Portable Licenses in the Cloud
CmCloudContainers are the latest addition to the CmContainer family. Compared to hardware CmDongles and software CmActLicenses, CmCloudContainers live in the cloud, without the user having to have a local secure anchor. As with a CmActLicense, which is bound to a known device, the user can get going immediately, and as with a secure hardware CmDongle, the user stays fully mobile and can use the license on any device they want.
Bound to the User
CmCloudContainers are bound to known users. They have to sign in with the CodeMeter Cloud Server in the Wibu Cloud to prove who they are, using user names and passwords that are autocreated by the CodeMeter Cloud Server and delivered to the user in the form of a special credential file. The users can then import this credential file to any device they want to be working on.
The licenses themselves are safely tucked away in a secure CmContainer on the CodeMeter Cloud Server. When the credential file is imported by the user, it is linked with the local device; the local CodeMeter Runtime essentially mirrors the contents of the CmCloudContainer and notifies the CodeMeter Cloud Server whenever the software is indeed used on the local computer. All encryption and decryption operations also happen in the cloud to make sure that users can only use as many licenses as they actually own.
Online or Offline?
This immediately answers one fundamental question: “Do users of cloud licenses have to be online all the time?” Since the cryptographic operations happen in the cloud, encrypted software can only launch if their users are indeed online. However, if the software is not encrypted at all or has already been decrypted, it is up to the vendors to decide what happens when a user is no longer connected to the Internet. They either give the user the benefit of the doubt and tolerate this, or they force their software to stop working after a number of failed connection attempts.
There is the option of using CodeMeter Protection Suite IP Protection to encrypt the software and set a certain degree of tolerance with the CodeMeter Core API. This would encrypt the software, but also place the decryption key in the software itself, allowing it to start even if no license is present. The software can also be set to conduct license checks at regular intervals and to only react if a threshold number of connection attempts or a defined time since the last successful check has been passed.
Software that needs to run offline and still comply with tough security standards can always use a CmActLicense or CmDongle, two container types purpose-built for such a situation.
Multiple Users – One CmContainer?
In some scenarios, a CmCloudContainer is meant to be used as a multi-user license, as can be done with a CodeMeter network server. This is not only possible with CmCloudContainers; the new container even offers two alternative options. The first option is for a system admin to set up a CodeMeter network server to import the credential file to, removing the need for the end users to have online access to the CodeMeter Cloud Server. The network server now functions as a type of proxy, which also means that access controls and usage statistics can work just as they do with CmDongles or CmActLicenses on a CodeMeter network server. The credential file needed for this purpose is kept in a single central place that is managed by the administrator.
The second option is for the end users to access the same CmCloudContainer from their computers. In this case, the credential file is copied to each of their computers. To prevent fraud, the credentials would also have to be changed on all of these computers if e.g. one computer is stolen or a user leaves the group. The usual access control and usage statistics functions would also not be available with this arrangement. Despite its apparent advantages, the second option therefore has definite drawbacks compared to a central CodeMeter network server, and it breaks one of the fundamental principles of good password management: People should not share passwords. It might even be better to give each user a separate CmCloudContainer with licenses dynamically distributed between them by CodeMeter License Central.
Costs are a factor to keep in mind: Five users accessing one CmCloudContainer at the same time consume the same amount of energy as five users with five CmCloudContainers. This simple fact is reflected in the Wibu-Systems’ pricing model, which treats the choice between one or multiple CmCloudContainers as a merely technical rather than a financial decision.
CodeMeter Cloud Dashboard
Software vendors who wish to provide CmCloudContainers to only a select group of users can benefit from CodeMeter Cloud Dashboard as the perfect tool for the purpose. After signing in, they have the following options:
- Creating new CmCloudContainers: A credential file is created with the name chosen by the vendor.
- Creating new credentials: This creates a new credential file for an existing CmContainer, which invalidates the previous credential file, but not the licenses already stored in the CmCloudContainer.
- Creating a context file: This creates a context file for a given CmCloudContainer, which can be used to create or edit licenses with CodeMeter License Central, CodeMeter License Editor, CmBoxPgm, or other proprietary tools. The same type of file can also work as a receipt for the purposes of CodeMeter License Central.
- Importing an update file: An update file is imported to transfer licenses into a CmCloudContainer.
Creating and distributing CmCloudContainers to large numbers of users can be done manually, but this would be a laborious and unnecessary choice. It is better to go with the license portal of CodeMeter License Central: Users can sign themselves in with their username and a password, which could even be linked with an existing user management system. To prevent spam, users may have to possess a valid ticket before they are allowed to create an account.
When users then want to use licenses in the cloud, the license portal reaches out to the CodeMeter Cloud Server and creates a credential file in the background. The file can be stored in encrypted form on the license portal, from where the user can download or import it directly to the target computer.
The license portal enables users to place their licenses in a CmCloudContainer, a CmDongle, or a CmActLicense, depending on the preferred choice of the software vendor. The portal can also be used to move licenses from one container to another, for which users would have to return their licenses e.g. from a CmCloudContainer to CodeMeter License Central and then move them into a CmActLicense if they wish to use the licenses offline in future.
Users that want to use their license on another computer can simply download or import their credential file directly from the license portal.
They do not have to activate their licenses again, as the licenses stay in the same CmContainer they have always been in.
Whenever users are worried that their credential files might have been stolen or otherwise abused, they can turn to the license portal to request a new credential file. A message to say that a license is already in use is a typical sign of such a theft if the user is sure that the software is not indeed in use, not even on another system.
When the credential file is changed, the password also needs to be changed via the license portal. To do so, the user simply requests a new password and is then given a new credential file to import to the target devices – and everything is secure and back to normal.
Software Activation Wizard
All these functions, from creating CmCloudContainers to changing passwords or activating licenses, can be done through the license portal, or they can be accessed from within the licensed software itself. All this needs is the integration of a Software Activation Wizard in the software that can communicate with the gateway, a special version of the license portal without a visible user interface.
KEYnote 40 – Edition Fall 2020