• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Vault
  • Install
  • Tutorials
  • Documentation
  • API
  • Try Cloud(opens in new tab)
  • Sign up
Enterprise

Skip to main content
23 tutorials
  • Install a HashiCorp Enterprise License
  • Secure Multi-Tenancy with Namespaces
  • Vault Namespace and Mount Structuring Guide
  • Move Secrets Engines and Auth Methods Across Namespaces
  • Disaster Recovery Replication Setup
  • Disaster Recovery Replication Failover and Failback
  • Performance Standby Nodes
  • Setting up Performance Replication
  • Performance Replication with Paths Filter
  • Monitoring Vault Replication
  • Protecting Vault with Resource Quotas
  • Codify Management of Vault Enterprise Using Terraform
  • PKI Secrets Engine with Managed Keys
  • Sentinel Policies
  • Sentinel HTTP Import
  • Control Groups
  • Transform Secrets Engine
  • Tokenize Data with Transform Secrets Engine
  • KMIP Secrets Engine
  • Key Management Secrets Engine with Azure Key Vault
  • Key Management Secrets Engine with GCP Cloud KMS
  • HSM Integration - Seal Wrap
  • HSM Integration - Entropy Augmentation

  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  1. Developer
  2. Vault
  3. Tutorials
  4. Enterprise
  5. Install a HashiCorp Enterprise License

Install a HashiCorp Enterprise License

  • 10min

  • EnterpriseEnterprise
  • ConsulConsul
  • NomadNomad
  • VaultVault

To use a HashiCorp Enterprise product, you need a valid HashiCorp license. This tutorial will guide you on the steps to enable your enterprise license to start the server. By the end of this tutorial, you will have a server instance with enterprise features enabled. If you don't have a license, you can request a 30-day trial license. See the Request a license section.

NOTE: This guidance for enabling an enterprise license applies to both production and development environments.

This tutorial is applicable to the following HashiCorp enterprise product versions or greater. Nomad v1.1.0, Consul v1.10.0, and Vault v1.8.0

Prerequisites

  • Enterprise binary

Each server needs to register the enterprise license as described below. In previous versions of HashiCorp enterprise products, one server could distribute a license to other servers via the Raft protocol. This will no longer work since each server must be able to find a valid license during the startup process.

The tutorial below describes the most basic steps needed to register a license. You may need to design other steps to integrate this process into your build pipelines (such as building private disk images with Packer or using a configuration management system to distribute and install the enterprise binary and license file to your compute instances).

Install the enterprise binary

You need to install the enterprise binary before continuing with the tutorial. All HashiCorp binaries are in releases.hashicorp.com, look for a binary that has +ent in the suffix of the filename.
You can find installation tutorials for each HashiCorp product in learn.hashicorp.com

  • Install Consul Tutorial
  • Install Nomad Tutorial
  • Install Vault Tutorial

Request a trial license

Your customer support contact can generate a trial license for any HashiCorp enterprise product. If you are an existing HashiCorp enterprise customer, you may contact your organization's customer success manager (CSM) for information on how to get your organization's enterprise license.

Enable the license

You have three options for enabling an enterprise license.

  • You can provide the enterprise license as a string in an environment variable.
  • You can save the license string to a file and reference the path with an environment variable.
  • You may place the license string in a file and specify the path to the file in the server's configuration file.

Add an environment variable (optional)

You can set the enterprise license for Consul by using an environment variable. Use the the enterprise license you received in the previous step and set the environment variable CONSUL_LICENSE to the license key value.

$ export CONSUL_LICENSE=02MV4UU43BK5....

You can set the enterprise license for Nomad by using an environment variable. The environment variable name is NOMAD_LICENSE.

Use the the enterprise license you received in the previous step and set the environment variable NOMAD_LICENSE to the license key value.

$ export NOMAD_LICENSE=02MV4UU43BK5....

You can set the enterprise license for Vault by using an environment variable. Use the the enterprise license you received in the previous step and set the environment variable VAULT_LICENSE to the license key value.

$ export VAULT_LICENSE=02MV4UU43BK5....

