/***************************************************************************** Copyright: : MARX(R) CryptoTech LP Project : Smarx(R)OS Network Server Description : Smarx(R)OS Network Server (CBIOS Server) and Admin Application Date : Jun 15, 2023 OS : Windows (11-7 and 2016-2008R2 Server) ****************************************************************************** CONTENTS ======== 1. Overview 2. Installation 3. Configuration Settings (CBIOSSrv.cfg) 4. Server Administration with the Administrative Utility 5. Running CBIOS Network Server as system service under Windows 6. Monitoring of the Network Licensing Process 7. FAQ (Frequently Asked Questions) 8. Version History 1. Overview =========== The Smarx(R)OS Network Server (or CBIOS Network Server) allows Smarx OS based applications to access a CRYPTO-BOX(R) attached to the USB port of any computer on the network. It takes care of managing the remote connections and forwards license queries to the attached CRYPTO-BOX units. 1.1 Supported Operating Systems ------------------------------- a) Windows - Windows 11/10/8.1/8/7 (64 and 32bit) - Windows Server 2016/2012R2/2012/2008R2 - Legacy systems (untested): - Windows Vista, Windows XP - Windows Server 2008/2003 b) Linux - Ubuntu 14 and higher (x86 and amd64) - CentOS 6.7 and higher (x86 and amd64) - Debian package for ARM64v8 (tested on Ubuntu Server 18.04.3 Pre-Release V12/Raspberry Pi 4) - Debian package for ARMv7 (tested on Raspian 10/Raspberry Pi 4) c) macOS - macOS (OS X) 10.9 or higher 1.2 Supported CRYPTO-BOX Hardware --------------------------------- - CRYPTO-BOX SC Rev.1 and Rev.2, Firmware 2.2 and higher - CRYPTO-BOX XS/Versa Rev.1 and Rev.2, Firmware 1.6 and higher, Smarx OS formatted 2. Installation =============== 2.1 Installation Package (Windows) ---------------------------------- The latest version of the CBIOS Network Server installation packages can be always found at: https://www.marx.com/en/support/downloads?direct=network Location in the Protection Kit (PPK): \Redistributable\CBIOS Network Server The CBIOS Network Server installation package for Win32 & Win64 platforms is provided as: a) CBIOS Network Server independent MSI setup (Windows Installer) - CBIOS Network Server.msi b) CBIOS Network Server MSM component (Windows Installer Merge Module) - CBIOSNetworkServer.msm to be included to customer specific setup c) CRYPTO-BOX Driver Setup MSM component (Windows Installer Merge Module) - CBUSetup.msm to be included to customer specific setup The MSI setup incorporates both b) and c) MSM components. It installs CBIOS Network Server and Admin Application and performs automatic installation of CRYPTO-BOX driver and related components depending on the operating system found. All components are digitally signed. 2.2 Installation Package (Linux and macOS) ------------------------------------------ The CBIOS Server installation packages for Linux and macOS can be downloaded from: https://www.marx.com/en/support/downloads?direct=network Please refer to the included readme file for further details. 2.3 Installation (Windows) -------------------------- For Windows the installation of the server is done via the CBIOS Network Server.msi smart setup package (see above). During the installation process x86 or x64 edition of the Server (depending on the target platform) will be installed to: \Program Files (x86)\MARX CryptoTech\CBIOS Network Server\ NOTE: a) If a previous/older installation of CBIOS Network Server exists on the system, it will be updated. The installer will also replace the configuration file (CBIOSSrv.cfg, see 3.) and rename the existing file to *.bak. b) Be aware that for Win64 platform the CBIOS Network Server (64bit application) will be installed to the "Program Files (x86)" folder. It is caused by MSI/MSM current limitations: "...A package cannot be marked as supporting both Intel64 and x64 platforms, a Template Summary property value of "Intel64,x64" is invalid. A package cannot be marked as supporting both 32-bit and 64-bit platforms, the Template Summary property values of "Intel,x64" or "Intel,Intel64" are invalid..." For more details see: http://msdn.microsoft.com/en-us/library/aa372396(VS.85).aspx Using 64-Bit Windows Installer Packages c) The CBIOS Network Server Windows Installer Merge Module (MSM component) can register the CBIOS Network Server as a service. This option can be controlled in the host installation by specifying SERVICE_CHECK property value: Set SERVICE_CHECK to null (empty field, SERVICE_CHECK = "") will not register CBIOS Network Server as a service. E.g. msiexec /i "CBIOS Network Server.msi" SERVICE_CHECK="" Set SERVICE_CHECK to 1 (thus SERVICE_CHECK = "1") to register CBIOS Network Server as a service. E.g. msiexec /i "CBIOS Network Server.msi" SERVICE_CHECK="1" Remark: The server won't be registered as a service if setting SERVICE_CHECK to "" d) You can run the msi setup in quiet mode (to suppress UI output) with the /qn option. 