Sentinel LDK v.7.6 - Software Protection and Licensing Guide Protection and Licensing... ·...

Sentinel LDK v.7.6Software Licensing and Protection Guide

Revision History

Document number 007-012168-001, Rev C

Copyrights and Trademarks

© Gemalto 2017. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks ofGemalto and are registered in certain countries.

HARDLOCK, HASP, SENTINEL, SUPERPRO and ULTRAPRO are registered trademarks of SafeNet, Inc. and/orits subsidiaries and may not be used without written permission.

All other trademarks are property of their respective owners.

Disclaimer

We have attempted to make this document complete, accurate, and useful, but we cannot guarantee it tobe perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor tocorrect them in succeeding releases of the product. Gemalto is not responsible for any direct or indirectdamages or loss of business resulting from inaccuracies or omissions contained herein. The specificationscontained in this document are subject to change without notice.

June 2017 Revision 1707-3

Contents

Familiarizing Yourself with Sentinel Vendor Suite 13

Contents of the Sentinel License Development Kit 13Sentinel LDK - Demo Kit 13Sentinel LDK - Starter Kit 13

About This Book 14Major Components of the Vendor Suite 15Migrating to Sentinel LDK From Other Systems 17Obtaining Support 18

PART 1 - GETTING STARTED 19

Chapter 1: Understanding Sentinel LDK Software Protection and Licensing 21

Fundamentals of Protection 21What is Protection? 21

Major Protection Solutions 22Hardware-based Solutions 22Software-based Solutions 22Comparative Benefits of Hardware-based and Software-based Solutions 23Advantages of a Combined Solution 23

Fundamentals of Licensing 24Flexible and Secure Licensing Solutions 24Licensing Planning and Models 24Updating and Enforcing Usage Terms 25

Principles of Sentinel LDK 25Protect Once—Deliver Many—Evolve Often 26Cross-locking 26Mixing and Matching Licenses and Sentinel Protection Keys 26

Customizing Your Unique Solution 27Personalized Vendor and Batch Codes 27Selecting the Best Key for Your Requirements 28Sentinel Vendor Keys 28End-User Keys 28

Protection Key Attributes 31Sentinel LDK Protection Process 33

Obtaining Additional Information About Sentinel LDK 33

Chapter 2: Understanding Sentinel Cloud Licensing 35

4 Sentinel LDK Software Licensing and Protection Guide

Software as a Service 35What is Sentinel Cloud Licensing? 36How Does Sentinel Cloud Licensing Work? 37Cloud License Types 38For More Information 38

PART 2 - PROTECTION 39

Chapter 3: Protecting Software 41

Sentinel LDK Protection 41Elements of Sentinel LDK Protection 41Selecting a Protection Method 43

Chapter 4: Sentinel Licensing API Protection 45

Overview 45Universal Sentinel Licensing API 46

Sentinel Licensing API Prerequisites 46Vendor Code 46Licensing API 47

Learning About the Sentinel Licensing API 48Sentinel LDK ToolBox 48Sentinel Licensing API Samples 49

Implementation 49Planning Your Requirements 49Sentinel Licensing API Workflow 49Sentinel Licensing API Login Function 50

Sentinel Licensing API Functionality 52Function Groups 52

Chapter 5: Sentinel LDK Envelope Protection 55

Functionality 55Basic Protection Workflow 56Required and Optional Protection Parameters 57General Customizable Parameters 58

Sentinel LDK Envelope for Windows 59Prerequisites for Windows 59Running Sentinel LDK Envelope 59Protecting Windows Programs 60Calling Licensing API Functions From DllMain 61Enhancing Protection With "AppOnChip" 61

5

Accessing and Protecting Data Files 63Running Sentinel LDK Envelope from a Windows Command Line 63

Protecting .NET Assemblies 64.NET Considerations 64Global Features in .NET Assemblies 65Method-level Protection 65Code and Symbol Obfuscation in .NET Assemblies 67Exception Handling in Protected .NET DLL Assemblies 67Defining Sentinel LDK Envelope Protection Settings in Source Code 67

