This command line executable demonstrates use of the native-code software entitlement library.
This is draft documentation subject to change.
The executable expects the following parameters (in any order):
Parameter | Required | Definition |
---|---|---|
`--url` | Mandatory | The URL of the server that will process our request. Note: must start with `https:`. |
`--token` | Mandatory | The token as returned by `sestest generate`. |
`--application` | Mandatory | Unique identifier for the application being requested. |
`--thumbprint` | Optional | Thumbprint of an additional certificate to accept in the TLS certificate chain of the HTTPS connection. Note: cannot be the thumbprint of a root certificate. Mandatory if `--common-name` is specified. |
`--common-name` | Optional | The common name of the certificate indicated by `--thumbprint`. Mandatory if `--thumbprint` is specified. |
Before running `sesclient.native.exe` you will need to ensure your runtime environment has the Visual C++ Redistributable for Visual Studio 2015 installed. Install the version that matches the architecture (x86 vs x64) of the version of `sesclient.native.exe` you are using.
For convenience, consider copying `vc_redist.x64.exe` and `vc_redist.x86.exe` into the folder `.\lib\vc_redist\` before running `publish-archives.ps1`. If those files are present, they'll be automatically included in the distribution zip file package generated by the build.
In the Azure Batch production environment, `sesclient.native` can be used as a stand-in for any other application that has been integrated with our software entitlements service. This gives you or the Azure Batch team a diagnostic tool that can be used to isolate issues.
To run within an Azure Batch task:
sesclient.native --url %AZ_BATCH_ACCOUNT_URL% --token %AZ_BATCH_SOFTWARE_ENTITLEMENT_TOKEN% --application contosoapp
Substitute the name of your own application (or the one you are testing with) for `contosoapp`.
Note that the environment variables `AZ_BATCH_ACCOUNT_URL` and `AZ_BATCH_SOFTWARE_ENTITLEMENT_TOKEN` are published by Azure Batch for use by a specific task; they are not part of the environment available if/when you remote into a compute node.
In this scenario, `sesclient.native` will verify that the connection is made to a genuine Azure Batch server by checking the certificate used to secure the HTTPS connection. If the certificate used for the connection does not trace back to one of the well-known Microsoft intermediate certificate authorities built into the native-code library, the software entitlement check will fail.
In a local (non-Batch) test environment, you won't have access to a certificate signed by any one of the well-known Microsoft intermediate certificate authorities, so `sesclient.native` allows you to specify your own certificate to use.
You'll need to specify the same certificate for `sesclient.native` as you already do for `sestest server` so the two components can handshake the connection properly.
Assuming the appropriate thumbprint is available in the environment variable `%CONNECTION_THUMBPRINT%`, and the common name of that certificate is available in `%COMMON_NAME%`, run `sestest` as a server in a different console window:
sestest server --connection %CONNECTION_THUMBPRINT% ...
(Note that other parameters to `sestest server` have been omitted for clarity.)
You can now use `sesclient.native` to verify a token using the `sestest server` as an endpoint:
sesclient.native --url <url> --token <token> --application <app> --thumbprint %CONNECTION_THUMBPRINT% --common-name %COMMON_NAME%
- For `<url>` specify the URL shown on the console of `sestest server` as it starts up.
- For `<token>` specify a token previously generated by `sestest generate`.
- For `<app>` specify the ID of the application for which you want to check the entitlement.

The `--thumbprint` and `--common-name` parameters configure the native-code library to treat a server using that specific certificate as a genuine Azure Batch server.
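
The acceptance rule described above can be sketched as a simplified C++ model. This is an added example, not code from the native-code library: the names `ChainCert`, `normalize`, `pinArgsValid`, `chainAccepted` and `sampleLocalChain` are hypothetical, the thumbprints are constructed placeholders, and matching the built-in intermediates by thumbprint is an assumption.

```cpp
// Simplified model of the pinning rule; not the library's code.
// It compares identifiers only and performs no signature verification.
#include <cctype>
#include <string>
#include <vector>

struct ChainCert {            // one certificate from the server's TLS chain
    std::string thumbprint;   // hex digest as displayed by certificate tools
    std::string commonName;
    bool isRoot;              // self-signed root at the top of the chain
};

// Thumbprints get pasted with spaces or in lower case; compare canonically.
std::string normalize(const std::string& t) {
    std::string out;
    for (unsigned char c : t)
        if (std::isxdigit(c)) out.push_back(static_cast<char>(std::toupper(c)));
    return out;
}

// --thumbprint and --common-name must be supplied together or not at all.
bool pinArgsValid(const std::string& tp, const std::string& cn) {
    return tp.empty() == cn.empty();
}

// Accept when a non-root certificate matches a built-in intermediate or the
// extra (thumbprint, common name) pair given on the command line.
bool chainAccepted(const std::vector<ChainCert>& chain,
                   const std::vector<std::string>& builtIn,
                   const std::string& pinTp, const std::string& pinCn) {
    if (!pinArgsValid(pinTp, pinCn)) return false;
    const std::string pin = normalize(pinTp);
    for (const ChainCert& c : chain) {
        if (c.isRoot) continue;  // a root thumbprint is never accepted
        const std::string tp = normalize(c.thumbprint);
        for (const std::string& known : builtIn)
            if (tp == normalize(known)) return true;
        if (!pin.empty() && tp == pin && c.commonName == pinCn) return true;
    }
    return false;
}

// Constructed sample: a local test chain with placeholder thumbprints.
std::vector<ChainCert> sampleLocalChain() {
    return { {"aa11 bb22 cc33", "localhost", false},
             {"DD44EE55FF66", "Constructed Test Root", true} };
}
```

With the sample chain, the check passes only when both the thumbprint and the common name of the non-root certificate are supplied and match; without them the local chain is rejected, which is the failure you would see when the two parameters are left off in a local test.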
For more information, see our step by step walk-through.