2.4 Installation (Linux and macOS) ---------------------------------- For more information on installing the CBIOS Server under Linux and macOS, please refer to the corresponding readme file in the Linux/macOS packages which can be downloaded from: https://www.marx.com/en/support/downloads#networktools 3. Configuration Settings (CBIOSSrv.cfg) ======================================== Configuration settings are set in CBIOSSrv.cfg (resp. CBIOSSrv64.cfg) file. You can edit default settings (some options described below may not be available under Linux and macOS): 3.1 Server IP & Port -------------------- Default values: IP=* Port=8765 If having more than one active network configured for the Server computer (Ethernet, Wi-Fi, active VPN, virtual adapters of VMWare, etc.) it may be required to assign a dedicated IP address (& optionally port) to listen/response to UDP broadcasting of CBIOS network clients. It can be done with IP (and port) parameter of the CBIOSSrv.cfg configuration file. Examples: IP=10.10.10.32 (IPv4) or fe80::1ff:fe23:4567:890a (IPv6) Port=1234 Important Hints: a) If IP=* is set (default), CBIOS Server will listen on all network interfaces available on this computer (IPv4 and IPv6). If you specify an IP address here (IPv4 or IPv6), CBIOS Server will be available only via this particular address. b) If IP=localhost is set, then the server will be available on the local computer only. This is useful when server and client application are running on the same computer and server should not be exposed to other computers in the network. Please note that using IP=127.0.0.1 instead of locahost is not supported! 3.2 Server UDP Port (broadcasting) ---------------------------------- UDPPort=8766 // default value 3.3 Server Passwords -------------------- Administrative Password: AdminPassword=admin // default value Optional Client Password: OptionalClientPassword= // ignored - default value The Administrative Password is used for server administration (AdminApp or customer specific program). Starting with version 2.14, the Server supports hardware based encryption calls not requiring UPW/APW Login in local mode (CryptFixed, InternalRSA, all CBU SC specific calls) before UPW/APW Logon. The Optional Client Password is supposed to prevent potential DDoS attacks if the Server is exposed online(accessible via global network). In this case specifying value for Optional Client Password in the CBIIOSSRv.cfg configuration file will require clients to start with the CBIOS_ClientLogin (OptionalClientPassword) call for their requests on hardware based encryption to be processed by the Server prior to UPW/APW login. If no value is set to OptionalClientPassword (by default), then clients' requests for hardware based encryption coming prior to UPW/APW login will be always processed by the Server. 3.4 Connection Settings ----------------------- ConnectionTimeoutSec=30 // default value in seconds KeepAliveScanRateMSec=3000 // default value in milliseconds KeepAliveTimeoutSec=180 // default value in seconds ClientKeepAliveDelayMSec=3000 // default value in milliseconds 3.5 Debug Settings ------------------ "DebugLevel" parameter in CBIOSSrv.cfg file controls the level of the debug information that will be added to log file (see 3.6). It is specified as DebugLevel= where Level 0 - quiet, nothing is written to log file Level 1 - critical errors Level 2 - warnings Level 3 - general information (default) Level 4 - debug information 3.6 Logfile Name and location ------------------------------ "LogFileName=" parameter allows to set logfile name and location. Default values are: Name: CBIOSSrv.log (resp. CBIOSSrv64.log) Location: Windows Vista and higher: \Program Data\MARX\Network Server Windows XP: \Documents and Settings\All Users\MARX\Network Server\ Remark: If the "LogFileName=" parameter was not set in .cfg before first start of the server, CBIOS Server GUI will show only instead of log messages. In that case please restart the server to show the log messages. 3.7 Max Log Size Settings ------------------------- MaxLogSizeKB=200 (default value). It controls the maximum log file size, but leaves the full session server. The old log is renamed to <...