
The Unique Machine Number in FlexNet Publisher and FlexNet Operations

WHITE PAPER

Table of Contents
Executive Summary
Part I: Introduction to Binding, Activations, and Unique Machine Identifiers
  Trusted-Storage Binding
  Activation, Reinstalls, Returns and Repairs
    First-Time Activation Process
    Reinstall Process
    Return Process
    Repair Process
  Properties of an Ideal Unique Machine Identifier
  Real-World Unique Machine Identifiers
  Difference Between Binding Elements and the Unique Machine Identifier
  Methods for Securing First-Time Activation
Part II: Development of the Unique Machine Identifier: From the Machine Identifier to Unique Machine Numbers
  Summary of Use Cases for the Unique Machine Identifiers
  Machine Identifier
  Unique Machine Numbers
  Issues with Unique Machine Number1 in FlexNet Publisher 11.6.1 to FlexNet Publisher 11.10.1
  Issues with Unique Machine Number2 in FlexNet Publisher 11.6.1 to 11.10.1
  Unavailability of Both Unique Machine Numbers
  License Generator Toolkit Policies for Unique Machine Numbers



Executive Summary
This white paper describes the history and use of the unique machine number in FlexNet Publisher and FlexNet Operations. The information about unique machine number usage in FlexNet Operations applies to the License Generator Toolkit as well. FlexNet Operations and License Generator Toolkit are publisher license server alternatives. License Generator Toolkit provides a library on which to build a custom publisher license server; FlexNet Operations offers a complete publisher license server solution.

Best practices for using unique machine number in FlexNet Publisher on any platform include the following:
- Enable all anchors (the default).
- On all Windows systems, always use the latest version of the FlexNet Publisher Licensing Service.
- Incorporate appropriate reinstall, return and repair policies in the back office.

Part I

Introduction to Binding, Activations, and Unique Machine Identifiers

This section provides an overview of the bind, activation, reinstall, return and repair activities used to maintain trusted storage and describes the role that the unique machine identifier has in performing these activities.

Trusted-Storage Binding
Binding is a technology in trusted-storage-based licensing designed to fulfill the following requirements:
- If trusted storage is copied to a new machine, it becomes untrusted.
- If an existing machine with trusted-storage licenses undergoes incremental small hardware upgrades, trusted storage remains trusted after each upgrade.

Binding is implemented as a measure of a number of hardware elements, each given a specific weight. A hardware element, known as a host identifier, can be the boot disk serial number, MAC address of a suitable Ethernet adapter, CPU identifier, BIOS identifier, RAM size, hostname, IP address, or another hardware element. If the total weight of all host identifiers changes more than fifty percent all at once, a binding break occurs, causing trusted storage to become untrusted. If the weight of all host identifiers changes less than fifty percent all at once, the binding measurement stored in trusted storage is reset to reflect the new hardware environment. When trusted storage becomes untrusted, end users can no longer check out its licenses. Usually the only way to reinstate trust is to run a repair on the trusted storage. (Repairs are discussed in the next section, Activation, Reinstalls, Returns, and Repairs.)

Note: Consider the following additional information about binding:
- Pre-12.8 FlexNet Operations versions do not support the ability to customize the binding elements used in a binding configuration.
- FlexNet Operations 12.8 offers a virtualization-aware binding option, described in part II: Relationship Between Unique Identifier for Virtual Machine and Virtual Machine Identifier.
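The weighted binding rule described above, as an added example (not FlexNet code). The weights, identifier names and sample machines are hypothetical, since the paper gives no values, and a change of exactly fifty percent, which the paper does not cover, is treated here as no break.

```python
# Added illustration of the weighted binding rule; not FlexNet code.
from dataclasses import dataclass

# Hypothetical weights: the paper says each host identifier has a weight
# but does not give the values.
WEIGHTS = {"boot_disk_serial": 3, "ethernet_mac": 3, "cpu_id": 2, "bios_id": 2,
           "ram_size": 1, "hostname": 1, "ip_address": 1}


@dataclass
class BindingResult:
    changed_fraction: float  # share of total weight that changed since last check
    trusted: bool            # False means a binding break
    stored: dict             # measurement held in trusted storage afterwards


def check_binding(stored, current, weights=WEIGHTS):
    """Compare the stored measurement with the host identifiers seen now."""
    total = sum(weights[name] for name in stored)
    if total == 0:
        raise ValueError("binding configuration has no weighted host identifiers")
    # An identifier that can no longer be read counts as changed.
    changed = sum(weights[name] for name in stored
                  if current.get(name) != stored[name])
    fraction = changed / total
    if fraction > 0.5:
        # Binding break: trusted storage becomes untrusted, measurement kept.
        return BindingResult(fraction, False, dict(stored))
    # Exactly 50% is not covered by the paper; treated here as no break.
    # The measurement is reset to reflect the new hardware environment.
    return BindingResult(fraction, True, {n: current.get(n) for n in stored})


def replay(stored, snapshots, weights=WEIGHTS):
    """Run check_binding over successive snapshots, stopping at the first break."""
    results = []
    for snapshot in snapshots:
        result = check_binding(stored, snapshot, weights)
        results.append(result)
        if not result.trusted:
            break
        stored = result.stored
    return results


# Constructed sample data: one machine upgraded in three small steps.
ORIGINAL = {"boot_disk_serial": "WD-1111", "ethernet_mac": "00:11:22:33:44:55",
            "cpu_id": "CPU-A", "bios_id": "BIOS-A", "ram_size": "8GB",
            "hostname": "ws01", "ip_address": "10.0.0.5"}
STEP1 = {**ORIGINAL, "ram_size": "16GB", "ip_address": "10.0.0.9"}
STEP2 = {**STEP1, "boot_disk_serial": "SSD-2222"}
STEP3 = {**STEP2, "ethernet_mac": "66:77:88:99:AA:BB", "hostname": "ws01-new"}
# Constructed second machine: every host identifier differs.
OTHER_MACHINE = {name: "other-" + name for name in ORIGINAL}

if __name__ == "__main__":
    for r in replay(ORIGINAL, [STEP1, STEP2, STEP3]):
        print(f"incremental: {r.changed_fraction:.2f} trusted={r.trusted}")
    print("all at once:", check_binding(ORIGINAL, STEP3).trusted)
    print("copied file:", check_binding(ORIGINAL, OTHER_MACHINE).trusted)
```

The same end state (STEP3) stays trusted when reached in small steps but breaks binding when it appears all at once, which is why the measurement is reset after every sub-threshold change.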

Activation, Reinstalls, Returns and Repairs

This section steps through the basic processes used to activate, reinstall, return, and repair license rights in trusted storage. To understand these activities, be familiar with the following terms:

Flexera Software: FlexNet Publisher White Paper Series


Term: Definition

Unique machine identifier: The unique identifier for the machine from which an activation request originates (also called the activation client). Two types of UMIs exist: the machine identifier and the unique machine number.

Fulfillment record: The license rights loaded in the customer's trusted storage as a result of an activation.

Fulfillment ID: An instance of a customer's RightsID. That is, the Fulfillment ID uniquely identifies a fulfillment record in the customer's trusted storage. (The Fulfillment ID is allocated to one machine only.)

Publisher license server: The publisher's activation server, which, in response to a request from an activation client, activates, reinstalls, returns or repairs license rights in trusted storage on the client.

Activation client: The customer machine that sends a request to the publisher license server to have license rights activated, reinstalled, returned or repaired in its trusted storage. This machine can be an enterprise license server or a FlexNet client (the machine running a FlexEnabled application).

Activation utility: The FlexNet Publisher program on the activation client that generates requests and processes responses from the publisher license server.

Entitlement ID: In general, an identifier pertaining to a customer's license rights, but the meaning of this ID differs depending on whether you are in FlexNet Operations or FlexNet Publisher. In FlexNet Operations, the Entitlement ID is much like an invoice ID, referring to the entire bundle of license rights purchased by a single customer. This invoice is made up of individual activation entries, each identified by an Activation ID that the customer can then request to activate on their machine as needed. In FlexNet Publisher, the Entitlement ID value is the same as FlexNet Operations' Activation ID, pointing to the specific activation entry that the customer wants to install from their FlexNet Operations entitlement. The customer obtains this ID from the publisher and includes it in activation requests. Note: FlexNet Publisher uses the Entitlement ID label in its V1 activations. When FlexNet Publisher introduced V2 activations, it changed the Entitlement ID label to RightsID. In either case, both IDs have the same value as FlexNet Operations' Activation ID.*

Activation ID: A FlexNet Operations identifier pointing to a specific activation entry in a customer's entitlement. Each activation entry contains a set of purchased rights that are related (for example, license rights for the same product or product edition or for the same license model). A customer's entitlement can contain multiple activation entries. This Activation ID value serves as the Entitlement ID or RightsID in FlexNet Publisher.

RightsID: A FlexNet Publisher identifier that is the same as FlexNet Publisher's Entitlement ID. (FlexNet Publisher uses the label Entitlement IDs in V1 activations and RightsIDs in V2 activations.) FlexNet Publisher obtains this value from the publisher and includes it in the activation request sent to the publisher license server. Both the RightsID and the Entitlement ID use the value of the corresponding FNO Activation ID in the customer's entitlement.


* The following process descriptions assume that an ideal unique machine identifier is being used.

First-Time Activation Process
A simplified first-time activation between the publisher license server (in this example, FlexNet Operations) and the activation utility on the activation client might run like this:
1. The activation client generates the activation request (containing the RightsID and unique machine identifier) and sends it to FlexNet Operations.
2. FlexNet Operations generates a new Fulfillment ID and then records the unique machine identifier, associating it with the Fulfillment ID. Additionally, the Fulfillment ID is associated with the RightsID. (A single RightsID can have multiple Fulfillment IDs associated with it.)
3. FlexNet Operations decrements the license count from the customer entitlement associated with this RightsID.
4. FlexNet Operations generates and sends the activation response (containing the fulfillment record, unique machine identifier, and activation request signature) to the activation client.
5. The activation client checks that the unique machine identifier in the response matches the unique machine identifier obtained from the activation utility. (This step is known as requester verification.)
6. The activation client loads the fulfillment record into trusted storage.

Reinstall Process
Certain situations require an end user to erase the data on the activation-client machine, resulting in the loss of trusted storage [1]. Under such a circumstance, the customer should be able to reinstate their license rights on this same machine without decrementing the license entitlement again. In this use case, the customer needs to reinstall the license, a process that uses the unique machine identifier:
1. The activation client generates the activation request (containing the RightsID and unique machine identifier) and sends it to the publisher license server (in this example, publisher license server).
2. Publisher license server looks up all Fulfillment IDs associated with the RightsID, and then determines which Fulfillment IDs, if any, match the unique machine identifier sent in the request.
3. FlexNet Operations does not decrement the license count from the end user's entitlement.
4. FlexNet Operations generates and sends the reinstallation response (containing the fulfillment records, unique machine identifier, and activation request signature) to the activation client.
5. The activation client loads the fulfillment record into trusted storage, as it had done previously.

Return Process
For license management purposes, FlexNet Publisher can request to return one or more fulfillment records. FlexNet Operations would process this request as follows:
1. The activation client generates the return request (that includes the unique machine identifier, RightsID, and Fulfillment IDs of records to be returned) and sends it to FlexNet Operations.
2. FlexNet Operations looks up the unique machine identifier in its stored information and determines that it is indeed associated with this RightsID.
3. In the end user's entitlement, FlexNet Operations increments the license count with the returned license.
4. FlexNet Operations generates and sends the response (containing the unique machine identifier and fulfillment IDs of records to remove) to the activation client.
5. The activation client processes the response to remove the license rights.

Repair Process
A parallel use case to reinstallation is a repair. For various reasons, trusted storage can become untrusted (see the FlexNet Publisher: Best Practices for Recovering Trusted Storage white paper for more information). When this happens, FlexNet Publisher can issue a repair request. If the publisher license server (in this example, FlexNet Operations) grants the repair, trusted storage becomes trusted again. The following examples describe two ways in which trusted storage can become untrusted:
- Case A: The trusted-storage file is copied to a new machine in an attempt to duplicate licenses. Such a security breach results in a binding break.
- Case B: The original licensed machine has a significant hardware upgrade, causing a binding break in trusted storage.
Both cases involve a binding break. However, the publisher would grant the repair request in Case B only, since the requesting machine is the original machine on which trusted storage was established. In Case A, a new machine (now acting as the activation client) is making the repair request. FlexNet Operations would process this request as follows:
1. The activation client generates the repair request (containing fulfillment IDs of records to be repaired) and sends it to FlexNet Operations.
2. FlexNet Operations determines that no unique machine identifier is associated with the fulfillment IDs.
3. FlexNet Operations denies the repair request and sends this response to the activation client.

[1] This is often the case when a laptop is returned by an employee who is leaving; IT reimages the laptop.
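The server side of the four exchanges above, as an added example (not Flexera code): a toy publisher license server that keys every decision on one ideal unique machine identifier. The class, method names and identifier strings are hypothetical, and it assumes repair requests carry the requester's unique machine identifier and that an activation request with no matching record is treated as a first-time activation.

```python
# Added illustration of the activation, reinstall, return and repair decisions.
class PublisherLicenseServer:
    def __init__(self, entitlements):
        self.counts = dict(entitlements)  # RightsID -> licenses still available
        self.fulfillments = {}            # Fulfillment ID -> (RightsID, UMI)
        self._serial = 0

    def _owned(self, umi, fulfillment_ids, rights_id=None):
        """True if every Fulfillment ID was recorded for this UMI (and RightsID)."""
        if not umi or not fulfillment_ids:
            return False
        for fid in fulfillment_ids:
            record = self.fulfillments.get(fid)
            if record is None or record[1] != umi:
                return False
            if rights_id is not None and record[0] != rights_id:
                return False
        return True

    def activate(self, rights_id, umi):
        """First-time activation, or reinstall when the UMI is already known."""
        if not umi:
            return {"status": "denied", "reason": "null unique machine identifier"}
        matches = sorted(fid for fid, (rid, recorded) in self.fulfillments.items()
                         if rid == rights_id and recorded == umi)
        if matches:
            # Reinstall: same machine, so the license count is not decremented.
            return {"status": "reinstalled", "fulfillment_ids": matches, "umi": umi}
        if self.counts.get(rights_id, 0) < 1:
            return {"status": "denied", "reason": "entitlement exhausted"}
        self._serial += 1
        fid = f"FID-{self._serial:04d}"
        self.fulfillments[fid] = (rights_id, umi)
        self.counts[rights_id] -= 1
        return {"status": "activated", "fulfillment_ids": [fid], "umi": umi}

    def return_rights(self, rights_id, umi, fulfillment_ids):
        """Return: only the machine the records were issued to may hand them back."""
        if not self._owned(umi, fulfillment_ids, rights_id):
            return {"status": "denied", "reason": "requester not verified"}
        for fid in set(fulfillment_ids):
            del self.fulfillments[fid]
            self.counts[rights_id] += 1
        return {"status": "returned", "fulfillment_ids": sorted(set(fulfillment_ids)),
                "umi": umi}

    def repair(self, umi, fulfillment_ids):
        """Repair: granted for the original machine (Case B), denied for a copy (Case A)."""
        if not self._owned(umi, fulfillment_ids):
            return {"status": "denied", "reason": "requester not verified"}
        return {"status": "repaired", "fulfillment_ids": sorted(set(fulfillment_ids)),
                "umi": umi}


def run_scenario():
    """Constructed walk-through; returns (step, status, licenses left) tuples."""
    rights = "RIGHTS-DEMO"  # constructed RightsID with two licenses
    server = PublisherLicenseServer({rights: 2})
    steps = [
        ("activate A", lambda: server.activate(rights, "UMI-A")),
        ("reinstall A after reimage", lambda: server.activate(rights, "UMI-A")),
        ("activate B", lambda: server.activate(rights, "UMI-B")),
        ("activate C", lambda: server.activate(rights, "UMI-C")),
        ("repair from copy on C", lambda: server.repair("UMI-C", ["FID-0001"])),
        ("repair from upgraded A", lambda: server.repair("UMI-A", ["FID-0001"])),
        ("return from B of A's record",
         lambda: server.return_rights(rights, "UMI-B", ["FID-0001"])),
        ("return from A", lambda: server.return_rights(rights, "UMI-A", ["FID-0001"])),
    ]
    return [(name, call()["status"], server.counts[rights]) for name, call in steps]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```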


Properties of an Ideal Unique Machine Identifier
The previous section demonstrated that the unique machine identifier is instrumental in initial activation, reinstall, and repair use cases. The unique machine identifier is recorded during initial activation on a machine and then used to verify the machine for a reinstall or repair. Ideally, a unique machine identifier should have the following properties:
- Global uniqueness, and therefore uniquely identifies the host machine
- Consistent availability on all native platforms supported by FlexNet Publisher. In other words, the identifier is always retrievable from the subsystem of any FlexNet Publisher-supported native platform; the retrieval process never returns a null value
- Consistent availability on virtualized platforms supported by FlexNet Publisher
- No elevated, administrative or root-privilege requirement to extract it
- Encrypted format to protect the privacy of the activation-client machine
- Immutability*, the degree of which is determined by the unique machine identifier's ability to remain unchanged under these conditions:
  1. Across consecutive calls within a single activation process
  2. After restarting the activation process
  3. After a reboot of the system
  4. After configuration changes on the system
  5. After the system has been re-imaged
  6. After the operating system has been upgraded
  7. After significant hardware upgrades in the system
  8. After a FlexNet Publisher upgrade on the system
* This document later refers to Type x Immutability, where x is one of the eight types of immutability defined above.

Real-World Unique Machine Identifiers
In practice, unique machine identifiers are not ideal. For example, some unique machine identifiers might have high uniqueness but low availability across an ecosystem of machines. Other unique machine identifiers might be unique and available, but do not have many of the immutability types defined in the previous section. In order to deal with varying levels of uniqueness or availability, one can generate multiple unique machine identifiers with complementary properties. For example, one unique machine identifier is likely to be unique, while another has high availability across multiple different machines. One can also define a set of heuristics when retrieving unique machine identifiers, such as the following:
- A null unique machine identifier is better than a nonunique one.
- A null unique machine identifier is better than one with a high mutability. One can set a minimal immutability heuristic, such as requiring that a unique machine identifier have at least Types 1, 2, and 3 Immutability (see the previous section) in order to be usable.
- For any machine, at least one unique machine identifier should have a non-null value.

Difference Between Binding Elements and the Unique Machine Identifier
Though interrelated, binding elements and the unique machine identifier differ in primary purpose:
- Binding is a process on the activation-client machine that locks trusted storage to the hardware fingerprint of a machine to prevent the copying of its trusted storage to another machine.
- The unique machine identifier is used by the publisher license server to verify that the machine requesting a reinstall, repair or return request is the same one on which the licenses were originally activated.

Methods for Securing First-Time Activation
At the time an activation request is issued, a vulnerability exists: the response could be processed on additional machines, thus granting the fulfillment record to unauthorized locations. The following two methods serve as solutions for deterring this exploitation.

Method 1: Binding Before Activation
Before the request for license rights is granted, require that trusted storage be created and bound to the requesting machine (see previous section). Then, when the request for activation is generated and sent to the publisher license server, a copy of the request is also saved in the newly bound trusted storage. The response from the publisher license server includes the sequence number and signature of the original request, which, in turn, is compared to the outstanding request stored in trusted storage. Any attempt to copy trusted storage to a second machine and process the response on that machine results in a binding break, thus preventing the response from being processed.

Method 2: Requester Verification
In this case, the unique machine identifier is sent in the request, which is also stored in the (unbound) trusted storage on the requesting machine. The response from the publisher license server now includes the sequence number and signature of the original request, as well as the unique machine identifier. As a result, the activation utility must verify not only that the sequence number and signature in the response match those of the request, but also that the unique machine identifier of the host matches the one in the response.
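The client-side check of Method 2, as an added example (not FlexNet code). The message fields and function names are hypothetical, a SHA-256 digest stands in for the real request signature, whose format the paper does not describe, and refusing a null identifier on the client is an assumption added so that two empty values never count as a match.

```python
# Added illustration of requester verification on the activation client.
import hashlib
import hmac
import json


def make_request(seq, rights_id, umi):
    """Build a request; the digest is only a stand-in for the request signature."""
    body = {"seq": seq, "rights_id": rights_id, "umi": umi}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "signature": digest}


def server_response(request, fulfillment_record):
    """Response echoes sequence number, request signature and UMI (Method 2)."""
    return {"seq": request["seq"], "request_signature": request["signature"],
            "umi": request["umi"], "fulfillment": fulfillment_record}


def verify_response(response, outstanding, host_umi):
    """Return (ok, reason). `outstanding` is the request copy kept in the
    (unbound) trusted storage; `host_umi` is read from the machine right now."""
    if outstanding is None:
        return False, "no outstanding request"
    if response.get("seq") != outstanding["seq"]:
        return False, "sequence number mismatch"
    if not hmac.compare_digest(str(response.get("request_signature")).encode(),
                               outstanding["signature"].encode()):
        return False, "request signature mismatch"
    # Assumption: a null identifier on either side never verifies.
    if not host_umi or not response.get("umi"):
        return False, "null unique machine identifier"
    if not hmac.compare_digest(response["umi"].encode(), host_umi.encode()):
        return False, "unique machine identifier mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: machine A asks, then the response and a copy of the
    # unbound trusted storage are carried to machine B.
    request = make_request(7, "RIGHTS-DEMO", "UMI-A")
    response = server_response(request, {"fulfillment_id": "FID-0001"})
    print("machine A:", verify_response(response, request, "UMI-A"))
    print("machine B:", verify_response(response, request, "UMI-B"))
```

Because the trusted storage is unbound in Method 2, the copied request still matches on the second machine; only the comparison against the identifier read from the host stops the response from being processed there.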


Methods Used in V1 and V2 Activations
FlexNet Publisher's first generation of activation, called V1 activation, uses Method 1. The second generation of activation, introduced in FlexNet Publisher 11.8.0 and called V2 activation, uses Method 2 and involves the use of the composite transaction. FlexNet Publisher 11.10.1 incorporates both methods in its V2 activation transactions. That is, it introduces a default trusted configuration, which allows binding when the first-time request is saved to trusted storage.

Part II

Development of the Unique Machine Identifier: From the Machine Identifier to Unique Machine Numbers

The previous sections introduced use cases for unique machine identifiers: how these identifiers are needed to provide requester verification for various activation activities and how they differ from the identifiers used in trusted-storage binding. Two types of unique machine identifiers are available: the machine identifier, introduced first, and the unique machine number, introduced later in response to the machine identifier's immutability issues. The following sections describe these two types of unique machine identifiers.

Summary of Use Cases for the Unique Machine Identifiers
In summary, the unique machine identifier provides requester verification for the following use case types:
- Type 1: Reinstall
- Type 2: Repair
- Type 3: Return
- Type 4: Secure first-time activation via requester verification
The machine identifier was FlexNet Publisher's first attempt at providing a unique machine identifier for these use cases. Later, FlexNet Publisher introduced the unique machine numbers in response to immutability issues with the machine identifier.

Machine Identifier
The machine identifier is generated from all host identifiers specified in a binding configuration. Given that the machine identifier is based on the binding configuration, a trusted section must be in place (that is, the trusted configuration processed) in order to generate the machine identifier. Each trusted section has its own machine identifier. The following describes the machine identifier's reliability as a unique machine identifier for the requesting machine:

Unique Machine Identifier Property: Uniqueness
  Machine Identifier on Native Platforms: High probability of uniqueness
  Machine Identifier on Virtualized Platforms: Medium probability of uniqueness [2]

Unique Machine Identifier Property: Never Null
  Machine Identifier on Native Platforms: High confidence level in having a non-null value
  Machine Identifier on Virtualized Platforms: High confidence level in having a non-null value, even on unsupported virtualized environments

Unique Machine Identifier Property: [label missing]
  Machine Identifier on Native Platforms: Yes
  Machine Identifier on Virtualized Platforms: Yes

Unique Machine Identifier Property: Immutability
  Machine Identifier on Native Platforms: Types 1, 2, and usually 3
  Machine Identifier on Virtualized Platforms: Types 1, 2, and usually 3

[2] In this case, the machine identifier is a composite of virtualised host identifiers.

As the table shows, the machine identifier has a low level of immutability. You can raise this level to some degree by removing more volatile host identifiers (such as the IP address and hostname) from the composite. However, the machine identifier remains a poor choice for immutability and is therefore not suitable for reinstall, return, or repair use cases. The following are additional considerations about the machine identifier:
- In FlexNet Publisher 11.8.0 through 11.10.0, requests for first-time V2 activations do not contain the machine identifier.
- As a result of the previous point, FlexNet Operations versions 12.7 and later do not use the machine identifier as a unique machine identifier.
- FlexNet Publisher 11.10.1 provides an optional feature (default trusted configuration), which results in a machine identifier being provided in first-time V2 activation requests.

Unique Machine Numbers
In response to concerns about the immutability of the machine identifier, FlexNet Publisher 11.3 introduced the unique machine identifier.

Description of Unique Machine Number1 and Unique Machine Number2
The following table describes the source of unique machine number1 and unique machine number2 on the various platforms for FlexNet Publisher versions 11.6.1 to 11.10.1. For these versions, FlexNet Publisher generates two unique machine numbers to increase the probability that at least one is always retrieved on a given supported platform.


Operating System: Windows
  Unique Machine Number1: Boot disk serial number
  Unique Machine Number2: Primary Ethernet Machine address (from first non-removable, non-virtual Ethernet device)

Operating System: Mac
  Unique Machine Number1: Mac Unique System ID. On newer systems, this ID is burned into the motherboard, rendering the number unchangeable. For older systems, this information is on disk and requires low-level formatting to overwrite it.
  Unique Machine Number2: Primary Ethernet Machine address

Operating System: Linux
  Unique Machine Number1: Composite of the serial numbers for all non-removable integrated device electronics devices. This value is available only if the FlexNet Publisher Licensing Service is installed. See Trusted Storage-Based Licensing Programming Reference for installation details.
  Unique Machine Number2: Primary Ethernet Machine address

Operating System: AIX
  Unique Machine Number1: Unique hardware serial number. This value is available on all PCI-based AIX hardware.
  Unique Machine Number2: Primary Ethernet Machine address

Operating System: HP/UX
  Unique Machine Number1: Unique hardware security key
  Unique Machine Number2: Primary Ethernet Machine address

Operating System: Solaris
  Unique Machine Number1: Serial number generated during manufacturing and written to the EEPROM. This value changes during an operating-system reinstallation on PC hardware. (In other words, unique machine number1 on Solaris Intel does not have Type 6 Immutability.) However, an operating-system reinstallation on SPARC hardware has no effect on unique machine number1.
  Unique Machine Number2: Primary Ethernet Machine address

Issues with Unique Machine Number1 in FlexNet Publisher 11.6.1 to FlexNet Publisher 11.10.1
The following are limitations in retrieving unique machine number1:
- Unique machine number1 requires elevated privileges on Windows, Mac, and Linux machines.
- On Windows and Linux, a few instances exist where hard-disk manufacturers provide models of hard disks with serial numbers that have a low degree of uniqueness. In addition, a virtualized boot disk is likely to have a serial number with a low degree of uniqueness, or have no serial number at all. No serial number results in a null unique machine number1.
- On Windows RAID devices, obtaining the boot-disk serial number might require distinct device drivers or methods that FlexNet Publisher does not support. Consequently, FlexNet Publisher might be unable to derive a unique machine number1 from a RAID (Redundant Array of Inexpensive Disks) device even if a valid serial number is available.
- On Linux, only IDE devices are queried for serial numbers. Consequently, unique machine number1 is often null on Linux systems.

Issues with Unique Machine Number2 in FlexNet Publisher 11.6.1 to 11.10.1
New versions of Linux allow names other than eth(x) for Internet Ethernet devices. (For example, these versions might use em(x).) FlexNet Publisher does not yet support querying interfaces for the new names; this can result in an inability to retrieve unique machine number2 on some newer systems.

Unavailability of Both Unique Machine Numbers
On certain unsupported platforms, FlexNet Publisher might retrieve neither unique machine number1 nor unique machine number2. When a request contains all null values for the unique machine numbers, FlexNet Operations treats the request as having an error.

Unique Machine Number3
FlexNet Publisher 11.10.0 introduced unique machine number3 as a unique identifier for virtual machines. Unique machine number3 is a hash of the virtualized SMBIOS [3] value. SMBIOS is commonly virtualized by hypervisor providers such as VMware and Microsoft. In addition, virtualization management systems such as VMware's VMotion ensure that all virtual machines being managed have a unique SMBIOS value.

[3] See http://www.dmtf.org/standards/smbios for further information.


Note: Consider the following additional information about unique machine number3:
- FlexNet Operations support for unique machine number3 starts with version 12.8.
- Unique machine number3 is available on virtualization-aware FlexNet Publisher architectures only.

Relationship Between Unique Machine Number3 and Virtual Machine Identifier
On virtual machines, FlexNet Publisher generates a virtual machine identifier for trusted storage binding and includes this in the activation request. To support the virtual machine identifier, FlexNet Operations 12.8 introduced a virtualization-aware binding option. If this option is enabled, FlexNet Operations specifies a bind-to-virtual machine identifier binding configuration in the response for any V2 activation request containing a virtual machine identifier. The virtual machine identifier and unique machine number3 have the same value, which is a hash of the virtualized SMBIOS.

Note: Consider the following additional information:
- SMBIOS is available also on the native hardware, but is not so widely supported by hardware providers as it is by hypervisor providers. However, the SMBIOS remains a candidate for a unique machine number(x) value for native systems in future FlexNet Publisher versions.
- Unique machine number3 and virtual machine identifier are identical values in requests generated in FlexNet Publisher 11.10.0. However, they remain as separate designations in the request because they are logically distinct: unique machine number3 is for machine verification in a reinstall, return or repair request, while the virtual machine identifier is the binding element.

Unique Machine Number Mutability
When a unique machine number value changes, FlexNet Operations can deny reinstall, repair or return requests. Consequently, Flexera Software avoids changing the underlying method by which a unique machine number is obtained across FlexNet Publisher releases (Type 8 Immutability). However, in some situations, circumstances beyond Flexera Software's control cause a unique machine number to change. One of these circumstances occurs when the operating system of a machine is upgraded (Type 7 Immutability). The upgrade can alter the order in which hardware devices are discovered. In addition, FlexNet Publisher can occasionally make minor updates to the methods of obtaining existing UMNs to take advantage of newer technologies or to fix bugs in the unique machine number retrieval process. Such updates will be made in such a manner as to minimally degrade the Type 8 Immutability of that unique machine number(x) value.

Relationship Between the Enterprise License Server and Unique Machine Numbers
The Enterprise License Server, also known as the vendor daemon, is a license server residing in an enterprise. The Enterprise License Server supports V2 activations between itself and a publisher license server to obtain and manage its licenses. However, the Enterprise License Server supports only V1 activations between itself and its enterprise clients. Additionally, it does not store unique machine number details about the enterprise clients during V1 activations and therefore cannot support reinstalls on those clients.

Unique Machine Number1 on Solid State Drives
A number of Windows machines that feature a solid state drive as the primary drive have been evaluated for use with FlexNet Publisher. Starting with FlexNet Publisher 11.6.1, unique machine number1 has been successfully retrieved on those solid state drive systems evaluated.

Unique Machine Number1 on Windows RAID Systems
Occasional issues occur in retrieving unique machine number1 from RAID systems on Windows. Since FlexNet Publisher 11.6.1, reports of these issues have substantially decreased. In cases where unique machine number1 is not available, FlexNet Operations uses the unique machine number2 value.

FlexNet Operations Policies for Unique Machine Numbers
The following describes how FlexNet Operations 12.7 or later handles unique machine number information:
- Any request containing all null values for unique machine numbers is rejected.
- All unique machine numbers that are present in a request are recorded and associated with the Fulfillment IDs of any fulfillment record that FlexNet Operations creates.
- FlexNet Operations maintains and periodically updates heuristics defining which unique machine number(x) values must be identical to those in the original activation request in order to grant a reinstall, repair, or return request. These heuristics can take into account a combination of factors including (but not limited to) the following:
  - Historical reliability of a unique machine number(x)
  - A new unique machine number(x) (such as unique machine number3)
  - Whether the platform from which the request originates is known to be virtualized
  - The presence of the machine ID in the request
  These heuristics are internal to FlexNet Operations, not configurable by publishers, and subject to change across FlexNet Operations versions.


All unique machine numbers that arrive in a request are specified in the <RequesterVerification> section of the response. Publishers cannot configure these policies.

License Generator Toolkit Policies for Unique Machine Numbers

Those publishers intending to use license generator toolkit must implement their own unique machine number-handling algorithm and back-end database. The following is offered as a best-practice recommendation. This recommendation attempts to provide some flexibility in supporting requests across multiple versions of FlexNet Publisher and license generator toolkit-based publisher license servers and in allowing machines to update their unique machine numbers. A simpler, but harsher, policy is always to require unique machine numbers in a request to be identical to those stored in the database and to treat the requesting machine as a new machine if no match is found.

Database Design

In a FlexNet Publisher request, the following information (when present) is used to identify the machine from which the request originated:

- The various unique machine number(x) values included in the request
- The machine ID(x) values included in the request
- The RightsID (or Entitlement ID in older V1 requests)
- The FulfillmentIDs within the <ExistingFulfillments> section of V2 requests (that is, existing FulfillmentIDs)

This can be encapsulated in the following database design:

[Figure: database design. E_RIGHTS (1) to E_FULFILLMENT (0..N); E_FULFILLMENT (1..N) to E_MACHINE (1); E_MACHINE to E_UMN (1..N).]

This design assumes the following:

- An entry in the E_RIGHTS entity is uniquely identified by RightsID.
- An entry in the E_FULFILLMENT entity is uniquely identified by FulfillmentID. A RightsID can result in multiple unique FulfillmentIDs across multiple machines.

Consider the following in using this database design:

- The important entity is E_MACHINE, which is the connector between the unique machine numbers of a machine and the FulfillmentIDs allocated to that machine.
- The design correctly reflects that a machine can have multiple unique machine numbers and that each FulfillmentID is allocated to only one machine.
- A machine generates a separate MachineID for each trusted section it creates. Most machines will have one trusted section, but multiple MachineIDs per machine can exist. MachineIDs should be stored in E_UMN.

A crucial factor in deciding whether to grant a request is being able to identify the machine from which the request originated. According to this design, if an existing FulfillmentID is included in the request, determining the requesting machine is easy. However, if no existing FulfillmentIDs are present in the request (as might be expected in reinstall requests), determining the requesting machine is more difficult. The two cases are dealt with separately in later sections.

Performing the Update-Unique Machine Number Step

After license generator toolkit processes and grants any valid request, it should always perform an update-unique machine number step:

- If existing FulfillmentIDs are included in the request, with at least one trusted FulfillmentID, then license generator toolkit should do the following to update the database:
  - Identify the machine in E_MACHINE associated with the trusted FulfillmentID, and update E_UMN with any new unique machine numbers or new MachineIDs in the request. A new unique machine number is defined as a non-empty unique machine number (x) in the request for which no corresponding entry currently exists for that machine in E_UMN.
  - Ensure E_FULFILLMENT has entries for all trusted FulfillmentIDs in the request.
- If new or repaired FulfillmentIDs are sent in the response, the E_FULFILLMENT and E_UMN entities are updated with the new unique machine numbers or MachineIDs sent in the matching request.

The purpose of this step is to ensure that new unique machine number (x) (and MachineID(x)) values are incrementally added to the set of unique identifiers associated with a machine.

Requests With Unique Machine Number3

Unique Machine Number3 takes precedence over every other unique machine number (x) in a request. If a request contains unique machine number3, a machine with a matching unique machine number3 must exist in order to grant the reinstall, repair or return request. This requirement exists because unique machine number3 is FlexNet Publisher's only virtual machine identifier.


If the request is granted, license generator toolkit must update the unique machine number information in the database as an additional step in request processing.

Requests Without Unique Machine Number3 But With Existing FulfillmentIDs

Repair, return or upgrade requests might include existing FulfillmentIDs, but contain no unique machine number3. The full algorithm for determining if the request should be granted is defined in the sample grantRequest pseudocode function specified in Using Machine Numbers and Existing FulfillmentIDs to Decide Whether to Grant Requests. The algorithm is forgiving on older clients, but tightens up on new clients. If the request is granted, License Generator Toolkit must update the unique machine number information in the database (see Performing the Update-Unique Machine Number Step) as an additional step in request processing.

Requests Without Unique Machine Number3 and Existing FulfillmentIDs

A request containing neither unique machine number3 nor existing FulfillmentIDs can be either a first-time activation or a reinstall request use case. FlexNet Operations distinguishes between the two request types by requiring the <Reason> element in the request activation action to have a value of 1 (for license servers only) or by a reinstall policy. In such cases, one can expect the request to contain a RightsID and one or more non-empty unique machine number (x) values. For reinstall requests, the first step is to generate a list of candidate machines, that is, a list of machines on which any FulfillmentID was ever generated against the RightsID cited in the request. The next step is to call the findMachine pseudocode function (see Using the RightsID and Unique Machine Numbers to Find Matching Machine). If a machine is found, the reinstall is granted.

Using Unique Machine Numbers and Existing Fulfillment IDs to Decide Whether to Grant Requests

Repair, return or lifecycle-operation requests (such as a product upgrade) are likely to contain details of existing FulfillmentIDs. For a given request, license generator toolkit should determine whether the request comes from the same machine on which the original activation occurred. The following is a sample pseudocode algorithm that license generator toolkit could use to determine whether to grant the request. (A lookup in the E_FID database entity determines the machineObj.)

    BOOL grantRequest (machineObj m, requestObj request)
    {
        // UMN3, if known on either side, decides the outcome on its own
        if request.UMN(3).exists or m.UMN(3).exists then {
            if (m.UMN(3) == request.UMN(3)) return TRUE
            else return FALSE
        }

        // Prefer UMN1 over UMN2
        // we always send up UMN1 in requests, even if it's the empty string
        // if a UMN1 was empty in the past, don't require it to be empty in the future
        // i.e. only check UMN1 if it's not empty
        if not(request.UMN(1).empty) and m.UMN(1).exists then {
            if (m.UMN(1) == request.UMN(1)) then return TRUE
            else return FALSE
        }

        // Prefer UMN2 over MID
        // we always send up UMN2 in requests, even if it's the empty string
        // if a UMN2 was empty in the past, don't require it to be empty in the future
        // i.e. only check UMN2 if it's not empty
        if not(request.UMN(2).empty) and m.UMN(2).exists then {
            if (m.UMN(2) == request.UMN(2)) then return TRUE
            else return FALSE
        }

        // Finally, check any MID values
        for_each MID md in m {
            if (request.mid(md.trustedID) == md) {
                return TRUE;
            }
        }
        return FALSE;
    }
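The database design and the update-unique machine number step described earlier can be sketched as follows. This is an added example, not code from the white paper or from License Generator Toolkit: the entity names are the paper's, while the column names, the `kind` encoding for identifiers, the function names and all sample values are assumptions constructed for illustration.

```python
import sqlite3

# Entity names are the white paper's; column names are assumptions.
SCHEMA = """
CREATE TABLE E_RIGHTS(rights_id TEXT PRIMARY KEY);
CREATE TABLE E_MACHINE(machine_id INTEGER PRIMARY KEY);
CREATE TABLE E_FULFILLMENT(fulfillment_id TEXT PRIMARY KEY,
  rights_id TEXT NOT NULL REFERENCES E_RIGHTS(rights_id),
  machine_id INTEGER NOT NULL REFERENCES E_MACHINE(machine_id));
CREATE TABLE E_UMN(machine_id INTEGER NOT NULL REFERENCES E_MACHINE(machine_id),
  kind TEXT NOT NULL,  -- 'UMN1'..'UMN3', or 'MID:<trusted section>'
  value TEXT NOT NULL, PRIMARY KEY (machine_id, kind));
"""

def machine_for_fid(db, fid):
    """The easy case: an existing trusted FulfillmentID names the machine."""
    row = db.execute("SELECT machine_id FROM E_FULFILLMENT "
                     "WHERE fulfillment_id = ?", (fid,)).fetchone()
    return row[0] if row else None

def update_umn(db, machine_id, rights_id, ids, fids):
    """Run after a request is granted. ids: identifiers in the request;
    fids: trusted FulfillmentIDs in it plus new/repaired ones in the response."""
    added = []
    for kind, value in ids.items():
        known = db.execute("SELECT 1 FROM E_UMN WHERE machine_id = ? AND kind = ?",
                           (machine_id, kind)).fetchone()
        if value and known is None:  # "new" = non-empty and no entry yet
            db.execute("INSERT INTO E_UMN VALUES (?, ?, ?)", (machine_id, kind, value))
            added.append(kind)
    for fid in fids:
        db.execute("INSERT OR IGNORE INTO E_FULFILLMENT VALUES (?, ?, ?)",
                   (fid, rights_id, machine_id))
    return sorted(added)

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO E_RIGHTS VALUES ('R-1')")  # constructed sample data
    m = db.execute("INSERT INTO E_MACHINE DEFAULT VALUES").lastrowid
    # First activation from an older client: UMN1 only, UMN2 sent as empty.
    first = update_umn(db, m, "R-1", {"UMN1": "aaa", "UMN2": ""}, ["F-1"])
    # Later repair from an upgraded client: existing F-1 plus a new UMN2 and MID.
    owner = machine_for_fid(db, "F-1")
    second = update_umn(db, owner, "R-1",
                        {"UMN1": "aaa", "UMN2": "bbb", "MID:1": "m1"}, ["F-1", "F-2"])
    stored = db.execute("SELECT kind, value FROM E_UMN WHERE machine_id = ? "
                        "ORDER BY kind", (owner,)).fetchall()
    return first, second, stored
```

Because the step only adds identifiers and never overwrites a stored one, a machine first seen with UMN1 alone can later be matched on UMN2 or a MachineID when UMN1 is unavailable.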


Using the RightsID and Unique Machine Number to Find Matching Machine

In the reinstall use case, the request might contain no existing FulfillmentIDs, only the RightsID and unique machine numbers. If such a request is received (and license generator toolkit determines it to be a reinstall request), the following sample pseudocode algorithm determines to which machine, if any, the reinstall request can be granted. (Before calling findMachine, the caller first determines a list of candidate machines via a lookup in the E_RIGHTS database entity.)

    machineObj findMachine(listOfMachines lm, requestObj request)
    {
        // UMN3 trumps other UMNs. No UMN3 match means we fail to find a machine
        if request.UMN(3).exists then {
            for_each machineObj m in lm {
                if request.UMN(3) == m.UMN(3) then return m
            }
            return nullMachine;
        }

        // if we can't find a UMN3 match, we'll look for a UMN1 match,
        // but only in machines where there is no existing UMN3 in E_UMN
        if not(request.UMN(1).empty) then {
            for_each machineObj m in lm such_that not(m.UMN(3).exists) {
                if request.UMN(1) == m.UMN(1) return m
            }
        }

        // if we can't find a UMN3 match, or a UMN1 match we'll look for a UMN2 match,
        // but only in machines where there is no existing UMN3 or UMN1 in E_UMN
        if not(request.UMN(2).empty) then {
            for_each machineObj m in lm such_that ( not(m.UMN(3).exists) and not(m.UMN(1).exists) ) {
                if request.UMN(2) == m.UMN(2) return m
            }
        }

        // finally we'll look for a MID match
        for_each machineObj m in lm such_that ( not(m.UMN(3).exists) and not(m.UMN(1).exists) and not(m.UMN(2).exists) ) {
            for_each MID md in m {
                if (request.mid(md.trustedID) == md) {
                    return m;
                }
            }
        }
        return nullMachine;
    }


Flexera Software LLC 1000 East Woodfield Road, Suite 400 Schaumburg, IL 60173 USA


Copyright 2012 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners.

FNP_WP_UMN_Feb12