FlexNet Embedded Knowledge Base

cancel
Showing results for 
Search instead for 
Did you mean: 
Knowledge Base Categories
Summary Does Flexera offer static versions of libFlxComm64 and libFlxCore64 so that we can fully link our executable at build time? Question - libFlxComm64 and libFlxCore64 and the equivalent DLLs on Windows are dynamically loaded at runtime. Does Flexera offer static versions of these so that we can fully link our executable at build time? Answer FlexNet Embedded does not have static versions of libFlxComm and libFlxCore for the XT kits.
View full article
Summary What kinds of circumstances can lead to the "Response out of order with previous responses" error? Question What kinds of circumstances can lead to the "Response out of order with previous responses" error?   Answer The reason of the behavior is because FNE server is not built to talk to FNE client more than once per second, it might be returning the same time stamp. The repeating timestamp is the reason for the error. "Response is out of order with previous responses" refers to FLXERR_RESPONSE_STALE. That happens when you try to apply an old (or same) response to TS. You can generate a request to find what the last response time is that's stored in TS. Compare that against the response time of the capability response you are trying to process, which has to be greater or else you will get the error:   Additional Information There's no way to bypass this validation, but please consider it as more of a warning that an error and generally can be safely ignored. Look at those errors as the server equivalent to an exasperated parental response to the oft repeated question from their child of "Are we there yet?". There's little reason to ask for an update to your license rights more than once a second as the expiry of those license rights will be on a second boundary. If you're attempting some kind of load test, you might do better to simulate more than one client. Please note, if you had more than one process sharing the same TS, you also might conceivably get that error. It's not so much if the requests are different, what's important is either having 1 second between responses OR having the different request/response pairs be for different Host ID/Trusted Storage files. Certainly if the requests come from different systems then you should not see this error as long as each system is keeping a nice pause between requests, Examples: (Each pair is run on the same physical system.) Host ID Trust Storage Path Requested Feature Request Time Response Time Result 112233445566 \licenses\ Feature1 12:01:00.10 12:01:01 Success 112233445566 \licenses\ Feature1 12:01:00.20 12:01:01 Error Host ID Trust Storage Path Requested Feature Request Time Response Time Result 112233445566 \licenses\ Feature1 12:01:00.10 12:01:01 Success 112233445566 \licenses\ Feature2 12:01:00.20 12:01:01 Error Host ID Trust Storage Path Requested Feature Request Time Response Time Result 112233445566 \licenses\ Feature1 12:01:00.10 12:01:01 Success 112233445566 \licenses\ Feature2 12:01:00.90 12:01:02 Success Host ID Trust Storage Path Requested Feature Request Time Response Time Result 112233445566 \licenses\ 123456\ Feature1 12:01:00.10 12:01:01 Success 112233445577 \licenses\ 123457\ Feature2 12:01:00.20 12:01:01 Success
View full article
Summary When the FlexNet Operations backoffice removes support for older versions of TLS, communication between the backoffice and .NET XT clients may be disrupted. The cause for the disruption has been traced to .NET XT client applications being built against .NET framework versions older than 4.6. The problem with building against these older versions is that, by default, the .NET communications will utilize the older version of TLS. This article describes how to diagnose if the communication failure is caused by the TLS version by using a packet sniffer. In this example, we will use the Wireshark packet sniffing tool.  Configuring the Wireshark packet sniffer We will use Wireshark to see the TLS communication between the client application and backoffice server. In order to do this, we will need to filter on the following:  The client's ethernet adapter (if unsure which to use, select all of them) The protocol: TLS Communications to and from the target ip address Using Wireshark The client application uses the following url to communicate to FlexNet Operations:  https://<tenant>-uat.flexnetoperations.com/operations/deviceservices Using nslookup or ping for the hostname, you can obtain the communications ip address  NOTE: In the example below, internal ip addresses have been obfuscated or modified for security reasons.  For the example, the ip address to use is 64.12.34.56. Next you will need to set up Wireshark to filter for this ip address communication and the TLS protocol. To do that, you specify "(ip.src== 64.12.34.56 or ip.dst == 64.12.34.56) and tls" as the display filter. Do not set this as the capture filter. Then select the appropriate ethernet adapters. Click the button with the shark fin to start capturing. Below we have an example using C# XT client (using .NET framework 3.5) sending a capability request to the FlexNet Operations url. Notice the client specifies using TLS 1.0 and the failure to communicate with the backoffice. If we update the client application to use .NET framework 4.6 or greater, and send another capability request to FlexNet Operations, we observe the TLS version is 1.2 and the communication is successful.