>.bak. 3.8 SetUPW/SetAPW Options ------------------------- Allows to execute CBIOS_SetUPW/CBIOS_SetAPW via network SetUPW=1 - allow CBIOS_SetUPW requests SetUPW=0 - do not allow CBIOS_SetUPW requests (default value) 3.9 Protection against Denial-of Service (DDoS) attacks ------------------------------------------------------ Allows to limit the number of requests per client (IP address) to the server during a defined time interval to prevent server overload, for instance by an attack or a malfunctioning application. FilterPacketsLimit=200 // Number of requests that are allowed to receive during FilterPacketsInterval, 0 - disable protection (default value) FilterPacketsInterval=5000 // Restriction interval (ms) In case the limit has reached, further requests will lead to CBIOS:ERR_CONN_REFUSED 4. Server Administration ======================== There are several possibilities to administrate the Smarx(R)OS Network Server: a) Locally on the same PC where the server is installed. Under Windows, the Smarx OS Network Server icon appears in system tray after the server was started. - To open the server console: Select Open (also doubleclick); - To stop/start Server: Select Stop/Start; - To shutdown Server: Select Exit. b) The server can be managed remotely with the Administrative Utility (Windows 64/32 application), via TCP/IP protocol. The Administrative Utility (AdminApp.exe resp. AdminApp64.exe) is part of the CBIOS Server installation package for Windows (see 2.1) c) Alternatively the server can be administrated directly via API commands. A sample can be found in the PPK: \SmarxOS\Network\Win\Samples\netadmin for details. The server administration with the Administrative Utility is described below: 4.1 Connect to Server --------------------- The Administrative Utility can find the Network Server either with sending broadcasting packages (more than one server can be found on the local network) or direct specifying: - Server Name (IPv4 or IPv6 address - 127.0.0.1 by default) - Port (8765 by default) To connect to the server the password ("admin" by default) need to be submitted on connect dialog window. 4.2 Server Information ---------------------- After successful connection to Server, information about Server settings, attached CRYPTO-BOXes and connected clients/applications is displayed. 4.3 Change Server Settings -------------------------- To change Server settings press "Change settings" button and set Server Connection timeout (in seconds), Inactivity timeout (in seconds) and Inactivity scan rate (in seconds). Connection timeout - The timeout for inactive socket-level connection. If client opens connection to server but does not send any data, this connection will be closed when timeout is reached. After that server will be ready to process subsequent requests. Inactivity timeout - The session-level inactivity timeout. If client does not send keep-alive packet for previously opened session until this timeout is reached, this session will be closed and all appropriate resources (network licenses, e.g.) will be released. Inactivity scan rate - The rate at which session table is scanned for inactive sessions (those sessions for which keep-alive packet is not received in time). Client keep-alive rate - The rate at which client periodically send keep-alive packets to a server 4.4 Change Password ------------------- To change Administrative password settings press "Change password" button, input current (old) password, set and confirm new password value. 4.5 Restart or Shutdown Server ------------------------------ To restart/shutdown Server, press "Restart Server" or "Shutdown Server" buttons. IMPORTANT: Please have in mind that if the server is shut down, it can only be restarted locally on the computer where it is installed! 5. Running CBIOS Network Server as system service under Windows =============================================================== 5.1 System service registration by user --------------------------------------- To register CBIOSSRV as service: a) Run server launcher (CBIOSSRV.EXE) b) Stop server (button [Stop] on launcher's window) c) Enable check-box "Run as service"* d) Start server (button [Start] on launcher's window) After that you can exit launcher application (on tray), you will be asked if you wish to stop service or leave it running. Please note that you will need to run the server with Administrative rights to register it as service (right-click CBIOSSRV.EXE and select "Run as..."). Later, after system reboot, service will be launched automatically