Sentinel LDK Envelope for Linux Intel Applications 68Sentinel LDK Envelope for Mac Binaries 68Sentinel LDK Envelope Prerequisites for Mac 68Running Sentinel LDK Envelope for Mac 68Sentinel LDK Envelope for Mac Protection Parameters 69Accessing and Protecting Data Files 69

Sentinel LDK Envelope for Java Executables 69Java Considerations 70Sentinel LDK Envelope Prerequisites for Java 70Running Sentinel LDK Envelope for Java Engines 71Sentinel LDK Envelope for Java Protection Parameters 71Protecting Java Executables 71Defining Sentinel LDK Envelope Protection Settings in Source Code 71

Sentinel LDK Envelope for Android Applications 72Sentinel LDK Envelope Prerequisites for Android 72Android Considerations 73Android Applications With Cyclic Dependencies 73

Chapter 6: Protection Strategies 75

Overview 75General Protection Guidelines 76Types of Attack and Their Sentinel LDK Defense 77Patching Executables and DLLs 77Modifying Key Memory 77Emulating Protection Keys 78Using Remote Desktops and Remote Desktop Solutions 78Cloning Hardware Keys 78Clock Tampering 78Additional Sentinel LDK-specific Strategies 79

Chapter 7: Protecting Data Files 81

Overview 81When to Protect Data Files 84


Users of Sentinel LDK Data Protection Utility 84Data Encryption for Mac 85

Data Protection Prerequisites 85Launching Sentinel LDK Data Protection Utility 85Data File Protection Plugin 86Licensing Data Files—Getting Started 87Licensing an FLV File to be Viewed Using Internet Explorer 87Licensing data files to be accessed using a proprietary application 89

Working With the dfcrypt Command Line Utility 90

PART 3 - LICENSING 93

Chapter 8: Introduction to Sentinel EMS 95

Sentinel EMS Overview 95Sentinel EMS Major Workflows 95

Sentinel EMS Users and User Roles 97Getting Started With Sentinel EMS 99Prerequisites for the Sentinel LDK Administrator 99Using the Sentinel EMS Help 101

Sentinel License Generation API 101Switching Between Sentinel License Generation API and Sentinel EMS 102

Chapter 9: Preparing Your Sentinel LDK Licensing Plan 103

Licensing Overview 103Preparing Your Licensing Plan 104Identifying Functional Components (Features) 105Combining Features Into Products 105

Choosing the Protection Level for Your Products 106Sentinel HL Key Protection and Activation 107Sentinel SL Key Protection and Activation 107Specifying the Protection Level for Individual Orders 109

Designating Products for Trial or Grace Period Use 109Assigning License Terms to Features 110Specifying License Values for Individual Orders 110

Utilizing Protection Key Memory 111Using Your Licensing Plan With Sentinel EMS 111

Chapter 10: Implementing Your Sentinel LDK Licensing Plan 113

License Planning in Sentinel EMS 113

7

Managing Features 114Defining Features 114Deleting Features 115

Managing Products 115Defining New Products 116Defining Unlocked Products 122Product Status Values 123Duplicating a Product 123Withdrawing a Product 124

Maintaining Products and Licenses 124Managing Product Versions 124Canceling Product Licenses 126

Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks 129

Sentinel LDK Entitlement Processing and Production 129Managing Entitlements 130Defining Entitlements 131Entitlement Status Values 135Processing C2V Information 135Order Processing and Production Examples 136

Producing Entitlements 138Producing Sentinel HL Key Entitlements 139Producing Entitlements for Product Keys 139Producing Protection Key Update Entitlements 140

Withdrawing Entitlements 140Customer Portal - Activating Entitlements 140Viewing License Updates 141Applying License Updates to SL AdminMode Keys 142Performing Development-related Tasks 142Generating Bundles of Unlocked Products 143Generating the Sentinel LDK Run-time Environment Installer 144Exporting Definition Data 144Customizing and Branding the RUS utility 145

Enabling Trial Use and Grace Periods 145Example 1: Issuing an Unlocked Trialware Product for Trial Use 145Example 2: Issuing a Product for a Grace Period 146

Chapter 12: Sentinel LDK Administration and Customer Services 147

Administration Tasks 147Maintaining User Details 148Maintaining Sentinel Master Keys 149