View full article
Summary This KB article helps to resolve the issue - When processing a capability response from the back office, the following error is reported - FLXERR_RESPONSE_STALE - 'Response is out of order with previous responses' Symptoms When processing the capability response from the back office, the following error is reported: FLXERR_RESPONSE_STALE - Response is out of order with previous responses. Example use case: Capability Request 1 to FlexNet Operations contains a client trusted storage last-response timestamp of "never". Capability Response 1 from FlexNet Operations contains a timestamp of (say) "Wednesday at 4:00". Capability Request 2 to a local server contains a last-response timestamp of "never". Capability Response 2 from the local server contains a timestamp of (say) "Wednesday at 4:30". Capability Response 2 is processed, and client's trusted storage last-response timestamp is updated to "Wednesday at 4:30". Capability Response 1 can't be processed because its timestamp is earlier than what's already there, and so it returns the FLXERR_RESPONSE_STALE error.   Cause This behavior is intentional to prevent an adversarial user from saving a response, processing it to use its licenses, returning the licenses, and then re-processing the old response to get illicit licenses. Resolution There is the option to use a buffer license (what FlexNet Operations calls a pre-built license) from FlexNet Operations, if the device ID is known ahead of time. This would sidestep the issue, reported above, with timestamps.. Otherwise, there isn't a built-in "purge the anchor" operation. (There's a FlxPublisherDeleteTrustedStorage function, but it does not delete the anchor.) Depending on how anchoring has been implemented, you could delete the file/data themselves, but be aware it's dangerous to have the anchor in an easy-to-find location.  
View full article
Summary Process for adding a new platform to FlexNet Embedded by applying new Publisher/Platform keys to the "Publisher Identity Utility". Synopsis If a customer is sent new license (platform) keys from Flexera Software and the only purpose for them is to add additional platforms to FlexNet Embedded (FNE), you do not need to create a new identity. Instead, you only need to update the existing identity. With older versions of FNO, this could be done directly via the UI. Newer versions of FlexNet Operations don't allow you to change vendor keys with existing identities directly. I.e., once you've created them, the vendor key fields are read only in the UI. So instead you need to export the identity, then modify it via the Publisher Identity Utility (pubidutil) from your toolkit (in the bin/tools directory). To do this, open the downloaded identity with pubidutil and then change the vendor keys (and ONLY the vendor keys). And then click "Finish" to save it. Note, this allows you to include the new platforms without changing the internal seed values, so your older clients compiled with the original identity will still work with the licenses generated using the updated identity (which just added more platforms) as well as licenses generated with the pre-upgraded identity. After it's saved, import the updated identity back to FlexNet Operations and you should be good to go. If you've inadvertently deleted your existing identity (and don't have a backup), you can create the identity again via the BackOfficeIdentity (which is where the internal seeds were originally generated). If you lost the BackOfficeIdentity, you're out of luck (unless you happen to have a backup of your database or some other means to get a copy of the original BackOfficeIdentity before you upgrade the identity to add new platforms with updated vendor keys). Discussion Following is the detailed set of instructions on updating an existing Identity with updated Publisher Keys : 1. In the Producer Portal select Administer / Identities, then select the identity that you have already created to View the Identity. 2. At the bottom of the View Identity page select "Binary File" to download and save the current Back Office Identity locally. The file name is IdentityBackOffice.bin. Make a local backup copy as you can always revert back if necessary. 3. Run the pubidutil tool located in the /bin/tools directory of any of the FNE SDKs. If you don't have this readily available, you can download the tool from the Flexera Product and License Center via FlexNet Licensing/FlexNet Embedded/FlexNet Embedded Licenses & Tools: 4. Select Browse under Back-Office Identity and browse to the IdenityBackOffice.bin saved in Step 2. 5. This will populate the UI with your existing keys & Identity Information (example shown below): 6. Update the Publisher Keys with the new keys you receive from Flexera. You can click "Check Keys" to make sure they were input correctly. It should respond with Expiration: Permanent. 7. Click Finish. Your IdentityBackOffice.bin has now been updated, you now need to upload this modified Identity in FlexNet Operations. 8. From the Producer Portal View Identity Screen select Edit this Identity. You should see the Update Identity menu shown below: 9. Select Choose File and browse to the location of the modified IdentityBackOffice.bin, followed by Save. You will receive a warning, select "I am sure" to complete. When you make an update to add additional platform support in this manner you will NOT affect any existing devices and requests from devices with the previous version of the identity will also work. 10. You can now download the client identities for use on platforms that were not previously enabled.
