License Portals – Default and Custom Look
With license portals, everyone benefits – software developers and their users. License portals enable users to manage their licenses whenever they want and wherever they have to. They can activate licenses, transfer them to other devices, or even recover lost licenses to the extent allowed by the software vendor. This means exceptional availability and real customer satisfaction, coming not at a cost, but with a gain for the developer, as license portals keep the support and maintenance costs down.
People often ask: “What does the standard license portal of Wibu-Systems look like? Sometimes, the answer is: “Let’s have a look at our WebDepot”. Other times it is: “There is no one standard. You have all the flexibility you want.” Can both be true? The answers are not as contradictory as they seem: It is very rare for software developers to start from scratch. In most cases, their software licenses have to fit in with an existing ecosystem of ERP, CRM, e-commerce, user portal systems etc. And in very few of these cases would this ecosystem be clear-cut and homogeneous.
Sales and distribution processes differ from vendor to vendor: There are still traditional face-to-face sales, but the standard is a wild combination of online sales via some e-commerce channel, brand-store sales, long daisy chains of resellers, OEM partners, VARs, online traders, and – legend has it – high-end electronics retailers like Best Buy. Some sales models focus on the end user, while others are squarely aimed at projects with commercial clients. The education system is also a popular market. Seeing the many different needs and expectations of these many models, Wibu-Systems asked itself: “What should the standard license portal look like?”, and the answer was that a single one-size-fits-all solution would be too complex and too unwieldy for most users, other than qualified computer scientists. This is why Wibu-Systems made the decision to produce an easily customizable, flexible, and expandable toolkit to design the right portals for each target group quickly and efficiently. Ockham’s razor applies: Entities are not to be multiplied without necessity”.
The Bare Bones
Where does WebDepot come into the picture? Wibu-Systems’ WebDepot is the most basic configuration of the license portal, which includes all the functions relevant for anonymous single users. Why can the user stay anonymous? They get an activation code, the ticket, from the software developer, which is used for authentication in WebDepot. It is essentially the permission to activate the license. There is no need to record any user data, let alone create a user account. The only user information captured by the system is the serial number of the CmContainer in which the license has been activated, which is needed for updates or if the container is lost at some point.
The most basic function of WebDepot is the activation of licenses: The user enters the ticket and selects an available CmContainer for activation. If software-based CmActLicenses are the developer’s preferred license container, WebDepot recognizes if no soft container already exists and creates a soft container automatically on the user’s device. All these transactions between the user’s computer and the browser go through a WebSocket interface provided automatically by CodeMeter Runtime and supported by all modern browsers like Google Chrome, Microsoft Edge, or Mozilla’s Firefox.
Offline? No Problem!
Even in today’s hyperconnected world, there are cases in which a license needs to be activated on a device that is not directly connected to the Internet. For these instances, WebDepot comes with a special file sharing mode: The target computer for the license creates a con-text file for the chosen CmContainer, including the CmContainer’s serial number and public key, a certificate to confirm the public key’s authenticity, and any information about licenses already in the container (including a counter).
The user takes this context file to a computer that is connected to the Internet, from where it can be uploaded to WebDepot. An update file with the chosen license updates is then prepared and ready for download, while the system runs several automatic processes in the background. The user brings that update file back to the target computer, which can now access the fresh licenses in the CmContainer. In a third, optional step, the user could create a receipt for the process, which comes in the form of another context file to confirm the update by uploading the receipt to WebDepot.
Coming back to the automatic processes: The data they need are the serial number and the counter contained in the context file. With the serial number or, more precisely, the public key, the system can be sure that the update file can only be imported into the CmContainer it is meant for. It could not be decrypted outside of that container, nor could it be moved into a different container.
The counter is then automatically increased for each license update. When a context file is uploaded, WebDepot passes it on to CodeMeter License Central, which reads the counter first and immediately confirms all updates up to the current count. CodeMeter License Central then checks whether there are any updates not yet confirmed and creates an update file to exactly match the status of the last missed update. In the last step, the missed updates and the new update are combined in a shared update file. CodeMeter Runtime also uses the counter to understand which updates have already been imported and skips any redundant updates. This means that even if the user imports an outdated context file by mistake, the CmContainer is always updated to the most recent correct state.
Offline Made Easy
Push updates make life even easier for offline updates: They allow the user to select the right CmContainer from a list on WebDepot, removing the need for a context file of the target device altogether. The user only has to download the resulting update file and import it to the device, optionally with a receipt to confirm the transaction in WebDepot. A receipt is a good idea for support purposes, as it lets WebDepot know about the current state of the user’s device and can slim down the next update file by skipping any unnecessary license updates.
Other Standard Functions
WebDepot also makes it easy for users to move their licenses from one computer to the next. To do so, the license is formally returned from the original device; once this has been confirmed with a mandatory receipt, the license can be reactivated on the new device. The same mechanism can be used to simply return licenses, even though there are other and better options for this. Again, the developer decides whether the user has access to this function, which can be set individually for each license. Can this be limited to a number of instances or period of time? The answer should be clear from the tenor of this article: Flexibility – the standard setting sets no restrictions, but the system can accommodate any limit the developer wants to define as a rule.
