www.agilis-sw.com
White Paper
Considering Product Activation?
You Need to Think about These 10 Issues
Copyright Agilis Software LLC 2008, 2009 Page 1
Product activation is unobtrusive, secure and flexible - if you do it right. This paper
describes some obvious, and some not-so-obvious, issues for software developers to
consider.
Product activation is a popular approach for securing software licenses. However,
software developers need to consider all the requirements for a capable activation system,
from the license models they'll need to support to how they'll deal with the corner-case
customer environments.
The basic activation process is typically as follows. Upon purchase the software vendor
sends a unique product serial number to the user. When the user installs the application
they are prompted to enter their product serial number. Their application connects to the
vendor's hosted license server over the Internet to confirm that this product serial number
is valid and has not already been used to activate a license. It also obtains from the
license server the license limits that apply to that user's license, such as a time limit or
enabling of product features. Finally it locks the license to the user's system by reading
certain machine parameters, such as the MAC address or hard disk ID, and encrypts the
license limit and locking information in a file which is saved on the user's system. Once
activated the application interrogates that local encrypted file to perform its license
check, so continues working on that user's specific machine within the defined license
limits with no further communication required with the vendor's systems.
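The local license check described above, as an added Go example (not code from this paper or from any Agilis product). It signs the license record with Ed25519 instead of encrypting it, so the application carries only a public key and cannot issue licenses itself; the License fields and the NodeHash, Issue and Check functions are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// License is the record issued at activation (type and field names are illustrative).
type License struct {
	Serial   string
	NodeHash string // fingerprint of the locking parameters, see NodeHash
	Expires  time.Time
	Features map[string]string
}

func NodeHash(mac, diskID string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(mac+"\x00"+diskID))) }

// Issue runs on the license server, the only holder of the private key.
func Issue(priv ed25519.PrivateKey, lic License) (body, sig []byte) {
	body, _ = json.Marshal(lic) // cannot fail for this struct
	return body, ed25519.Sign(priv, body)
}

// Check runs inside the application at start-up and needs only the public key.
func Check(pub ed25519.PublicKey, body, sig []byte, mac, diskID string, now time.Time) (*License, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("signature invalid: altered, or not issued by the vendor")
	}
	var lic License
	if err := json.Unmarshal(body, &lic); err != nil {
		return nil, err
	}
	if lic.NodeHash != NodeHash(mac, diskID) {
		return nil, fmt.Errorf("license is locked to a different machine")
	}
	if now.After(lic.Expires) {
		return nil, fmt.Errorf("license expired on %s", lic.Expires.Format(time.RFC3339))
	}
	return &lic, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	body, sig := Issue(priv, License{"SN-1", NodeHash("00:11:22:33:44:55", "DISK-A"), time.Now().Add(time.Hour), nil})
	fmt.Println(Check(pub, body, sig, "00:11:22:33:44:55", "DISK-B", time.Now()))
}
```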
Sounds simple enough... but here are the ten areas you need to consider as you select a
product activation system.
License models
What are the license models you wish to offer across your target markets? Are there other
models Marketing might want to offer next year? Here are some possibilities:
• Time-limited licenses, for trials or subscription licensing
• Feature-enabling, to offer different price points or to package your product for
different verticals e.g. a customer's license might have Feature A to be OFF,
Feature B at the Pro level, Feature C at level 5, Feature D on a 30-day trial and so
on.
• Usage-based licensing. This could be metered (where the usage is tracked for
subsequent reporting and billing, but not limited) or debiting (where the user
purchases a usage quota which is depleted as the application is used).
• Custom licensing. Maybe you need to communicate some licensing parameters to
your application, such as the Terabytes of data to address, number of
communication channels to support, number of pages open at any one time and so
forth.
• Some combination of the above e.g. enabling each feature with its own usage and
time limit.
Disconnected systems
Not all computers have an Internet connection, so you need to consider how you will
support your users who are on isolated corporate networks, or just can't get a network
connection from their laptop. The whole point of product activation is automation and
convenience - you don't want to have to set up phone support (during working hours,
24x7?, multi-lingual?) to help people without a network connection. Luckily, there are
some solutions... if you pick the right system. For example:
• User self-service activation. Does the activation system provide a way for users
to activate licenses on disconnected systems? A common approach is for the
licensing software, when it finds it can't connect to the hosted license server, to encrypt
the locking and product serial number information in a file, which the user then
hand-carries to any web browser for upload to the vendor's self-service web page.
The vendor's system accepts the file, checks it, and returns the encrypted file
needed to enable the license. This file exchange can also be done by email, or
even snail mail.
• Proxy server support. In many sectors such as finance, mil/aero and government,
users' systems don't have a direct connection to the Internet but can access it via
an HTTP proxy server. Can your applications access your hosted license server
via an existing HTTP proxy server?
• Install your own proxy server. If there isn't a suitable HTTP proxy server
available, does the activation solution include its own proxy server for installation
on the customer's network?
Security
The idea is to protect your applications from hacking and 'honest abuse' (over-
subscription by legitimate customers), so you need robust security. Here are some
questions to consider:
• If you issue time-limited licenses for trials or subscriptions, is there protection
against users who try to extend their license by turning back their system clock?
• Is there protection against users who try to hack or spoof the licensing library
built into your application?
• Is the communication between the licensed application and the license server
secure against man-in-the-middle attacks, replay attacks, and counterfeit attacks?
• If you are tracking license limit data locally for each user, are these records secure
against hacking and rollback to prior versions?
• Is it impossible for anyone else to set up a license server and issue licenses for your product?
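One way to detect the clock turn-back and record tampering asked about in the list above, as an added Go example that is not from the paper or any Agilis product. The State type, the tag and Tick functions, and the tolerance value are hypothetical, and the HMAC key is assumed to be a secret held by the application, which on a client machine raises the bar rather than giving a hard guarantee.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// State is kept beside the license file (type and field names are illustrative).
type State struct {
	LastSeen int64  // latest wall-clock time (Unix seconds) ever observed
	Runs     uint64 // usage counter for a metered or debiting license
	Tag      []byte // HMAC-SHA256 over the two fields above
}

func tag(key []byte, lastSeen int64, runs uint64) []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf, uint64(lastSeen))
	binary.BigEndian.PutUint64(buf[8:], runs)
	m := hmac.New(sha256.New, key)
	m.Write(buf)
	return m.Sum(nil)
}

// Tick runs at every start-up: it validates the stored state, rejects a clock that
// has moved back past the tolerance, and returns the new sealed state to write out.
func Tick(key []byte, prev State, now time.Time, tolerance time.Duration) (State, error) {
	if !hmac.Equal(prev.Tag, tag(key, prev.LastSeen, prev.Runs)) {
		return prev, errors.New("state record was modified")
	}
	t := now.Unix()
	if t < prev.LastSeen-int64(tolerance/time.Second) {
		return prev, errors.New("system clock was set back")
	}
	if t < prev.LastSeen {
		t = prev.LastSeen // the high-water mark never moves backwards
	}
	return State{t, prev.Runs + 1, tag(key, t, prev.Runs+1)}, nil
}

func main() {
	key := []byte("constructed-demo-key")
	s, _ := Tick(key, State{0, 0, tag(key, 0, 0)}, time.Now(), time.Hour)
	_, err := Tick(key, s, time.Now().Add(-48*time.Hour), time.Hour)
	fmt.Println(err) // system clock was set back
}
```

An older copy of the state file still carries a valid tag and passes this check, so rollback of the record itself is only caught if the counter is also kept somewhere the user cannot restore, such as the license server at the next contact.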
Node-locking
The general approach to preventing a license from simply being copied onto another
system is to lock each license to your desired parameters of the target system, such as the
MAC address, host ID, hard disk ID and so on.
So far so good, but here are some node-locking questions to ask:
• Is the node-locking mechanism flexible and extensible, so you can lock to the
parameters you wish?
• Does the node-locking mechanism follow generally-accepted computer science
principles, and not do such tricks as bypassing the operating system, with all its
unforeseeable consequences (such as breaking just because the user installed a
boot manager, or upgraded their operating system)?
• Can you secure licenses on virtualized systems (e.g. VMware), where the
hardware parameters can legitimately change for a licensed user? How about
supporting users who run Windows on a Mac?
• If you want, can the node-locking mechanism provide resiliency against small
changes, so not inconveniencing users who make a minor system upgrade?
• Can you specify a set of locking parameters, with the license working if any one
of them is matched? For example, perhaps your user wants to be able to run their
license on any one of four machines - can you accommodate this?
• If some users really prefer dongle-based licensing, can you lock to a dongle as
well?
• If you sell a system with your own custom hardware in it, can you lock the license
to, say, the serial number in your custom hardware?
• How do you deal with the inevitable 'My machine crashed - how do I restore my
license?' user inquiry?
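The two tolerance policies raised in the list above (surviving a small hardware change, and accepting any one of a set of machines) can be expressed as one threshold match. This is an added Go example, not the paper's or any product's mechanism; the Lock type, its fields, and the "kind=value" parameter strings are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Lock is the node-locking part of a license (type and field names are illustrative).
type Lock struct {
	Salt   string          // per-license salt, so stored hashes do not reveal hardware IDs
	Hashes map[string]bool // salted SHA-256 of every enrolled "kind=value" parameter
	Need   int             // how many enrolled parameters must still match
}

func hashParam(salt, p string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(salt+"\x00"+p)))
}

// NewLock is run at activation with the parameters read from the target system(s).
func NewLock(salt string, need int, params ...string) Lock {
	l := Lock{salt, map[string]bool{}, need}
	for _, p := range params {
		l.Hashes[hashParam(salt, p)] = true
	}
	return l
}

// Check counts the distinct current parameters that were enrolled and applies the
// threshold. Need < 1 fails closed so a corrupt policy never unlocks the license.
func (l Lock) Check(current ...string) (matched int, ok bool) {
	seen := map[string]bool{}
	for _, p := range current {
		h := hashParam(l.Salt, p)
		if l.Hashes[h] && !seen[h] {
			seen[h] = true
			matched++
		}
	}
	return matched, l.Need >= 1 && matched >= l.Need
}

func main() {
	// Constructed values: lock to three parameters, tolerate one change.
	l := NewLock("s1", 2, "mac=00:11:22:33:44:55", "disk=WD-123", "host=ws-07")
	fmt.Println(l.Check("mac=00:11:22:33:44:55", "disk=NEW-999", "host=ws-07")) // 2 true
}
```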
License Relocation
It is a fact of life that users often want to move their license to a different system, months
or maybe years after it is first activated. This appears straightforward, but there are some
issues to consider:
• Maybe you don't want to offer this facility to everyone. Can you control which
users are allowed to relocate their licenses?
• For users who are allowed to relocate their license, can you control how often
they can do so? You may not want them doing so every day (that sounds like
they're sharing the license with others).
• Is there any intervention required on your part during a license relocation, or
does the product activation system take care of it? Is it secure?
• Can licenses be deactivated on disconnected systems?
• Your application may well have some settings your users adjust as they work with
it, so your application runs exactly as they like it. Do they have to set these up
again on the new installation (that would be annoying), or can you transfer them
automatically?
• Does the product activation system track license relocations, so you know what
your users are doing? Could it alert you when a relocation is done?
License Revocation
Maybe you don't fully trust your customers, or perhaps you sell your product on credit, or
on a monthly subscription, so might need to revoke a user's license if they didn't pay up
or re-subscribe.
• Can your activation system revoke a user's license?
Reseller sales
Perhaps you sell via resellers or OEMs now, or plan to do so. Maybe your sales
department is looking for resellers overseas, or has it in their strategic plan? In that case,
you'd better be ready to deal with the basic issue: how do you delegate order fulfillment
(if desired) to your reseller, while still keeping track of the licenses they issue?
• Can your activation system allow resellers to issue licenses?
• If it does, can you restrict the range of licenses they can issue? For example, can
you prevent them enabling certain features that aren't part of their agreement with
you, can you limit the number of licenses they issue, or set a maximum time limit
on the licenses they issue?
• Can you generate a report on the licenses they've issued? Can they?
• Can you receive an alert when they issue a license?
Extensibility
While you may think that all your customers' needs will be met with a product activation
approach, what if that isn't the case? Perhaps some users will not want any information to
go out of their organization at all (often the case with some government and financial
institutions).
• Can your activation system also support, say, dongle-based or floating licensing
over your customers' internal network, with no outside communication required at
all?
• If you do need to support floating licensing or dongle-based licensing, does
engineering have to re-do the licensing integration, or does the existing licensing
system they integrated for product activation support it without needing any
modification or replacement?
Platform support
Of course you need to protect your application on all the computer platforms you support.
• Does the activation system provide a client library for all your current
platforms?
• How about platforms in your product roadmap?
• How about 64-bit platforms?
• What if a major customer requires support for a non-standard platform - can you
readily obtain it?
• If your application is in Java, and you take advantage of Java's platform
independence, is the licensing library actually multi-platform, or are you
introducing platform dependency?
Back-office integration and infrastructure
If your business involves a large number of licenses, or you expect it to, you may want to
automate license fulfillment.
• Can you automate fulfillment from your back-office/CRM system, say via Web
Services?
• Can you automate management tasks, such as backup, archival and reporting for
the licensing system?
• Maybe you don't want to host the license server at all. Is there a 3rd-party
managed service available?
Clearly not all of these questions will apply to all software vendors. However, they
hopefully provide food for thought and suggest areas you should consider to ensure your
product activation deployment is successful.
Agilis Software is an infrastructure software company headquartered in Santa Clara, CA in the heart of
Silicon Valley.
We develop and market software license management solutions that are relied on by software vendors and
hardware / software systems vendors in a wide range of industries and market segments. Our solutions are
particularly suited to agile companies with complex licensing requirements.
Agilis Software LLC
5201 Great America Parkway, Suite 320
Santa Clara, CA 95054
USA
URL: www.agilis-sw.com
Email: sales@agilis-sw.com
Tel.: (408) 404 8480