View full article
Summary Ways to tune an XT kit to optimize performance Question Please elaborate on how to go about optimizing the performance of XT kits. Answer Tuning XT Kit Performance The XT kits now include the Identity Update Utility (identityupdateutil) which we provided to allow publishers a certain amount of control over the behavior of various low level mechanisms used by the client. It takes client identity data as an argument and spits out an updated version which contains extra configuration data. When this identity data is loaded by the XT kits those settings are used to configure that behavior. We will probably continue to add new options to this over time so it's always worth picking up the latest docs. Observations In general, the big items that impact performance of the XT kits are either: Operating system mechanisms to discover host-ids. Operating system mechanisms to detect virtualization. Tamper resistance checks on image integrity (e.g. checksums or signature validation). Tamper resistance protection of FlxCore is an up front check which we do in one the early API calls (depends on C, Java or C# kit and platform). Ideally we'd like to be able to offer producers the choice to control that, dial it back, disable it, etc - but the reality is that we can't think of a way to disable it that doesn't weaken the security (or cost us significantly in QA/support). This has an impact but it only happens at the start of the process which means the main situations where that is a problem is where startup time. With the passive changes outlined below we hope that virtualization detection performance will cease to be a problem, and we may look to add the ability to cache detection going forward if it should prove to be a problem again. Host-id detection performance is a moving target for us. Hopefully by adding the caching mechanism described below we'll have dealt with the sort of concerns that come up most, and then we provide the further tweaks to control which mechanisms we use if startup performance becomes a problem. Passive Changes Before we go into using the tool, it's worth noting that we've also made a number of other performance tuning improvements which you may benefit from (2017.11 onward) and which you don't need to do anything to see the benefit of: At least on Windows, it turns out that the detection of the particular type of virtual machine is much more costly than simply detecting that we are running virtualized. Since nothing appeared to actually leverage this VM type (aside from idle curiosity) we no longer lookup VM type by default, leading to some nice performance improvements. If you still want it, that needs to be enabled by the publisher using the Capability Request addVmInfo API. We optimized some code paths that were repeatedly iterating across host-ids where it wasn't necessary. The effect was cumulative (I think) across the number of features, so not everyone would see the benefit of this optimization. Active Changes: Host-ids Explicitly, if host-id lookup performance is a problem then I suggest the producer experiment with things in the following order: Change Switch   Restrict host id detection to expected types -restrict-device-id <type> This might not make much difference but it's a good idea anyway. Note that this should be specified repeatedly to support different types (some combination of 'vmuuid' along with 'mac_ecmc' and 'mac', would be typical). This is a risk free operation. Cache host-ids -enable-device-id-caching all If you want the cache to periodically be refreshed you would also provide "-caching-duration <seconds>". This might have some consequences if the host-id is removable and a caching duration isn't specified as once you have that host-id you will have it for good (see our docs for details). Limit the mechanism to a faster but not always correct version (Windows only) -restrict-device-id-detection mac (and don't also use -restrict-device-id-detection mac_ecmc) The situations in which it is not always correct are pretty complicated. We don't see them often and they typically depend on weird Windows configurations around networking (teamed NICs for example). This option is the final option to try after first testing if you still see performance challenges with the previous approaches. Measurements With these changes, we've also formalized the process of measuring performance of XT kits. It's subjective but we tend to find that ignoring the startup cost of TRA and first host-id lookup (assuming host-id is cached) and with VM detection only (not type) that for the Java XT kits the process of creating a capability request and processing the response takes less than 40ms across Linux and Windows, including comms. TL;DR So the final result could be one of: Best reliable performance -restrict-device-id mac_ecmc -restrict-device-id mac -restrict-device-id vmuuid -enable-device-id-caching all Best performance, but may struggle to get correct host-ids on Windows in every situation -restrict-device-id mac -restrict-device-id vmuuid -enable-device-id-caching all  
View full article