Customer Services 150


Chapter 13: Sentinel Remote Update System 151

RUS Utility Overview 151RUS Workflow 152Example: Using RUS for License Updates 153

Using RUS utility 153Instructions for Customers Using the RUS utility 153

Chapter 14: Generating Sentinel LDK Reports 157

Reports Facility Overview 157Permissions for Working With Reports 158Scheduling Reports 158Presentation Formats 159Export Formats 159Available Reports 159Custom Reports 159

PART 4 - DISTRIBUTING SOFTWARE 161

Chapter 15: Distributing Sentinel LDK With Your Software 163

Sentinel LDK Software for End Users 163Sentinel LDK Run-time Environment 163Software for Sentinel HL Licenses 163Software for Protected Applications Under Windows 164Software for Sentinel HL Licenses Under Linux Intel 164Software for Sentinel HL Licenses Under Linux ARM 164Software for Sentinel SL Licenses 164Software for .NET and Java Assemblies 165Network Environment Management 165Software for Updating Licenses 166Data File Protection Plugin 166

Distributing Sentinel LDK Run-time Environment 166Protection Keys That Require Sentinel LDK Run-time Environment 166Sentinel LDK Run-time Environment for Windows 168Sentinel LDK Run-time Environment for Mac 171Sentinel LDK Run-time Environment for Linux Intel 172Sentinel LDK Run-time Environment for Android 173

Chapter 16: Sentinel License Manager 175

Types of License Managers 176Selection of the License Manager By the Protected Application 177

9

Selection of License Manager Under Windows 177Selection of License Manager for Protected Data Files Under Windows 180Selection of License Manager Under Mac 180Selection of License Manager Under Linux Intel 180Selection of License Manager Under Linux ARM 180Selection of License Manager Under Android 181

License Manager Tools 181Sentinel Admin Control Center 181Sentinel Admin API 182

Managing User Access to Admin License Manager Information 182Enabling or Disabling Access for Remote Users 182Setting the Access Level for Authorized Users 183

Managing Access to Standalone and Network Licenses 183Client-side Configuration 184License Server-side Configuration 185

Working Directly With License Manager Configuration Files 186Default Location of License Manager Configuration Files 186Modifying License Manager Configuration Files Manually 188Additional License Manager Configuration Files Parameters 188

Configuring Detachable License Definitions 190Making Product Names Visible on the End User's Machine 190Loss of Connection With a Network License 191

Chapter 17: Sentinel Admin Control Center 193

Launching Admin Control Center 194Admin Control Center Interface 194Administrator’s Workflow 196Configuration Considerations 196Managing User Access to Admin Control Center 196Customizing Log Parameters 196Managing Access to Licenses in Admin License Manager 197Searching for Sentinel License Managers 197

Diagnostics 197Customizing Admin Control Center Look and Feel 197Writing Templates 198Configuring Admin Control Center to Use Your Custom Template 200

PART 5 - LICENSING MODELS 203

Chapter 18: Sentinel LDK Licensing Models: Overview 205

Introduction 205


Sentinel LDK Licensing 206Determining the Best Protection and Licensing Method 207About This Section 207How to Use the Licensing Models 208

Chapter 19: Sentinel LDK Licensing Models: Description of Models 209

Evaluation Licensing Models 210Trialware 211High-security Time-limited Evaluation 212Execution-limited Evaluation 213Demoware 214

Component-based Licensing Models 215Module-based (Suites) 216Feature-based 217

Metered Licensing Models 218Time-limited Rental 219Phased Rental 220Micro-rental 221Subscription 222Pay-by-Peak Time (Peak Time) 224Time-based Overdraft 226Standard Counter 227Phased Counter 228Capacity (CPU/Memory/Disk) 229

Locked License Models 230Machine-locked 231User-locked 232

Mobile License Models 234Portable 235Commuter 235Software on a Key 236

Network License Models 237Limited Concurrent End Users in a Network 238Time-limited Concurrent End Users in a Network 239Execution-limited Concurrent End Users in a Network 240Volume 242Site 243

Sales Boosting Licensing Models 244KickStart (Quick-delivery Grace) 245Referral-based Sales 246Automatic Sales Agent 248