Read from a file (optional)

The enterprise license can be read from a file. If you add the enterprise license to a file, you have two options for how to point the server instance to the file location. The two options are an environment variable or a server instance configuration file.

Use the the enterprise license key you received in the previous step and create a file that will hold the enterprise license.

You can use the echo command to copy the content from your system's clipboard into a file.

$ echo "02MV4UU43BK5..." >> license.hclic

Verify the content copied correctly to the specified file before you move onto the next step.

$ cat license.hclic
02MV4UU43BK5...

The environment variable name is CONSUL_LICENSE_PATH. Use the license file you created earlier and set the environment variable CONSUL_LICENSE_PATH to the license key path.

$ export CONSUL_LICENSE_PATH=/etc/consul.d/license.hclic

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The Consul server instance accepts a configuration file. In the server instance configuration file, you may specify the enterprise license key file path through the license_path attribute.

{
  "server": true,
  "license_path": "/etc/consul.d/license.hclic"
}

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

Validate the license

Run the following command to validate the contents of the license file on disk.

$ consul license inspect /etc/consul.d/license.hclic
Source: /etc/consul.d/license.hclic
Product: consul
License ID: 00000000-0000-0000-0000-000000000000
Customer ID: 00000000-0000-0000-0000-000000000000
Installation ID: *
Issue Time: 2021-04-27 10:17:21.653194654 +0000 UTC
Start Time: 2021-04-27 00:00:00 +0000 UTC
Expiration Time: 2022-04-27 00:00:00 +0000 UTC
Termination Time: 2023-04-27 00:00:00 +0000 UTC
Modules:
    Global Visibility, Routing and Scale
    Governance and Policy
Features:
    Automated Backups
    Automated Upgrades
    Enhanced Read Scalability
    Network Segments
    Redundancy Zone
    Advanced Network Federation
    Namespaces
    SSO
    Audit Logging
    Admin Partitions

License is valid

The environment variable name is NOMAD_LICENSE_PATH. Use the license file you created earlier and set the environment variable NOMAD_LICENSE_PATH to the license key path.

$ export NOMAD_LICENSE_PATH=/etc/nomad.d/license.hclic

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The Nomad server instance accepts a configuration file. In the server instance configuration file, you may also specify the enterprise license key file path in the server stanza block.

server {
 enabled = true
 license_path = "/etc/nomad.d/license.hclic"
}

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

The environment variable name is VAULT_LICENSE_PATH. Use the license file you created earlier and set the environment variable VAULT_LICENSE_PATH to the license key path.

$ export VAULT_LICENSE_PATH=/etc/vault.d/license.hclic

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

You can specify the enterprise license key file path in the Vault server configuration using the license_path attribute.

license_path = "/etc/vault.d/license.hclic"

NOTE: The file path provided must be an absolute path. Shell variables like $HOME can be used but relative paths like ~/ cannot be used.

License setting priority

When both VAULT_LICENSE and VAULT_LICENSE_PATH environment variables exist, VAULT_LICENSE takes precedence. In addition, if the license_path is defined in the server configuration file and VAULT_LICENSE or VAULT_LICENSE_PATH exists, the environment variables take precedence over license_path.

License file reload

Use the sys/config/reload/license endpoint to reload your Vault Enterprise license if needed. Vault reads the license from a file if specified using the license_path configuration parameter or the VAULT_LICENSE_PATH environment variable.

$ vault write -force sys/config/reload/license 

Once the updated license is applied, Vault will enable or disable licensed features if the features allowed by the license are different.

Validating the server

Start the Consul server instance.

$ consul agent -dev
==> Starting Consul agent...
         Version: '1.10.0+ent'
         Node ID: '93a230f3-888e-7fd7-81ea-04f6d43ab199'
       Node name: 'defaultNode'
      Datacenter: 'dc1' (Segment: '<all>')
          Server: true (Bootstrap: false)
     Client Addr: [127.0.0.1] (HTTP: 8500, HTTPS: -1, gRPC: 8502, DNS: 8600)
    Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
         Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false

==> Log data will now stream in as it occurs:

If the server instance started successfully, then you will receive a message stating the Consul agent started.

Look for the lines Server: true and Version: 1.10.0+ent to verify that an enterprise server is running.