Summary How do you return acquired license with Feature information and not just the last acquired license? Question We're using FNE 2018 R1 and wants to release/ return a few selected node-locked licenses. Currently, for node-locked licenses, we are able to release only the last Acquired license. Is it possible to return few acquired licenses? eg: Step 1: Acquire("Feat 1" , 1); Step 2: Acquire("Feat 1" , 3); Step 3: Release("Feat 1", 1); Step 4: Release("Feat 1", 2); Step 4: Release("Feat 1", 1); We are acquiring/releasing from local Trusted Storage. There is no error as such. FlcReturnLicense expects the license reference pointer which is returned by the FlcAcquireLicenses method. The problem is it is tedious to maintain the reference to the list of acquired features, hence we want to know how to return the acquired license with the "Feature information" and not just the last acquired license. Is this possible, and if so, how? Answer Perhaps one approach would be to make use of FlxPublisherLicenseCollectionCreate to get hold of the collection of acquired licenses and then return an appropriate entry assuming they find one that matches, but note that these are effectively the handles returned by FlxPublisherAcquireLicense(s) so they cannot return a partial count, although the presumption would be you could then change your acquisition calls to request one count at a time and then you'd be able to return one as needed. In this case you no longer need to keep track of license handles themselves.
View full article
Question How to get the activation ID from TS or by other means such that user of producer's software does not need to provide the activation id when they wish to return the license? Answer 1. If you include the activation ID in the license model with the Vendor String defined as {EntitlementLineItem.activationId} then your product user will have the Activation ID(s) in Trusted Storage. If the activation ID is part of the vendor string then the client application will have access to it PROGRAMATICALLY as it can be obtained via FNE API. You would need to explicitly code this but in the end, the user NEED NOT enter the Activation ID. Please refer to the attached file (ActivationID_in_TS) for a brief example and how this would work. 2. ManageDeviceService web service has a getDevicesQuery that can take the device ID or alias as the query parameter, and addOnActivationId can be configured to be returned in the response. But this web service is governed by some license restrictions.
View full article
Summary Can you have more than 1 product with a preinstalled device license? Question Using FlexNet Operation (FNO) 2017 R1 along with FlexNet Embedded (FNE), when creating a device in FNO, you have the option to add preinstalled licenses. However, the functionality is falling a bit short of our needs, as there is only a button to add a product (no way to remove it). Also, there doesn?t appear to be any way to add more than one product. When you click Add, to add another product license, it just replaces the existing one. Is there a means of getting FNO to add more than 1 product to a pre-installed license on a device? We have a large number of optional features that we want to be able to license on an ad-hoc basis. Creating Products with every combination of possible features would be very onerous. Note that in some instances the software will be installed in locations with no internet access. We're aware that we can assign licenses via creating an entitlement of multiple products, and fulfilling a capability request (which we're intending to do for most customers with an internet connection). And we can also send the capability request as a file via other means if there is no internet connection, but the pre-installed license allows them to send just a license file to a customer without first generating a capability request, and is also the neatest way to handle dongle-based licenses (where we know the hardwareID in advance). In both of these cases we'd appreciate the facility to generate a license file consisting of features from more than 1 product through FNO. At the moment, the only way around this is to use the licensefileutil that comes with FNE for these type of custom licenses that are distributed in a file (or loads of custom products in FNO). Are there any options available? Answer No, the FNO database schema does not currently allow this. Logically, in the service layer code, it could work, but there's no way to get FNO to call the service layer with the right parameters currently. An alternate option would be to deliver "add-ons" in the buffer license if you want, by using a device model with both pre-installed and add-ons delivered in the buffer license. This does generate a completely new buffer license each time, not a series of incremental buffer licenses, but it's not clear that that wouldn't work for you. It doesn't require any cap request upload. You can't remove copies of mapped add-ons that are delivered in this format however (because it would be too easy to cheat by just not loading the new license file), so that might be a showstopper if you need that functionality.
