Adding per workplace license to an existing application [closed]
Closed 7 years ago.
I've been asked to think about a licensing setup for our application.
- Customers 'hire' 10 workspaces (defined as a user with a workstation)
- Customers always have a server running with our software.
We're thinking about the following setup.
- One of our internet facing servers* does the workspace validation (*license server)
- User machines have 'some' unique fingerprint that is reported to our license server
- The customer's local server 'tracks' all fingerprints in use and reports a list of validated workspaces to our license server
Our current problem is how to generate and collect a unique fingerprint for all user machines, especially if they are running on virtualisation stacks like Citrix.
For normal machines we can just use a MAC address with some added extra details.
Is there a global unique hardware ID on all machines and especially Citrix environments that is always unique per workstation?
Are there some must-read links to people implementing license environments with stories based on experience?
Some extra information:
- The customer local server is always connected to the internet
- If our licensing server is down we can always use a grace period or a telephone unlock code.
Facts you'll have to think about:
- The machine or workstation notion is not really usable; now with Virtual Machines, Remote Sessions, Hypervisors, etc... the "hardware" does not exist anymore. Everything becomes "virtualware" :-)
- The security of new Windows versions (aka Vista, 7) has been considerably strengthened, including the UAC. This is good for users but not that good for developers. It means your users may not be able to read hardware information, or write on the disk outside of their environment (c:\users\john\...)
- Users simply move from machine to machine (roaming). And this is getting more and more true every day with the generalization of portables, PDAs, etc...
It means, you'll have to think about a system more tied to users than to machines.
I would avoid installing drivers, dongles or hardware stuff, or special processes or services with elevated privileges because this may not support every scenario, from now on.
So you can implement this by giving keys (like Microsoft product keys), tied to users (you can have a database that stores user <-> key relations). You could store a key cache "per-user" on every machine where the user logs on, so every time a user logs in, you check if he has a valid key, and if he hasn't you "activate" it and store the key (or a hash preferably). How you define keys and how you store them (credit card, USB key, etc...) is up to you.
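The per-user key cache described in the answer above, as an added Python example that is not code from the answer or from any product. The user names, keys, seat count and the choice of PBKDF2 for the cached hash are assumptions made for illustration; the dicts stand in for the vendor's database and each machine's per-user store.

```python
import hashlib
import hmac
import os

# Constructed user <-> key table held by the vendor; not real product keys.
KEY_DB = {"alice": "AAAA-1111", "bob": "BBBB-2222", "carol": "CCCC-3333"}


def server_activate(user, key, active, seats):
    """Vendor side: the key must belong to this user and a seat must be free."""
    expected = KEY_DB.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), key.encode()):
        return False
    if user not in active and len(active) >= seats:
        return False
    active.add(user)  # a roaming user occupies one seat, on any machine
    return True


def _digest(key, salt):
    # Salted, slow hash so the cached value does not reveal the key itself.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)


def login(user, key, cache, active, seats):
    """Client side: cache is this machine's per-user store (a dict here)."""
    entry = cache.get(user)
    if entry is not None:
        salt, stored = entry
        ok = hmac.compare_digest(_digest(key, salt), stored)
        return "cached" if ok else "rejected"
    if not server_activate(user, key, active, seats):
        return "rejected"
    salt = os.urandom(16)
    cache[user] = (salt, _digest(key, salt))
    return "activated"
```

A cache hit never contacts the server, so a revoked key keeps working on that machine until the cache entry is cleared.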
Using a USB dongle looks like the only alternative.
Check this link: http://www.answers.com/topic/dongle
But it may be tricky to make it work on virtual machines. The silver bullet here is using a network-attached USB hub (such as AnywhereUSB).
This means extra hardware cost to your company, plus angry customers.
I work for a company in the license management business (Agilis Software), where these issues have already been met and dealt with in the Orion License Manager (products from other companies such as Flexera or Safenet may also do so). Your requirements can readily be met by a software-only system (no dongles required), but for it to be effective and transparent to your legitimate users you do need to pay some attention to the details and think about the possible deployment scenarios.
First of all, while it is widely used I don't recommend the MAC address as the locking parameter. Many OSs allow the administrator to specify the MAC address, making this an insecure approach. It is better to use other hardware and software parameters, but the ones available will depend on the operating system and hardware platform. Obviously using more than just one parameter increases security, but then you probably want to provide some resiliency when people make minor changes to their system.
Virtual systems do preclude the use of these hardware parameters for locking, but each virtual session does still have invariant parameters you can use. For further security you can require each such session to periodically revalidate its license against the server (we call this a 'leased license').
Another issue you would need to think about is how users can reclaim and relocate a license if one of the workstations crashes.
If your customers are like many of the end-users Agilis's ISV customers sell to, you should also consider how the company can obtain their license if they don't have an Internet connection (perhaps they have an isolated internal network, or you can't get past their firewall). How will your on-site server obtain its license, and how can you be sure the customer doesn't replicate your server, so doubling their license entitlement?
(Needless to say, Agilis's systems do of course include solutions to these and other challenges).
Hope this helps,
Dominic
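An added Python example of the two ideas in the answer above: locking to several parameters while tolerating a minor change, and a lease that must be revalidated periodically. It is not code from the Orion License Manager or any other product. The parameter names, the 3-of-4 threshold, the lease length and the use of HMAC (which keeps both issuing and checking on the server) are assumptions.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
LEASE_SECONDS = 3600                  # assumption: one-hour lease
MIN_MATCHING = 3                      # assumption: tolerate one changed parameter of four

# Constructed sample; the page does not say which parameters to collect.
SAMPLE = {"disk_serial": "D-1001", "os_install_id": "OS-77",
          "cpu_model": "cpu-x", "hostname": "ws-01"}


def hash_params(params):
    """Hash each parameter separately so a single change can be tolerated."""
    return {k: hashlib.sha256(f"{k}={v}".encode()).hexdigest()
            for k, v in params.items()}


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_lease(params, now):
    """Server: bind a lease to the hashed parameters and an expiry time."""
    body = json.dumps({"fp": hash_params(params), "exp": now + LEASE_SECONDS},
                      sort_keys=True)
    return {"body": body, "tag": _tag(body)}


def check_lease(lease, params, now):
    """Server, at revalidation: 'ok', 'tampered', 'expired' or 'mismatch'."""
    if not hmac.compare_digest(_tag(lease["body"]), lease["tag"]):
        return "tampered"
    body = json.loads(lease["body"])
    if now >= body["exp"]:
        return "expired"
    current = hash_params(params)
    matches = sum(1 for k, h in body["fp"].items() if current.get(k) == h)
    return "ok" if matches >= MIN_MATCHING else "mismatch"


if __name__ == "__main__":
    lease = issue_lease(SAMPLE, now=1000)
    renamed = dict(SAMPLE, hostname="ws-01-renamed")
    print(check_lease(lease, renamed, now=1500))
```

Letting the client verify a lease offline would need an asymmetric signature, so that no signing secret ships with the client.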
Take a look at this article: Add Network Floating License Capability To Your Software
It has information on the basics of network based floating licenses and how these are implemented by our licensing system CryptoLicensing. If you can use a commercial off the shelf system, I suggest you take a look at CryptoLicensing - it meets most of your requirements based on the scenario you have described.
Disclaimer: I work at LogicNP Software, the developers of CryptoLicensing.