CodeMeter Licensing in Kubernetes

Kubernetes?

Kubernetes is a powerful open-source platform for orchestrating containers, developed to make it easier to roll out and manage applications in distributed environments.

Originally created by Google and handed over to the open-source community in 2014, Kubernetes has caused a stir in the world of DevOps and containerization.

The basic thinking behind Kubernetes is that container applications can be organized in groups, called pods. These pods can be used on an infrastructure, be it in the cloud or in a local data center. Kubernetes takes care of automated scaling, load balancing, rolling updates and rollbacks, which makes for flexibility, tolerance, and high availability.

Self-recovery functions keep applications stable and responsive. Kubernetes offers a versatile and sustainable choice for modern application architectures and has become an important tool for managing complex applications around the globe efficiently.

Protection and Licensing

In distributed environments, the ability to protect one’s intellectual property and enforce license restrictions is even more critical than elsewhere. We can rely on the tried-and-trusted AxProtectors of CodeMeter Protection Suite to run protected applications safely in Kubernetes environments.

The challenge is: How to provide the necessary CodeMeter licenses in a Kubernetes environment? In Kubernetes, there are lots of containers, each providing a specific function or micro service. To use CodeMeter, one needs a working CodeMeter license server. That license server is usually run in its own container, while the other protected and licensed services or applications are placed in other containers.

For the application containers to be able to access the CodeMeter license server in a different container, the variable CODEMETER_HOST needs to be set properly and a dedicated network set up. KEYnote 42 has more information about how this is done.

CodeMeter License Server

When designing your own Kubernetes cluster, it is essential to pay attention to the right licensing process. In larger projects, there will likely be a need to run several CodeMeter license servers at the same time, possibly one per pod. Which design fits depends on your needs in terms of redundancy, performance, and the available resources.

Alongside the CodeMeter license server, the licenses themselves also need to be available. These are kept in CmContainers, either in hardware form in a CmDongle, in activation-based CmActLicenses, or in a CmCloudContainer accessed over the Internet. All of these CmContainer types are cryptographically identical for the Universal Firm Code, which means that the licenses in question can be provided in the right CmContainer for each case in hand. The right choice of CmContainer for Kubernetes depends on how and where Kubernetes is used.

Kubernetes in the Cloud

Leading cloud providers AWS, Microsoft Azure, and Google Cloud offer a range of comfortable ways to manage services via Kubernetes, including the means to prepare the system as easily in the cloud as one would on a local system. For containers running in the cloud, which would mean constant Internet access, CmCloudContainers are the perfect choice. Wibu-Systems operates CmCloudContainers in a private cloud with exceptional availability guarantees. All cryptographic operations and the necessary keys remain safe in that private cloud, and licenses can be activated easily through the CodeMeter License Portal. The individual CodeMeter license servers only need the access details to the CmCloudContainers, which can be provided in image form. The service is billed by the number of simultaneous license accesses, captured in the form of “seats”.

Kubernetes On-Site

For an in-house installation of Kubernetes, CmCloudContainers can also be used to gain all of the advantages mentioned above. This does, however, depend on constant Internet access. If that is a risk you are not willing to take or if you want to be independent of the global infrastructure, there are two options at your disposal: CmDongles or CmActLicenses.

Many software developers want to provide their software and licenses in a Kubernetesready form without having to account for external dependencies. Why they do so is evident: They want full control over everything in the container environment and use Kubernetes without any other requirements complicating their chosen method.

A CmActLicense requires a unique and copyproof anchor to be encrypted and properly bound to avoid simple duplication. Container environments, by their very nature, are designed to make everything as abstract as possible and to switch to and from between systems. The end result is that the necessary anchors are hard to find. For Docker installations, Wibu-Systems has already delivered an innovative solution (reviewed in KEYnote issue 42). That Docker-specific mechanism does not, however, work with Kubernetes. Older binding options, like binding licenses to hard drive serial numbers or the like, are also too easy to simulate. Kubernetes and, in particular, its fundamental containerization technology are also opensource, which means that it is easy to analyze, imitate, and circumvent any mechanisms of this type. In essence, CmActLicenses cannot be used with any meaningful security in Kubernetes and are therefore not offered in this specific scenario.

The remaining option is to handle licensing outside of Kubernetes. As explained, one or more CodeMeter license servers can be provided as containers. These can connect with CodeMeter license servers kept on physical systems (not containers and ideally not virtual machines). This makes it possible to bind the licenses to a fingerprint of the actual, physical system properties with the patented CodeMeter SmartBind technology.

A CodeMeter license server included in the network can also be used for CmDongles in order to access the licenses stored on them within Kubernetes. A popular method for this is connecting the CmDongle via USB-over-Ethernet. A device like the SEH DongleServer can be used to access the CmDongle via TCP/IP from a container in Kubernetes. This solution works even when a container is at rest, as it only needs the connection to be set again.

For high availability of local licenses even during OS maintenance, a TMR server can be integrated in all of this. Read the article on TMR servers in this issue of KEYnote to learn more about this.

Different options

CodeMeter licenses can be integrated outside of Kubernetes by providing licenses through the cloud or through CodeMeter license servers kept on physical systems. This makes licensing secure and reliable. The careful planning and selection of the right channel for licensing purposes is critical for high-availability applications in Kubernetes systems and for intellectual property to be secure and license terms enforced.

-------------------------------------------------------------------------------------------------------

Flagship Store for the OI4 community

In alliance with other key members of the Open Industry 4.0 community, Hilscher and Wibu-Systems are developing an open platform, designated as the Flagship Store for the OI4 community. This initiative promises to accelerate the journey for all stakeholders toward a fully integrated, digital, interconnected, and secure production landscape. Their collaborative approach aims to benefit everyone, from the on-the-floor app users grappling with productivity challenges and skill shortages to app providers eager for secure yet uncomplicated entry into the digital manufacturing sector. Critically, their partnership ensures robust safeguards for the intellectual property encoded within the software solutions.