Install a HashiCorp Enterprise License

11min
|
Enterprise
Consul
Nomad
Vault

To use a HashiCorp Enterprise product, you need a valid HashiCorp license. This tutorial will guide you on the steps to enable your enterprise license to start the server. By the end of this tutorial, you will have a server instance with enterprise features enabled. If you don't have a license, see the request a license section.

Note

This guidance for enabling an enterprise license applies to both production and development environments.

Tip

This tutorial is applicable to the following HashiCorp enterprise product versions or greater. Nomad v1.1.0, Consul v1.10.0, and Vault v1.8.0

Prerequisites

Enterprise binary

Each server needs to register the enterprise license as described below. In earlier versions of HashiCorp enterprise products, one server could distribute a license to other servers via the Raft protocol. This will no longer work since each server must be able to find a valid license during the startup process.

The tutorial below describes the most basic steps needed to register a license. You may need to design other steps to integrate this process into your build pipelines (such as building private disk images with Packer or using a configuration management system to distribute and install the enterprise binary and license file to your compute instances).

Install the enterprise binary

Install the enterprise binary before continuing with the tutorial. All HashiCorp binaries are in releases.hashicorp.com, look for a binary that has +ent in the suffix of the filename.

Review the installation tutorials for each HashiCorp product:

Request a trial license

Your customer support contact can generate a trial license for any HashiCorp enterprise product. If you are an existing HashiCorp enterprise customer, you may contact your organization's customer success manager (CSM) for information on how to get your organization's enterprise license.

Enable the license

You have three options for enabling an enterprise license.

You can provide the enterprise license as a string in an environment variable.
You can save the license string to a file and reference the path with an environment variable.
You may place the license string in a file and specify the path to the file in the server's configuration file.

Add an environment variable (optional)

You can set the enterprise license for Consul by using an environment variable. Use the enterprise license you received in the previous step and set the environment variable CONSUL_LICENSE to the license key value.

$ export CONSUL_LICENSE=02MV4UU43BK5....

You can set the enterprise license for Nomad by using an environment variable. The environment variable name is NOMAD_LICENSE.

Use the enterprise license you received in the previous step and set the environment variable NOMAD_LICENSE to the license key value.

$ export NOMAD_LICENSE=02MV4UU43BK5....

You can set the enterprise license for Vault by using an environment variable. Use the enterprise license you received in the previous step and set the environment variable VAULT_LICENSE to the license key value.

$ export VAULT_LICENSE=02MV4UU43BK5....

Read from a file (optional)

The enterprise license can be read from a file. If you add the enterprise license to a file, you have two options for how to point the server instance to the file location. The two options are an environment variable or a server instance configuration file.

Use the enterprise license key you received in the previous step and create a file that will hold the enterprise license.

You can use the echo command to copy the content from your system's clipboard into a file.

$ echo "02MV4UU43BK5..." >> license.hclic

Verify the content copied correctly to the specified file before you move onto the next step.

$ cat license.hclic
02MV4UU43BK5...

The environment variable name is CONSUL_LICENSE_PATH. Use the license file you created earlier and set the environment variable CONSUL_LICENSE_PATH to the license key path.

$ export CONSUL_LICENSE_PATH=/etc/consul.d/license.hclic

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The Consul server instance accepts a configuration file. In the server instance configuration file, you may specify the enterprise license key file path through the license_path attribute.

{
  "server": true,
  "license_path": "/etc/consul.d/license.hclic"
}

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

Validate the license

Run the following command to validate the contents of the license file on disk.

$ consul license inspect /etc/consul.d/license.hclic
Source: /etc/consul.d/license.hclic
Product: consul
License ID: 00000000-0000-0000-0000-000000000000
Customer ID: 00000000-0000-0000-0000-000000000000
Installation ID: *
Issue Time: 2021-04-27 10:17:21.653194654 +0000 UTC
Start Time: 2021-04-27 00:00:00 +0000 UTC
Expiration Time: 2022-04-27 00:00:00 +0000 UTC
Termination Time: 2023-04-27 00:00:00 +0000 UTC
Modules:
    Global Visibility, Routing and Scale
    Governance and Policy
Features:
    Automated Backups
    Automated Upgrades
    Enhanced Read Scalability
    Network Segments
    Redundancy Zone
    Advanced Network Federation
    Namespaces
    SSO
    Audit Logging
    Admin Partitions

License is valid

The environment variable name is NOMAD_LICENSE_PATH. Use the license file you created earlier and set the environment variable NOMAD_LICENSE_PATH to the license key path.

$ export NOMAD_LICENSE_PATH=/etc/nomad.d/license.hclic

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The Nomad server instance accepts a configuration file. In the server instance configuration file, you may also specify the enterprise license key file path in the server stanza block.

server {
 enabled = true
 license_path = "/etc/nomad.d/license.hclic"
}

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The environment variable name is VAULT_LICENSE_PATH. Use the license file you created earlier and set the environment variable VAULT_LICENSE_PATH to the license key path.

$ export VAULT_LICENSE_PATH=/etc/vault.d/license.hclic

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

Use the license subcommand to validate the license.

Note

The license subcommand is only available with the Vault Enterprise binary.

