17 replies to this topic

[Idov]

Hi!
Suppose that I have a license server that goes with my program.
The client installs both of them on his computers so when he tries to use a floating license, I can tell whether or not it is already in use.

The license server listens on a UDP port and the clients use it to communicate with the server and receive a TCP port number to which they should
connect in order to continue their conversation with the server.

Since the server is also installed at the clients, I cannot know which other processes run on the same computer while my server does and they might use the same UDP port. If they use the same UDP port, I'd either be blocked from using it or I'd have to share the port with the other process, losing messages since they go to the other process instead of going to my server.

How can I avoid this?
Should I use a configurable UDP port? The problem is that if I do it, the client will be able to run several license servers, each on a different port, unaware of each other while the clients will be able to use the same license on different instances of the server... I'll miss the whole point...

What should I do?
thanks

Edited by Idov, 14 September 2012 - 08:17 AM.

[Bacterius]

I don't understand your use case, why does the client have access to the license server? Doesn't that defeat the point?

[Idov]

I don't have a website yet, so the license server can't be there...
This also will allow computers which are disconnected from the internet to use it too.
(I think that Matlab, BoundsChecker, etc. do it this way too)

Edited by Idov, 14 September 2012 - 09:34 AM.

[l0calh05t]

Yes, FlexLM (the license server used by many professional CAD/CAE tools and Matlab) is similar. Maybe you should make the UDP port used part of the license? FlexLM uses an Ethernet ID (~MAC address) and the servers name.

[Idov]

But that won't solve it because if that license-dependent port is taken by another process, the problem will remain.

[GWDev]

Hello Idov,

are you sure, you need to check the license all the time?
Let the client "Check-out" a license for a number of days (or weeks) and after the time limit it has to have access the internet to connect a master license authority and renew its license. Like a certificate that expires.
Of course you would still have the problem, that if someone cloned a valid license over multiple VMs with exactly the same charactaristics you wouldn't be able to catch that. Someone might even reverse engineer your server to circumvent this all together.
Do you really expect that to be a major problem? Are we talking about a thousands of dollars per license software that has an extremly small market? If yes, you might need to check into professional solutions or even track every registers site of use.
But if you are talking about a 5 Dollar Game, than invest that time into the game and learn to live with the illigal copies out there.

--GWDev

[brx]

I don't understand your use case, why does the client have access to the license server? Doesn't that defeat the point?

Actually, not at all. As already mentioned, especially in the CAD/CAE/CFD field many license models work like that (e.g. StarCCM+, Flowtech Shipflow, NUMECA tools). You get a license issued to a server and several clients can connect to it. FlexLM is a great (and most commonly) used program to achieve that.

Back to the OP...
I assume FlexLM is no option for you. If we are talking about a software where each license is worth a couple of thousands dollars (or euros or the equivalent value in any other currency), then I'd say looking into professional solutions for this problem is definitely worth it. Again (as I am working in the CAD/CFD field and have good experience with it) FlexLM would be a very good option in that case.

Now, if you really want/need to roll your own:
Having a server application with non-configurable ports is a no-go imho.

First of all, (of course) the floating license needs to be node locked to the server it runs on. I assume that's a given, but I'd still like to stress it. HDD-serials and MAC-addresses are good candidates for that. They are easy to get from the OS and rarely change. Limiting the license to the OS is also a good way to go, to avoid "cracking" your license using parallels, for example.

To circumvent the problem of having multiple servers on the same machine I would take a shared memory approach. I don't know what language your server is in, but for C++ the boost interprocess library offers a ncie API.
I'd generate a signature based on the hardware infos stored in the license (which are neccessary and would prevent the license from working on that particular machine if they were changed) and put that into the shared memory. Then have every instance of the server access that shared memory and look for that signature. If it's there, the license is in use and cannot be used again. If it isn't, store the signature in the shared memory which locks it for other instances of the server.

About the VM thing... Sure if the original license was issued for a VM, it is possible to clone it which would cause the same hardware IDs to be generated and then multiple VMs could run on the same license.
However, for most VMs (VMWare, Virtual Box, for example) there are pretty good methods to detect them. It usually involves using some inline assembler, but google it, and then it's only copy paste ;)
So I would actually put a check in the server (which we do for our software, btw.) to prevent it from running on a VM. You might even put a switch in your license to allow customers that can explain why they want to run the server in a VM to do so (which we do).