View full article
Summary How are VM cloning or snapshots mitigated to prevent license leakage? Question Assume you have customers who operate within networks that are completely disconnected from the Internet. You're using an embedded license server which is preloaded with certain number of licenses and installed on a machine on the network accessible to other machines. (The machine with the license server are not connected to the internet). Here's the scenario: The customer installs the embedded license server in a virtual machine (VM). Takes a snapshot. The other machines will connect to this VM and obtain licenses. After all the licenses are consumed, the customer resets the VM to the original snapshot. Does that mean they will get to consume more licenses? Even if the embedded license server is not allowed in a VM. The customer can install it on a different machines and direct the software to use this different address to get more unpaid licenses. How is this handled? Answer Snapshot and clone are synonymous in terms of how this works in that the only differentiator is a generation (or time) gap. Trusted Storage (TS) is tied to the hostid and if the VMUUID changes then TS becomes invalid. So it is dependent on what you tie the license to and if the UUID is liable to change after the image copy is re-instated. A few of the docs have some information on this. A feature is tied to a particular client using a HOSTID value. In the default toolkit examples, clients are assumed to have a hard-coded string identifier ?1234567890?, while in practice your code specifies the desired type of client identifier (such as an Ethernet address) to examine at run time in order to compare it with the identifier in the license rights. In addition it is possible to tie the hostid to the VMUUID: UUID of a supported virtual machine: HOSTID=VM_UUID=uuid, as in HOSTID=VM_UUID=AAAAAAAA-BBBB-CCCC-DDDDEEEEEEEEEEEE Essentially it behaves like FlexNet Publisher (FNP), if the UUID changes there will be a license break. If it doesn?t then there will be no break. For a VM that has GenerationID then this would not be an issue as the UUID will change if it is cloned (or copied/snapshot/whatever). Please note that as with FNP, there are some caveats, such as the issue that the UUID will not change for VMWare. We are continually working on making this more robust.
View full article
Summary How to Retrieve the Host ID String in the FNE Binary License File Synopsis This article aims to show how to retrieve the hostid from a Binary license file using the Flexnet Embedded Client API calls. Discussion The following is an example of a Binary License file: INCREMENT survey fnedemo 1.25 1-jan-2015 uncounted HOSTID=ID_STRING=teststring INCREMENT highres fnedemo 1.25 1-jan-2015 uncounted HOSTID=ID_STRING=teststring To return the hostid it is possible to use the following call getHostIds. As an example modify the View.c sample that is provided so that the following call is performed: *if(feature.getHostIds() != null) { info.append(" HOSTID=\"" + feature.getHostIds() + "\""); } This should then return the following values based on the license file: Features found in C:\Users\sflynn\Documents\NetBeansProjects\View\license.bin highres 1.25 01-Jan-2015 uncounted HOSTID="{STRING=[1234567890]}", Acquisition Status= Not valid for acquisition: Signature didn't pass validation. survey 1.25 01-Jan-2015 uncounted HOSTID="{STRING=[1234567890]}", Acquisition Status= Not valid for acquisition: Signature didn't pass validation.
View full article
Summary What Version of OpenSSL is part of your latest release of FlexNet Embedded? Question What Version of OpenSSL is part of your latest release of FlexNet Embedded? Answer This is covered in the disclosure documentation included with each release under the Product and License Center. For example, the version of OpenSSL used in FNE 2014 R2 (2014.09) is 1.0.1h. FNE 2017 R1 is on 1.0.2j. Additional Information In February, 2017, OpenSSL released security patch "OpenSSL version 1.1.0e" https://www.us-cert.gov/ncas/current-activity/2017/02/16/OpenSSL-Releases-Security-Update However, please note that 1.0.2 is not effected by this issue, as seen below. OpenSSL Security Advisory [16 Feb 2017] ======================================== Encrypt-Then-Mac renegotiation crash (CVE-2017-3733) ==================================================== Severity: High During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected. OpenSSL 1.1.0 users should upgrade to 1.1.0e This issue does not affect OpenSSL version 1.0.2.
