TNSR Licenses

Starting with TNSR software version 25.10, TNSR supports the initial phase of licensing. At this time, TNSR does not perform checks or enforcement based on licenses. However, users can, and should, still obtain a license for their TNSR installations.

There will be exactly one license per running device, and entitlements will be stored on that license. In the future, Netgate will use licenses to validate the use of features, authorize new software installations, ensure a TAC Plan is purchased and valid, and other related purposes.

Generating a license is simple, and in most cases may be accomplished by performing a license request with a single command in the TNSR CLI.

Note

At this time it is not possible to issue valid licenses for instances of TNSR software running on public cloud platforms. Support for licensing on public cloud platforms will be included in the next release.

License Overview

The process to obtain a TNSR license is:

  • Generate a license key pair (automatic in most cases)

  • View a license request using a specific name, e-mail address, and token (if necessary)

  • Submit a license request using the same name, e-mail address, and token (if necessary)

License Key Pair Management

Each device requires a unique license key pair. The private key never leaves the device, and the licensing system uses the public key when making requests.

Note

The public key of a TNSR license key pair is derived from the private key. When storing, viewing, or importing the license key pair, users may only see the PEM format private key.

Automatic Behavior

TNSR will automatically generate a license key pair under most conditions.

When TNSR starts, it checks for an existing license key pair. If there is no license key pair and there is no license in the TNSR configuration, TNSR generates a new license key pair which can then be used in license requests.

If there is no license key pair on the device, but there is a license in the configuration, then TNSR will not generate a new key pair since it could lead to a conflict. The user must import the existing license key pair as described in Importing a License Key Pair.

If there is an existing key pair, TNSR does not make any changes.

Generate a License Key Pair

Users can manually generate a key pair if needed, but the automatic key is sufficient for most purposes. This key is used to sign the license for a device, and once a license is signed for a device, the same license and key must always be used for that device.

tnsr# pki license-key generate

Danger

Do not lose this key pair. Do not replace it. Ensure it is backed up, along with other PKI data (see Backup Utility).

If a license key pair already exists, the generate command (or API call) will fail so TNSR does not create a key pair that does not match its license.

Warning

If an existing key pair must be replaced with another key pair, the existing key pair must be deleted first. Do not delete a license key pair unless directed to do so by Netgate TAC.

Importing a License Key Pair

If a license key pair exists for this device, but it isn’t currently in place on TNSR, users can import the key pair. This can be necessary after reinstalling and restoring from a backup, for example.

Note

The key pair being imported must be an ed25519 format private key.
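
A pre-import check for the requirement above, as an added example that is not part of the TNSR documentation or Netgate's code: it confirms that a PEM file holds exactly one unencrypted PKCS#8 Ed25519 private key. The helper names and sample keys (built from a dummy seed) are constructed for illustration, and the check assumes the common 48-byte RFC 8410 encoding, so a key stored with an embedded public key would be rejected.

```python
import base64
import re

# DER prefix of an unencrypted PKCS#8 Ed25519 private key (RFC 8410):
# SEQUENCE(46){ INTEGER 0, SEQUENCE{ OID 1.3.101.112 }, OCTET STRING(34){ OCTET STRING(32) } }
ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")
# Same layout with the X25519 OID 1.3.101.110: differs by a single byte.
X25519_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_license_key_pem(pem_text):
    """Hypothetical helper: return (ok, reason) for a candidate license key PEM."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        return False, f"expected exactly one PEM block, found {len(blocks)}"
    label, body = blocks[0]
    if label != "PRIVATE KEY":
        # Rejects ENCRYPTED PRIVATE KEY, RSA PRIVATE KEY, OPENSSH PRIVATE KEY, ...
        return False, f"unexpected PEM label: {label}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return False, "PEM body is not valid base64"
    if len(der) != 48 or not der.startswith(ED25519_PREFIX):
        return False, "not a 48-byte PKCS#8 Ed25519 private key"
    return True, "ed25519 PKCS#8 private key"


def make_pem(der, label="PRIVATE KEY"):
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed samples: the seed is a fixed dummy value, never a real key.
DUMMY_SEED = bytes(range(32))
SAMPLE_ED25519 = make_pem(ED25519_PREFIX + DUMMY_SEED)
SAMPLE_X25519 = make_pem(X25519_PREFIX + DUMMY_SEED)
SAMPLE_ENCRYPTED = make_pem(b"\x30\x03\x02\x01\x00", "ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in [("ed25519", SAMPLE_ED25519), ("x25519", SAMPLE_X25519),
                      ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, check_license_key_pem(pem))
```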

Import from File

To import a license key pair from a PEM format file on the TNSR device:

tnsr# pki license-key import <file>

Copy and Paste

Users can also import the PEM format key pair by copying and pasting it into a terminal session.

First, use the enter command:

tnsr# pki license-key enter

Next, paste the key data:

-----BEGIN PRIVATE KEY-----
<key data>
-----END PRIVATE KEY-----

Viewing a License Key Pair

To view the current private key, use:

tnsr# pki license-key get

Note

TNSR does not currently display the public key except when viewing a license request. The public key is derived from the private key and is not stored separately.

Deleting a License Key Pair

Danger

Do not delete a license key pair unless directed to do so by Netgate TAC. Though it is possible to delete a license key pair, it should rarely be necessary. Lost key pairs will cause major problems. If a lost key pair was used to sign a license, it will require manual intervention from Netgate TAC to recover and regenerate a license.

To delete the current license key pair:

tnsr# pki license-key delete

License Requests

TNSR submits a license request which is received and signed by Netgate servers.

License requests have the following parameters for all operations:

name "<full name>":

The full name of the person who purchased the TNSR license. This must match the name used when making a purchase from the Netgate Store.

email <email-address>:

The e-mail address of the person who purchased the TNSR license. This must match the address used when making a purchase from the Netgate Store.

token <token>:

A token issued by Netgate for use with the license. Tokens can authorize a TNSR instance to obtain a license or apply paid features to the license, such as access to TAC. The token will be present in e-mail messages from Netgate when purchasing or renewing TNSR and related services which require a token.

Tokens are not mandatory for Netgate TNSR devices to obtain a license, but they are required to obtain a license for any third party hardware registered with Netgate.

Tokens are in UUID format, for example: 4f09ec56-4fa4-40a0-8c29-5af5ee236775

Preview a License Request

Users can inspect the content of a license request before submitting it to Netgate servers. Users concerned with privacy may wish to inspect the full content of the license request to ensure it does not contain any sensitive data.

tnsr# show license request [json] name "<full name>" email <email-address> [token <token>]

The optional json parameter is somewhat human-readable and can also be viewed using common JSON utilities. Without the json parameter, the data is the same, but the output is base64 encoded.

Note

The token is required for third party hardware or installations with related services such as access to TAC. The token can be omitted for installations on Netgate hardware with no additional services.

Perform a License Request

To submit a license request to Netgate servers for signing, change to config mode and run the following command:

tnsr(config)# license request name "<full name>" email <email-address> [token <token>]

Note

The token is required for third party hardware or installations with related services such as access to TAC. The token can be omitted for installations on Netgate hardware with no additional services.

Note

At this time it is not possible to issue valid licenses for instances of TNSR software running on public cloud platforms. Support for licensing on public cloud platforms will be included in the next release.

Warning

Please ensure that the name and email address on a license request are correct, as all future correspondence about the license will be sent to the supplied email address.

Tip

If Netgate has already signed the License, users can re-fetch it from the Netgate license servers by making another license request using the same name, email, and key pair.