Error message

The server instance will notify you if the enterprise license key is not found. If you encounter the error message below or similar, please revisit the steps above.

$ consul agent -dev
...
2021-06-03T07:29:30.220-0700 [ERROR] agent: Error starting agent: error="server agents require a license to be loaded via the configuration"
2021-06-03T07:29:30.220-0700 [INFO]  agent: Exit code: code=1

Start the Nomad server instance.

$ nomad agent -dev
==> No configuration files loaded
==> Starting Nomad agent...
==> Nomad agent configuration:

       Advertise Addrs: HTTP: 127.0.0.1:4646; RPC: 127.0.0.1:4647; Serf: 127.0.0.1:4648
            Bind Addrs: HTTP: 127.0.0.1:4646; RPC: 127.0.0.1:4647; Serf: 127.0.0.1:4648
                Client: true
             Log Level: DEBUG
                Region: global (DC: dc1)
                Server: true
               Version: 1.1.0+ent

==> Nomad agent started! Log data will stream in below:

If the server instance started successfully, then you will receive a message stating the Nomad agent started.

Look for the lines Server: true and Version: 1.1.0+ent to verify that an enterprise server is running.

Error message

The server instance will notify you if the enterprise license key is not found. If you encounter the error message below or similar, please revisit the steps above.

$ nomad agent -dev
==> No configuration files loaded
==> Starting Nomad agent...
==> Error starting agent: server setup failed: failed to initialize enterprise licensing: failed to read license: license is missing. To add a license, configure "license_path" in your server configuration file, use the NOMAD_LICENSE environment variable, or use the NOMAD_LICENSE_PATH environment variable.

Start the Vault server in dev mode for testing.

$ vault server -dev -dev-root-token-id=root
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.16.5
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.8.0+rc1
             Version Sha: ce481f21f5a76bfc5717f43ac7362f1240e1aaff

==> Vault server started! Log data will stream in below:

If the server instance started successfully, you will receive a message stating the Vault server started.

Now, you should be able to login.

$ vault login root

Read the license status information.

$ vault read sys/license/status

Example output:

The autoloading_used parameter value is true.

Key                   Value
---                   -----
autoloaded            map[expiration_time:2022-02-10T23:59:59.999Z features:[HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots] license_id:c88a298a-bcd3-5569-3a3b-d79c85c0dcf9 performance_standby_count:9999 start_time:2021-02-10T00:00:00Z]
autoloading_used      true
persisted_autoload    map[expiration_time:2022-02-10T23:59:59.999Z features:[HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine Automated Snapshots] license_id:c88a298a-bcd3-5569-3a3b-d79c85c0dcf9 performance_standby_count:9999 start_time:2021-02-10T00:00:00Z]

Error message

When the enterprise license is missing, the following error will be thrown.

Error initializing core: no autoloaded license provided and storage is not initialized. Licenses can be obtained at https://vaultproject.io/trial
[INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
[WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
[INFO]  core: security barrier not initialized
[WARN]  core: A valid license is required to be loaded but none was found. Licenses can be obtained at https://vaultproject.io/trial

Be sure to set your enterprise license to be read from an environment variable or read from a file.

Refer to the Vault Enterprise License Frequently Asked Questions (FAQs) to learn more about the changes introduced in Vault 1.8.

Next steps

In this tutorial, you deployed a server instance for an enterprise HashiCorp product using a valid enterprise license key. You may now continue exploring other enterprise tutorials for Consul, Nomad, or Vault.

Consul Enterprise Tutorials

Nomad Enterprise Tutorials

Vault Enterprise Tutorials

 Back to Collection
 Next

This tutorial also appears in:

  •  
    9 tutorials
    Nomad Enterprise
    Learn about Nomad Enterprise features and how to use them at scale.
    • Nomad
  •  
    10 tutorials
    Consul Enterprise
    Consul Enterprise eases the operational complexities with redundancy, read scalability, managed access, and service architectures across complex network topologies.
    • Consul

On this page

  1. Install a HashiCorp Enterprise License
  2. Prerequisites
  3. Install the enterprise binary
  4. Request a trial license
  5. Enable the license
  6. Next steps
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)