[Idov]

The problem with multiple servers is when they run on different computers...
Servers running on the same computer be dealt with by not allowing 2 instances of the server to run on the same computer

Why does a floating license need to be node-locked? isn't it supposed to be not limited to a specific computer?

BTW: My program is a performance profiler, I don't know what the price is going to be yet...

[Idov]

are you sure, you need to check the license all the time?
Let the client "Check-out" a license for a number of days (or weeks) and after the time limit it has to have access the internet to connect a master license authority and renew its license. Like a certificate that expires.
--GWDev

I want to give other user the option to use the license if it was idle for a period of time, so every time a user wants to use it I check if it's idle or not.

[l0calh05t]

You can also check for other copies of your license server running on the same machine.

Edit: Somehow this post got delayed by a few hours. Kinda irrelevant now...

[brx]

Why does a floating license need to be node-locked? isn't it supposed to be not limited to a specific computer?

The purpose is that the license for the actual program (your performance profiler) is not limited to a specific computer. Limiting the license server to a specific computer doesn't affect that.
That is actually how it is handled in FlexLM. You get one "master" license file that only works a certain computer which is running the FlexLM server and which includes the maximum number of running instances (overall) for your program. Now when other computers start the program they contact the license server and if a slot is free the program will start.

[l0calh05t]

Some FlexLM licenses do support checking a license out for disconnected use, but that is the exception.

[Idov]

Hmm... so that means I'll have to create a "license activator" which will communicate with my still-non-existing website, right?
I'll give the user a license for the client and another license for the server, then in order to activate the server, he will feed in the server license, I combine it with his MAC address and send him a new license composed of the old license and the MAC address and the new license will go into the license server...
Did I get it right? is this how it's done?

[Idov]

oh... and one last question.
Will it be really bad if I ask the user to enter his MAC address on my future website (right after he inputs his username, company name, etc.) instead of doing it automatically?
He can find it out by typing "getmac" in the command line.
(I mean in terms of security and user experience.)

Edited by Idov, 15 September 2012 - 05:08 AM.

[GWDev]

Will it be really bad if I ask the user to enter his MAC address on my future website (right after he inputs his username, company name, etc.) instead of doing it automatically?

This might be a problem with business customers. The one buying the license might not know this information.
E.g. I simply tell IT Service to buy X of that and Y of this, but usually i do not include the MAC Adresses. And to be honest, this extra work to collect all the information (computers might not be delivered for new employees. Existing ones are changed every few years), i would do this for an absolute must have software. Otherwise i would simply choose to buy a different product (if available).
If you are not sure about the price of your software now, this might be something to think about before you invest time in a license server.
You could simply offer a company or site license and be done with this problem. This is only a problem with really expensive software.

[Idov]

ok, it's a bad idea
I'd rather that people will buy and steal it than simply ignore it...

about my initial problem:
I'm not sure about using node-lock license for the server because it seems like an overkill right now. Also I'm not sure how to do it yet.
I thought that maybe the server should scan a range of 50 - 100 (maybe more?) UDP ports in the middle of nowhere and stop when it find a free one.
The clients will also scan these ports and try to connect to the server. If it gets more than one response from the server - it will know that there are more than one server and will not connect to either of them!
Sounds good?

Edited by Idov, 15 September 2012 - 07:52 AM.

[brx]

That would be an option. But, applications that go around scanning ports might trigger security mechanisms.

About the hassle that companys go through to use your software: It all depends on how unique (and good) your software is. If there is no alternative companys will do quite a lot of stuff to use it. But it would be very inconvenient if the customer has to manually type in the hardware information. Plus, instead of you obtaining the actual hardware information, I think it would need to be some kind of hashed value.
What I would do is to have the server generate a license request including the hashed hardware information at install time. Then send that to you. The license file is then generated at your site and sent back. Of course, this would be a lot nicer if you would actually have a server to contact instead of having to use emails for that. Depending on the expected number of sales processing those emails may get quite annoying on your side as well.
I would also not only use the MAC address(es) of the server as it is actually possible to change them.

Yes, creating your own license system is quite a hassle. So, again, looking into exiting ones might be worth it.

Overall, I agree with GWDev. Site licenses (for example key based, similar to windows licenses) are probably the easiest way to go.

[Idov]

Ok, I'll check and see what I'm going to do.
Maybe I won't have node-locked licenses ar first but only floating and site licenses.

thanks everybody