before user login (server can be accessed on the network without Windows logon) To unregister CBIOSSRV as service: a) run server launcher (CBIOSSRV.EXE) b) stop server (button [Stop] on launcher's window) c) disable check-box "Run as service"* d) start server (button [Start] on launcher's window) * NOTE: If server is not registered as a Service, it will not run without server launcher running (as a tray icon or as a full-scale window) Being registered as service, CBIOSSRV can be also managed through Administrative Tools -> Component Services 5.2 System service registration with CBIOSSrvReg.EXE tool --------------------------------------------------------- Alternatively, CBIOSSRV can be registered/unregistered as service with CBIOSSrvReg.EXE. To register service, launch registration tool with following parameters: CBIOSSrvReg.EXE /i /s [/q] [/dr] [/dl] [/sn:{path}] [/ln:{path}] where /i - install /s - as a Service (register Network Server as a Service) /q - quite mode (optional) /dr - do not run launcher (optional) /dl - do not add launcher to system logon (optional) /sn:{path} - Service file path (optional). Default is CBIOSSrv.srv in the same folder as the CBIOSSrvReg.exe. /ln:{path} - Launcher file path (optional). Default is CBIOSSrv.exe in the same folder as the CBIOSSrvReg.exe. To unregister service, launch registration tool with following parameters: CBIOSSrvReg.EXE /u { /q } where /u - uninstall /q - quite mode (optional) NOTE: You will need to run the server with Administrative rights to register/unregister it as service! Right-click CBIOSSRV.EXE and select "Run as...". 6. Monitoring of the Network Licensing Process ============================================== Starting with version 2.9, the CBIOS Network Server supports monitoring of the network licensing process. This functionality allows customers to get real statistics and information on their network licensing process. Standard System Event Log is used for logging. Its main advantage - it is easy to access System Event Log from any application (even remotely). Any interested application can subscribe through standard API and then be notified on new records of "CBIOSServer" type. The Server sends the following notification codes and logs corresponding types of events: - Server Started - Server Stopped - License Locked - License Unlocked 6.1 Technical Details --------------------- The log is saved as a special category of events: "CBIOSServer". It can be viewed by starting Event Viewer Console (eventvwr.msc or Control Panel->Administrative Tools->Event Viewer). After being launched the CBIOS Server starts issuing notifications on lock/release license activity. To get access to the log the following C# code can be used: eventLog_CBIOSServer = new EventLog(); eventLog_CBIOSServer.Source = "CBIOSServer"; eventLog_CBIOSServer.Log = "CBIOSServer"; eventLog_CBIOSServer.EnableRaisingEvents = true; To get notifications it is necessary to subscribe to notifications on corresponding events (C#): eventLog_CBIOSServer.EntryWritten += new EntryWrittenEventHandler(eventLog_CBIOSServer_EntryWritten); The Server sends the following notification codes and logs corresponding types of events: -Server Started -Server Stopped -License Locked -License Unlocked with the following parameters: -Box Handle -User computer name -User app file name -Box name -App Id -Free licenses A special sample demonstrating this logic is included to the PPK, see: \SmarxOS\Network Server\Win32\CBIOSServerEventLog_Sample for details. 7. FAQ (Frequently Asked Questions) =================================== Q: How can I limit the number of instances of my client application in the network which can connect to the server? A: This requires a CRYPTO-BOX SC or XS (CRYPTO-BOX Versa model does not support limiting the number of network licenses), and the License Control System (LCS) which is available as an option. For more details see: https://www.marx.com/en/lcs And the "Network Licensing" White Paper: https://www.marx.com/en/support/documents#whitepapers Q: How can I see which clients are currently logged in to the server and how many licenses are left? A: There are different options to get these information: a) AdminApp displays the clients which are currently logged in to the server, see 4. for details. b) The Event Viewer shows when server is started/stopped or licenses are locked/unlocked, see 6. for details. c) In debug mode, the server log file will show information on locked/unlocked licenses, see 3.5 for details Q: Where can I obtain the latest version of the CBIOS Network