View full article
Summary How to resolve License Server startup error "ERROR keystore validation failed. identity data has changed" Question How to resolve License Server startup error "ERROR keystore validation failed. identity data has changed" 2016-04-07 13:29:35,634 INFO Starting FlexNet License Server 2016.03 (build 180349) 2016-04-07 13:29:35,634 INFO Copyright (C) 2013-2016 Flexera Software LLC. 2016-04-07 13:29:35,634 INFO All Rights Reserved. 2016-04-07 13:29:35,634 INFO Running as a service 2016-04-07 13:29:43,040 ERROR keystore validation failed. identity data has changed 2016-04-07 13:29:43,040 FATAL Unable to create database connection 2016-04-07 13:29:43,040 INFO Stopping FlexNet License Server Answer This error indicates the identity was changed from what's expected (likely due to a different identity still residing in Trusted Storage). To resolve this, clean (overwrite or delete) the existing Trusted Storage, then use the new identity.
View full article
Summary Are the XT kits compiled with Secure Anchoring and Binding Question Do you need to do the steps for Secure Anchoring to get the FLCERR_TS_BINDING_BREAK error as a return value? Or is there already some default hardware data stored that will trigger this if the Trusted Local Storage (TLS) files are copied from one device to another? Answer All the XT kits are compiled with Secure Anchoring, but Binding is not present (as the host-id node locks). However, at some point in the future it almost inevitably will. Either model of anchoring can cause anchoring to break, but from our perspective, Trusted Storage is a conceptual mechanism for securely storing data which cannot be easily: ? Tampered with or modified (Encryption is used to prevent this, amongst other things to make reverse engineering challenging). ? Backed up/restored (Anchoring is used to prevent this). ? Copied to another machine (Binding is used to prevent this). So anchoring will break if TS is backed up, updated and then restored. Binding, if it existed in the XT kits, would fail if copied to a different enough machine ? but since we don?t have it, host-id would stop the copy from TS to another machine from succeeding.
View full article
Summary Is there's an API available to manage the reservation list to Add and Return devices in LLS? Question Is there's an API available to mange the reservation list to Add and Return devices in LLS? Answer There is no API specific to this. The LLS has /fne/xml/setreservations and /fne/xml/reservations endpoints to manage the reservations. Please refer to the "Server Application Endpoints" section of the server app guide for more information. Server Application Endpoints The FlexNet Embedded server application is set up to communicate with an external administrative configuration and status tool using a REST-style interface and XML messages of MIME type ?application/xml?, along with binary capability-request and capability-response messages. The endpoints used in communications with the server application are described in the following table: Table 1 ? Server application endpoints and operations /fne/xml/setreservations POST Sets the server?s XML reservation list /fne/xml/reservations GET Gets the server?s reservation list
View full article
Summary How do you add a flag so FlxCapabilityResponseGetVendorDictionary detects returns at runtime? Question Using the FlexNet Embedded 2014.09 client to obtain a license from an instance of FlexNet Operations, when creating the license model, how do you add a Boolean field to indicate whether the license can be returned or not, as well as a string field for any additional info? The need here is to query these fields so as to prevent/allow the returning of licenses at run-time. How can this information be queried from the client? Answer This can be done by implementing the com.flexnet.opsembedded.publicapi.DeviceRequestHandler class. You can use this to add something to the response. Attached is some sample code based on the samples that ship with FNO (CustomDeviceRequestHandler.java). All of the test stuff has been stripped out and just the handler return test is included as the key value pair. It is also possible to use the license model vendor string to add a value, either at entitlement time or license model specific if needed (just need to set when to create the string in the license model). With this situation, first need to add a custom attribute to the FNO instance (per the DeviceRequestHandler class, which should be modified for the specific needs before doing a "flexnet site make" and then restarting the FNO server to implement the modifications). Then, via the FNO admin console, add it to the license model (see attached license_model.jpg) Next, created an entitlement that sets the value (see attached entitlement.jpg) Then, back at your client, modify the capabilityrequest example to display the vendor string: if ( !FlxPublisherAcquireLicenses( clientObjects->publisher, &license, clientObjects->licenseSources, survey, version, 1, 0, 0, error) ) { DisplayErrorString(_T( "acquiring survey license" ), error); return FLX_FALSE; } printf( "Vendor string: %s\n" , FlxLicenseGetVendorString(license)); This then takes the license that had been populated by the acquire call and used it to read the vendor string: INFO: number of features loaded from capability response: 4 Vendor string: true INFO: acquired license INFO: deleted client objects
