You are on page 1of 7

W H I T E PA P E R

Extending Your Software Revenue in a Virtual World
FlexNet Publisher Licensing Overview

Extending Your Software Revenue in a Virtual World
FlexNet Publisher Licensing Overview
Executive Summary
using license enforcement if the licensing enforcement does not account for machine virtualization. While the use of machine virtualization on the corporate desktop remains limited to specific tasks or verticals, virtualization in the back office is not only accepted but is the norm where if any given application is not virtualized it is considered an exception. Software vendors today face a real and credible threat from the risk of a license server being replicated on many virtual machines resulting in many more license entitlements than were originally purchased. This situation is depicted in Figure 1 below.
License Server Bound to Physical Hardware is Hard to Replicate License Server Bound to Virtual Hardware is Easy to Replicate

Various analysts purport that server virtualization has moved past the early adopter stage to that of strategic virtualization. For example, Forrester reports the adoption of server virtualization in enterprise IT will reach 65% by 2009 with 45% of x86 servers virtualized.1 This means software vendors must develop and communicate licensing policies that take into account that their license server and applications will run on virtual machines. It also means that licensing systems such as FlexNet Publisher must provide the appropriate enforcement and reporting tools to allow software vendors and their enterprise customers to confidently operate in this new virtual environment. Flexera Software research indicates that most software vendors have not modified their license policies to deal with virtualization. Longer term, software vendors recognize that new monetization models based upon usage must be considered. However, in the short term existing hardware centric licensing models must be applied to virtual platforms. This document describes how FlexNet Publisher enables software vendors to embrace virtualization by providing various means to enforce licensing on virtual machines. This paper describes approaches and technologies available today as well as those that are being considered in the future.

Guest OS VM Hypervisor Operating System

Guest OS Guest OS

LICENSE SERVER

LICENSE SERVER

Compliance and Piracy Challenges of Virtualization

Software vendors’ licensing policies and approaches range from compliance for trusted customers – to prevent accidental over use, to strict enforcement for piracy prevention efforts – for markets that pose more risk of intentional overuse or outright piracy. License enforcement technologies, design practices, and processes that are in use today do a good job at keeping honest customers honest and to discourage the casual exploiter. Machine virtualization technologies have changed the landscape of IT organizations by making it easy to create multiple virtual machines on a single physical machine, any one of which easily possess the same characteristics of any other machine. The very nature of machine virtualization is obvious and enticing for the enterprise customer, however this technology poses challenges for the software vendor
1

Guest Gues Gue t OS Guest O ue Guest OS Guest OS st t LC LIC N LICENSE CEN Guest OS SERVER SE V ERV E
LICENSE SERVER

LC LIC N LICENSE CEN SERVER SE V ERV E

Figure 1: License Server Instances Bound to Physical or Virtual Hardware

Over the past several years, Flexera Software has collaborated with leading virtualization vendors as well as software vendors to develop specific approaches that mitigate the risk virtualized environments pose. Software vendors tell us that they want to include traditional license models in virtual environments as well as new software licensing models. This approach is not only important in

As reported in the FORRESTER white paper entitled “x86 Virtualization Adopters Hit the Tipping Point,” November 30, 2007

2

Flexera Software: FlexNet Publisher White Paper Series

Extending Your Software Revenue in a Virtual World

order to maintain backward compatibility with legacy clients deployed at many end user locations but also allows them to transition to new licensing models over time. The challenge for the software industry is the lack of a universal method to detect and interface with the multitude of virtualization platforms available today. Flexera Software has addressed this by engaging in dialogs with the virtualization vendors to define a supported interface method between FlexNet Publisher and their virtualization platforms. In addition, Flexera Software has also developed a Virtualization API specification in collaboration with several virtualization vendors. This standard provides a uniform interface method that allows Flexera Software to more rapidly support virtualization platforms.

architected with the idea that UUIDs are always unique. If the UUIDs are not unique the system will issue errors until this situation is corrected. In the scenario depicted in Figure 1, permission to run on a VM is granted and the licensing server is able to run on any machine so long as it remains within the specified VM container. This approach to binding gives confidence that license entitlements are not replicated on additional virtual machines. At the same time the IT administrator can take full advantage of the advanced VM functionalities like high-availability and fault tolerance, since the licensing system can move from one physical machine to another without reconfiguration. In this configuration, FlexNet Publisher report log contains both virtual and physical platform data and license checkout denial information. For those markets and customers deemed to be in the middle of the trust range, the publisher can compromise with the enterprise by allowing the licensing system to operate on a virtual machine but requiring the licensing server to be bound not to the characteristics reported in the virtual container (e.g. MAC address, HostName, etc.) but to the physical hardware of the host machine. Known as bare-metal binding, FlexNet Publisher includes a locking mechanism to ensure the license server is not able to issue licenses from a second VM on the same hardware platform. In this scenario, permission to run on a VM is granted but physical binding is also required to increase confidence that license entitlements are not replicated. The report log contains virtual and physical platform data along with license checkout denial information. This approach is more secure than VM container binding, but erodes much of the value of running the licensing system on the virtual platform since it can only be moved if new bindings are issued by the software vendor. The next sections explore in greater depth the three enforcement models available in FlexNet Publisher.

Flexera Software’s Approach to Licensing Enforcement in a Virtualized Environment

FlexNet Publisher enables software vendors to establish an enforcement strategy based upon the level of trust they have with their customers. The trust range is graphically shown in Figure 2 below.

STRONG

WEAK

NONE

Permission: Allow Report: Log File

Permission: Allow Permission: Prohibit Report: Log File Report: N/A

Binding: VM Container Binding: Physical Binding: N/A

Figure 2: Range of Trust between Software Producers and their Markets

For markets or customers where no trust exists, the vendor can detect the presence of virtual machines and decide not to allow the license server to run, or not issue a license to an application that is running in a virtual machine. Referring to the above diagram, permission to run on a virtual machine (VM) would be denied, therefore, no binding and reporting would come into play. This approach is perhaps the safest for the vendor and may be justified for risky markets. However, software vendors should consider the reality of enterprise virtualization and the effect on customer satisfaction that may result from such a strict stance that is applied generally. To the other extreme, for markets or customers where strong trust exists, the publisher can detect the presence of a virtual machine and then bind the license rights to the Universal Unique Identifier (UUID) of the VM container. While it is true that UUID’s can be replicated and applied to additional virtual machines (either on the same or on different physical machines), the virtualization platform is

No Trust - License Enforcement Using Virtual Machine Detection

Software licensing in a virtual machine is predicated on reliably detecting the presence of the virtual machine. FlexNet Publisher incorporates a number of techniques to identify the presence of a virtual machine platform. While the techniques implemented allow the detection of a number of different virtual machine platforms, currently the VMware ESX Server and Workstation products are supported. FlexNet Publisher provides a balance between possible false positives and ensures these techniques are not easily defeated. If FlexNet Publisher identifies that it is being run on a virtual machine, the software vendor can implement, within their software, an appropriate behavior based on a defined license policy for virtualization. These business policies include the ability to:

Flexera Software: FlexNet Publisher White Paper Series

3

Extending Your Software Revenue in a Virtual World

• Refuse to start the license server in a virtual environment. • Refuse to enable a particular feature of the application or an entire application in a virtual environment. • Restrict a software feature or entire application to be functional only in a virtual environment. The following segment describes some use cases where the virtual machine detection capabilities can be applied to product pricing and packaging. Included are examples of the FlexNet Publisher syntax needed to implement the desired capability: 1. Software vendor A deploys only a served licensing model. They market low-volume, high-cost software and both casual and intentional piracy is a big concern for them. They do not want their license server to be deployed in a virtual machine due to the ease with which this can lead to license over usage. They require the license server to be on a physical machine within the data center. • This is implemented by the software vendor by setting a compile time switch within the license server customization code. Specifically, within the file lsvendor.c the following variable setting is made and the license server is built: FLEX_VM_TYPE ls_allow_vm = PHYSICAL; /* Restrict VD to a physical m/c only */ 2. Software vendor B deploys both served and unserved licensing models. Certain features of their application cannot run on virtual machines (e.g., they require connecting a measurement instrument using a USB port that is not supported on a virtual platform). They would like to disable these features on virtual machines while at the same time allowing the other product features to function on both virtual and physical platforms. • This is implemented by the software publisher by using the license file keyword VM_PLATFORMS on the FEATURE line as shown below: FEATURE measure_voltage admld 2.5 01-jan-2012 4\ VM_PLATFORMS=PHYSICAL SIGN=”00E3 ……” 3. Software vendor C deploys their software primarily using the un-served, node-locked license model. They are concerned about software piracy, particularly with their non-enterprise users and would like to restrict their software to physical hardware. However, they do want to support certain trusted enterprise customers who want to use their software on virtual machine instances. In short, they want to control the ability of their software to function on a virtual machine (or not) via the license file.
4

• This is implemented by the software publisher by using the license file keyword VM_PLATFORMS on the FEATURE line as shown below and granting these licenses on a case-by-case basis: FEATURE ultraplot admld 3.5 01-may-2011 4 \ VM_PLATFORMS=VM_ONLY SIGN=”00E3 ……”

Strong Trust - License Enforcement Using the UUID

In situations where strong trust exists between software vendors and their customers, it may be desirable to define a more flexible binding method that can be included within a licensing policy. FlexNet Publisher provides the capability to detect that the licensing system is operating inside a virtual container and then bind the license server to the UUID of the virtual machine container. While a UUID can be replicated and applied to additional virtual machines, the architecture of virtualization platform requires that the UUID is unique on the network. So while this could be used as a vector for piracy, virtualization platforms in legitimate enterprises would never have a situation where existing container UUIDs are duplicated.

Virtualizat ion Management VM1 UUID=XYZ
License Server UUID= XYZ

VM4 License UUID=AAA Server
UUID UID UUID= XYZ

VM2 License UUID=ABC Server
UUID UUID= Z XYZ

VM5 UUID=BBB

License Server UUID UUID= Z XYZ

VM3 Lic se License Serve erver ver e UUID=123 Server
UUID= UUID D= XYZ YZ Z

VM6 License erver UUID=CCC Server
UUID= UUID XYZ YZ Z

ESX SERVER PHYSICAL MACHINE

ESX SERVER PHYSICAL MACHINE

Figure 3: Binding to the UUID of the VM Container

Allowing the enterprise customer to bind to the UUID of the virtual machine container will allow them to support the license server and the flexibility to take advantage of other advanced virtualization management capabilities (such as a high-availability configuration) providing greater flexibility and security to their operation. • This is implemented by the software vendor specifying on the SERVER line of the license file the UUID value that should be verified before the license server runs. For example, on VMware ESX to bind the license server to only run in a container with a UUID value of 1234, specify: SERVER this_host VMW_UUID=1234…
Flexera Software: FlexNet Publisher White Paper Series

Extending Your Software Revenue in a Virtual World

Weak Level of Trust - License Enforcement Using Bare Metal Binding

Binding licenses to a virtual container ID (UUID) could result in license over usage in situations where the level of trust between the software vendor and the enterprise is weak. At the same time, strictly prohibiting it may complicate deployment models and overly impact customer satisfaction. The compromise for these situations is to allow the licensing system to operate on the virtual platform when it detects itself running in a virtual machine but require that the license system is bound to the physical hardware. In this method, the license server running on virtual machines will bypass the virtual hardware and establish bindings with the host system, referred to as bare-metal binding. In this situation, even if the virtual machine in which the license server is running is later copied, the bindings break rendering the license server inoperable. While the bare metal binding solves the problem of a license being copied from one physical host to the next that alone does not eliminate the possibility of over usage. Securing the licensing system to a single physical machine does not go far enough though. The licensing system must be aware that it is operating in a virtual environment, detect other instances of the licensing system, and prevent more than one copy from running on the single physical machine. FlexNet Publisher eliminates this possibility by enforcing the requirement to only allow one instance of a license server (of a software vendor) to run on a given physical machine. The capabilities of FlexNet Publisher for licensing situations where the trust levels are weak are depicted in figure 4 below.
Bare Metal Binding wit h Mutex Lock Prevents Mult iple Instances of t he License Server on t he Same Physical Box

This approach provides advantages to both the software vendor and their enterprise customers. The software vendor has reasonable assurance of a relatively secure licensing solution, while the license administrator can deploy the licensing solution in a data center with virtual machine installations. The following segment describes some use cases where both virtual machine detection and bare metal binding capabilities can be combined using FlexNet Publisher features and syntax to implement a robust license enforcement capability where trust levels are weak: 1. Using the capabilities available in FlexNet Publisher, software vendor A from above can expand upon the virtualization detection implemented previously to include bare metal binding and licensing system detection for additional license enforcement capability, while not having to build different versions of the license server. This allows the producer to selectively relax their requirement of a license server only running on a physical machine on a case-by-case basis for increased customer satisfaction. • The software vendor implements this by specifying keywords on the SERVER line in the license files. This keyword specify: a) the platform type that the license server is authorized to run on, and b) the hostid type. Some examples are shown below: • Example 1: To restrict the license server to VMware ESX server and to use the Ethernet address of the physical hardware, specify: SERVER this_host VMW_ETHER=1234 • Example 2: To restrict the license server to a physical machine and to use the IP address of the machine as the hostid type, specify: SERVER this_host PHY_INTERNET=10.10.12.101