Like all earthly things, licenses are also prone to getting lost. Computers can crash, and a dongle can end its life prematurely as a dog’s chewy toy. In these cases, the users can recover and reactivate their licenses to the extent allowed by the software’s developer. The old license or the old CmContainer would then be blacklisted to prevent fraud.
Over their working lives, licenses might have to be changed or edited by the developer as well. This could be done to expand a license, to change it, or to withdraw it if a user wants to return it or has simply stopped paying for the software. All these changes can be delivered automatically in the actual CmContainer via WebDepot.
One relatively recent addition to WebDepot is the ability to renew checkpoint licenses. These are special licenses that are meant to act like permanent licenses but are technically limited to a specific lifespan. They need to be refreshed regularly, which can be done with a simple WebDepot action or, more typically, by a background process started by the Software Activation Wizard in the protected software itself.
Software Activation Wizard
All functions of WebDepot and most of the expanded functions of the license portal kit can also be accessed from within the protected software itself, usually by way of a separate Software Activation Wizard. It communicates with a version of the license portal via a gateway, offering no GUI, but typically having the full range of features and abilities as the full license portal.
Portal or Wizard – what sounds like something out of a fantasy story is a simple question of use cases: A Software Activation Wizard is the perfect choice for users who will be online when licenses are updated automatically, which applies in particular to checkpoint licenses. WebDepot, on the other hand, can also be used to license software on offline devices, on top of other convenient features like a portable license overview. It is not a question of either-or, but of the right balance between portals and wizards to match the most likely use scenario.
The top expansion module is user management, which offers two options: If the software developer has already established some system to manage the software’s users, the license portal can easily be integrated with that system, generally using OAuth2, SAML, or SOAP. The benefits are obvious, as the actual end user only needs one account.
If there is no user admin system in place or no interface available to integrate it with the licensing system, Wibu-Systems has prepared its own user admin module, including user registration capabilities, with a flexible choice of user data that the system would require, ranging from email addresses, to country, company domain, user names to many other options. The resulting database can, of course, be migrated to an integrated solution once it is available.
Technically, user admin means the allocation of tickets to one or more users. Instead of entering all tickets manually, the user simply logs in to the license portal to see a list of all tickets and licenses.
Multi-Level User Administration
A far more common type of user administration works with several tiers and levels of users, e.g. in the following typical cases:
- Education licenses for schools and universities (faculty to students)
- Resellers (resellers to end users)
- Commercial clients (administrators to users)
In these cases, there is a qualified administrator (e.g. a faculty member, a licensed reseller, or a system admin) who manages licenses from their admin account, which the licenses can already be allocated to by the original vendor if the administrator is known. The administrator can then assign and distribute the licenses to the end users or students as required, with the developer having the right to decide whether the end users can activate the licenses anonymously with a ticket or need to create their own account. This gives resellers an easy means for collecting information about end users. With the privacy rules of the EU GDPR in mind, this is done with due consideration for the principles of data minimization and the right to be forgotten.
Users are sometimes given the right to sell their licenses on to other users. This can be necessary e.g. for companies selling on production machinery they no longer need. The new owner would need the license for the software running their new machine. This is possible with an additional option that allows the new owners to change the ticket to complete the license’s transfer. It works either by the ERP requesting this data or by the ERP system initiating the transfer process in the first place, with the old license taken back by the developer and a new license returned to the new user.
Many organizations want their members to have easy access to licenses without having to kick-start a complex process via the organization’s ERP system. There is an expansion module for this purpose that allows internal tickets to be used to create new single-user licenses. This bulk-ticket method can also be used for free demo or trial licenses.
What happens when the maximum number of license recoveries has been reached, or if the software vendor decides to allow no recoveries? In these cases, users can have the option of requesting a temporary emergency license via their license portal. The best practice for emergency licenses is to have them bound to the original ticket and limited to a duration of only a few days, but not limited in terms of the software’s features and functions. A limit can also be set to the total number of emergency licenses, with a threshold defined at which the service desk would be notified and given the power to decide on a case-by-case basis about each emergency license request’s merits.
Emergency licenses can be created in CodeMeter License Central, or a dedicated emergency CodeMeter License Central can be operated at a separate site by Wibu-Systems. There has never been an incident that needed such a secondary system running in the decade since the service was introduced – but it is a great feeling to know that the option is always there.
Electronic Software Distribution
The newest member of the family is the Electronic Software Distribution expansion module, which is used to keep track of available software packages and the related user licenses. By comparing the version of the software installed by the user and the activated license, one can ascertain which of the following three cases applies:
- The user already works with the current version of the software.
- There is a new version of the software that the user could enjoy.
- There is a new version of the software, but it is not supported by the user’s current license.
In the latter case in particular, this information allows software vendors to make their users an attractive offer to move over to a new version.
KEYnote 40 – Edition Fall 2020