View full article
Question Use case: You've enabled VM detection using the API function, then ran a series of tests and proved that you can get a license for a Feature without increasing your feature licensing count in FNO by spoofing a Device ID like a MAC address. The free license occurs because the regenerative factor, so when a 2nd device with the same Device ID asks for a license, it grants it, but still only sees 1 license count in use (rather than 2 or more). What is the suggested best practice to not permit VM's to spoof a Device ID? Would it be to make a VM device ID a combination of the virtual MAC Address as well as the UUID or similar GUID type ID that is assigned to each VM by the VM host manager software? If so, how would you prevent the UUID from being spoofed as well? The host manager programs (such as VMware and Mac Parallels) do not seem to allow the user to set the UUID, though it may be possible that it can be done. What is the best practice to prevent a VM from spoofing a Device ID? Answer We have a contrib library for obtaining the VM_UUID for 32 and 64 bit Linux and Windows, called FlxContribVmUuid-<platform>-<version>. As for the host ID, if you're using the XT kits, we provide API functions that return a list of the host Ids we detect on the system. For Java, it?s ILicenseManager.getHostIds(). For C-XT, it?s FlcGetHostIds(), etc? Additional Information Or, as a possible more outside the box solution (don't have an example for this - it's just a theory), you could perhaps create a Producer-defined Hostids based on the Microsoft Generation ID which will change when a machine has been cloned.
View full article
Summary How do you set the return policy for a FlexNet Embedded license model in FlexNet Operations? Question How do you set the return policy for a FlexNet Embedded license model in FlexNet Operations? Answer For certificate and trusted storage-based FlexNet Publisher licensing, a return policy can be set on a license model. However, this is not currently supported in FlexNet Embedded license models. Additional Information The reason for this is returns are initiated by the FlexNet Embedded client and the publisher has to explicitly code a return of the counts using the FlexNet Embedded APIs. In other words, the publisher has full control whether or not to allow returns. For the products that you don?t want to support returns, you simply shouldn?t provide any client side workflows that support returns.
View full article
Summary What is the suggested way to confirm a license is still valid in FNE? Question If a user opens their licensed software and then sometime later the license expires and they just continue to leave their software open past the licensed time period, how could a publisher counter this type of undesired usage? Would they just set up a thread that runs periodically that releases/acquires the license? Or is there a preferred method to handle this type of situation for both the binary license (as a buffered license) and served license cases? Answer Periodic release and reacquire is the preferred method if the licenses will need to be held for a long time. This will guarantee that any changes to the license parameters (not just the expiry date, but also the hostid) are validated as well. The best method is to do a license enforcement at a more granular level to reduce the amount of period a license is held in a checked out state.
View full article
Summary How does FNE validate that the DLLs / shared objects it loads against are genuine / haven?t been interposed by some third party? Question How does FlexNet Embedded validate that the DLLs / shared objects it loads against are genuine / haven?t been interposed by some third party? Answer The security measures in for the C XT kits are as follows: 1) The static library that the customer links into their code communicates with the DLL via an anti-spoof channel (take a look at the DLL and you will only see a couple of exported functions). 2) As of the upcoming release 2015.09, TRA will be used to protect the FlxCore dynamic library from tampering. 3) TRA could also be used by the publisher in their application to check the signatures of Microsoft libraries and FlxCore itself.
View full article