1
- directory connections
- overview
- Policies, Services, and Subscribers CLI
- starting
- SRC components
- SRC software
- configuration prerequisites
- configuring
- creating, virtualized instance 1
- description
- features and benefits 1, 2
- financial advantages
- OSS integration
- recovering
- services
- snapshot on C Series Controller
- upgrading
- USB Storage Device
- virtualization
- virtualization, requirement
- SSH (secure shell)
- standards 1
- static host mapping
- static routes, configuring
- Steel-Belted Radius/SPE server 1, 2
- subscriber
- subscriber permission
- subscriber-control permission
- superuser login class
- support, technical See technical support
- symmetric active mode, NTP
- system authentication. See authentication
- system log server
- configuration prerequisites
- configuration statements
- message groups
- message severity levels
- messages
- messages, file
- messages, server
- messages, user notification
- overview
- system login
- system permission
- system-control permission
T
- TACACS+ authentication. See authentication
- tariff models
- technical support
- Telnet connection to remote host
- template authentication accounts
- text conventions defined
- third-party URLs
- tunnel interfaces
- tunnel interfaces, configuring
U
- UIDs
- unauthorized login class
- unresponsive directories
- usage data
- user accounts 1, See also login classes
- authentication
- configuring passwords
- configuring SSH authentication
- root password 1, 2
- authentication method and password
- configuration
- configuration verification 1, 2
- example
- overview 1, 2, 3
- shared
- user notification messages
V
W
- Web application server
- application deployment 1, 2
- channel stack
- configuration statements
- configuring the Web application server
- installing Web applications inside
- local properties
- multicast-address
- node-id
- overview
- removing Web applications from
- restarting
- shared cluster name
- shared cluster nodes
- shared cluster properties
- starting
- stopping
- viewing cluster history
- viewing cluster status
- viewing statistics
- Web Services Gateway
Download This Guide
SRC License Server Overview
- About the SRC License Server
- License Server Errors
- License Requests
- Lease Renewal
- Directory Location and Access
About the SRC License Server
The SRC license server manages server licenses for the SAE by using Common Object Request Broker Architecture (CORBA) to communicate with its client SAEs.
The SAE retrieves its licensing configuration properties from the SRC directory at startup. The license manager for an SAE maintains the licenses for that SAE and communicates with the license server to obtain more licenses or return unused licenses. You can configure properties specific to each SAE license manager.
The server license includes a license key signature, customer name, expiration date, number of concurrent active service sessions, a CORBA reference for the license server, and other attributes.
The CORBA reference enables the license server’s SAE clients to locate the server to obtain a license unit. (A license unit is also referred to as a lease.) The SAE disregards who activates service sessions and simply monitors the number of active service sessions.
License Server Errors
If the license checking process does not discover a valid license, it logs an error message and terminates itself. This check can take a while to finish; on a slow server at the first start after an installation, it can take up to several minutes.
You may wish to look at the information log during the startup for a message declaring a missing license or indicating that the SAE startup has been completed.
License Requests
When the license server receives a request for a lease from the SAE, the license server calculates the number of leases in use if the request is granted and compares that value to a limit specified in the license:
- When the new total is below the limit, the license server grants the requested lease to the client.
- If the new total exceeds the limit, the license server grants leases up to the amount available.
- If the current total exceeds the license limit, the license server denies all requests.
On startup, client SAEs search for a valid license in the LDAP object cn=@License, ou=licSvr, ou=Licenses, o=Management, <base>. If the SAE finds a valid license that includes a reference to the license server (license.server.corbaloc property), then before it activates new service sessions the SAE contacts the license server to lease a license unit. The SAE request includes the name of a virtual router that it associates with service sessions.
When a lease is granted, it specifies the:
- Service-session-unit-size—Number of active service sessions
- Lease duration—Length of time allotted to a grant
- Allocation threshold—A percentage of the license service-session-unit-size that defines how many licenses are available for allocation
- Release threshold—A percentage of the license service-session-unit-size that defines when a lease is released
The license server stores the number of granted license units associated with each virtual router name in an internal table.
Because license leases are allocated in advance of actual need, a license is available when a subscriber tries to activate a service. The SAE requests an additional license lease when the number of active service sessions on a particular virtual router reaches the allocation threshold.
Example: License Allocation
This example shows how the SAE requests another lease when its current lease reaches a specified threshold. For a service-session-unit-size of 50 and an allocation threshold of 90%, the SAE requests a second lease when the number of active service sessions reaches 45 (50 x 90%). Once the lease is granted, if the active service sessions continue to increase, the SAE requests another lease when the number of active service sessions reaches 95, and again at 145.
Example: License Release Example
License units are released as active service sessions decrease, with the SAE retaining more licenses than it currently needs to avoid fluctuation around the threshold. For example, a lease has a service-session-unit-size of 50, a release threshold of 10%, and four license chunks (200 licenses) allocated to the SAE. In this case:
- If the number of active service sessions drops to 105, the fourth license unit is released, leaving three units and 150 licenses.
- If the number of active service sessions drops to 55, the third license unit is released, leaving two units and 100 licenses.
- If the number of active service sessions drops to 5, the second license unit is released, leaving one unit and 50 licenses.
Lease Renewal
The SAE renews a lease every one-third of the lease duration even if the number of active service sessions stays in the same range. If the SAE cannot renew the lease for any reason (such as a network failure) before the lease expires, the SAE releases the lease and does not accept new service sessions until it receives a new grant from the license server. While in this state, the SAE logs an error message for each request and returns the same message through the API. The message includes the service name, subscriber, and reason for rejection.
Directory Location and Access
Server licenses are stored in the directory entry cn=@License, ou=licSvr, ou=Licenses, ou=Configuration, o=Management, <base>. The authentication distinguished name (DN) and password needed to access the license object are stored in the /opt/UMC/licsvr/etc/bootstrap.properties file. The license server reads its configuration properties from the object (default) l=config, l=LICSVR, ou=staticConfiguration, ou=Configuration, o=Management, <base>.
The license server reads the license from the SRC directory at startup. The license server continues to poll the directory to check for updated licenses. The master license is cn=@License. The license server does not accept client requests without the master license. You can add more licenses to increase the limit on the number of service sessions. Adding these licenses does not require restarting the license server.
Related Documentation
- SRC License Server Redundancy
- Unsuccessful Connections from the SAE to the SRC License Server
- Obtaining an SRC License
- Installing Server Licenses for C Series Controllers (SRC CLI)
