In this post we are going to look at a problem involving non-retail licenses where the system time changes after a reboot, causing license & SSL cert issues.
The underlying problem normally involves one of these license types (partner, demo, internal only, express and developer edition licenses), the reason being is that these licenses are normally issued with a start and end date. Every time the NetScaler boots it will check the System Time with these dates to verify whether or not your license is still valid.
In my case the evaluation Netscaler ISO I received from Citrix had a default system date of April 2017 (most likely it’s creation date). This meant that every time I’d restart the NetScaler rather than doing a warm boot the system time would reset to a date before the license start date, not only would this invalidate the license losing me all the licensed features, my SSL certs would also be removed.
Configuring the system time using shell commands, such as:
date +val 1803250328
Which sets the time to 03:29 25 March 2018 or configuring the NTP Server to googles public NTP sever time.google.com
Would only work to get the server back to the current server time and re-licensed after a warm reboot.
However, as stated a normal reboot would still reset the system time back to a period not valid under the start/end of date attached to the license and even though the NTP server settings stayed, it only re-synced the system time after the boot-up checks.
As stated by Citrix, this is completely intended –
When making customizations to a NetScaler or NetScaler Gateway appliance, the customization changes are usually lost when you restart the appliance. This is by design. This is because a NetScaler appliance runs from RAM disk and loads from a flash device.
When the license on a NetScaler expires the configuration is altered. Non-licensed features are disabled and certificates greater than 512 bits are removed from the configuration
The Fix / Work Around – Using the nsbefore.sh file.
The nsbefore.sh file runs before the network components or packet engine is initialized.
It is one of the three files that can be utilized to retain the changes and customization in a NetScaler appliance when the NetScaler applicant restarts. (Also applies to VM’s running the software version)
The other two being: (In this case they are un-needed)
- The nsafter.sh file runs after the network or packet engine is initialized.
- The rc.netscaler file runs after the ns.conf file is loaded.
First we need to get into the file directory of the Citrix NetScaler –
One way to achieve this is to use a program called WinSCP to create a session over the SFTP File protocol.
As shown in the image below, create a new session and enter the IP or hostname of your NetScaler, followed by your username and password.
(Yes I know I’m using the default username/password, don’t worry this is my demo kit 😉 )
Navigate to /nsconfig/ and create a file called nsbefore.sh (you can do this within the application by right clicking)
After you have created the file – double click it and added the contents
date +val 1803250215
This command will make sure that before any licenses checks are initiated during boot-up the system time will be set to 03:29 25 March 2018.
If you want to set the time to something different (apologies if the article has aged by the time you are reading it) following the format below, change the numbers to suit your needs.
date +val YYMMDDHHMM
YY = Year – MM = Month – DD = Day – HH = Hour – MM = Minutes
As long as it’s within the start & end date of your license, it will do. If setup, your NTP settings will sync it to current time after the reboot has occurred.
Once you have saved the file you are all set – Now when you restart your NetScaler one of the first operations preformed will be the modification of the system time to one that doesn’t invalidate your license during the proceeding license checks.
In theory this could also be used to avoid your license ever expiring, however if the current time is past your end of date for that license, you will have to keep your preset system time; making sure to avoid syncing the NetScaler with an NTP server. (Not ideal and may cause problems)