2

We provide per server licenses of our application to your clients. What is the best way of ensuring they're not copied to other servers? It's a JBoss server application. Are MAC address restrictions sufficient enough? A lot of applications restrict by MAC address, but I think it can be faked quite easily.

HyderA
  • Have you instead considered running a hosted solution? Distributing licenses is a maintenance nightmare and an antiquated business model that is easily subverted. – allingeek Jan 26 '12 at 00:25

6 Answers

4

There are many issues with rolling your own license management software. If you lock to hardware, what happens when a server goes out and your customer wants to migrate to a new machine? Do you support hot standby? Do you support virtualization? Is it licensed per CPU or per instance? These are just a few sample questions that come into play; there are many, many more to consider.

Several years ago, I worked on a server system where we were required to implement license management and enforcement. We used FlexLM from Macrovision. It appears that it is now rolled into a new company and product suite as FlexNet. It was pricey but much better thought out for license management than a hand-rolled solution, and it can span pretty much any server licensing needs.

That said, I very much suggest that you do not approach license compliance in this way. Your customers are not likely to respond well to it, not because they want to cheat you on licensing but because you are adding extra steps, however minor, to the use of the software that they are licensing. In my experience, much better solutions include simply trusting your customers to abide by the license agreement (as a JBoss app I'm assuming you are dealing with corporate customers rather than a more easily "shared" consumer desktop app), include rights to audit via the license agreement, or set up the license so your customer can install at will and pay for licenses in use at specified periods. Your account managers should love having a touch point to ask about new licenses. In my experience with server software, when you make it easy for enterprise customers to expand use of your software, they tend to do so, resulting in net positive sales.

Whichever way you go, good luck!

philwb
  • +1 I've never seen or heard of a situation where DRM didn't do more harm than good. The pirates will just download a cracked version; by the time they see the product the DRM is already gone. DRM just serves to piss off your good paying customers. A simple key scheme to enforce things like license expiration is about as far as I'd go. – Sam Hanes Jan 24 '12 at 14:21
2

I believe that MAC address restrictions are not a very good idea. First, a server may have more than one network card. Second, network cards sometimes fail and need to be replaced, hence the MAC address changes.

A possibility is to collect some kind of hardware fingerprints of as many components as you can, and then use them to decide if this is the same machine or not. If you allow for some changes, changing a single component will not stop the software, but changing 2 or 3 will require your client to contact you to obtain a new license.

Of course the ultimate protection is the so called dongle. There is a nice Software protection dongle article in Wikipedia.

All in all, there is no protection that cannot be cracked. So whatever you choose, make sure that it does not harm your user, or you can lose more customers by virtue of a bad protection mechanism than by unlicensed use.

ShaMan-H_Fel
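An added example, not code from the answer above: the tolerant fingerprint comparison it describes, written in Java. The component set, the threshold of one changed component and all names are assumptions.

```java
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class TolerantFingerprintDemo {
    static final int MAX_CHANGED = 1; // assumption: one swapped component is tolerated

    // Hash each component separately so replacing one part changes only one entry.
    static String h(String name, String value) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest((name + "=" + value).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d).substring(0, 16);
    }

    // Components readable from plain Java; a product would add more (disk, board serials).
    static Map<String, String> collect() throws Exception {
        Map<String, String> fp = new TreeMap<>();
        fp.put("arch", h("arch", System.getProperty("os.arch")));
        fp.put("cpus", h("cpus", String.valueOf(Runtime.getRuntime().availableProcessors())));
        Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();
        List<NetworkInterface> nics = en == null ? Collections.emptyList() : Collections.list(en);
        for (NetworkInterface ni : nics) {
            byte[] mac = ni.getHardwareAddress();
            if (mac != null && !ni.isLoopback()) fp.put("nic:" + ni.getName(), h("nic", Arrays.toString(mac)));
        }
        return fp;
    }

    // Count licensed components that are missing or different on the current machine.
    static int changed(Map<String, String> licensed, Map<String, String> now) {
        int n = 0;
        for (Map.Entry<String, String> e : licensed.entrySet())
            if (!e.getValue().equals(now.get(e.getKey()))) n++;
        return n;
    }

    static boolean sameMachine(Map<String, String> licensed, Map<String, String> now) {
        return changed(licensed, now) <= MAX_CHANGED;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> licensed = collect();             // stored at activation time
        Map<String, String> oneSwap = new TreeMap<>(licensed);
        oneSwap.put("cpus", h("cpus", "999"));                // constructed: one component replaced
        Map<String, String> twoSwaps = new TreeMap<>(oneSwap);
        twoSwaps.put("arch", h("arch", "constructed-arch"));  // constructed: a second one differs
        System.out.println("unchanged: " + sameMachine(licensed, collect()));
        System.out.println("one swap:  " + sameMachine(licensed, oneSwap));
        System.out.println("two swaps: " + sameMachine(licensed, twoSwaps));
    }
}
```

The stored fingerprint is only as trustworthy as its storage: if the customer can edit it, the comparison can be made to pass, so it belongs inside whatever the vendor signs or issues.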
1

With licenses, if you want to crack it you can crack it ;) That being said, if you intend to use the MAC address to ensure that only one copy of your software is used, be prepared for the following:

  1. You need to support a single license on multiple MAC addresses, this is because customers will usually have multiple NICs and keep one of them active at a time.

  2. You will need to have a super fast customer service. Say your customer plans to transfer this software from one machine to another, then he will ask you for a transfer of license to the new MAC address. If the software is a time critical one then this transfer should happen very fast.
    Of course, you can combine solution 1 with Solution 2.

If the customer's server, on which you install your software, has access to the internet, then the best option would be to have an online license renewal, wherein your software will renew its license with your license server. But cost is an issue here, considering all the infrastructure required.

Consider this discussion before deciding on license schemes: license-scheme
Also this: how-are-software-license-keys-generated
And this consideration for License Management
Also, JLicense is a simple library to use for simple license management.

NiranjanBhat
0

Suggestion. Build in an automatic update of functional deficiencies (security patches/bug repairs/optimisations). And then do an ID & IP check.

Joop Eggen
  • Bad idea: first, in an enterprise environment, updates and patches are pushed uniformly. Also, what happens if the server is updated after our application is installed? The license key will fail. – HyderA Dec 24 '11 at 08:57
  • Just in the case you provide minor updates (patches), independent of developing new versions, this might be combined with a check on IP and license key. This is not so uncommon for commercial products. But yeah, it might not fit, and requires some effort. – Joop Eggen Dec 24 '11 at 21:46
0

You need to think about the following questions:

  1. Would your customer breach the license agreement?
  2. Is your customer skilled and could breach the protection?

If both answers are true, there is no chance to protect your software, unless you use a hardware component like a dongle.

If one answer is false, you could use this simple approach:

  1. While installing your software, generate an Install-Id on the customer machine using some secret algorithm, store it encrypted in an uncommon secret place on the machine, and show it to the customer.
  2. Request the Install-Id from the customer and check whether it was really generated with your algorithm.
  3. Generate a License-Key using a second secret algorithm and give it to the customer.
  4. Validate in your software that the License-Key was generated using the Install-Id.

Since the hardware can be replaced you can not use parameters like MAC address, so you have to use something generic like an Install-Id.

Roman K
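An added example, not code from the answer above: one way to implement steps 3 and 4 in Java. It swaps the answer's second "secret algorithm" for an RSA signature, so the shipped application carries only a public key and can check a License-Key but not produce one. The class name, the key format and the sample Install-Id are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedLicenseDemo {

    // Vendor side (step 3): runs only where the private key lives, never on the customer machine.
    static String issue(PrivateKey vendorKey, String installId, String expiry) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendorKey);
        s.update((installId + "|" + expiry).getBytes(StandardCharsets.UTF_8));
        return expiry + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(s.sign());
    }

    // Application side (step 4): checks that the key was issued for this Install-Id and is not expired.
    static boolean verify(PublicKey vendorPub, String installId, String licenseKey, String today) {
        try {
            int dot = licenseKey.indexOf('.');
            if (dot < 0) return false;
            String expiry = licenseKey.substring(0, dot);
            byte[] sig = Base64.getUrlDecoder().decode(licenseKey.substring(dot + 1));
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(vendorPub);
            s.update((installId + "|" + expiry).getBytes(StandardCharsets.UTF_8));
            return s.verify(sig) && today.compareTo(expiry) <= 0; // ISO dates compare lexically
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or tampered key
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair(); // demo key; a real one is generated once and kept by the vendor

        String installId = "7f3c2a91-demo-install"; // constructed sample value
        String key = issue(vendor.getPrivate(), installId, "2030-12-31");
        PublicKey pub = vendor.getPublic();

        System.out.println("same install:     " + verify(pub, installId, key, "2025-01-01"));
        System.out.println("copied elsewhere: " + verify(pub, "other-install-id", key, "2025-01-01"));
        System.out.println("edited expiry:    " + verify(pub, installId, key.replace("2030", "2040"), "2025-01-01"));
        System.out.println("after expiry:     " + verify(pub, installId, key, "2031-01-01"));
    }
}
```

Only the first check passes. The signature stops key forgery, not patching of the `verify` call itself, which is the limit the answers on this page already point out.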
0

The best way is to do this outside software, using the software agreement to place these restrictions. The customer can choose to follow the guidelines and be compliant or not. Chances are, if they're a public company, they're dealing w/ software audits and would rather just pay to be compliant than risk being sued.

Michael