Sentinel LDK - v.7.0Software Licensing and Protection Guide

2 Sentinel LDK Software Licensing and Protection Guide

Revision History

Part number 007-012168-001, Rev A

Copyrights and Trademarks

Copyright © 2013 SafeNet, Inc. All rights reserved.

HARDLOCK, HASP, SENTINEL, SUPERPRO and ULTRAPRO are registered trademarks of SafeNet, Inc.and/or its subsidiaries and may not be used without written permission.

All other trademarks are property of their respective owners.

Disclaimer

We have attempted to make this document complete, accurate, and useful, but we cannotguarantee it to be perfect. When we discover errors or omissions, or they are brought to ourattention, we endeavor to correct them in succeeding releases of the product. SafeNet, Inc. is notresponsible for any direct or indirect damages or loss of business resulting from inaccuracies oromissions contained herein. The specifications contained in this document are subject to changewithout notice.

July 2013

Build 1308-3

3

SAFENET SENTINEL LDK PRODUCT END USER LICENSE AGREEMENT

IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THECONTENTS OF THE PACKAGE AND/OR BEFORE DOWNLOADING OR INSTALLING THE SOFTWAREPRODUCT. ALL ORDERS FOR AND USE OF THE SENTINEL® LDK PRODUCTS (including withoutlimitation, the Developer's Kit, libraries, utilities, diskettes, CD_ROM, DVD, Sentinel keys, thesoftware component of SafeNet Sentinel LDK and the Sentinel LDK Software Protection andLicensing Guide) (hereinafter “Product”) SUPPLIED BY SAFENET, INC., (or any of its affiliates - eitherof them referred to as “SAFENET”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONSSET FORTH IN THIS AGREEMENT.

BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR BY DOWNLOADING THESOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE SOFTWARE ON YOUR COMPUTERAND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING THIS AGREEMENT AND AGREEING TO BEBOUND BY ITS TERMS AND CONDITIONS.

IF YOU DO NOT AGREE TO THIS AGREEMENT OR ARE NOT WILLING TO BE BOUND BY IT, DO NOTOPEN THE PACKAGE AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (at leastwithin 7 days from the date you received this package) RETURN THE PRODUCTS TO SAFENET, ERASETHE SOFTWARE, AND ANY PART THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN ANYMANNER WHATSOEVER.

This Agreement has 3 sections:

Section I applies if you are downloading or using the Product free of charge for evaluationpurposes only.

Section II applies if you have purchased or have been otherwise granted by SafeNet a license touse the Product.

Section III applies to all grants of license.

1. SECTION I - TERMS APPLICABLE TO GRANT OF EVALUATION LICENSE

License Grant. SafeNet hereby grants to you, and you accept, a nonexclusive license to use the Product in machine-readable, object code form only, free of charge, for the purpose of evaluating whether to purchase an ongoing licenseto the Product and only as authorized in this License Agreement. The evaluation period is limited to the maximumamount of days specified in your applicable evaluation package. You mayuse the Product, during the evaluation period,in the manner described in Section III below under “Extent of Grant.”.

DISCLAIMER OF WARRANTY. The Product is provided on an “AS IS” basis, without warranty ofany kind. IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTION ANDMERCHANTABILITY SHALL NOT APPLY. SOME JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF ANIMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHERLEGAL RIGHTS THAT VARY BY JURISDICTION. The entire risk as to the quality and performance ofthe Product is borne by you. This disclaimer of warranty constitutes an essential part of theagreement.

If you initially acquired a copy of the Product without purchasing a license and youwish to purchase a license, contact SafeNet or any SafeNet representative.

2. SECTION II - APPLICABLE TERMS WHEN GRANTED A LICENSE

4 Sentinel LDK Software Licensing and Protection Guide

License Grant. Subject to your payment of the license fees applicable to the type and amount of licenses purchased by youand set forth in your applicable purchase order, SafeNet hereby grants to you, and you accept, a personal,nonexclusive and fully revocable limited License to use the Software (as such term is defined in Section III hereunder, inthe Intellectual Property subsection), in executable form only, as described in the Software accompanying userdocumentation and only according to the terms of this Agreement: (i) youmay install the Software and use it oncomputers located in your place of business, as described in SafeNet's related documentation; (ii) youmay merge andlink the Software into your computer programs for the sole purpose described in the Sentinel LDK Software Protectionand Licensing Guide; however, any portion of the Software merged into another computer program shall be deemedasderivative work and will continue to be subject to the terms of this Agreement; and (iii) you are permitted to make areasonable number of copies of the Software solely for backup purposes. The Software shall not be used for anyotherpurposes.

Sub-Licensing. After merging the Software in your computer program(s) according to the LicenseGrant section above, you may sub-license, pursuant to the terms of this Agreement, the mergedSoftware and resell the hardware components of the Product, which you purchased from SafeNet,if applicable, to distributors and/or users. Preceding such a sale and sub-licensing, you shall makesure that your contracts with any of your distributors and/or end users (and their contracts withtheir customers) shall contain warranties, disclaimers, limitation of liability, and license termswhich are no less protective of SafeNet's rights than such equivalent provisions contained herein.In addition, you shall make it abundantly clear to your distributors and/or end users, that SafeNetis not and shall not, under any circumstances, be responsible or liable in any way for the softwareand software licenses contained in your computer programs which you merge with the SafeNetSoftware and distribute to your distributors and/or end users, including, without limitation, withrespect to extending license terms and providing maintenance for any software elements and/orcomputer programs which are not the SafeNet Software. SafeNet expressly disclaims anyresponsibility and liability with respect to any computer programs, software elements, and/orhardware elements which are not and do not form part of the SafeNet product.

Limited Warranty. SafeNet warrants, for your benefit alone, that (i) the Software, when and asdelivered to you, and for a period of three (3) months after the date of delivery to you, willperform in substantial compliance with the Sentinel LDK Software Protection and Licensing Guide,provided that it is used on the computer hardware and with the operating system for which it wasdesigned; and (ii) that the Sentinel key, for a period of twelve (12) months after the date ofdelivery to you, will be substantially free from significant defects in materials and workmanship.You may enable or disable certain features when applying the Sentinel LDK protection software bychanging settings in the Sentinel LDK tools in accordance with the Sentinel LDK SoftwareProtection and Licensing Guide; HOWEVER, IT IS IMPORTANT TO NOTE THAT WHEN ENABLING ORDISABLING SOME FEATURES YOU MIGHT REDUCE THE LEVEL OF PROTECTION PROVIDED BY THESOFTWARE.

Warranty Disclaimer. SAFENET DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEETYOUR REQUIRMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TOTHE EXTENT ALLOWED BY LAW, SAFENET EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES NOTSTATED HERE AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO SAFENET'SDEALER, DISTRIBUTOR, RESELLER, AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANYMODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. If any modifications are madeto the Software or to any other part of the Product by you; if the media and the Sentinel key issubjected to accident, abuse, or improper use; or if you violate any of the terms of thisAgreement, then the warranty in Section 2.3 above, shall immediately be terminated. Thewarranty shall not apply if the Software is used on or in conjunction with hardware or program

5

other than the unmodified version of hardware and program with which the Software wasdesigned to be used as described in the Sentinel LDK Software Protection and Licensing Guide.

Limitation of Remedies. In the event of a breach of the warranty set forth above, SafeNet's soleobligation, and your sole remedy shall be, at SafeNet's sole discretion: (i) to replace or repair theProduct, or component thereof, that does not meet the foregoing limited warranty, free ofcharge; or (ii) to refund the price paid by you for the Product, or component thereof. Anyreplacement or repaired component will be warranted for the remainder of the original warrantyperiod or 30 days, whichever is longer. Warranty claims must be made in writing during thewarranty period and within seven (7) days of the observation of the defect accompanied byevidence satisfactory to SafeNet. All Products should be returned to the distributor from whichthey were purchased (if not purchased directly from SafeNet) and shall be shipped by thereturning party with freight and insurance paid. The Product or component thereof must bereturned with a copy of your receipt.

SECTION III - TERMS APPLICABLE TO ALL GRANTS OF LICENSE

Extent of Grant and Prohibited Uses. Except as specifically permitted in Sections 2.1 and 2.2 above, you agree not to (i)use the Product in anymanner beyond the scope of license purchased by you in accordance with your applicablepurchase order; (ii) use, modify, merge or sub-license the Software or any other of SafeNet's products except asexpressly authorized in this Agreement and in the Sentinel LDK Software Protection and Licensing Guide; and (iii) sell,license (or sub-license), lease, assign, transfer, pledge, or share your rightsunder this License with/to anyone else; and(iv) modify, disassemble, decompile, reverse engineer, revise or enhance the Software or attempt to discover theSoftware'ssource code; and (v) place the Software onto a server so that it is accessible via a public network; and (vi) useany back-up or archival copiesof the Software (or allow someone else to use such copies) for any purpose other than toreplace an original copy if it is destroyed or becomes defective. If you are a member of the European Union, thisagreement does not affect your rights under any legislation implementing the EC Council Directive on the LegalProtectionof Computer Programs. If you seek any information within the meaning of that Directive you should initially approachSafeNet.

Intellectual Property. THIS ISA LICENSEAGREEMENT AND NOT AN AGREEMENT FOR SALE. The softwarecomponent of the SafeNet Sentinel LDK Product, including any revisions, corrections, modifications, enhancements,updates and/or upgrades thereto, (hereinafter in whole or any part thereof defined as: “Software”), and the relateddocumentation, ARENOT FOR SALE and are and shall remain in SafeNet's sole property. All intellectual property rights(including, without limitation, copyrights, patents, trade secrets, trademarks, etc.) evidenced by or embodied in and/orattached/connected/related to the Product, (including, without limitation, the Software code and the work productperformed in accordance with Section II above) are and shallbe ownedsolely bySafeNet. This License Agreement doesnot convey to you an interest in or to the Software but only a limited right of use revocable in accordance with the terms ofthis License Agreement. Nothing in this Agreement constitutesa waiver of SafeNet's intellectual property rights under anylaw.

Audit. SafeNet shallhave the right, at its own expense, upon reasonable prior notice, to periodically inspect and audit yourrecords to ensure your compliance with the terms and conditions of this license agreement.

Termination. Without prejudice to any other rights, SafeNet may terminate this license upon the breach by you of any termhereof. Upon such termination bySafeNet, you agree to destroy, or return to SafeNet, the Product and theDocumentation and all copies and portions thereof.

Limitation of Liability. SafeNet's cumulative liability to you or any other party for any loss or damages resulting from anyclaims, demands, or actions arising out of or relating to this Agreement and/or the sue of the Product shall not exceed thelicense fee paid to SafeNet for the use of the Product/s that gave rise to the action or claim, and if no such Product/s is/areso applicable then SafeNet's liability shall not exceed the amount of license fees paid byYou to SafeNet hereunder duringthe twelve (12) months period preceding the event. UNDER NO CIRCUMSTANCESAND UNDER NO LEGAL

6 Sentinel LDK Software Licensing and Protection Guide

THEORY, TORT, CONTRACT, OROTHERWISE, SHALL SAFENET OR ITS SUPPLIERSORRESELLERSORAGENTSBE LIABLETO YOU OR ANYOTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, ORCONSEQUENTIAL DAMAGESOF ANY TYPE INCLUDING, WITHOUT LIMITATION, DAMAGESFOR LOSSOFGOODWILL, BUSINESS INTERRUPTION, COMPUTER FAILURE ORMALFUNCTION, LOSSOF BUSINESSPROFITS, LOSSOF BUSINESS INFORMATION, DAMAGESFOR PERSONAL INJURY OR ANY AND ALL OTHERCOMMERCIALDAMAGES OR LOSSES, EVEN IF SAFENET SHALL HAVE BEEN INFORMED OF THEPOSSIBILITYOF SUCH DAMAGES, OR FOR ANY CLAIMBY ANYOTHER PARTY. SOME JURISDICTIONS DONOT ALLOW THEEXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THISLIMITATIONAND EXCLUSION MAYNOT APPLY TO YOU.

No other Warranties. Except and to the extent specifically provided herein, SafeNet makes no warranty or representation,either express or implied, with respect to its Products as, including their quality, performance, merchantability or fitness fora particular purpose.

Export Controls. YOU ACKNOWLEDGE THAT THESOFTWARE IS SUBJECT TO REGULATIONBY UNITEDSTATES,EUROPEAN UNION, AND/OR OTHER GOVERNMENT AGENCIES, WHICHPROHIBIT EXPORT OR DIVERSIONOF THESOFTWARETO CERTAIN COUNTRIES AND CERTAIN PERSONS. YOU AGREE TO COMPLY WITHALL EXPORT LAWS, REGULATIONS AND RESTRICTIONSOF THEUNITEDSTATES DEPARTMENT OF STATE,DEPARTMENTOF COMMERCEOROTHER LEGAL AUTHORITYWITHIN THEUNITEDSTATES OR ANYFOREIGN ENTITY WHICHREGULATES THEIR SHIPMENT. YOUWILL NOT EXPORT IN ANY MANNER, EITHERDIRECTLYOR INDIRECTLY, ANYSOFTWAREOR ANYPRODUCT THAT INCORPORATES ANYSOFTWAREWITHOUT FIRST OBTAINING ALL NECESSARY APPROVAL FROM APPROPRIATE GOVERNMENT AGENCIES.YOU AGREE TO INDEMNIFY SAFENET AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS ANDEXPENSES, INCLUDING REASONABLEATTORNEYS' FEES, TO THEEXTENT SUCH CLAIMS ARISEOUT OFANYBREACHOF THIS SECTION 3.7.

Governing Law & Jurisdiction.This License Agreement shall be construed, interpreted and governed by the laws of theState of Delaware without regard to conflicts of laws and provisions thereof. The exclusive forum for any disputes arisingout of or relating to this License Agreement shallbe an appropriate federal or state court sitting in Harford County, Stateof Maryland, USA. The application of the United NationsConvention of Contracts for the International Sale of Goods isexpressly excluded. The failure of either party to enforce any rights granted hereunder or to take action against the otherparty in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement ofrightsor subsequent actions in the event of future breaches.

Third Party Software. The Product contains theOpen SSL Toolkit which includes the OpenSSL software, as set forth inExhibit A and the Original SSLeay software, as set forth in Exhibit B. Such third party's software is provided “As Is” anduse of such software shall be governed by the terms and conditions as set forth in Exhibit A and Exhibit B. If theProduct contains any software provided by third parties other than the software noted in Exhibit A and Exhibit B, suchthird parThird Party Software. The Product contains theOpen SSL Toolkit which includes the OpenSSL software, asset forth inExhibit A, the Original SSLeay software, as set forth in Exhibit B, LLVM http://opensource.org/licenses/UoI-NCSA.php, as set forth inExhibit C t), LLJVMsubproject http://da.vidr.cc/projects/lljvm/, and BEAEnginehttp://www.beaengine.org/licence. Such third party's software is provided “As Is” and use of such software shall begoverned by the terms and conditions as set forth inExhibit A, Exhibit B, and Exhibit C. If the Product contains anysoftware provided by third parties other than the software noted inExhibit A, Exhibit B, and Exhibit C, such thirdparty's software are provided “As Is” and shall be subject to the terms of the provisionsand condition set forth in theagreementscontained/attached to such software. In the event such agreements are not available, such third party'ssoftware are provided “As Is” without anywarranty of any kind and this Agreement shall apply to all such third partysoftware providers and third party software as if they were SafeNet and the Product respectively.ty's software areprovided “As Is” and shall be subject to the termsof the provisions and condition set forth in the agreementscontained/attached to such software. In the event such agreementsare not available, such third party's software areprovided “As Is” without anywarranty of any kind and this Agreement shall apply to all such third partysoftware providersand third partysoftware as if they were SafeNet and the Product respectively.

7

Miscellaneous. If the copy of the Product you received was accompanied by a printed or other form of “hard-copy” End UserLicense Agreement whose terms vary from this Agreement, then the hard-copy End User License Agreement governsyour use of the Product. This Agreement represents the complete agreement concerning this license and may beamended only by a writing executed byboth parties. THEACCEPTANCE OF ANYPURCHASEORDER PLACEDBYYOU, ISEXPRESSLYMADE CONDITIONAL ON YOUR ASSENT TO THE TERMS SET FORTH HEREIN,COMBINEDWITH THEAPPLICABLE LICENSESCOPE AND TERMS, IF ANY, SET FORTH IN YOUR PURCHASEORDER. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to theextent necessary to make it enforceable. The failure of either party to enforce any rightsgranted hereunder or to takeaction against the other party in the event of any breach hereunder shall not be deemed awaiver by that party as tosubsequent enforcement of rights or subsequent actions in the event of future breaches.

© 2013 SafeNet, Inc. All rights reserved.

Exhibit A - Open SSL License

A. NoticesCopyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

Redistributions of source code must retain the above copyright notice, this list of conditions andthe following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditionsand the following disclaimer in the documentation and/or other materials provided with thedistribution.

All advertising materials mentioning features or use of this software must display the followingacknowledgment: “This product includes software developed by the OpenSSL Project for use inthe OpenSSL Toolkit. (http://www.openssl.org/)”

The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promoteproducts derived from this software without prior written permission. For written permission,please contact openssl-core@openssl.org.

Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear intheir names without prior written permission of the OpenSSL Project.

Redistributions of any form whatsoever must retain the following acknowledgment: “This productincludes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/)”

DISCLAIMER OF WARRANTY

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ''AS IS'' AND ANY EXPRESSED OR IMPLIEDWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITYAND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSLPROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENTOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OFTHE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

8 Sentinel LDK Software Licensing and Protection Guide

Exhibit B - Original SSLeay License

A. NoticesCopyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions areadhered to. The following conditions apply to all code found in this distribution, be it the RC4,RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with thisdistribution is covered by the same copyright terms except that the holder is Tim Hudson(tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to beremoved.

If this package is used in a product, Eric Young should be given attribution as the author of theparts of the library used.

This can be in the form of a textual message at program startup or in documentation (online ortextual) provided with the package.

Redistributions of source code must retain the above copyright notice, this list of conditions andthe following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditionsand the following disclaimer in the documentation and/or other materials provided with thedistribution.

All advertising materials mentioning features or use of this software must display the followingacknowledgment: “This product includes cryptographic software written by Eric Young(eay@cryptsoft.com)”.

If you include any Windows specific code (or a derivative thereof) from the apps directory(application code) you must include an acknowledgement: “This product includes software writtenby Tim Hudson (tjh@cryptsoft.com)”

DISCLAIMER OF WARRANTY.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FORA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OFLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THEPOSSIBILITY OF SUCH DAMAGE.

Exhibit C - University of Illinois/NCSA Open Source License

Copyright (c) <Year> <Owner Organization Name> All rights reserved.

9

Developed by: <Name of Development Group>

<Name of Institution>

<URL for Development Group/Institution> Permission is hereby granted, free of charge, to anyperson obtaining a copy of this software and associated documentation files (the "Software"), todeal with the Software without restriction, including without limitation the rights to use, copy,modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permitpersons to whom the Software is furnished to do so, subject to the following conditions:

Redistributions of source code must retain the above copyright notice, this list of conditions andthe following disclaimers.

Redistributions in binary form must reproduce the above copyright notice, this list of conditionsand the following disclaimers in the documentation and/or other materials provided with thedistribution.

Neither the names of <Name of Development Group, Name of Institution>, nor the names of itscontributors may be used to endorse or promote products derived from this Software withoutspecific prior written permission.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR APARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE CONTRIBUTORS ORCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN ANACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITHTHE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE SOFTWARE.

10 Sentinel LDK Software Licensing and Protection Guide

Environmental Impact Statements

产品中有毒有害物质或元素的名称及含量

Hazardous Substances Table

部件名称 (Parts) 有毒有害物质或元素 (Hazardous Substance)

铅(Pb)

汞(Hg)

镉(Cd)

六价铬(Cr+6)

多溴联苯(PBB)

多溴二苯醚(PBDE)

元器件components

× ○ ○ ○ ○ ○

外壳 shell ○ ○ ○ ○ ○ ○

印刷电路板 PCB ○ ○ ○ ○ ○ ○

连接器 connector ○ ○ ○ ○ ○ ○

○：表示该有毒有害物质在该部件所有均质材料中的含量均在SJ/T 11363-2006标准规定的限量要求以下。

○：Indicates that this hazardous substance contained in all homogeneous materials ofthis part is below the limit requirement in SJ/T 11363-2006.

×：表示该有毒有害物质至少在该部件的某一均质材料中的含量超出SJ/T 11363-2006标准规定的限量要求。(“X” 标识的元器件属欧盟RoHS指令2011/65/EU附录3中豁免项7c-1豁免范围。符合欧盟RoHS要求。)

×: Indicates that this hazardous substance contained in at least one of the homogeneousmaterials of this part is above the limit requirement in SJ/T 11363-2006. (The “X” item is exemptedby 7c-I of Annex III in RoHS Directive 2011/65/EU, and is RoHS conformity.)

This product is in conformity with the protection requirements of 2004/108/EC relatingto electromagnetic compatibility and the provision of the relevant specific standards.

This device complies with Part 15 of the FCC Rules. Operation is subject to thefollowing two conditions: (1) this device may not cause harmful interference, and (2)this device must accept any interference received, including interference that may

cause undesired operation.

NOTE: This equipment has been tested and found to comply with the limits for Class B digitaldevice, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonableprotection against harmful interference in a residential installation. This equipment generates,uses and can radiate radio frequency energy and, if not installed and used in accordance with theinstructions, may cause harmful interference to radio communications. However, there is noguarantee that interference will not occur in particular installation. If this equipment does causeharmful interference to radio or television reception, which can be determined by turning the

11

equipment off and on, the user is encouraged to try to correct the interference by one or more ofthe following measures: --Reorient or relocate the receiving antenna. –Increase the separationbetween the equipment and receiver. –Connect the equipment into an outlet on a circuit differentfrom that to which the receiver is connected. –Consult the dealer or an experienced radio/TVtechnician for help.

Contents

Familiarizing Yourself with Sentinel Vendor Suite 22

Contents of the Sentinel License Development Kit 22Sentinel LDK - Demo Kit 22Sentinel LDK - Starter Kit 22

About This Guide 23Major Components of the Vendor Suite 24Contacting Us 26Training 26

Obtaining Support 26

PART 1 - GETTING STARTED 28

Chapter 1: Understanding Sentinel LDK Software Protection and Licensing 30

Fundamentals of Protection 30What is Protection? 30

Major Protection Solutions 31Hardware-based Solutions 31Software-based Solutions 31Comparative Benefits of Hardware-based and Software-based Solutions 32Advantages of a Combined Solution 32

Fundamentals of Licensing 33Flexible and Secure Licensing Solutions 33Licensing Planning and Models 33Updating and Enforcing Usage Terms 34

Principles of Sentinel LDK 34Protect Once—Deliver Many—Evolve Often 34Cross-locking 35Mixing and Matching Licenses and Sentinel protection keys 35

Customizing Your Unique Solution 35Personalized Vendor and Batch Codes 36Selecting the Best Key for Your Requirements 36Sentinel Vendor Keys 37End-User Keys 37

Protection Key Attributes 39Sentinel LDK Protection Process 39

Obtaining Additional Information About Sentinel LDK 40

PART 2 - PROTECTION 42

13 Sentinel LDK Software Licensing and Protection Guide

Chapter 2: Protecting Software 44

Sentinel LDK Protection 44Elements of Sentinel LDK Protection 44Selecting a Protection Method 46

Chapter 3: Sentinel Licensing API Protection 50

Overview 50Universal Sentinel Licensing API 51

Sentinel Licensing API Prerequisites 51Vendor Code 51

Learning About the Sentinel Licensing API 52Sentinel LDK ToolBox 52Sentinel Licensing API Samples 53

Implementation 53Planning Your Requirements 53Sentinel Licensing API Workflow 54Sentinel Licensing API Login Function 54

Sentinel Licensing API Functionality 56Function Groups 56

Chapter 4: Sentinel LDK Envelope Protection 58

Functionality 58Basic Protection Workflow 59Required and Optional Protection Parameters 60General Customizable Parameters 61

Sentinel LDK Envelope for Windows 62Prerequisites for Windows 62Running Sentinel LDK Envelope 62Protecting Windows Programs 63Enhancing Protection With "AppOnChip" 64Accessing and Encrypting Data Files for Windows Programs 65Running Sentinel LDK Envelope from a Windows Command-line 66

Protecting .NET Assemblies 67.NET Considerations 68Global Features in .NET Assemblies 68Method-level Protection 68Code and Symbol Obfuscation in .NET Assemblies 71Defining Sentinel LDK Envelope Protection Settings in Source Code 71

Sentinel LDK Envelope for Linux Applications 73Sentinel LDK Envelope Prerequisites for Linux 73Protecting Linux Applications 73

Sentinel LDK Envelope for Mac Binaries 74

14

Sentinel LDK Envelope Prerequisites for Mac 75Running Sentinel LDK Envelope for Mac 75Sentinel LDK Envelope for Mac Protection Parameters 75

Sentinel LDK Envelope for Java Executables 75Java Considerations 76Sentinel LDK Envelope Prerequisites for Java 76Running Sentinel LDK Envelope for Java Engines 77Sentinel LDK Envelope for Java Protection Parameters 77Protecting Java Executables 77

Chapter 5: Protection Strategies 78

Overview 78General Protection Guidelines 79Types of Attack and Their Sentinel LDK Defense 80Patching Executables and DLLs 80Modifying Key Memory 80Emulating Protection Keys 81Using Terminal Servers and Terminal Service Solutions 81Cloning Hardware Keys 81Clock Tampering 81Additional Sentinel LDK-specific Strategies 82

Chapter 6: Working with the Sentinel LDK Data Encryption Utility 84

Introduction 84When to Encrypt Data Files 84Data Encryption Utility Users 85Data Encryption for Mac 85

Data Encryption Prerequisites 86Launching Sentinel LDK Data Encryption Utility 86Supported Functionality 86Modifying Input 87

PART 3 - LICENSING 88

Chapter 7: Introduction to Sentinel EMS 90

Sentinel EMS Overview 90Sentinel EMS Major Workflows 90

Sentinel EMS Users and User Roles 92Getting Started With Sentinel EMS 93Prerequisites for the Sentinel LDK Administrator 94Using the Sentinel EMS Help 96

15 Sentinel LDK Software Licensing and Protection Guide

Sentinel License Generation API 96

Chapter 8: Preparing Your Sentinel LDK Licensing Plan 98

Licensing Overview 98Preparing Your Licensing Plan 99Identifying Functional Components (Features) 100Combining Features Into Products 100

Choosing the Protection Level for Your Products 101Sentinel HL Key Protection and Activation 102Sentinel SL Key Protection and Activation 102Specifying the Protection Level for Individual Orders 103

Designating Products for Trial or Grace Period Use 103Assigning License Terms to Features 104Specifying License Values for Individual Orders 104

Utilizing Protection Key Memory 105Using Your Licensing Plan With Sentinel EMS 105

Chapter 9: Implementing Your Sentinel LDK Licensing Plan 108

License Planning in Sentinel EMS 108Managing Features 109Defining Features 109Deleting Features 110

Managing Products 110Defining New Products 111Defining Provisional Products 116Product Status Values 116Duplicating a Product 117Withdrawing a Product 117

Maintaining Products and Licenses 117Managing Product Versions 118Canceling Product Licenses 119

Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks 122

Sentinel LDK Entitlement Processing and Production 122Managing Entitlements 123Defining Entitlements 124Entitlement Status Values 128Processing C2V Information 128Order Processing and Production Examples 129

Producing Entitlements 131Producing Sentinel HL Key Entitlements 132

16

Producing Entitlements for Product Keys 132Producing Protection Key Update Entitlements 133

Withdrawing Entitlements 133Customer Portal - Activating Entitlements 133Viewing License Updates 134Applying License Updates to SL AdminMode Keys 135Performing Development-related Tasks 135Generating Bundles of Provisional Products 136Generating the Sentinel LDK Run-time Environment Installer 137Exporting Definition Data 137Customizing and Branding the RUS utility 138

Enabling Trial Use and Grace Periods 138Example 1: Issuing a Provisional Product for Trial Use 138Example 2: Issuing a Product for a Grace Period 139

Chapter 11: Sentinel LDK Administration and Customer Services 140

Administration Tasks 140Maintaining User Details 141Maintaining Sentinel Master Keys 142

Customer Services 143

Chapter 12: Sentinel Remote Update System 144

RUS Utility Overview 144RUS Workflow 145Example: Using RUS for License Updates 146

Using RUS utility 146Instructions for Customers Using the RUS utility 146

Chapter 13: Generating Sentinel LDK Reports 150

Reports Facility Overview 150Permissions for Working With Reports 151Scheduling Reports 151Presentation Formats 152Export Formats 152Available Reports 152Custom Reports 152

PART 4 - DISTRIBUTING SOFTWARE 154

Chapter 14: Distributing Sentinel LDK With Your Software 156

17 Sentinel LDK Software Licensing and Protection Guide

Sentinel LDK Software for End Users 156Protection-related Software 156Network Environment Management 157Software for Updating Licenses 157

Distributing Sentinel LDK Run-time Environment 157Protection Keys That Require Sentinel LDK Run-time Environment 158Sentinel LDK Run-time Environment for Windows 159Sentinel LDK Run-time Environment for Mac 162Sentinel LDK Run-time Environment for Linux 163

Chapter 15: Sentinel Admin Control Center 164

Introduction to Admin Control Center 164Sentinel License Manager 165Types of License Managers 165Priority of Different Types of License Managers 166

Loss of Connection with a Network License 167Launching Admin Control Center 167Admin Control Center Interface 168Administrator’s Workflow 169Configuration Considerations 169

Applying Basic Configuration Changes Globally 172Customizing Admin Control Center Look and Feel 172Writing Templates 173Configuring Admin Control Center to Use Your Custom Template 175

Working With Sentinel Admin API 176

PART 5 - LICENSING MODELS 178

Chapter 16: Sentinel LDK Licensing Models: Overview 180

Introduction 180Sentinel LDK Licensing 181Determining the Best Protection and Licensing Method 182About This Section 182How to Use the Licensing Models 183

Chapter 17: Sentinel LDK Licensing Models: Description of Models 184

Evaluation Licensing Models 185Trialware 186High-security Time-limited Evaluation 187Execution-limited Evaluation 188

18

Demoware 189Component-based Licensing Models 190Module-based (Suites) 191Feature-based 192

Metered Licensing Models 193Time-limited Rental 194Phased Rental 195Micro-rental 196Subscription 197Pay-by-Peak Time (Peak Time) 199Time-based Overdraft 201Standard Counter 202Phased Counter 203Capacity (CPU/Memory/Disk) 204

Locked License Models 205Machine-locked 206User-locked 207

Mobile License Models 209Portable 210Commuter 211Software on a Key 212

Network License Models 213Limited Concurrent End Users in a Network 214Time-limited Concurrent End Users in a Network 215Execution-limited Concurrent End Users in a Network 216Volume 218Site 219

Sales Boosting Licensing Models 220KickStart (Quick-delivery Grace) 221Referral-based Sales 222Automatic Sales Agent 224

Perpetual Licensing Models 226Standard Perpetual Licensing model 227Perpetual Unlocked Licensing Model 228

PART 6 - APPENDICES 230

Appendix A: Understanding the Sentinel LDK Master Key Licenses 232

Licensing Concepts 233Activation Module License 234Standalone Licenses 234Network Seats 235

19 Sentinel LDK Software Licensing and Protection Guide

How New Activations and Update of Your Software Affect the Pool 236Additional Information 237

Trialware Module License 237Unlocked License Module 238Reporting Module License 238

Appendix B: Sentinel LDK Run-time Network Activity 240

Local Communications 241Remote Communications 242

Appendix C: Maximum Number of Features in a Sentinel HL Key 244

Appendix D: How Sentinel LDK Detects Machine Cloning 246

Overview 246Clone Detection for a Physical Machine 246Clone Detection for a Virtual Machine 247Virtual MAC Address 248CPU Characteristics 248UUID of the Virtual Machine 248

Appendix E: How Sentinel LDK Protects Time-based Licenses Locked toSentinel SL Keys 250

Tampering with the System Clock 250Re-enabling a Blocked Sentinel SL Key 251

Appendix F: How to Bundle Provisional Products Manually 252

Appendix G: How to Optimize Performance for Sentinel LDK Run-timeEnvironment 254

SL-UserMode License 254Run-time Environment 254Testing for Presence of Features 254

Appendix H: How to Upgrade a Sentinel HL Key to Driverless Configuration 256

Appendix I: How to Make Product Names Visible on the End User's Machine 260

Appendix J: Troubleshooting 262

20

Checklist 262Problems and Solutions 263

Glossary 266

Index 272

Familiarizing Yourself withSentinel Vendor Suite

This topic provides an introduction to Sentinel Vendor Suite. SafeNet recommends that you reviewthis information to familiarize yourself with:

n The contents of the Sentinel License Development Kit – Starter or Demo kit

n The major components of Sentinel Vendor Suite

n The information provided in this Guide

n How to obtain additional technical support for these products

Contents of the Sentinel License Development KitTwo Sentinel License Development Kits (Sentinel LDK) are available as part of the Sentinel VendorSuite—the Demo kit enables you to evaluate Sentinel LDK protection and licensing; the Starter kitenables you to apply Sentinel LDK protection and licensing to your software.

Sentinel LDK - Demo Kit

The Sentinel License Development Kit - Demo kit contains the software and hardware you need toevaluate Sentinel LDK protection and licensing. The following items are included:

n Sentinel Vendor Suite software on a single DVD

n Sentinel HL Demo keys to facilitate the evaluation process

n Sentinel LDK Software Protection and Licensing Quick Start card

n Sentinel LDK Software Protection and Licensing Tutorial

Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide(this book) and the Sentinel LDK Installation Guide, can be found on the computer where SentinelLDK is installed and on the product DVD.

Sentinel LDK - Starter Kit

The Sentinel License Development Kit - Starter kit contains the software and hardware you need toapply Sentinel LDK protection and licensing. The following items are included:

n Sentinel LDK software on a single DVD

n Sentinel Vendor keys:

o Sentinel Developer key for applying protection

23 Sentinel LDK Software Licensing and Protection Guide

o Sentinel Master key for defining and applying license terms

n Sentinel LDK Software Protection and Licensing Quick Start card

n Sentinel LDK Software Protection and Licensing Tutorial

Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide(this book) and the Sentinel LDK Installation Guide, can be found on the computer where SentinelLDK is installed and on the product DVD.

Sentinel HL keys for distribution to your customers must be ordered separately.

About This GuideThis guide is designed to help software publishers protect and license their software usingSentinel LDK. The guide provides background information and details about how Sentinel LDK canbest serve your protection and licensing requirements.

The guide is divided into the following parts.

n "PART 1 - GETTING STARTED" on page 28

Introduces Sentinel LDK, presents basic protection and licensing concepts, and leads youthrough the process of configuring the system. You should read this part after openingyour Sentinel LDK - Demo Kit or Sentinel LDK - Starter Kit.

n "PART 2 - PROTECTION" on page 42

Provides an in-depth presentation of Sentinel LDK protection methods. This part includesstrategies for maximizing the protection of your software using Sentinel LDK. This part isspecifically for software engineers who have the responsibility for using the Sentinel LDKprotection applications to protect software.

n "PART 3 - LICENSING" on page 88

Discusses the options that Sentinel LDK provides to enable you to apply flexible licensingterms to your software and provides case studies for you to examine. This part isparticularly relevant to product and business managers who have to make decisions abouthow their software is licensed. This part should also be read by operations staff and othersinvolved in production.

n "PART 4 - DISTRIBUTING SOFTWARE" on page 154

Details the Sentinel LDK software that can be delivered to end users to ensure optimalperformance of protected software. This part also describes the various ways of effectivelydelivering the Sentinel LDK software components.

n "PART 5 - LICENSING MODELS" on page 178

Provides an overview and detailed description of the various Sentinel LDK Licensing modelsthat you can use to distribute your software.

n "PART 6 - APPENDICES" on page 230

Major Components of the Vendor Suite 24

Provides the following supplementary information:

o A troubleshooting section that identifies various issues that you may encounter andprovides solutions

o Description of Sentinel LDK Run-time network activity

o Discussion of how Sentinel LDK detects machine cloning and how Sentinel LDKprotects time-based licenses

o Description of how to bundle Provisional Products manually

o Discussion of the Sentinel Master Key license modules

n " Glossary" on page 266

Major Components of the Vendor SuiteSentinel License Development Kit (Sentinel LDK) Vendor Suite contains many modules, tools, andAPIs that assist you to manage the protection and licensing of your application. This sectionprovides an overview of the most significant items in the Vendor Suite.

Sentinel LDK Envelope and Sentinel Licensing API

Sentinel LDK Envelope is a tool that wraps your application in a protective shield. This shieldensures that:

n The application is protected against disassembly and reverse engineering. Your intellectualproperty is protected.

n The protected application cannot run unless a specified Sentinel protection key can beaccessed by the application.

An application that has been protected by Sentinel LDK Envelope can use the Data Encryptionfacility to write initial encrypted application data to disk and to read it back. You can use theSentinel LDK Data Encryption utility to provide encrypted application data that is installedtogether with the protected application.

You can use Sentinel Licensing API to provide enhanced protection for your application and toenable the licensing of specific Features in the application.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive application that enables software developers to learn aboutthe following Sentinel APIs:

n Sentinel Licensing API

n Sentinel License Generation API

n Sentinel Admin API

In ToolBox, software developers can actually execute API functions, observe the behavior of thefunctions, and then copy the relevant source code into their own applications.

25 Sentinel LDK Software Licensing and Protection Guide

Admin Control Center

Sentinel Admin Control Center is a customizable, web-based, end-user utility that enablescentralized administration of Sentinel License Managers and Sentinel protection keys.

Sentinel RUS (Remote Update System)

Sentinel RUS utility is an advanced utility that enables you to perform secure, remote updating ofthe license and memory data of Sentinel protection keys after they have been deployed on theend user’s computer.

Sentinel EMS

Sentinel EMS is a web-based graphical application that is used to perform a range of functionsrequired to manage the licensing, distribution, and maintenance of protected applications.

You can use Sentinel EMS Web Services to perform the same functions programmatically. Thisenables you to integrate the EMS functionality into your own back end infrastructure.

Sentinel License Generation API

For ISVs who prefer to use their own ERP back-ends, Sentinel License Generation API providesaccess to the power and flexibility of Sentinel protection keys without the need to install the fullSentinel EMS system. You can use Sentinel LDK ToolBox to examine the API functions createlicense templates and to generate protection keys.

Sentinel HL Drive Partitioning Utility

Sentinel HL Drive is a device that includes Sentinel HL Max key functionality and a flash memorythat can be used as a mass storage device or as a CD ROM emulator (or both).

Using the Sentinel HL Drive Partitioning utility or the Sentinel HL Drive Partitioning API, you canload your Sentinel LDK-protected applications and data onto the CD ROM partition of a SentinelHL Drive, and deliver it to your customers. Your customers can save files to the Sentinel HL Drive,or load additional software on it, thus utilizing the convenience of disk-on-key functionality.

By default, the flash memory in Sentinel HL Drive is fully allocated as a mass storage device. Usingthe Partitioning utility or API, you can create a CD ROM emulation partition on which you canload your software data.

Sentinel EMS Customer Portal

Sentinel LDK provides an “activation” mechanism that enables a customer to quickly and easilyconvert a trialware version of your protected application to a fully-enabled version – whileprotecting your investment against software piracy. The end users can activate the trialwareversion using a unique product code that they receive from you after completing the requiredcommercial transaction to purchase a license for the application.

Sentinel EMS contains a separate Customer Portal. This is a Web portal that your customers canaccess in order to activate Provisional Products or Locked Products. The customer logs in to theCustomer Portal by providing a Product Key. The customer completes a registration form (if yourequire this) and then chooses the method to activate the Product. Online activation is completely

Contacting Us 26

automatic and activates the license on the local machine. Offline activation enables the customerto download a utility that can be used to activate the license manually on a different machine.

The Customer Portal is installed automatically as part of the Sentinel LDK Vendor Suite. TheSentinel LDK Product Activation Tutorial leads you through the complete process: define a Featurein EMS, define Products, enter an order, generate a product key, and finally activate the trialwareusing the Customer Portal.

Master Wizard

The Sentinel LDK Master Wizard tool allows software vendors to introduce their batch code intoSentinel EMS, for use with the various Vendor Suite applications. This tool also imports vendor-specific files from SafeNet servers, including API libraries and the vendor library used for software-based protection.

Contacting UsSafeNet has both international offices and many local distributors providing support forSentinel LDK—virtually whenever and wherever required.

Training

For additional information and training about Sentinel LDK implementation issues, contact ourteam of international consultants at the URL provided above. The consultants can provide youwith tailored training sessions on the following:

n Integration of Sentinel LDK into your product

n Analysis of the best protection strategy for your applications

n Assistance in implementation of your protection and licensing models

Obtaining SupportYou can contact us using any of the following options:

n Business Contacts - To find the nearest office or distributor, use the following URL:http://www.safenet-inc.com/contact-us/

n Technical Support - To obtain assistance in using SafeNet products, feel free to contactour Technical Support team:

o Phone: 800-545-6608 (US toll free), +1-410-931-7520 (International)

o E-mail: support@safenet-inc.com

o URL: http://sentinelcustomer.safenet-inc.com/sentinelsupport/

n Downloads - You may want to check out updated installers and other components here:www.sentinelcustomer.safenet-inc.com/sentineldownloads/

PART 1 - GETTING STARTEDIn this section:

n "Chapter 1: Understanding Sentinel LDK Software Protection and Licensing" on page 30

Provides an overview of the concepts of software and intellectual property protection andlicensing, discusses the primary protection solutions, and focuses on how Sentinel LDKprovides a comprehensive solution to all your protection requirements.

Chapter 1:Understanding Sentinel LDK

Software Protection and LicensingThis chapter provides an overview of the concepts of software and intellectual property protectionand licensing, discusses the primary protection solutions, and focuses on how Sentinel LDKprovides a comprehensive solution to all your protection needs.

SafeNet recommends that you familiarize yourself with the information in this chapter so that youcan maximize the benefits of using Sentinel LDK.

In this chapter:

n "Fundamentals of Protection" on page 30

n "Major Protection Solutions" on page 31

n "Fundamentals of Licensing" on page 33

n "Flexible and Secure Licensing Solutions" on page 33

n "Principles of Sentinel LDK" on page 34

n "Customizing Your Unique Solution" on page 35

Fundamentals of ProtectionThis section examines the nature of protection, and identifies the two types of protection that youneed to consider.

What is Protection?

Protection is the process of securing an application or intellectual property by incorporatingautomated and customized security strategies.

Protection is achieved by implementing specific security strategies, such as wrapping yourapplication in a security envelope, and incorporating various security measures within theapplication’s code during development. The greater the number of security measuresincorporated, and the higher the level of their complexity, the more secure your applicationbecomes.

1

31 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

It is not sufficient to protect only your software—you must also protect your intellectual property.Your professional expertise and the secrets that you use in developing your software, for examplealgorithms, must also be protected.

Copy Protection

Copy protection is the process of encrypting your software and incorporating various securitymeasures throughout the code and binding it to a key so that it can only be accessed byauthorized users who are in possession of the key. The more complex the copy protection appliedto your software, the less likely it is to be compromised.

Intellectual Property Protection

Your intellectual property is the foundation on which your products are developed. Intellectualproperty theft is surprisingly easy. Every year, companies report the loss of proprietaryinformation and intellectual property valued at many billions of dollars.

The algorithms and other secret information that you use to make your products unique andcompetitive must be protected against attempts to discover their secrets, or to apply reverseengineering to the software code.

Major Protection SolutionsWith Sentinel LDK, the ability to protect and license your software is facilitated by the use offlexible protection and licensing tools, together with a Sentinel protection key to which yoursoftware is subsequently bonded. This key may be either hardware-based or software-based.

Hardware-based Solutions

In hardware-based solutions, you supply an external hardware device together with yoursoftware. The functioning of your software is dependent on the device being connected to theend user’s computer. At run-time, your software communicates with the hardware device, andonly functions correctly if it receives an authentic response from the device.

Sentinel LDK provides a variety of hardware devices in the form of Sentinel HL keys. You can selectthe type of Sentinel HL key that best suits your requirements. For more information aboutSentinel HL keys, see "Sentinel HL Keys" on page 37.

Software-based Solutions

In software-based solutions, following the installation of your software on an end user’s computer,the protection and licensing is bonded to that specific machine. Your software will only functionafter a Product Key has been entered by the user. At run-time, the Sentinel License Managerchecks that the software is on the machine on which it is licensed to run and that it is being usedin accordance with the user’s license terms.

Sentinel LDK provides a robust software-based solution using Sentinel SL keys. A Sentinel SL keyresides in the secure storage of a specific computer and is patterned on the functionality of aSentinel HL key.

For more information about Sentinel SL keys, see "Sentinel SL Keys" on page 38.

Comparative Benefits of Hardware-based and Software-based Solutions

Strong protection and licensing security can be provided with either hardware- or software-basedsolutions. While many protection and licensing features are common to both options, each alsooffers specific strengths that might be comparatively limited in the other.

The following table highlights and compares some of the available benefits of hardware- andsoftware-based solutions, and the relative strengths of each option.

Feature Hardware-based Software-based

Software and Intellectual Propertyprotection

* * * * * * *

Secure Licensing * * * * * *

Trialware * * * * * *

Portability * * * * *

Electronic Software Distribution * * * * * *

Multiple Feature/Module Licensing * * * * * * *

Advantages of a Combined Solution

As shown in the preceding section, both solutions have their relative strengths in protecting andlicensing your software.

It is probable that you utilize various strategies for marketing, selling, and distributing yoursoftware. For example, these strategies may include:

n Determining the level of protection according to the price of the software

n Determining the level of protection according to market segments, including verticalmarkets

It is likely that your strategies will also require the following:

n The ability to turn trialware into a fully functional version using hardware- or software-based activation

n The ability to sell software over the Internet, protected with a hardware- or software-based key

Sentinel LDK Combined Solution

Sentinel LDK provides the industry’s first software DRM solution that combines hardware-basedand software-based protection and licensing.

This innovative, self-contained, flexible system enables you to:

n Implement multiple protection solutions

n Define multiple license models according to the requirements of your market, and applytheir usage terms independently of the protection process

Major Protection Solutions 32

33 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

n Select hardware-based (Sentinel HL) or software-based (Sentinel SL) protection keysindependently of the protection process

Fundamentals of LicensingIn addition to protecting your software and intellectual property, you need to protect the revenuefrom sales of your product. You want to ensure that your software is only available to theappropriate users, according to the terms that you define. This process is controlled by licensing.

Licensing provides you with the flexibility to implement your business strategies for your softwaredistribution. When you define the licensing terms on which your software is distributed or sold,you select the terms that are commercially beneficial to your company.