Perpetual Licensing Models 250Standard Perpetual Licensing model 251

11

Perpetual Unlocked Licensing Model 252

PART 6 - APPENDICES 253

Appendix A: Understanding the Sentinel LDK Master Key Licenses 255

Licensing Concepts 256Product Activation Module 257New SL Key Pool 257Network Seats 258How New Activations and Update of Your Software Affect the Pool 259Unlimited Concurrency 260Additional Information 261

Unlocked Trialware Module 261Unlocked Unlimited Module 262V-Clock Module 262AppOnChip Module 262Advanced Data File Protection Module 263Reporting Module 263

Appendix B: Sentinel LDK Run-time Network Activity 265

Local Communications 266Remote Communications 267

Appendix C: Maximum Number of Features in a Sentinel HL Key 269

Appendix D: How Sentinel LDK Detects Machine Cloning 271

Overview 271Clone Detection for Physical Machines 273PMType1 Scheme 273PMType2 Scheme 274PMType3 Scheme 274PMType4 Scheme 275FQDN Scheme 276

Clone Detection for Virtual Machines 276VMType1 Scheme 276VMType2 Scheme 278FQDN Scheme 279

How to Analyze a Clone Report 280Example 281


How to Clear the "Cloned" Status for a Product License 283

Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock 285

Tampering with the System Clock 286Re-enabling a Blocked Protected Application 286Setting Fallback to V-Clock If the RTC Battery in a Sentinel HL key is Depleted 286

Appendix F: How to Bundle Unlocked Products Manually 289

Appendix G: How to Optimize Performance for Sentinel LDK Run-timeEnvironment 291

SL UserMode License 291Run-time Environment 291Testing for Presence of Features 291

Appendix H: Upgrading Sentinel HL Keys 293

Upgrading a Sentinel HL Key to Driverless Configuration 293Upgrade Requirements 295Upgrade Process 296

Converting a Sentinel HL Standalone Key to a Network Key 296

Appendix I: Troubleshooting 299

Checklist 299Problems and Solutions 300

Appendix J: Requesting a Replacement Vendor Key 303

Composing the Email Request for a Replacement Vendor Key 303Request from Sentinel Vendor Tools (ToolBox, Envelope, Master Wizard) 303Request from Sentinel EMS 303

Glossary 305

SAFENET SENTINEL LDK PRODUCT END USER LICENSE AGREEMENT 313

Exhibit A - Third-Party Software 318Exhibit B - Third-Party Software for Sentinel EMS and Sentinel Cloud Add-on 350

Index 353

Familiarizing Yourself withSentinel Vendor Suite

This topic provides an introduction to Sentinel Vendor Suite. Gemalto recommends that youreview this information to familiarize yourself with:

n The contents of the Sentinel License Development Kit – Starter or Demo kit

n The major components of Sentinel Vendor Suite

n The information provided in this book

n How to obtain additional technical support for these products

Contents of the Sentinel License Development KitThe two Sentinel License Development Kits (Sentinel LDK) described below are available as part ofthe Sentinel Vendor Suite.

Sentinel LDK - Demo Kit

The Sentinel License Development Kit - Demo kit contains the software and hardware you need toevaluate Sentinel LDK protection and licensing. The following items are included:

n Sentinel LDK installation software on a Sentinel HL Drive microSD

n Sentinel HL Demo keys to facilitate the evaluation process

n Sentinel LDK Software Protection and Licensing Quick Start card

n Sentinel LDK Software Protection and Licensing Tutorial

Additional documentation can be found on the computer where Sentinel LDK is installed and onthe Installation Drive.

Sentinel LDK - Starter Kit

The Sentinel License Development Kit - Starter kit contains the software and hardware you need toapply Sentinel LDK protection and licensing. The following items are included:

n Sentinel LDK installation software on a Sentinel HL Drive microSD

n Sentinel Vendor keys:

o Sentinel Developer key for applying protection

o Sentinel Master key for generating license updates and activating softwarekeys


n Sentinel LDK Software Protection and Licensing Quick Start card

n Sentinel LDK Software Protection and Licensing Tutorial

Additional documentation can be found on the computer where Sentinel LDK is installed and onthe Installation Drive.

Sentinel HL keys for distribution to your customers must be ordered separately.

