Two Sides of Licensing
The prime purpose of CodeMeter is the protection and licensing of software. In license management, CodeMeter protection covers two complete dimensions: the independent software vendors (ISVs) and their software users.
The ISVs’ Perspective
CodeMeter offers many solutions and added value for ISVs. The three essential functions are:
- Technical monitoring of licenses on the user’s side
- Handling of the desired licensing models
- Distribution and management of licenses
ISVs integrate their license controls in their software either individually by means of CodeMeter API or automatically via Wibu Protector Suite. The automatic integration option allows the quick and easy encryption of the complete application, a technology that is available for Windows, Linux, and OS X under the AxProtector and IxProtector brands. For Java and .NET applications, automatic encryption and obfuscation tools are available. On embedded devices, ExProtector offers not only encryption, but also the option of preventing the execution of unauthorized software modules.
Wibu-Systems’ Protector Suite promises a high degree of protection with minimal efforts for integration. This protection can be made even stronger by implementing additional security mechanisms by API.
CodeMeter supports any desired licensing model, with the most common types already included in the package. These turnkey models include single-user licenses, network licenses, licenses for features-on-demand, demo and trial licenses, and lease or pay-per-use models.
One excellent example of a preinstalled license model is the functionality offered for maintenance services. When finalizing the license, the ISV enters the start and end dates of the service contract, and the release date of the software is recorded in its protection. Everything else is handled automatically and securely by CodeMeter, since the release date is an integral part of the cryptographic data. If an attacker tries to modify the release date, the software will not open, since the cryptographic key has changed.
Unusual or complex licensing models can also be covered with minimal effort.
License Distribution and Management
One essential task for ISVs is the creation, distribution, and management of licenses. The flexibility and versatility of CodeMeter License Central lets you choose the complexity of your licensing management: from a stand-alone installation for smaller sets of licenses to the full integration in the sales process or the ISV’s ERP and CRM systems, as a local appliance, or as a cloud-based solution.
CodeMeter License Central is available in the following editions:
- Desktop Edition: Stand-alone as a local appliance.
- Internet Edition: As a local appliance for integration in the ISV’s systems, with internet connection for cloud-based online activation.
- Datacenter Edition: Cloud-based solution operated by Wibu-Systems on behalf of the ISV as a stand-alone appliance in the Wibu-Cloud.
- Dedicated Server Edition: Cloud-based solution operated by Wibu-Systems on behalf of the ISV with the additional option of integration in back-end systems, such as SAP, Salesforce, and others.
When using CodeMeter, the ISV decides the manner in which licenses are fixed and stored at the customer’s location. The user can then choose between the options made available by the ISV, including:
- CmDongle: The license is tied to a CmDongle and stored completely on that dongle, with all cryptographic keys. These keys can be used by the software, but never taken off the dongle.
- CmActLicense: The license is tied to a dynamic fingerprint of the computer and stored in an encrypted license file. The fingerprint has a defined degree of tolerance (SmartBind®) for changes and modifications to the computer. Anti-debug measures and the use of the fingerprint as a key stop the unauthorized copying of licenses to other devices.
- License Server: The license is copied to a license server and stored on a CmDongle or in a CmActLicense. Choosing a computer fingerprint allows the license server to be operated in the cloud if the ISV so chooses. The licenses are made available to the end users via a network (LAN, WAN, Cloud), in full compliance with the rules defined by the user.
This degree of scalability enables ISVs to define the level of security that they need and the maximum flexibility that they want to allow their users. The rule of thumb is that a CmDongle offers the most secure solution while keeping the license easily transportable. A license server kept in the ISV’s cloud also offers very good levels of security. Storing a CmActLicense on a computer or license server still promises a high degree of state-of-the-art security.
From the ISV to the User
Licenses can make their way from ISVs to users via multiple alternative routes. With the flexibility and power of License Central, it’s easy to come up with the solutions that are perfect for you. But that complexity can be overwhelming, so it’s important to select licensing options that are best for you and your users.
The best practice seems to be for ISVs to find the best routes for their specific target groups. The most common route goes online, and is offered as the standard choice for users. One or more fall-back options should be offered for problem cases, usually including at least one offline route.
The multible delivery options for perfect license transfere are displayed in the orange box below.
The choice of the best route depends on many factors. When determining these factors, some good questions to ask are: Are you working mostly with new customers or mostly with an established customer base? Are your customers regular internet users or do they prefer offline options? Are the licenses managed by an administrator? How technologically skilled are your customers?
Wibu-Systems’ licensing experts are always available to contribute their know-how and best practices for choosing the optimal route.
The User’s Perspective
For users, licensing should be a simple process that does not interfere with their everyday work.
They expect answers for the following questions from license management:
- Which licenses have I bought and where are they?
- Who can use which licenses?
- Which employees have used which licenses for how long?
Multiple delivery options for perfect license transfer to the user:
- The ISV programmes a CmDongle and mails it to the user.
- The ISV creates a ticket and the user activates the license directly from the ISV’s software. The ISV can decide whether the license is tied to the PC as a CmActLicense or copied to a CmDongle, or whether the user himself can make that choice.