For example, you may decide that you initially want to distribute your software free of charge, sothat users can try it before purchasing. You will want to ensure that users can use it for only alimited time before it must be purchased.

Alternatively, you may publish very complex, expensive software. You may decide to make specificcomponents of that software available for a lower price, thus making parts of it accessible to userswho cannot afford the full-featured version. Such a decision creates an additional revenue source.

To obtain the maximum benefit from your company’s licensing strategy, you need a softwarelicensing system that provides you with the flexibility to tailor licensing terms to fit your businessstrategies, and to adapt quickly to changes in the market and in your business needs. Yourlicensing system must also be able to enforce your defined usage terms with secure licensingmethods.

Flexible and Secure Licensing SolutionsSentinel LDK gives you the flexibility to choose and apply licensing models and license terms foryour protected software on-the-fly. This enables your company to offer attractive softwarepackages and to adapt rapidly to changes in customer purchasing preferences.

Licensing Planning and Models

An important step in the development of a licensing strategy is the preparation of a licensing plan.Business decision-makers in an organization, such as product or marketing managers, defineprotection and business rules, and specify the licensing models required to meet the company’ssoftware distribution needs.

A licensing model is the logic behind a business transaction relating to licensing. For example, arental license model enables you to charge for the use of software for a specific period of time.

Sentinel LDK enables you to choose from a variety of built-in licensing models, and to customizeand build licensing models and software usage terms to meet your company’s individualrequirements.

Sentinel LDK supports numerous out-of-the-box license models, that can be used individually or incombination, including:

n Trialware (try-before-you-buy)

n Rental/Subscription

n Module-/Feature-based

n Floating Usage

n Time-based

n Execution-based

You can easily define custom licensing models and usage terms using the functionality providedby Sentinel LDK. For example, Sentinel LDK functionality enables you to utilize secure read-onlyand read/write memory storage, flexible counters, and a real-time clock incorporated in theSentinel protection key.

The separation of the engineering and licensing processes embodied in Sentinel LDK makes itpossible to modify your company’s licensing strategy as necessary when circumstances change,and to implement these changes quickly and efficiently.

Updating and Enforcing Usage Terms

When implementing a licensing plan, it is essential to ensure that the software usage termsdefined in the plan are securely applied and that licenses reach their legitimate owners. Newlicenses, and changes and extensions to licenses that have already been deployed, can be subjectto tampering if not adequately protected.

Sentinel LDK applies optimal security to the enforcement of usage terms and license extensions.License extensions sent to end users are highly protected, and require the return of a securereceipt. In addition, state-of-the-art Sentinel LDK technology prevents tampering with usage terms.

Principles of Sentinel LDKThe strength, uniqueness, and flexibility of Sentinel LDK are based on two primary principles:

n Protect Once—Deliver Many—Evolve Often: The concept of separating the Sentinel LDKengineering and business processes.

n Cross-Locking: The technology that supports the Protect Once—Deliver Many—EvolveOften concept, enabling a protected application to work with either a Sentinel HL key or aSentinel SL key.

Protect Once—Deliver Many—Evolve Often

At the heart of Sentinel LDK lies the Protect Once—Deliver Many—Evolve Often concept. Thisconcept is the process of protecting your software completely independently of the process ofdefining sales and licensing models.

Principles of Sentinel LDK 34

35 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Separation of Protection and Business Functions

The engineering process—that is, the protection of your software—is performed by your softwareengineers using Sentinel LDK Envelope, Sentinel LDK ToolBox and the Sentinel Licensing APIprotection tools.

The business processes—that is, software licensing and selection of the appropriateSentinel protection key—are performed by business management using Sentinel EMS.

As part of the business processes, the Evolve Often stage delivers the capability for you and yourend-users to:

n Actively track delivery and activation status of end-user entitlements.

n Track when, how, and by whom your software is being consumed.

n Easily manage terms of each entitlement using Sentinel EMS.

The protection processes and the licensing processes—including selection of the appropriateSentinel protection key type—are performed completely independently of each other.

Cross-locking

Cross-locking is the Sentinel LDK process that enables you to choose the device to which yourprotected application and license will be locked—either to a Sentinel HL key or, via a Sentinel SLkey, to a specific computer.

The decision about the type of Sentinel protection key to which your software is locked isdetermined after protection has been implemented—you choose the options that best suit yourcurrent business strategies.

Mixing and Matching Licenses and Sentinel protection keys

Sentinel LDK gives you complete flexibility to choose the combination of license andSentinel protection key that best suits your business requirements. This means that you decidehow to bundle your protection, licensing and distribution requirements.

You may choose to release protected software as a downloadable product with a Trialware licensethat, after purchase, is activated with a Sentinel SL key. Additionally, you may choose to ship thesame protected software with a network license that is locked to a Sentinel HL key, and allowusers unlimited access to all features.

Sentinel LDK offers you an unprecedented number of possible options to combine licenses andSentinel protection keys.

Customizing Your Unique SolutionSentinel LDK provides you with a variety of applications and personalized devices that enable youto customize a protection and licensing solution that is appropriate to your business needs:

n Sentinel LDK Envelope enables you to wrap your software in a protective shield at thetouch of a button—without having to adjust your source code. It establishes a linkbetween your protected software and a Sentinel protection key, even though theselection of key is determined at a later time.

n Sentinel LDK ToolBox and the Sentinel Licensing API enable you to enhance the protectionoffered by Sentinel LDK Envelope, by incorporating complex protection mechanisms intoyour source code.

n Sentinel EMS enables you to create licenses and lock them to Sentinel protection keys, towrite specific data to the memory of a Sentinel protection key, and to update licensesalready deployed in the field. These processes are performed independently of theprotection process.

n Customized Sentinel Vendor keys are used in-house by your staff, together withSentinel LDK state-of-the-art security applications.

n A selection of Sentinel protection keys enable you to meet the specific requirements ofyour business. Your unique Sentinel protection keys ensure that your applications willonly function when the correct key, supplied by you, is present.

n Additional applications and utilities provide advanced support for these key elements ofSentinel Vendor Suite.

Personalized Vendor and Batch Codes

When you purchase a Sentinel License Development Kit – Starter from SafeNet, you are providedwith Sentinel Vendor keys that contain unique Vendor Codes that are specific to your company.The codes are used by Sentinel LDK to communicate with your Sentinel protection keys, and todifferentiate your keys from those of other software vendors.

Vendor Code

The Vendor Code is a unique confidential code assigned to you by SafeNet when you place yourfirst order for Sentinel protection keys. It is integrated into your Sentinel Vendor keys. When youare protecting your software and licenses to Sentinel protection keys for distribution, the VendorCode is extracted from your Sentinel Vendor keys.

Batch Code

A Batch Code consists of five characters that represent your company’s unique Vendor Code.When you order Sentinel protection keys from SafeNet, you specify your Batch Code, which isthen written to the keys before dispatch. To easily identify the batch to which a Sentinel HL keybelongs, the Batch Code is written on the outside of each key.

Selecting the Best Key for Your Requirements

Sentinel LDK protection and licensing are key-based. Your software is distributed with uniqueactual and/or virtual Sentinel protection keys that you code according to your requirements.

There is a strong inherent link between a protected application and its correspondingSentinel protection key. Protection is based on making access to the protected applicationdependent on the presence of a correct Sentinel protection key.

Customizing Your Unique Solution 36

37 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Similarly, when licensing is implemented using Sentinel LDK, the operation of your software isdependent on the presence of a valid license in a Sentinel protection key.

A variety of Sentinel protection keys are available to provide you with the flexibility to sell yoursoftware in the ways that are most beneficial to your business goals.

Sentinel Vendor Keys

When you purchase Sentinel LDK, you are provided with two Sentinel Vendor keys—theSentinel Master key and the Sentinel Developer key. These keys enable you to apply protection toyour programs, program the Sentinel protection keys that you send to your end users, and tospecify the license terms under which your software can be used.

Sentinel Developer key

The Sentinel Developer key is used by your programmers in conjunction with the Sentinel LDKprotection tools to protect your software and data files.

Sentinel Master key

The Sentinel Master key is used by your production staff to create licenses and lock them toSentinel protection keys, to write specific data to the memory of a Sentinel protection key, and toupdate licenses already deployed in the field. To generate licenses, the Sentinel Master key mustbe connected to the machine where Sentinel EMS is installed or where the program that callsSentinel License Generation API is running. License generation cannot be performed over RDP(that is, over a remote connection to the system where the Master key is connected).

End-User Keys

Two types of Sentinel protection keys are available—Sentinel HL keys, which are physical USB orExpressCard keys that connect to a computer, and Sentinel SL keys, which are software-based keysthat lock your software to a specific machine. Your software and the user license are locked to theSentinel protection key that you select.

All Sentinel HL keys—with the exception of Sentinel HL Basic keys—contain internal read/writememory. You can use the memory to do any of the following:

n Control access to specific software modules and/or packages

n Assign a unique code to each software user

n Store licenses from your own licensing schemes

n Save passwords, program code, program variables, and other data

Sentinel SL keys are patterned on the functionality of Sentinel HL keys. However, the data islocated in the secure storage of the computer on which the Sentinel SL key resides.

Sentinel HL Keys

Sentinel HL keys are distributed with your software to end users. The keys connect to the endusers’ computers. A variety of Sentinel HL keys are available to suit your requirements. Sentinel HLkeys are available in either of two configurations:

n Sentinel HL (HASP configuration) keys: These keys are fully compatible with software thatrequires the older HASP HL keys.

Sentinel HL (HASP configuration) keys can be upgraded in the field to Sentinel HL(Driverless configuration) keys. For more information, see "Appendix H: How toUpgrade a Sentinel HL Key to Driverless Configuration" on page 256.

n Sentinel HL (Driverless configuration) keys: These keys provide several advantages overSentinel HL (HASP configuration) keys:

o (On a Windows machine) Employ HID drivers instead of HASP key drivers. (HIDdrivers are an integral part of the Windows operating system.) In many cases, it ispossible to use these keys without installing any additional support software.

o Support a higher number of Features.

o Provide larger on-key memory space.

Sentinel HL keys offer the highest level of security. In order for a user to access your software, andfor it to function correctly, the key must be accessible by the application. Furthermore,Sentinel LDK uses LicenseOnChip technology to protect Sentinel HL keys against license tampering.

Sentinel HL keys also have the advantage of portability. This means that the key can be movedfrom one computer to another. Software may therefore be installed on multiple computers butwill only run if the key is connected and authenticated by the software.

For full technical specifications of the available Sentinel protection keys, refer to the Sentinel HLdata sheet.

Sentinel LDK continues to support the older HASP HL keys. All references to Sentinel HLkeys in this document and other Sentinel LDK documents can be understood to includeHASP HL keys unless the context of the reference clearly states otherwise.

Sentinel SL Keys

Sentinel SL keys are virtual, software-based keys that reside in the secure storage of a specificcomputer. Sentinel SL keys provide the same functionality as Sentinel HL keys, without requiringphysical distribution.

After your software is installed on a computer, the end user typically enters a Product Key that issent, via the Internet or by file transfer, to Sentinel EMS, together with the fingerprint of themachine. Sentinel EMS confirms that the Product Key has not been used to activate the softwareon more than the permitted number of machines—as determined by you—then sends back theSentinel SL key, which is installed on the end user’s machine. This process is also used forupdating license terms.

Several types of Sentinel SL keys exist:

n SL Legacy - SL keys that were generated with versions of Sentinel HASP prior to SentinelLDK v.6.0

n SL AdminMode - SL keys that provide the highest level of security and functionality

n SL UserMode - SL keys that provide a greater level of flexibility under certaincircumstances

Customizing Your Unique Solution 38

39 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

For information about the attributes of Sentinel SL keys, see "Protection Key Attributes" on page39.

For information about how Sentinel LDK prevents tampering of time-based licenses locked toSentinel SL keys, see "Appendix E: How Sentinel LDK Protects Time-based Licenses Locked toSentinel SL Keys" on page 250.

Available Sentinel protection keys

For full technical specifications of the available Sentinel protection keys, refer to the relevantproduct data sheet.

Protection Key AttributesThe various types of Sentinel protection keys that are available provide different levels of securityand flexibility, as described below.

Type ofProtection Key

Level ofSecurity

SupportedOperatingSystems

SupportsApplications ThatUse Overlays

Network KeySupportsDetachableLicenses

SupportsRemoteProtectedApplication

HL + + + + + WindowsMacLinux

Yes No Yes (HLNetwork key)

SL AdminMode + + + + WindowsMacLinux

Yes Yes Yes (SL keywithconcurrency)

SL UserMode (Exceptfor Provisional)

+ + + Windows No No No

SL UserMode(Provisional)

+ Windows No No No

SL Legacy + + + + WindowsMacLinux

Yes Yes Yes (SL keywithconcurrency)

For additional information, see "Protection Keys That Require Sentinel LDK Run-timeEnvironment" on page 158.

Sentinel LDK Protection Process

When you are developing your software, your engineers integrate a variety of calls to data storedin the memory of the Sentinel protection key.

Encryption and Decryption

Sentinel LDK encryption and decryption are based on the Advanced Encryption Standard (AES)algorithm. The encryption secret of the algorithm is stored in the Sentinel protection key. To

enhance security, all communication between an application and a Sentinel protection key israndomly encrypted. This inhibits emulation of a Sentinel protection key.

Obtaining Additional Information About Sentinel LDKThis chapter has provided an overview of the major concepts and principles of Sentinel LDK, andthe comprehensive protection and licensing solution that Sentinel LDK provides.

The remainder of this guide explains in detail how you can best use the many elements ofSentinel LDK to meet your company’s software protection, licensing, and distributionrequirements.

Additional information is available in the help systems for the various Sentinel LDK tools, and inadditional Sentinel LDK documentation that you can download using the following URL:

www.sentinelcustomer.safenet-inc.com/sentineldownloads/

Obtaining Additional Information About Sentinel LDK 40

PART 2 - PROTECTIONIn this section:

n "Chapter 2: Protecting Software" on page 44

Provides an overview of Sentinel LDK software protection, including its fundamentalelements, a summary of how it works, and an introduction to Sentinel LDK protectionmethods.

n "Chapter 3: Sentinel Licensing API Protection" on page 50

Provides an overview of the Sentinel Licensing API, details the prerequisites for using theAPI, introduces the Sentinel LDK ToolBox application and describes the functionality of theAPI.

n "Chapter 4: Sentinel LDK Envelope Protection" on page 58

Provides an overview of software protection using Sentinel LDK Envelope, details theprerequisites for using the application, and describes its functionality. In addition, itdescribes the Sentinel LDK Envelope protection parameters and how to encrypt data files.

n "Chapter 5: Protection Strategies" on page 78

Outlines strategies for maximizing Sentinel LDK protection, including best practices andoptimizing the use of the Sentinel Licensing API and Sentinel LDK Envelope.

n "Chapter 6: Working with the Sentinel LDK Data Encryption Utility" on page 84

Describes data file protection using the Sentinel LDK Data Encryption utility. It includesinformation about who should encrypt data files and when they should be encrypted.

Chapter 2:Protecting Software

This chapter provides an overview of Sentinel LDK software protection, including its fundamentalelements, a summary of how it works, and an introduction to Sentinel LDK protection methods.

In this chapter:

n "Sentinel LDK Protection " on page 44

Sentinel LDK ProtectionSentinel LDK is an innovative, advanced solution for protecting software against illegal orunauthorized use. The solution deters illegal access and execution of protected applications.

A deployed Sentinel LDK-protected program requires access to a specific Sentinel protection key inorder to run. The protected program queries the Sentinel protection key for pre-definedinformation. If the Sentinel protection key is not present, or the information returned is incorrect,the program does not execute, or stops functioning.

After you have selected a Sentinel LDK protection method, implementation is straightforward.Regardless of the selected protection strategy, protected programs only work correctly if they canaccess the information stored in a specific Sentinel protection key.

Elements of Sentinel LDK Protection

The Sentinel LDK protection system is based on the following:

n Protecting programs and data files

n Identifying the Sentinel protection key

n AES encryption

n Confidential protection parameters

n Utilizing Protection Key memory

n Anti-debugging and reverse engineering measures

Protecting Programs and Data Files

Sentinel LDK provides two primary protection methods:

2

45 Chapter 2: Protecting Software

n Sentinel LDK Envelope

n Sentinel Licensing API

When you protect your software using either of these methods, you are essentially forming aninherent link between the protected application and a specific Sentinel protection key.

What can be Protected

Sentinel LDK enables you to protect a variety of applications and data files. You can applyprotection directly to:

n Compiled executables, DLLs and .NET assemblies

n Specific functions or entire programs. Sentinel LDK protects all levels of software fromfunction level to entire programs

n Sensitive data and intellectual property

All the above are protected against any attempt at reverse engineering.

For additional information about the available protection parameter options, see the followingchapters:

n "Chapter 3: Sentinel Licensing API Protection" on page 50

n "Chapter 6: Working with the Sentinel LDK Data Encryption Utility" on page 84

Availability of the Sentinel protection key

The Sentinel protection key, or to be more precise—the intelligence contained within theSentinel protection key—is the primary component of the Sentinel LDK protection system.

The main factor governing Sentinel LDK protection is whether a deployed program can identifyand access the intelligence contained in a specific Sentinel protection key at run-time. This factor isunambiguous—the Sentinel protection key is either available or is not available!

Regardless of the protection method adopted, protected programs only function when they canaccess the required information contained in a specific Sentinel protection key.

Sentinel protection keys, and their ‘intelligence’ cannot be cloned to replicate the link betweenthem and the protected program.

AES Encryption

A protected program relies on the ‘intelligence’ in the memory of a specific Sentinel protection keyin order to function. In addition to the checks for the Sentinel protection key, data can beencrypted and decrypted using the intelligence available in the Sentinel protection key.

AES Encryption and Decryption

The encryption engine in the Sentinel protection key is based on the AES algorithm. Sentinel LDKencryption uses a set of confidential 128-bit encryption keys that remain in the Sentinel protectionkey.

Your protection schemes should always involve greater sophistication than merely confirming thepresence of the required Sentinel protection key. However, verifying the requiredSentinel protection key through data encryption and decryption requires forward planning. First,encrypted data must be available. This data must then be sent to the Sentinel protection key,where it is decrypted.

If the data is correct, the Sentinel protection key is considered to be “present.” For additionalinformation, see "Time Functions" on page 57.

Confidential Protection Parameters

The essence of software protection is confidentiality. Without confidential elements, any softwaresecurity system is vulnerable to attack.

Vendor Code

Each Sentinel LDK customer is assigned a unique Vendor Code that must be kept confidential. TheVendor Code forms an integral part of the protection parameters that constitute the inherent linkbetween the protected programs and the Sentinel protection key. However, the Vendor Code isonly part of the link. The code on its own is insufficient to prevent illegal use of the software. Itmerely provides the protected software with access to the Sentinel protection key and itsresources.

All Sentinel LDK protection applications require the Vendor Code. For information on how toaccess the code, see "Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.

Utilizing Protection Key Memory

The secure memory on Sentinel protection keys can be utilized (read and write) as a component ofthe protection scheme for the software. Confidential data can be stored in the Protection Keymemory, including snippets of program code, customer name, or any other data.

Use the memory editors included in Sentinel LDK ToolBox to read or write data in the ProtectionKey memory. For additional information, see "Memory Functions" on page 57.

Anti-Debugging and Reverse Engineering Measures

Sentinel LDK protects intellectual property and provides the functionality to combat anti-debugging and reverse engineering. Anti-debugging and reverse engineering usually try to unravelthe protection scheme of protected software by tracing a compiled application to its source code.Sentinel LDK Envelope implements contingency measures to ward off such attacks and preventhackers from uncovering algorithms used inside protected software.

Selecting a Protection Method

Sentinel LDK offers two software protection methods; Sentinel Licensing API and Sentinel LDKEnvelope. Both methods establish an inherent link between the protected software and theintelligence contained in a specific Sentinel protection key.

When selecting a protection method, the following issues must be considered:

n What the Sentinel protection key should protect

n How the Sentinel LDK protection parameters are best applied

Sentinel LDK Protection 46

47 Chapter 2: Protecting Software

n Whether the time required to implement the solution is a critical factor

n Whether flexibility in implementing the protection scheme is important

These issues are discussed in the following sections.

What to Protect

When protecting software with Sentinel LDK, there are various options for applying protection.Sentinel Licensing API is used to protect the software before it is compiled. Protection can also beapplied after the software is compiled using Sentinel LDK Envelope. You can choose whether toapply protection to an entire program, a subprogram, or simply to a Feature.

You may opt to use either the Sentinel Licensing API or the Sentinel LDK Envelope protectionmethod, or both, depending on your specific requirements. Use the following table to determinewhich method best meets your specific requirements.

Sentinel LDK Envelope Sentinel Licensing API

Quick, automatic protection process that shields your software Manual implementation ofcalls to Sentinel Licensing API

Define specific protection parameters for your programs Controlled process ensuringmaximum security. Thestrength of protection isproportional to the degree towhich the Sentinel LicensingAPI functionality is invested inimplementation.

No source code required Source code must be available

Anti-debugging and reverse engineering measures provided Maximum flexibility

Importance of Control over the Protection Scheme

When applying protection using Sentinel Licensing API, you control the entire protection process.You determine when the protected program queries the Sentinel protection key, and how itshould behave in different scenarios. With Sentinel LDK Envelope, compiled programs are wrappedwith random protection parameters. If you run Sentinel LDK Envelope twice to protect the sameprogram, two different output files are produced with different protective modules and shields.

Significance of the Time Factor

When a high protection level is specified in Sentinel LDK Envelope, file size increases and theprotected application takes longer to launch. Consider this factor when you are deciding on theprotection level settings that you choose. Aim for the optimal balance between protection leveland launch time.

How to Apply Protection

When using the Sentinel Licensing API, protection is integrated at the source code level in acarefully considered manner. You determine where in the source code to place calls to the SentinelLicensing API.

Sentinel LDK Envelope offers an automated, speedier method of protecting software. You definesettings for protection parameters that are applied to protected programs.

When enabling or disabling some features you might reduce the level of protectionprovided by the software.

Sentinel LDK Protection 48

Chapter 3:Sentinel Licensing API Protection

This chapter describes the Sentinel Licensing API protection method.

In this chapter:

n "Overview" on page 50

n "Sentinel Licensing API Prerequisites " on page 51

n "Learning About the Sentinel Licensing API" on page 52

n "Implementation" on page 53

n "Sentinel Licensing API Functionality" on page 56

OverviewThe Sentinel Licensing API (application programming interface) is a robust method of softwareprotection, the strength of which is wholly dependent on its implementation.

The extent to which the functionality afforded by the Sentinel Licensing API is utilized, determinesthe overall level of software security. To fully utilize the protection offered by the Sentinel LicensingAPI, strive to maximize the complexity and sophistication of your implementation.

It is essential that, before protecting your application, you are familiar with the overallfunctionality of the Sentinel Licensing API. For a description of the functions that make up theSentinel Licensing API, see the Sentinel LDK ToolBox help system.

To protect your software using the Sentinel Licensing API, you insert calls to a Sentinel protectionkey throughout your application’s source code. You can add calls to your application that checkfor the presence of a Sentinel protection key at any point during run-time, and you can designateresponses to these checks. For example, if the required Sentinel protection key is not found, youmight specify that the protected application suspend or terminate itself.

Your application can also check the memory of a Sentinel protection key for specific data. Inaddition, you can use the Sentinel Licensing API to encrypt or decrypt data.

To facilitate a speedy learning curve, SafeNet recommends that you familiarize yourself with andtest specific Sentinel Licensing API functions using Sentinel LDK ToolBox. Sentinel LDK ToolBox is aGUI-based application that interfaces with various Sentinel LDK APIs. For additional information,see "Learning About the Sentinel Licensing API" on page 52.

Sentinel LDK also includes Sentinel Licensing API sample folders for specific compilers. EachSentinel LDK interface includes a sample application demonstrating API usage and a specific header

3

51 Chapter 3: Sentinel Licensing API Protection

file. The sample applications are located in the Samples folder in the Windows directories on theSentinel LDK installation DVD.

Universal Sentinel Licensing API

The Sentinel Licensing API is a universal API that works with all Sentinel protection keys. SentinelLicensing API implementation and usage is independent of the Sentinel protection key you use.

Utilization of the Sentinel Licensing API is independent of the access mode used to search for aspecific Sentinel protection key. The same Sentinel Licensing API functions are used to enableprograms’ access to remote Sentinel protection keys, or Sentinel protection keys that are presentlocally.

Sentinel Licensing API PrerequisitesYou may have to install the Sentinel Run-time Environment in order to enable the Licensing API.For more information, see "Protection Keys That Require Sentinel LDK Run-time Environment" onpage 158. For additional information, see the Sentinel LDK Installation Guide.

Vendor Code

It is necessary to provide the Vendor Code in order to access a Sentinel protection key and itsresources, including memory. Vendor Codes are usually stored in the VendorCodes folder. On mostWindows installations, the directory is located at:

…\Documents and Settings\[userName]\My Documents\SafeNet\Sentinel LDK 7.0\VendorCodes

In the Sentinel LDK Demo Kit, customers are provided with Sentinel HL Demo keys that work withthe DEMOMA Vendor Code. This Vendor Code can be used to apply protection with the SentinelLicensing API.

Do not distribute software protected with a Sentinel HL Demo key. This Sentinel protectionkey is only for evaluation purposes.

The first time you order Sentinel protection keys, you also receive two Sentinel Vendor keys—aSentinel Developer key and a Sentinel Master key—that contain your company’s uniqueconfidential Vendor Code. The Sentinel Developer key is used by engineers for adding protectionto your software. The Sentinel Master key is used for producing licenses and orders.

Sentinel Vendor Suite applications (Sentinel LDK Envelope, Sentinel LDK ToolBox, and Sentinel EMS)must recognize and have access to the unique Vendor Code that was assigned to you when yourfirst order was supplied by SafeNet. The Vendor Code is stored inside your Sentinel Vendor keys.Sentinel Vendor keys are introduced using the Master Wizard, as described in the followingsection.

If you have already introduced your Sentinel Developer key, it is usually not necessary tore-introduce it.

Extracting the Vendor Code from Sentinel Vendor Keys

You need to extract the Vendor Code from your Sentinel Vendor keys so that the Sentinel LDKsystem will recognize it when you are working with any of the Vendor Suite applications.

Depending on your Sentinel LDK configuration, if you launch a Sentinel Vendor Suite application,and you have connected a new Sentinel Vendor key to your computer, the Master Wizard willlaunch automatically. Alternatively, you can launch the Master Wizard manually.

For detailed information on using the Master Wizard, see the chapter on introducing Vendor keysin the Sentinel LDK Installation Guide.

By default, your Vendor Code information is saved in the following directory:

n For Windows XP: %UserProfile%\My Document\SafeNet\Sentinel LDK 7.0\VendorCodes

n For Windows Vista or Windows 7: %LocalAppData%\SafeNet\Sentinel LDK 7.0\VendorCodes

Vendor-specific File Naming Conventions

The format of a Vendor Code file name is BatchCode.hvc. For example, if your Batch Code isW3FLY, the file name will be W3FLY.hvc. (The Batch Code is a representation of your confidentialVendor Code.) Your Sentinel Vendor keys and all your Sentinel HL keys are labeled with your BatchCode.

By default, Sentinel Vendor Suite applications search the VendorCodes folder for your VendorCode/Batch Code information.

The format of API library names (for Windows) is hasp_windows_language_vendorID.libraryExtension. For example, hasp_windows_demo.lib is a C-language API libraryassociated with a demo key.

Learning About the Sentinel Licensing APIThere are two components of Sentinel LDK that enable you to study how the Sentinel LicensingAPI works, and its range of capabilities.

n Sentinel LDK ToolBox: A utility with a graphical user interface that is part ofSentinel Vendor Suite. For more information, see "Sentinel LDK ToolBox" on page 52.

n Sentinel Licensing API Samples: A set of examples for implementing the Sentinel LicensingAPI. For more information, see "Sentinel Licensing API Samples" on page 53.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive interface to work with various Sentinel LDK APIs. You canexecute calls to the Sentinel Licensing API using Sentinel LDK ToolBox. The calls are then relayed toa Sentinel protection key.

To use Sentinel Licensing API with Sentinel LDK ToolBox you must have a Sentinel Developer keyand a valid Vendor Code so that you can access Sentinel protection keys. Sentinel LDK ToolBox islaunched from Sentinel Vendor Suite. For more information, see the Sentinel LDK ToolBox helpsystem.

Learning About the Sentinel Licensing API 52

53 Chapter 3: Sentinel Licensing API Protection

API-related Functionality

Sentinel LDK ToolBox serves as a training tool for the Sentinel APIs. Sentinel LDK ToolBoxfunctionality enables you to:

n Display the source code generated for each function call. This generated source code canbe copied and pasted into your application source code.

n Evaluate manual implementation of each API . Every API function included in Sentinel LDKToolBox is displayed on a separate screen. To execute a function call, you provide specificinformation related to the selected function.

n Transfer memory buffers to the AES encryption engine in a Sentinel protection key. Theprogram can also be used to decrypt data buffers.

n Create multiple programming language interfaces for the various APIs.

Sentinel Licensing API Samples

Sample applications are provided to demonstrate how to implement Sentinel Licensing APIprotection in your source code. The samples demonstrate how the API functions work.

Your Sentinel LDK installation contains folders for various interfaces and compilers. Each folderincludes the requisite API libraries, a header file and a sample application. The Sentinel HL Demokey—marked DEMOMA—must be connected to your computer when using the sampleapplications.

See the Sentinel Web site and the Sentinel LDK Installation DVD for information onavailable samples for specific programming languages.

ImplementationThis section describes the pre-implementation issues you should consider, and the workflow forimplementing the Sentinel Licensing API. It also provides an overview of how to log in to and outof a session.

Planning Your Requirements

Before implementing the Sentinel Licensing API, the following preliminary issues should beconsidered.

n What do you want to protect?

This may seem obvious, but it is crucial when you decide where to place the calls to theSentinel protection key. Typically, you would want to verify the presence of theSentinel protection key at startup. However, you can also identify certain aspects of thesoftware to protect, and apply your Sentinel Licensing API calls accordingly.

n Will encrypted data be included in my implementation scheme?

If you plan to use encrypted data at run-time, use Sentinel LDK ToolBox to encrypt thedata. Insert the encrypted data when implementing the Sentinel Licensing API. The data isdecrypted at run-time by the Sentinel protection key.

n Is data going to be stored in the Protection Key memory?

If the software is protected by a Sentinel protection key with memory functionality, sensitivedata can be stored in the Sentinel protection key. The Sentinel Licensing API enables accessto read from or write to Protection Key memory. Use Sentinel LDK ToolBox to write databuffers to Protection Key memory.

Sentinel Licensing API Workflow

After planning what data is going to be protected and how that protection will be applied, you areready to protect your application with the Sentinel Licensing API.

The recommended workflow for implementing the Sentinel Licensing API is as follows:

1. Study the code of the sample application corresponding to your developmentenvironment.

2. In your application source code, insert a login call to the Sentinel protection key. Asuccessful login establishes a login session. The login session has its own unique handleidentifier.

The session identifier is self-generated and applies to a single login session. For moreinformation, see the description of the hasp_login_scope function in the Sentinel LicensingAPI help system or in the Sentinel LDK ToolBox help system.

3. After a login session is established, you can use other Sentinel Licensing API functions tocommunicate with the Sentinel protection key. For example, you can use the hasp_decryptfunction to decrypt important data used by your application. You can also read data storedin the Sentinel protection key memory, set timestamps, and other actions.

4. Using the output generated in Step 3, check for potential mismatches and notify the useraccordingly.

5. Repeat steps 2–4 throughout the code.

6. Compile the source code.

After you have compiled the source code, use Sentinel LDK Envelope to add an extra layerof protection to your software. This process also prevents reverse engineering of protectedcode.

Sentinel Licensing API Login Function

The login function is the gateway to Sentinel Licensing API implementation. You must open asuccessful login session to search for and communicate with a Sentinel protection key. To log intoa Sentinel protection key, you need to provide a Feature ID and a valid Vendor Code.

Implementation 54

55 Chapter 3: Sentinel Licensing API Protection

If the Sentinel protection key is not accessible by the computer, an error message is displayed. Anerror message is also displayed if the declared Vendor Code is not valid for a detectedSentinel protection key.

Sentinel LDK Login Operation Summary

Login Options

When using the Sentinel Licensing API implementation, login calls are not dependent on specificSentinel protection keys. However, when performing login calls you must specify what it is thatyou are actually logging into. When logging in you must declare:

n If you are logging into a default or a specific Feature

n How to search for the Sentinel protection key

n How the login counter should be handled

n Whether to enable or disable connection to the Sentinel protection key via a terminalserver

Declaring Feature IDs

You can either log into a specific Feature, or to the default Feature stored in theSentinel protection key. The default Feature is assigned Feature ID 0.

When logging into a licensed Feature, the protected application not only checks for the presenceof the Sentinel protection key, it also checks the terms of the license contained in that key. If thelicense is valid, the Feature is enabled.

Controlling Login Calls

Additional aspects of a login call can be controlled when implementing the Sentinel Licensing API,as follows:

n Search options

n Login counter

n Terminal server detection

n Enabling access to Sentinel HL v.1.x keys

Search Options

The default search setting enables a protected application to search both the local computer andthe network for the required Sentinel protection key. You can limit the Sentinel protection keysearch option, as follows:

n Search only the local PC for a Sentinel protection key

n Search only the network for a connected Sentinel protection key

Login Counter

By default, when a Sentinel LDK license is accessed in a Sentinel HL Net key, license usage isdetermined by counting the number of workstations that use the protected application. You canchange this condition so that license usage is based on the number of protected applicationprocesses that are in use.

Access to Legacy Memory on Sentinel HL Key

By default, the Sentinel LDK system does not enable access to the legacy memory on Sentinel HLkeys. To override this restriction, select the Allow access to Sentinel HL v.1.x check box in theSentinel LDK ToolBox Settings window.

Every Sentinel protection key login session must be terminated with a correspondinglogout call.

Sentinel Licensing API FunctionalityThe extent of the protection afforded by the Sentinel Licensing API is dependent on the way that itis implemented. Calls to a Sentinel protection key that are inserted in the source code controlaccess to the application at run-time.

This section describes the Sentinel Licensing API options that are available after a successful loginsession is established. For a detailed discussion about how to optimize your Sentinel Licensing APIimplementation, see "Chapter 5: Protection Strategies" on page 78. For a demonstration of howthe Sentinel Licensing API works, use Sentinel LDK ToolBox.

Function Groups

Sentinel Licensing API functions are categorized into five groups, based on common functionalityand linkage.

n Session functions

n Encryption/Decryption functions

n Memory functions

Sentinel Licensing API Functionality 56

57 Chapter 3: Sentinel Licensing API Protection

n Time functions

n Management functions

Session Functions

A session is created by executing a successful login call to a license residing in a specificSentinel protection key. For more information about logging in, see "Login Options" on page 55.At the end of a session, use the logout function to close the session.

Encryption Functions

You can encrypt or decrypt data buffers using the AES-based encryption engine in theSentinel protection key. The encryption engine uses symmetric encryption. This means that thesame encryption key is used later to decrypt the data buffer.

Memory Functions

Use the memory to store data to be used by the application at run-time, and information that canbe used later to verify and identify an end-user. Control of access to sensitive data forms anintegral part of your protection scheme.

The Sentinel Licensing API can be used to:

n Read data buffers stored in the Sentinel protection key memory

n Write data buffers to the Sentinel protection key memory

The size of the data buffers is restricted by the memory available in the specific Sentinel protectionkey type. For information about the memory capacity of the available Sentinel protection keys,refer to the relevant product data sheet.

Time Functions

If you are using a Sentinel HL Time key or Sentinel HL NetTime key, the Sentinel Licensing API canbe used to access the real-time clock in the key. This functionality enables you to read the time.Two date and time conversion functions are included in the Sentinel Licensing API.

Management Functions

The Sentinel Licensing API includes functions that enable you to retrieve information on thesystem components, the current login session, the status of a deployed Sentinel protection key,and license updates.

When using Sentinel SL keys, the transfer function enables you to:

n detach a license from a pool of network seats

n rehost a protection key from one computer to another at the customer site.

You can also use the hasp_update function to install updates. You do not need to be logged in toa session in order to perform this function. For additional information, see the help system for theSentinel Licensing API or the Sentinel LDK ToolBox.

Chapter 4:Sentinel LDK Envelope Protection

This chapter describes software protection using Sentinel LDK Envelope.

In this chapter:

n "Functionality" on page 58

n "Sentinel LDK Envelope for Windows" on page 62

n "Accessing and Encrypting Data Files for Windows Programs" on page 65

n "Protecting .NET Assemblies" on page 67

n "Sentinel LDK Envelope for Linux Applications" on page 73

n "Sentinel LDK Envelope for Mac Binaries" on page 74

n "Sentinel LDK Envelope for Java Executables" on page 75

FunctionalitySentinel LDK Envelope is a wrapping application that protects your applications with a secureshield. This application offers advanced protection features to enhance the overall level of securityof your software.

Sentinel LDK Envelope protects Win32, Windows x64, and .NET executables and DLLs, and Javaexecutables—providing a means to counteract reverse engineering and other anti-debuggingmeasures.

Sentinel LDK Envelope can also be used to protect Mac executables and dynamic shared libraries(Mach-O), and Linux executables and shared objects. For more information, see "Sentinel LDKEnvelope for Mac Binaries" on page 74, and see "Sentinel LDK Envelope for Linux Applications" onpage 73.

The word program is used throughout this chapter as a generic reference to the variousfile types that can be protected using Sentinel LDK Envelope, regardless of whether theyare executables, binaries, assemblies, libraries or shared objects.

By using Sentinel LDK Envelope to protect your software, you establish a link between theprotected software and a Sentinel protection key. This link is broken whenever the protectedsoftware cannot access the required Sentinel protection key.

4

59 Chapter 4: Sentinel LDK Envelope Protection

Implementing Sentinel LDK Envelope protection is the fastest way to secure your software withoutrequiring access to your software source code.

Sentinel LDK Envelope provides both graphical user interface (GUI) and command-line utilityoptions. The graphical interface enables you to:

n Protect Windows and .NET executables and DLL files, and Java executables

n Enhance the protection of .NET and Java executables by defining Method-level protection

n Protect Mac Mach-o binaries

n Protect 32-bit and 64-bit Linux executables and shared objects

n Define a variety of global protection parameters for your program

n Specify a Vendor Code to authenticate the presence of a specific Sentinel protection key

n Customize the run-time messages that will be displayed to end users running protectedprograms

In addition to linking protected programs to a specific Sentinel protection key, Sentinel LDKEnvelope wraps the application file with numerous protection layers that are randomly assembled.

The random multi-layer wrapping of protected applications by Sentinel LDK Envelopeensures that implemented protection strategies differ from one protected program toanother.

Command-line utilities enable you to protect:

n Win32, Windows x64, and .NET executables and DLL files

n Java executables

n 32-bit and 64-bit Linux executables and shared objects

n Mac binaries

The command-line utilities also enable you to easily apply protection parameters that weredefined using the Sentinel LDK Envelope GUI. This simplifies the process of reapplying protectionparameters to your program during the development process.

Basic Protection Workflow

This section provides a workflow that describes the elements of protecting applications usingSentinel LDK Envelope. Additional information about specific procedures is provided in theSentinel LDK Envelope help system.

1. Launch the Sentinel LDK Envelope graphical interface from Sentinel Vendor Suite.

2. Add the executable, library, or .NET assembly you want to protect to the project.

3. Define protection parameters for the protected program.

4. Protect the program.

5. Distribute the protected software together with your encrypted Sentinel protection keys.

Sentinel LDK Envelope does not affect the files being protected. However, it is highlyrecommended that you designate a separate output folder for the protected application inorder to distinguish between source (unprotected) and output (protected) files.

Sentinel LDK Envelope protection involves the application of protection parameters that arecontrolled by the engines running Sentinel LDK Envelope. You apply these parameters to anunprotected source.

Sentinel LDK Envelope does not affect the original files or the way a protected application actuallyworks. The only modification is that user access is conditional on the presence of a requiredSentinel protection key. If the Sentinel protection key is present, the protected file runs.

The logic of Sentinel LDK Envelope protection is illustrated in the following diagram. Note that theoriginal file can be a Win32, or Windows x64 executable or DLL; a Windows .NET assemblyexecutable or dynamic library; a Java executable; a Linux executable or shared object; or a Macbinary.

To ensure the highest level of security for your software, Sentinel LDK Envelope for Win32removes debugging data from the programs that it is protecting.

It is recommended that Linux software engineers strip extraneous symbols from the executableprior to protecting with Sentinel LDK Envelope.

Required and Optional Protection Parameters

This section outlines the mandatory and customizable parameters that can be specified forprotecting software with Sentinel LDK Envelope.

Mandatory Parameters

The following information must be provided in order to protect software using Sentinel LDKEnvelope:

n Input file location: You must specify the location of the program that you want toprotect. By default, this is the directory from which you added the program to theproject.

n Output file location: You must specify the directory where the protected output will besaved. By default, the directory is

[user’s home directory]\SafeNet\Sentinel LDK 7.0\VendorTools\VendorSuite\Protected

Functionality 60

61 Chapter 4: Sentinel LDK Envelope Protection

n Vendor Code: You must provide a valid Vendor Code in order to access aSentinel protection key. On initial activation of Sentinel LDK Envelope, the default VendorCode is specified as DEMOMA. Select your Vendor Code in the Sentinel Vendor Codescreen.

This information is sufficient to protect a program.

General Customizable Parameters

The customizable parameters described in this section are identical for all supported applications,assemblies and dynamic libraries.

n Feature ID: You can select a unique Feature to protect your program. For additionalinformation about Features, see "Using Features to Protect Programs" on page 61.

n Protection key search mode: You can determine where a protected program searches forthe Sentinel protection key. For additional information, see "Searching for aSentinel protection key" on page 61.

When enabling or disabling some features you might reduce the level of protectionprovided by the software.

Searching for a Sentinel protection key

Sentinel LDK Envelope enables you to determine where a protected application searches for arequired Sentinel protection key.

The following options are available:

n Local and remote: The protected application first searches the local machine for arequired Sentinel protection key (default), and then the network.

n Local only: The protected application searches only the local computer for a requiredSentinel protection key.

n Remote only: The protected application searches only the network for a requiredSentinel protection key.

Using Features to Protect Programs

A Feature is an identifiable functionality of a software application. Features may used to identifyentire executables, software modules, .NET or Java methods, or a specific functionality such asPrint, Save or Draw. Each Feature is assigned unique identifier called a Feature ID. The defaultFeature ID in Sentinel LDK Envelope is Feature ID 0.

For additional information on Features and licensing, see "Identifying Functional Components(Features) " on page 100 and "Managing Features " on page 109.

When you protect a Win32, Windows x64, Mac or Linux application with Sentinel LDK Envelope,you specify a single Feature ID for the entire executable. If you wish to apply unique Features toseparate components or functionalities, you must use the Sentinel Licensing API. For additionalinformation, see "Chapter 3: Sentinel Licensing API Protection" on page 50.

Protecting .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you have the flexibility to specifyFeatures at two levels:

n A global Feature that relates to the entire .NET assembly, with the exception ofindividually-protected methods. For additional information, see "Global Features in .NETAssemblies" on page 68.

n Method-specific Features. For additional information, see "Method-specific Features andParameters in .NET Assemblies" on page 69.

At run-time, a protected .NET assembly searches for all Features in the Sentinel protection key.

Sentinel LDK Envelope for WindowsThis section describes how to use Sentinel LDK Envelope on Windows platforms.

Prerequisites for Windows

To use Sentinel LDK Envelope, all of the following components must be installed on your system:

n Sentinel LDK Run-time Environment

n Sentinel Vendor Suite

n A valid Vendor Code stored in the VendorCodes folder. For additional information, see"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.

n dfcrypt.exe (if you are planning to encrypt data files by means of a command line)

n The Win32, Windows x64, .NET or Java executables or DLLs that you want to protect

n .NET Framework 2.0 or later (if you are protecting .NET assemblies)

Running Sentinel LDK Envelope

In the Start menu, select Programs > SafeNet Sentinel > Sentinel LDK > Vendor Suite. From theSentinel Vendor Suite program selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope Protection Parameters

After your program has been included in a Sentinel LDK Envelope project, protection can beperformed effortlessly, based on the default Sentinel LDK Envelope settings. In addition, you candefine and calibrate a range of protection parameters that affect the attributes and behavior ofthe protected program.

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific program in the Project pane and,from the Protection Details screen, view and edit the application’s parameters using the followingthree tabs:

Sentinel LDK Envelope for Windows 62

63 Chapter 4: Sentinel LDK Envelope Protection

n General tab

n Advanced tab

n Protection Settings tab

All parameters are detailed in the Sentinel LDK Envelope help system.

This section provides an overview of the Sentinel LDK Envelope protection settings that arecommon to all program types. Mandatory parameters that are required in order to protect aprogram are described in "Mandatory Parameters" on page 60. Other common parameters aredescribed in "General Customizable Parameters" on page 61.

Sentinel LDK Envelope also provides settings that are specific to the type of program protected.

n For additional information about settings for Win32 or Windows x64 programs, see"Protecting Windows Programs" on page 63, and "Accessing and Encrypting Data Files forWindows Programs" on page 65.

n For additional information about settings for .NET assemblies, see "Protecting .NETAssemblies" on page 67, and "Code and Symbol Obfuscation in .NET Assemblies" on page71.

n For additional information about settings for Java executables, see "Protecting JavaExecutables" on page 77.

Protecting Windows Programs

When you protect a Windows program with Sentinel LDK Envelope, you can determine protectionattributes and aspects of the behavior of the protected program.

Protected Program Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Win32 andWindows x64 programs:

n The frequency at which random queries are sent to a Sentinel protection key. Thesequeries include random encryption and decryption procedures.

n The time interval between checks for the presence of a required Sentinel protection key.

n Whether support for programs that require overlays to execute correctly should beenabled.

n The length of time that the protected application waits for the Sentinel LDK Run-timeEnvironment to load.

Protection Attributes

You can define specific security attributes for protected Win32 and Windows x64 programsincluding parameters for:

n Detection of both system and user-level debugging measures. You can activate measuresto be undertaken by the Sentinel LDK system to block potential attacks intended toundermine the protection scheme.

n Specifying the frequency of Sentinel protection key access for encryption. The parametercontrols the compactness of the Sentinel protection key calls made by the protectedapplication.

Enhancing Protection With "AppOnChip"

Sentinel LDK Envelope incorporates AppOnChip protection to significantly increase the security ofan application that is protected with a Sentinel HL (Driverless configuration) key.

Currently, the following limitations apply for the application to be protected using AppOnChip:

n Windows 32-bit applications only

n EXE files only (no DLL support)

n Native binaries only (.NET assemblies are not supported)

An application that is protected using AppOnChip is not compatible with Sentinel SL keysor with any HL keys other than Sentinel HL (Driverless configuration) keys.

During the protection process, AppOnChip uses a code transformation engine to analyze theapplication code. AppOnChip uses the map file provided with the application code to identify thefunctions contained in the code. AppOnChip determines which functions are eligible to beexecuted by the virtual machine in the Sentinel HL key. The eligible functions are listed in a tableon the AppOnChip tabbed page in the Sentinel Envelope interface.

(In addition to functions identified using the map file, if eligible exported functions are found inthe application code, they will be included in the list of eligible functions.)

You examine the list of eligible functions and select the functions that you want AppOnChip toprotect.

When Envelope generates the protected application, AppOnChip automatically extracts the codeor code segments for selected functions from the protected binary of the application and replacesthe extracted code with a placeholder. The extracted code is encrypted and signed with a vendor-specific sign key, and saved in a separate binary.

Note that protection process is fully automatic. It is not necessary for you to make any changes toyour application code to accommodate this process.

At run-time, when the application calls one of the protected functions, the encrypted functioncode is uploaded to the Sentinel HL key. Within the key, the code is decrypted and loaded into avirtual machine. Once loaded, the code is executed by the virtual machine. The output of the codeis passed back to the protected application through the placeholder that was inserted into thefunction during the protection process.

As a result of this process, protected functions are never exposed in any manner that wouldenable a cracker to analyze or disassemble the code.

For more information regarding the AppOnChip functionality, see the Sentinel LDK Envelope helpsystem.

Sentinel LDK Envelope for Windows 64

65 Chapter 4: Sentinel LDK Envelope Protection

Accessing and Encrypting Data Files for Windows Programs

If your protected program (Win32 or Windows x64) accesses separate data files, you can useSentinel LDK to protect these files, in addition to Sentinel LDK Envelope-protection of the programitself, as follows:

n You can control if and when the protected program accesses such data files. Foradditional information, see "Data File Handing" on page 65.

n You can apply Sentinel LDK encryption to the data files. For additional information, see"Encrypting Data Files" on page 65.

Data File Handing

Your protected Windows program may require access to data files during run-time. Sentinel LDKEnvelope enables you to control the access of data files by the protected software. Sentinel LDKEnvelope offers the following control mechanisms:

n Data filters: You can determine what file types can be accessed at run-time by theprotected software. You can also determine what files to exclude.

n Data encryption keys: Eight printable characters used to create an encryption key forencrypting and decrypting data files.

Use the same encryption key when multiple applications access the same document set.

Sentinel LDK Envelope includes the data filters and encryption key information as part of theprotection scheme applied to the protected application. The encryption of data files is handled bythe Sentinel LDK Data Encryption utility. For additional information, see "Chapter 6: Working withthe Sentinel LDK Data Encryption Utility" on page 84. Alternatively, you can use a command-lineutility. For additional information, see "Using dfcrypt.exe" on page 66.

Setting Data File Filters

Sentinel LDK Envelope enables you to create file filters for protected Windows programs. File filtersdetermine which data files and data file types can work in conjunction with protected programs.For more information, see the Sentinel LDK Envelope help system.

Run-time User Support

You can customize run-time messages for end users who are using applications protected bySentinel LDK Envelope. Sentinel LDK Envelope includes a set of message codes. Each code is mappedto a corresponding message that is displayed at run-time of the protected application.

In addition, you can choose to display a message for end users during startup of a protectedapplication that explains there may be delays due to required data decryption.

Encrypting Data Files

Windows programs protected with Sentinel LDK Envelope can access encrypted data files that aredefined by data filters and use a specific encryption key. Sentinel LDK Envelope itself does notencrypt data files. However, you can encrypt data files using the Data Encryption Utility interface,or you can use the dfcrypt.exe command-line utility. For additional information about using theData Encryption Utility interface, see "Chapter 6: Working with the Sentinel LDK Data EncryptionUtility" on page 84.

Using dfcrypt.exe

Instead of using the Data Encryption utility, you can use a command-line utility to encrypt datafiles. The dfcrypt.exe utility generates data files that can be processed by executables protectedby Sentinel LDK Envelope.

The command-line utility requires a specific set of input parameters to function. After theseparameters have been applied to a defined set of data files, the encrypted files can be accessed bySentinel LDK Envelope.

To use dfcrypt.exe, specify the following:

n A command switch

n A list of source files and directories

n A destination for the encrypted output

When specifying multiple source files or a directory, the destination input specified must be anexisting directory.

The following format must be used to input parameters:dfcrypt<option> source destination

For example:

dfcrypt -c:demoma.hvc -k:4873Asdb data.txt data_crypt.txt

Available dfcrypt.exe Commands

The following table lists the available dfcrypt.exe commands.

Command Action

-e, --encrypt Encrypts data, available by default

-d, --decrypt Decrypts data

-c, --vcf:<file> Specifies a Vendor Code file (mandatory)

-k, --key:<key> Specifies an encryption key to be used to encrypt data files. Must contain 8printable characters (mandatory)

-o, --overwrite Overwrites destination files

-r, --recursive Enables recursive handling of subdirectories

-h, --help Displays the help screen, listing dfcrypt.exe commands

-q, --quiet Suppresses output by excluding copyright information and the progressindicator. Only error messages are displayed. This is particularly useful inMakefile integration.

Running Sentinel LDK Envelope from a Windows Command-line

Sentinel LDK Envelope can be initiated using a command-line prompt. This is useful when runningautomated processes that do not require a graphical interface.

Sentinel LDK Envelope for Windows 66

67 Chapter 4: Sentinel LDK Envelope Protection

The command-line version of Sentinel LDK Envelope is primarily used for automatedprocesses. Before running the command-line utility, create and save protection projectsusing envelope.exe.

To access the command-line version of Sentinel LDK Envelope, go to …\Program Files\SafeNetSentinel\Sentinel LDK\VendorTools\VendorSuite\envelope.com

(For Windows x64, go to \Program Files (x86)\...)

To start the command-line version of Sentinel LDK Envelope, type ENVELOPE in the command line.

Command-line Options

The following parameters are available for use with the Sentinel LDK Envelope command-lineversion:

Command Description

-h /--help Displays the list of command-line parameters. Press Enter to return tothe command-line console.

-p /--protect <project> The command-line utility uses the specified project as input data forthe application-wrapping process—all the files included in the projectare protected.

<project> The command-line version starts the GUI version with the specifiedproject running as the current project.

-a / --accesscode<code><project>

Specifies the access code for the connected Sentinel Vendor key. Thisswitch is only required if an access code has been specified using theMaster wizard.

Protecting .NET AssembliesSentinel LDK Envelope provides significant flexibility when protecting .NET assemblies. In additionto global protection settings that you specify using the Protection Details and ProtectionTemplate Settings functionalities, you can also specify Method-level protection, by definingindividual methods in the .NET assembly.

You can also define protection settings in your source code using custom attributes.

For details about the prerequisites for protecting a .NET assembly, and other considerations totake into account, see ".NET Considerations" on page 68.

When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature thatprotects the entire assembly. For additional information, see "Global Features in .NET Assemblies"on page 68.

In addition to the global Feature, you can define Features for individual methods. You can alsodefine other method-specific parameters. For additional information, see "Method-specificFeatures and Parameters in .NET Assemblies" on page 69.

You can also apply different levels of obfuscation to your .NET assembly. For additional information,see "Code and Symbol Obfuscation in .NET Assemblies" on page 71.

.NET Considerations

When protecting .NET assemblies, consider the following issues:

n You must protect your assemblies in a development environment. Sentinel LDK Enveloperequires libraries that are not part of the .NET framework, but are included in thedevelopment environment.

n Sentinel LDK Envelope for .NET requires access to all assemblies and their dependencies.

n Sentinel LDK Envelope breaks the strong name signature of signed assemblies. You canchoose to re-sign the assembly in Sentinel LDK Envelope, as part of the protectionprocess.

n When you protect a .NET Framework 1.x assembly, the Sentinel LDK Envelope output is inFramework 2.0, requiring Framework 2.0 to be installed on the end-user machine.

n For your protected .NET assembly to function at run-time, a Sentinel LDK DLL is required.For more information, see "Protection-related Software" on page 156.

Global Features in .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature thatprotects any methods that have not had individual protection parameters applied. The globalFeature is also used when background checks are implemented.

Method-level Protection

When you select a .NET assembly for protection, Sentinel LDK Envelope automatically determinesthe Protection type that will provide the best protection for your program, depending on whetheryou are protecting an executable or a DLL. The Protection type determines the methods that areavailable for individual protection.

It is recommended that you do not change the automatic Protection type settings.

This section describes how you select individual methods and the behavior of different methodtypes, in addition to the parameters you can select for the methods.

Selecting .NET Methods for Protection

The .NET assembly is displayed in the Protection Details screen, in the Methods selected forprotection list. The list displays class constructors and methods, in a tree layout that mimics thestructure of the .NET assembly.

Items in the list are identified by icons that indicate the method type, and by the class or methodname. Method signatures are displayed as a tool tips.

When the check box to the left of a method is selected, that method is selected for Sentinel LDKEnvelope protection.

n Selecting or clearing the check box of a higher-level item does not affect nesteditems. For example, if you clear the check box of a class constructor, methods

Protecting .NET Assemblies 68

69 Chapter 4: Sentinel LDK Envelope Protection

nested under it remain selected.

n When a method name is grayed-out, it cannot be selected for protection.

n If the Protection type is Only Win32 shell or Only Windows x64 shell, youcannot protect individual methods in that .NET assembly.

n An assembly cannot be protected when the check boxes for all items in the listhave been cleared.

Method-specific Features and Parameters in .NET Assemblies

You can use Sentinel LDK Envelope to define separate Feature IDs for individual methods inyour .NET assembly. This enables you to:

n Make use of the separate encryption key inherent in each Feature to provide enhancedsecurity for individual methods

n Determine how often the protected program logs into an individual method

At run-time, the protected program searches for all relevant Feature IDs in the Sentinel protectionkey.

You can determine how often the protected program logs into each Feature ID in theSentinel protection key and performs decryption using that Feature ID by specifying the Frequencyfor specific methods.

n You can only specify the Feature ID and Frequency for methods that have beenselected for protection.

n If the Protection type is Only Win32 shell or Only Windows x64 shell, youcannot specify a Feature ID or Frequency for individual methods.

n You can select multiple methods and specify the same Feature ID and Frequencyfor all selected items.

The available Frequency options are described in the following table:

FrequencyType

Description

Once perprogram(Default)

A check is performed the first time a method using the Feature ID indicated for thatmethod is called, regardless of the number of methods that share the sameFeature ID across the program.

Once perclassinstance

A check is performed when the method is run, once for each Feature ID within thesame class.If the same Feature ID is also assigned to the class constructor, the check isperformed the first time the .ctor method is run.If the same Feature ID is used in other classes, the check is performed separatelyfor each class.

The Once per class instance frequency is available only for Instancemethods.

FrequencyType

Description

Every time A check is performed every time the method is called

Recommendations:

n Use the Once per Application default setting. The Once per Instance and Every timesettings may slow the performance of your program.

n If a counter-based license is being defined, use the Every time setting only for the methodthat determines licensing, as the counter is decremented every time the method is called.

If you choose to assign separate Feature IDs for individual methods, you must ensure that yourapplication code can only call the Feature IDs for those methods for which a valid license has beeninstalled in a Sentinel protection key.

If methods that do not have a valid license in a Sentinel protection key are called, it will causeSentinel LDK Envelope to generate an error loop that can only be stopped by installing a validlicense.

An API is provided as part of the Sentinel LDK installation that enables you to ensure that the errorloop does not occur. The API is located in …\Program Files\SafeNetSentinel\Sentinel LDK\Samples\Envelope\EnvelopeRuntime.NET. (For Windows x64, go to \ProgramFiles (x86)\...)

To use the API

To prevent an error loop occurring if a method for which a license has expired or does not exist,register a NotificationDelegate handler, as follows:

1. Include the Aladdin.HASP.EnvelopeRuntime assembly in your source code.

2. Select one of the following handlers, depending on the behavior that you require when thehandler is invoked.

EnvelopeRuntimeStatus.StatusThrowException Discontinue execution path by throwing anexception

EnvelopeRuntimeStatus.StatusReturnNothing Discontinue execution path by returning a nullreference (Nothing)

EnvelopeRuntimeStatus.StatusAlertAndRetry DefaultDisplay message box that asks the user for thelicense, then retry.

EnvelopeRuntimeStatus.StatusRetry Transparently retry

The NotificationDelegate handler will be invoked whenever the Sentinel LDK Envelope run-time cannot decrypt a protected method. It will also receive the appropriate Sentinel LDK errorstatus code. You can use this information in your own “license required” error message,instructing your user to abort or retry their action.

Protecting .NET Assemblies 70

71 Chapter 4: Sentinel LDK Envelope Protection

Code and Symbol Obfuscation in .NET Assemblies

Obfuscation is the process of turning meaningful strings into random strings of letters ornumbers. Using Sentinel LDK Envelope, you can apply obfuscation as an anti-reverse engineeringsecurity measure.

By default, all symbol names in the protected .NET assembly are obfuscated as part of theprotection process. In addition, you can choose to obfuscate the entire code of a selectedmethod. Since code obfuscation may slow the performance of your program, it is not selected bydefault.

You can apply Code obfuscation to a method regardless of whether it is selected for protection inthe Methods selected for protection list.

Defining Sentinel LDK Envelope Protection Settings in Source Code

Instead of specifying your protection settings using the Sentinel LDK Envelope GUI, you can usethe .NET framework custom attributes for the Aladdin.HASP.Envelope assembly to adddefinitions directly to your source code.

The custom attributes can be applied to assemblies, classes, and methods. Protection settings inyour source code are processed according to hierarchy, in descending order of method, class, andassembly.

Protection settings that are defined in your source code override settings already specified in theSentinel LDK Envelope GUI, and you cannot use the GUI to edit the settings once they have beenintegrated in your code. However, you can use the GUI to view the protection settings that havebeen specified in your code.

To use the custom attributes, you must include the Aladdin.HASP.Envelope assembly in yourproject.

Aladdin.HASP.Envelope.dll is not required for protected assemblies and does not haveto be distributed to your customers.

Using the custom attributes, you can define the following protection settings:

Name Description Type Default Value

Protect Protect this method bool true

FeatureId Feature ID to be used forprotection

int -1 (global Feature)

Encrypt Encrypt this method bool true

CodeObfuscation

Obfuscate complete code forthis method

bool false

Frequency When license for method is tobe checked

EnvelopeMethodProtectionFrequency

CheckOncePerApplication

Sample

The following sample shows how protection settings can be applied in source code. The sourcecode comments are italicized.

using System;using Aladdin.HASP.Envelope;

/// do not protect any methods in this assembly[assembly: EnvelopeMethodProtectionAttributes(Protect=false)]namespace MyProgram{

/// methods in this class do not get protected, because protection/// settings are inherited from assemblyclass MyExample{

/// this method does not get protectedstatic void Main(string[] args){

Console.WriteLine("{0} + {1} = {2}", 3, 4, MyClass.Add(3, 4));Console.WriteLine("{0} * {1} = {2}", 3, 4, MyClass.Multiply(3, 4));

}}

/// protect all methods in this class with Feature ID 0[EnvelopeMethodProtectionAttributes(Protect=true, FeatureId=0)]class MyClass{

/// protect the Add method using Feature ID 1, obfuscate the code,/// check the license everytime this method is invoked[EnvelopeMethodProtectionAttributes(Protect=true, FeatureId=1, Encrypt=true,

CodeObfuscation=true, Frequency=EnvelopeMethodProtectionFrequency.CheckEveryTime)]

public int Add(int a, int b){

return a + b;}

/// protection settings for this method are inherited from the settings of the classpublic int Multiply(int a, int b){

return a * b;}

}}

Additional Sentinel LDK Envelope .NET API Information

n The protection definitions and defaults are based on those provided in the Sentinel LDKEnvelope GUI

n By default, static methods and methods that have a very small footprint are notprotected. To protect these methods, you must specify the protection settings at methodlevel in your source code.

Protecting .NET Assemblies 72

73 Chapter 4: Sentinel LDK Envelope Protection

Sentinel LDK Envelope for Linux ApplicationsSentinel LDK Envelope protection can be implemented for Linux executables and shared objectsusing a command-line utility.

Sentinel LDK Envelope Prerequisites for Linux

To use the Sentinel LDK Envelope utility, all of the following components must be installed on yoursystem:

n Sentinel LDK Run-time Environment

n Sentinel Vendor Suite, containing the Sentinel LDK Envelope command-line utility for Linuxand the Master wizard

n A valid Vendor Code stored in the VendorCodes folder. For additional information, see"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.

n The Linux executables and shared libraries that you want to protect. Both x86 and x86_64ELF executables and shared libraries are supported.

Protecting Linux Applications

You protect Linux applications by:

1. Defining and storing protection parameters in a Sentinel LDK Envelope configuration file

2. Accessing the Linux project file during the protection session

Sentinel LDK Envelope can be used on a 32-bit or 64-bit platform to protect both 32-bit and64-bit executables and shared objects.

Parameter Description

-c <config filename> Mandatory parameter for the name of the configuration file

-i <input filename> Optional parameter pointing to the input executable contained inthe application file bundle

-o <output filename> Optional parameter pointing to the output executable contained inthe application file bundle

-v <vendor code filename> Optional parameter for the Vendor Code used by the protected fileto access a required Sentinel protection key

-m <messages filename> Optional parameter for the file containing the definitions formessages displayed to end users at run-time

Sentinel LDK Envelope configuration parameters are detailed in Envelope Project Settings forLinux.pdf, available in the Docs folder in the Sentinel LDK for Linux installation and on theSentinel LDK installation DVD.

For Linux applications that were protected using Sentinel LDK Envelope: The installer forthe protected application should determine if libXaw libraries are present on the end user'scomputer and, if not, install them.

Activating Sentinel LDK Envelope on Linux

After protection parameters are defined and stored in the Sentinel LDK Envelope configuration file,you activate Sentinel LDK Envelope using one of the following methods:

1. Using the command-line utility, specify the mandatory Sentinel LDK Envelope parameters,then run Sentinel LDK Envelope using the default settings.

2. Open the Sentinel LDK Envelope configuration file and edit the settings as required. Usingthe command-line utility, program the utility to parse the Sentinel LDK Envelopeconfiguration file, then run Sentinel LDK Envelope. The configuration file is calledenvconfig.cfgx

When running the Sentinel LDK Envelope command-line utility, use either the command-line switches, or the configuration file.

Overwrite Parameters for Configuration File

Several parameters defined in the configuration file can be overwritten by the optional argumentslisted in the following table.

Parameter Description

-v --vcf:<filename> Vendor Code file

-f --fid:<id> Feature ID. If no Feature ID is specified, default Feature ID will be used.

-b --bgchk:<time> Enables background checks. Time is in seconds. (0 = off, default = 300)

-e --enclevel:<level> Encryption level. (1–5, default = 4)

-c --cfg:<file> Sentinel Envelope configuration file for Linux

-m --msg:<file> Message file

-m --msg-out:<val> The message output mode at run-time.n 0 = no message outputn 1 = GUIn 4 = consolen 5 = GUI and console (default = 1)

-m --wchar Writes run-time errors as wide character strings. Required when youspecify that messages will be output to a console (values 4 or 5 in theprevious switch).

-h --help Displays help screen

-q --quiet Specifies that only error and warning messages are displayed

Sentinel LDK Envelope for Mac BinariesSentinel LDK Envelope for Mac enables you to protect Mach-O executables and dynamic libraries(referred to as binaries). Both GUI and command-line versions of the application are available.

Sentinel LDK Envelope for Mac Binaries 74

75 Chapter 4: Sentinel LDK Envelope Protection

Before using Sentinel LDK Envelope for Mac, it is recommended that you familiarize yourself withthe general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that isprovided at the beginning of this chapter.

Sentinel LDK Envelope Prerequisites for Mac

To use the Sentinel LDK Envelope utility, all of the following components must be installed on yoursystem:

n Sentinel LDK Run-time Environment

n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master wizard

n A valid Vendor Code stored in the VendorCodes folder. For additional information, see"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.

n The Mac binaries that you want to protect

Running Sentinel LDK Envelope for Mac

Navigate to the location in which Sentinel LDK is stored. Select MacOS > VendorTools >VendorSuite > Envelope. Sentinel LDK Envelope is launched.

To access the command-line version of Sentinel LDK Envelope, go to:...\MacOS\VendorTools\VendorSuite\envelope_darwin

Type envelope_darwin -h in the command line to start the command-line version of Sentinel LDKEnvelope.

Sentinel LDK Envelope for Mac Protection Parameters

After your Mac executable or dynamic library has been included in a Sentinel LDK Envelopeproject, protection can be performed effortlessly, based on the default Sentinel LDK Envelopesettings. In addition, you can define and calibrate a range of protection parameters that affect theattributes and behavior of the protected binary.

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific binary in the Project pane and,from the Protection Details screen, view and edit the binary’s parameters using the followingthree tabs:

n General tab

n Advanced tab

n Protection Settings tab

All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Sentinel LDK Envelope for Java ExecutablesSentinel LDK Envelope for Java enables you to protect JAR and WAR executables. Before usingSentinel LDK Envelope for Java, it is recommended that you familiarize yourself with the general

Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is provided at thebeginning of this chapter.

Protection of your software is performed on a Windows machine, after which you distribute theprotected software together with the appropriate Java run-time libraries for the end-useroperating system—Windows, Mac, or Linux.

Java applications that have been obfuscated, or protected using third-party tools, are notsupported by Sentinel LDK Envelope.

Java Considerations

When protecting Java executables, consider the following issues:

n The methods selected for protection by Sentinel LDK Envelope by default are not theoptimal choices for your application or library. You must review and modify the list ofselected methods to provide the best mix of security and performance. For moreinformation, see the description of optimizing protection settings in the Sentinel LDKEnvelope help system.

n Sentinel LDK Envelope does not support protection of Java paint methods, but it allowsyou to select them in the user interface. As a result, the protected program may cause adeadlock when it executes a protected paint method at runtime with noSentinel protection key connected. To prevent this issue from occurring, you can deselectall paint methods. Note that paint methods do not usually contain application logic;therefore, deselecting them typically has no impact on security. As an alternative, you canselect console output for messages by enabling stderr output instead of windows in theAdvanced settings panel.

n When you test Sentinel LDK Envelope for the first time with your application, it isrecommended that you clear the default selection and start with the protection of a singlemethod that you want to protect. After you protect the method, test your application. Ifthe application works as expected, continue to protect additional methods and test aftereach addition until you have reached the desired protection selection for the application.Do not try to apply this selection to different applications.

Sentinel LDK Envelope Prerequisites for Java

To use the Sentinel LDK Envelope for Java engine, all of the following components must beinstalled on your system:

n The Java JRE or JDK must be installed

n Sentinel LDK Run-time Environment

n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master wizard

n A valid Vendor Code stored in the VendorCodes folder. For additional information, see"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.

n The JAR or WAR executables that you want to protect

Sentinel LDK Envelope for Java Executables 76

77 Chapter 4: Sentinel LDK Envelope Protection

Before your JAR/WAR archive is protected, include the following customized Sentinel Licensing APIdynamic libraries with the archive:

Operating System Customized Sentinel Licensing API Dynamic Libraries

Windows (32/64-bit) hasp_windows_****_<vendorId>.dll

Mac OSX hasp_darwin_<vendorId>.dylib

Linux (32/64-bit) libhasp_linux_***_<vendorId>.so

During protection of the Java applications, Sentinel LDK Envelope copies these librariesautomatically to the output directory.

For your protected Java executables to function at run-time, one or more Sentinel LDK DLLs arerequired. For more information, see "Protection-related Software" on page 156

Running Sentinel LDK Envelope for Java Engines

In the Start menu, select SafeNet Sentinel > Vendor Suite. From the Sentinel Vendor Suiteprogram selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope for Java Protection Parameters

After your Java executable has been included in a Sentinel LDK Envelope project, protection can beperformed, starting from the default Sentinel LDK Envelope settings. In addition, you can defineand calibrate a range of protection parameters that affect the attributes and behavior of theprotected file.

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific Java executable in the Projectpane and, from the Protection Details screen, view and edit its parameters using the availabletabbed pages.

Protecting Java Executables

When you protect a Java executable with Sentinel LDK Envelope, you can determine protectionattributes and aspects of the behavior of the protected program.

Protected Program Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Javaexecutables:

n The compression level of protected classes.

n The time interval between checks for the presence of a required Sentinel protection key.

All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Chapter 5:Protection Strategies

Sentinel LDK provides the best hardware and software tools available in the market today. Thecontribution that Sentinel LDK can make to the protection of your software and intellectualproperty has already been well documented in the previous chapters. However, it is the strengthand sophistication of the strategies that you employ in partnership with Sentinel LDK that willtruly maximize your software protection.

In this chapter:

n "Overview" on page 78

n "General Protection Guidelines" on page 79

n "Types of Attack and Their Sentinel LDK Defense" on page 80

OverviewParallel with advances in software and software security development, software crackers aredeveloping more sophisticated means of deconstructing software protection measures—in orderto duplicate and distribute illegal copies of unlicensed software—and to reverse engineer code inorder to steal intellectual property.

To maintain the rights to your revenue stream, it is essential that you remain vigilant about thestrategies of your “enemies”, and that you continually and wisely implement the latest andstrongest techniques for protecting your software.

The degree of investment that you make in limiting the ability of software crackers to illegallyaccess your software will depend on a number of considerations, including:

n The value of your software

n The history of previous cracking attempts related to your software

n The geographical region in which your software will be distributed

n The target market for your software (for example, whether it is intended to be sold toindividual consumers, small office/home office users, or enterprise users)

There is no software protection that is absolutely uncrackable. However, if you constantlyimplement up-to-date strategies using the strongest software protection methods, yousignificantly decrease your vulnerability to such attacks.

5

79 Chapter 5: Protection Strategies

This chapter describes general protection strategies for software vendors. It then outlines some ofthe methods that software crackers employ in order to identify and negate software protectionand security, and recommends Sentinel LDK measures that you can use to enhance your softwaresecurity.

In addition to the information described in this manual, our team of SafeNet Consultants providespersonalized assistance in strengthening software security and protection. They can provide helpon a wide range of issues, including additional protection strategies and implementationtechniques.

For information on consultation services offered by SafeNet, contact your local SafeNetrepresentative.

General Protection GuidelinesThe following guidelines should be followed, regardless of the software protection strategies beingimplemented.

SafeNet thoroughly and constantly investigates potential and actual threats to software security,and Sentinel LDK is continuously being updated to counter such threats—before they cancompromise the security of your software.

Use the Most Up-to-date Protection Software

Protection software updates generally include enhancements to counter the most recent threats.Always check for and use the most recent version of Sentinel LDK protection software that isavailable. The latest software can be downloaded from the Sentinel Web site, at www.safenet-inc.com/SentinelLDK/InstallationDVD.

Constantly Re-evaluate Protection Strategies

Frequently consider what protection strategies you can upgrade or enhance to provide strongersecurity for your software.

Use Evolving Strategies to Prevent Predictability

Vary the strategies that you implement between your software releases. If a software cracker isable to detect a pattern to your protection strategies, the strategies can more easily be negatedor evaded.

Vary Behavior when Cracking Attempt is Detected

When a cracking attempt is detected (for example, through using a checksum—described later inthe chapter), delay the reactive behavior of your software, thus breaking the logical connectionbetween “cause” and “effect.” Delayed reaction confuses a software cracker by obscuring the linkbetween the cracking attempt and the negative reaction of the software to that attempt.

Behavior such as impairing program functionality when a cracking attempt is detected can be veryeffective. Additional behaviors could include causing the program to crash, overwriting data files,or deliberately causing the program to become inaccurate, causing the program to becomeundependable.

Types of Attack and Their Sentinel LDK DefenseIt is important to “know your enemy.” When you are well informed about the types of attacksthat a software cracker may make, you will be best able to devise and implement strategies thatlimit or prevent their success.

This section describes the elements of some of the more common attacks that software crackersuse, and refers you to specific Sentinel LDK strategies that you can implement to counter suchattacks.

Patching Executables and DLLs

A software cracker disassembles and/or debugs EXE or DLL files to find protected code. The actualfile is then patched in order to modify run-time flow, or to remove calls in the code.

Commonly, the software cracker sends a small, standalone patch executable that the end userruns in order to patch your software.

Sentinel LDK Solution

The more files that are protected, the longer it takes a software cracker to remove protection. Youcan protect multiple executable and DLL files using Sentinel LDK Envelope. You can also use theData Encryption facility of Sentinel LDK Envelope to encrypt and protect data files.

Modifying Key Memory

Licensing data is normally stored in the memory of a software protection key. A software crackerattempts to access the Protection Key memory in order to modify the licensing terms. Forexample, a depleted execution-based license might be changed to a perpetual license, or a featurethat has not been paid for might be enabled.

Sentinel LDK Solution

In the context of Sentinel LDK, Read-only memory (ROM) is a segment of the memory that cancontain data that the protected application can access, but cannot overwrite. Sentinel protectionkeys contain two ROM segments, one of which contains Sentinel LDK Feature-based licenses. Thesecond segment provides an area in which vendor-customized data can be stored. Thesesegments can only be updated using remote updates.

Sentinel LDK automatic Feature-based licenses utilize read-only memory of Sentinel protectionkeys. The different types of available licenses are sufficient for almost any licensing model.

You can customize your own licenses and still use a ROM segment in a Sentinel protection key’smemory. Note however that licenses that have been customized must remain static (for example,such licenses cannot include a decremented number of executions).

For additional information about licensing models, see "PART 5 - LICENSING MODELS" on page178.

Types of Attack and Their Sentinel LDK Defense 80

81 Chapter 5: Protection Strategies

Emulating Protection Keys

To emulate the software of a protection key manufacturer, a software cracker creates anapplication that replays previously recorded calls, as if an actual protection key is returning thecalls.

Limited functionality emulators only record and replay calls. Full-functionality emulators alsoemulate the key, including its encryption. A software cracker requires access to the encryption keyto create a full-functionality emulator.

There are several places in which emulators can reside. Primarily, they are an attempt to replacethe driver.

Sentinel LDK Solution

Sentinel LDK provides a secure channel between an application and the Sentinel HL key. Data thatpasses between the protected application and the key is encrypted. Taking advantage of thesecure channel functionality between your application and a Sentinel HL key provides you with thestrongest possible protection.

A different encryption key is used in every session. This means that someone recording datapassing through the secure channel cannot replay the data, since the encryption key used toencrypt the data will differ from that used to decrypt the data.

Using Terminal Servers and Terminal Service Solutions

When using the terminal servers of some operating systems, it might be possible for an end userwith a locally connected protection key to enable software on multiple concurrent terminals.

Sentinel LDK Solution

The Sentinel LDK protection includes mechanisms to determine if a protected application isrunning on a terminal server. If such a scenario is detected, and the license is on a local protectionkey, the program will not function, subject to vendor overrides. If the license is on a network key,one of the concurrent licenses will be consumed, subject to vendor overrides.

Cloning Hardware Keys

The software cracker reverse-engineers a hardware protection key, then creates duplicates. Suchan attack is extremely costly to the cracker, both in terms of the reverse engineering tools and theexpertise required. It is also costly in terms of ongoing production of hardware keys.

Sentinel LDK Solution

Sentinel HL keys are each unique and have their own ID. Keys that are in the same batch andbehave identically are each uniquely encrypted, the key’s customized controller and memoryforming a unique locked pair. This means that if the memory of one Sentinel HL key is copied toanother Sentinel HL key, the second key will not function.

Clock Tampering

Clock tampering relates to either the system clock of the machine on which the protectedsoftware is running, or to a real-time clock contained in keys. The software cracker resets the time

to enable extended, unlicensed use of the software.

Sentinel LDK Solution

Use either the Sentinel HL Time or Sentinel HL NetTime keys when implementing time-basedlicenses for your software. Both the clock itself, and the license which is stored in read-onlymemory, cannot be modified.

Additional Sentinel LDK-specific Strategies

This section describes additional general protection strategies that are available to users ofSentinel LDK.

Use Both the Sentinel Licensing API and Sentinel LDK Envelope

Maximize security by using the Sentinel Licensing API to implement calls to a Sentinel protectionkey, and protect the application with Sentinel LDK Envelope. Using one protection method doesnot preclude the use of the other.

Insert Multiple Calls in your Code

Inserting many calls, throughout the code, to the Sentinel protection key in order to check thepresence of the key, and binding data from the key with the software functionality, frustratesthose attempting to crack your software. Multiple calls increase the difficulty in tracing aprotection scheme.

You can also add obstacles to a potential software cracker’s progress by encrypting data that hasno bearing on the application. Similarly, you can divert attention by generating “noise” throughrandom number generators, time values, intermediate results of calculations, and othermechanisms that do not lead to meaningful results or actions.

Encrypt/Decrypt Data with a Sentinel protection key

Encryption and decryption processes are performed inside a Sentinel protection key, well beyondthe reach of any debugging utility.

Encrypting data with the Sentinel LDK AES-based encryption engine considerably enhancessoftware security. By encrypting data used by your application, the decryption process dependson both the presence of a Sentinel protection key and its internal intelligence.

By implementing a Sentinel Licensing API scheme in which data is decrypted by aSentinel protection key, the association between the protected application and theSentinel protection key cannot easily be removed. Cracking the software also necessitates thesoftware cracker decrypting the data.

Use a Checksum to Verify Integrity of Executable Files

Compare the value in the executable file with a checksum stored in Sentinel protection keymemory. If the two values are not equal, you can assume that someone has attempted to modifythe files. Repeat this check in various places in the code, varying it in each place to make it moredifficult for a software cracker to detect.

Types of Attack and Their Sentinel LDK Defense 82

Chapter 6:Working with the Sentinel LDK Data

Encryption Utility

This chapter describes data file protection using the Sentinel LDK Data Encryption utility.

In this chapter:

n "Introduction" on page 84

n "Data Encryption Prerequisites " on page 86

IntroductionThe Sentinel LDK Data Encryption facility enhances the default Sentinel LDK Envelope protection byinjecting a protected program with the ability to encrypt and decrypt specified data files. Theprotected application can write encrypted data to external files and read the encrypted data back.In addition, you can also use the standalone Data Encryption utility to encrypt data files that youwant to secure and distribute with your protected application. These files can be read later by theprotected application. Decryption occurs when a data file is opened and encryption occurs when adata file is saved.

The ability to implement Sentinel LDK Data Encryption functionality is enabled at the time yourapplication is protected using Sentinel LDK Envelope. The types of files that are to be encryptedand decrypted are specified at that time.

When to Encrypt Data Files

Protect your data files if:

n You want to maximize your software’s security. When your software is being protected,consider adding another layer of security by protecting those data files that are accessedby your software.

n You want to protect your intellectual property. Your data files represent yourinvestments, so it is worthwhile preventing your intellectual property from being exposedwithout protection.

6

85 Chapter 6: Working with the Sentinel LDK Data Encryption Utility

Data Encryption Utility Users

Anyone involved in the production or maintenance of data files for your protected softwareshould use Sentinel LDK Data Encryption utility. This could include people in roles such as graphicartists, information developers, or accountants.

Sentinel LDK Data File Handling

Sentinel LDK Data Encryption utility generates data files that can be processed by programsprotected by Sentinel LDK Envelope. After a specific set of data files has been encrypted, thosefiles can be accessed by Sentinel LDK Envelope.

An application that has been protected using Sentinel LDK Envelope contains the Data Encryptionfacility. This facility enables the protected application to read and write encrypted data to anexternal file. You can use the Data Encryption utility to provide an initial encrypted applicationdata file that is installed together with the protected application.

The following diagram illustrates how application data is initially encrypted, and then used by theprotected application.

Data Encryption for Mac

Sentinel LDK Envelope for Mac provides the capability for a protected application under Mac OS Xto encrypt and decrypt data that is written to and read from an external file.

Data files that will be delivered together with the protected application must be pre-encryptedusing the Sentinel LDK Data Encryption utility for Mac or for Windows.

When using Sentinel LDK Data Encryption utility to encrypt files for Mac:

n The Data Encryption utility ignores TYPE/CREATOR for files.

n The Data Encryption utility does not work with document types stored in File Bundles (forexample: Keynote presentations) since these are directory structures and not typical files.

Data Encryption PrerequisitesTo use the Sentinel LDK Data Encryption utility, you must have the following componentsinstalled. In addition, you need to know the location of the appropriate Sentinel LDK Envelopeproject, and the files that you want to encrypt.

n Sentinel protection keys: Ensure that the Sentinel protection key that is used to protectthe program is accessible when protecting data.

While encryption and decryption of data is performed in the protected device driver, theSentinel protection key generates the encryption key. This method ensures maximumprotection while maintaining the high performance that is required when large volumes ofdata are decrypted.

n Run-time Environment: Before using Sentinel LDK Data Encryption utility, ensure that theappropriate run-time environment is installed on your machine.

n Input: To use Sentinel LDK Data Encryption utility correctly, the following must be readilyavailable in known directories:

o A saved Sentinel LDK Envelope project containing a program or programs withenabled data filters

o Data files you want to encrypt. These files must satisfy the file filters specified forthe program(s)

To use the Sentinel LDK Data Encryption facility in a protected application to encrypt and decryptdata in an external file, the protected application must be installed with the Run-timeEnvironment.

Launching Sentinel LDK Data Encryption Utility

You can launch Sentinel LDK Data Encryption utility directly from Sentinel LDK Envelope after youhave defined data filters. Alternatively, you can click the datahasp.exe file, located in the followingdirectory on your system:

…\Program Files\SafeNet Sentinel\Sentinel LDK\VendorTools\VendorSuite

Supported Functionality

The Sentinel LDK Data Encryption utility has a conveniently designed interface that manages allaspects of data encryption projects. The interface enables you to:

n Open Sentinel LDK Envelope projects and list the programs they contain

n Edit existing Data Encryption projects

n Add files or directories for data encryption

n Encrypt data files and directories for specific programs protected by Sentinel LDK Envelope

n View and save encryption process logs

n Access all Sentinel Vendor Suite applications and the Sentinel Web site

Data Encryption Prerequisites 86

87 Chapter 6: Working with the Sentinel LDK Data Encryption Utility

Modifying Input

Data files are subject to regular modification. The design of the Data Encryption utility anticipatesthe requirement to regularly update data file content. After you have encrypted modified datafiles, they can only be accessed if a specific Sentinel protection key is detected.

PART 3 - LICENSINGIn this section:

n "Chapter 7: Introduction to Sentinel EMS" on page 90

Provides an overview of Sentinel EMS and the major processes it facilitates, lists itsprerequisites, and explains how to use the application.

n "Chapter 8: Preparing Your Sentinel LDK Licensing Plan " on page 98

Outlines the importance of licensing your software products, describes the licensing optionsprovided by Sentinel LDK, and explains how to prepare a licensing plan for use withSentinel EMS.

n "Chapter 9: Implementing Your Sentinel LDK Licensing Plan" on page 108

Describes how to use Sentinel EMS to define and manage the Features and Productsincluded in your Sentinel LDK licensing plan, and how to maintain Products and licenses ascircumstances change.

n "Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks" on page122

Describes how to use Sentinel EMS to manage and produce entitlements, and to performadditional development-related tasks.

n "Chapter 11: Sentinel LDK Administration and Customer Services" on page 140

Describes how to use Sentinel EMS to define Sentinel LDK user details, maintain BatchCodes, configure system settings, perform manual Product activation and maintaincustomer data.

n "Chapter 12: Sentinel Remote Update System" on page 144

Describes the Sentinel Remote Update System utility (RUS utility) and explains how to usethe RUS utility to remotely update license data in deployed Sentinel protection keys.

n "Chapter 13: Generating Sentinel LDK Reports" on page 150

Provides an overview of the Sentinel EMS Reporting facility and describes some of the mainfeatures of the facility.

Chapter 7:Introduction to Sentinel EMS

This chapter provides an overview of Sentinel EMS and the major processes it facilitates. It alsodescribes the user roles and their functions in Sentinel EMS, lists its prerequisites, and explainshow to start using the application.

An alternative to Sentinel EMS, the Sentinel License Generation API, is also described.

In this chapter:

n "Sentinel EMS Overview" on page 90

n "Sentinel EMS Users and User Roles" on page 92

n "Getting Started With Sentinel EMS" on page 93

n "Sentinel License Generation API" on page 96

This chapter provides high-level information on Sentinel EMS processes. For detailedpractical instructions for using each function in Sentinel EMS, see the Sentinel EMS helpsystem.

Sentinel EMS OverviewSentinel EMS is a powerful role-based application designed to manage the business activitiesrequired to implement and maintain Sentinel LDK in your organization.

Sentinel EMS streamlines the major workflows in the licensing lifecycle of a protected softwareapplication, from the moment it is developed, through its packaging, marketing, selling, andorder-taking, to its distribution and upgrading.

Sentinel LDK separates the software protection process (implemented with Sentinel Licensing APIor Sentinel LDK Envelope) from the licensing and production processes (implemented withSentinel EMS), enabling you to modify your company’s licensing strategy as necessary whencircumstances change, and to implement these changes quickly and efficiently.

Sentinel EMS Major Workflows

Sentinel EMS is installed as a service under Windows. The Sentinel EMS Service handles threemajor workflows: license planning, order processing and production, and software activation.

7

91 Chapter 7: Introduction to Sentinel EMS

License Planning

Before starting to use Sentinel EMS, it is recommended that business decision-makers in yourorganization, such as product or marketing managers, prepare a licensing plan based on thecompany’s licensing strategy.

The licensing plan identifies each individual functional component in your software applicationsthat can be independently controlled by a license. In Sentinel LDK, these components are referredto as Features. A Feature may be an entire application, a module, or a specific functionality suchas Print, Save or Draw. Over 64,000 Features can be defined using Sentinel EMS.

In addition, the licensing plan can include the Products that your company wants to sell and/ordistribute for evaluation. In Sentinel LDK, a Product is a collection of one or more licensedFeatures that can be sold or distributed as an item.

After completing the licensing plan, the Features and Products can be defined in Sentinel EMS. Theoutput of this process is a repository of Products that are stored in the Sentinel EMS database—ready for customer orders.

You can make changes to your licensing plan and license models at any time, addingFeatures and Products as required.

For additional information on preparing a licensing plan for use with Sentinel LDK, see "Chapter 8:Preparing Your Sentinel LDK Licensing Plan " on page 98.

For a description of the many types of model licenses you can implement using Sentinel LDK, see"PART 5 - LICENSING MODELS" on page 178.

For additional information on defining Features and Products in Sentinel EMS, see "Chapter 9:Implementing Your Sentinel LDK Licensing Plan" on page 108.

Order Processing and Production

Staff in your organization’s orders department receive and fulfil entitlements. An entitlement is anorder for Sentinel LDK items, and can be one of the following:

n An order for Products to be supplied with one or more Sentinel protection keys

n A Protection Key Update that specifies changes to be made to the license terms and/ordata stored in Sentinel protection keys that have already been deployed

Order processing personnel process the entitlement details using Sentinel EMS. The license termsof each Feature in the ordered Products may be specified when the Product is defined, or whenthe entitlement is processed.

When all the details of an entitlement have been defined, the entitlement can be produced. TheProduct details, including the license terms and memory data, are stored in the specifiedSentinel protection keys at the production stage or when the Product is activated, and can beupdated after the keys have been deployed.

For additional information on processing and producing entitlements in Sentinel EMS, see"Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.

Software Activation and Online Updates

Product activation and online updates are performed using Sentinel EMS when your software is atthe end user’s site.

Product Activation with Sentinel SL Keys

With Sentinel SL keys, the software is only activated and usable after the following steps arecompleted:

1. A Product Key is produced in Sentinel EMS and supplied to the end user.

2. The end user sends the Product Key to Sentinel EMS for validation.

3. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.

Online Updates

Online updates can be implemented in the following ways:

n The Protection Key Update information is stored in Sentinel EMS for use in software thatyou provide to your end users. The update is then implemented as part of the end users’installation process.

n A file that contains the Protection Key Update information is generated and sent to theend user. This file can then be used with the Sentinel Remote Update System (RUS utility)utility to ensure secure, remote updating of the deployed Sentinel protection keys.

For additional information on RUS utility, see "Chapter 12: Sentinel Remote UpdateSystem" on page 144.

A receipt can be generated when a Protection Key Update is processed, to verify that the updatehas been applied.

Sentinel EMS Users and User RolesSentinel EMS is a role-based application. The functions and tasks that you can perform aredetermined by the user roles assigned to you by the Sentinel LDK Administrator.

The table that follows describes the roles available. (Almost all of the tasks listed in the table relateto functionality in Sentinel EMS.)

Role Authorized Tasks For more informationProduct Manager Define and manage Features and Products "Chapter 8: Preparing Your

Sentinel LDK Licensing Plan " onpage 98"Chapter 9: Implementing YourSentinel LDK Licensing Plan" onpage 108

Entitlement Manager Define and manage customersEnter and manage entitlements

"Chapter 10: Sentinel LDKEntitlements, Production,and Development Tasks" onpage 122

Sentinel EMS Users and User Roles 92

93 Chapter 7: Introduction to Sentinel EMS

Role Authorized Tasks For more informationProduction Produce entitlements "Chapter 10: Sentinel LDK

Entitlements, Production,and Development Tasks" onpage 122

Customer Services Define and manage customersManage Product activations

"Chapter 11: Sentinel LDKAdministration and CustomerServices" on page 140

Report Generation Run and view reportsSchedule generation of and arrangedistribution of reports.

"Chapter 13: GeneratingSentinel LDK Reports" on page150

Development Perform development-related tasksOperate Sentinel LDK ToolBox andSentinel LDK Envelope

"Chapter 10: Sentinel LDKEntitlements, Production,and Development Tasks" onpage 122

Batch Code Admin Can perform the following functions forthe assigned Batch Codes:

n Manage Sentinel LDK usersn Maintain Master keysn Configure system settingsn Generate reportsn Manage scheduled reports

"Chapter 11: Sentinel LDKAdministration and CustomerServices" on page 140

Super User Can perform the following functions for allBatch Codes:

n Manage Sentinel LDK usersn Maintain Master keysn Configure system settingsn Generate reportsn Manage scheduled reports

"Chapter 11: Sentinel LDKAdministration and CustomerServices" on page 140

The “admin” user is authorized to perform all functions in Sentinel LDK. Only the admin user canassign the Super User role to another user.

Getting Started With Sentinel EMSBefore you start to use Sentinel EMS, ensure that:

n You have a URL to access the installation of Sentinel EMS at your site.

n You have received a Sentinel LDK user name and password from your Sentinel LDK systemadministrator.

After you have logged in to Sentinel EMS, you can change the Sentinel LDK password that youreceived to a password of your own choice. For additional information on changing yourpassword, see the Sentinel EMS help system.

Sentinel LDK passwords are case-sensitive, so ensure that you use upper-case and lower-case letters correctly when you type your password.

Prerequisites for the Sentinel LDK Administrator

If you are performing administration functions for Sentinel LDK in your organization, it is essentialthat you check the following requirements before you (or other users) start to use Sentinel EMS:

n A valid connection to the Sentinel EMS Server machine must exist. For additionalinformation on installing Sentinel EMS, see the Sentinel LDK Installation Guide.

n You must have a Sentinel Master key that contains your license for Sentinel LDK and yourcompany’s specific Vendor Code. If not previously introduced, the Sentinel Master key isintroduced during the Sentinel EMS Service installation process.

n The Sentinel Master key must remain connected to the Sentinel EMS Server machine inorder to enable you to perform Sentinel EMS functions. If Sentinel EMS is installed onmore than one machine, each machine must have a separate Sentinel Master keyconnected locally.

If you are evaluating Sentinel EMS, you can use the DEMOMA Batch Code provided, whichdoes not require a Sentinel Master key.

n You must define user names, passwords, roles, and batch access for each Sentinel EMSuser, and also for yourself. For additional information, see "Maintaining User Details " onpage 141.

A default user name and password is provided with Sentinel LDK to enable you to log in toSentinel EMS as the Sentinel LDK Administrator. The default user name and password isadmin.

For additional information on the Sentinel LDK administration tasks and options in Sentinel EMS,see "Administration Tasks" on page 140.

Sentinel EMS Home Screen

When you log in, the Sentinel EMS Home screen is displayed.

Getting Started With Sentinel EMS 94

95 Chapter 7: Introduction to Sentinel EMS

The Sentinel EMS Home screen provides a snapshot of the current status of importantinformation in Sentinel EMS. The information relates to all the Batch Codes for which the currentuser has authorizations.

To return to this screen at any later time, click the Home tab.

The functions that each user sees on the Function bars will vary based on the roles that areassigned to the user.

Sentinel EMS Screen

When you select any of the Function bars, the Sentinel EMS screen is displayed.

Sentinel EMS top-level web screens typically includes the following:

n Function bars, in which you select the function to perform.

n Main pane, in which you view and select items.

n Filter tool, which you can use to filter the items that are listed in the main pane.

n Details pane, in which you view details of the item selected in the Main pane.

n Task buttons, which you use to perform actions for the selected item.

The functions that each user sees on the Function bars will vary based on the roles that areassigned to the user.

Using the Sentinel EMS Help

Detailed instructions for using each function and task in Sentinel EMS are provided in theSentinel EMS help system.

To access help, click the Help link at the top right of the screen. Many individual screens alsocontain a help button for information about the contents of the screen.

Sentinel License Generation APIFor sites that already have a licensing infrastructure in place or that prefer to implement analternative to Sentinel EMS, Sentinel LDK offers a standalone licensing solution.

You can use Sentinel License Generation API together with your existing licensing server softwareand ERP and CRM back office systems for maximum flexibility and control over your businessprocesses.

Sentinel License Generation API provides the functionality required to generate and maintainSentinel protection keys, but without any of the back office services that are provided by Sentinel

Sentinel License Generation API 96

97 Chapter 7: Introduction to Sentinel EMS

EMS. All the required services are provided by the system that you choose to implement. Youwould use Sentinel LDK only to handle the protection and Feature-control functions for yourapplications.

Sentinel License Generation API is included in Sentinel LDK ToolBox. Documentation for the API isincluded in the ToolBox help system.

To generate licenses, the Sentinel Master key must be connected to the machine wherethe program that calls Sentinel License Generation API is running. License generationcannot be performed over RDP (that is, over a remote connection to the system where theMaster key is connected).

Chapter 8:Preparing Your Sentinel LDK

Licensing Plan

Before you start to use Sentinel EMS in your organization, you may want to prepare a detailedlicensing plan for use with Sentinel LDK. Although it is recommended that you prepare a licensingplan, it is not a prerequisite for using Sentinel EMS. Licensing decisions can be implemented ormodified at any point.

This chapter outlines the importance of licensing your software products, describes the licensingoptions provided by Sentinel LDK, and suggests how you might prepare a detailed licensing planfor use with Sentinel EMS.

In this chapter:

n "Licensing Overview" on page 98

n "Preparing Your Licensing Plan" on page 99

n "Choosing the Protection Level for Your Products" on page 101

n "Designating Products for Trial or Grace Period Use" on page 103

n "Assigning License Terms to Features" on page 104

n "Utilizing Protection Key Memory" on page 105

n "Using Your Licensing Plan With Sentinel EMS" on page 105

This chapter provides high-level information about Sentinel LDK licensing options. Fordetailed practical instructions for implementing the licensing options in Sentinel EMS, seethe Sentinel EMS help system.

Licensing Overview"PART 2 - PROTECTION" on page 42, in this Guide explained in detail how to protect yoursoftware and intellectual property. In addition to protecting these valuable assets, it is essentialthat you protect your company’s revenue by ensuring that your software is available only to theappropriate users, according to the terms that you define. This process is controlled by licensing.

8

99 Chapter 8: Preparing Your Sentinel LDK Licensing Plan

Licensing provides you with the flexibility to implement your business strategies for the sale anddistribution of your software products. You define the licensing terms with which your software isdistributed or sold according to your decisions about what is commercially beneficial to yourcompany.

For example, you may decide that you initially want to distribute your software free of charge, sothat users can try it before purchasing. You will want to ensure that users can use it for only alimited time before it must be purchased.

Alternatively, you may publish very complex, expensive software. You may decide to make specificcomponents of that software available for a lower price, thus making parts of it accessible to userswho cannot afford the full-featured version.

The versatility of Sentinel LDK enables you to implement a wide variety of licensing models. Formore information on the many models you can apply to your software offering, see "PART 5 -LICENSING MODELS" on page 178.

Preparing Your Licensing PlanA useful step in the development of a licensing strategy is the preparation of a licensing plan.Business decision-makers in your organization, such as product managers or marketing managers,define protection and business rules, and specify the licensing models required to meet yourcompany’s business needs.

A licensing model is the logic behind a business decision relating to the way a Product is licensed.For example, a rental license model enables you to charge for the use of software for a specificperiod of time.

Sentinel LDK enables you to choose from a variety of out-of-the-box licensing models, including:

n Trialware (try-before-you-buy)

n Rental/Subscription

n Module-based

n Feature-based

n Floating users

n Time-based

n Execution-based

n Perpetual

n Unlocked

You can define additional licensing models and software usage terms to meet your company’sindividual requirements.

It is recommended that you prepare a licensing plan before you start to use Sentinel LDK tostreamline the implementation of your company’s licensing strategy. Your Sentinel LDK licensingplan should be based on the detailed licensing requirements that you define for all the protectedsoftware applications to be sold by your company, and/or distributed for trial use.

The process of preparing a Sentinel LDK licensing plan can include the following steps:

1. Analyzing all the relevant software applications and identifying each functional componentthat can be licensed individually.

2. Combining these components into licensed entities that can be offered to customers.

3. Deciding which Sentinel protection keys you want to supply with your softwareapplications.

4. Specifying the detailed licensing terms to be applied, according to your licensing strategy.

The output of such a process is a comprehensive licensing plan that can be implemented usingSentinel EMS.

You can make changes to your licensing plan and license models at any time.

Identifying Functional Components (Features)

The recommended first step in evaluating and planning your licensing requirements involvesanalyzing your software applications and identifying their functional components. Mostapplications can be segmented into a number of distinct functional components. In Sentinel LDK,these components are referred to as Features.

Each individual Feature is an identifiable functionality of a software application that can beindependently controlled by a license. In Sentinel LDK, a Feature may be an entire application, amodule or a specific functionality such as Print, Save or Draw.

Example: Specifying Features

Scenario: The Product Manager of High Quality Software Ltd. (HQ Software), a company providingdesign software for the construction industry, identifies the specific functional components thatthe company wants to license, and assigns a Feature name to each component.

The following table lists the defined functional components and the Feature names assigned toeach component:

Functional Component Feature

Drawing design plans DRAW

Viewing design plans VIEW

Saving projects SAVE

Printing designs PRINT DESIGNS

Printing predefined reports PRINT REPORTS

Generating tailored reports REPORT GENERATOR

Combining Features Into Products

After you have identified and listed all the individual Features to license, you can define thedifferent combinations of licensed Features that your company wants to sell.

Preparing Your Licensing Plan 100

101 Chapter 8: Preparing Your Sentinel LDK Licensing Plan

In Sentinel LDK, a collection of one or more licensed Features that can be sold as an item isreferred to as a Product. Products can differ from each other, not just in the Features that theycontain, but also in the license terms specified for each Feature.

Your licensing plan can contain the names of all the Products that your company wants to selland/or distribute for evaluation, and the Features that each Product includes.

In Sentinel LDK, you have full control over the specific Products you define, the Features theyinclude, and the license terms assigned to each Feature in each Product.

Example: Defining Products

Scenario: The HQ Software Product Manager decides to define a trial Product intended fordistribution to customers who want to evaluate their software. This Product, HQ Design Demo,includes only the VIEW and PRINT DESIGNS Features.

In addition, the company defines:

n A Product intended for small-office customers, HQ Design Lite, offering the Featuresincluded in HQ Design Demo, with the addition of DRAW and SAVE

n A Product targeted towards larger customers, HQ Design Pro, that offers all availableFeatures

(The REPORT GENERATOR Feature has not yet been fully developed and is not currently includedin the HQ Design Pro Product. This Feature is planned for a future release.)

Choosing the Protection Level for Your ProductsYour choice of the Sentinel protection keys to be distributed together with your licensed softwarereflects the level of protection you wish to apply and the way you intend to control the use of oraccess to each Product.

Two types of Sentinel protection keys are available:

n Sentinel HL keys: The hardware-based protection and licensing component ofSentinel LDK that provides the safest and strongest level of protection.

n Sentinel SL keys: The software-based protection and licensing component ofSentinel LDK—virtual Sentinel HL keys. Sentinel SL keys are further divided intoAdminMode and UserMode keys

For more information on the different types of keys and a comparison of the benefits for eachtype, see "End-User Keys" on page 37.

Your software and the user license are both locked to the Sentinel protection key that you select.

When you define the Products to be included in your licensing plan, you also select whichSentinel LDK locking type to assign to each Product. The locking type determines the level ofprotection for each Product, as follows:

n HL hardware-based level of protection

n SL AdminMode or SL UserMode: software-based level of protection

n HL or SL AdminMode or HL or SL AdminMode or SL UserMode: software-based level ofprotection

Sentinel HL Key Protection and Activation

A Product that is protected with a Sentinel HL key can be activated only after the end userreceives a Sentinel HL key containing the license terms for the Product and connects the key tothe computer.

Benefits of Sentinel HL Key Protection

Sentinel HL key protection provides the strongest level of protection against piracy. The correctfunctionality of the software depends on the internal logic of the Sentinel HL key, which is virtuallytamper-proof.

In addition, Sentinel HL key protection:

n Offers the strongest enforcement for license terms, which are stored and protected insidethe Sentinel HL key.

n Enables portability—the software can be used on any computer to which the Sentinel HLkey is connected.

n Does not require transaction with the software vendor to enable activation of theProduct.

Sentinel SL Key Protection and Activation

A Product that is protected with a Sentinel SL key can be activated only after the following stepshave been completed:

1. A Product Key, consisting of a string of characters, is generated in Sentinel EMS andsupplied to the end user.

2. The end user returns the Product Key as proof of purchase.

3. The Product Key is sent to Sentinel EMS for verification.

4. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.

(The end user can perform steps 2, 3, and 4 automatically with the Sentinel EMS Customer Portal.)

Benefits of Sentinel SL Key Protection

With Sentinel SL key protection:

n Product activation is instantaneous. End users can immediately start using the softwarewith its fully licensed functionality.

n The activation process for end users is convenient and transparent.

n The online connection with end users can enable user registration data to be collectedand used for marketing purposes.

Choosing the Protection Level for Your Products 102

103 Chapter 8: Preparing Your Sentinel LDK Licensing Plan

n When using a network license that is locked to a Sentinel SL key, you can specify that alicense can be detached from the pool of network seats and attached to a remoterecipient machine.

Specifying the Protection Level for Individual Orders

Sentinel LDK gives you the flexibility to choose the Sentinel protection keys for a Product oraccording to the requirements of each individual order.

If you prefer not to specify the protection level in advance, you can assign the HL or SLAdminMode or SL UserMode locking type to a Product. With this locking type, the decision onwhich type of Sentinel protection key is to be shipped with the Product is made when each orderis processed.

WARNING

A P r odu c t th a t c an be d i s t r i b u te d w i th bo th HL and S L k e y s i s a lw ay s su pp l i e dw i th th e S L k e y - l e v e l o f p r o te c t i o n , e v e n w he n i t i s s h i p p e d w i th HL k e y s .

Designating Products for Trial or Grace Period UseSentinel LDK enables you to create, protect, and distribute secure trialware versions of yoursoftware. You can invite users to download your trial software from networks, to share it withother users, and to give it away to their friends or colleagues. End users then have the option topurchase your software and to turn their trial copy of into a fully-functional version by activating itwith a Sentinel protection key.

You can also use Sentinel LDK to define grace periods for your software. During the grace period,and even after activation, end users can pass copies of their purchased software to as manyfriends as they wish. When a friend installs the software, it automatically reverts to a limited trialversion for the entire grace period. After the grace period expires, the software can no longer rununtil it is activated with a Sentinel protection key.

Sentinel LDK enables you to define trial and grace periods for software protected with any type ofSentinel protection key.

For example, software protected with Sentinel HL keys can be purchased and delivered over theInternet while the Sentinel HL keys are shipped, and end users can start using the software whilewaiting for the arrival of their key.

Similarly, end users who purchase and install a software application can use it for a 30-day graceperiod without activating it. During this grace period, they can activate the software remotely andreceive a Sentinel SL key, after which the software will run according to the purchased licenseterms stored in the keys. If the grace period expires and the software has not been activated, itwill stop running until activated by the end user.

In Sentinel LDK, a Product that is intended for distribution as trialware or for use during a graceperiod is referred to as a Provisional Product. Sentinel LDK locking types are not applicable toProvisional Products, since these Products are distributed without Sentinel protection keys.

Your licensing plan can include all the Provisional Products to be offered by your organization.

Assigning License Terms to FeaturesSentinel LDK enables you to assign individual license terms to each Feature in each Product thatyou define. You can also define Products that include the same Features, but with different licenseterms. Such decisions are based on the commercial requirements of your organization, and on thelicense models that you choose to implement.

You can control Feature usage through the license by specifying the license type to be applied.You can choose one of the following license types:

n Perpetual: Indicates that the license can be used an unlimited number of times for anunlimited period of time.

n Expiration Date: Specifies the date on which the license expires.

n Executions: Specifies the maximum number of times that the Feature can be used.

n Time Period: Specifies the number of days until the license expires, from the date of firstuse.

After you select the type of license to apply to each Feature in a Product, you can specify itsvalue, for example, the number of times that a Feature can be used.

If the Feature is intended to be used on a network or remote desktop, you can also specify thenumber of concurrent instances (network seats) allowed, and you can specify how concurrentinstances are to be counted for the purpose of the license. In addition, if the Feature will be usedin Products that are locked to Sentinel SL keys, you can specify that the Feature and its licensemay be temporarily detached from the network for attachment to a remote recipient machine.

Specifying License Values for Individual Orders

Sentinel LDK offers you maximum flexibility with regard to license terms, enabling you to supplythe same Product to different customers with different license term values.

You do not have to specify in advance the exact values for the license type or the number ofconcurrent instances for each Feature in the Product. When each order for the Product isprocessed, the person processing the order defines the values required for that specific order.

Example: Specifying License Terms and Protection Levels

Scenario: The HQ Software Product Manager decides to specify the following license terms for itsthree Products:

n A trial period of 30 days for the PRINT and VIEW Features in its HQ Design Demo Product

n A low-cost annual rental license for the DRAW and SAVE Features in the HQ Design LiteProduct, with unlimited usage for the PRINT and VIEW Features

n A more costly, full-featured license for the HQ Design Pro Product that specifies unlimitedusage for all Features

The following protection levels are defined for each of the Products:

Assigning License Terms to Features 104

105 Chapter 8: Preparing Your Sentinel LDK Licensing Plan

n HQ Design Demo is defined as a Provisional Product, to enable it to be distributed freelyfor evaluation

n HQ Design Lite is supplied with Sentinel SL key protection, enabling electronic distribution

n HQ Design Pro is supplied with Sentinel HL key protection, for maximum security

The following table summarizes the three Products, their protection levels, and their licensedFeatures:

Product: HQ Design Demo HQ Design Lite HQ Design Pro

Protection Level: Provisional Sentinel SL keys Sentinel HL keys

License Model: Trial Rental Unlimited

Feature

DRAW – Expires after 1 year Unlimited

VIEW 30 days Unlimited Unlimited

SAVE – Expires after 1 year Unlimited

PRINT DESIGNS 30 days Unlimited Unlimited

PRINT REPORTS – – Unlimited

REPORT GENERATOR – – Not yet available

Utilizing Protection Key MemoryAll Sentinel protection keys—with the exception of Sentinel HL Basic keys—contain secure internalread-only and read/write memory. You can define specific segments for memory data and choosewhether the data is added when you create a Product or when an order is being processed.

You can use the memory, for example, to:

n Store licenses from your own licensing schemes

n Save passwords, program code, program variables, and other data

Memory data can be defined for each Product. The contents of the memory are transferred to thesecure memory of the selected Sentinel protection keys together with the Features, license termsand other data defined for the Product.

You can add any specific data that is required to be stored in memory for each Product to yourlicensing plan.

Using Your Licensing Plan With Sentinel EMSYour licensing plan can be implemented using Sentinel EMS. As your licensing requirementschange, you can revise the licensing plan and ensure that the changes are implemented usingSentinel EMS. Your licensed Products can be easily and securely updated as required, after theyhave been deployed to customers.

For additional information on implementing and maintaining your licensing plan, see "Chapter 9:Implementing Your Sentinel LDK Licensing Plan" on page 108.

Sentinel LDK offers you the flexibility to update your licensing strategy as necessary, and to adaptrapidly to changes in the market, in your company’s business strategy, or in customer purchasingpreferences.

Using Your Licensing Plan With Sentinel EMS 106

Chapter 9:Implementing Your Sentinel LDK

Licensing Plan

This chapter is intended for Sentinel EMS users who are assigned the Product Management role.It describes how to use Sentinel EMS to define and manage Features and Products in Sentinel LDK,and to maintain Products and licenses as circumstances change.

For information on preparing a licensing plan and on Sentinel LDK licensing options, see "Chapter8: Preparing Your Sentinel LDK Licensing Plan " on page 98.

For an overview of Sentinel EMS and for information on starting to use the application, see"Chapter 7: Introduction to Sentinel EMS" on page 90.

In this chapter:

n "License Planning in Sentinel EMS" on page 108

n "Managing Features " on page 109

n "Managing Products" on page 110

n "Maintaining Products and Licenses" on page 117

This chapter provides high-level information on license planning and definition processes.For detailed practical instructions for using each function in Sentinel EMS, see theSentinel EMS help system.

License Planning in Sentinel EMSBefore you start to use Sentinel EMS for license planning, it is suggested that you prepare alicensing plan. For additional information, see "Chapter 8: Preparing Your Sentinel LDK LicensingPlan " on page 98.

When you start Sentinel EMS, you have access to the Licensing Plan group of functions, including:

n Managing Features

n Managing Products

Each of these functions is described in this section.

9

109 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

All Sentinel LDK Features and Products are associated with a Sentinel LDK Batch Code. Foradditional information on Batch Code, see "Personalized Vendor and Batch Codes" onpage 36.

Managing FeaturesWhen you display the Features screen in the Sentinel EMS window, you can view the details of alldefined Features associated with the selected Batch Code. You can perform the following tasksusing the Features screen in Sentinel EMS:

n Define Features

n Withdraw Features from use

Defining Features

If you have prepared a licensing plan, the first stage in its implementation is to use Sentinel EMSto define all the Features that you listed in the plan.

Before you begin to define Features, ensure that you have the following information available foreach new Feature:

n The Batch Code associated with the Feature

n A Feature Name that is unique in the selected batch (mandatory). The maximum lengthfor a Feature Name is 50 characters.

n A free-text description that provides additional information about the Feature (optional)

n The ID number that you want to assign to the Feature (optional). The ID must be uniquein the selected batch. The same Feature ID may be used in more than one batch.

After you have defined a Feature, and until the Feature is included in a Product, you can changethese properties in Sentinel EMS. After the Feature has been included in one or more Products,you can open the Feature to view its details, but you cannot change them.

License terms are Feature-specific in Sentinel LDK. However, they are not defined as part ofthe Feature properties. The license terms for a Feature are specified when the Feature isadded to a Product, or when the Product is added to an entitlement. This is because thesame Feature may be included in a number of Products, and the license terms for theFeature may vary according to the requirements of the Product or of the entitlement.

Feature Identification

By default, Sentinel EMS generates a unique Feature ID for each new Feature. You can assign yourown numeric identifier to the Feature, for example, to maintain consistency with existing Featuredata. The Feature ID that you specify must be unique in the selected batch.

Transferring Feature Definitions for Development Use

After you have defined the Features for a selected batch, users authorized to performDevelopment tasks can transfer the Feature data to a file that can be used for development andprotection purposes. For more information on transferring Feature definitions, see "ExportingDefinition Data" on page 137.

Feature Status Values

When a Feature is first defined, you can edit the Feature and modify any of its attributes,including the Feature Name and Feature ID.

Once the Feature has been included in one or more Products, the Feature Name and Feature IDcan no longer be modified.

Deleting Features

If the Feature has not been included in any Product, you can delete it. A Feature cannot bedeleted once it has been deployed in at least one Product.

Managing ProductsWhen you display the Products screen in the Sentinel EMS window, you can view the details of alldefined Products associated with the selected Batch Code.

Managing Products 110

111 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

You can perform the following tasks using the Products screen in Sentinel EMS:

n Define new Base Products

n Define new Provisional Products

n Copy existing Products

n Define new Modification Products

n Define Cancellation Products

n Open a Product to view or modify details

n Withdraw Products from use

n Restore Products that have been made obsolete

n Delete a Product

You cannot modify license terms for a Product or delete a Product that has been fullydefined (with the Complete status).

Defining New Products

Before you start to define the new Products in your licensing plan, ensure that you have thefollowing information available for each Product:

n The Batch Code associated with the Product

n A Product Name that identifies the Product and is unique in the selected batch(mandatory). The maximum length for a Product Name is 50 characters.

n A free-text description that provides additional information about the Product, forexample, the functionality it includes (optional)

n Product reference information that can identify the Product in a different system, forexample, a product code in your company's ERP system (optional)

n The level of protection (locking type) that you want to apply to the Product

n The Features to be included in the Product

n The license terms for each Feature to be included in the Product

n The data to be stored in the memory associated with the Product

After a Product has been defined, it can be included in orders. For additional information onprocessing orders, see "Defining Entitlements" on page 124.

Until the Product is included in an order, you can change the Product properties, Features, andmemory contents in Sentinel EMS. After the Product has been included in at least one order, youcan open the Product to view its details. However, you cannot make any changes.

The only changes that can be made after a Product is included in an order are those related tolicensing terms and memory data that have been previously specified as definable at order time,and these changes are made when the order is being processed.

Product Types

The basic unit on which all Products are built is the Base Product. A Base Product can contain allthe Product attributes such as Features, licensing data and memory—and can be used as aProduct that you offer for sale, and/or as a “shell” on which other Product types are built.

You can define Provisional Products for use during a grace period or as trialware. A ProvisionalProduct can also be defined with a perpetual license for distributing Unlocked Products. Theproperties for Provisional Products are not identical to those for standard Products. For additionalinformation, see "Defining Provisional Products" on page 116.

You can copy an existing Product to create a new Product. For additional information, see"Duplicating a Product" on page 117.

You can define Modification Products and Cancellation Products to modify or cancel Productsthat have been deployed at customer sites. For additional information, see "Maintaining Productsand Licenses" on page 117.

Selecting the Locking Type for the Product

When you define a Product, you must select a locking type. The locking type determines:

n The level of protection for the Product

n The type of Sentinel protection keys that can be shipped with the Product

n The way that the Product can be activated

Managing Products 112

113 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

The locking type options are described in "Choosing the Protection Level for Your Products" onpage 101

Protection Against Cloning

This section describes the protection of your protected application against attempts to clone thephysical or virtual machine on which the protected application is installed.

One of the methods sometimes employed to enable the illegitimate use of licensed software ismachine cloning. Machine cloning involves creating an image of one machine (including yoursoftware and its legitimate license) and copying this image to one or more other machines. Ifthere is no way to detect that the new image is running on different hardware than that on whichit was originally installed, multiple instances of the software are available even though only asingle license was purchased.

Sentinel LDK can detect probable machine cloning and disable protected software that is locked toSentinel SL keys. Clone detection is effective whether the protected software is installed on aphysical machine or on a virtual machine.

When software is locked to a Sentinel HL key, the physical key must be present in orderfor the software to run. Even if a machine image, including your software, is cloned, thesoftware cannot run without the Sentinel HL key to which the software license is locked.

Protection against cloning is applied automatically when a protection application is locked to aSentinel SL key

For each Feature, you specify whether you want to allow the Feature to be accessible on virtualmachines at the time you add the Feature to the Product or when preparing the order for theProduct. By default, each Feature is accessible on virtual machines.

The clone protection functionality is tuned to minimize the occurrence of potential false positives(detection of a clone when no cloning exists), and reduce unnecessary calls to your technicalsupport. As a result, it is possible that the clone protection functionality may not detect a clonedmachine in every case. However, the possibility of this occurrence is low, especially when physicalmachines are cloned. (For information on how Sentinel LDK detects cloned software, see"Appendix D: How Sentinel LDK Detects Machine Cloning" on page 246.)

When the Sentinel LDK Run-time Environment detects cloning, it disables the licenses for whichclone protection was specified. The end user is unable to log in to the software for which clonedlicenses have been detected. The end user must activate the software before it can be used. Otherlicenses for which clone protection was not specified are not affected and the user may continueto log in and use the applications.

Detection of cloned licenses is recorded in the Sentinel License Manager and displayed in theSentinel Admin Control Center. For additional information, see the Admin Control Center helpsystem.

The following workflows provides an overview of how to enable clone detection for licenses lockedto Sentinel SL keys, and how to manage licenses that have been disabled due to the detection ofmachine cloning.

During software protection:

n During protection of your software, use the Sentinel Licensing API to define how yourapplication should behave when machine cloning is detected. For example, the applicationmight display a message telling the end user that the software is disabled due to clonedetection and that they should contact your customer services team.

If you use only Sentinel LDK Envelope for applying protection, (that is, withoutincorporating any additional software engineering), software that is disabled due todetection of cloning will return the following message to the end user: Unknown error.H64

During Product definition:

n When defining Products in Sentinel EMS:

o For each Feature, decide whether the Feature should be accessible on virtualmachines (this can also be decided during order entry). By default, accessibility onvirtual machines is enabled.

During Product activation:

1. When Sentinel EMS detects cloning via the C2V file, it disables the protected application onthe end user's machine.

2. To enable the protected on the end user's machine, the end user must send a newfingerprint for machine. This fingerprint can be generated with the RUS utility, or with thehasp_get_info() function in Sentinel Licensing API. Use the fingerprint to generate a newentitlement for the end user.

Additional Information about Clone Protection

n If you attempt to check in a C2V file, and Sentinel EMS detects that the C2V is from acloned machine, you cannot check the file into the Sentinel EMS database. Similarly, youcannot use a C2V file from a cloned machine to create a license update.

You can click View Details in the Check in Key screen to view details of the C2V if required.

Specifying the License Terms for Features in a Product

When you include a Feature in a Product, the following default license terms are assigned:

n License type: Perpetual

n Number of concurrent instances: Unlimited

To specify the required license terms for the Feature, you can:

n Select a different license type:

o Expiration Date

o Executions

o Time Period

Managing Products 114

115 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

n Assign a value for the selected license type:

o The expiration date

o The number of executions

o The number of days until the license expires, from the date of first use

If the Feature is intended to be used on a network, virtual machine, or remote desktop, you canspecify the number of concurrent instances allowed, and you can select how concurrent instancesare counted:

n Station: Each login request for a single machine is counted as an instance (default)

n Login: Each login request is counted as an instance

n Process: Each login request for a single process is counted as an instance

If the Feature is in a Product that will be locked to a Sentinel SL key, and is defined to be used ona network, you can specify that the license is allowed to be temporarily detached from thenetwork pool. This means that the license can be attached to a remote recipient machine that isnot connected to the network, to enable a user to work offline.

If required, you can specify that a user working in Remote Desktop (terminal machine) mode canaccess the license. Similarly, you can specify that the license for a Feature in a Product that will belocked to a Sentinel SL key can be enabled to run on a virtual machine.

If you choose to make a Feature excludable, you enable the decision about whether the Feature isto be included in a specific order to be made at the time the order is being produced.

You can leave the value for the license type undefined at this stage, and specify that the exactvalue will be defined when each order for the Product is processed.

Similarly, you can specify that the number of concurrent instances will be defined when an orderfor the Product is processed.

The above license term options do not apply to Provisional Products. For additionalinformation, see "Defining Provisional Products" on page 116.

Defining Sentinel LDK Memory Data

When you define a Product in Sentinel EMS, you can define the layout and contents of thememory data associated with the Product.

You can define areas (segments) in Protection Key memory and enter data into them as required.You can also specify that data is entered in one or more of the memory segments at order time.You can select different colors for each segment to make it easy to identify them, and you canredefine the data and the layout as required.

You can select the memory type for each segment that you define, according to the type andpurpose of the data you want to store:

n Read/Write Memory: Data that can be updated when the deployed, protected program isrunning, such as dynamic values for counters, or information retrieved during interaction

with the user.

n Read-Only Memory: Data that can be read when the protected program is running butcannot be changed. For example: the Product version number, text to be used in a“Welcome” message, fixed threshold values for counters.

You can use either or both types of memory to store and control licenses from your own licensingschemes.

The memory in the protection key is shared by all Products in the key. When you allocatememory for a Product: Make sure that the memory space does not conflict with memoryspace for any other Product that may be protected with the same protection key.

The data defined in memory is written to the secure memory of the Sentinel protection keystogether with the Features, license terms and other data defined for the Product.

Defining Provisional Products

A Provisional Product can be created:

n to be distributed for use during a grace period or as trialware.

n to be distributed as an Unlocked Product, which is, in effect, a perpetual ProvisionalProduct. The vendor can use Sentinel LDK to protect the application, but can use amechanism other than Sentinel LDK to license the application (or can impose no licenserestrictions on the application). Note: To generate an Unlocked Product, the vendor mustpurchase the Unlocked License Module for the Sentinel Master key.

The properties of a Provisional Product are similar to those for a standard Product, with thefollowing exceptions:

n Locking Type: Provisional Products do not require a locking type, since they can beactivated and used for a limited period without a Sentinel protection key.

n License Terms: Each Feature in a Provisional Product is automatically assigned a TimePeriod value of 30 days. This value can be changed to a value with the range of 1–90days. For an Unlocked Product, each Feature can be assigned a Perpetual license.

For additional information on the purpose and use of Provisional Products for trialware, see"Designating Products for Trial or Grace Period Use" on page 103.

Provisional Products are not available for inclusion in customer orders. Users authorized toperform Development tasks can bundle Provisional Products for distribution. For additionalinformation, see "Generating Bundles of Provisional Products" on page 136.

Product Status Values

A Product can be assigned one of the following statuses:

Draft - The Product is not ready for distribution. The Product can be modified or deleted.

Complete - The Product can be included in an entitlement. The Product can be modified.However, it cannot be deleted. You can change its status to End of Life if you do not want the

Managing Products 116

117 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

Product to be distributed any longer. Once the Product has been included in an entitlement("Deployed"), the license terms can no longer be modified.

End of Life - The Product cannot be included in an entitlement. The Product's license termscannot be modified. However, if you edit and save the Product, its status changes back toComplete and the Product can again be included in an entitlement.

Duplicating a Product

After you have defined a Product, you can easily define additional Products with similar details,using the Copy option in Sentinel EMS. This option creates a new Product using the definedproperties, Features, and memory contents of the original Product, and enables you to make anychanges you require, with the exception of changing the Base Product or the Product lockingtype.

If you duplicate a Base Product, you can give it a new name.

Withdrawing a Product

At some stage, you may want to withdraw a selected Product from use and specify that it can nolonger be included in orders, for example, if it is being replaced by an updated version.

If the Product has the status Draft, you can delete it. A Product cannot be deleted once it hasbeen assigned the status Complete. You can, however, withdraw the Product from use bymarking it as End of Life.

A withdrawn Product cannot be added to entitlements, but its details are maintained inSentinel EMS for tracking purposes, and it continues to be functional when already at the enduser’s site.

Restoring a Product

A Product whose status is End of Life can be restored to the Complete status. A restored Productcan be used in the same way as any other Product.

Maintaining Products and LicensesAfter you have defined the initial Features and Products, you can use the Licensing Plan options inSentinel EMS to cater for changing circumstances, such as the release of new software versionsand changes in customer requirements.

Sentinel EMS enables you to maintain your licensing plan by defining new Features and Productsas required. In addition, you can use Sentinel EMS to:

n Manage Product versions

n Cancel Product licenses

Managing Product Versions

After you have implemented your initial licensing plan, you need to continue to review andupdate it to allow for changes in your company’s software applications, in customer demand, inthe market, and other considerations. For example:

n Your company develops an enhanced version of an existing Product and you want tooffer the new versions for sale instead of (or in addition to) the original Products.

n You want to offer your existing customers the opportunity to replace their current versionof a Product with an upgraded version that has additional Features.

n Feedback from your customers indicates that they want to purchase a specific Productwith different license terms than you are currently offering.

In circumstances such as these, since you cannot change the properties of an existing Productafter it has been ordered, you can define a Modification Product based on the Base Product.

AModification Product is a modified version of an existing Product, containing changes such as:

n A software upgrade

n Extended license terms

n Added or removed Features

You can define several Modification Products for the same Base Product, with different Features,memory and/or license terms.

You can also define Modification Products based on an existing Modification Product.

Defining a Modification Product

Before you start to define a Modification Product, ensure that you have the following informationavailable:

n The name of the Product that is being modified

n The Batch Code associated with the Product that is being modified

n A Product Name that identifies the Modification Product and is unique in the selectedbatch (mandatory). The maximum length for a Product Name is 50 characters.

n A description (free text) that provides additional information about the ModificationProduct, for example, the changes it includes (optional)

n The details of the required changes, including Features to be added or removed, memoryand license term updates, or any combination of these.

Specifying License Terms and Memory for a Modification Product

To change the license terms for each Feature in the Modification Product, you can:

n Change the value for the license type by adding or subtracting days or number ofexecutions

Maintaining Products and Licenses 118

119 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

n Change the settings for concurrent instances, if appropriate

n Overwrite the license terms including selecting a new license type

n Change memory segments or data

n Cancel the license

You can leave the license type value and the concurrent instances settings unchanged at thisstage, and specify that they will be changed when each individual order for the ModificationProduct is processed.

Example: Defining a Modification Product

Scenario: When the Product Manager of HQ Software originally defined the HQ Design ProProduct (in the example "Example: Specifying License Terms and Protection Levels " on page 104),the REPORT GENERATOR Feature was not yet available.

This Feature has now been developed, tested, and protected, and has been included in anenhanced version of HQ Design Pro (v.2.0). This version of the Product is ready for sale to newcustomers, and can also be issued to customers who hold current licenses.

Accordingly, the Product Manager for HQ Software defines a Modification Product for the HQ DesignPro Product, named HQ Design Pro v.2.0.

When the Modification Product is defined, the REPORT GENERATOR Feature is added to theProduct, with the same license terms as for the other Features.

Issuing Modification Products

Modification Products can be included in orders in the same way as the original Products.

For example, if the Modification Product is intended to replace the Product in Sentinel protectionkeys that have already been deployed, it can be included in a Protection Key Update order. Whenthe Protection Key Update is applied, the data for the Modification Product is added to the datafor the original Product in the Sentinel protection keys.

For additional information on defining and producing orders, see "Chapter 10: Sentinel LDKEntitlements, Production, and Development Tasks" on page 122.

Canceling Product Licenses

In certain circumstances, it may be necessary to cancel the license terms for one or more Featuresin a Product that has been delivered to a customer, for example:

n To revoke a deployed license

n To cancel the license for a Product that has been returned before its license terms haveexpired

A Cancellation Product can be defined for the Product, with values that cancel previous licenseterms. This Cancellation Product can be used whenever the license terms of the original Productneed to be cancelled.

The process of canceling the license terms of a specific instance of a Product can include thefollowing stages:

1. When the original Product needs to be cancelled, a Customer-to-Vendor (C2V file) isrequested from the customer, containing the required license information.

2. An order for the Cancellation Product is defined and produced.

3. If the Product license is being moved to another computer, a new order for the originalProduct is produced with the appropriate details.

4. The changed license information is sent to the customer.

5. An acknowledgement receipt is returned by the customer when the change has beenimplemented.

For additional information on C2V files and on defining and producing orders, see "Chapter 10:Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.

Defining a Cancellation Product

Before you start to define a Cancellation Product, ensure that you have the following informationavailable:

n The name of the Product to be cancelled

n The Batch Code associated with the Product to be cancelled

n A Product Name that identifies the Cancellation Product and is unique in the selectedbatch (mandatory). The maximum length for a Product Name is 50 characters.

n A description (free text) that provides additional information about the CancellationProduct, for example, the reason it is required (optional)

n The Features to be cancelled

Specifying License Terms or Memory for a Cancellation Product

The options for defining the license terms for a Cancellation Product are exactly the same as for aModification Product. For additional information, see "Specifying License Terms and Memory for aModification Product" on page 118.

Example: Canceling a License

Scenario: A new customer, TOP Construction, purchased a one-year rental license for theHQ Design Lite Product. After three months, the customer wants to cancel the license and receivea refund.

HQ Software defines a Cancellation Product for the HQ Design Lite Product, with the license termscancelled for all the Features in the Product. This Cancellation Product is only defined once—it cansubsequently be used whenever required in similar circumstances.

TOP Construction is asked to send a Customer-to-Vendor (C2V) file. The file is received andprocessed in Sentinel EMS.

A Protection Key Update order is defined and produced for the HQ Design Lite CancellationProduct. The resulting Vendor-to-Customer (V2C) file containing the changed license details is sent

Maintaining Products and Licenses 120

121 Chapter 9: Implementing Your Sentinel LDK Licensing Plan

to TOP Construction. TOP Construction applies the V2C file, then generates and returns a C2V file,confirming that the license cancellation has been applied. HQ Software then issues a refund.

For additional information on C2V and V2C files, and on defining and producing orders, see"Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.

Chapter 10:Sentinel LDK Entitlements,

Production, and Development Tasks

The first part of this section is intended for users assigned the Entitlement Manager andProduction roles in Sentinel EMS. It describes how to use Sentinel EMS to manage and produceentitlements (customer orders).

The final part of this section is intended for users assigned the Development role. It describes howto use Sentinel EMS to perform development-related tasks, including generating bundles ofProvisional Products and Sentinel LDK Run-time Environment installer files, and exportingdefinition files.

For an overview of Sentinel EMS and for information on starting to use the application, see"Chapter 7: Introduction to Sentinel EMS" on page 90.

In this chapter:

n "Sentinel LDK Entitlement Processing and Production " on page 122

n "Managing Entitlements " on page 123

n "Producing Entitlements" on page 131

n "Performing Development-related Tasks" on page 135

n "Enabling Trial Use and Grace Periods" on page 138

This chapter provides high-level information on the entitlement management, production,and development-related processes in Sentinel EMS. For detailed practical instructions forusing each function, see the Sentinel EMS help system.

Sentinel LDK Entitlement Processing and ProductionAn entitlement is the execution of a customer order for Sentinel LDK items, and can be one of thefollowing:

n An order for Products to be supplied with one or more Sentinel protection keys

n A Protection Key Update that specifies changes to be made to the license terms and/ordata stored in Sentinel protection keys that have already been deployed

10

123 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

For entitlements that generate Product Keys, the customer receives an email from Sentinel EMSthat contains the keys. The customer is able to log in to the EMS Customer Portal using theProduct Key in order to activate the Product.

After Features and Products have been defined in Sentinel EMS, entitlements can be processedand produced using the Production group of functions, including:

n "Managing Entitlements " on page 123

n "Producing Entitlements" on page 131

n "Performing Development-related Tasks" on page 135

The specific Sentinel EMS functions you can access in the Production group of functions dependon the role assigned to you, as follows:

n If you have been assigned the Entitlement Manager role, you have access to both theOrder Management and the Customer Services functions

n If you have been assigned the Production role, you have access only to entitlementproduction functions

n If you have been assigned the Development role, you have access only to theDevelopment functions

Managing EntitlementsThis section is intended for users assigned the Entitlement Manager role.

When you select the Entitlements > Entitlements tab in the Sentinel EMS window, you can viewthe details of all entitlements associated with the selected Batch Code.

For additional information on Batch Codes, see "Personalized Vendor and Batch Codes" onpage 36.

Management of entitlements includes the following tasks:

n Define new customers

n Define entitlements

n Delete entitlements

n Process Customer-to-Vendor (C2V) information

Defining Entitlements

Before you start to define an entitlement for a customer in Sentinel EMS, ensure that you havethe following information available:

n Details of the customer who placed the order (optional)

n The Products to be included in the entitlement

n The required values to specify in the entitlement for any license terms that were notspecified in the Products

n The production requirements, according to the type of entitlement:

o Entitlement for Sentinel HL keys

o Entitlement for Product Keys

o Entitlement for Protection Key Update

n Additional entitlement information (optional)

Sentinel EMS generates a unique entitlement ID (EID) for each new entitlement.

Defining the Customer for the Entitlement

When you define the entitlement in Sentinel EMS, you can specify the customer who placed theorder. You can search for an existing customer, using the customer name or other identifyingdetails, or you can define a new customer.

You can also define a new customer using the Customers page.

Including Products in the Entitlement

An entitlement can contain one or more Products. All Sentinel LDK Products are associated with aSentinel LDK Batch Code. You select the Batch Code before you create a new entitlement.

Provisional Products (Products defined for use during a grace period or as trialware, orUnlocked Products) are not available for inclusion in entitlements. The process ofgenerating files containing Provisional Products is a Development task. For additionalinformation, see "Generating Bundles of Provisional Products" on page 136.

Managing Entitlements 124

125 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

Each Product is assigned a locking type when it is defined. The locking type determines the levelof Sentinel LDK protection and the type of Sentinel protection key that can be supplied with theProduct.

The locking type assigned to a Product may determine the type of entitlement that can beproduced:

n Products defined only with the HL locking type can be included in entitlements forSentinel HL keys, Product Keys, or for Protection Key Updates.

n Products defined only with the SL AdminMode or SL UserMode locking type can beincluded only in entitlements for Product Keys or for Protection Key Updates.

n Products defined with the HL or SL AdminMode or HL or SL AdminMode or SLUserMode locking type can be included in entitlements for Sentinel HL keys, ProductKeys, or for Protection Key Updates

You cannot add a Product defined only with the HL locking type and another Product defined onlywith the SL locking type (whether AdminMode or UserMode) to the same entitlement.

For additional information on locking types, see "Choosing the Protection Level for Your Products"on page 101.

Specifying License Term Values

When a Product is initially defined in Sentinel EMS, the exact license term values for each Featurecan be left unspecified. This enables you to include the same Product in different entitlementswith different license term values.

In this case, the license values must be specified when each entitlement for the Product isprocessed.

You may be required to specify one or more of the following license term values for Featureswhen processing an entitlement:

n The date on which the license expires

n The maximum number of times that the Feature can be used

n The number of days until the license expires

You may also be required to specify the number of concurrent instances for one or moreFeatures. This value specifies the number of instances of simultaneous usage that the licenseallows on the customer’s network. Concurrent instances may relate to the network, processes, ormachines.

An entitlement can be produced only after the license term values have been specified for all theFeatures in every Product included in the entitlement.

Specifying Protection Key Memory Data

When a Product is initially defined in Sentinel EMS, memory data can be left unspecified. Thisenables you to customize memory data for each Product when defining the entitlement. Forexample, customer-specific memory data can be added to the Product when an entitlement isbeing processed.

Specifying an Entitlement for Sentinel HL Keys

When an entitlement for Sentinel HL keys is produced, the ordered Products are programmed(burned) on one or more Sentinel HL keys to be shipped to the customer. For additionalinformation on Sentinel HL keys, see "Sentinel HL Keys" on page 37.

When you define the entitlement, you must specify the total number of Sentinel HL keys to beproduced for the entitlement.

Specifying an Entitlement for Product Keys

An entitlement for Product Keys enables you to produce activation strings for Sentinel protectionkeys.

The Products in the entitlement are associated with one or more Sentinel LDK Product Keys. AProduct Key is a string of characters generated by Sentinel EMS and stored in a file for delivery tothe customer.

After the end user receives the Product Key and returns it as proof of purchase, Sentinel EMSvalidates the Product Key and produces a Sentinel protection key. The Sentinel protection key isthen sent back with the license terms and installed on the end user’s computer, enabling theProduct to be activated.

When you define an entitlement for Product Keys, you must specify the following information:

n The number of Product Keys to be produced for the entitlement

n The number of activations allowed for each Product Key. This is the number of machineson which each Product Key can be used.

While it is mandatory to used Product Keys for activation of software locked to Sentinel SL keys,Product Keys can also optionally be used for activating software that is locked to Sentinel HL keys.

Before a Sentinel SL key can be used on an end user’s computer, a Provisional Product istypically installed on the computer. When the Provisional Product is installed, it initializesthe Sentinel LDK Run-time Environment, which is required for communication between theSentinel SL key and the software.

The process of generating files containing Provisional Products is a Development task. Foradditional information, see "Generating Bundles of Provisional Products" on page 136.

Specifying a Protection Key Update Entitlement

A Protection Key Update entitlement specifies changes to be made to the license terms, Products,and/or data stored in Sentinel protection keys that have already been deployed to end users. AProtection Key Update can be applied remotely to Sentinel HL keys or Sentinel SL keys as follows:

n Using the Sentinel Licensing API by calling the hasp_update function

n By using the Sentinel Remote Update System utility

n (For SL AdminMode keys) By placing the file that contains the update information in theappropriate directory on the end user's computer.

Managing Entitlements 126

127 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

When the Protection Key Update entitlement is produced, a file containing the details of thechanges is generated for each Sentinel protection key to be updated.

This file can be one of the following:

n An executable file (EXE) that can be delivered to end users for use as instructed by yourcompany

n A Vendor-to-Customer (V2C) file that end users can process using the Sentinel RemoteUpdate System utility (RUS utility)

For additional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System"on page 144. For additional information on updating SL AdminMode keys, see "Applying LicenseUpdates to SL AdminMode Keys" on page 135.

When you define a Protection Key Update entitlement, you must specify the total number ofSentinel protection keys to be updated as a result of this entitlement. You may also need to selectthe specific Sentinel protection keys to be updated.

Locating the Sentinel protection keys to Update

When you define an entitlement for Protection Key Update, you may need to select the specificSentinel protection keys to be updated. For example, the entitlement may be for an organizationwith 100 Sentinel protection keys, and this entitlement is required to update the keys for only 10specific users.

In Sentinel EMS, you can:

n Display a list of the customer’s Sentinel protection keys

n View the contents of each key

n Select the keys to be updated

You cannot select more Sentinel protection keys than the total number of product keysspecified in the Product Details area in the New Entitlement screen.

Optional Entitlement Information

You can add the following optional information to the entitlement:

n Order reference information that can identify the order in a different system, for example,an order number in your company's ERP system.

n A comment that provides additional information about the order.

Adding the Entitlement to the Production Queue

After you have specified all the necessary information for an entitlement, you can produce itimmediately or "queue" it to add it to the production queue. The queue is a list of all entitlementsthat are awaiting production.

Entitlements in the production queue can be selected for production according to the criteriadetermined by your organization.

Sentinel EMS enables you to save as "draft" any entitlement that have not been completelydefined, without losing the information that you may have already specified. You can open theentitlement and continue to define the entitlement details when convenient.

Entitlement Status Values

During the course of its life cycle, an entitlement is assigned statuses as follows:

User ActionResultingEntitlementStatus

Description of Status

Create a new entitlement,click Save OR Re-open anentitlement.

Draft This status indicates that the entitlement isnot yet ready for production. The entitlementdetails can be modified, or the entitlementcan be deleted.

Create a new entitlement oredit an existing entitlement,click Queue.

Queued This status indicates that the entitlement is inthe production queue, awaiting production.The details of a Queued entitlement cannotbe changed. However, it can be deleted.

In an entitlement for ProductKeys, select one or moreProducts and click Produce.

Product KeysGenerated

Indicates that Product Keys for one or moreProducts in the entitlement have beengenerated. If the entitlement containscustomer information, the customer receivesan email. The email contains the ProductKeys and information on how to log in theSentinel EMS Customer Portal and activatethe protection key.

Produced In an entitlement that includes multipleProduct Keys, at least one Product Key hasbeen used to activate the protected software.The entitlement contains additional ProductKeys that have not yet been used.

Completed In an entitlement for protection key updatesor for HL keys, the entire entitlement hasbeen produced. In an entitlement for ProductKeys, all the Product Keys have been used toactivate the protected applications.

Acknowledged The end user has verified that the entitlementwas applied at the customer site.

Processing C2V Information

C2V files contain protected information about the license terms and data stored in deployedSentinel protection keys. They do not contain private customer information.

Managing Entitlements 128

129 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

C2V files can be generated using the Sentinel Remote Update System utility (RUS utility). Foradditional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System" onpage 144.

C2V information stored in Sentinel HL keys and in C2V files can be retrieved for use in connectionwith Protection Key Update orders.

When a C2V file or Sentinel HL key is received from a customer, you must check in theinformation, in order to make the data in the file or key available to Sentinel EMS. The process ofchecking in the C2V information stores the data securely in Sentinel EMS, and enables you to viewsome of the information.

When you check in a C2V file, you can view the identifying information for the Sentinel protectionkey associated with the file, including the Batch Code, ID and key type. You can also view theProduct details contained in the file. When you check in a Sentinel HL key, you can view similarinformation.

If you attempt to check in a C2V file for a Sentinel SL key, and Sentinel EMS detects that ithas come from a cloned machine, you will not be able to check the C2V file into thedatabase. For additional information about dealing with cloned Sentinel SL keys, see"Protection Against Cloning" on page 113.

Formatting a Sentinel HL Key

You can format a Sentinel HL key to make it available for reuse. The process of formatting aSentinel HL key deletes any orders that have been defined for the key but not yet produced. Italso produces a V2C file that contains Protection Key Update information to be applied to the keyusing the RUS utility. Applying the Protection Key Update erases all license and memory datastored in the key.

Order Processing and Production Examples

In the examples in this section, HQ Software defines the following orders for its customers:

1. Order for Sentinel HL keys

2. Order for Product Keys (Sentinel SL keys)

3. Protection Key Update order

Order Example 1: Order for Sentinel HL Keys

Scenario: A new customer, ABC Design, orders the SafeNetCAD Office Product from HQ Softwarewith a license for 20 users.

Since the SafeNetCAD Office Product is defined with Sentinel HL key protection, the details forthis order are defined as follows:

n Customer: ABC Design

n Product: SafeNetCAD Office

n Order type: Sentinel HL keys

n Number of keys: 20

When this order is produced, the SafeNetCAD Office Product license is programmed on20 Sentinel HL keys, which are then shipped to the customer.

Order Example 2: Order for Product Keys (Sentinel SL Keys)

Scenario: On March 15, 2007, another customer, JL Optics, orders the SafeNetCAD HomeProduct, with a license for use on two computers.

The SafeNetCAD Home Product is defined with Sentinel SL key protection and an annual rentallicense. To ensure that the customer enjoys a full year’s licensed use, the expiration date needs tobe specified when the order is placed.

The details for this order are defined as follows:

n Customer: JL Optics

n Product: SafeNetCAD Home

n Expiration date for DRAW and SAVE: March 15, 2008

n Order type: Product Key-based

n Number of Product Keys: 1

n Number of Activations per Product Key: 2

This example assumes that JL Optics has installed and used the SafeNetCAD Home[Trial]Provisional Product on the two computers before ordering the SafeNetCAD HomeProduct. As a result, the Sentinel LDK Run-time Environment for Sentinel SL has alreadybeen initialized on those computers.

When this order is produced, a file is generated containing a Product Key. HQ Software sends thisfile to JL Optics by e-mail.

Two end users at JL Optics open the file and enter the Product Key as required on theHQ Software Web site. The HQ Software customer interface application sends the Product Key toSentinel EMS, which validates the Product Key and returns a Sentinel SL key to the customer.

The Sentinel SL key is installed on the two computers at JL Optics with the license information, andthe SafeNetCAD Home Product can be activated under the terms of the license.

Order Example 3: Order for Protection Key Update

Scenario: HQ Software informs ABC Design that a new version of SafeNetCAD Office has beenreleased, containing the REPORT GENERATOR Feature, and that an upgrade is available forpurchase. ABC Design orders the enhanced Product for five of its 20 users.

HQ Software has defined a Modification Product for the new version, SafeNetCAD Office v.2.0.This Product is ready for inclusion in customer orders.

Before defining the Protection Key Update order, HQ Software needs to receive C2V files for thefive Sentinel HL keys to be updated. ABC Design uses the RUS utility to generate the required C2Vfiles and sends them to HQ Software.

Managing Entitlements 130

131 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

After the C2V files have been received and checked in, HQ Software defines a Protection KeyUpdate order for the Modification Product.

The details for this order are defined as follows:

n Customer: ABC Design

n Product: SafenetCAD Office v2.0

n Order type: Protection Key Update

n Number of Sentinel protection keys to be updated: 5.

During the order definition process, the five Sentinel HL keys to be updated are selected from allthe keys issued to ABC Design, according to the C2V files received.

When this order is produced, a V2C file is generated for each selected Sentinel HL key and sent tothe customer.

The selected five end users install the update on their Sentinel HL keys, using the RUS utility. Theyare then able to activate the upgraded version of SafeNetCAD Office and to generate tailoredreports.

Producing EntitlementsThis section is intended for Sentinel EMS users assigned the Entitlement Manager or Productionrole.

On the Entitlements page in Sentinel EMS, you can view the details of all entitlements awaitingproduction.

You can perform the following production tasks using the Entitlements page:

n Produce Entitlements

n View Entitlements

If you have been assigned both the Entitlement Manager and the Production roles, youcan choose to produce an entitlement immediately after you finish defining it.

The process of producing an entitlement is determined by the type of entitlement:

n Order for Sentinel HL keys

n Order for Product Keys

n Order for Protection Key Update

While producing any entitlement, you can open the entitlement and view its details.

Producing Sentinel HL Key Entitlements

Before you start to produce an entitlement for Sentinel HL keys, Sentinel EMS enables you toprepare the appropriate Sentinel HL keys to use for the entitlement, by displaying:

n The Sentinel HL key types that are valid for the entitlement

n The number of Sentinel HL keys to be produced, as specified in the entitlement

Sentinel EMS determines which Sentinel HL keys are valid for the entitlement according to anumber of factors, including:

n The license terms defined for the Features in the Products included in the entitlement

n The data defined in memory for each Product

n The space required on the key to accommodate the entitlement

For example, if the license terms for a Product in the entitlement are based on a number of daysor an expiration date, the entitlement can be produced only on Sentinel HL keys with date andtime monitoring capabilities, such as Sentinel HL Time.

Similarly, if the license terms for a Product in the entitlement specify a number of concurrentinstances in a network environment, the entitlement can be produced only on Sentinel HL keyswith network monitoring capabilities, such as Sentinel HL Net.

For additional information about Sentinel HL key types and their capabilities, see "AvailableSentinel protection keys" on page 39.

Producing Entitlements for Product Keys

When you produce an entitlement for Product Keys, a TXT file is generated containing the ProductKeys.

Before you generate the file, you must specify its required location, or accept the default location.The file is saved in the format Product_Keys_[order ID].txt.

Producing Entitlements 132

133 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

After the file has been generated, the Product Keys are available for use. If customer informationwas provided in the entitlement, an email containing the Product Keys is generated automaticallyand sent to the customer. You could also print the Product Keys on the cover of a CD.

Producing Protection Key Update Entitlements

The entitlement production process generates a file containing the Protection Key Updateinformation for each Sentinel protection key to be updated. After the files have been generated,they can be sent to the customer.

Before you generate the file, you must select the required location and the type of files to begenerated for delivery to end users:

n Vendor-to-Customer (V2C) files that can be processed using the Sentinel Remote UpdateSystem utility (RUS utility)

n Executable files (EXE) that contain V2C data and can be used as instructed by yourcompany

For additional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System"on page 144.

A default file location for V2C files may have been specified by the Sentinel LDKAdministrator.

Withdrawing EntitlementsUnder certain circumstances, you may need to withdraw an entitlement before it has beenproduced, or if it has been only partly produced. For example: If the customer cancels the orderor significantly changes the order requirements.

If the entitlement is not yet in the production queue (Queued status), you can delete it. Anentitlement cannot be deleted after it has been added to the production queue. You can,however, remove the entitlement from the production queue by reopening it. This changes thestatus of the entitlement to Draft.

A Draft entitlement is no longer available for production, but its content are available to view forreference.

Customer Portal - Activating EntitlementsIf an entitlement includes customer information, then at the time Product Keys are generated, anemail is automatically sent to the customer. The email contains the Product Keys and a link to theSentinel EMS Customer Portal in Sentinel EMS.

To log in to the Customer Portal, the customer clicks the provided link. At the login screen, thecustomer enters a Product Key.

If you specified in the entitlement that user registration is desired (or mandatory), the customer isrequested (or required) to fill out a registration form.

Next, a screen similar to the following is displayed:

This screen displays the status of the Product Key, including the number of activations remaining.

The customer uses this screen to activate the entitlement as follows:

n If the customer logged in to the Customer Portal from the machine where the licenseshould be installed, the customer can click Online Activation. Activation of theentitlement proceeds automatically.

n If the customer did not log in to the Customer Portal from the machine where the licenseshould be installed, the customer can click Offline Activation. The customer can thendownload the RUS utility. The customer uses this utility in order to generate a C2V file andperform the activation process manually.

Viewing License UpdatesWith certificate-based Sentinel SL keys, you can examine the sequence of updates that wereapplied to a Protection Key at a customer site. The V2C files that were applied to a protection keyreside in a directory on the computer where the protection key is located.

(For protection keys that were rehosted from a different computer, you can also examine the H2Hfiles that contain rehost information.)

The licensing information in each V2C file is specified using XML tags. You can open any of thesefiles using a simple text editor and read the contents. If you examine the files for a specificProtection Key ID in sequence, you can follow the history of updates that were applied to the key.

Information regarding SL legacy protection keys is not available in these files.

The V2C files on a given computer can be found in the following locations:

Viewing License Updates 134

135 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

n For SL AdminMode keys:

Windows ...\Program Files\Common Files\SafeNet Sentinel\SentinelLDK\installed\vendorID\(For Windows x64, look in \Program Files (x86)\...)

Linux, Mac \var\hasplm\SafeNet Sentinel\Sentinel LDK\installed\vendorID\

n For SL UserMode keys:

...\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel LDK\SLAdminMode keys \

The naming convention for the files is as follows:

keyID_provisional.v2c Provisional ProductkeyID_base.v2c Base ProductkeyID_updateX.v2c Update to a Base Product. Updates are numbered sequentially.keyID_rehost.h2h Rehost of a protection key

keyID is the Protection Key ID.

Do not remove or modify these files. If any of these files are removed or modified, theprotection key may become invalid.

Applying License Updates to SL AdminMode KeysSeveral methods exist to apply updates to a Sentinel protection key. However, for SL AdminModekeys, an additional simplified method to apply updates exists.

You can do either of the following:

n Programatically place the V2C file containing the license update directly into the installeddirectory described above (see "Viewing License Updates" on page 134).

n Instruct the end user to place the file into the installed directory. The Sentinel LicenseManager detects the V2C file in the installed directory and automatically applies thelicense update.

If the license update is applied successfully, the Sentinel License Manager then moves the V2C filefrom the installed directory to the appropriate installed\vendorID\ subdirectory.

If the license update installation fails, the Sentinel License Manager moves the V2C file to aseparate directory called invalid. The failure is recorded in the Admin Control Center access log.The log can be viewed from the Access Log option in Admin Control Center.

Performing Development-related TasksThis section is intended for users assigned the Development role.

From the Developer tab in the Sentinel EMS screen, you can select one of the followingdevelopment-related activities:

n Generate bundles of Provisional Products

n Export catalog data definitions to a file

n Customize the Sentinel Remote Update System utility (RUS utility)

n Generate a customized Sentinel LDK Run-time Environment (RTE) installer file

Generating Bundles of Provisional Products

When a Product is defined in Sentinel EMS, it can be specified as a Provisional Product fordistribution as trialware or for use during a grace period.

Bundles of one or more Provisional Products can be shipped for use for a restricted period oftime, (currently maximum 90 days).

Software that has been supplied with a trial license or for a grace period can be activatedafter a valid license is purchased, with either a Sentinel HL key or a Sentinel SL key.

For additional information on the purpose and use of Provisional Products, see "DesignatingProducts for Trial or Grace Period Use" on page 103.

The process of generating a bundle of Provisional Products involves:

n Selecting the Provisional Products to be included in the bundle

n Producing a file containing the Provisional Product license and Vendor library. This file canbe:

o An EXE file containing V2C data

o A V2C file that can be used with the RUS utility. For additional information on theRUS utility, see "Chapter 12: Sentinel Remote Update System" on page 144.

The output file from this process must be installed on each end user’s computer in order to:

n Create an initial Sentinel LDK Run-time Environment that enables your protected softwareto communicate with Sentinel SL keys.

n Enable a trialware or grace period license.

When a bundle of Provisional Products is installed on an end user’s computer, aprovisional Key ID is generated. This is replaced by a Sentinel protection key ID when a fullylicensed Product is installed on that computer.

To simplify the installation process at end users’ sites, it is recommended that you generate aSentinel LDK Run-time Environment installer executable. You can embed the Run-timeEnvironment installer in your software setup to create a ready-to-run Sentinel LDK-protected andlicensed application.

To generate a Sentinel LDK Run-time Environment installer executable, you need to specify theV2C file generated when a Provisional Product bundle is produced. An EXE file containing V2C datacannot be used to generate a Sentinel LDK Run-time Environment installer.

Performing Development-related Tasks 136

137 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

Generating the Sentinel LDK Run-time Environment Installer

You can generate a Sentinel LDK Run-time Environment installer that simplifies the installationprocess at end users' sites, for Provisional Products or Locked Products.

The input to this process is a V2C file that contains your vendor-specific data. For ProvisionalProducts, the V2C file also contains the Provisional Product bundle data.

The output can be one of the following:

n An executable file that creates a Run-time Environment command-line installer

n A DLL that can be used with the Sentinel LDK Run-time Environment installer API

n A Mac PKG Sentinel LDK Run-time Environment installer

You can embed the Sentinel LDK Run-time Environment installer in your software setup to create aready-to-run application that is protected and licensed by Sentinel LDK.

Generating a Sentinel LDK Run-time Environment Installer for a Locked Product or DetachedProduct

You have the option of installing a Locked Product or Detached Product license on the end usercomputer. In this case, the Product is never installed as a Provisional Product.

To install Sentinel LDK Run-time Environment on the computer, you generate the Sentinel LDKRun-time Environment Installer without providing a V2C file. In this case, the installer containsonly the Run-time Environment and the vendor libraries.

Exporting Definition Data

You can export data about Features, Products, vendors, and other information in various fileformats. This information can then be used for development, protection backup, and otherpurposes. You can also export metadata for use in Admin Control Center.

You can use the Export Definitions function to produce the following output file types:

n Metadata in Admin Control Center format

n Features and Products in a C-style header file

n Features and Products in a CPP-style header file

n Features and Products in XML format

n Features in CSV format

For examples of the output file contents, see the Sentinel EMS help system.

Before you export the Features, you must select the required Batch Code, specify the required filetype, and define the name and location for the file.

As your software develops and additional Features are defined, you can use the ExportDefinitions function whenever you want to retrieve the data definitions from Sentinel EMS.

Customizing and Branding the RUS utility

The RUS utility is a tool that can be distributed to end users to enable secure, remote updating ofthe license and memory data of Sentinel protection keys after they have been deployed.

End users can invoke the RUS utility directly in order to generate a C2V file, or they can launch theutility by double-clicking an EXE file containing a license update.

Before you distribute the RUS utility, you must customize it with the Batch Code associated withthe Sentinel protection keys that you have deployed to your end users, in order to enable themto generate C2V files, or to process files containing V2C information.

In addition, you can brand the text that is displayed to an end user when the RUS utility isopened. For example, you may want to display your company name and information about yoursoftware.

The RUS Branding option in Sentinel EMS enables you to associate the RUS utility with theselected Batch Code. You can also use the simple HTML editor provided to enter, format, andpreview the text to be displayed in the RUS utility.

It is recommended that you distribute your protected software with a customized and brandedversion of the RUS utility.

For additional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System"on page 144,

Enabling Trial Use and Grace PeriodsThis section provides examples that demonstrate the use of Provisional Products:

n To distribute a Product for use on a trial basis for a limited period

n To enable use of a licensed Product during a grace period

Example 1: Issuing a Provisional Product for Trial Use

Scenario: HQ Software decides to offer visitors to their Web site the option of downloading andusing their HQ Design Demo Product for 30 days.

When the original licensing plan definitions were implemented, the HQ Design Demo Product wasdefined as a Provisional Product.The license terms for the two Features were automatically set to Time Period with a value of 30days.

The software developer at HQ Software defines a bundle of Provisional Products that contains theHQ Design Demo Product, and generates the bundle as a V2C file.

A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C fileas input.

The HQ Software Web master adds the EXE to the Web site, with download instructions forpotential trial users.

Enabling Trial Use and Grace Periods 138

139 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks

Example 2: Issuing a Product for a Grace Period

Scenario: A new customer, XYZ Construction, has purchased a 50-user license for the HQ DesignPro Product, which is available only with Sentinel HL key protection. The Sentinel HL keys arebeing prepared and shipped, but meanwhile the customer wants to start using the HQ Design ProProduct immediately.

HQ Software needs to enable XYZ Construction to activate and use the HQ Design Pro Productduring a grace period, until the Sentinel HL keys arrive and are distributed to the end users.

For this purpose, a version of the HQ Design Pro Product is defined as a Provisional Product, withthe Product name HQ Design Pro Grace. The PRINT REPORTS Feature is removed from thisversion. The license terms for the remaining four Features are automatically set to Time Periodwith a value of 30 days.

A bundle of Provisional Products is defined containing the HQ Design Pro Grace Product, andgenerated as a V2C file.

A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C fileas input.

The EXE file is sent to the customer, for distribution to the end users. End users can run the EXE,which installs the Sentinel LDK Run-time Environment and the HQ Design Pro Grace Product ontheir computers. They can then use the program for 30 days until they receive their Sentinel HLkeys and can activate the full Product.

Chapter 11:Sentinel LDK Administration and

Customer Services

The first part of this chapter is intended for users authorized to perform Sentinel LDKAdministration tasks. It describes how to use Sentinel EMS to define user details, manageSentinel LDK licenses and Sentinel Master keys, and configure system settings.

The second part of this chapter is intended for users authorized to perform Sentinel EMSCustomer Services tasks. It describes how to use Sentinel EMS to view and edit customer details,and to perform manual Product activation for customers.

For an overview of Sentinel EMS and for information on starting to use the application, see"Chapter 7: Introduction to Sentinel EMS" on page 90.

In this chapter:

n "Administration Tasks" on page 140

n "Customer Services" on page 143

This chapter provides high-level information on the Administration and Customer Servicesprocesses in Sentinel EMS. For detailed practical instructions for using each function inSentinel EMS, see the Sentinel EMS help system.

Administration TasksAfter you first install Sentinel LDK in your organization, you can log in to Sentinel EMS using thedefault user name and password (admin) provided for your use by SafeNet. By default, this user isauthorized to perform all tasks in Sentinel EMS, including Administration tasks.

The ‘admin’ administrator details cannot be viewed or modified. Only the password can bechanged.

After logging in to Sentinel EMS the first time, it is recommended that you select the ChangePassword function at the top of the screen and change your user password as soon as possible.

To be able to use Sentinel LDK with your company-specific Batch Codes and license, you must firstintroduce the Sentinel Master keys provided for your use by SafeNet.

11

141 Chapter 11: Sentinel LDK Administration and Customer Services

For additional information on Sentinel Vendor keys, see "Personalized Vendor and Batch Codes"on page 36.

For additional information on introducing Sentinel Master keys, see "Maintaining Sentinel MasterKeys" on page 142.

From time to time, you will need to renew your Sentinel LDK license, or to replenish your pool ofStandalone licenses or Network Seat licenses. You can schedule email notifications to be sentwhen it is time to renew or reorder, ensuring you uninterrupted use of Sentinel LDK.

For additional information about the Sentinel Master Key modules, Standalone licenses andNetwork seats, see "Appendix A: Understanding the Sentinel LDK Master Key Licenses" on page232.

For additional information about configuring and scheduling email notifications, refer to theSentinel EMS help system.

If you are evaluating Sentinel EMS, you can use the provided DEMOMA Batch Code, whichdoes not require a Sentinel Master key.

You can now define additional Sentinel LDK users in your organization, including assigning theusers the appropriate roles and authorizing access to Batch Codes. For additional information, see"Maintaining User Details " on page 141.

Maintaining User Details

When you select the Users function in Sentinel EMS, you can view the Sentinel LDK details of allcurrently defined Sentinel LDK users.

You can perform the following tasks using the Users function in Sentinel EMS:

n Define Sentinel LDK users

n Change user details and passwords

n Control user access

Defining Sentinel LDK Users

Before you start to define Sentinel LDK users, ensure that you have the following informationavailable for each new user:

n The user name to be assigned to the user for the purpose of logging in to Sentinel LDK

n The password to be assigned to the user

Users can change their own passwords after logging in to Sentinel EMS.

n The user's email address

n The batches that the user is authorized to access

n The roles to assign to the user. For additional information on the functions authorized foreach role, see "Sentinel EMS Users and User Roles" on page 92.

Changing User Details and Passwords

After you have defined a user, you can change any of the user’s details.

Users can change their own passwords. However, if necessary, you can change the password for auser without knowing the current password. This is useful in the event that the user has lost orforgotten his/her password.

Controlling User Access

In certain circumstances, you may want to prevent a user from logging in to Sentinel LDK. If theuser has left the company, for example, or will no longer be using Sentinel LDK, you can delete theuser details.

You can prevent or allow a user to access Sentinel LDK by clearing or selecting the Login Allowedcheck box.

Maintaining Sentinel Master Keys

When you select the Administration > Master function in Sentinel EMS, you can view the details,for the selected Batch Code, of all available Sentinel Master keys that are currently connected tothe EMS Server.

You can perform the following tasks using the Master page in Sentinel EMS:

n Generate a C2V file for a selected Sentinel Master key. You send this file to your SafeNetrepresentative when you want to:

o update your Sentinel Master key license modules

o replenish your pool of Standalone licenses

o replenish your pool of Network Seat licenses

n Apply the V2C file returned to you by your SafeNet representative to the Sentinel Masterkey. This updates the Master key with the contents of your order.

n Specify Mail Notification properties

For more information on the Sentinel Master key, see "Appendix A: Understanding theSentinel LDK Master Key Licenses" on page 232.

Introducing Sentinel Vendor Keys

Before you can work effectively, you must introduce your Sentinel Master key(s) on the SentinelEMS Server machine. The Sentinel Master Wizard is available from the Sentinel Vendor Suite. Youmust have a separate Sentinel Master key connected to each machine on which Sentinel EMS isinstalled.

You can introduce additional Sentinel Vendor keys—Sentinel Master keys or Sentinel Developerkeys—in order to enable Batch Codes for use with Sentinel LDK applications.

When you introduce a Sentinel Vendor key, you can select the libraries for which you want togenerate APIs.

Administration Tasks 142

143 Chapter 11: Sentinel LDK Administration and Customer Services

Generating a C2V File

When you submit an order for an update to your Sentinel LDK Master Key licenses, regardless ofwhether it is to renew a license or to replenish your pools of Standalone licenses or Network Seatlicenses, you need to generate a C2V file for the Sentinel Master key that is to be updated. Youthen send the C2V to your Sentinel LDK supplier, together with your order. The C2V file containsencrypted information about the current status of your Sentinel Master key, including its uniqueID.

Defining Mail Notification Properties

You can specify who is to receive notifications that your Sentinel LDK Master Key licenses andpools of Standalone licenses or Network Seat licenses are about to expire. In addition, you candefine the thresholds after which the notifications are sent.

Customer ServicesIf you have been assigned the Customer Services role, you can manage the list of customers —you can define customers, change customer details, and mark customers as obsolete.

You can enable or disable a Product key for a customer, or increase the number of activationsavailable for a Product key.

If a customer is unable for any reason to activate a Product remotely, you can activate theProduct manually for the customer, using the Product Key and a Customer-to-Vendor (C2V) file forthe customer’s Sentinel protection key.

The output of the manual activation process is a Vendor-to-Customer (V2C) file that can be sent tothe customer. You can request that the customer returns a C2V file to confirm that the Producthas been activated.

For additional information on C2V files, see "Processing C2V Information" on page 128.

Chapter 12:Sentinel Remote Update System

This chapter describes the Sentinel Remote Update System utility (RUS utility) and explains how touse this utility to update license data remotely for deployed Sentinel protection keys.

You can also apply updates to a deployed Sentinel protection key using the SentinelLicensing API, by calling the hasp_update function. For additional information, see theSentinel Licensing API help system. For SL AdminMode keys, also see "Applying LicenseUpdates to SL AdminMode Keys" on page 135.

In this chapter:

n "RUS Utility Overview" on page 144

n "RUS Workflow " on page 145

n "Using RUS utility" on page 146

RUS Utility OverviewThe RUS utility is an advanced utility that enables secure, remote updating of the license andmemory data of Sentinel protection keys after they have been deployed. As part of the basicconcept underlying Sentinel LDK, the RUS utility facilitates ongoing licensing well after protectionhas been implemented. For additional information on Sentinel LDK concepts, see "Protect Once—Deliver Many—Evolve Often" on page 34.

The RUS utility is used for the following;

n The RUS utility provides a simple and secure method of updating your licenses remotely,after you have delivered your protected software together with the Sentinel protectionkeys. You simply need to update the license and deliver update files to your customers.

n The RUS utility enables you to receive information on the current status of Sentinel LDKlicenses at your customers’ sites, and to securely extend or reduce the functionality ofthese licenses, without recalling the Sentinel protection keys.

n The RUS utility can be used by an end user to generate the fingerprint of a computer atyour customer's site. You can use this fingerprint to generate a V2C file for the customer.The customer can then use the RUS utility to apply the V2C file and generate an SL key forthe protected application.

12

145 Chapter 12: Sentinel Remote Update System

n The RUS utility can be used to transfer (rehost) an SL key from one computer to anotherat your customer's site, without any intervention on your part. (An SL key can only berehosted if this function was enabled by the vendor when the SL key was generated.)

All Sentinel protection keys except the Sentinel HL Basic key can be updated using RUSutility.

The RUS utility is an executable utility (rus.exe) that can be distributed to end users with yoursoftware.

It is important that you customize the RUS utility with the Batch Code associated with theSentinel protection keys that you produce for your customers, before you distribute theexecutable to them. For additional information on Batch Codes, see "Personalized Vendor andBatch Codes" on page 36.

You can use Sentinel EMS to customize the RUS utility with the required Batch Code, and also tobrand the GUI to display your vendor-specific information to end users. For additionalinformation, see "Customizing and Branding the RUS utility" on page 138.

RUS WorkflowWhen you deliver your Products to a customer, you can include a customized version of the RUSutility with the installation package. You can also include the instructions for using RUS.

(To perform rehost, your customer will require a customized version of the RUS utility.)

When a license update is required, you have the option of either retrieving customer licensinginformation from Sentinel EMS, or of requesting that a customer produces and sends you aCustomer-to-Vendor (C2V) file for the Sentinel protection keys to be updated. C2V files have a.c2v extension and contain information on the licensing and memory content of theSentinel protection keys.

When you receive C2V files from a customer, you check them in using Sentinel EMS. For additionalinformation, see "Processing C2V Information" on page 128.

Regardless of whether you obtain the data from Sentinel EMS or in the form of a C2V file fromyour customer, the collected data enables you to produce an update most suited to thecustomer’s needs. At no point in this workflow is it necessary to reconfigure security or protectionat the customer’s site.

You define the requested license updates in Sentinel EMS as Protection Key Update orders fordelivery to the customer. For more information on defining Protection Key Update orders, see"Defining Entitlements" on page 124.

The process of producing a Protection Key Update order generates a file for eachSentinel protection key to be updated. This can be either a Vendor-to-Customer (V2C) file or anexecutable that contains the license update data. For more information on the Protection KeyUpdate order production process, see "Producing Protection Key Update Entitlements" on page133.

The output file is then delivered to the end user, who either runs the executable as instructed byyou, or uses the RUS utility to apply the license update data contained in the V2C file.

Example: Using RUS for License Updates

Scenario: One of HQ Software’s customers, ABC Design, has ordered the upgraded version of HQDesign Pro that contains the new REPORT GENERATOR Feature, for five of its 20 HQ Design Prousers. The customer is asked to send C2V files containing details of the five deployed Sentinel HLkeys to be updated.

ABC Design uses the RUS utility to generate the C2V files and sends them to HQ Software. Thesefiles contain the current status of the license on the specific Sentinel HL keys.

HQ Software checks in the C2V files, defines a Protection Key Update order for the HQ Design Prov.2.0 Modification Product, and produces a license update contained in five V2C files. Foradditional information on this example order, see "Order Example 3: Order for Protection KeyUpdate" on page 130.

The V2C files are sent by email to ABC Design. Each of the five end users applies the update totheir Sentinel HL key using the RUS utility, and returns a C2V file containing a confirmation receipt.

Using RUS utilityThe RUS utility window consists of the following tabs:

n Collect Status Information: The parameters in this tab are used to collect information onthe current status of the licenses in the Sentinel protection key or collecting fingerprintinformation. The end user specifies a name and location for the generated C2V file. Ifmore than one Sentinel protection key is installed, the user selects the required key.No private customer data is included in the C2V file.

n Apply License Update: The parameters in this tab are used to apply a V2C file and updatelicenses in a Sentinel protection key.

n Transfer License: The parameters in this tab are used on the source computer andrecipient computer to rehost an SL key from the source computer to the recipientcomputer.

Instructions for Customers Using the RUS utility

The following sections contain information and instructions that you can customize and send toyour customers.

Instructions for Using the RUS utility

If you are using the RUS utility with a Sentinel HL key, (hardware-based key) you must connect thekey before performing either of the following procedures. The RUS utility automatically locates anySentinel SL keys (software-based keys) installed on your computer.

Collecting Sentinel protection key License Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information onthe current status of the licenses in your Sentinel protection keys. You can then send this file inorder to receive a license update.

Using RUS utility 146

147 Chapter 12: Sentinel Remote Update System

To retrieve the current license information from a Sentinel protection key:

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.

3. Ensure that Update of Existing Protection Key is select at the bottom of the screen.

4. Click Collect Information. The Save key status as window is displayed.

5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.

6. If more than one Sentinel protection key is located, a list of the keys is displayed. Select therequired key, or disconnect the keys that are not required, and click Refresh.

7. The C2V file for the Sentinel protection key is generated and saved in the required location.The file can now be sent for processing to produce an update.

Collecting Computer Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information onthe computer where you want to install a Sentinel protection key for a protected application. Youcan then send this file in order to receive a license update. This procedure would be used if aSentinel protection key does not currently exist on the computer.

To retrieve the current computer information :

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.

3. Ensure that Installation of New Protection Key is select at the bottom of the screen.

4. Click Collect Information. The Save key status as window is displayed.

5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.

6. The C2V file for the Sentinel protection key is generated and saved in the required location.The file can now be sent for processing to produce a Sentinel protection key.

Applying an Update

You can use the RUS utility to apply an update to the licenses stored in your Sentinel protectionkeys.

To update the licenses in Sentinel protection keys:

1. Launch the RUS utility (rus.exe) or double-click the Vendor-to-Customer (V2C) file that youhave received containing the update data.

If you have received an update as an executable, double-click the file and it willautomatically launch RUS utility.

2. Click the Apply License File tab. (This might be the only tab displayed.)

Rehosting a Sentinel protection key

You can use the RUS utility to transfer a Sentinel protection key from one computer (the sourcecomputer) to another (the recipient computer). This is a three-step procedure that uses the RUSutility on both computers.

Step 1: Collect Information About the Recipient Computer

1. On the recipient computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.

3. Follow the instructions labeled "Step 1" to collect information about the computer and saveit to a file. Make sure that the file (or a copy of the file) is accessible on the sourcecomputer.

Step 2: Generate the License Transfer File

1. On the source computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.

3. Follow the instructions labeled "Step 2" to select the SL key to transfer, read the recipientinformation file, and generate a license transfer (h2h) file. Make sure that the licensetransfer file (or a copy of the file) is accessible on the recipient computer.

After you perform this step, the SL key is no longer available on the source computer. Besure to keep a copy of the transfer file until you have completed the transfer procedure.

Step 3: Apply the License Transfer File

1. On the recipient computer, in the RUS utility, click the Apply License File tab

2. In the Update File field, click the browse button and locate the license transfer (h2h) file.

3. Click Apply Update. The SL key is installed on the recipient computer.

To ensure the success of the transfer procedure, all the steps in the procedure should becompleted within no more than a few days of the time you first start the process.

Using RUS utility 148

Chapter 13:Generating Sentinel LDK Reports

This chapter describes the Reporting facility in the Sentinel EMS.

In this chapter:

n "Reports Facility Overview" on page 150

n "Permissions for Working With Reports" on page 151

n "Scheduling Reports" on page 151

n "Presentation Formats" on page 152

n "Export Formats" on page 152

n "Available Reports" on page 152

n "Custom Reports" on page 152

Reports Facility Overview

The Sentinel EMS Reports facility provides you with the ability to produce reports with valuablebusiness information, based on data in the Sentinel EMS database. With this tool, managers canobtain data for analyzing how their software is used and the purchasing preferences of theircustomers. The information can also be leveraged to maximize revenues from license renewals, toup-sell existing customers, and turn trial users into buyers.

13

151 Chapter 13: Generating Sentinel LDK Reports

The Sentinel EMS Reports facility connects directly to the Sentinel EMS database, and generatesreports based on SQL queries. Both predefined and custom (user-defined) reports are available.

The Sentinel EMS Reports facility can present information both in tabular and (where appropriate)graphical formats, and can export report data in a variety of formats for further processing andanalysis.

The remainder of this chapter provides an overview of features and options available in theReports facility.

For detailed information on operating the facility, see the Sentinel EMS help system.

Permissions for Working With ReportsAccess to the Reports facility is limited to Sentinel EMS users who have been granted the roleReport Generation or Batch Code Admin. Only these users can view reports directly inSentinel EMS. (The role Report Generation provides access only to the Reports facility, and onlyfor the specific Batch Codes selected.)

However, using the scheduling option in the Reports facility, an authorized user can define adistribution list for each report. Each member of the distribution list receives the report by e-mail.The list can include Sentinel EMS users (for whom an e-mail address has been specified inSentinel EMS) or any valid e-mail address.

No special authorization is required to receive reports by e-mail.

Scheduling ReportsAn authorized Sentinel EMS user can generate and view reports on demand. In addition, the usercan define a schedule for generation of each report and a distribution list of people to receive thereport automatically by e-mail each time the report is generated. Both predefined and customreports can be scheduled.

Reports can be scheduled for generation and distribution based on a daily, weekly, or monthlyscheduling definitions. A scheduled report can also be generated and distributed on-demand.

Presentation FormatsAll reports are generated in tabular (text-based) format. In addition, where relevant, each reportincludes a graphical presentation of the data, in either pie chart or bar chart format.

Export FormatsEach report can be exported from Sentinel EMS or sent to the recipients in the distribution list inany of the following formats:

n Adobe Acrobat (PDF file)

n Microsoft Word (RTF file)

n Microsoft Excel (XLS file)

n HTML file

n Comma-separated values (CSV file)

Available ReportsThe reports listed below are available in the Sentinel EMS Reports facility.

Report Name Report Description

Entitlements

Customer Entitlement Lists all entitlements for customers and channel partners.

Customer Activation Lists activations by customer

Total Entitlement Utilization Summarizes total and activated entitlements by Product

Licenses

License Expiration Lists all licenses due to expire within a specific period.

Most Popular ProductsOrdered

Indicates orders for Products during a given period by channelpartner

Custom ReportsThe Sentinel EMS Reports facility provides you with the capability of defining custom reports. Thisenables you to design reports that satisfy the specific business requirements for yourorganization.

Custom Reports are defined by creating an SQL query that extracts the specific information yourequire from the Sentinel EMS database. For more information, select the Administration >Custom Reports tab in the Sentinel EMS window.

Presentation Formats 152

153 Chapter 13: Generating Sentinel LDK Reports

The Custom Reports facility is licensed separately from Sentinel EMS. To obtain a license to usethe Custom Reports facility, contact your SafeNet representative.

PART 4 - DISTRIBUTING SOFTWAREIn this section:

n "Chapter 14: Distributing Sentinel LDK With Your Software" on page 156

Describes options for distributing required software to your end users.

n "Chapter 15: Sentinel Admin Control Center" on page 164

Describes the configuration and management functionality of Sentinel Admin ControlCenter, an end-user utility that enables centralized administration of Sentinel LicenseManagers and Sentinel protection keys.

Chapter 14:Distributing Sentinel LDK With Your

Software

This chapter introduces options for distributing required software to your end users.

In this chapter:

n "Sentinel LDK Software for End Users" on page 156

n "Distributing Sentinel LDK Run-time Environment" on page 157

Sentinel LDK Software for End UsersEvery Sentinel LDK installation includes software that you need to distribute to your end users.This software must be installed at your customer’s site to ensure that your protected and licensedsoftware functions correctly.

Protection-related Software

In many instances, the Sentinel LDK Run-time Environment must be installed on the computer ofeach end user who will use the protected application so that the application can communicatewith the Sentinel protection key. For information on when the Run-time Environment is required,see "Protection Keys That Require Sentinel LDK Run-time Environment" on page 158.

There are a number of ways in which the Run-time Environment can be installed. For moreinformation, see "Distributing Sentinel LDK Run-time Environment" on page 157.

For protected .NET assemblies or Java applications, the following additional files must bedistributed with your protected application:

Type ofProtectedApplication

End UserOperatingSystem

Additional File Required

.NET assembly 32-bit Windows haspdnert.dll

64-bit Windows haspdnert_x64.dll

14

157 Chapter 14: Distributing Sentinel LDK With Your Software

Type ofProtectedApplication

End UserOperatingSystem

Additional File Required

Java application 32-bit Windows HASPJava.dll

64-bit Windows HASPJava_x64.dll

Mac OSX libHASPJava.dyliblibHASPJava.jnilib

32-bit Linux libHASPJava.so

64-bit Linux libHASPJava_x86_64.so

All Customized Sentinel Licensing API dynamic libraries (copiedautomatically to the output directory by Sentinel Envelope)

These native library files enable the protected application to communicate with theSentinel protection key.

For Linux applications that were protected using Sentinel LDK Envelope and that run underRed Hat EL 6.4: The installer for the protected application should determine if libXawlibraries are present on the end user's computer and, if not, install them.

Network Environment Management

Your end users can manage their network licenses online using Sentinel Admin Control Center.Ensure that you send them the URL for accessing this application. For additional information, see"Chapter 15: Sentinel Admin Control Center" on page 164.

Software for Updating Licenses

Sentinel Remote Update System is distributed when remotely updating licenses in deployedSentinel protection keys. For additional information on this utility, see "Chapter 12:Sentinel Remote Update System" on page 144.

Distributing Sentinel LDK Run-time EnvironmentDepending on the type of Sentinel protection key, Sentinel LDK Run-time Environment may berequired on the end user's computer to enable your protected software to run by communicatingwith Sentinel protection keys. For more information, see "Protection Key Attributes" on page 39.(For Mac and Linux, Sentinel LDK Run-time Environment is always required.

The following sections describe when the Run-time Environment is required and the variousoptions available for distributing the Run-time Environment to your end users.

n "Protection Keys That Require Sentinel LDK Run-time Environment" on page 158

n "Sentinel LDK Run-time Environment for Windows" on page 159

n "Sentinel LDK Run-time Environment for Mac" on page 162

n "Sentinel LDK Run-time Environment for Linux" on page 163

Protection Keys That Require Sentinel LDK Run-time Environment

Sentinel LDK Run-time Environment is a system component that enables communication betweena protected program and a Sentinel protection key. Sentinel LDK Run-time Environment alsocontains Sentinel Admin Control Center, used to manage licenses.

Installation of Sentinel LDK Run-time Environment requires administrator privileges on the targetcomputer. However, on a Windows computer, Sentinel LDK Run-time Environment is not requiredfor all protected applications.

The tables that follow indicate when a protected application requires the presence of Sentinel LDKRun-time Environment in order to execute.

Sentinel LDK Run-time Environment is always required under the following circumstances:

n When the protected application executes under Mac or Linux.

n When the protected application uses the Data Encryption facility to encrypt anddecrypt data in an external file.

Standalone Licenses

A Standalone license is for a single protected application that executes on the computer where theprotection key is located (no concurrency).

Key TypeRun-time Environment required on the computer where theprotected application executes?

SL AdminMode key Yes

SL UserMode key No

Sentinel HL(Driverlessconfiguration) key

No

Sentinel HL (HASPconfiguration) key

Yes

HASP HL key Yes

SL Legacy key Yes

Network Seat Licenses

A Network Seat license (Sentinel SL key with concurrency or Sentinel HL Network key) is installedon a single computer with a Run-time Environment. The protected applications can run on remotecomputers in the same network. The table below describes the requirements for the remotecomputers where the protected applications execute.

Key TypeRun-time Environment required on the remotecomputer where the protected applicationexecutes?

SL AdminMode key(with

No (However, to attach a Detachable license, Run-timeEnvironment is required on the remote computer.)

Distributing Sentinel LDK Run-time Environment 158

159 Chapter 14: Distributing Sentinel LDK With Your Software

Key TypeRun-time Environment required on the remotecomputer where the protected applicationexecutes?

concurrency)

SL UserMode key Does not support Network Seat licenses

HL Network key No

SL Legacy key(with concurrency)

Yes

Sentinel LDK Run-time Environment for Windows

The following options are available for distributing Sentinel LDK Run-time Environment forWindows operating systems:

n Use Windows Update to download the Sentinel LDK Run-time Environment. An Internetconnection is required for this process.

n Integrate installation of the Sentinel LDK Run-time Environment into your application’sinstaller using either of the two options below:

o Sentinel LDK Run-time Environment Merge module

o Sentinel LDK Run-time Environment Installation API

n Deliver either of the following Sentinel LDK Run-time Environment installation utilities toyour end users:

o HASPUserSetup.exe: A GUI-based installer

o haspdinst.exe: A command-line utility

Each of these methods is described in greater detail in this section.

Windows Update

If your end users are running the protected software on Windows XP or later platforms, and canaccess the Internet, they simply need to connect a Sentinel protection key on their machines. TheSentinel LDK Run-time Environment is certified by Microsoft, and is therefore automaticallydownloaded from the Microsoft Update site.

When your end users connect a Sentinel protection key:

1. The system informs them that a new component has been detected.

2. The Sentinel LDK Run-time Environment is automatically installed.

3. The LED on the Sentinel protection key lights up, indicating that the installation process iscomplete.

Sentinel LDK Run-time Environment Merge Module

The Sentinel LDK Run-time Environment installation is available as a merge module, in the filehaspds.msm. You can use the merge module to seamlessly integrate the Sentinel LDK Run-time

Environment installation in your MSI installation. Merge modules deliver shared Windows Installercomponents, code, files, resources, registry entries and setup logic in a single, composite file.

The haspds.msmmerge module cannot be run as a standalone application.

When integrated with your MSI installer, the haspds.msm merge module copies the haspds_windows.dll into the Win32 system directory of the end user’s computer. The haspds_windows.dll is called by the MSI module to install or uninstall the Sentinel LDK Run-timeEnvironment.

The benefits of using the Sentinel LDK installation merge modules in a single unified MSI installerinclude:

n Providing end users with a single, compound file for your application that includes theSentinel LDK Run-time Environment installation

n Installation self-repair provided by reusing the MSI installer

A demonstration of the use of the haspds.msm merge module is provided. For more information,see "Sample Merge Module Installer" on page 161.

Implementation Requirements

Before including the Sentinel LDK merge module in your installer, review the followingrequirements:

n The Sentinel LDK merge module require Windows Installer version 2.0 or later.

n To successfully execute the Run-time Environment installation, end users requireadministrator rights. Ensure that this is accounted for in your installation scripts.

n Processes that require the Sentinel LDK Run-time Environment should not be active in thebackground when installing the Run-time Environment.

n Before validating the WSM module, change the project properties to relate to yourspecific development environment.

n If you intend to apply a digital signature to your installer, ensure that you first adjust theproperties in our development environment.

n Before compiling the MSI project, change the path to external files to match yourdevelopment environment

Implementation

Implementation of Sentinel LDK merge modules is a straightforward process that simply requiresyou to add the .msm file containing the Run-time Environment installation to your MSI-compliantinstaller setup. After you have created your MSI installer, the wrapped file automatically includesthe Sentinel LDK installation merge module.

The haspds.msm merge module can be found in: …\Program Files\SafeNetSentinel\Sentinel LDK\API\RuntimeInstall\MSI

n Do not alter the versioning data in the default merge module, or the MSI DLL

Distributing Sentinel LDK Run-time Environment 160

161 Chapter 14: Distributing Sentinel LDK With Your Software

sample.

n Do not alter any entity in the default merge module.

n When the Run-time Environment is already installed on a target machine:

o If you install a version of haspds_windows.dll that is newer than thealready-installed haspds_windows.dll, the installed DLL will be replaced withthe new one.

o If a new version of haspds_windows.dll is the same as the previousversion, the file timestamp will be compared. If the version of the DLL thatis being installed is equal to or older than the existing haspds_windows.dll,the DLL will not be replaced.

In any case the haspds_windows.dll will be executed.

Sample Merge Module Installer

A sample MSI installer containing the Sentinel LDK merge module is provided and should bereviewed before implementing the haspds.msm merge module into your own installer.

The sample installer is a full MSI-installer containing the Sentinel LDK Run-time Environmentinstallation merge module and the required shared libraries for installing the Run-timeEnvironment.

The sample installer does the following:

n Verifies that the user has the requisite administrator rights to install the Run-timeEnvironment

n Stops a running Sentinel License Manager service before the Run-time Environment isinstalled, and re-starts the service after the installation is complete.

n Installs or removes Run-time Environment

The sample installer can be found in: …\Program Files\SafeNetSentinel\Sentinel LDK\Samples\RuntimeInstall\MSI

Before attempting to try the sample installer, review the following requirements:

n Administrator rights are generally required in order to install the Driver sample. However,it is possible for a restricted user to install the Driver. For more information, see MicrosoftSupport Knowledge Base article # 259459 (http://support.microsoft.com/kb/259459/en-us).

n You must change the resource path to your own environment in the project files (*.wsi,*.wsm) in order to successfully compile the samples.

You can incorporate a branded DLL into the sample by replacing the name of the demoDLL with the name of the branded DLL.

Sentinel LDK Run-time Environment Installer API

Use the Sentinel LDK Run-time Environment installer API to integrate the installation process intoyour custom setup application. For additional information, see the separate help file in the

…\Program Files\SafeNet Sentinel\Sentinel LDK\API\RuntimeInstall\ directory.

haspdinst.exe

haspdinst.exe is a command-line utility that installs the Sentinel LDK Run-time Environment.Following installation of Sentinel Vendor Suite , the file is located in …\Program Files\SafeNetSentinel\Sentinel LDK\Redistribute\Runtime Environment\cmd Install. You can distribute thisstandalone application to your end users.

To install the Sentinel LDK Run-time Environment using haspdinst.exe:

n At the command-line prompt, type haspdinst -i.

For a full list of the available switches for the haspdinst.exe utility, see the Sentinel LDKInstallation Guide.

HASPUserSetup.exe

HASPUserSetup.exe is a GUI-based installation program to independently install the Sentinel LDKRun-time Environment. Following installation of Sentinel Vendor Suite, the file is located in…\Program Files\SafeNet Sentinel\Sentinel LDK\Redistribute\Runtime Environment\Setup.

This easy-to-use program has an intuitive GUI-based wizard. After your end users run the file, theyshould follow the on-screen instructions to complete the Run-time Environment installation.

Sentinel LDK Run-time Environment for Mac

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protectedand licensed applications on Mac OS X platforms.

All the Sentinel LDK software for Mac that is required for distribution to end users is provided inthe MacOS/Redistribute/ directory on your Sentinel LDK installation DVD.

Options for Distributing the Sentinel LDK Daemons

The software required to distribute the daemons is provided in the MacOS/Redistribute/ directoryon the Sentinel LDK installation DVD.

Multiple options are available for distributing the Mac daemons to end users. The following twooptions are described:

n Installer Distribution Using a Multi-packager

n Installer Scripts

Installation Using a Multi-packager

The installation package can be integrated into any multi-package installer that includes theinstallation for your own application. Include the Sentinel Runtime Installer.pkg in the mpkg.

To locate the Sentinel Runtime Installer.pkg:

1. In the MacOS/Redistribute/ directory, double-click Sentinel Runtime.dmg. The file opens.

2. Click the Install Sentinel Runtime Environment icon and select Show Original. The.Packages window opens and Sentinel Runtime Installer.pkg is displayed.

Distributing Sentinel LDK Run-time Environment 162

163 Chapter 14: Distributing Sentinel LDK With Your Software

For additional information, see the welcome.rtf file provided in the MacOS/Redistribute/directory.

Installer Scripts

Installation scripts are provided in MacOS/Redistribute/ on the Sentinel LDK installation DVD.Open the directory and click Sentinel Runtime Installer Scripts.dmg. A new volume namedSentinel Runtime Installer Scripts is mounted on your desktop. The volume contains dinst anddunst files and the payload/ directory.

You can copy the files in the volume and integrate them in your customized installer. The scriptsare not configurable.

For additional information on using the scripts, see the ReadMe.html file provided in theSentinel Runtime Installer Scripts volume.

Sentinel LDK Run-time Environment for Linux

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protectedand licensed applications on Linux platforms. Without the daemons, the end user’s system willnot recognize the connected Sentinel protection keys, and the protected applications will not run.

All the Sentinel LDK software for Linux that is required for distribution to end users is provided inthe Linux/Redistribute/ directory on your Sentinel LDK installation DVD.

Using the Installer Scripts to Distribute the Sentinel LDK Daemons

Open the Linux/Redistribute/Runtime/script directory. The directory contains dinst (install) anddunst (uninstall) scripts and the Sentinel LDK Run-time Environment.

You can integrate the scripts in your installer. The scripts are not configurable.

Using the DEB or RPM File to Distribute the Sentinel LDK Daemons

This option is available for Ubuntu, Debian, SUSE, CentOS, and RedHat Linux.

Open the Linux/Redistribute/Runtime directory. The directory contains the Sentinel LDK Run-timeEnvironment and the following files:

n For Ubuntu or Debian: aksusbd_version_i386.deb

n For RedHat, SUSE or CentOS: aksusbd-version.i386.rpm

Chapter 15:Sentinel Admin Control Center

Sentinel Admin Control Center is a customizable, Web-based, end-user utility that enablescentralized administration of Sentinel License Managers and Sentinel protection keys. This chapterdescribes the configuration and Sentinel LDK management functionality.

In this chapter:

n "Introduction to Admin Control Center" on page 164

n "Loss of Connection with a Network License" on page 167

n "Launching Admin Control Center" on page 167

n "Admin Control Center Interface" on page 168

n "Administrator’s Workflow" on page 169

n "Applying Basic Configuration Changes Globally" on page 172

n "Customizing Admin Control Center Look and Feel" on page 172

n "Working With Sentinel Admin API" on page 176

Introduction to Admin Control CenterAdmin Control Center is designed to provide your end-user’s system administrator with themeans of managing the use of your licensed software by members of the organization. It hasbeen engineered in a way that provides both flexibility and customizability, making it a useful add-on to your Sentinel LDK-protected and licensed software.

Following are some of the benefits of Admin Control Center:

n Web-based, meaning that it can be easily accessed from any Web browser. Theadministrator does not have to be physically present at your end user’s site in order tomanage the software licenses.

n Cross-platform capable, enabling it to be used on any platform on which a browser isavailable.

n Fully customizable, enabling you to change the displayed information, appearance andbehavior so that it will, for example, integrate seamlessly into other applications or match

15

165 Chapter 15: Sentinel Admin Control Center

corporate styles. In addition, Admin Control Center can be displayed in a variety oflanguages.

n Easy to use, meaning that it can be used with minimal configuration. In addition, the GUIis intuitive, enabling the administrator to manage licenses without the need for a steeplearning curve.

n Enables configuration and control of licenses in a network.

All of the functionality that is available in Admin Control Center can also be accessed from anyprogram by calls to the Admin API. For more information, see "Working With Sentinel Admin API"on page 176.

Sentinel License ManagerThe Sentinel License Manager is a component of Sentinel LDK that is located on the computerwhere the protected applications.

The License Manager provides the protected application with information about the availability oflicenses (both local and remote) and manages access to the licenses. When multiple licenses areavailable, The License Manager assigns priority to determine which of the available licenses shouldbe used by the protected application.

Types of License Managers

Several types of License Managers exist.

n Admin License Manager

The Admin License Manager is part of the Run-time Environment. The Run-timeEnvironment also includes device drivers, data file encryption drivers, and Sentinel AdminControl Center, which is the user interface for the License Manager. (Installation of theRun-time Environment on a computer requires admin rights.) The Admin License Managercan manage all Sentinel HL and Sentinel SL keys, except for SL UserMode keys. (Additionof management for SL UserMode keys is planned for a future release.)

(Windows only) The Admin License Manager is never used for access to remote keys.However, when the Sentinel LDK License Manager service is active, the Integrated LicenseManager or External License Manager uses the search parameters defined in the AdminLicense Manager in order to locate protection keys. The search parameters are specified inAdmin Control Center (Configuration option > Access to Remote License Managertabbed page > Specify Search Parameters field).

n Integrated License Manager

(Windows only) The Integrated License Manager is included in all applications that areprotected with Sentinel LDK Envelope. Admin rights are not required. This LicenseManager can only handle SL Usermode keys and Sentinel HL Driverless mode keys. TheIntegrate License Manager has no user interface.

n External License Manager

(Windows only) The External License Manager is similar to the Integrated LicenseManager. However, the External License Manager is contained in a standalone file (hasp_rt.exe). This file is placed by Sentinel LDK Envelope in the same directory as the protectedapplication. (Your customized Vendor library must also be placed in this directory.) Unlikethe Integrated License Manager, the External License Manager can be upgraded by simplyreplacing the haspr_rt.exe file with a later version of the file. Admin rights are notrequired. This License Manager can only handle SL Usermode keys and Sentinel HLDriverless mode keys.

ISVs who choose not to use the Admin-mode Sentinel LDK Run-time Environment(for example, for reasons of limited end-user permissions) are advised to upgrade tothe External License Manager. The External License Manager, introduced withSentinel LDK 7.0, is supported in this release as an alternative to the less-flexibleIntegrated License Manager. The Integrated License Manager will be discontinued inthe next Sentinel LDK release, leaving the External License Manager as the onlyUserMode License Manager option to be supported in Sentinel LDK. To start usingthe External License Manager, simply compile your software with LDK 7.0 LicensingAPI libraries and include the file hasp_rt.exe in the same directory as the protectedapplication.

The table that follows summarizes which type of protection keys are supported by each type ofLicense Manager.

Type of Protection Key Admin License ManagerExternalLicenseManager

IntegratedLicenseManager

Sentinel HL (Driverlessconfiguration) key

Yes Yes Yes

Sentinel HL (HASP configuration)key and HASP HL key

Yes No No

SL AdminMode key Yes No No

SL UserMode key No Yes Yes

SL Legacy key Yes No No

Remote network key Yes Yes Yes

Priority of Different Types of License Managers

A protected application may have more than one type of License Manager available to it. Theapplication selects the License Manager to work with in the following order:

Sentinel LicenseManager 166

167 Chapter 15: Sentinel Admin Control Center

1. Admin License Manager (highest priority)

n For local Sentinel HL (Driverless configuration) keys

n For local Sentinel HL (HASP configuration) keys and HASP HL keys

n For local SL Legacy keys and SL AdminMode keys

2. External License Manager

n For local Sentinel HL (Driverless configuration) keys

n For remote keys and for SL UserMode keys

3. Integrated License Manager (lowest priority)

n For local Sentinel HL (Driverless configuration) keys

n For remote keys and for SL UserMode keys

Loss of Connection with a Network LicenseA network-type protection key (HL or SL) that contains Features with concurrency typically doesnot reside on the same computer as the protected application.

Under certain circumstances, the communication between the protected application and theprotection key may be lost. For example, the protected application may fail or the computer thathosts the protected application may crash. As a result, the protection key has an open session fora non-existent instance of the protected application, reducing the number of available networkseats for the application in the license.

Sentinel License Manager contains an automatic function that identifies instances where anetwork protection key and the relevant protected application (on separate computers) havebecome disconnected. License Manager handles this situation as follows:

n If both computers contain active instances of License Manager, but the protectedapplication fails, License Manager on the computer that hosts the network protection keyimmediately closes the session and frees the network seat for re-use.

n If only the computer that hosts the network protection key contains an active instance ofLicense Manager, the session times out after three minutes. At that point, LicenseManager frees the network seat for re-use.

This functionality is completely automatic and requires no setup or configuration activities by theISV or the end user.

Launching Admin Control CenterAdmin Control Center is installed as part of the Sentinel LDK Run-time Environment driverinstallation process.

Admin Control Center is launched by typing http://<machine_name or ip_address>:1947 in theaddress field of the browser. If you are accessing the Sentinel License Manager residing on yourown machine, type http://localhost:1947.

Admin Control Center InterfaceWhen you launch Sentinel Admin Control Center, the Web interface displays a number ofAdministration Options on the left of the page. The Sentinel Admin Control Center help systemprovides information about the fields for each option. Note that the options relate toSentinel License Manager on the machine whose name or IP address appears in the title bar ofAdmin Control Center. The following options are available:

n Sentinel Keys enables you to identify which Sentinel protection keys are currently presenton the network, including locally connected keys.

n Products enables you to view a list of all the Base Products available on allSentinel License Managers (local and network). In addition, when a Product containsFeatures with detachable licenses you can see the number of licenses for the Product thatare currently available to be detached from the network and the maximum duration forwhich they may be detached. This option also enables you to access the Detach/Extendfunctions.

The Product name for Products that are licensed with Sentinel HL keys are notnecessarily displayed in Admin Control Center. For more information, see"Appendix I: How to Make Product Names Visible on the End User's Machine" onpage 260.

n Features enables you to view a list of the Features that are licensed in each of theSentinel protection keys that are currently present on the network, including locallyconnected keys. In addition, you can see the conditions of the license, and the currentactivity related to each Feature.

n Sessions lists all the sessions of clients on the local machine, and those remotely logged into Sentinel License Manager on the local machine. You can view session data andterminate sessions.

n Update/Attach enables you to update existing licenses on a Sentinel protection key in thefield and, in the case of Sentinel SL keys, to attach a detachable license to a recipientmachine. It also enables you to apply identification details of an offline recipient machineto a host machine in order to create a file for a detachable license.

n Access Log enables you to view a history of log entries for the server on whichSentinel License Manager is running.

n Configuration enables you to specify certain operating settings for Sentinel Admin ControlCenter running on the connected machine. You can set parameters relating to useraccess, access to remote Sentinel License Managers, and access from remote clients. Inaddition, you can customize log template files in terms of the data they return.

n Diagnostics enables you to view operating information for the Sentinel License Managerto which you are currently logged in, to assist in diagnosing problems. You can generatereports in HTML format. This option also enables you to view miscellaneous data relatingto the use of the server on which Sentinel License Manager is running.

Admin Control Center Interface 168

169 Chapter 15: Sentinel Admin Control Center

n Help displays the Sentinel Admin Control Center help system. Context-sensitive help isavailable within each of the functions described above, by clicking the Help link at thebottom of the page.

n About provides information about the version of Sentinel License Manager, and a link tothe SafeNet, Inc. Web site.

n Country Flags enables you to change the language of the user interface by clicking on theflag of the country appropriate to the language you require. Languages other than Englishcan be downloaded from the Sentinel Web site.

Administrator’s WorkflowWhen you first launch Admin Control Center, the utility is pre-configured to run automatically.However, you may want to customize it to your requirements and to specify users and theiraccess permissions, and access permissions between remote machines and local servers. Changesto the configuration of Admin Control Center are made in the Configuration tab of the application.

The basic configuration changes that you can make include:

n Specifying a name for the local machine

n Enabling access from remote machines to the Admin Control Center on this machine

n Setting the display refresh time

n Defining how many rows of data will be displayed on a page

n Specifying the logs that are to be created and their content, and customizing informationthat will be displayed in the log

n Setting an Admin password

Following the configuration set up, you can define:

n Users and their access privileges

n Access parameters to remote Sentinel License Managers

n Access privileges from remote client machines to a Sentinel License Manager on thecurrent machine

Configuration Considerations

Before you make certain configuration changes to Admin Control Center, it is recommended thatyou consider their implications. This section provides a guide to assist you in this process.

Customizing Log Parameters

You can specify whether Admin Control Center should create an access log and the data thatshould be included in the log file.

Access the Edit Log Parameters page by clicking Edit Log Parameters in the Basic Settings tab ofthe Configuration page.

The Edit Log Parameters page contains two fields. The upper field displays the parameters of thecurrent template. The Available tags for log field lists all the tags and their descriptions. Byselecting a tag and clicking Add, the tag is appended to the text in the upper field.

The default log parameters are used the first time that Admin Control Center is launched and willalso be used if an empty template is submitted. The default template is:

{timestamp} {clientaddr}:{clientport} {clientid} {method} {url} {function} ({functionparams}result ({statuscode}){newline}

You can reset your log parameters to the factory default by clicking Set Defaults in the Edit LogParameters page. The default log parameters will also be used if there is no data in the upper fieldof the Edit Log Template page.

Managing Access to Sentinel License Managers

Managing Access to Sentinel License Managers is performed in the Users and Access from RemoteClients tabs in the Configuration page. The following paragraphs discuss the issues that you needto consider when setting these parameters.

Users

The user restrictions that you define are evaluated in the order in which they are specified, andthe evaluation process stops when the first match is found. You therefore need to take care thatthe restrictions are listed in an order that satisfies this logic.

The value allow=all@all is implicitly added to the end of the list. According to the logic justdescribed, if this value was at the beginning of the list, all subsequent restriction values would beignored.

Additional information about defining restriction values is provided in the Admin Control Centerhelp system.

Access from Remote Clients

When you define criteria relating to the remote machines that can access Sentinel LicenseManager on the current machine, you need to define access restrictions. The remote client accessrestrictions that you define are evaluated in the order in which they are specified, and theevaluation process stops when the first match is found. You therefore need to take care that therestrictions are listed in an order that satisfies this logic.

The value allow=all is implicitly added to the end of the list. According to the logic just described,if this value was at the beginning of the list, all subsequent restriction values would be ignored.

Additional information about defining remote client access restriction values is provided in theAdmin Control Center help system.

Accessing Sentinel License Manager Located on a Different Subnet

When a Windows application that is protected with Sentinel LDK v.6.0 or later is located on adifferent subnet than Sentinel License Manager and the Sentinel protection key, you must create aseparate configuration file to enable the application to find the License Manager. Create a filecalled hasp_vendorID.ini, where vendorID is the Vendor ID associated with your Batch Code (forthe DEMOMA Batch Code, use hasp_demo.ini). Place the file on the same machine as theprotected application, in the following directory:

Administrator’s Workflow 170

171 Chapter 15: Sentinel Admin Control Center

n For Windows XP: %UserProfile%/Local Settings/Application Data/SafeNetSentinel/Sentinel LDK/

n For Windows Vista or Windows 7: %LocalAppData%/SafeNet Sentinel/Sentinel LDK/

For example, for Vendor ID 37517 and a user named test1, create the following file:

n For Windows XP:

C:\Documents and Settings\test1\Local Settings\Application Data\SafeNetSentinel\Sentinel LDK\hasp_37517.ini

n For Windows Vista or Windows 7:

C:\Users\test1\AppData\Local\SafeNet Sentinel\Sentinel LDK\hasp_37517.ini

A separate .ini file must be created on the machine for each user of the protectedapplication.

The hasp_vendorID.ini file should contain the following line:

SERVERADDR = remoteServerAddress

where remoteServerAddress is the IP address or computer name of the remote machine thatcontains Sentinel License Manager and the protection key.

Searching for Sentinel License Managers

The Access to Remote License Manager tab in the Configuration page is used determine whichlocations to include when the local Sentinel License Manager searches for remote Sentinel LicenseManagers.

When you define criteria relating to the machines that may be searched for Sentinel LicenseManager, you can choose to:

n Enable a “broadcast” that searches all machines on the local network

n Search the default local group in an IPv6 subnet

n Restrict the search to specific machines. In this case, it is necessary to specify eachmachine that may be searched—by specifying either its name or its IP address.

Configuring Detachable License Definitions

In Sentinel EMS, it is possible to flag network-based licenses for Features in Products that will belocked to Sentinel SL keys as being detachable. This means that the Product license can betemporarily detached from a pool of network seats and attached to a remote recipient machinefor a specific period of time. At the end of the detachment period, the license is automaticallyrestored to the network pool. Prior to the expiration of the license, it is possible to extend itsdetachment period, or to cancel the detachment and to return the license to the network poolearly.

Licenses cannot be detached unless this functionality is enabled as described in thissection.

You enable or disable the ability to detach licenses in the Detachable License tab of theConfiguration page. You can also specify criteria relating to the number of licenses that can bedetached from the pool of network seats and the maximum period for which the licenses can bedetached. You can specify global settings for all Products, or click the Per-Product Settings buttonto customize settings for individual Products. Global settings will also affect any Products forwhich individual settings have not been specified.

Diagnostics

The Diagnostics page enables you to view and extract operating information for theSentinel License Manager to which you are currently logged in, to assist in diagnosing problems.You can generate diagnostics reports in HTML format.

Occasionally, it is necessary to create a file containing the machine identity details of a remoterecipient machine. This information is required in order for a host machine to identify whichmachine a detachable license will be attached to. The Diagnostics page enables you to create thisfile for the local machine on which Admin Control Center is running by using the Create ID Filebutton.

Additional information about the data provided in the Diagnostics page is available in the AdminControl Center help system.

Applying Basic Configuration Changes GloballyYou can make configuration changes to Admin Control Center, and deploy them to multiplemachines on the network, as follows:

1. Make the required changes on one machine, using the configuration page of Admin ControlCenter. The changes are saved in the hasplm.ini file.

2. Locate the hasplm.ini file using one of the following methods:

o Read the full path name of hasplm.ini, which is located at the bottom of theConfiguration page. The Sentinel LDK base directory is the directory in which thehasplm.ini file resides.

o If you are using Windows in a language other than English, locate the directory inwhich the common files are stored. (In English Windows, the Common Files folder).

3. Copy hasplm.ini and use it to overwrite hasplm.ini on all the other machines on thenetwork.

Customizing Admin Control Center Look and FeelYou can change the language, displayed information, appearance, and behavior of Admin ControlCenter so that, for example, it will integrate into other applications or match your organization’scorporate styles.

The Admin Control Center user interface consists of HTML, GIF, and other files, which are locatedinside the executable (EXE) file hasplms.exe. When you implement additional template sets, youmust add them to a fixed directory structure under the Sentinel LDK base directory.

Applying Basic Configuration Changes Globally 172

173 Chapter 15: Sentinel Admin Control Center

As an alternative to customizing Admin Control Center, you can develop your owninterface to Admin Control Center functionality by using the Sentinel Admin API. For moreinformation, see "Working With Sentinel Admin API" on page 176.

To create a directory for a custom template:

1. Locate the templates directory inside the Sentinel LDK base directory. The Sentinel LDKbase directory is:

For Windows: ...\Program Files\Common Files\Aladdin Shared\HASPFor Mac: /var/hasplmFor Linux: /etc/hasplm

To determine the precise location of this directory on your system:

o Open Admin Control Center on your local machine (http://127.0.0.1:1947). UnderAdministration Options, click Configuration. Read the full path name of hasplm.ini, whichis located at the bottom of the page. The Sentinel LDK base directory is the directory inwhich the hasplm.ini file resides.

o If the folder is empty, click Submit. The base path of hasplm.ini is updated at the bottomof the Configuration page.

Add \SafeNet Sentinel\Sentinel LDK\templates\<your_template_folder_name> to the directory.For example, using an English version of Windows XP, the full path is

C:\Program Files\Common Files\Aladdin Shared\HASP\templates\<yourTemplateDirectory>

You can create multiple templates inside your templates directory.

Each time Sentinel License Manager is launched, the application reads the files in all thedirectories (except .bak files). To expedite the launch time, it is recommended that youkeep the directories free of unnecessary files.

3. Restart the Sentinel License Manager,ORCall http://127.0.0.1:1947/action.html?reload_templates to reload the new template.

To verify your customized template, from a browser on your local machine, open:http://127.0.0.1:1947/<yourTemplateDirectory>.

Writing Templates

A template is an ASCII text file (typically HTML, but also XML, CSV, or other possibilities) thatcontains place holders (tags) for variables that are inserted by the Sentinel License Manager whena request is made via HTTP.

In addition, the file may contain block tags that surround a block of text and tags, and generallyiterate a list (of Sentinel protection keys, Features, sessions, or other entities). For example,{tagname}repeatingblock{/tagname}

The place holders are written as {placeholdername}. For a complete list of available place holdernames, their description and usage, see tagxref.txt in…\Program Files\SafeNet Sentinel\Sentinel LDK\Docs\Manuals &Tutorials\Admin Control Center Customization\templates.

Not all tags work in every context, and some will have different values depending on how they areused. For example, when {logincount} is used in a global context, it returns the total login countfor the server. When logincount is used inside {devicelist} {/devicelist}, it returns the logincount for the currently selected Sentinel protection key. If logincount is used inside{featurelist} {/featurelist}, it returns the login count for the currently selected Feature.

A special include tag is available—{#include "filename.ext"}—that will return the contents of aspecific file instead of a value. Includes (included files) must not be nested, and must not include apath (meaning that included files must reside in the same directory as the template).

If a table displayed in a browser page returns *** illegal tag: xxx ***, the tag is eitherunrecognized, or is illegal in the current context.

In JavaScript, {placeholders} are replaced. To use an opening curly bracket {, without it beingreplaced or generating an illegal tag error, ensure that a white space (space, CR, LF, or tab)follows the curly bracket. In this case, it will be passed without modification.

To output something such as {this} without it being parsed, use the HTML notation for a curlybracket—&#123;this}.

For additional assistance, refer to the sample templates in…\Program Files\SafeNet Sentinel\Sentinel LDK\Docs\Manuals &Tutorials\Admin Control Center Customization\templates.

Default Templates and Samples

Three sets of template source code are provided:

n sample provides a very simple example of how to use templates and tags.

n csv provides an example for generating a comma-separated (.csv) file for importing to aspreadsheet or database, or for processing by your own program. It produces a CSV listof all available Features.

n en is the complete English-language version of Admin Control Center, as included in theSentinel License Manager application (hasplms.exe). The template uses AJAX technologiesto increase ease of use. For translations, or creating a specific corporate identity, use thistemplate set as a starting point.

You can also incorporate some or all of the Sentinel Admin Control Center functionality into yourown Web application, possibly with the use of (i)frames or other methods.

Sample CSV Output

This section provides a sample CSV output. Such output is useful for tasks such as importing thedata into spreadsheets or databases.

Using a template such as:

c:\>type templates\csv\features.txt{featurelist}{index}, {hhlid}, {featureid}, "{local}", "{concurrtext}", {priority}, {fileid},{filetag}, {logincount}, {loginlimit}, {sessioncount}{/featurelist}

The following output is produced:

Customizing Admin Control Center Look and Feel 174

175 Chapter 15: Sentinel Admin Control Center

c:\&gt;wget http://10.24.2.23:1947/csv/features.txt -Of.txt &amp; type f.txt--17:23:44-- http://10.24.2.23:1947/csv/features.txt=&gt; `f.txt'Connecting to 10.24.2.23:1947... connected!HTTP request sent, awaiting response... 200 OKLength: 1,411 [text/plain]1, 0x335918F1, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 02, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1234, 0x0C, 0, 7, 03, 0x335918F1, 0x00001357, "local", "L", 0, 0xABCD, 0x0B, 0, 0, 04, 0x335918F1, 0x000CAFF1, "local", "L", 0, 0xCAF1, 0x0B, 0, 0, 05, 0x335918F1, 0x000CAFF2, "local", "L", 0, 0xCAF2, 0x0B, 0, 0, 06, 0x335918F1, 0x000000A1, "local", "LNS", 0, 0xCAF3, 0x0C, 1, 7, 47, 0x335918F1, 0x000000A2, "local", "LNS", 0, 0xCAF4, 0x0C, 0, 7, 08, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1235, 0x0C, 0, 7, 09, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1236, 0x0C, 0, 7, 010, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1237, 0x0C, 0, 7, 011, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1238, 0x0C, 0, 7, 012, 0x389C1FAB, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 013, 0x389C1FAB, 0x00012345, "local", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 014, 0x389C1FAB, 0x00055779, "local", "L", 0, 0xBEEF, 0x0B, 0, 0, 015, 0x33C90F7A, 0x00011223, "10.24.2.17", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 016, 0x33C90F7A, 0x00097531, "10.24.2.17", "LNS", 0, 0x1234, 0x0C, 0, 7, 017, 0x33C90F7A, 0x00002FAC, "10.24.2.17", "LNS", 0, 0xCAF2, 0x0C, 0, 7, 018, 0x33C90F7A, 0x000AFFEE, "10.24.2.17", "LNS", 0, 0xCAF5, 0x0C, 0, 7, 019, 0x33C90F7A, 0x000DFEED, "10.24.2.17", "LNS", 0, 0xCAF9, 0x0C, 0, 7, 020, 0x33C90F7A, 0x000FFE01, "10.24.2.17", "LNS", 0, 0x00A1, 0x0C, 0, 7, 0

Configuring Admin Control Center to Use Your Custom Template

After you have created your template, you want to be sure that Admin Control Center loads yourcustomized settings whenever it launches.

By default, when you enter http://[servername]:1947 in your browser, the internal factory defaulttemplates are used. The URL is redirected to http://[servername]:1947/_int_/index.html. _int_ denotes theinternal directory. If you replace _int_ with sample, the templates from the sample directory areused.

To direct Admin Control Center to use your Custom Template:

1. Open Admin Control Center in your browser. By default, the application opens at this URL:http://[servername]:1947/_int_/index.html

2. In the URL, replace _int_with the name of the custom template you wish to use.

3. Create a shortcut to the address of Admin Control Center with your template.

Using this process, multiple browser windows can use multiple templates simultaneously.

URL Redirections Using HTTP 302

Following is a list of sample URLs to which the browser is redirected when a specific URL isentered.

Note that you do not require this information for translation or simple layout changes in yourtemplate. However, it is required if you are changing the logic of Admin Control Center (forexample, by adding or removing pages, or merging Admin Control Center functions into anotherapplication).

URL Entered URL Displayed

[server name]:1947Provides a shortcut to the main Admin Control Center page

[server name]:1947/_int_/index.html

[server name]:1947/corporate.htmlAutomatically switches to the internal template. (_ini_) is setwhen no template has been specified

[server name]:1947/_int_/corporate.html

[server name]:1947/csv/devices.txtDoes not change because the template (csv) and file name arespecified

[servername]:1947/csv/devices.txt

[server name]:1947/sampleAutomatically redirects to the index.html file when no file namehas been specified

[servername]:1947/sample/index.html

It is sufficient to type only the URL of Sentinel Admin Control Center— it automaticallyredirects to the index page.

Working With Sentinel Admin APISentinel Admin API provides the functionality available in Admin Control Center and SentinelLicense Manager in the form of callable API functions. You can call functions to retrieveinformation from local or remote License Managers and to perform actions in these LicenseManagers. For example, you can call functions to:

n Examine the configuration of a License Manager installation and make modifications tothe configuration

n Examine a list of accessible protection keys; retrieve all Feature data for a specificprotection key

n Detach a protection key from one computer and attach it to a different computer

n Apply a V2C file

Sentinel Admin API is incorporated into Sentinel LDK ToolBox. The ToolBox help system includesdescriptions of the API functions and the XML templates required to work with the API.

Working With Sentinel Admin API 176

PART 5 - LICENSING MODELSIn this section:

n "Chapter 16: Sentinel LDK Licensing Models: Overview" on page 180

Provides an overview of Sentinel LDK Licensing models.

n "Chapter 17: Sentinel LDK Licensing Models: Description of Models" on page 184

Provides a detailed description of the various Sentinel LDK Licensing models that you canuse to distribute your software.

Chapter 16:Sentinel LDK Licensing Models:

OverviewIn this chapter:

n "Introduction" on page 180

n "Sentinel LDK Licensing" on page 181

IntroductionToday’s software industry is more competitive than ever. As with many other industries that onceenjoyed exceptionally high margins, software products are increasingly regarded as commodities,with resulting deterioration in both revenues and bottom line profits. To counteract these trends,software publishers and vendors now see the need to change the way they market their products,to increase the value they offer their customers and to better differentiate their offerings from thecompetition.

Licensing is among the most promising approaches for achieving more-competitive, value-basedofferings. Today, software publishers and vendors are seeking ways of moving away from thetraditional model—based on perpetual licenses and printed End User License Agreements—towardmore flexible licensing models. New licensing tactics such as trialware, demoware, module- andfeature-based licensing, rental, subscription, network licensing—and combinations of these—enable software publishers and vendors to adapt to dynamic markets by offering compellingproducts that target broader, more segmented markets.

Sentinel LDK is designed specifically to assist software publishers and vendors in pursuit of morecompetitive product offerings. It not only offers the highest possible level of protection—bothagainst illegal copying and in securing critical intellectual property (IP)—it also enables rapidimplementation of novel licensing and distribution models, without the need for extensiveengineering of product source code. This enables software publishers and vendors to aggressivelyextend their market reach and penetration, without negatively impacting their operating margins,to protect the bottom line.

This section describes a wide range of licensing strategies and models designed to provide endusers with greater value and additional options for purchasing software products. UsingSentinel LDK’s versatile abilities, these strategies and models can be implemented immediately,and can serve as the basis for elaboration and for creating new, tailor-made licensing models.

16

181 Chapter 16: Sentinel LDK Licensing Models: Overview

Sentinel LDK LicensingSentinel LDK offers a wide range of options and unprecedented flexibility for making and revisingboth licensing and protection strategies. Virtually any licensing model can be created—supportedby the following fundamental Sentinel LDK concepts, technologies and applications:

n Protect Once—Deliver Many—Evolve Often™

The process of protecting software is completely autonomous of marketing and licensingprocesses, so that after protection has been implemented, diverse licensed products can becreated without necessitating changes in the code.

n Cross-Locking™

Using Sentinel LDK, the software vendor can choose the device to which the protectedsoftware and license are locked—either to one of the many hardware-based Sentinel HLkeys, or to a specific computer by means of a versatile software-based Sentinel SL key. Therequired level of protection, the licensing model, and the manner in which the software willbe accessed and used collectively determine the most appropriate type ofSentinel protection key. Locking the license to a hardware-based Sentinel HL key providesthe strongest security.

n Sentinel Remote Update System utility (RUS utility)

The RUS utility provides a simple and secure method of remotely updating the licenses ondeployed Sentinel protection keys. Using the RUS utility, software vendors can renew,extend, revise or revoke a license.

n LicenseOnChip® and UpdateOnChip

When a license is supplied on a hardware-locked Sentinel HL key, the licensing logic isembedded in the key’s chip, employing Sentinel LDK’s patented LicenseOnChip technology.This practice ensures that licenses are hardware-secured and effectively tamper-proof.Likewise, license updates are authenticated in the key’s chip.

n Role-based licensing application

Sentinel EMS is a role-based application in which access to each type of task is restricted toauthorized personnel. Restricted access provides separation of business activities from ordercreation, license manufacture and customer follow-up.

n Versatile Implementation

Software protection can be implemented using the GUI-driven Sentinel LDK Envelope, theSentinel Licensing API, or a combination of both. The considerations for choosing aprotection method are provided in "Determining the Best Protection and LicensingMethod" on page 182.

n Detachable Licenses

A detachable license is available for Products that are locked to Sentinel SL keys in anetwork environment. Such a license can be temporarily detached from the network poolfor use on a remote recipient machine for a defined period.

Determining the Best Protection and Licensing Method

Sentinel LDK offers two software protection methods that establish an inherent link between theprotected software, the license, and the intelligence contained in a specific Sentinel protection key.

n Envelope-based protection (automatic)

Sentinel LDK Envelope automatically wraps software in a protective shield and validates thelicensing terms. Sentinel LDK Envelope protection offers ease of use, short time-to-delivery,and anti reverse-engineering features such as file encryption and anti-debugging. It issuitable for protecting compiled executables and DLLs.

n API-based protection (automatic or customized)

Executables or specific functions are protected using Sentinel Licensing API calls that areembedded in the software code. This protection method offers maximum flexibility, andcompatibility with a wide variety of development tools and operating systems. API-basedprotection can be based on predefined Sentinel LDK functions and calls so that licensingterms are validated automatically, or can apply a customized license validation mechanismin order to implement specialized licensing models.

Most licensing models discussed in this guide can be applied using either Envelope-basedprotection or API-based protection. However, some specialized models require customizedimplementation using the Sentinel Licensing API. Each licensing model notes the appropriatemethod or methods.

To enhance the security of your application, when you choose an API-based protectionmethod, it is recommended that you also protect your application with Sentinel LDKEnvelope. You can do this using a dedicated Feature ID or with Feature ID 0, which is notlinked to a specific license.

For additional information, see "Chapter 8: Preparing Your Sentinel LDK Licensing Plan " on page98.

About This Section

This section describes a wide variety of licensing models, and provides guidelines for implementingthem using Sentinel LDK. The licensing models include:

n Evaluation licenses (trialware or demoware)

n Component-based licenses

n Metered licenses

n Locked licenses

n Mobile licenses

n Network licenses

n Sales-assisting licenses

n Perpetual licensing

Sentinel LDK Licensing 182

183 Chapter 16: Sentinel LDK Licensing Models: Overview

This section provides an outline of how to use Sentinel LDK to implement the describedlicensing models. For detailed instructions on how to protect and license your software,refer to earlier sections in this book and to the integral help system included in each of theSentinel LDK applications.

How to Use the Licensing Models

Each licensing model in this section is introduced with a legend that describes the following:

n Sentinel LDK functionality—the Sentinel LDK functionality that enables creation of thedescribed licensing model

n Software distribution method—the available methods for software distribution whenusing the described licensing model (physical package or electronic distribution)

n Applicable key types—the Sentinel protection keys that can be used to implement thelicensing model

n Protection method—the Sentinel LDK protection methods (Sentinel LDK Envelope or theSentinel Licensing API) that can be used to implement the licensing model

For example:

Sentinel LDKFunctionality

Manages the maximum number of software executions

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

The legend is followed by:

n A short description of the licensing model

n Guidelines for implementation using Sentinel LDK

Chapter 17:Sentinel LDK Licensing Models:

Description of ModelsThis chapter provides a detailed description of the many types of licensing models that you candefine using Sentinel LDK.

In this chapter:

n "Evaluation Licensing Models" on page 185

n "Component-based Licensing Models" on page 190

n "Metered Licensing Models" on page 193

n "Locked License Models" on page 205

n "Mobile License Models" on page 209

n "Network License Models" on page 213

n "Sales Boosting Licensing Models" on page 220

n "Perpetual Licensing Models" on page 226

17

185 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Evaluation Licensing ModelsEvaluation licensing models are marketing tools for the software publisher, providing potentialend users with the opportunity to test software without making a financial commitment. Anevaluation license can be based on fully-functional trialware or on semi-functional demoware. Thelicense can be limited by time or by executions.

When a potential end user subsequently decides to purchase the software, the software vendorcan offer any of the paid licensing models described in this guide, with the appropriate key typeand locking type. The software vendor uses Sentinel EMS to create and produce the new license.The evaluation license is then seamlessly converted to a purchased license at the end-user site,using the RUS utility.

The evaluation licensing models described below are:

n "Trialware" on page 186

n "High-security Time-limited Evaluation" on page 187

n Execution-limited Evaluation

n "Demoware" on page 189

Trialware

Sentinel LDKFunctionality

Creates a time-limited, software-based trialware license

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Trialware is fully functional software that is made available for a limited time period (currently forany period between 1 and 90 days) as a marketing tool. The software is protected with a software-based license, so that it can be distributed both electronically—for example, via a Web site, andon media such as a CD.

The time-limited trialware license does not use a dedicated Sentinel protection key and does notrequire activation during the trial period. The license is linked to the machine on which thetrialware is installed. After the time period expires, the software can no longer run on thatmachine. However, it can be installed on other machines, creating a super-distribution mechanismwhen the trialware is referred to others.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create a Provisional Product in Sentinel EMS, including the Feature IDs you defined.

n Distribute your trialware with Sentinel LDK Run-time Environment.

n When a fully licensed product is purchased, provide the end user with the appropriateSentinel protection key programmed with the license.

Evaluation Licensing Models 186

187 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

High-security Time-limited Evaluation

Sentinel LDKFunctionality

Manages the period over which your software can be activated

Software DistributionMethod

Physical package

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTime

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The time-limited evaluation software is distributed, protected with a Sentinel HL key for maximumsecurity. Due to the extra cost of providing software with a hardware-based Sentinel HL key, thisevaluation method is suitable for high-end software or for software with a high evaluation-to-purchase conversion rate.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create the evaluation Product in Sentinel EMS and define the expiration date for eachFeature ID included in the Product.

n Distribute the evaluation software with a Sentinel HL key programmed with the license.

n Create the licensed Product in Sentinel EMS and define the required licensing terms foreach Feature ID included in the Product.

n When a fully licensed product is purchased, update the Sentinel HL key using the RUSutility.

Execution-limited Evaluation

Sentinel LDKFunctionality

Manages the maximum number of software executions

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Evaluation software that is restricted to a pre-determined number of executions. The evaluationsoftware can be distributed with a Sentinel SL key—for example, via a Web site or on a demo CD.Alternatively, it can be distributed with a Sentinel HL key, providing maximum security.

Using a Sentinel HL key for evaluation purposes is usually applicable for high-end software or forsoftware with a high evaluation-to-purchase conversion rate.

When distributing the evaluation software with a Sentinel HL key, the type of key provided mustbe compatible with the licensing model that will subsequently be applied to the paid license. Forexample, if the paid license is a rental license, a Sentinel HL Time or Sentinel HL NetTime key mustbe used.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create the evaluation Product in Sentinel EMS and define the permitted number ofexecutions for each Feature ID included in the Product.

n Distribute the evaluation software with a Sentinel protection key programmed with thelicense.

n Create the licensed Product in Sentinel EMS, defining the licensing terms for eachFeature ID included in the Product.

n When the end user purchases a fully licensed product, update the Sentinel protection keyusing the RUS utility.

Evaluation Licensing Models 188

189 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Demoware

Sentinel LDK Functionality Manages active and inactive software functionality

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

The demo version of the software is limited to a subset of the functions provided in the fullylicensed product. Demoware can be distributed either with a Sentinel SL key (for example via aWeb site or on a demo CD), or with the superior protection of a Sentinel HL key.

Demoware provides prospective end users with limited software functionality, at no charge. Evenif the end user does not subsequently purchase the software, the demoware is not discarded,serving as a constant reminder that more powerful functionality can be purchased, with yourbrand name at the forefront.

When distributing the demoware with a Sentinel HL key, the type of key provided must becompatible with the licensing model that will subsequently be applied to the paid license.For example, if the paid license is a rental license, a Sentinel HL Time or Sentinel HLLNetTime key must be used.

Implementation

n Select the software functions that you want to license separately, and determine by whichFeature ID they will be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create two Products in Sentinel EMS:

o The demoware Product, including only those Feature IDs that are designated forthe demoware. Define a Permanent license for these Features.

o The fully licensed Product, including the full set of Feature IDs. Define the requiredlicense terms for these Features.

n Envelope your software for additional security (optional).

n Distribute the demoware.

n When the end user purchases the software, send a Sentinel protection key programmedwith the full license.

Component-based Licensing ModelsOften, software vendors do not want to sell all the software functionality as a single package,preferring to mix and match components in order to create different offerings. Using Sentinel LDK,software vendors have complete freedom to determine the granularity of licensed items, at thelevel of a specific functionality or component, or at the level of an executable file.

The component-based licensing models described below are:

n "Module-based (Suites)" on page 191

n "Feature-based" on page 192

Component-based Licensing Models 190

191 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Module-based (Suites)

Sentinel LDK Functionality Manages licensing of individual executables

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Each module (executable file) is licensed separately. Assorted software can be bundled into a suite,including software from other software vendors. The license for the entire suite is supplied on asingle Sentinel protection key.

Implementation

n Select the executable files that you want to license separately, and determine by whichFeature ID they will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS:

a. Create one or more Products.

b. Include the required Feature IDs in each Product.

c. Define the appropriate license terms for each Feature—for example, the number ofexecutions, expiration date or concurrency.

n Distribute your software suite with the appropriate Sentinel protection key programmedwith the license.

Feature-based

Sentinel LDKFunctionality

Manages licensing of separate functional components

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

Software components or functionality are licensed separately, without necessitating changes inthe code. Feature-based licensing can be useful in many different scenarios.

n Example 1: Basic Software with Add-onsYour basic software is provided with a perpetual license. Additional features are licensedseparately, and are available at a charge.

n Example 2: Software LevelsDifferent levels of your software are offered—for example, Student, Light, Standard, andProfessional versions. The protection method determines which components are active ineach version.

n Example 3: Customized SoftwareYour software is customized to display or hide functionality depending on therequirements of different end users.

n Example 4: Skins or ThemesThe end user is able to choose from a selection of skins or themes, or a user-specificdesign is created and applied.

Implementation

n Select the software functions that you want to license separately, and determine by whichFeature ID they will be identified.

n In your code, insert a Sentinel Licensing API Login call to each Feature ID.

n In Sentinel EMS:

a. Create one or more Products.b. Include the required Feature IDs in each Product.c. Define the appropriate license terms for each Feature—for example, number of

executions, expiration date or concurrency.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

Component-based Licensing Models 192

193 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Metered Licensing ModelsIn recent years, licensing models that are based on usage, rather than providing an end user withownership of the software, have become more prevalent. These models all apply some form ofmetering, the most common of which are rental (time-based) and execution (counter-based)metering. Some models require a prepaid fee, while others enable payment for each use. Themodels in this section include:

n Rental packages—Time-limited rental, phased rental, micro-rental, subscription.

In this group of license models, the license is prepaid or paid on a monthly basis. When itexpires, the end user can only continue using your software by extending the license.

n Pre-paid execution-based packages—Standard counter and phased counter.

The license provides a prepaid number of executions. When these have been consumed,the end user must purchase a new package of executions.

n Specialized packages—Capacity, pay-by-peak time, time-based overdraft, counter-basedoverdraft.

The metered licensing models described below are:

n "Time-limited Rental" on page 194

n "Phased Rental" on page 195

n "Micro-rental" on page 196

n "Subscription" on page 197

n "Pay-by-Peak Time (Peak Time)" on page 199

n "Time-based Overdraft" on page 201

n "Standard Counter" on page 202

n "Phased Counter" on page 203

n "Capacity (CPU/Memory/Disk)" on page 204

Time-limited Rental

Sentinel LDK Functionality Manages the time period over which your software can be used

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The end user pre-pays a fee for a specific period of time, either for a predetermined number ofdays or terminating on a pre-determined expiration date.

End users can monitor the remaining time using Sentinel Admin Control Center, and can order alicense renewal before the license expires. License renewal is implemented using the RUS utility.

You can also specify a licensing period that is shorter than one day, as described in "Micro-rental" on page 196

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Product that includes the Feature ID and define either anexpiration date or the number of days until expiration.

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Renew the license remotely using the RUS utility.

Metered Licensing Models 194

195 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Phased Rental

Sentinel LDK Functionality Manages the time period over which your software can be used

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The end user pays a monthly fee, with a phased pricing structure, which can be associated with anentire product or a specific functionality. The transition from one phase to another isimplemented using the RUS utility.

n Phase 1: A fraction of the regular usage price is charged (micro-payment) for a limitedperiod of time. This provides an incentive for the end user to enter into a rentalagreement for use of the software. If payment is not received for Phase 2, the licenseexpires at the end of the defined time period.

n Phase 2: The full monthly rental price is charged, for an indefinite time period.

Implementation

n Select the executable file or software functions that you want to license, and determine bywhich Feature ID each file or function will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set the time limit for a specific functionality, apply API-based automaticimplementation. To set the time limit for an executable file, apply either Sentinel LDKEnvelope-based or Sentinel Licensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define an expirationdate or the number of days until expiration of Phase 1.

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Subject to receiving payment for Phase 2 from the user, extend the license remotely usingthe RUS utility.

Micro-rental

Sentinel LDKFunctionality

Manages the time period over which your software can be used

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method API-based automatic implementation

Description

The end user purchases a predefined number of “usage hours.” When the hours are consumed, anew package of hours is purchased.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Determine what constitutes “active” for the purpose of counting usage and define this inyour code, for example:

o Your software window is focused and activity is detected.

o Your software is active, performing calculations, even if the window is not focused.

n In Sentinel EMS, in the Protection Key memory, define the total number of softwareactivity hours that has been purchased.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Using the Sentinel Licensing API and the key’s built-in clock:

a. Calculate the accumulated active time.

b. Write the result to the Protection Key memory.

c. Verify that the accumulated time has not exceeded the number of purchasedhours.

d. When the number of purchased hours is about to expire, display a warningmessage.

n When payment is received for additional usage, renew the license remotely using the RUSutility.

Metered Licensing Models 196

197 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Subscription

Sentinel LDK Functionality Creates an unconditional license that can be updated remotely

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The end user pays a monthly subscription fee that covers the initial software package plusperiodical updates. If the end user does not renew the subscription, the basic package and all paidupdates remain the property of the end user. New updates are not provided.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select the protection method for your software:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Product that includes the Feature ID for your initial software anddefine a perpetual license for the Feature.

n Create a component in your software that manages the installation of software updates,and assign it a Feature ID. Select and implement your protection method for thatcomponent (Sentinel LDK Envelope or Sentinel Licensing API-based).

n In Sentinel EMS, create a Product that includes the Feature ID for the update-installationcomponent and define an expiration date for that Feature.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n During the subscription period, use the RUS utility to send updates to the subscriber. Theupdates are handled by the update-installation component in your software. Optionally,use Sentinel LDK to encrypt the update files so that the Sentinel protection key is requiredto decrypt them.

n Continue sending updates as long as the end user’s subscription is valid.

n When the end user renews the subscription, use the RUS utility to update the expirationdate for the update-installation component’s license.

Metered Licensing Models 198

199 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Pay-by-Peak Time (Peak Time)

Sentinel LDK Functionality Compares a value in the Protection Key memory with a valuecollected during run-time

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method API-based automatic implementation

Description

The end user purchases a predefined number of “usage units”. Differential charging is calculatedaccording to the hour of the day or the day of the week in which your software is used. Whenyour software is used at peak demand time, more “usage units” are consumed than at lowdemand time. This type of license might be applicable in an environment such as a learningfacility, in order to encourage students to use resources at low demand time.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Determine what constitutes “active” for the purpose of calculating usage and define thisin your code, for example:

o Your software window is focused and activity is detected.

o Your software is active, performing calculations, even if the window is not focused.

n In Sentinel EMS, in the Protection Key memory, define the total number of “usage units”that has been purchased and the pricing structure (number of “usage units” for each timeunit and each rate).

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Using the Sentinel Licensing API and the key’s built-in clock:

a. Calculate the accumulated active time for each separate rate.

b. Calculate the total number of “usage units” consumed.

c. Write the result to the Protection Key memory.

d. Verify that the accumulated consumption has not exceeded the total number of“usage units” defined in the Protection Key memory.

e. When the “usage units” are about to expire, display a warning message.

n Using the RUS utility, replenish the pool of “usage units” when the license is renewed.

Metered Licensing Models 200

201 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Time-based Overdraft

Sentinel LDK Functionality Manages the time period over which software can be used

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen Sentinel SL

Protection Method API-based automatic implementation

Description

A differential pricing structure is implemented, in which a nominal price is charged for use of yoursoftware until a defined expiration date. Following expiration, a higher price may be charged for alimited period, to enable the end user to continue using your software until the license isrenewed.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Product that includes the Feature ID and define either anexpiration date or the number of days until expiration. Include both the regular usageperiod and the overdraft period in the time that you define.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Using the Sentinel Licensing API and the key’s built-in clock:

o Calculate the time period.

o When the regular usage period terminates, display a message informing the enduser that the usage is now subject to overdraft terms and state the expiration dateof the overdraft period.

o When the end user renews the license, billing includes payment for the overdraftusage in addition to the license renewal.

o After payment has been received, renew the license remotely using the RUS utility.

Standard Counter

Sentinel LDK Functionality Manages the maximum number of software executions

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The end user purchases a predefined number of software executions, which can be defined foryour software or for specific functionality. A counter-based license might appeal to end users whouse your software or a software functionality sporadically, and prefer to pay only when theyactually run your software or use the functionality.

End users can monitor the remaining executions using Sentinel Admin Control Center, and canorder a license renewal before the license expires. The license renewal is implemented using theRUS utility.

Implementation

n Select the executable file or software function that you want to license, and determine bywhich Feature ID the file or function will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set a counter for a specific functionality, apply API-based automatic implementation. Toset a counter for an executable file, apply either Sentinel LDK Envelope-based or SentinelLicensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number ofexecutions.

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Renew the license remotely using the RUS utility.

Metered Licensing Models 202

203 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Phased Counter

Sentinel LDK Functionality Manages the maximum number of software executions

Software Distribution Method n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The end user purchases a predefined number of software executions, which can be associatedwith all of your software or a specific functionality. The pricing structure is phased, and thetransition from one phase to another is implemented using the RUS utility.

n Phase 1: For a limited number of executions, the end user pays a fraction of the regularusage price (micro-payment). This provides an incentive for the end user to startpurchasing executions. If payment is not received for Phase 2, the license expires whenthese executions have been consumed.

n Phase 2: The end user pays the regular price for each software execution.

Implementation

n Select the executable file or software function that you want to license, and determine bywhich Feature ID the file or function will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set a counter for a specific functionality, apply API-based automatic implementation. Toset a counter for an executable file, apply either Sentinel LDK Envelope-based or SentinelLicensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number ofexecutions included in Phase 1.

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Subject to receiving payment for Phase 2 from the end user, replenish the number ofexecutions remotely using the RUS utility.

Capacity (CPU/Memory/Disk)

Sentinel LDK Functionality Manages resource usage

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

License consumption depends on utilization of resources—for example, CPU usage or disk space.The more resources the end user consumes, the sooner the license runs out. This type of licensemight be applicable in an environment such as a learning facility, in order to limit the resourcesconsumed by students.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Determine the parameters for calculating software usage, and define them in your code,for example:

o CPU activity related to your software.

o Disk space usage each time a file is saved from your software.

n In Sentinel EMS, create a Product that includes the Feature ID and define the licenseterms—for instance, a perpetual license or a time-limited license.

n In Sentinel EMS, in the Protection Key memory, define the capacity that has beenpurchased.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

n Using the Sentinel Licensing API:

a. Calculate the accumulated usage.

b. Write the result to the Protection Key memory.

c. Verify that the accumulated usage has not exceeded the purchased capacity.

d. When purchased capacity has almost expired, display a warning message.

n When payment is received for additional usage, renew the license remotely using the RUSutility.

Metered Licensing Models 204

205 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Locked License ModelsA locked license is limited to usage on a specific machine or by a specific end user.

The locked license models described below are:

n "Machine-locked" on page 206

n "User-locked" on page 207

Machine-locked

Sentinel LDKFunctionality

Creates an activation key that is locked to a specific machine

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The license can only be used on the machine on which it was installed. A machine-locked licensecan be combined with any of the licensing models in this guide.

Implementation 1—Locking to a Sentinel SL key

This model is applicable when a Sentinel SL key provides sufficient security for your needs.

n Select and implement the required licensing model.

n Distribute your software using a Sentinel SL key. Sentinel SL keys are always locked to aspecific machine.

Implementation 2—Combined locking to both a Sentinel SL key and a Sentinel HL key

This model is applicable when you want to lock your software to a Sentinel HL key for enhancedsecurity, and also wants to use a Sentinel SL key to lock your software to a specific machine. TheSentinel SL key will require remote activation.

n Select the executable file that you want to license, and determine two Feature IDs bywhich it will be identified. One Feature ID will be used to lock the license to the Sentinel HLkey, and the other to lock the license to the Sentinel SL key and the machine.

n Select your protection method:

o For combined Envelope-based and API-based automatic implementationProtect the executable file using Sentinel LDK Envelope , specifying one of theFeature IDs. In your code, insert a Sentinel Licensing API Login call to otherFeature ID.

o For API-based automatic implementationIn your code, insert Sentinel Licensing API Login calls to both Feature IDs.

n In Sentinel EMS, create two Products, one for each Feature ID. Define the license terms forboth Products—for example, a counter-based license or a time-limited license.

n Burn a Sentinel HL key for one of the Products and create a Sentinel SL Product Key forthe other Product.

n Distribute your software with both Sentinel protection keys.

Locked LicenseModels 206

207 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Implementation 3—Locking to a Sentinel HL key

This model is applicable when you want to lock the license to both a machine and a Sentinel HLkey—but for security reasons, the end user will not be able to activate a Sentinel SL key online.

This implementation requires a utility to be written that will collect the required identifiers fromthe machine before or during installation of your software, and subsequently every time yoursoftware is run. The initial identifiers are saved in the Read-only memory of the protection key,and the run-time identifiers are written to the Read/Write memory on the Sentinel HL key andvalidated against the initial identifiers.

It is recommended that you contact SafeNet Sentinel Professional Services for a detailedimplementation plan.

User-locked

Sentinel LDKFunctionality

Compares end user data saved in the Protection Key memory with avalue collected during run-time

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

The license can only be run by a specific logged-in end user. A user-locked license ensures thatonly an entitled end user can activate your software. This model can be particularly useful whenyour software resides on a server, or is activated by a remote end user. A user-locked license canbe combined with any of the licensing models in this guide.

Implementation

Select and implement the required licensing model, and distribute your software with theappropriate Sentinel protection key programmed with the license.

There are two ways to lock the key to a specific end user:

n Option 1: Predefined locking

Identification is based on the login user name defined in the operating system. Predefinedlocking enables a number of authorized end users to access your software residing on asingle machine.

n When a license is purchased, request the login user name of the end user for whomthe license is intended.

n Use Sentinel EMS to save the user name to the Read-Only memory of aSentinel protection key.

n During run-time, read the user name from the machine, and use the Sentinel LicensingAPI to validate it against the user name saved on the Sentinel protection key.

n Option 2: Password locking

During installation, the end user defines a user name and password, which are laterrequired in order to log in to your software. Password locking is less convenient for an enduser, but provides extra security. When a Sentinel HL key is used, your software can beinstalled on more than one computer, but can only be accessed when the Sentinel HL key isconnected.

n During installation, request the end user to define a user name and password.

n Use the Sentinel Licensing API to save the data to the Read/Write memory on theSentinel HL key.

n During run-time, require the end user to log in, and validate the user name andpassword against the data saved on the Sentinel protection key.

Locked LicenseModels 208

209 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Mobile License ModelsMany software vendors are looking for ways in which they can accommodate the growing trendtowards a mobile workforce. The models in this section provide options for mobile licenses.

The mobile license models described below are:

n "Portable" on page 210

n "Commuter" on page 211

n "Software on a Key" on page 212

Portable

Sentinel LDK Functionality Locks the license to a hardware-based Sentinel HL key

Software DistributionMethod

Physical package

Applicable Key Types All Sentinel HL keys

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Your software can be installed on any number of machines, providing flexibility, but can only runon the machine to which the Sentinel HL key is connected.

Implementation

n Select and implement the required licensing model.

n Distribute your software with the appropriate Sentinel HL key, programmed with thelicense.

Mobile LicenseModels 210

211 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Commuter

Sentinel LDKFunctionality

Enables a network-based license to be detached to a separate machinewhile locked to a Sentinel SL key

SoftwareDistribution Method

Electronic distribution

Applicable Key Types Sentinel SL Net

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

A license can be temporarily detached from a network pool—using Sentinel Admin ControlCenter—to enable off-line use of your software. For example, when employees leave the office towork off site, they can take their laptops with them and continue using the protected softwarelocally.

Implementation

n Select and implement the network concurrency licensing model, ensuring that the licensecan be locked to a Sentinel SL key and that detachable licenses are enabled.

n Distribute your software with a Sentinel SL key, ensuring that the system administrator atyour end-user site knows how to permit and manage detachable licenses.

n If the employee requires the detached license for less time than originally planned, thelicense can be manually returned to the network pool before its expiration date.

Software on a Key

Sentinel LDK Functionality Locks the license to a Sentinel HL Drive key that also contains yoursoftware

Software DistributionMethod

Physical package

Applicable Key Types Sentinel HL Drive

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Both your software and the license are stored on a Sentinel HL Drive key, providing maximalmobility. The Sentinel HL Drive key contains 2 GB or 4 GB of flash memory in addition to thelicense data memory, enabling all of your software to reside on the key. This method is applicablefor software that can be run from an external key without necessitating installation on a hard disk.

This method can be applied to all license models for which a hardware-based key is used, exceptthose requiring Sentinel HL Time, Sentinel HL NetTime or Sentinel HL Net keys.

Implementation

n Select and implement the required licensing model.

n Distribute your software on a Sentinel HL Drive key, together with the software’s license.

Mobile LicenseModels 212

213 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Network License ModelsNetwork licenses are designed for a network environment, in which the vendor’s software is runby multiple end users or on multiple workstations. In such an environment, a singleSentinel protection key can be used to protect and monitor usage of the vendor’s software acrossthe network. Network licenses can be implemented in conjunction with other licensing modelssuch as component-based or metering. A network license can be concurrency-based, site-specific,or both.

The network license models described below are:

n "Limited Concurrent End Users in a Network" on page 214

n "Time-limited Concurrent End Users in a Network" on page 215

n "Execution-limited Concurrent End Users in a Network" on page 216

n "Volume" on page 218

n "Site" on page 219

Limited Concurrent End Users in a Network

Sentinel LDK Functionality Manages the number of concurrent software end users

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n Sentinel HL Netn Sentinel HL NetTimen Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

A concurrency-limited network license limits the number of end users concurrently accessing thelicensed application in a network environment, preventing additional activations and unintentionalpiracy if the maximum number of allowed concurrent licenses has been reached. The same licensecan be used by more than one end user or workstation, so long as the total number of usersremains within the concurrency limit.

Sentinel Admin Control Center provides the end users’ system administrator with the tools totrack license users, and to terminate an inactive session.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID thefile or function will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the license type asPerpetual.

b. Set the concurrency counter to the required maximum number of concurrentlicenses, and determine whether concurrent instances will be counted for eachstation, each login or each process.

T i p :

You can specify the number and type of concurrent instances each time aspecific order is created. This enables you to use the same Product to producemore than one license, each with a different number of seats.

n Distribute your software with a Sentinel protection key programmed with the license.

Network LicenseModels 214

215 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Time-limited Concurrent End Users in a Network

Sentinel LDKFunctionality

Manages the number of concurrent software end users in a network and thetime period over which your software can be used

SoftwareDistributionMethod

n Physical packagen Electronic distribution

Applicable KeyTypes

n Sentinel HL NetTimen Sentinel SL

ProtectionMethod

n Envelope-based automatic implementationn API-based automatic implementation

Description

A combined concurrency- and time-limited network license restricts both the number of end usersconcurrently accessing the licensed application in a network environment and the period duringwhich the license is valid. The same license can be used by more than one end user or machine,so long as the total number of users remains within the concurrency limit.

Sentinel Admin Control Center provides the end user’s system administrator with the tools totrack license users, and to terminate an unused session.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the expiration date ornumber of days until expiration.

b. Set the concurrency counter to the required maximum number of concurrentlicenses, and determine whether concurrent instances will be counted for eachstation, each login or each process.

T i p

You can specify the number and type of concurrent instances each time aspecific order is created. This enables you to use the same Product to producemore than one license, each with a different number of seats.

n Distribute your software with the appropriate network-based Sentinel protection keyprogrammed with the license.

Execution-limited Concurrent End Users in a Network

Sentinel LDKFunctionality

Manages the number of concurrent software end users in a network andthe maximum number of software executions

SoftwareDistributionMethod

n Physical packagen Electronic distribution

Applicable KeyTypes

n Sentinel HL Netn Sentinel HL NetTimen Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

A combined concurrency- and execution-limited network license restricts both the number of endusers concurrently accessing the licensed application in a network environment and the totalnumber of executions for each license. The same license can be used by more than one end useror machine, so long as the total number of users remains within the concurrency limit. Thenumber of executions is calculated across the network, regardless of which end user runs yoursoftware or on which machine it is run.

Sentinel Admin Control Center provides the end users’ system administrator with the tools totrack license users, and to terminate an unused session.

Implementation

n Select the executable file or software function that you want to license, and determine bywhich Feature ID the file or function will be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

If your protection method is feature-based, apply API-based automatic implementation; ifyour protection method is for each executable file, you can apply either Sentinel LDKEnvelope-based or Sentinel Licensing API-based automatic implementation.

n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the maximum number ofexecutions.

b. Set the concurrency counter to the required number of concurrent licenses, anddetermine whether the concurrent instances will be counted for each station, eachlogin or each process.

Network LicenseModels 216

217 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

n Distribute your software with the appropriate network-based Sentinel protection keyprogrammed with the license.

Volume

Sentinel LDK Functionality Enables a network-based license to be detached to a separatemachine while locked to a Sentinel SL key

Software DistributionMethod

Electronic distribution

Applicable Key Types Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

A volume license enables you to sell a pool of licenses to an organization, without requiringproduct activation on every machine, while still enforcing the maximum number of installedworkstations.

A license can be temporarily detached from the network pool to enable off-line use of yoursoftware. In this case, a client machine periodically detaches a time-limited license at predefinedintervals—transparently to the end user. The license is installed locally and remains usable even ifthe network connectivity is lost, as long as the detachment is still valid.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Product that contains the Feature ID used in the protectionphase of the implementation. Ensure that the license terms enable network concurrency,locking to a Sentinel SL key, and detachable licenses.

n Distribute your software with a Sentinel SL key for network use, ensuring that the systemadministrator at your end-user site knows how to permit and manage detachablelicenses.

n Using the Sentinel Licensing API, implement the license’s detachment in the protectedapplication. You may wish to let the customer organization decide the detached licenseperiod and renewal intervals.

Network LicenseModels 218

219 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Site

Sentinel LDK Functionality Locks the license to a specific domain, network, or subnet

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

A site license is a license that is locked to a specific domain, network, or subnet. A site license canbe combined with any of the licensing models in this guide.

Implementation

n Select and implement the required licensing model.

n Envelope your software for additional security (optional).

n Distribute your software using the appropriate Sentinel protection key.

n To lock the Sentinel protection key to the license, collect the site identifier (domain,subnet or network) from the customer. An identification value is written to theSentinel protection key. The application then validates the identifier every time yoursoftware runs.

n There are two ways in which you can collect site-specific data and save it on theSentinel protection key:

o Option 1: Site identifier collected prior to installationProvides more security, but is less convenient for the customer.

When a license is purchased, send the customer a utility that collects the requiredsite identifier from the customer.

Use Sentinel EMS to save the identification value to the Read-Only memory of theSentinel protection key.

o Option 2: Site identifier collected during installationRequires less interaction with the customer, but is less secure.

During installation, collect the site identifier from the machine on which yoursoftware is installed.

Use the Sentinel Licensing API to verify that there is no existing site identifier savedin the Read/Write memory on the Sentinel protection key.

If the memory does not contain an existing site identifier, save the value to theRead/Write memory on the Sentinel protection key.

n During run-time, read the site identifier, and use Sentinel Licensing API to validate itagainst the identification value saved on the Sentinel protection key.

Sales Boosting Licensing ModelsThe sales boosting licensing models described below are:

n "KickStart (Quick-delivery Grace)" on page 221

n "Referral-based Sales" on page 222

n "Automatic Sales Agent" on page 224

Sales Boosting Licensing Models 220

221 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

KickStart (Quick-delivery Grace)

Sentinel LDK Functionality Grants a grace period to use software until key is delivered

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

Locking a license to a Sentinel HL key provides a higher level of security than locking to aSentinel SL key, but delivery of the Sentinel HL key to an end user can take time. This modelenables you to electronically supply your software with a quick-delivery license locked to aSentinel SL (software) key (“KickStart license”) as soon as an order is processed. For increasedprotection, you may choose to limit some software functions in the KickStart license.

The KickStart license can be used as part of a two-phased sales model:

n Phase 1: The end user purchases your software, and a 30-day KickStart license withlimited functionality is supplied electronically.

The KickStart license can be defined for any period between 1 and 90 days.

n Phase 2: The Sentinel HL key, programmed with the full license (the “final” license), isdelivered within 30 days. The end user replaces the KickStart license with the full license,using the RUS utility.

The KickStart license also serves as a super-distribution mechanism, since it will run for the graceperiod on any computer on which it is installed.

Implementation

n Determine which global Feature ID you will use for the KickStart license.

n Select the software functions that you want to include only in the full license, anddetermine by which Feature IDs each function will be identified.

n Select a protection method and do one of the following:

For Envelope-based automatic implementation:

n Determine which global Feature ID you will use for the full license.

n Create two executable files, one with limited functionality for the KickStart license, and theother with full functionality for the full license.

n Envelope each executable file separately, using the global Feature IDs you defined for theKickStart and full licenses respectively.

For API-based automatic implementation:

n In your code, insert a Sentinel Licensing API Login call to the global Feature ID for theKickStart license.

n In your code, for each software function you want to include only in the full license, insertSentinel Licensing API Login calls to the appropriate Feature IDs.

In Sentinel EMS:

n Create a Product that includes the global Feature ID for the KickStart license.

n Select the Provisional product attribute.

n Distribute your software with Sentinel LDK Run-time Environment. Your software can runfor a grace period of 30 days and can be installed on any other computer, for a 30-dayperiod, as a super-distribution mechanism.

In Sentinel EMS:

n Create a Product that includes the full license Feature IDs.

n Define appropriate license terms for each Feature.

If the full license is based on a metered licensing model, metering will commence onlywhen the full license is activated and not during the grace period.

n Distribute your software with a Sentinel protection key programmed with the full license.

Referral-based Sales

Sentinel LDK Functionality Creates a provisional Product that allows for unrestricteddistribution of the protected software

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keysn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

A bonus mechanism that encourages end users to serve as “promoters” for software they finduseful. When an end user refers software to someone and a purchase is made based on thatreferral, you give a bonus to the referrer.

This model requires the creation of two vendor mechanisms:

n User data collection mechanism—You maintain an end-user database in which registeredsoftware owners (referrers) are linked to potential users to whom the software wasreferred (referees). Data for the database can be sent to you by either the referrer or the

Sales Boosting Licensing Models 222

223 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

referee, using a variety of data collection mechanisms. For example, data can be collectedvia a form displayed during software activation or on a Web site.

n Bonus-granting mechanism—When the software is purchased, your end-user database isqueried. If the purchase was made as the result of a referral, the referrer receives a bonusfrom you.

The following implementation guidelines describe how to set up the referral-based sales model,based on:

n Using trialware as the evaluation mechanism.

n Distributing the purchased software with a software-based Sentinel SL key.

n Collecting information from the referee during software activation.

Implementation

n Create a trialware version of your software.

n End users who have already purchased your software send the trialware to otherpotential users.

n When a new user purchases your software—as part of your software activation processusing Sentinel LDK functionality—prompt the new user to provide you with the name andcontact information of the end user who referred your software to them.

n Reward the referrer.

This is a typical implementation, however, the referral-based sales model can also beapplied to other licensing models, including those models that use a hardware-basedSentinel HL key.

Automatic Sales Agent

Sentinel LDK Functionality Manages module usage

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method API-based automatic implementation

Description

When an end user purchases a subset of software modules, the sales staff is often requested tofollow up the purchase and to interest the user in additional modules. With Sentinel LDK, yoursoftware can serve as its own automatic sales agent, providing the end user with the ability towork with additional modules and encouraging purchase of any modules that are identified asbeing of interest to the end user. This model consists of a number of phases:

n Phase 1: The end user purchases a subset of software modules. You supply a license thatincludes the option to install additional bonus modules so that the user can experimentwith them.

n Phase 2: The end user uses your software, including the bonus modules. Behind thescenes, your software monitors and evaluates usage of the bonus modules.

n Phase 3: Once the usage threshold of a monitored module has been reached, the moduleis considered “of value” and Sentinel LDK progressively restricts usage of that module.Concurrently, the Automatic Sales Agent comes into effect, issuing pop-up messagesencouraging the end user to purchase the module.

n Phase 4: When an end user purchases a license for an additional module, the license isseamlessly upgraded at the end-user site, using the RUS utility, and the relevant bonusmodules are changed to fully paid modules.

Implementation

n Determine which Feature ID you will use for global protection of your software.

n Select the modules that you want to license separately, and determine by whichFeature ID each of the modules will be identified.

n In your code, insert Sentinel Licensing API Login calls to all Feature IDs.

n In Sentinel EMS, create a Product that includes only the global software Feature ID anddefine the license terms.

n Determine the parameters for gauging module usage, and define them in your code, forexample:

o The number of times a monitored module has been activated during a time period

o The accumulated usage time of a monitored module

o The number of clicks on an item in the user interface

Sales Boosting Licensing Models 224

225 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

n In Sentinel EMS, in the Protection Key memory, define the usage threshold.

n Envelope your software for additional security (optional).

n Distribute your software with the appropriate Sentinel protection key programmed withthe license for the initial purchase, not including licenses for the bonus modules.

n Using the Sentinel Licensing API:

a. Calculate the accumulated usage of the gauging parameters.

b. Write the result to the Protection Key memory.

c. Compare the accumulated usage with the defined threshold.

When usage of a bonus module passes the threshold, begin to implement the restrictions,for example:

o Progressively slow down the speed of the module as the time passes or as usageincreases

o Progressively increase the number of Automatic Sales Agent pop-up messages as thetime passes or as usage increases

o Prevent the module from saving a snapshot of work that has been done

n In Sentinel EMS, create a Product that includes both the global software Feature ID andthe Feature ID for the module identified as being sellable, and define the license terms.

n When the end user decides to purchase a license for a bonus module, update the licenseon the Sentinel protection key to include the purchased module, using the RUS utility.

Perpetual Licensing ModelsThe perpetual licensing models described below are:

n "Standard Perpetual Licensing model" on page 227

n Perpetual Unlocked Licensing Model

Perpetual Licensing Models 226

227 Chapter 17: Sentinel LDK Licensing Models: Description ofModels

Standard Perpetual Licensing model

Sentinel LDK Functionality Creates an unconditional license

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keysn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

The traditional perpetual, unlimited licensing model can serve as a basis for other, more creativemarketing strategies, for example:

n Your software is initially supplied with a perpetual license. The end user purchasesadditional modules as required.

n The initial release is supplied with a perpetual license. More sophisticated licensing modelsare implemented with future releases.

n A limited license (“bronze”) is converted to a perpetual license (“gold”) for additionalpayment.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Product that includes the Feature ID and define a perpetuallicense for the Feature.

n Use the RUS utility to update a license currently held by the end user with the newlicense.

Perpetual Unlocked Licensing Model

Sentinel LDK Functionality Creates an unconditional unlocked license

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n None

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

Description

An unlocked license is different from all other license types. Your application is protected againstdisassembly and modification, but the license is not locked to a specific computer, and nolicensing restrictions are applied.

This type of license is applicable for any of the following situations:

n Licensing is not an issue. For example, you are distributing medical equipment withembedded software. Since the software is specific to your equipment, you are notconcerned about the possibility of duplication of the software.

n You want to use a licensing system other than Sentinel LDK.

n You want to distribute the software as a Provisional Product with no time limit. Forexample, you may want to allow users to access basic functionality as long as they want,with the option to buy an upgrade later to access advanced functionality.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n In Sentinel EMS, create a Provisional Product (Perpetual) that includes the Feature IDsthat you want to include in the unlocked license.

Perpetual Licensing Models 228

PART 6 - APPENDICESIn this section:

n "Appendix A: Understanding the Sentinel LDK Master Key Licenses" on page 232

Describes the license modules that are available to software vendors on the Sentinel Masterkey .

n "Appendix B: Sentinel LDK Run-time Network Activity" on page 240

Describes the type of network activity that occurs in the communication between theSentinel License Manager and a protected application, and between the localSentinel License Manager and remote Sentinel License Managers.

n "Appendix C: Maximum Number of Features in a Sentinel HL Key" on page 244

Describes considerations that determine the maximum number of Features that can becontained in a Sentinel HL key.

n "Appendix D: How Sentinel LDK Detects Machine Cloning" on page 246

Describes the techniques employed by Sentinel LDK to prevent unauthorized use ofprotected software when the virtual machine on which the software is installed is cloned.

n "Appendix E: How Sentinel LDK Protects Time-based Licenses Locked to Sentinel SLKeys" on page 250

Describes the technology used in Sentinel LDK to prevent a user from extending theduration of a software license that is locked to a Sentinel SL key.

n "Appendix F: How to Bundle Provisional Products Manually" on page 252

Describes how you can bundle Provisional Products for distribution without using SentinelEMS.

n "Appendix G: How to Optimize Performance for Sentinel LDK Run-time Environment"on page 254

Describes how you can optimize the performance in the Sentinel LDK Run-timeEnvironment.

231 Sentinel LDK Software Licensing and Protection Guide

"Appendix H: How to Upgrade a Sentinel HL Key to Driverless Configuration" on page256

Describes how you can upgrade a Sentinel HL (HASP configuration) key to to a Sentinel HL(Driverless configuration) key.

"Appendix I: How to Make Product Names Visible on the End User's Machine" on page260

Describes how you can make Product names visible in Admin Control Center when aSentinel HL key is moved from one machine to another.

n "Appendix J: Troubleshooting" on page 262

Provides a checklist to help you solve some of the most common problems that yourcustomers might encounter when using the Sentinel HL keys. Also includes a list of specificproblems you or your customers may experience, together with the solutions.

Appendix A:Understanding the Sentinel LDK

Master Key LicensesThis appendix describes the SafeNet Sentinel LDK model for the Master Key licenses. Its purpose isto assist you in understanding how your Master Key licenses from SafeNet are implemented, andhow to make decisions about your license update requirements. (For more information on theMaster key, see "Sentinel Vendor Keys" on page 37.)

The Sentinel LDK licensing model includes the following components:

n Activation module

n Standalone licenses

n Network seats

n Cost of Unlimited Seats

n Trialware module

n Unlocked Licenses module

The components that you purchase depend on your specific requirements and whether you havean in-house Sentinel EMS installation, or you utilize Sentinel Managed Services.

To view information regarding your Master key in Sentinel EMS, see "Maintaining SentinelMaster Keys" on page 142.

In this appendix:

n "Licensing Concepts" on page 233

n "Activation Module License" on page 234

n "Standalone Licenses" on page 234

n "Network Seats" on page 235

n "Trialware Module License" on page 237

n Unlocked License Module

n "Reporting Module License" on page 238

A

233 Appendix A: Understanding the Sentinel LDK Master Key Licenses

Licensing ConceptsIn the descriptions of the Master Key licenses model, the following concepts are used:

n Provisional Product: A Product that can be used as trialware, or during a grace period.Provisional Products do not require a locking type, since they can be activated and usedfor a limited period without a Sentinel protection key. Provisional Products have amaximum time period of 90 days.

n Unlocked License: A license that does not lock a protected application to a specificmachine and does not impose any licensing restrictions on the use of the protectedapplication. With this license type, the vendor can use Sentinel LDK to protect theapplication, but can use a different mechanism to license the application (or can imposeno license restrictions on the application).

n Activation: The process in which a Sentinel LDK Provisional SL key is converted to alocked, computer-specific license. Following Activation, the protected software can beused on the end user's computer according to the licenses that were installed during theActivation process.

n Concurrency: A licensing attribute that can be specified to allow a single protection key ona computer in a network to be used by one or more instances of a protected applicationrunning on different computers in the network.

Concurrency is defined separately for each Feature in a Product.

Each instance of the protected application that can be used simultaneously is referred toas a network seat (or a floating license).

Network seats are not assigned to specific users. Instead, the concurrency attributesspecify how many instances (network seats) of the Feature in protected application can beused simultaneously within the customer’s network. The customer purchases a specificnumber (or an unlimited number) of network seats.

For example: A customer purchases 10 network seats for the Basic Feature and 5 networkseats for the Advanced Tools Feature for a protected application. As a result, 10 end userscan run the application and use the Basic Feature simultaneously. 5 of these users canalso use the Advanced Tools Feature simultaneously. All the users must be part of thenetwork where the protection key is located.

Management of the license in the network is controlled using the Sentinel LicenseManager.

For more information about concurrency, see "Specifying the License Terms for Features ina Product" on page 114.

Activation Module LicenseAn Activation Module license is required to enable the software activation functionality ofSentinel LDK. The license, together with a pool of standalone licenses or network seats (floatinglicenses), provides you with the ability to create a software initialization file (V2C) that can beapplied at the end user site to activate your software on their machine.

Your Activation Module License is either perpetual or issued for a limited time period. Thisdepends on your purchase plan or subscription plan for Sentinel LDK. For more information,consult with your SafeNet sales representative.

You do not require an Activation Module license if you do not intend to create activation files orto enable concurrency for Sentinel SL keys.

Standalone LicensesEach time a Product Key for your software is submitted by an end user, their Provisional licensefor your software is converted to a locked, machine-specific license, and one Standalone License isconsumed. End users can submit a Product Key online, or they can request and receive anactivation file to apply manually.

To use this activation functionality, you may need to purchase a pool of Standalone Licenses. (Thisdepends on the nature of your purchase plan or subscription plan for Sentinel LDK.)

When the Standalone Licenses pool is low, you purchase additional Standalone Licenses (ifrequired by your plan). You can configure Sentinel EMS to send notifications when the poolreaches a predefined threshold, to ensure that you never run out of Standalone Licenses for yoursoftware. For additional information about configuring notifications, refer to the Sentinel EMS helpsystem.

You do not require a pool of Standalone Licenses if you do not intend to create activation files forSentinel SL keys.

How Activations and Updates Are Deducted from the Standalone Licenses Pool

The following actions cause Sentinel LDK to deduct Standalone Licenses from your Master key:

n A provisional SL protection key is activated on an end user's computer.

n An HL or SL protection key is updated (either online or offline) using a Product Key.

n The end user activates an SL protection key more than once using the same Product Key(from an order that was already applied to the key). This would typically occur when endusers reformat their hard drive and reinstall the software.

n The end user activates an SL protection key more than once using another Product Keythat was created by the same order.

n The end user activates a base license that updates read-only or read-write memory in aprotection key.

Activation Module License 234

235 Appendix A: Understanding the Sentinel LDK Master Key Licenses

The following actions do not cause Sentinel LDK to deduct Standalone Licenses from your Masterkey:

n The Vendor issues a regular Protection Key update using a V2C file, without using theProduct Key option.

n Activation of a Product Key order that contains only Products that have concurrencyenabled. (Only the network seats pool will have seats deducted.)

Additional Information

n When you purchase Standalone Licenses, SafeNet adds an extra 10% to the number ofStandalone Licenses provided, to compensate for situations in which a Standalone Licenseshould not have been deducted from your Master key. (For example, if a customer’s harddisk drive fails and the customer must reinstall the software on a new disk drive or adifferent computer, you may choose to provide an additional activation even though thecustomer did not purchase a second license.)

n If there are no Standalone Licenses remaining in your Master key, you will not be able toperform an activation (if your purchase plan or subscription plan requires that youpurchase Standalone Licenses).

Network Seats

Network seats are required to enable users to run your software concurrently in a networkenvironment. When you enter an order for your customer: For each Feature in the Product, youspecify whether concurrency is enabled for that Feature, and the number of instances (networkseats) that are supported.

To enable concurrency for Features, you may need to purchase network seats for your Masterkey (if required by your purchase plan or subscription plan). Each time a customer activates yoursoftware, the number of concurrent instances that you included in the Product is deducted fromthe network seats on your Master key. If a Product contains a number of Features that havedifferent concurrency attributes, and the number of network seats that are provided for theFeatures differs, the total number of seats deducted from your Master key is that of the Featurewith the highest number of seats.

When the number of network seats remaining on your Master key is low, you replenish it bypurchasing additional network seats (if required by your plan). You can configure Sentinel EMS tosend notifications when the number of seats remaining reaches a predefined threshold, to ensurethat you never run out of network seats for your software.

You do not require network seats on your Master key if you do not intend to enable concurrencyfor Sentinel SL keys.

Although performing an activation locks the license to the computer in the network onwhich Sentinel License Manager is located, in the event that only ‘network” licenses (thatis, licenses that contain a concurrency value) are included in the order, only the seats poolwill be decremented. The activations pool will not be decremented.

How New Activations and Update of Your Software Affect the Pool

When your protected application is first activated at the customer site, Sentinel LDK examineswhich Feature in the Product contains the greatest number of concurrency instances. The numberof concurrent instances defined in that Feature is deducted from network seats pool. (Theconcurrency in all other Features is ignored.)

For the Sample Product in the graph below, the customer purchased as follows:

n For the Print Feature: 12 network seats

n For the Save Feature: 5 network seats

n For the Export Feature: 6 network seats

The Print Feature has the greatest number of concurrent instances. Therefore, when the Productis activated, 12 network seats are deducted from the pool.

Later, the customer decided to purchase additional network seats or additional Features in theprotected application. For the sample Product in the graph below, the customer purchased asfollows:

n For the Print Feature: 3 network seats

n For the Save Feature: 11 network seats

n For the Export Feature: 5 network seats

n For the Reports Feature: 13 network seats

Sample Product - Number of Network Seats for Each Feature

Network Seats 236

237 Appendix A: Understanding the Sentinel LDK Master Key Licenses

When you fulfil the order, Sentinel LDK calculates the number of seats to deduct from yournetwork seats pool as follows:

1. Sentinel LDK determines which Feature had the greatest number of seats until now—in thiscase, the Print Feature with 12 seats.

2. The number of additional seats required for each Feature for the update order is added tothe original number of seats that the customer purchased. The chart above indicates thetotal number of seats that the customer now has.

3. Sentinel LDK determines which Feature now has the greatest number of seats—in this case,the Save Feature with 16 seats.

4. The number of seats for the Print Feature that the customer had already purchased isdeducted from the new total number of seats for the Save Feature (16 total seats - 12already-purchased seats = 4).

5. The remainder (4) is the number of seats that is deducted from the network seats pool.

The customer purchased 13 seats for the Reports Feature in the update. However, the SaveFeature has the highest accumulated number of seats. Therefore, only the Save Feature isconsidered when Sentinel LDK calculates the number of seats to deduct from the network seatspool.

Additional Information

n When you purchase seats, SafeNet adds an extra 10% to the number of seats provided, tocompensate for situations in which you reduce the number of seats at a customer site, orcancel a license on a computer on which Sentinel License Manager is located in order toactivate on a different computer.

n If you specify the concurrency value for a license as “unlimited” (for example, to create a“site” license), Sentinel LDK deducts from your seat pool the number of seats specified inthe Unlimited Concurrency license type (also referred to as Value of Unlimited Seats) onyour Sentinel Master key. This is typically 100 seats.

n If the terms of a license include both an activation and concurrency, both the activationspool and the seats pool are decremented.

n If there are not enough seats in your seats pool, your customer will not be able toperform an activation (if seats are required by your plan).

Trialware Module LicenseThe ability to create and distribute Provisional Products (“trialware”) without exposing theprotected software to piracy provides a significant marketing advantage when selling softwareapplications. Potential customers can work with the actual application and experience what theapplication has to offer and how it can benefit the individual or the organization. In addition,anybody that has access to trialware can copy it and distribute it to other people; this multipliesthe exposure of the application within the marketplace. Each person who installs and works with

the application must, at the end of the grace period (typically 30 to 90 days), decide to purchase alicense for the application or be blocked from using the application.

Creating Provisional Products is an optional part of the process of protecting software withSentinel SL protection keys.

A vendor who only distributes software protected by Sentinel HL keys can also take advantage ofthe benefits provided by creating and distributing trialware.

Vendors must purchase the Trialware Module license separately from SafeNet in order to createProvisional Products. The Trialware Module license is typically issued for a specific amount of time.

The ability to create and distribute Provisional Products is also included in the Sentinel LDK –Demo and Starter packs. Vendors who want to experiment with Sentinel LDK can learn first-handabout Provisional Products.

Unlocked License ModuleThe Unlocked license is for vendors who want to use Sentinel LDK to protect their applicationsagainst reverse engineering (by using Sentinel LDK Envelope) but either:

n Have no need to license the application (for example, software that is part of a largerhardware package). The vendor may not need to protect against duplication of thesoftware. However, they want to protect the software against theft of IP.

n Are using a separate product or system to handle licensing of the software.

An Unlocked license is similar to a Provisional license. A protected application with an Unlockedlicense can be installed and operated on any computer. However, an Unlocked license has no timerestriction.

To generate Unlocked licenses, the vendor must purchase the Unlocked License Module for theMaster key.

Reporting Module LicenseThe Reporting facility provides software vendors with the ability to produce real-time reports withvaluable business information. The Custom Reports facility enables vendors to design their ownreports to extract valuable information from the Sentinel EMS database.

Using the Custom Reports feature, managers can design reports to obtain data for analyzing howtheir software is used, the purchasing preferences of their customers, and information for profilingprospects and existing customers. The information can also be leveraged to maximize revenuesfrom license renewals and to turn trial users into buyers.

The Reporting facility includes both predefined reports and the Custom Reports facility. Use ofpredefined reports does not require a specific license. However, use of the Custom Reports facilityrequires the Reporting Module license. This license is typically issued for a specific amount of time.

Unlocked LicenseModule 238

239 Appendix A: Understanding the Sentinel LDK Master Key Licenses

The ability to define, generate and view custom reports is included in the Sentinel LicenseDevelopment Kit – Demo and Starter. Vendors who are experimenting with Sentinel LDK can learnfirst-hand about the Custom Reports facility.

For information on the Reporting facility, see "Chapter 13: Generating Sentinel LDK Reports" onpage 150.

Appendix B:Sentinel LDK Run-time Network

Activity

This appendix describes the type of network activity that occurs in the communication between:

n an application (protected using Sentinel LDK) and the local Sentinel License Manager(referred to as “local communications”).

n the local Sentinel License Manager and one or more remote Sentinel License Managers(referred to as “remote communications”).

Details regarding local communications and remote communications are provided on the pagesthat follow.

This chapter is intended to assist IT managers who want to understand how run-time activity onthe network may impact the way they set up their network rules and policies.

Sentinel LDK communicates via TCP and UDP on socket 1947.This socket is IANA-registeredexclusively for this purpose.

In this appendix:

n "Local Communications" on page 241

n "Remote Communications" on page 242

B

241 Appendix B: Sentinel LDK Run-time Network Activity

Local Communications

This section describes communication between a protected application and the localSentinel License Manager service.

A protected application communicates only with Sentinel License Manager on the computer wherethe application is running, regardless of whether the Sentinel HL or SL Key is located on the samecomputer or on a remote computer.

Under Windows, Sentinel License Manager is a service that is launched automatically byhasplms.exe. Under Mac OS and Linux, the Sentinel License Manager is a process launchedautomatically by hasplmd.

Sentinel License Manager service opens socket 1947 for listening (both for UDP packets and TCPpackets).

n IPv4 sockets are always opened (Sentinel License Manager currently does not workwithout IPv4 installed).

n IPv6 sockets are opened if IPv6 is available.

A protected application tries to connect to 127.0.0.1:1947 TCP to communicate withSentinel License Manager. If an application uses multiple sessions, multiple concurrent TCPconnections may exist. If a session is unused for a certain number of minutes (at least sevenminutes, but the exact number depends on several factors), the session may be closed andautomatically re-opened later in order to limit resources used by the application.

These local communications currently use IPv4 only.

The communication uses binary data blocks of varying size.

Remote Communications

This section describes communication between the local Sentinel License Manager service and aremote Sentinel License Manager service.

This type of communication occurs when the protected application is running on a differentcomputer from the computer where the Sentinel protection key is installed.

The protected application communicates only with the local Sentinel License Manager on thecomputer where the application is running, as described in "Local Communications" on page 241.The local Sentinel License Manager discovers and communicates with the License Manager on thecomputer containing the Sentinel protection key using one of the following methods:

n The local Sentinel License Manager issues a UDP broadcast to local subnets on port 1947using:

o IPv4 (always)

o IPv6 (if available)

You can disable this broadcast by clearing the Broadcast Search for Remote Licenses checkbox in the Admin Control Center Configuration screen.

n The local Sentinel License Manager issues a UDP “ping” packet to port 1947 for alladdresses specified in the Admin Control Center field Specify Search Parameters. Theseaddresses may be individual machine addresses or broadcast addresses.

All Sentinel License Managers found by the discovery process are then connected via TCP port1947, using IPv4 or IPv6 as detected during discovery, and data regarding the remoteSentinel protection keys are transferred.

This discovery process is repeated at certain intervals. (The interval size depending on a number offactors, but it is generally not less than five minutes.)

UDP packets sent and received in the discovery process contain the Sentinel License ManagerGUID (40 bytes of payload data).

When starting or stopping a Sentinel License Manager, and when adding or removing aSentinel protection key, a UDP notification packet is sent, containing the Sentinel License Manager

Remote Communications 242

243 Appendix B: Sentinel LDK Run-time Network Activity

GUID and a description of the changes encountered. This is done to allow other Sentinel LicenseManagers to update their data before the next scheduled discovery process.

TCP packets between two Sentinel License Managers on different computers use HTTP with base-64 encoded data in the body section.

Appendix C: Maximum Number ofFeatures in a Sentinel HL Key

Each Sentinel HL key can contain a certain maximum number of Features, depending on:

n the type of HL key

n the complexity of the license type defined in each Feature

n the number of Products among which the Features are distributed.

The diagram below illustrates that:

n As you increase the number of higher-complexity license types on the key, the maximumnumber of Features that the key can contain decreases.

n As you increase the number of Products on the key, the maximum number of Featuresthat the key can contain decreases.

For information on the range of Features that each Sentinel HL key can contain, see the SentinelHL Data Sheet.

The complexity of the license types are as follows:

n Lowest complexity: Perpetual HL

n Medium complexity: Perpetual HL + SL, Expiration

n Highest Complexity: Executions, Time Period

For example, a Sentinel HL Max (HASP configuration) key can contain as follows:

The number of Features that can be written to a Sentinel SL key is unlimited.

C

Appendix D:How Sentinel LDK Detects Machine

Cloning

This appendix describes the techniques employed by Sentinel LDK to prevent unauthorized use ofprotected software when the physical or virtual machine on which the software is installed iscloned.

This topic is only relevant for software protected with a Sentinel SL key. Software that is protectedby a Sentinel HL key is not vulnerable to machine cloning.

For more information on protecting software against cloning, see "Protection Against Cloning" onpage 113.

OverviewOne of the methods sometimes employed to enable the illegitimate use of licensed software ismachine cloning. Machine cloning involves copying the entire image of one machine (includingyour software and its legitimate license) and duplicating it to one or more other machines. If thereis no way to detect that the new image is running on different hardware than that on which it wasoriginally installed, multiple instances of the software are available even though only a singlelicense was purchased.

When clone detection is enabled for a Product in Sentinel LDK, the Run-time Environment checksfor cloning using the criteria described in this appendix. If cloning is detected, Sentinel LDK disablesthe license. As a result, the end user is unable to operate the software for which a cloned licensehas been detected.

This appendix describes the criteria that are built in to Sentinel LDK for clone detection on physicaland virtual machines.

Clone Detection for a Physical MachineAs part of the Activation process for a licensed Product, the Sentinel LDK Run-time Environmentcreates a “fingerprint” of the computer on which the protected software is installed. Thisfingerprint contains hash values of a number of characteristics of the computer, including harddrive serial numbers and the motherboard ID. This fingerprint is stored within the secure storage

D

247 Appendix D: How Sentinel LDK Detects Machine Cloning

on the computer and is also returned to the Vendor in the C2V file. At the Vendor site, thefingerprint is stored as part of the license information in the Sentinel EMS database.

Each time the end user starts the protected software, the Sentinel LDK Run-time Environmentcreates a new fingerprint of the computer and compares it to the fingerprint stored in the securestorage.

If the new and stored fingerprints are identical, Sentinel LDK Run-time Environment allows theprotected software to operate.

If either the hard drive serial number or the motherboard ID does not match the characteristics inthe fingerprint in the secure storage, Sentinel LDK Run-time Environment still allows the protectedsoftware to operate. Sentinel LDK recognizes that situations occur where an end user has alegitimate reason for replacing one of these components in the user’s computer. This policypossibly enables a user to operate protected software on a cloned computer. However, this policyalso frees the Vendor from dealing with numerous support calls from users who have replaced acomponent in their computer. Such calls would otherwise generate costly support cases for theVendor’s customer support organization.

If both the hard drive serial number and the motherboard ID do not match the characteristics inthe fingerprint of the license, Sentinel LDK regards computer as a clone and prevents theprotected software from operating.(See the table that follows.)

Comparison Results

CharacteristicsCompared

Hard drive serialnumber

Identical Different Identical Different

Motherboard ID Identical Identical Different Different

Sentinel LDK Behavior:The software is...

launched launched launched launched disabled

Clone Detection for a Virtual MachineClone detection for software installed on a virtual machine must employ a different techniquethan that used for physical machines.

The two most important fingerprint characteristics - the physical hard drive serial number and thephysical motherboard ID - are not accessible to software running on the virtual machine. Instead,the virtual machine has a virtual hard drive and a virtual motherboard.

On a cloned virtual machine, the characteristics of these virtual components are identical to thesource virtual machine. As a result, these characteristics are not suitable for use when creating thefingerprint at the time the protected software is activated or subsequently operated.

Sentinel LDK relies on three different parameters for verifying fingerprints on a virtual machine: thevirtual MAC address, CPU characteristics, and UUID of the virtual image. Each of these parametersis discussed below.

Virtual MAC Address

Each physical network adapter or network card has a unique identifier, but this identifier is notaccessible to a virtual machine running on the computer. Instead, each virtual machine is assigneda unique virtual MAC address.

Within a network, each virtual machine must possess a unique MAC address. If a user clones avirtual machine and installs it on a second computer within the same network, working on eitherthe original or the cloned virtual machine will be impractical as the two machines will constantlycause network collisions.

CPU Characteristics

In desktop/workstation environments such as VMware workstation or VMware player, thedesktop virtualization software does not expose the ability to virtualize the CPU. This increases thedifficulty for a user to bypass the protection by attempting to create a virtual copy of the sourcecomputer. A number of CPU characteristics are available for inclusion in the virtual machinefingerprint, including: processor make, model and speed.

Due to the large number of different processors available in the market, the likelihood of twodifferent desktop computers having completely identical CPU characteristics is low.

In centrally managed virtual infrastructures (also called server based virtualization), hardwareclusters can be virtualized. In this environment, the virtual infrastructure does not always utilize asingle, fixed set of physical hardware resources. Instead, it utilizes a shared pool of resources. Forthe most common types of clustered environments, where live migration capabilities are typicallyrequired, a requirement usually exists for different hosts in the cluster to have identical CPUcharacteristics. Solutions such as VMware vCenter Server provide the ability to enable CPUmasking to improve compatibility for the high availability and fault tolerance virtualizationfeatures. CPU masking allows host machines with different CPU characteristics to be used in thecluster, while providing common (masked) CPU characteristics across all hosts in the cluster.Therefore the CPU characteristics do not change when virtual machine migrates across the hostsin a cluster. This enables licensed applications to continue working when migrated from one hostto another within a cluster. However, this type of environment is restricted to a limited subset ofCPU types. In addition, the migration can only be performed when the target computer containsphysical CPU whose capabilities match or exceed the characteristics of the virtual CPU.

UUID of the Virtual Machine

This is used as a means of unique identification of the virtual machine with the majority of virtualmachines technologies. The UUID consists of a 16-byte (128-bit) number. Each virtual machine isassigned a different UUID.

When a user makes a clone of a virtual image or copies a virtual machine from one location toanother, a new UUID value is generated for the new virtual image or virtual machine.

None of the three characteristics used by Sentinel LDK to create a virtual machine fingerprint isabsolutely tamper-proof.

The protection against cloning provided by Sentinel LDK for virtual machines is not as secure asthe protection provided for physical machines. You have the option of blocking the protected

Clone Detection for a VirtualMachine 248

249 Appendix D: How Sentinel LDK Detects Machine Cloning

software from running on most popular virtual machines by clearing the Virtual Machine checkbox in the Define License Terms dialog box in Sentinel EMS.

However, when checking the fingerprint for cloning, Sentinel LDK examines all of thesecharacteristics. If one (or more) of these characteristics does not match the characteristics in thefingerprint of the license, Sentinel LDK prevents the protected software from operating. Thus, thecombination of these parameters in the fingerprint provides protection against cloning. (See thetable that follows.)

Comparison Results

CharacteristicsCompared

Virtual MACAddress

Identical Different Identical orDifferent

IdenticalorDifferentCPU

CharacteristicsIdentical Identical or

DifferentDifferent

UUID Identical Identical orDifferent

Different

Sentinel LDKBehavior:The software is...

launched disabled disabled disabled

In a typical business environment (where computers in a given location are on the same network),the requirement for a unique virtual MAC address make cloning impractical.

For server virtualization, or virtualized cluster where the cluster is typically managed by thevirtualized management solution (such as VMware vCenter), UUID acts as additional deterrent torunning a cloned virtual image.

For computers on different networks or computers that are not networked, the likelihood of acloned virtual machine sharing identical CPU characteristics with the original virtual machine is low.

The method employed by Sentinel LDK to protect against cloning of virtual machines is effectivefor all types of virtual machine software commonly used by organizations.

Appendix E:How Sentinel LDK Protects Time-

based Licenses Locked toSentinel SL Keys

This appendix describes the technology used in Sentinel LDK to prevent a user from extending theduration of a software license that is locked to a Sentinel SL key by adjusting the computer’ssystem clock.

Software that is used in conjunction with Sentinel SL keys is locked to the machine on which it isactivated. The expiration period or date is initially calculated according to the system clock of themachine.

Sentinel License Manager reads the system time at Sentinel License Manager startup (by default,part of the machine startup). It subsequently uses its internal running time to calculate the time.When new software that is protected with a Sentinel SL key is executed for the first time,Sentinel License Manager queries its internal clock to determine the start time of the software’slicense duration.

n If the license duration is a fixed period (for example, 30 days or 1 year), Sentinel LicenseManager calculates the actual date on which the license must stop working and theinformation is stored in the secure storage area of the Sentinel SL key.

n If the license is to expire on a specific date, Sentinel License Manager records that date.

Expiration time is determined using the formula: ??

[current Sentinel License Manager time] + [number of seconds to expiration]

The information is stored in the secure storage area of the Sentinel SL key.

Tampering with the System ClockIf a user resets the system clock of the machine to which the software license is locked:

n As long as Sentinel License Manager remains running, the changed time does not affectthe expiration time of the license, since the calculations are all made within the License

E

251 Appendix E: How Sentinel LDK Protects Time-based Licenses Locked to Sentinel SL Keys

Manager, which uses the time of its last startup.

n If Sentinel License Manager is stopped and restarted (for example: if the machine isrebooted), the License Manager compares its last recorded internal time with the time ofthe system clock. When Sentinel License Manager detects that the time on the systemclock is earlier than that of its internal clock, the Sentinel SL key is deactivated until suchtime as the system clock is equal to or later than the time in the License Manager. Thismeans that all applications for which there are licenses on the Sentinel SL key are blockeduntil the key is re-enabled.

Re-enabling a Blocked Sentinel SL KeyTo re-enable a blocked Sentinel SL key, the software vendor sends a new V2C file.

Applying the V2C file to the Sentinel SL key on the end-user machine resets the flag that indicatedtime tampering had occurred, making the license available again. In addition, it sets the currenttime as the reference for future comparison.

Appendix F:How to Bundle Provisional Products

Manually

To prepare Provisional Products for distribution, you must first create a "bundle" that will beinstalled together with the protected applications. This bundle consists of:

n a V2C file containing the Provisional Product licenses

n your Vendor libraries

n a customized Run-time Environment installer

The customized Run-time Environment installer installs the Sentinel Run-time Environment andyour Vendor libraries, and applies the Provisional Product licenses to the Sentinel protection key .

You typically prepare a bundle using Sentinel EMS (see "Generating Bundles of ProvisionalProducts" on page 136). However, you have the option to write an installer that performs thebundling process.

To perform the bundling process manually, the program that installs the protected applicationshould also do the following:

1. Install the Sentinel LDK Run-time Environment. Several methods exist to accomplish this.For more information, see Distributing Sentinel LDK Run-time Environment.

2. Install your customized Vendor library. The file haspvlib_vendorID.dll can be found on thecomputer where Sentinel Vendor Suite is installed, in the path:

%CommonProgramFiles%\SafeNet Sentinel\Sentinel LDK\

Your installation procedure must place a copy of this DLL file in the identical path on thecomputer where the protected application is installed.

3. Apply the V2C file that contains the provisional licenses. To do this, call the function hasp_update. This function is part of the Sentinel Licensing API.

F

Appendix G: How to OptimizePerformance for Sentinel LDK Run-

time Environment

Certain configuration parameters or activities performed by a protected application can lead toreduced performance in the Sentinel LDK Run-time Environment.

This section describes how you can optimize the environment and protected application toachieve better performance.

SL-UserMode LicenseThe presence of an SL-UserMode license in a protection key on the end user’s computer increasesthe time required for the first login/get_info operation performed for a protected application,even if the license is not required for that application. Therefore, do not place an SL-UserModelicense on a computer unless that license type is required.

Run-time EnvironmentFor best performance, ensure that when the Run-time Environment is required, the Run-timeEnvironment on the end user’s computer is the most current. In addition, the Run-timeEnvironment provides better performance after it has been active for at least three minutes.

Testing for Presence of FeaturesTo determine whether certain Features exist in a protection key before using them, the protectedapplication can call the hasp_get_info() function in the Licensing API. This function can retrieve alist of all the Features that exist in the protection key. This is more efficient than attempting to login and then log out immediately to individual Features just to determine if they exist. In addition,use of hasp_get_info() does not consume a license. However, after using hasp_get_info(), theprotected application should call the hasp_login() function to log in to Features to use.

G

Appendix H:How to Upgrade a Sentinel HL Key

to Driverless Configuration

Sentinel HL (HASP configuration) Net keys and NetTime keys that were previously delivered tocustomers can be upgraded to Sentinel HL (Driverless configuration) keys in the field. In Driverlessconfiguration, these keys will employ HID drivers instead of HASP key drivers. (HID drivers are anintegral part of the operating system.) As a result, these keys are less subject to issues related tooperating system upgrades. All of the licenses and key memory that existed in the Sentinel HL(HASP configuration) key will continue to exist in the key after the upgrade.

An application that is protected with version 6.3 or 6.4 of Sentinel LDK, Licensing APIlibraries and/or Envelope will work correctly after the Sentinel HL (HASP configuration) keythat licenses the application is upgraded to the Driverless configuration. However, therequirement for the Run-time Environment will not change.

The tables that follow summarize the requirements for working with HL keys.

Standalone HL Keys

Version of Licensing API orEnvelope used to protect theapplication (lower of the 2)

HASP HL key or Sentinel HL(HASP configuration) key

Sentinel HL (Driverlessconfiguration) key

HASP SRM, Sentinel HASP, orSentinel LDK v.6.0 or v.6.1

Requires Run-timeEnvironment from same (orlater) version that was used toprotect the application

Not supported. See thewarning below.

Sentinel LDK v.6.3 Requires Run-time Environment from Sentinel LDK v.6.3 or later

Sentinel LDK v.6.4 Requires Run-time Environment from Sentinel LDK v.6.4 or later

Sentinel LDK v.7.0 Requires Run-timeEnvironment from SentinelLDK v.7.0 or later

Under Windows, use ofRun-time Environment (fromSentinel LDK v.7.0 or later) isoptional.

H

257 Appendix H: How to Upgrade a Sentinel HL Key to Driverless Configuration

Net and NetTime HL Keys

Version of Licensing API orEnvelope used to protect theapplication (lower of the 2)

HASP HL key or Sentinel HL(HASP configuration) key

Sentinel HL (Driverlessconfiguration) key

HASP SRM, Sentinel HASP, orSentinel LDK v.6.0 or v.6.1

On the machine where the HLkey is connected: RequiresRun-time Environment fromsame (or later) version thatwas used to protect theapplication

Not supported. See thewarning below.

Sentinel LDK v.6.3 On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.6.3 or later

Sentinel LDK v.6.4 On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.6.4 or later

Sentinel LDK v.7.0 On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.7.0 or later

The following limitations apply:

n The application must be protected using version 6.4 or later of Sentinel LDK, Licensing APIlibraries and/or Envelope. (For Sentinel HL Net keys and Sentinel HL NetTime keys, useversion 7.0 or later.)

n You must be using version 6.4 or later of Sentinel EMS or License Generation API togenerate the Product that upgrades the HL key. (For Sentinel HL Net keys and Sentinel HLNetTime keys, use version 7.0 or later.)

n The firmware on the Sentinel HL key will be automatically updated as part of the upgradeprocess.

An application that is protected with version 6.3 of Sentinel LDK, Licensing API libraries and/orEnvelope will work correctly after the Sentinel HL (HASP configuration) key that licenses theapplication is upgraded to the Driverless configuration. However, the requirement for the Run-time Environment will not change.

Wa r n ingA n app l i c a t i o n th a t i s p r o te c te d w i th v e r s i o n 6 .1 o r e ar l i e r o f S e n t i n e l L DKl i b r a r i e s , L i c e n s i n g A P I l i b r a r i e s and /o r E n v e l o p e w i l l s to p w o r k i n g i f th eSe n t i n e l HL (HA SP c on f i gu r a t i o n ) k e y th a t l i c e n se s th e app l i c a t i o n i s u p g r ad e dto th e D r i v e r l e s s c on f i gu r a t i o n .

Th e up g r ad e p r o c e s s f o r th e Se n t i n e l HL k e y i s n o t r e v e r s i b l e .

To upgrade a Sentinel HL (HASP configuration) key to Sentinel HL (Driverless configuration)key:

n Create a Base Product or Modification Product that contains the Upgrade to Driverlessattribute. The Product can be created exclusively to upgrade the Sentinel key, or theUpgrade to Driverless attribute can be included in a Product that licenses or modifies thelicense for a protected application. Apply the Product to the Sentinel HL (HASPconfiguration) key to be upgraded.

The Upgrade to Driverless attribute is ignored if it applied to Sentinel HASP keys or toSentinel HL (Driverless configuration) keys. Similarly, the attribute is ignored if is applied toan SL-AdminMode key, SL-UserMode key, or SL-Legacy key. No error message isgenerated.

The Product that contains the Upgrade to Driverless attribute can be created usingSentinel EMS, Sentinel EMS Web Services, or Sentinel License Generation API.

To upgrade a Sentinel HL Basic key from HASP configuration to Driverless configuration:

n On the machine where the Sentinel HL Basic key is connected, use RUS to collectinformation regarding the key. Use the resulting C2V file with Sentinel License GenerationAPI to generate a V2C file that uses the Upgrade to Driverless attribute to upgrade thekey.

Apply the V2C file to the Sentinel HL Basic key to be upgraded.

258

Appendix I:How to Make Product Names Visible

on the End User's Machine

When you burn the entitlement for a Product to a Sentinel HL key, the Product name is notnecessarily visible in Sentinel Admin Control Center on the machine where the Sentinel HL isconnected by the end user. The Product name is visible if one of the following actions isperformed:

n You send a V2C file containing an update for the Product. After the user applies the V2Cfile, the Product name will be visible in Sentinel Admin Control Center as long as theSentinel HL key is connected to the same machine. (If the user moves the key to adifferent machine, the Product name will not be visible on the new machine.)

n You export Product names from Sentinel EMS to an XML file, and place the file on the enduser’s machine.

To export Product names from Sentinel EMS to the end user’s machine:

1. From the Developer menu in Sentinel EMS, click Export Catalog Definitions.

2. In the resulting screen, select the appropriate Batch Code. For Export File Type, select XMLformat.

3. Click Export. The file vendorID.xml is saved.

4. On the end user’s machine, do the following:

a. Stop the Sentinel LDK License Manager service. (This must be done before youperform the next step.)

b. Place the vendorID.xml file in the directory:

%SystemDrive%\Program Files (x86)\Common Files\AladdinShared\HASP\vendors\

(For Windows x86, use %SystemDrive%\Program Files\...)

c. Restart the Sentinel LDK License Manager service.

To move Product names from one end user's machine to another:

I

261 Appendix I: How to Make Product Names Visible on the End User's Machine

n Copy the vendorID.xml file from the source machine to the target machine using theprocedure in step 4 above.

Appendix J:Troubleshooting

The first part of this appendix provides a checklist to help you solve some of the most commonproblems that your customers might encounter when using the Sentinel HL keys. The second partlists specific problems you or your customers may experience, together with the solutions.

Sentinel HL keys conform to the highest standards of quality assurance. However, like any otherPC peripheral device, a Sentinel HL key might not operate on certain PC configurations because offaulty equipment or improper installation. This appendix can help you in such a situation.

In addition to the information in this appendix, you can access the Sentinel Knowledge Base at:www.safenet-inc.com/technicalsupport.aspx

The Knowledge Base contains a comprehensive listing of solutions to general and specificproblems.

To avoid potential difficulties, ensure you are using current Sentinel LDK software versions.Contact your local SafeNet representative for the latest updates, or visit the SafeNet downloadspage at:

www.sentinelcustomer.safenet-inc.com/sentineldownloads/

ChecklistIf a customer reports a problem, check the following:

n What the returned error code or message says. For additional information, see the statuscodes in the Licensing API help system.

n Whether a Sentinel HL key is connected correctly to the USB port.

n Whether your customer’s hardware or the operating system indicates technicalmalfunction, such as device manager collisions, system events, bootlog failures, or otherissues.

n Whether Sentinel Admin Control Center can access the Sentinel HL key.

n Whether the problem occurs when the protected application runs on another PC of thesame model.

J

263 Appendix J: Troubleshooting

Problems and Solutions

Problem Sentinel HL key drivers do not install.

Solution Are older Sentinel HL key drivers installed on the machine? Uninstall the older driverusing the installer corresponding to the older driver version. For additionalinformation, see the Sentinel HL key driver documentation. After the older drivers areremoved, install the Sentinel HL drivers. For additional information, see the SentinelLDK Installation Guide.

Problem You receive an error message when using haspdinst.exe to install the Sentinel HL keydriver under Windows 2000/XP/2003/Vista.

Solution Review the haspdinst.exe installation instructions. Alternatively, try to install thedrivers using the HASPUserSetup.exe. For additional information, see the Sentinel LDKInstallation Guide.

Problem The protected application cannot find a Sentinel HL key.

Solution Does the Sentinel HL key LED light up? If not, this could be for one of the followingreasons:

n The key is not connected properly to the USB port. Disconnect, then reconnectafter a few seconds. If the LED lights, the application should be able to accessthe key.

n The required Sentinel HL key drivers are not installed. If you are runningSentinel LDK on a Windows platform, check for an entry for Sentinel LDK in theDevice Manager utility. If there is no entry, you must install the drivers usingone of the methods in the Sentinel LDK Installation Guide.

n Check if the USB port is functioning correctly. Disconnect all other USB devicesfrom their respective ports. Connect the Sentinel HL key to a different USB port.Try using a different USB device in the port from which the Sentinel HL key wasnot accessible.

n Open the Windows Services window and check that Sentinel License Manager isrunning.

n Check that the Batch Code on the Sentinel HL key matches the Batch Code ofthe protected application.

Problem The application takes a long time to find the Sentinel protection key on a largenetwork.

Solution It is recommended that you customize the search mechanism. Use Admin ControlCenter configuration to specify a search criteria, and to define the server addresses tobe searched. By doing so, the Admin Control Center searches for the Sentinel

protection key at a specific address, which is much faster.

Problem You receive an error message indicating that Sentinel License Manager was not found.

Solution The error message might be for one of the following reasons:n Sentinel License Manager was not loaded. Try restarting Sentinel License

Manager in the Windows Services window.n There is a communication error with the machine on which the Sentinel

protection key is located. If you repeatedly receive the error message, try usinga different search mechanism.

Problem You cannot add files when using the Sentinel LDK Data Encryption utility.

Solution The problem may occur for one of the following reasons:n You are attempting to add a list that includes problematic files. Remove all

problematic files marked in red in the File list.n You are attempting to add a file that is outside the scope of the filters defined

in Sentinel Envelope. You must protect your software again using the new filefilter settings.

n For additional information, see "Chapter 6: Working with the Sentinel LDK DataEncryption Utility" on page 84.

Problem When using Sentinel LDK Data Encryption utility, you receive a message that no datafilters were defined for a program in a Sentinel Envelope project.

Solution The problem cannot be solved using the Data Encryption utility. You need to useSentinel LDK Envelope to protect your software again, and to specify file filter settings.

Problems and Solutions 264

Glossary

Activation counter Licensing element indicating the number of times a Feature, licensedusing Sentinel LDK, can be run

AES Advanced Encryption Standard (AES) algorithm that is the basis forthe Sentinel LDK encryption and decryption

Anti-debugging Measures applied by the Sentinel LDK system to block potentialattacks intended to undermine the protection scheme

API samples Sample applications that utilize the Sentinel Licensing API. A learningtool used for implementing the Sentinel Licensing API.

Background checks Random checks executed by protected applications for a requiredSentinel protection key

Backward compatibility Ability to share data or commands with applications protected withearlier versions. Sentinel LDK backward compatibility includes theability to read and write data, set real-time clocks, and process other‘legacy' commands.

Base Product An original Product that has been created from scratch from whichother Products may be created. All Modification Products, ProvisionalProducts and Cancellation Products are created from Base Products.

Batch Code Unique character string that represents a Vendor Code. Used indefining Features, Products and orders. It is also used for orderingSentinel protection keys. With Sentinel HL keys, the code is printedon the Sentinel HL key label.

C2V file Customer-to-Vendor file. A file sent by the customer to the vendor,containing data about deployed Sentinel protection keys or dataabout the customer's computer.

Cancellation Product A Product that cancels the licensing details of another Product. Canbe used to revoke a deployed license, or to remove a license from aspecified computer so that it can be transferred to anothercomputer.

Customer Portal A Web portal in Sentinel EMS that can be accessed by customers

Cross-locking Indicates that protection can be applied to both Sentinel HL andSentinel SL keys

Data Encryption utility Utility for protecting data files that are accessed by programsprotected by Sentinel LDK Envelope

K

267 Glossary

Decryption Process of decrypting data that has been encrypted

Default Feature Feature that is always available in a Sentinel protection key. Itrequires no configuration.

Demo Vendor Code See DEMOMA

DEMOMA Batch Code used for evaluation purposes with any Sentinel LDKapplication. Its corresponding Vendor Code is available in theVendorCodes folder of your Sentinel LDK installation.

Detach Temporarily remove a license from a network pool on a host machinefor attachment to a remote recipient machine

Encryption Translation of data into a confidential code. To read an encrypted file,you must have the correct encryption engine for decrypting the file.

Encryption engine Encryption engine in a Sentinel protection key—based on the AESalgorithm

Encryption key Key used for encrypting a data file used with Sentinel Envelope

Encryption level Number of iterations that the Sentinel Envelope executes with theSentinel protection key for each interaction

Envelope See Sentinel Envelope

Expiration date Date after which a protected program or Feature stops running

Feature An identifiable functionality of a software application that can beindependently controlled by a license. In Sentinel LDK, a Feature maybe an entire application, a module or a specific functionality such asPrint, Save or Draw.

Feature ID Unique identifier for a Sentinel LDK-protected Feature

File filter Defines the files that are exposed to on-the-fly file encryption

Grace period An initial period of time during which a Product can be used withouta Sentinel protection key. See also Provisional Product.

H2H file Host-to-Host file. A file used to rehost (transfer) a protection key fromone end user's machine to another end user's machine.

H2R file Host-to-Recipient file. A file that contains one or more detachedProducts and their licenses for temporary attachment to a recipientmachine

Handle Unique identifier for accessing the context of a Sentinel LDK loginsession

HL Basic key Standard Sentinel HL local key that is used to protect software, andhas a perpetual license. It does not have any memory functionality.

Key See Sentinel protection key

Key ID Unique identity number for a Sentinel protection key

License Digital permit stored in a Sentinel protection key

License Manager See Sentinel License Manager

License terms Detailed conditions contained in a license

Locked Product A Product that is protected using Sentinel LDK and is locked to aspecific machine. A Provisional Product becomes a Locked Productafter the customer activates an entitlement for the Product.

Locking type Determines the level of protection for a Product, according to thetype of Sentinel protection key supplied with the Product

Memory data Vendor-defined data (for example: passwords, values used by thesoftware) that is specified in memory for a Product and transferred tothe Sentinel protection key

Modification Product A modified version of an existing Product

Order A request for Products or protection key updates to be shipped to acustomer

Product A licensing entity that represents one of a vendor’s marketablesoftware products. The Product is coded into the memory of aSentinel key and contains one or more Features. License terms aredefined for each Feature in a Product.

Product Key A string generated by Sentinel EMS and supplied to the end user foruse as proof of purchase for Product Activation or Update Activation

Production The implementation of an order for Products or protection keyupdates

Protect Once—DeliverMany—Evolve Often™

The concept of separation between engineering and businessprocesses, on which Sentinel LDK is designed

Protection Key Memory Secure memory that resides within a Sentinel protection key (HL orSL), for use by the protected software. Protection Key memory canbe accessed or modified using the Sentinel Licensing API. Thememory can be initialized when the key is generated, using dataentered when defining the Product or when entering an order for aProduct.

Protection Key Update File containing update information for deployed Sentinel protectionkeys. See also V2C file

Provisional Product A Product that can be used as trialware, or during a grace period.Provisional Products do not require a locking type, since they can beactivated and used for a limited period without a Sentinel protectionkey.

R2H file Recipient-to-Host file. A file used to re-attach a cancelled detachablelicense to the host machine.

Real-time Clock (RTC) Clock available in the Sentinel HL Time key and Sentinel HL NetTimekey

Recipient machine Remote machine to which a license that has been detached from anetwork pool on a host machine is temporarily attached

Rehost Transfer a Sentinel SL key from one end user computer to another.

268

269 Glossary

The rehost process is performed entirely by the end user, with nointeraction with the vendor.

Reverse Engineering Software attacks intended to unravel the algorithms and executionflow of a target program by tracing the compiled program to itssource code. Sentinel Envelope protection implements contingencymeasures to repel such attacks and prevent hackers from discoveringalgorithms used inside protected software.

RUS utility See Sentinel Remote Update System

Secure Storage Area reserved by Sentinel LDK on a computer’s local hard drive whenone or more Sentinel SL protection keys are installed on thecomputer. The keys are installed in the secure storage area. This areacan only be accessed or modified by Sentinel LDK components.

Secure Storage ID A globally unique identifier of Secure storage on every machine.

Sentinel Admin ControlCenter

Customizable, Web-based, end-user utility that enables centralizedadministration of Sentinel License Managers and Sentinel protectionkeys

Sentinel Developer key A vendor-specific Sentinel HL key containing the confidential codesassigned by SafeNet. The key is used by the software engineers whenprotecting programs using Sentinel LDK.

Sentinel EMS Role-based application used to generate licenses and lock them toSentinel protection keys, write specific data to the memory of aSentinel protection key, and update licenses already deployed in thefield. Sentinel EMS is installed as a service (Sentinel EMS Service)under Windows.

Sentinel EMS Server Computer on which Sentinel EMS is installed and the SentinelEMS Service is active.

Sentinel HL key The hardware-based protection and licensing component of SentinelLDK. One of the Sentinel protection key types.

Sentinel HL (Driverlessconfiguration) key

Type of Sentinel HL key that does not require the Run-timeEnvironment in order to protect an application on a Windowsmachine.

Sentinel HL (HASPconfiguration) key

Type of Sentinel HL key that is fully compatible with protectedapplications that require the older HASP HL keys.

Sentinel LDK - Demo Kit Kit containing software, hardware and documentation for evaluatingthe Sentinel LDK system

Sentinel LDK Envelope Application that wraps an application in a protective shield, ensuringthat the protected application cannot run unless a specified Sentinelprotection key is accessible by the program

Sentinel LDK Run timeEnvironment (RTE)

System component that enables communication between aprotected program and a Sentinel protection key. The Run-timeEnvironment also contains Sentinel Admin Control Center.

Sentinel LDK ToolBox GUI application designed to facilitate software engineers’ use of

various Sentinel LDK APIs and to generate source code

Sentinel LicenseManager

Acts as a server and monitors concurrent usage according to thelicenses stored in a Sentinel HL Net key

Sentinel Licensing API Interface for inserting calls to a Sentinel protection key

Sentinel Master key A vendor-specific Sentinel HL key containing the confidential codesassigned by SafeNet. The key is connected to the Sentinel EMSmachine.

Sentinel protection keys Sentinel HL keys and Sentinel SL keys

Sentinel Remote UpdateSystem (RUS)

Utility that enables licenses in deployed Sentinel protection keys tobe securely, remotely updated, or the contents of the keys to bemodified. See also C2V file and V2C file

Sentinel SL key The software-based protection and licensing component of SentinelLDK—a virtual Sentinel HL key

Sentinel Vendor keys The Sentinel Master key and Sentinel Developer key that containyour confidential and unique Vendor Codes. These keys enable youto apply protection to your programs, program the Sentinelprotection keys that you send to your end users, and to specify thelicense terms under which your software can be used.

Status code Error or status message returned by the Sentinel LDK system

Trialware Software that can be distributed without a Sentinel protection key forend-user evaluation during a limited time period. See also ProvisionalProduct.

Unlocked license A type of license that does not lock a protected application to aspecific machine and does not impose any licensing restrictions onthe use of the protected application. With this license type, thevendor can use Sentinel LDK to protect the application, but can use adifferent mechanism to license the application (or can impose nolicense restrictions on the application).

Unlocked Product A Product that is distributed with an Unlocked license.

UTC Coordinated Universal Time—the standard time common to everyplace in the world

V2C file Vendor-to-Customer file that contains data to update a Sentinelprotection key on the end user's computer. This data can includedetailed changes to the license terms or data to be stored in the endusers' Sentinel protection keys.

Vendor Code A confidential, vendor-unique string containing vendor-specific secretsthat enables access to the vendor-specific Sentinel protection keys.

Vendor ID A unique number that is associated with a given Vendor Code andBatch Code.

Vendor libraries (Vlib) Vendor-specific API libraries. These libraries are built and customizedon SafeNet servers. In this process, the libraries are customized

270

271 Glossary

differently for every vendor. These libraries are downloaded whenyou introduce your Vendor keys.

Index.

.NET assembliesconsiderations 68global Feature 68Method-level protection 68method-specific settings 69obfuscation 71protecting 67required RTE libraries 156

A

Activating Productsabout 92manually 143with HL keys 102with SL keys 102

Admin API, about 176Admin Control Center

about 164administrator’s workflow 169configuration 169how to make Product names visible 260interface 168launching 167

Administrationfunctions 94tasks 140

AdminMode keys See SL AdminMode keysAES decryption

See Decryption 45AES encryption

See Encryption 45amin user account 93AppOnChip functionality 64

Attacksclock tampering 81cloning hardware keys 81defense against 80emulating protection keys 81modifying key memory 80patching executables 80using terminal servers 81

B

Base Product 112Batch Code Admin

role 93, 151Batch Codes

about 36DEMOMA 94, 141for Features 109for orders 123for Products 112for RUS 138, 145introducing in Sentinel LDK 140Sentinel LDK user access 141

Branding RUS 138, 145Broadcast Search for Remote Licenses 242Bundles

how to do manually 252See Provisional Products 136

C

C2Vchecking in files 129data for cancellation 120data in files 128data in keys 129from cloned machine 129generating files 129, 138, 145storing data in Sentinel EMS 129viewing data 129

273 Index

Canceling licenses 119Cancellation Products

about 119defining 120example 120

Certificate-based SL keys, viewing contentsof 134

Checking in C2V files 129Clone protection 113

for physical machines 246for virtual machines 247

Cloned machineschecking in C2V 129

Code Transformation Engine 64Communication

between License Managers 242between protected application and local

LM 241Comparing protection solutions 32Concurrent instances

changing settings 119counting 115in entitlement 125license terms 115network environment 115per order 115

Connection loss with a Network license 167Cross-locking 35Custom reports 152Customer orders See EntitlementsCustomer Portal 133Customer Services

function 123role 93, 143

Customersauthorization to manage 143defining 124entitlements for 124locating 124

Customized Vendor libraries See Vendor libraryCustomizing RUS 138, 145

D

Data Encryption facilityabout 84prerequisites 86

requirement for RTE 158Data Encryption utility

about 84encrypting data files 84functionality 86launching 86prerequisites 86

Data filesdfcrypt.exe encryption 66encrypting 65handling 65

DataHASP See Data Encryption utilityDecryption

about 39, 45Default

password 140user name 140

Demo kit 22DEMOMA

Batch Code 94, 141Detachable licenses

configuring in Features 171preparing recipient machine 137RTE requirement 158

Details pane (in Sentinel EMS screen) 96Development

functions 135role 93, 123, 135

Distributing See also End user softwareRUS 138

Distribution list for reports 151DLL for Runtime Environment installer 137Driverless configuration

described 38how to upgrade to 256requirement for RTE 158

DuplicatingProducts 117

E

EID (entitlement ID) 124EMS

See Sentinel EMS 94Encryption

about 39, 45Data Encryption utility 84

Index 274

data files 65dfcrypt.exe 66

End-of-life Product 117End user software

about 156haspdinst.exe 162HASPUserSetup.exe 162merge modules 159

Entitlement Managerfunctions 123role 92, 123, 131

Entitlementsabout 91activating 133customers 124defining 124EID (entitlement ID) 124examples 129for HL keys 126, 132for Product Keys 126, 132for Protection Key updates 126for SL keys 126holding 128in production queue 127including Products 124producing 132Product locking types 125status values 128withdrawing 133

Envelope.NET considerations 68authorization to operate 93customizable parameters 61encrypting data files 65functionality 58Java considerations 76Linux prerequisites 73Mac prerequisites 75-76mandatory parameters 60prerequisites 62protecting .NET assemblies 67protecting Java executables 75, 77protecting Mac binaries 74protecting Win32 programs 63protecting Windows x64 programs 63running from commandline 66, 74-75

using Features 61workflow 59

Examplesdefining Features 100defining Products 101license cancellation 120license terms 104Modification Product 119order for HL keys 129order for Product Keys 130order for Protection Key update 130order using SL 130protection levels 104Provisional Products 138remote update with RUS 146trial use 138

EXE fileprotecting, See Envelope 136Runtime Environment installer 137with V2C data 136, 145

ExportAdmin Control Center format 137C-style header 137CPP-style header 137CSV format 137Feature data 110XML format 137

Exported functions (for AppOnChip) 64

F

Featuresabout 91Batch Codes 109defining 109deleting 110detachable licenses 115example 100exporting 110Feature ID 110Feature name 109identifying 100in Envelope 61in Products 100, 112license terms 104maximum number of 244status values 110

275 Index

testing for presence of 254transferring data 110

FilesC2V 120, 128EXE with V2C data 127, 133, 136export 110Product Keys 126, 132Provisional Products 136Runtime Environment EXE 137Runtime Environment installer DLL 137V2C 127, 133, 136

Filter tool (in Sentinel EMS screen) 96fingerprint 38, 246Formatting HL keys 129Function bars (in Sentinel EMS screen) 96

G

Grace periodsabout 103Provisional Products 116

H

HASP configuration 38, 158HASP HL keys See also HL keys

HASP HL keys in Sentinel LDK 38HASP search mode 61HASP SL keys See SL keyshaspdinst.exe 162hasplmd process 241HASPUserSetup.exe 162HL keys

attributes 39entitlements 126formatting 129order example 129orders 132Product activation 102protection 102requirement for RTE 158updating licenses with RUS 146upgrade to Driverless configuration 256

HL Network keysrequirement for RTE 159

HTTPfor TCP packets between two LM 243

I

IANA-registered socket 240ID

entitlement 124Feature 110

InstallingProvisional Products 136Runtime Environment 136Server 94

Introducing Vendor keys 94, 142IPv4 sockets 241IPv6 sockets 241

J

Javabehavior of protected executables 77protecting executables 75required RTE libraries 156

Java executablesconsiderations 76

K

KeySee Protection keys 36See Vendor keys 36

L

Legacy keys See SL Legacy keysLicense Generation API 96License Manager

how it handles lost connection 167local and remote LMs communication 242on a different subnet 170Run-time network activity 240types of 165

License termsabout 104assigning values 114canceling 119concurrent instances 115example 104for different entitlements 125Modification Products 118network access 115

Index 276

remote desktop users 115remote updates 126revoking 119selecting license type 114specifying 114transferring 119updating 126values per order 115virtual machines 115

License typesabout 104assigning values 114selecting 114values per order 115

Licensingabout 98fundamentals 33planning 33, 91, 99solutions 33

Licensing APIabout 50functionality 56login function 54planning requirements 53prerequisites 51samples 53ToolBox 52workflow 54

Licensing modelsdetailed description of 184overview 180preparing licensing plan 99

Licensing Plan functions 108Linux

distributing Runtime Environment 163List of reports 152Locating keys for update 127Locked Product

installing RTE for 137Locking Sentinel LDK users 142Locking types

about 101HL only 102HL or SL 103Products in entitlements 125selecting 112

SL only 102

M

Macdistributing Runtime Environment 162encrypting data for 85protecting binaries 74

MAC addressclone prevention 248

Main pane (in Sentinel EMS screen) 96Master key See also Vendor keys

about 37maintaining 142

Memoryabout 105defining 115storing data 116utilizing 46

Merge modules 159Modification Products

about 118defining 118example 119license terms 118

N

Networkaccess to license 115concurrent instances 115

Network activity (Run-time) in Sentinel LDK 240Network Seat licenses

released after loss of connection 167requirement for RTE 158

O

Obfuscation in .NET assemblies 71Obsolete Product 117Offline activation 134Online activation 134Order reference data 127Orders See Entitlements

P

Passwords (Sentinel LDK)assigning to users 142

277 Index

changing 93default 140receiving 93

Product activation 126manual 143with HL keys 102with SL keys 102

Product Keysabout 126authorization to manage 143entitlements for 126files 126, 132order example 130orders 132Product activation 143proof of purchase 126server verification 126use with SL keys 126

Product Management role 108Product Manager role 92Product name

how to make visible in ACC 260Production

entitlements in queue 127functions 123orders for HL keys 132orders for Product Keys 132role 93, 123, 131

Productsabout 91activation 92Base Product 112Batch Codes 112Cancellation Products 119defining 111duplicating 117End-of-life 117example 101grace, See Provisional Products 116in entitlements 124including Features 101, 112locking types 101, 112memory 115Modification Products 118Product name 112Provisional Products 116

reference data 112restoring 117status values 116trial, See Provisional Products 116types 112withdrawing 117

Protect Once–Deliver Many-Evolve Often 34Protection

against cloning 113against copying 31API, See Runtime API 50attack types 80Data Encryption utility 84defense against attacks 80elements 44encryption and decryption 39, 82fundamentals 30, 79inserting multiple calls 82intellectual property 31Java executables 75Mac binaries 74Method-level 68options 47programs and data files 45selecting method 46solutions 31solutions, combined 32solutions, comparison 32using checksum verification 82using Run-time API and Envelope 82

Protection Key memorySee Memory 105

Protection Key updatesabout 126applying remotely 126applying with RUS 145entitlements for 126for SL AdminMode keys 135implementing 92locating keys 127order example 130RUS example 146

Protection keysfor entitlements 125HL keys 37locating for update 127

Index 278

locking 101memory 116searching for 61selecting 36SL keys 38updating 126

Protection levelsexample 104HL keys 102per order 103SL keys 102

Provisional Productsdefining 116description 103example 138generating bundles 136generating V2C file 137in entitlements 124installing 126, 136key ID 136license terms 116, 136license to create 237output files 136properties 116Vendor library 136

R

Read-only memory 105, 116Read/write memory 105, 115Recycling HL keys 129Rehosting

using RUS 148Remote desktop

access to license 115Remote License Manager 242Remote Update System

See RUS 129Report Generation role 151Reports

about the Reports facility 150custom (user-defined) 152export formats 152granting permissions to work with 151license to generate custom reports 238list of available 152presentation formats 152

scheduling 151Restoring obsolete Products 117Roles 92

Batch Code Admin 93, 151Customer Services 93, 143Development 93, 123, 135Entitlement Manager 92, 123for Sentinel LDK users 141Product Manager 92Production 93, 123Report Generation 151Super User 93

RTESee Runtime Environment 137

Run-time Environmentcommand-line installer 137distributing for Linux 163distributing for Mac 162distributing to end users 157EXE file 137generating installer 136generating installer 137initializing 126installer API 137installer DLL 137installer PKG 137Mac PKG 137required for Detachable license 158required libraries for .NET and Java 156to optimize performance of 254updating 159when required 158

Run-time network activity 240RUS

applying Protection Key updates 145Batch Code 138, 145branding 138, 145customizing 138, 145description 138, 144distributing 138, 145example 146executable 145generating C2V files 138, 145instructions for end users 146processing V2C files 127, 133, 145with HL keys 146

279 Index

with SL keys 146

S

Secure storage 269Sentinel EMS

about 90description of screen 95evaluating 94, 141Home screen 94roles 92

Sentinel HL keys See HL keysSentinel LDK Envelope

See Envelope 58Sentinel LDK Runtime Environment

See Runtime Environment 137, 157Sentinel LDK ToolBox

See ToolBox 52Sentinel LDK users

See Users (Sentinel LDK) 141Sentinel License Manager

See License Manager 240Sentinel Licensing API

See Licensing API 50Sentinel Master key

See Vendor keys 94Sentinel protection keys

See Protection keys 36Sentinel Remote Update System

See RUS 127Sentinel SL keys See SL keysSentinel Vendor keys

See Vendor keys 37Server

connecting Master key 94installing 94

SL AdminMode keysabout 38applying update to 135attributes 39requirement for RTE 158

SL keysentitlements for 126order example 130Product activation 102, 126protection 102Runtime Environment 126, 136

tamper protection for Time-basedlicenses 250

updating licenses with RUS 146viewing contents of 134

SL Legacy keysabout 38attributes 39requirement for RTE 158

SL UserMode keysabout 38attributes 39effect on performance 254requirement for RTE 158

socket 1947 240Solutions

combined protection 32customizing 35protection 31protection, comparison 32

Specify Search Parameters field 242Standalone licenses

requirement for RTE 158Starter kit 22Status values

Features 110orders 128Products 116

Super User 93role 93

Supporttraining 26

T

Task buttons (in Sentinel EMS screen) 96Technical specifications 39Toolbox

authorization to operate 93ToolBox

about 52encrypting data 54

Transferring an SL key 148Trialware

about 103example 138license to create 237Provisional Products 116

Index 280

Trialware Module license, about 237

U

uDP notification packet 93UDP packets 242Unlimited Concurrency license type 237Unlocked License module 238Unlocked Product

defining 116Updates

See Protection Key updates 92Updating deployed keys 126Upgrade Sentinel HL key to Driverless

configuration 256Upgrade to Driverless attribute 257User roles

See Roles 92Users (Sentinel LDK)

access to batches 141default user name 140defining 141described 92locking 142passwords 93, 142preventing access 142roles 141user names 93, 141

V

V2Cdata in EXE 127default file location 133file for Provisional Products 136generating files 127, 133, 145input to Runtime Environment 137launching files 138processing with RUS 127, 133

Vendor-to-Customer fileSee V2C 127

Vendor Codeabout 36extracting 52Master Wizard 52

Vendor ID 270Vendor keys

Developer key 37

extracting Vendor Code 52introducing 94, 142maintaining Master keys 142Master key 37

Vendor library 136, 166, 270Virtual MAC address

clone protection 248Virtual machines

access to license 115clone protection 247

Vlib See Vendor libraryVolume license 218

W

Win32 programsbehavior of protected programs 63data file protection 65

Windows x64 programsbehavior of protected programs 63data file protection 65

WithdrawingProducts 117