FlexNet Publisher White Paper Virtualization


Extending Your Software Revenue in a Virtual World

FlexNet Publisher Licensing Overview


Executive Summary

Various analysts purport that server virtualization has moved past the early adopter stage to that of strategic virtualization. For example, Forrester reports the adoption of server virtualization in enterprise IT will reach 65% by 2009 with 45% of x86 servers virtualized.[1] This means software vendors must develop and communicate licensing policies that take into account that their license server and applications will run on virtual machines. It also means that licensing systems such as FlexNet Publisher must provide the appropriate enforcement and reporting tools to allow software vendors and their enterprise customers to confidently operate in this new virtual environment.

Flexera Software research indicates that most software vendors have not modified their license policies to deal with virtualization. Longer term, software vendors recognize that new monetization models based upon usage must be considered. However, in the short term, existing hardware-centric licensing models must be applied to virtual platforms.

This document describes how FlexNet Publisher enables software vendors to embrace virtualization by providing various means to enforce licensing on virtual machines. This paper describes approaches and technologies available today as well as those that are being considered in the future.

Compliance and Piracy Challenges of Virtualization

Software vendors’ licensing policies and approaches range from compliance for trusted customers, to prevent accidental overuse, to strict enforcement for piracy prevention efforts, for markets that pose more risk of intentional overuse or outright piracy. License enforcement technologies, design practices, and processes that are in use today do a good job of keeping honest customers honest and discouraging the casual exploiter.

Machine virtualization technologies have changed the landscape of IT organizations by making it easy to create multiple virtual machines on a single physical machine, any one of which can easily possess the same characteristics as any other machine. The very nature of machine virtualization is obvious and enticing for the enterprise customer; however, this technology poses challenges for the software vendor using license enforcement if the licensing enforcement does not account for machine virtualization. While the use of machine virtualization on the corporate desktop remains limited to specific tasks or verticals, virtualization in the back office is not only accepted but is the norm, where any given application that is not virtualized is considered an exception. Software vendors today face a real and credible threat from the risk of a license server being replicated on many virtual machines, resulting in many more license entitlements than were originally purchased. This situation is depicted in Figure 1 below.

[Figure 1 panels: "License Server Bound to Physical Hardware is Hard to Replicate" (a single license server on the operating system of a physical machine) and "License Server Bound to Virtual Hardware is Easy to Replicate" (license server instances in multiple guest OSes on a VM hypervisor).]

Figure 1: License Server Instances Bound to Physical or Virtual Hardware

Over the past several years, Flexera Software has collaborated with leading virtualization vendors as well as software vendors to develop specific approaches that mitigate the risk virtualized environments pose. Software vendors tell us that they want to include traditional license models in virtual environments as well as new software licensing models. This approach is not only important in order to maintain backward compatibility with legacy clients deployed at many end user locations but also allows them to transition to new licensing models over time.

[1] As reported in the FORRESTER white paper entitled “x86 Virtualization Adopters Hit the Tipping Point,” November 30, 2007

Flexera Software: FlexNet Publisher White Paper Series

The challenge for the software industry is the lack of a universal method to detect and interface with the multitude of virtualization platforms available today. Flexera Software has addressed this by engaging in dialogs with the virtualization vendors to define a supported interface method between FlexNet Publisher and their virtualization platforms.

In addition, Flexera Software has also developed a Virtualization API specification in collaboration with several virtualization vendors. This standard provides a uniform interface method that allows Flexera Software to more rapidly support virtualization platforms.

Flexera Software’s Approach to Licensing Enforcement in a Virtualized Environment

FlexNet Publisher enables software vendors to establish an enforcement strategy based upon the level of trust they have with their customers. The trust range is graphically shown in Figure 2 below.

Trust level STRONG: Permission: Allow; Binding: VM Container; Report: Log File
Trust level WEAK: Permission: Allow; Binding: Physical; Report: Log File
Trust level NONE: Permission: Prohibit; Binding: N/A; Report: N/A

Figure 2: Range of Trust between Software Producers and their Markets

For markets or customers where no trust exists, the vendor can detect the presence of virtual machines and decide not to allow the license server to run, or not issue a license to an application that is running in a virtual machine. Referring to the above diagram, permission to run on a virtual machine (VM) would be denied; therefore, no binding and reporting would come into play. This approach is perhaps the safest for the vendor and may be justified for risky markets. However, software vendors should consider the reality of enterprise virtualization and the effect on customer satisfaction that may result from such a strict stance that is applied generally.

To the other extreme, for markets or customers where strong trust exists, the publisher can detect the presence of a virtual machine and then bind the license rights to the Universal Unique Identifier (UUID) of the VM container. While it is true that UUIDs can be replicated and applied to additional virtual machines (either on the same or on different physical machines), the virtualization platform is architected with the idea that UUIDs are always unique. If the UUIDs are not unique, the system will issue errors until this situation is corrected. In the scenario depicted in Figure 1, permission to run on a VM is granted and the licensing server is able to run on any machine so long as it remains within the specified VM container. This approach to binding gives confidence that license entitlements are not replicated on additional virtual machines. At the same time, the IT administrator can take full advantage of the advanced VM functionalities like high-availability and fault tolerance, since the licensing system can move from one physical machine to another without reconfiguration. In this configuration, the FlexNet Publisher report log contains both virtual and physical platform data and license checkout denial information.

For those markets and customers deemed to be in the middle of the trust range, the publisher can compromise with the enterprise by allowing the licensing system to operate on a virtual machine but requiring the licensing server to be bound not to the characteristics reported in the virtual container (e.g. MAC address, HostName, etc.) but to the physical hardware of the host machine. This is known as bare-metal binding. FlexNet Publisher includes a locking mechanism to ensure the license server is not able to issue licenses from a second VM on the same hardware platform. In this scenario, permission to run on a VM is granted but physical binding is also required to increase confidence that license entitlements are not replicated. The report log contains virtual and physical platform data along with license checkout denial information. This approach is more secure than VM container binding, but erodes much of the value of running the licensing system on the virtual platform since it can only be moved if new bindings are issued by the software vendor.

The next sections explore in greater depth the three enforcement models available in FlexNet Publisher.

No Trust - License Enforcement Using Virtual Machine Detection

Software licensing in a virtual machine is predicated on reliably detecting the presence of the virtual machine. FlexNet Publisher incorporates a number of techniques to identify the presence of a virtual machine platform. While the techniques implemented allow the detection of a number of different virtual machine platforms, currently the VMware ESX Server and Workstation products are supported.

FlexNet Publisher balances the risk of false positives against ensuring that these techniques are not easily defeated. If FlexNet Publisher identifies that it is being run on a virtual machine, the software vendor can implement, within their software, an appropriate behavior based on a defined license policy for virtualization. These business policies include the ability to:

• Refuse to start the license server in a virtual environment.

• Refuse to enable a particular feature of the application or an entire application in a virtual environment.

• Restrict a software feature or entire application to be functional only in a virtual environment.

The following segment describes some use cases where the virtual machine detection capabilities can be applied to product pricing and packaging. Included are examples of the FlexNet Publisher syntax needed to implement the desired capability:

1. Software vendor A deploys only a served licensing model. They market low-volume, high-cost software, and both casual and intentional piracy are a big concern for them. They do not want their license server to be deployed in a virtual machine due to the ease with which this can lead to license over usage. They require the license server to be on a physical machine within the data center.

• This is implemented by the software vendor by setting a compile-time switch within the license server customization code. Specifically, within the file lsvendor.c the following variable setting is made and the license server is built:

    FLEX_VM_TYPE ls_allow_vm = PHYSICAL; /* Restrict VD to a physical m/c only */

2. Software vendor B deploys both served and un-served licensing models. Certain features of their application cannot run on virtual machines (e.g., they require connecting a measurement instrument using a USB port that is not supported on a virtual platform). They would like to disable these features on virtual machines while at the same time allowing the other product features to function on both virtual and physical platforms.

• This is implemented by the software publisher by using the license file keyword VM_PLATFORMS on the FEATURE line as shown below:

    FEATURE measure_voltage admld 2.5 01-jan-2012 4 \
        VM_PLATFORMS=PHYSICAL SIGN="00E3 ……"

3. Software vendor C deploys their software primarily using the un-served, node-locked license model. They are concerned about software piracy, particularly with their non-enterprise users, and would like to restrict their software to physical hardware. However, they do want to support certain trusted enterprise customers who want to use their software on virtual machine instances. In short, they want to control the ability of their software to function on a virtual machine (or not) via the license file.

• This is implemented by the software publisher by using the license file keyword VM_PLATFORMS on the FEATURE line as shown below and granting these licenses on a case-by-case basis:

    FEATURE ultraplot admld 3.5 01-may-2011 4 \
        VM_PLATFORMS=VM_ONLY SIGN="00E3 ……"

Strong Trust - License Enforcement Using the UUID

In situations where strong trust exists between software vendors and their customers, it may be desirable to define a more flexible binding method that can be included within a licensing policy. FlexNet Publisher provides the capability to detect that the licensing system is operating inside a virtual container and then bind the license server to the UUID of the virtual machine container.

While a UUID can be replicated and applied to additional virtual machines, the architecture of the virtualization platform requires that the UUID is unique on the network. So while this could be used as a vector for piracy, virtualization platforms in legitimate enterprises would never have a situation where existing container UUIDs are duplicated.

[Figure 3 labels: two ESX Server physical machines under Virtualization Management, one hosting VM1 (UUID=XYZ), VM2 (UUID=ABC) and VM3 (UUID=123), the other hosting VM4 (UUID=AAA), VM5 (UUID=BBB) and VM6 (UUID=CCC); the License Server is bound to UUID=XYZ.]

Figure 3: Binding to the UUID of the VM Container

Allowing the enterprise customer to bind to the UUID of the virtual machine container allows them to support the license server and gives them the flexibility to take advantage of other advanced virtualization management capabilities (such as a high-availability configuration), providing greater flexibility and security to their operation.

• This is implemented by the software vendor specifying on the SERVER line of the license file the UUID value that should be verified before the license server runs. For example, on VMware ESX, to bind the license server to only run in a container with a UUID value of 1234, specify:

    SERVER this_host VMW_UUID=1234…


Weak Level of Trust - License Enforcement Using Bare Metal Binding

Binding licenses to a virtual container ID (UUID) could result in license over usage in situations where the level of trust between the software vendor and the enterprise is weak. At the same time, strictly prohibiting it may complicate deployment models and overly impact customer satisfaction. The compromise for these situations is to allow the licensing system to operate on the virtual platform when it detects itself running in a virtual machine but require that the license system is bound to the physical hardware. In this method, the license server running on virtual machines will bypass the virtual hardware and establish bindings with the host system, referred to as bare-metal binding. In this situation, even if the virtual machine in which the license server is running is later copied, the bindings break, rendering the license server inoperable.

While the bare metal binding solves the problem of a license being copied from one physical host to the next, that alone does not eliminate the possibility of over usage. Securing the licensing system to a single physical machine does not go far enough. The licensing system must be aware that it is operating in a virtual environment, detect other instances of the licensing system, and prevent more than one copy from running on the single physical machine. FlexNet Publisher eliminates this possibility by enforcing the requirement to only allow one instance of a license server (of a software vendor) to run on a given physical machine.

The capabilities of FlexNet Publisher for licensing situations where the trust levels are weak are depicted in Figure 4 below.

[Figure 4 panels: "Bare Metal Binding Makes the Licenses Hard to Copy" and "Bare Metal Binding with Mutex Lock Prevents Multiple Instances of the License Server on the Same Physical Box" (license servers in guest OSes on a VM hypervisor).]

Figure 4: Solutions with Bare Metal Binding and Mutex Lock

This approach provides advantages to both the software vendor and their enterprise customers. The software vendor has reasonable assurance of a relatively secure licensing solution, while the license administrator can deploy the licensing solution in a data center with virtual machine installations.
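The two conditions this section and the UUID section rely on, a container UUID being active in only one place at a time and at most one license server of a vendor per physical machine, can also be checked from inventory data. The following is an added example, not code from the white paper or from FlexNet Publisher; the record fields and all sample values are assumptions, and a high-availability move of the same VM is treated as legitimate.

```python
from itertools import combinations
from typing import NamedTuple

class Run(NamedTuple):
    """One observed run of a license server (hypothetical inventory record)."""
    vendor: str         # vendor daemon name, e.g. "admld"
    vm_name: str
    vm_uuid: str        # UUID of the VM container
    physical_host: str  # hardware under the hypervisor
    start: int          # minutes since the start of the observation window
    end: int

def norm(uuid):
    """UUIDs are compared case-insensitively, ignoring separators."""
    return "".join(c for c in uuid.lower() if c.isalnum())

def concurrent(a, b):
    """True when the two runs overlap in time (half-open intervals)."""
    return a.start < b.end and b.start < a.end

def uuid_conflicts(runs):
    """Same container UUID active in two different places at the same time."""
    found = []
    for a, b in combinations(runs, 2):
        same_place = (a.physical_host, a.vm_name) == (b.physical_host, b.vm_name)
        if norm(a.vm_uuid) == norm(b.vm_uuid) and concurrent(a, b) and not same_place:
            found.append((norm(a.vm_uuid), f"{a.vm_name}@{a.physical_host}",
                          f"{b.vm_name}@{b.physical_host}"))
    return found

def host_conflicts(runs):
    """More than one license server of one vendor on one physical machine at once."""
    found = []
    for a, b in combinations(runs, 2):
        if (a.vendor == b.vendor and a.physical_host == b.physical_host
                and norm(a.vm_uuid) != norm(b.vm_uuid) and concurrent(a, b)):
            found.append((a.vendor, a.physical_host, a.vm_name, b.vm_name))
    return found

# Constructed inventory; names, UUIDs and times are sample values.
RUNS = [
    Run("admld", "vm1", "564D-AAAA", "esx-a", 0, 100),
    Run("admld", "vm1", "564d-aaaa", "esx-b", 100, 200),       # moved by HA: no overlap
    Run("admld", "vm1-copy", "564D-AAAA", "esx-c", 150, 300),  # same UUID, concurrently
    Run("admld", "vm7", "564D-BBBB", "esx-b", 120, 180),       # second admld on esx-b
    Run("otherd", "vm9", "564D-CCCC", "esx-b", 0, 300),        # other vendor: allowed
]

if __name__ == "__main__":
    for c in uuid_conflicts(RUNS):
        print("duplicate UUID in use:", c)
    for c in host_conflicts(RUNS):
        print("multiple instances on one host:", c)
```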

The following segment describes some use cases where both virtual machine detection and bare metal binding capabilities can be combined using FlexNet Publisher features and syntax to implement a robust license enforcement capability where trust levels are weak:

1. Using the capabilities available in FlexNet Publisher, software vendor A from above can expand upon the virtualization detection implemented previously to include bare metal binding and licensing system detection for additional license enforcement capability, while not having to build different versions of the license server. This allows the producer to selectively relax their requirement of a license server only running on a physical machine on a case-by-case basis for increased customer satisfaction.

• The software vendor implements this by specifying keywords on the SERVER line in the license files. These keywords specify: a) the platform type that the license server is authorized to run on, and b) the host id type. Some examples are shown below:

• Example 1: To restrict the license server to VMware ESX server and to use the Ethernet address of the physical hardware, specify:

    SERVER this_host VMW_ETHER=1234

• Example 2: To restrict the license server to a physical machine and to use the IP address of the machine as the host id type, specify:

    SERVER this_host PHY_INTERNET=10.10.12.101
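The FEATURE keyword from the no-trust use cases and the SERVER hostid keywords from the strong-trust and weak-trust sections can be read together as one decision table. The following is an added example, not Flexera code and not part of the original white paper: it parses such lines and evaluates them against a host description. The PlatformFacts structure, the function names and the sample values are assumptions, and only the VM_PLATFORMS values and the VMW_/PHY_ prefixes shown in this paper are modelled.

```python
import shlex
from dataclasses import dataclass, field

@dataclass
class PlatformFacts:
    """Hypothetical host description; is_vm means 'inside a supported VMware VM'."""
    is_vm: bool
    hostids: dict = field(default_factory=dict)  # keyed by license keyword, e.g. "VMW_UUID"

def logical_lines(text):
    """Join backslash-continued lines, as on the FEATURE lines shown in the paper."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line:
            out.append(line)
    return out

def parse_line(line):
    """Return a dict for SERVER/FEATURE lines, None for anything not modelled here."""
    tok = shlex.split(line)  # keeps SIGN="..." together as one token
    if tok[0] == "SERVER" and len(tok) >= 3:
        keyword, _, value = tok[2].partition("=")
        return {"kind": "SERVER", "name": tok[1], "hostid_type": keyword, "hostid": value}
    if tok[0] == "FEATURE" and len(tok) >= 6:
        opts = dict(t.split("=", 1) for t in tok[6:] if "=" in t)
        return {"kind": "FEATURE", "name": tok[1], "vm_platforms": opts.get("VM_PLATFORMS")}
    return None

def evaluate(rule, facts):
    """Apply the platform rules described in the paper; returns (allowed, reason)."""
    here = "virtual machine" if facts.is_vm else "physical machine"
    if rule["kind"] == "FEATURE":
        want = rule["vm_platforms"]
        if want is None:  # assumption: no keyword means no platform restriction
            return True, "no VM_PLATFORMS keyword, so no platform restriction"
        if want not in ("PHYSICAL", "VM_ONLY"):
            return None, f"VM_PLATFORMS={want} is not modelled in this example"
        return facts.is_vm == (want == "VM_ONLY"), f"VM_PLATFORMS={want} on a {here}"
    kind = rule["hostid_type"]
    prefix = kind.split("_", 1)[0]
    if prefix not in ("VMW", "PHY"):
        return None, "hostid without a VMW_/PHY_ prefix is not modelled"
    if facts.is_vm != (prefix == "VMW"):
        return False, f"{kind} not permitted on a {here}"
    if facts.hostids.get(kind) != rule["hostid"]:
        return False, f"{kind} value does not match this host"
    return True, f"{kind} matches on a {here}"

def audit(text, facts):
    """Evaluate every modelled line; returns [(kind, name, allowed, reason), ...]."""
    rules = (parse_line(line) for line in logical_lines(text))
    return [(r["kind"], r["name"], *evaluate(r, facts)) for r in rules if r]

# Constructed sample: keywords as shown in the paper, values are placeholders.
SAMPLE = r'''
SERVER this_host VMW_UUID=1234
FEATURE measure_voltage admld 2.5 01-jan-2012 4 \
    VM_PLATFORMS=PHYSICAL SIGN="00E3 PLACEHOLDER"
FEATURE ultraplot admld 3.5 01-may-2011 4 \
    VM_PLATFORMS=VM_ONLY SIGN="00E3 PLACEHOLDER"
'''

if __name__ == "__main__":
    bound_vm = PlatformFacts(is_vm=True, hostids={"VMW_UUID": "1234"})
    other_vm = PlatformFacts(is_vm=True, hostids={"VMW_UUID": "5678"})
    for label, facts in (("bound VM", bound_vm), ("other VM", other_vm)):
        for kind, name, allowed, reason in audit(SAMPLE, facts):
            print(f"{label:9} {kind:8} {name:16} {allowed!s:6} {reason}")
```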

Best Practices for the Software Vendor

The implementation details within a licensing system are the expression of the relationship between the software vendor and the customer. Pricing, packaging, support, and more feed into the licensing system, which enforces important aspects of that relationship. Before embarking on the implementation details within the licensing system, software vendors should review the impact that machine virtualization has on pricing, packaging, support, etc. From that review, the implementation details will become clear for what the licensing system should enforce.

Flexera Software recommends that software vendors start with a more restrictive approach to their policy of the licensing system in a virtual environment and then later relax the policy on a case-by-case basis. An example would be to restrict to a physical machine only; that restriction can then be relaxed for specific products, customers or geographies without needing to change the software deployed at customers.

Caution: If you are using certificate style licensing, once the license rights are issued it is not possible to recover or replace the license rights with any level of confidence that they are not still in use. Only if an expiration date is set in the license rights will the license rights ever cease to be valid, and then only once the date has passed.

Conclusion/Summary

Virtualization impacts all aspects of how a software vendor prices, packages, supports and sells their software. The natural extension of this impact is to understand how your licensing enforcement system is able to respond. Machine virtualization is real and widely deployed in all enterprises today, big and small. Flexera Software has collaborated with the leading virtualization platform manufacturers along with software vendors such as yourself to provide a rich set of capabilities that allow you to address the situation in a manner that provides a compromise between possible revenue leakage and customer satisfaction.

Research by software industry analysts substantiates the industry trend away from hardware based licensing models toward usage based models such as subscription and SaaS. And as has been presented in this paper, the fundamental by-product of virtualization technology serves to remove the time-honored hardware hooks and metrics that producers have depended upon to secure and monetize their software.

FlexNet Publisher provides you with the capabilities needed to embrace the machine virtualization wave that is prevalent today in the enterprises you serve.

About FlexNet Publisher

FlexNet Publisher is the proven solution to enable software vendors and high-tech manufacturers to increase software revenues and simplify customer relationships by protecting against piracy and allowing them to quickly and efficiently adapt to new and evolving markets through the creation of new pricing models and versatile product configurations.

• Over 3,000 software vendors and high-tech manufacturers leverage FlexNet Publisher licensing technology.

• Over 20,000 FlexEnabled applications exist today.

• FlexNet Publisher was awarded “Best Software Product for Software vendors” by SIIA in 2007.

• FlexNet Publisher is considered the industry de facto standard and Flexera Software was recognized as setting the standard in the industry – Amy Konary, IDC, June 2009

FlexNet Publisher is part of Flexera Software’s Entitlement and Compliance Management Solution, delivering broad capabilities for software licensing, entitlement management, software updates and software distribution.

About Flexera Software

Flexera Software is the leading provider of strategic solutions for Application Usage Management; solutions delivering continuous compliance, optimized usage and maximized value to application producers and their customers. Flexera Software is trusted by more than 80,000 customers that depend on our comprehensive solutions - from installation and licensing, entitlement and compliance management to application readiness and enterprise license optimization - to strategically manage application usage and achieve breakthrough results realized only through the systems-level approach we provide. For more information, please go to: www.flexerasoftware.com

For more information on FlexNet Publisher and FlexNet Producer Suite, please visit: www.flexerasoftware.com/fnp


Flexera Software LLC
1000 East Woodfield Road, Suite 400
Schaumburg, IL 60173 USA

Schaumburg (Global Headquarters): +1 800-809-5659

United Kingdom (Europe, Middle East Headquarters): +44 870-871-1111, +44 870-873-6300

Japan (Asia, Pacific Headquarters): +81 3-4360-8291

For more office locations visit: www.flexerasoftware.com

Copyright © 2011 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners. FNP_WP_Virtualization_Oct11