$ vault license inspect $VAULT_LICENSE_PATH
Source: /etc/vault.d/license.hclic
Product: vault
License ID: S3sAm3st-8c10-9db0-2e8f-aB34Ef78
Customer ID: aB34Ef78-dc55-cb2c-ca2d-ef7ae4c2e080
Installation ID: *
Issue Time: 2023-02-15 13:57:46.677406153 +0000 UTC
Start Time: 2023-02-15 00:00:00 +0000 UTC
Expiration Time: 2024-02-15 23:59:59.999 +0000 UTC
Termination Time: 2024-02-15 23:59:59.999 +0000 UTC
{"license_id":"S3sAm3st-8c10-9db0-2e8f-aB34Ef78","customer_id":...snip...}

License is valid

You can specify the enterprise license key file path in the Vault server configuration using the license_path attribute.

license_path = "/etc/vault.d/license.hclic"

Note

The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

License setting priority

When both VAULT_LICENSE and VAULT_LICENSE_PATH environment variables exist, VAULT_LICENSE takes precedence. In addition, if the license_path is defined in the server configuration file and VAULT_LICENSE or VAULT_LICENSE_PATH exists, the environment variables take precedence over license_path.

License file reload

Use the sys/config/reload/license endpoint to reload your Vault Enterprise license if needed. Vault reads the license from a file if specified using the license_path configuration parameter or the VAULT_LICENSE_PATH environment variable.

$ vault write -force sys/config/reload/license

Once the updated license is applied, Vault will enable or disable licensed features if the features allowed by the license are different.

Validating the server

Start the Consul server instance.

$ consul agent -dev
==> Starting Consul agent...
         Version: '1.10.0+ent'
         Node ID: '93a230f3-888e-7fd7-81ea-04f6d43ab199'
       Node name: 'defaultNode'
      Datacenter: 'dc1' (Segment: '<all>')
          Server: true (Bootstrap: false)
     Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
    Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
         Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:

If the server instance started successfully, then you will receive a message stating the Consul agent started.

Look for the lines Server: true and Version: 1.10.0+ent to verify that an enterprise server is running.

Error message

The server instance will notify you if the enterprise license key is not found. If you encounter the error message below or similar, please revisit the steps above.

$ consul agent -dev
...
2021-06-03T07:29:30.220-0700 [ERROR] agent: Error starting agent: error="server agents require a license to be loaded via the configuration"
2021-06-03T07:29:30.220-0700 [INFO]  agent: Exit code: code=1

Start the Nomad server instance.

$ sudo nomad agent -dev
==> No configuration files loaded
==> Starting Nomad agent...
==> Nomad agent configuration:

       Advertise Addrs: HTTP: 127.0.0.1:4646; RPC: 127.0.0.1:4647; Serf: 127.0.0.1:4648
            Bind Addrs: HTTP: 127.0.0.1:4646; RPC: 127.0.0.1:4647; Serf: 127.0.0.1:4648
                Client: true
             Log Level: DEBUG
                Region: global (DC: dc1)
                Server: true
               Version: 1.1.0+ent

==> Nomad agent started! Log data will stream in below:

If the server instance started successfully, then you will receive a message stating the Nomad agent started.

Look for the lines Server: true and Version: 1.1.0+ent to verify that an enterprise server is running.

Error message

The server instance will notify you if the enterprise license key is not found. If you encounter the error message below or similar, please revisit the steps above.

$ sudo nomad agent -dev
==> No configuration files loaded
==> Starting Nomad agent...
==> Error starting agent: server setup failed: failed to initialize enterprise licensing: failed to read license: license is missing. To add a license, configure "license_path" in your server configuration file, use the NOMAD_LICENSE environment variable, or use the NOMAD_LICENSE_PATH environment variable.

Start the Vault server in dev mode for testing.

$ vault server -dev -dev-root-token-id=root
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.16.5
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.8.0+rc1
             Version Sha: ce481f21f5a76bfc5717f43ac7362f1240e1aaff

==> Vault server started! Log data will stream in below:

If the server instance started successfully, you will receive a message stating the Vault server started.

Now, you should be able to login.

$ vault login root

Read the license status information.

$ vault license get

Example output:

Key                          Value
---                          -----
expiration_time              2024-02-15T23:59:59.999Z
features                     [HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots]
license_id                   S3sAm3st-8c10-9db0-2e8f-aB34Ef78
performance_standby_count    9999
start_time                   2023-02-15T00:00:00Z
termination_time             2024-02-15T23:59:59.999Z

Error message

When the enterprise license is missing, the following error will be displayed.

Error initializing core: no autoloaded license provided and storage is not initialized. Licenses can be obtained at https://vaultproject.io/trial
[INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
[WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
[INFO]  core: security barrier not initialized
[WARN]  core: A valid license is required to be loaded but none was found. Licenses can be obtained at https://vaultproject.io/trial

Be sure to set your enterprise license to be read from an environment variable or read from a file.

Tip

Refer to the Vault Enterprise License Frequently Asked Questions (FAQs) to learn more about the changes introduced in Vault 1.8.

Next steps

In this tutorial, you deployed a server instance for an enterprise HashiCorp product using a valid enterprise license key. You may now continue exploring other enterprise tutorials for Consul, Nomad, or Vault.

Consul Enterprise Tutorials

Nomad Enterprise Tutorials

Vault Enterprise Tutorials

Back to Collection

9 tutorials

Nomad Enterprise
Learn about Nomad Enterprise features and how to use them at scale.
- Nomad
10 tutorials

Consul Enterprise
Consul Enterprise eases the operational complexities with redundancy, read scalability, managed access, and service architectures across complex network topologies.
- Consul

Prerequisites

Install the enterprise binary

Request a trial license

Enable the license

Add an environment variable (optional)

Read from a file (optional)

Validate the license

Validating the server

Error message

Next steps

This tutorial also appears in: