If you receive errors when attempting to view this white paper, please install the latest version of
Adobe Reader.
"Agilis's Orion Network Licensing Platform is a complete product activation solution, since Orion allows software vendors to accommodate all their varying user environments: network-connected, partially-connected, firewall-protected and disconnected, while retaining full licensing flexibility and security across all these user scenarios."
Source: Agilis Software
Considering Product Activation? You Need to Think about These 10 Issues
Product Activation is also known as :
Product Activation License,
Software Product Activation,
Product Activation Application,
Activation Key,
Product Activation Licensing,
Activation Products,
Anti Product Activation,
Change Product Activation,
Online Product Activation,
Product Activation,
Product Activation Center,
Product Activation Crack,
Product Activation Failed,
License Validation Procedure,
Product Activation Generator,
Product Activation Keys,
Product Activation Number,
Information Product Activation,
Product Activation Patch,
Product Activation Phone,
Product Activation Process,
Product Activation Registry,
Product Activation Policy,
Product Activation Needs,
Product Activation Service,
Product Activation Technology,
Product Key Activation,
Registry Activation,
Product Activation Tips,
Reset Product Activation.
Product activation is unobtrusive, secure and flexible - if you do it right.
This paper describes some obvious, and some not-so-obvious, issues for software
developers to consider.
Product activation is a popular approach for securing software licenses.
However, software developers need to consider all the requirements for a capable
activation system, from the license models they'll need to support to how
they'll deal with the corner-case customer environments.
The basic activation process is typically as follows. Upon purchase the
software vendor sends a unique product serial number to the user. When the user
installs the application they are prompted to enter their product serial number.
Their application connects to the vendor's hosted license server over the
Internet to confirm that this product serial number is valid and has not already
been used to activate a license. It also obtains from the license server the
license limits that apply to that user's license, such as a time limit or
enabling of product features. Finally it locks the license to the user's system
by reading certain machine parameters, such as the MAC address or hard disk ID,
and encrypts the license limit and locking information in a file which is saved
on the user's system. Once activated the application interrogates that local
encrypted file to perform its license check, so continues working on that user's
specific machine within the defined license limits with no further communication
required with the vendor's systems.
Sounds simple enough... but here are the ten areas you need to consider as
you select a product activation system.
License models
What are the license models you wish to offer across your target markets? Are
there other models Marketing might want to offer next year? Here are some
possibilities:
- Time-limited licenses, for trials or subscription
licensing
- Feature-enabling, to offer different price points or to
package your product for different verticals e.g. a customer's license might
have Feature A to be OFF, Feature B at the Pro level, Feature C at level 5,
Feature D on a 30-day trial and so on.
- Usage-based licensing. This could be metered (where the
usage is tracked for subsequent reporting and billing, but not limited) or
debiting (where the user purchases a usage quota which is depleted as the
application is used).
- Custom licensing. Maybe you need to communicate some
licensing parameters to your application, such as the Terabytes of data to
address, number of communication channels to support, number of pages open
at any one time and so forth.
- Some combination of the above e.g. enabling each
feature with its own usage and time limit.
Disconnected systems
Not all computers have an Internet connection, so you need to consider how
you will support your users who are on isolated corporate networks, or just
can't get a network connection from their laptop. The whole point of product
activation is automation and convenience - you don't want to have to set up
phone support (during working hours, 24x7?, multi-lingual?) to help people
without a network connection. Luckily, there are some solutions... if you pick
the right system. For example:
- User self-service activation. Does the activation system provide a way
for users to activate licenses on disconnected systems? A common approach is
for the licensing software, when it finds it can't connect to the hosted
license, to encrypt the locking and product serial number information in a
file, which the user then hand-carries to any web browser for upload to the
vendor's self-service web page. The vendor's system accepts the file, checks
it, and returns the encrypted file needed to enable the license. This file
exchange can also be done by email, or even snail mail.
- Proxy server support. In many sectors such finance, mil/aero and
government, users' systems don't have a direct connection to the Internet
but can access it via an HTTP proxy server. Can your applications access
your hosted license server via an existing HTTP proxy server?
- Install your own proxy server. If there isn't a suitable HTTP proxy
server available, does the activation solution include its own proxy server
for installation on the customer's network?
Security
The idea is to protect your applications from hacking and 'honest abuse'
(oversubscription by legitimate customers), so you need robust security. Here
are some questions to consider:
- If you issue time-limited licenses for trials or subscriptions, is there
protection against users who try to extend their license by turning back
their system clock?
- Is there protection against users who try to hack or spoof the licensing
library built into your application?
- Is the communication between the licensed application and the license
server secure against man-in-the-middle attacks, replay attacks, and
counterfeit attacks?
- If you are tracking license limit data locally for each user, are these
records secure against hacking and rollback to prior versions?
- Can no-one else set up a license server and issue licenses for your
product?
Node-locking
The general approach to preventing a license from simply being copied onto
another system is to lock each license to your desired parameters of the target
system, such as the MAC address, host ID, hard disk ID and so on.
So far so good, but here are some node-locking questions to ask:
- Is the node-locking mechanism flexible and extensible, so you can lock
to the parameters you wish?
- Does the node-locking mechanism follow generally-accepted computer
science principles, and not do such tricks as bypassing the operating
system, with all its unforeseeable consequences (such as breaking just
because the user installed a boot manager, or upgraded their operating
system)?
- Can you secure licenses on virtualized systems (e.g. VMWare), where the
hardware parameters can legitimately change for a licensed user? How about
supporting users who run Windows on a Mac?
- If you want, can the node-locking mechanism provide resiliency against
small changes, so not inconveniencing users who make a minor system upgrade?
- Can you specify a set of locking parameters, with the license working if
any one of them is matched? For example, perhaps your user wants to be able
to run their license in one of any four machines - can you accommodate this?
- If some users really prefer dongle-based licensing, can you lock to a
dongle as well?
- If you sell a system with your own custom hardware in it, can you lock
the license to, say, the serial number in your custom hardware?
- How do you deal with the inevitable 'My machine crashed - how do I
restore my license?' user inquiry?
License Relocation
The fact of life is that users often want to move their license to a
different system, months or maybe years after it is first activated. This
appears straightforward, but there are some
issues to consider:
- Maybe you don't want to offer this facility to everyone. Can you control
which users are allowed to relocate their licenses?
- For users who are allowed to relocate their license, can you control how
often they can do so? You may not want them doing so every day (that sounds
like they're sharing the license with others).
- Is there are any intervention required on your part during a license
relocation, or does the product activation system take care of it? Is it
secure?
- Can licenses be deactivated on disconnected systems?
- Your application may well have some settings your users adjust as they
work with it, so your application runs exactly as they like it. Do they have
to set these up again on the new installation (that would be annoying), or
can you transfer them automatically?
- Does the product activation system track license relocations, so you
know what your users are doing? Could it alert you when a relocation is
done?
License Revocation
Maybe you don't fully trust your customers, or perhaps you sell your product
on credit, or on a monthly subscription, so might need to revoke a user's
license if they didn't pay up or re-subscribe.
- Can your activation system revoke a user's license?
Reseller sales
Perhaps you sell via resellers or OEMs now, or plan to do so. Maybe your
sales department is looking for resellers overseas, or has it in their strategic
plan? In that case, you'd better be ready to deal with the basic issue: how do
you delegate order fulfillment (if desired) to your reseller, while still
keeping track of the licenses they issue?
- Can your activation system allow resellers to issue licenses?
- If it does, can you restrict the range of licenses they can issue? For
example, can you prevent them enabling certain features that aren't part of
their agreement with you, can you limit the number of licenses they issue,
or set a maximum time limit on the licenses they issue?
- Can you generate a report on the licenses they've issued? Can they?
- Can you receive an alert when they issue a license?
Extensibility
While you may think that all your customers' needs will be met with a product
activation approach, what if that isn't the case? Perhaps some users will not
want any information to go out of their organization at all (often the case with
some government and financial institutions).
- Can your activation system also support, say, dongle-based or floating
licensing over your customers internal network, with no outside
communication required at all?
- If you do need to support floating licensing or dongle-based licensing,
does engineering have to re-do the licensing integration, or does the
existing licensing system they integrated for product activation support it
without needing any modification or replacement?
Platform support
Of course you need to protect your application on all the computer platforms
you support.
- Does the activation system provide a client library for all your current
platforms?
- How about platforms in your product roadmap?
- How about 64-bit platforms?
- What if a major customer requires support for a non-standard platform -
can you readily obtain it?
- If your application is in Java, and you take advantage of Java's
platform independence, is the licensing library actually multi-platform, or
are you introducing platform dependency?
Back-office integration and infrastructure
If your business involves a large number of licenses, or you expect it to,
you may want to automate license fulfillment.
- Can you automate fulfillment from your back-office/CRM system, say via
Web Services?
- Can you automate management tasks, such as backup, archival and
reporting for the licensing system?
- Maybe you don't want to host the license server at all. Is there a
3rd-party managed service available?
Clearly not all of these questions will apply to all software vendors,
however they hopefully provide food for thought, and suggest areas you should
consider to ensure your product activation deployment is successful.