- The ISV stores the license for a specific PC (serial number of the CmActLicense) or a specific CmDongle (serial number) and the user opts for “automatic updating” in the ISV’s software.
- The ISV offers activation via web portal. The user is given a ticket to transfer the license directly via his browser.
- The ISV creates a license for a PC or a CmDongle and the user transfers it directly via his browser.
- The ISV integrates activation functionality in a customer portal. The ISV places a license for the user on that portal (tied to the user’s account), which the user accesses and copies via his browser.The ISV offers the user the option of creating a license request right from within the software. This request is transferred offline to an internet-connected PC, where the user uses the ticket and the request file to download an activation file from the web portal. This activation file is taken back to the target device, where the license is activated on a CmDongle or software-based CmActLicense.
- The activation process works as in (G). In the place of the ticket, the account of the user is used instead.
- The activation works as in (G). In the place of the ticket, the serial number of the CmDongle or CmActLicense is used instead.
- As in (G) to (I). Instead of the ISV’s software, the available standard tools of Wibu-Systems are used (CodeMeter control centre, the command line interface programme cmu, or double-click on a license activation file).
- The user creates a license request from within the ISV’s software and sends this by email to the ISV, where an activation file is created and emailed back to the user.
- As in (L) Instead of the ISV’s software, the standard tools of Wibu-Systems are used. Alternatively, the license request can also be created via the network, either on an administrator’s workstation if the license server is integrated in the network or on a service technician’s laptop if the license is to be transferred to a control device.
User Portal in the CodeMeter License Central
The Web Depot included in CodeMeter License Central offers users not only a means of transferring their licenses, but also a simple overview over all of the licenses they have bought.
The SOAP interface in the CodeMeter License Central gives ISVs the option of integrating a license overview in their user portals. The user accesses this portal typically with a login name and password to see a list of all tickets and the licenses included in the tickets. Depending on the chosen configuration of the ISV, the following data can be shown for each license:
- Product name
- Product number
- Retrieval state
- Date of purchase
- Serial number of the CmContainers that keeps the license
The ISV determines whether users can hand back licenses and transfer them to other CmContainers. Another parameter that can be set by the ISV is the number and sequence of re-activations without actual return of the license. This is particularly important for software-based licensing with CmActLicenses tied to specific computers, since users will regularly change their workstations and equally regularly forget to hand back their licenses when they do so. A degree of tolerance for such re-activation can help reduce the need for support, although there need to be limits to prevent abuse.
CodeMeter License Server - License Tracking
The CodeMeter License Server makes licenses available via networks. The ISV defines the number of licenses that can be used concurrently and chooses a monitoring mechanism, such as the number per active application or the number per workstation. When workstations are counted, each virtual machine and each terminal server session is counted as a real PC.
The user switches on CodeMeter License Tracking to record every access to available licenses (and every denied access). This records the username, computer ID / IP address, and license. A CodeMeter WebAdmin interface lets the user create simple statistics for his licenses; more complex assessments can be exported and processed in dedicated license tracking files.
With CodeMeter License Tracking, larger companies can achieve cost-unit-precise accounting of their licenses. The overview of active licenses allows the user to see how his licenses are utilized by every cost unit.
In addition to promising transparency in terms of costs, CodeMeter License Tracking also allows the option of identifying licenses that are not used and licenses that are missing, enabling users and ISVs alike to find new ways for optimized licensing. Combined with overflow licenses (where the ISV allows the user to use more licenses that he has bought), the exact number of active licenses can be established and, if they so choose, billed.
CodeMeter License Server – Access Privileges
Version 5.20 replaces CodeMeter’s Access Control with the Access Privileges Module. This new module allows licenses to be flagged for individual employees or complete Active Directory groups. Such a configuration dataset includes the following details:
- Username / AD group / IP address
- Minimum number of licenses
- Maximum number of licenses
The minimum number of licenses states how many licenses have been reserved for the employee (or group, or IP address). This number of licenses can never be held by others. The maximum number of licenses states how many licenses the employee can hold. A configuration of minimum = 1 and maximum = 1 defines that one license has been reserved exclusively for the employee. It is always available for that defined user.
The configuration can be set separately for every license (every product item) in a CmContainer, or the access rights are pre-defined as the standard values for the entire server. On a detailed page, all access rights can be displayed for a given user name (or group, or IP address).
This feature allows the sharing of licenses between two departments. For example, ten licenses for an application are bought that are needed by the sales and the support team. One license each is reserved for the team leaders. The support group is to be given another five reserved licenses, and the sales team one reserved license. The right configuration would look as follows:
CodeMeter License Server – Access Privileges
User:firstname.lastname@example.org; Minimum = 1; Maximum = 1
User:email@example.com; Minimum = 1; Maximum = 1
Group:firstname.lastname@example.org; Minimum = 5; Maximum = 7
Group:email@example.com; Minimum = 1; Maximum = 3
CodeMeter recognizes the user names and group allocations automatically without any specific involvement of the ISV. If a specific rule is defined for a single user name, this overrides the group allocation of that user’s name. If no rules are set up for the user’s name, the user is included in the rules for the first group that he is allocated to. These simple rules are flexible enough for almost every possible configuration.
KEYnote 27 – Edition Spring 2014