About This BookThis book is designed to help software publishers protect and license their software usingSentinel LDK. The guide provides background information and details about how Sentinel LDK canbest serve your protection and licensing requirements.

The book is divided into the following parts:

n "PART 1 - GETTING STARTED" on page 19

Introduces Sentinel LDK, presents basic protection and licensing concepts, and leads youthrough the process of configuring the system. You should read this part after openingyour kit.

n "PART 2 - PROTECTION" on page 39

Provides an in-depth presentation of Sentinel LDK protection methods. This part includesstrategies for maximizing the protection of your software using Sentinel LDK. This part isspecifically for software engineers who have the responsibility for using the Sentinel LDKprotection applications to protect software.

n "PART 3 - LICENSING" on page 93

Discusses the options that Sentinel LDK provides to enable you to apply flexible licensingterms to your software and provides case studies for you to examine. This part isparticularly relevant to product and business managers who have to make decisionsabout how their software is licensed. This part should also be read by operations staff andothers involved in production.

n "PART 4 - DISTRIBUTING SOFTWARE" on page 161

Details the Sentinel LDK software that can be delivered to end users to ensure easy andtrouble-free deployment of protected software. This part also describes the various waysof effectively delivering the Sentinel LDK software components.

n "PART 5 - LICENSING MODELS" on page 203

Provides an overview and detailed description of the various Sentinel LDK Licensingmodels that you can use to distribute your software.

n "PART 6 - APPENDICES" on page 253

Provides supplementary information regarding Sentinel LDK.

n "Glossary" on page 305

Major Components of the Vendor Suite 15

Major Components of the Vendor SuiteSentinel License Development Kit (Sentinel LDK) Vendor Suite contains many modules, tools, andAPIs that assist you to manage the protection and licensing of your application. This sectionprovides an overview of the most significant items in the Vendor Suite.

Sentinel LDK Envelope and Sentinel Licensing API

Sentinel LDK Envelope is a tool that wraps your application in a protective shield. This shieldensures that:

n The application is protected against disassembly and reverse engineering. Your intellectualproperty is protected.

n The protected application cannot run unless a suitable Sentinel protection key can beaccessed by the application.

An application that has been protected by Sentinel LDK Envelope can contain the Data Protectionmodule to automatically encrypt data files to disk and to read them back. You can use theSentinel LDK Data Protection utility to pre-encrypt data files for use with the protectedapplication.

You can use Sentinel Licensing API to provide enhanced protection for your application and toenable the licensing of specific Features in the application.

Sentinel LDK Data Protection Utility

Sentinel LDK Data Protection utility is a tool that can do either of the following:

n Protect data files with encryption. A protected data file can only be accessed by anapplication that has been protected with Sentinel LDK Envelope and that possesses therequired encryption key.

n Protect data files with encryption and licensing. A protected data file can be accessed:

o only by an application that has been protected with Sentinel LDK Envelope or by avendor-specific Web Browser plugin, AND

o only when the end user has the required license on a protection key.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive application that enables software developers to learn aboutthe following Sentinel APIs:

n Sentinel Licensing API

n Sentinel License Generation API

n Sentinel Admin API

In ToolBox, software developers can execute API functions, observe the behavior of the functions,and then copy the relevant source code into their own applications.


Admin Control Center

Sentinel Admin Control Center is a customizable, web-based, end-user utility that enablescentralized administration of Sentinel License Managers and Sentinel protection keys.

Sentinel RUS (Remote Update System)

Sentinel RUS utility is an advanced tool that enables you to perform secure, remote updating ofthe license and memory data of Sentinel protection keys after they have been deployed on theend user’s computer.

Sentinel Cloud Licensing

Sentinel Cloud Licensing is an alternative to the LDK licensing solution that is used by Sentinel LDKfor protected applications. Sentinel Cloud Licensing provides a cloud-based licensing solution forvendors who want ongoing control over customers' license terms and who want to track theusage of features by the customers.

Sentinel Cloud Licensing is suitable both for SaaS (Software as a Service) applications that arehosted in the cloud and for on-premise applications that are installed at the customer's site.

Using Sentinel Cloud Licensing, you can enable feature-level authorization of your applications andleverage a wide range of feature and product packaging options—ranging from simplesubscription to complex usage-based models. In this way, you can maximize return on investmentthrough greater product versatility and simplified operations.

