Updating HashiCorp Vault Enterprise Licensing

HashiCorp Vault Enterprise (HVE) is the next version up from the open source version.  HVE is the solution for secrets management when an organization has to manage secrets across the organization – locally, regionally, or globally.  This version also added functionality that is needed to ensure management of secrets on a larger scale.  Functionality like Performance and DR Replication, Sentinel, and Performance Standby are just a few examples.

In order to use HVE, an organization has to procure a license that will enable all of the enterprise features.  This license can be obtained from a HashiCorp partner (ah hmmm…..RheoData) or from the HashiCorp sales teams.

Like many other vendors, the licenses that are provided typically have an expiration date on them.  The expiration date corresponds to the terms of the license agreement, and the license may expire if agreements are not renewed on a timely basis.  This post is intended to show you how easy it is to update the license for HVE once obtained.

Messages

As the license counts down the days remaining, the HashiCorp Vault administrator may start seeing messages in their console or logs that reference when the license will expire.  These messages look something like this:

2021-01-30T23:48:41.428Z [WARN] core.licensing: core: licensing warning: expiration_time="2021-01-31 00:00:00 +0000 UTC" time_left=11m19s
2021-01-31T01:49:31.928Z [ERROR] core.licensing: core: licensing error: error="invalid license or license is expired"
2021-01-31T01:49:31.928Z [INFO] core: marked as sealed
2021-01-31T01:49:31.929Z [INFO] core: pre-seal teardown starting
2021-01-31T01:49:31.929Z [INFO] core: stopping replication
2021-01-31T01:49:31.929Z [INFO] core: closed sync connection
2021-01-31T01:49:31.930Z [INFO] core: replication stopped
2021-01-31T01:49:31.930Z [INFO] rollback: stopping rollback manager
2021-01-31T01:49:31.931Z [INFO] secrets.database.database_560ae076: stopping periodic ticker
2021-01-31T01:49:31.931Z [INFO] core: pre-seal teardown complete
2021-01-31T01:49:32.432Z [INFO] core: stopping cluster listeners
2021-01-31T01:49:32.432Z [INFO] core.cluster-listener: forwarding rpc listeners stopped
2021-01-31T01:49:32.834Z [INFO] core.cluster-listener: rpc listeners successfully shut down
2021-01-31T01:49:32.835Z [INFO] core: cluster listeners successfully shut down
2021-01-31T01:49:32.835Z [INFO] core: vault is sealed

If your license happens to expire, you will not be able to use the enterprise functionality, and you will be prevented from logging into the HashiCorp Vault Cluster.

Updating License

Before the license expires, it is a good idea to renew your agreement and obtain a new license.  Once the new license is obtained, the HashiCorp Vault Cluster needs to be updated. After logging into either the primary or standby cluster, the license can be updated by using the vault write command.

vault write /sys/license text={license key}

This writes the license to the cluster and allows for continued operations.

What to do if license expires?

In the messages above, you will notice that the license expired.  This prevented us from unsealing the HashiCorp Vault when wanting to work with it.  In order to get around this and apply the new license, the following steps needed to be done:

1. Stop Vault

kill -9 {{vault pid}}

2. Restart Vault

/opt/app/hashicorp/bin/vault server -config=/opt/app/hashicorp/config/vault.hcl &

3. Unseal Vault

vault operator unseal {{key string}}

4. Apply new license key

vault write /sys/license text={license key}

Validate the License

There are two ways to validate that the license has been successfully applied.  The first way is via the command line and the second is within the UI provided by Vault.

1. Check via command line.

From the command line run a vault read command and provide the directory path for the license.

vault read /sys/license

The resulting output will show the status of the license.  The expiration date (expiration_time) is what you want to look at (this has been highlighted).

[vault@vault16 ~]$ vault read /sys/license
Key                          Value
---                          -----
expiration_time              2021-07-31T00:00:00Z
features                     [HSM Performance Replication DR Replication MFA Sentinel Seal Wrapping Control Groups Performance Standby Namespaces KMIP Entropy Augmentation Transform Secrets Engine Lease Count Quotas Key Management Secrets Engine]
license_id                   69629a66-32d0-4b6f-92a7-c5f4ebaadea6
performance_standby_count    9999
start_time                   2021-01-29T00:00:00Z

2. Check via UI

Within the UI, in the far right-hand corner is a “status” menu.  Under this menu, there is an option for License.  This will bring up the License page.  This page will show you the License ID and Valid From information. You can also update the license from this page if needed.  The image below shows you what this looks like.

[Image: HVE_Lic.png]
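Because an expired license ends with the cluster sealing itself, it is worth checking the expiration date on a schedule rather than waiting for the log warnings. The script below is an added example, not part of the original post or of HashiCorp's tooling: it parses the `vault read /sys/license` table output and the `core.licensing` log lines in the formats shown above. The function names, the 30-day warning threshold and the sample inputs are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs in the formats shown on this page.
SAMPLE_LICENSE = """\
Key                          Value
---                          -----
expiration_time              2021-07-31T00:00:00Z
license_id                   00000000-0000-0000-0000-000000000000
start_time                   2021-01-29T00:00:00Z
"""
SAMPLE_LOG = """\
2021-01-30T23:48:41.428Z [WARN] core.licensing: core: licensing warning: expiration_time="2021-01-31 00:00:00 +0000 UTC" time_left=11m19s
2021-01-31T01:49:31.928Z [ERROR] core.licensing: core: licensing error: error="invalid license or license is expired"
2021-01-31T01:49:32.835Z [INFO] core: vault is sealed
"""

def parse_expiration(read_output):
    """Return expiration_time from `vault read /sys/license` table output."""
    for line in read_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "expiration_time":
            ts = datetime.strptime(parts[1], "%Y-%m-%dT%H:%M:%SZ")
            return ts.replace(tzinfo=timezone.utc)
    raise ValueError("expiration_time not found in output")

def license_status(read_output, now, warn_days=30):
    """Classify the license as OK, WARN (inside warn_days) or EXPIRED."""
    left = parse_expiration(read_output) - now
    if left <= timedelta(0):
        return "EXPIRED", left
    return ("WARN" if left <= timedelta(days=warn_days) else "OK"), left

# Matches the WARN/ERROR lines emitted by the core.licensing logger.
LICENSING = re.compile(r"\[(WARN|ERROR)\]\s+core\.licensing:")

def licensing_events(log_text):
    """Return (timestamp, level) for every core.licensing WARN/ERROR line."""
    events = []
    for line in log_text.splitlines():
        m = LICENSING.search(line)
        if m:
            events.append((line.split()[0], m.group(1)))
    return events

if __name__ == "__main__":
    print(license_status(SAMPLE_LICENSE, datetime.now(timezone.utc)))
    print(licensing_events(SAMPLE_LOG))
```

In practice the first argument would be the captured output of `vault read /sys/license`, and a WARN or EXPIRED result would be sent to whatever alerting the team already uses.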

Enjoy!!!

@dbasolved