Server? A: The latest release is available at marx.com download area: https://www.marx.com/en/support/downloads#networktools Q: Does the Server support IPv6 protocol? A: Yes, both IPv4 and IPv6 are supported. If IP=* is set in .cfg file (default value), CBIOS Server will listen on all network interfaces available on this computer (IPv4 and IPv6). If you specify an IP address here (IPv4 or IPv6), CBIOS Server will be available only via this particular address. Q: When I search for available server in my network, I get no results although the server is up and running on the other computer in my network. A: UDP Search will only work if UDP connection is not blocked by the firewall, and both CBIOS Server and client are in the same sub-network. See also next question. Q: I cannot connect to the CBIOS Server / I always get CBIOS:ERR_CONN_REFUSED! A: In most cases this is a configuration/firewall issue. Please check your network and firewall settings or try to disable your firewall temporary to test connection. You can also use MARX Analyzer to test your network configuration: https://www.marx.com/en/support/downloads#driversanddiagnostic Another reason might be that settings for Packet Filtering are too low, see 3.9 for details. 8. Version History ================== 2.27.23.615 15JUN2023 If no Network License DataObject was specified for a partition, network license will be 0 by default for this partition. 2.26.23.127 27JAN2023 Fixed network connection bugs. Fixed logging. AdminApp fixes: displaying network server version, close administration window if connection to the server was lost 2.24.21.705 05JUL2021 Rebuild with latest CBIOS library 2.23.21.226 26FEB2021 Add Denial-of Service (DDoS) protection UDP search bugs and IPv6 connection bugs fixed 2.22.20.1127 27NOV2020 Fix minor bugs in config parsing 2.22.20.1126 26NOV2020 SetAPW/UPW command support added 2.21.20.702 02JUL2020 IPv6 support added to CBIOS Server and AdminApp 2.19.19.624 24JUN2019 Server sometimes crashes during public key generation - fixed Installer performs "Modify/Repair" maintenance actions when CBIOS Server is already installed in order to avoid uninstallation of the application when using silent mode. 2.18.19.429 29APR2019 Server sometimes hangs when accepting new connection - fixed 2.17.16.929 29SEP2016 RSA PKCS1 support for CBU SC in EncryptInternalRSA/DecryptInternalRSA 2.16.15.424 24APR2016 RUMS support added 2.15.14.627 27JUN2014 CDO Binding support added, small server fixes 2.14.13.605 05JUN2013 Support of hardware based encryption (CryptFixed, InternalRSA, all CBU SC specific calls) prior to UPW/APW login (see 2.3); specify IP address to listen for UDP broadcasting (see 2.1); bug fix: server crash for DecryptInternalRSA with invalid parameters 2.13.12.918 19SEP2012 DO_BIND for server added, GUI launcher: small GUI adjustments 2.12.12.516 16MAY2012 Adding internal RSA support to CBIOS networking: CBIOS_(En|De)cryptInternalRSA, including CBIOS Server fixes. GUI launcher: Access rights management for Win7 and Vista, log file path adjusted 2.11.11.1017 17OCT2011 Extended network licensing added 2.10.11.105 5JAN2011 RSA & AES DO support (CBU SC) 2.10.10.318 18MAR2010 Network notifications added, ClientKeepAliveDelayMSec parameter added 2.9.9.1204 04DEC2009 System EventLog supported for licences, Network CBIOS library fixes (GetBoxInfoAdv/ GetBoxInfoAdvI now support old clients ) 2.8.9.0416 16APR2009 Full CBU2 Support 2.7.8.0908 08SEP2008 Network CBIOS library speed improvements 2.7.8.0612 19JUN2008 Data Objects: "Expiration date", "Number of days" now get time from the server in case CBIOS network, CBIOS Server fixes: - server closing connections with client in case of server time synchronization - fixed; - internal server\client version synchronization added 2.5.7.1210 10DEC2007 Network CBIOS library fixed 2.5.7.1106 06NOV2007 UDP broadcasting for local network added 2.0.6.1215 15DEC2006 support for Vista32 added 2.0.6.615 15JUN2006 rebuild with universal CBIOS.Lib, license fixes 1.5.5.1208 08DEC2005 rebuild with new CBIOS library 1.3.5.609 09JUN2005 Server "start as service" mode implemented 1.31 22APR2005 LMS policy changed 1.30 19JAN2005 firmware 2.0 supported 1.22 19NOV2004 rebuild with fixed CBIOS.Lib (64K caching) 1.21 07OCT2004 Server fixes, launcher and Admin App revised 1.20 27AUG2004 network threads fixes 1.12 15JUN2004 traffic encryption added 1.11 28APR2004 Server fixes 1.00 10MAR2004 Initial version **** Copyright (c) 2002, 2023 MARX(R) CryptoTech LP **** Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries.