FlexNet Publisher Trusted Storage Unique Identifier – Usage Guidelines


Published on

This White Paper presents an evolution of the various methods that FlexNet Publisher Trusted Storage has utilized to identify a client system to its server with an emphasis on best practice recommendations of using the Unique Machine Number (UMN).

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

FlexNet Publisher Trusted Storage Unique Identifier – Usage Guidelines

  1. 1. W H I T E PA P E R FlexNet Publisher Trusted Storage Unique Identifier – Usage Guidelines
  2. 2. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines FlexNet Publisher Trusted Storage Unique Identifier – Usage Guidelines Executive Summary The publisher can use these multiple sections of TS and This White Paper presents an evolution of the various apply stronger or lighter binding to that section, depending methods that FlexNet Publisher Trusted Storage has utilized on the binding configuration applied to that section. to identify a client system to its server with an emphasis on best practice recommendations of using the Unique Machine FlexNet Publisher’s flexible binding features mean that some Number (UMN). binding change can occur without the fulfillment records stored on the machine losing trust. However, since the Requirement for Client System Identification Machine Identifier includes all binding items, it will change Various methods of identifying a client system have been if any item changes. If more than half of the weighted introduced for different purposes at different stages in the binding items simultaneous change, this is known as a evolution of FlexNet Publisher Trusted Storage. All of these binding break. methods have been retained for backward compatibility. In addition, some legacy identifying methods may be This allows a publisher to trade off strong binding, with high necessary for some operational modes that are protection at the risk of a support call if some element of described below. the binding changes, against weak binding, where there is basic protection against fraud but much less chance of the Machine ID end user being inconvenienced if a physical characteristic of The Machine ID (MID) is generated from machine binding the system is changed. By default in FlexNet Publisher strong items as configured by the user. Binding items are individual binding is enabled. Weak binding can be physical characteristics of the machine that are used configured by explicitly disabling binding items in the individually or in combination to create a signature of the trusted configuration. system hardware. It is for this reason that Machine ID is also known as the “Binding Hash.” MIDs have their shortcomings. They are subject to change since they are based on multiple binding items that are user When implement ing Act ivat ion in FlexNet Publisher, license selectable. Furthermore, some binding items are more likely rights are held in a secure “vault” known as Trusted Storage to change than others (e.g., IP address). (TS). The Trusted Storage is unique to each machine and t his uniqueness is maintained by t he publisher who may Since this value can change when Trusted Storage is wish to apply different licensing strategies to individual repaired, the server must keep an audit trail of previous features or to complete software packages. To allow t his MIDs to track the client. Unfortunately, when system changes granularity, Trusted Storage can be divided into sect ions occur which are within security tolerance, they do not to match t he features or applicat ions of t hose ent itlements necessarily trigger repairs. The result is the activation server t hat are being managed. may not have a record of the most current MID on the client machine. Therefore, it is inadvisable to base a reinstall The MID is generated in the client at the request of the business decision solely on MID. server. In the case where multiple trusted storage sections exist on the machine’s hard drive, there will be more than This susceptibility to change (“brittleness”) may be reduced one MID on that system. by removing the HID_SYSTEM and HID_INTERNET binding items from the trusted configuration.2II Flexera Software: FlexNet Publisher White Paper Series
  3. 3. FlexNet Publisher Trusted Storage Unique Ident ifier Usage GuidelinesPreviously, the Machine ID was recommended as the best UMN, therefore, is derived according to the type of clientmeans to authenticate a system but an improved approach, system or “platform.” Mindful of the possibility that it maybased upon lessons learned, has superseded this method. not be possible to generate a UMN in certain circumstancesThis method is known as UMN and is described below. on certain machines, a second mechanism was defined for each platform, to be used as a backup approach.Unique Machine NumberThe Unique Machine Number (UMN) was introduced in This is the reason why there is a primary UMN1 andFlexNet Publisher v11.3 in an attempt to overcome the a fallback UMN2. UMN1 is the first-choice on eachshortcomings of the techniques described above. platform. It has been chosen to give the best chance that each machine will have a different UMN, but may not beUMN is designed to be unique and constant. Not available on all machines.dependent on being a stored value, it is intended that itcan be faithfully regenerated on a given piece of hardware UMN2 is the second-choice on each platform. It has beeneven after a complete system wipe and be used to positively chosen as being available on a very high percentage ofidentify itself as the client system that was originally issued machines but with a greater chance of duplication.license rights. Sources of UMNUMN is now the best practice method of establishing and FlexNet Publisher clients are supported on a wide range ofverifying client identity and is described in greater detail in platforms, and so a number of different means of generatingthe next section. UMN values exist depending on the underlying hardware.TSSN Since UMN was introduced in FlexNet Publisher v11.3,The TSSN is a randomly-generated, unique number stored in experience has been gained which has prompted a changea trusted storage file when it is first created. However, this is in strategy regarding the source of information used tonot linked to any physical attribute of a machine’s hardware. generate the UMN values. This change is manifested in FlexNet Publisher v11.6.1 and beyond.The TSSN can be used to identify a particular instance oftrusted storage (i.e., the file but not the machine it is on). UMN2 on Windows systems is now derived from the MAC address of the primary network interface. This is determinedUMN in Detail by ignoring any class of network interface that is not on aIntroduction physical bus. This means that removable and virtual networkUMN was introduced in FlexNet v11.3 to overcome the interfaces are not considered, ensuring the reliability ofconsistency problems with MID described above. UMN2 on Windows.The intent was to derive a means to uniquely identify an Diagram 1 lists UMN1 and UMN2 derivations for eachend user’s computer system for subsequent licensing supported platform.transactions. UMN identifies the client system to whichlicense rights apply.UMN is used when initially granting activation rights, inreturning license rights, and when repairing an activation(which requires confirmation of the client being the sameone that originally received the allowed activation).In an ideal world, all systems would have a globally-uniqueserial number burned into the main circuit board. Indeed,some of the high-end workstations from HP and SunMicrosystems provide this. However, for all other systemsthe next best identifying technique is UMN.Even with an unchanging, unique identifier, a softwareproducer’s business logic would still have to handle the casewhere the main hardware failed and had to be replaced,causing the unique identifier to change.Flexera Software: FlexNet Publisher White Paper Series 3
  4. 4. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines v11.3 – 11.6.0 v11.6.1 onward Platform UMN1 UMN2 UMN2 Windows Boot disk serial number. Boot disk geometry. Primary Ethernet MAC address. Mac MAC Unique System ID. On newer systems, this ID is burned-in Primary Ethernet MAC Primary Ethernet MAC to the motherboard, so the number cannot be changed. For address. address. older systems, this information is on the disk and can only be overwritten by low-level formatting. Linux Hard disk serial number. Primary Ethernet MAC Primary Ethernet MAC Only available if FlexNet PublisherLicensingService is run. address. address. AIX Unique hardware serial number. Available on all PCI based AIX Primary Ethernet MAC Primary Ethernet MAC hardware. address. address. HP/UX Unique hardware security key Primary Ethernet MAC Primary Ethernet MAC address. address. Solaris Serial number generated during manufacturing and written Primary Ethernet MAC Primary Ethernet MAC to the EEPROM. Please note that this value changes on OS address. address. reinstallation on Sun or PC hardware but not on SPARC. Diagram 1. FlexNet Publisher clients are supported on a wide range of platforms, and so a number of different means of generating UMN values exist depending on the underlying hardware. Potential Shortcomings Best Practice As can be seen, the preferred UMN1 value is a hardware The following operations are presented as Best Practice: serial number when it’s available. In the case of x86- compatible systems (the Windows and Linux platforms), this Anchoring is not available, and so the next best identifier is the serial On Windows systems, both track 0 and registry anchoring number of the hard disk retrieved programmatically. should be enabled (i.e. stick with the default). Unfortunately, for FlexNet Publisher client systems based Binding on Windows, there is not a consistent and reliable means Initial trusted configurations should use the default settings of interrogating the hard disk serial number. It can also for binding with everything enabled. However, to overcome be seen that all systems derive the fallback UMN2 value the brittleness of MID, it is recommended that the system from the system’s primary Ethernet MAC address, except (HID_SYSTEM) and IP address (HID_INTERNET) binding Windows systems. This can lead to problems explained in items be excluded. more details in the section Things that can go wrong with UMN. If Track 0 anchoring is turned off by default, as is the case in FlexNet Operations versions until 11.5, then it is UMN Post v11.6.1 recommended that track 0 is turned back on. If track 0 is not The shortcomings alluded to above (and described in turned on, then the binding item HID_MSN should also be more detail in a later section) prompted a move to derive excluded from binding. This is because HID_MSN is stored UMN2 from the Ethernet MAC address of the system’s in anchors, and could be subject to change in the case of a primary network interface. This was not done previously, in bona fide system restore. part, because network interfaces on Windows PC systems historically were usually add-in cards. The presence or lack Use UMN of a card, or indeed the possibility of exchanging cards, did Use UMN1 and UMN2 to assist in deciding whether to not suggest a reliable source of system identifier. approve a repair transaction. However, today network interface hardware on Windows Recommendations for the use of UMN on Windows platforms is typically a feature of the system’s main board, platforms and suitable fallback strategies now differ especially for notebook computers. It is now a more between the pre and post 11.6.1 versions of FlexNet obvious choice. Publisher. Accordingly, these recommendations are presented separately. Therefore, for FlexNet Publisher v11.6.1 and beyond, UMN2 for Windows platforms has been brought into Best Practice versions 11.3 to 11.6.0 line with the other clients to use the primary Ethernet For activations, repairs, and re-installations, it is MAC address. recommended that UMN1 be used as the first choice.4 Flexera Software: FlexNet Publisher White Paper Series
  5. 5. FlexNet Publisher Trusted Storage Unique Ident ifier Usage GuidelinesSoftware producers who have previously used Machine ID UMN2or TSSN to identify machines should update their licensing In FlexNet Publisher client versions before 11.6.1, thedatabase to record UMNs as a machine’s identity. The fallback UMN2 value for Windows systems is derived fromMachine ID is still available post v11.6.1 in all standard the geometry of the system’s primary hard disk. Note thatXML requests and the TSSN in repair requests. This means two hard disk drives with the same model number fromthey can be used to find out if a machine already the same manufacturer will have the same disk geometry.exists on the database and then to update the record to This approach has been found to be problematic in certaininclude UMN. situations where a cluster of client systems are of identical specification (e.g., having been specified and boughtProducers who use Machine ID or TSSN as the input to their en masse for a particular project). In this scenario, allbusiness logic (e.g., in deciding whether to allow repeated the UMN2 values are identical since the hard drives arerepairs) should now use UMN as the recommended form of identical and have identical geometries. This results in non-client identifier. unique UMN2 values being presented to the server with each client appearing to be the same.Things that can go wrong with UMN pre- v11.6.1While UMN is the best method to identify a client to Also, in RAID or virtual machine configurations, if thereits server, no technique is perfect. Several variables can were problems obtaining a serial number from the primarycontribute to problems with UMN. drive (as will often be the case), there may also be problems in obtaining the disk geometry.In decreasing order of severity: 1. Non-consistent or random UMN In these pre- FlexNet Publisher v11.6.1 Windows client – UMN changes when the query is refreshed or scenarios, it is recommended that UMN2 not be used. sometimes after reboot (common with RAID) Instead, the fallback is to use Machine ID with the HID_ 2. Non-unique UMN in some rare situations SYSTEM and HID_INTERNET binding items excluded. An 3. Brittleness example trusted configuration file that shows how to disable – Value changes after a hardware upgrade/repair. binding items can be found in Appendix A of the Trusted 4. Not obtainable Storage-based Licensing Programming Reference guide. – UMN not supported by the underlying driver or device. In summary, UMN1 on Windows systems generally works well, but some operational issues concerning UMN1UMN 1 have arisen due to the lack of a reliable, hardware-There is the possibility on Windows platforms using SSD, based identifier.RAID, or virtual machines (e.g., using VirtualPC or VMWare)that the UMN1 value may be random resulting in multiple Unfortunately, when difficulties do arise in deriving UMN1,re-install requests. For these same reasons, the UMN the fact that UMN2 on Windows is not guaranteed tovalue can also be non-unique, resulting in giving away be unique tends to compound the problem, especially inentitlements to multiple clients since they all have the same workgroups where identical hardware has been sourced orUMN identifier. if RAID or virtual machines are used.In these cases, including the condition where UMN1 is Best Practice for v11.6.1 and Beyondreported as being “not available”, it is advisable to use For activations, repairs, and re-installations, it is suggestedMID instead. that UMN1 be used as the first choice.It is recommended to upgrade to the latest version of the The behavior of UMN1 generation on Windows clients hasFlexNet Windows Licensing Service (available in the been improved in v11.6.1 with respect to handling SSD,FlexNet Publisher v11.6.1 and above) in order to remove RAID, and Virtual Machine disk configurations.random or non-unique UMN1 values from these types ofsystems. This version of the service will return the UMN1 In cases where FlexNet Publisher versions pre- 11.6.1 mayvalue as being “not available.” have become confused and produced changing UMN1 values, the enhancements described in this document willThe Windows FlexNet Licensing Service is designed to now yield a consistent UMN1 value or none at all. Thisalways be backward compatible with earlier versions of behavior is more predictable and robust and will removeFlexNet Publisher (back to v11.3). The licensing service may spurious re-install requests that were previously experiencedbe installed from the latest FlexNet Publisher kit. in these particular configurations.Flexera Software: FlexNet Publisher White Paper Series 5
  6. 6. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines When a UMN1 value is not available, UMN2 should be will not resolve this issue. Therefore, UMN1 should not be used instead because it is much improved in v11.6.1 and used in such systems in versions of FlexNet Publisher prior to beyond since it is disconnected from the primary disk 11.6.1. configuration details. The behavior for UMN1 in v11.6.1 is for UMN1 to be Producers who have previously used Machine ID or TSSN denoted as “not available”, and UMN2 should be used. to identify machines should update their licensing database to record UMNs as a machine’s identify. The Machine ID is Virtual Machines still available in all standard XML requests (and the TSSN The same issue mentioned above for RAID systems also in repair requests) in v11.6.1 so these requests can be used causes non-unique values to be generated for UMN1 in to find out if a machine already exists on the database and virtualized environments. This has been fixed in the FlexNet then update the record to include UMN. Publisher v11.6.1 client code, so it is not possible to pick up this fix by updating just the FlexNet Licensing Service. Producers who use Machine ID or TSSN as the input to their UMN1 should not be used in such systems in versions of business logic (e.g., in deciding whether to allow repeated FlexNet Publisher prior to 11.6.1. repairs) should now use UMN as the recommended form of client identifier. The behavior for UMN1 in v11.6.1 is for UMN1 to be denoted as “not available”, and the fallback strategy is for Side Effects of Changing the Source of UMN2 on UMN2 to be used, as described above. Windows In the unlikely event that a producer has been using UMN2 Note that while MAC addresses are unique in virtual on Windows clients (only in the small percentage of cases machine instances, it is possible for a user to modify them when UMN1 is not available) and then upgrades to FlexNet which is a possible area for license circumvention. Publisher v11.6.1, a re-install will be required since the value of UMN2 will be different due to the change in source FlexNet Operations used for it generation. In versions of FlexNet Operations prior to 11.5, only MID was used. It should be noted that FlexNet Operations has never used UMN2 for Windows activations pre-v11.6.1 so this will In versions of FlexNet Operations from 11.5, the following only affect LGT users. fallback is in place: Solid State Drive (SSD) All platforms: A number of Windows machines have been evaluated • UMN1, then for use with FlexNet Publisher that feature an SSD as the • MID primary drive. Those devices whose software drivers present them as an IDE drive appear to work as any normal disk In transactions between FlexNet Publisher client and FlexNet drive and yield a serial number for UMN1. Operations, the first choice for client identification made by the server is UMN1. Should UMN1 be unavailable, noted As previously stated, some SCSI devices present a problem by the lack of a UMN1 entry in the activation request, the in obtaining the disk serial number in FlexNet Publisher fallback is to Machine ID (MID). versions prior to 11.6.1. Since some SSDs appear as SCSI devices, this same condition may occur. In scenarios that do In versions of FlexNet Operations starting with 12.7 (where not yield a consistent UMN1 value, the fallback should be UMN2 is used), the fallback will be: used. This condition has been fixed in the FlexNet Licensing Service for Windows available in FlexNet Publisher All platforms: v11.6.1. • UMN1, then • UMN2, then RAID • MID Another issue has been found which allows non-unique and/or random values to be generated for UMN1 when the FlexNet Operations can detect this since the version number primary hard disk in an FlexNet Publisher client is a RAID is included in activation requests with the client and FlexNet configuration. Publisher v11.6.1 supports a robust UMN2. This has been fixed in the FlexNet Publisher v11.6.1 client code, so updating to the latest FlexNet Licensing Service6 Flexera Software: FlexNet Publisher White Paper Series
  7. 7. FlexNet Publisher Trusted Storage Unique Ident ifier Usage GuidelinesUsing UMN in the License Generator Toolkit (LGT) In summary, best practices for using UMN on WindowsThe recommendation is to adopt the same mechanism as in platforms are:FlexNet Operations, described above. • Enable all anchorsThe activation request contains the FlexNet Publisher versionnumber, platform type, UMN1, and UMN2 as shown in the • Exclude the two “brittle” host IDs from binding (HID_file snippet below: SYSTEM and HID_INTERNET) <OriginData> • For versions of FlexNet Publisher pre-11.6.1, <ClientVersion>11.6.1</ClientVersion> – Use UMN1 as primary client identifier <ConfigData> – Use Machine ID (MID) as the fallback <IsServer>0</IsServer> </ConfigData> • For versions of FlexNet Publisher post-11.6.1, <Platform> – Use UMN1 as primary client identifier <PlatformTypeName>i86_n3</PlatformTypeName> – Use UMN2 as the first fallback <OperatingSystem> – Use Machine ID (MID) as the second fallback <Info>none</Info> </OperatingSystem> • Always use the latest version of the FlexNet Windows </Platform> Licensing Service <UniqueMachineNumbers> <UniqueMachineNumber> • Incorporate appropriate reinstall and repair policies in <Type>1</Type> the back office <Value>024277395D31F263C350A0255CE3C282C7D3AEBF</Value> About Flexera Software </UniqueMachineNumber> Flexera Software is the leading provider of strategic solutions <UniqueMachineNumber> for Application Usage Management; solutions delivering <Type>2</Type> continuous compliance, optimized usage and maximized <Value>BA4E766C2FC6387A5F31B03683E445E2B9304 value to application producers and their customers. Flexera4A6</Value> Software is trusted by more than 80,000 customers that </UniqueMachineNumber> depend on our comprehensive solutions- from installation </UniqueMachineNumbers> and licensing, entitlement and compliance management to <SequenceNumber>7</SequenceNumber> application readiness and enterprise license optimization </OriginData> - to strategically manage application usage and achieve breakthrough results realized only through the systems-levelRepair and reinstallation policies approach we provide. For more information, please go to:By allowing one or two reinstall requests, the publishers can www.flexerasoftware.comgracefully accommodate the UMN brittleness problem.Conclusions For more information on FlexNet Publisher andA number of mechanisms are employed in FlexNet Publisher FlexNet Suite, please visit:to identify clients to their servers. The merits of these were www.flexerasoftware.com/fnppresented with the recommendation to use the UMN values.In Windows systems, problems in acquiring consistent andunique values have been experienced in a small number ofcases. However, enhancements made to the v11.6.1 FlexNetPublisher client have greatly reduced the likelihood of theseproblems occurring in the future.The final recommendation is for users of Windows systems toupgrade to the latest version of FlexNet Publisher to benefitfrom the improvements to the generation of UMN.Flexera Software: FlexNet Publisher White Paper Series 7
  8. 8. Flexera Software LLC Schaumburg United Kingdom (Europe, Japan (Asia, For more office locations visit:1000 East Woodfield Road, (Global Headquarters): Middle East Headquarters): Pacific Headquarters): www.flexerasoftware.comSuite 400 +1 800-809-5659 +44 870-871-1111 +81 3-4360-8291Schaumburg, IL 60173 USA +44 870-873-6300Copyright © 2011 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners. FNP_WP_TrustedStorage_Oct11