Bare Metal Binding Makes t he Licenses Hard to Copy

Guest OS VM Hypervisor

Guest OS

L LICENSE S SERVER

Guest OS

G Gu t O Guest OS

Best Practices for the Software Vendor

Guest OS

LICENSE SERVER

G t Guest OS

LICENSE SERVER

Figure 4: Solutions with Bare Metal Binding and Mutex Lock

The implementation details within a licensing system are the expression of the relationship between the software vendor and the customer. Pricing, packaging, support, and more feed into the licensing system which enforces important aspects of that relationship. Before embarking on the implementation details within the licensing system, software vendors should review the impact that machine virtualization has on pricing, packaging, support, etc. From that review the implementation details will become clear for what the licensing system should enforce.

Flexera Software: FlexNet Publisher White Paper Series

5

Extending Your Software Revenue in a Virtual World

Flexera Software recommends that software vendor start with a more restrictive approach to their policy of the licensing system in a virtual environment and then later relax the policy on a case-by-case basis. An example would be to restrict to a physical machine only, then that restriction can be relaxed for specific products, customers or geographies without needing to change the software deployed at customers. Caution: If you are using certificate style licensing, once the license rights are issued it is not possible to recover or replace the license rights with any level of confidence that they are not still in use. Only if an expiration date is set in the license rights will the license rights ever cease to be valid, and then only once the date has passed.

• FlexNet Publisher is considered the industry de facto standard and Flexera Software was recognized as setting the standard in the industry – Amy Konary, IDC, June 2009 FlexNet Publisher is part of Flexera Software’s Entitlement and Compliance Management Solution, delivering broad capabilities for software licensing, entitlement management, software updates and software distribution.

About Flexera Software

Conclusion/Summary

Virtualization impacts all aspects of how a software vendor prices, packages, supports and sells their software. The natural extension of this impact is to understand how your licensing enforcement system is able to respond. Machine virtualization is real and widely deployed in all enterprises today, big and small. Flexera Software has collaborated with the leading virtualization platform manufacturers along with software vendors such as yourself to provide a rich set of capabilities that allow you to address the situation in a manner that provides a compromise between possible revenue leakage and customer satisfaction. Research by software industry analysts substantiates the industry trend away from hardware based licensing models toward usage based models such as subscription and SaaS. And as has been presented in this paper, the fundamental by-product of virtualization technology serves to remove the time-honored hardware hooks and metrics that producers have depended upon to secure and monetize their software. FlexNet Publisher provides you with the capabilities needed to embrace the machine virtualization wave that is prevalent today in the enterprises you serve.

Flexera Software is the leading provider of strategic solutions for Application Usage Management; solutions delivering continuous compliance, optimized usage and maximized value to application producers and their customers. Flexera Software is trusted by more than 80,000 customers that depend on our comprehensive solutionsfrom installation and licensing, entitlement and compliance management to application readiness and enterprise license optimization - to strategically manage application usage and achieve breakthrough results realized only through the systems-level approach we provide. For more information, please go to: www.flexerasoftware.com For more information on FlexNet Publisher and FlexNet Producer Suite, please visit: www.flexerasoftware.com/fnp

About FlexNet Publisher

FlexNet Publisher is the proven solution to enable software vendors and high-tech manufacturers to increase software revenues and simplify customer relationships by protecting against piracy and allowing them to quickly and efficiently adapt to new and evolving markets through the creation of new pricing models and versatile product configurations. • Over 3,000 software vendors and high-tech manufacturers leverage FlexNet Publisher licensing technology. • Over 20,000 FlexEnabled applications exist today. • FlexNet Publisher was awarded “Best Software Product for Software vendors” by SIIA in 2007.

6

Flexera Software: FlexNet Publisher White Paper Series

Flexera Software LLC 1000 East Woodfield Road, Suite 400 Schaumburg, IL 60173 USA

Schaumburg (Global Headquarters): +1 800-809-5659

United Kingdom (Europe, Middle East Headquarters): +44 870-871-1111 +44 870-873-6300

Japan (Asia, Pacific Headquarters): +81 3-4360-8291

For more office locations visit: www.flexerasoftware.com

Copyright © 2011 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners. FNP_WP_Virtualization_Oct11