Sentinel Cloud Licensing simplifies your billing process management by providing automatedmetering and export of usage data for billing.

Sentinel Cloud Run-time provides a common set of APIs that enable you to deploy yourapplications on cloud without any change in application source code.

Sentinel EMS (Entitlement Management System)

Sentinel EMS is a web-based graphical application that is used to perform a range of functionsrequired to manage the licensing, distribution, and maintenance of protected applications anddata files.

You can use Sentinel EMS Web Services to perform the same functions programmatically. Thisenables you to integrate the EMS functionality into your own back end infrastructure.

Sentinel License Generation API

For software vendors who prefer to use their own ERP back-ends, Sentinel License Generation APIprovides access to the power and flexibility of Sentinel protection keys without the need to installthe full Sentinel EMS system. You can use Sentinel LDK ToolBox to examine the API functions,create license templates, and to generate protection keys.

Sentinel EMS Customer Portal

Sentinel LDK provides a product activation mechanism. This mechanism enables a customer toquickly and easily:

Migrating to Sentinel LDK From Other Systems 17

n convert a trialware version of your protected application or data file (an UnlockedTrialware Product) to a fully-licensed version (a Locked Product).

n directly activate a Locked Product.

The end users activate the relevant version using a unique Product Key that they receive from youafter completing the required commercial transaction to purchase a license for the application. Ineither case, your investment against software piracy is protected.

Sentinel EMS contains a separate Customer Portal. This is a Web portal that your customers canaccess in order to activate Locked Products. The customer logs in to the Customer Portal byproviding a Product Key. The customer completes a registration form (if you require this) and thenchooses the method to activate the Product. Online activation is completely automatic andactivates the license on the local machine. Offline activation enables the customer to download autility that can be used to activate the license manually on the same machine or on a a differentmachine.

The Sentinel LDK tutorials leads you through the complete process: define a Feature in SentinelEMS, define Products, enter an order, generate a product key, and finally convert the trialware toa Locked Product using the Customer Portal.

Master Wizard

You use the Sentinel LDK Master Wizard tool to introduce your unique Batch Code (from yourSentinel Vendor keys) into Sentinel LDK, for use with the various Vendor Suite applications. Thistool also imports your vendor-specific files from Gemalto servers, including API libraries and thevendor library used for software-based protection

The Master Wizard tool also generates your customized Data File Protection plugin. This pluginenables your customers to view certain types of protected data files in the Internet Explorer Webbrowser.

Migrating to Sentinel LDK From Other SystemsMigrating to Sentinel LDK from other types of protection schemes can be a significant challenge.Gemalto provides detailed system-specific migration guides to assist you in this transition. Eachmigration guide provides a number of different multi-stage migration options. These optionsdescribe how you can prepare to use Sentinel LDK protection for new customers while youmigrate your existing customers to Sentinel LDK at a pace that you can manage.

Migration guides are provided for the following systems:

n Hardlock

n SmartKey

n Sentinel SuperPro

n HASP HL

n HASP4


n Sentinel Hardware Keys

n Sentinel HASP

Migration Guides can be found:

n on the (physical) Sentinel LDK Installation Drive, under:

\Windows\Installed\Docs\Manuals & Tutorials\Migration Guides\

n where Sentinel LDK is installed, under:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Docs\Manuals &Tutorials\Migration Guides\

Obtaining SupportYou can contact us using any of the following options:

Business Contacts - To find the nearest office or distributor, use the following URL:https://sentinel.gemalto.com/contact-us-sm/

Technical Support

To obtain assistance in using Gemalto products, feel free to contact our Technical Support team:

n Customer Support Portal (preferred):https://supportportal.gemalto.com/csm?id=csm_index

n Support Essentials (Contact details, support plans, and policies):https://supportportal.gemalto.com/csm?id=support_essentials

n For Issues Related to Using the Portal: [email protected]

n Phone: Telephone support is available 24x7x365.

o AMER: 800-545-6608 (US toll free)

o International: +1-410-931-7520

o EMEA/APAC: https://supportportal.gemalto.com/csm?id=sentinel

èClick Contact Us

n E-mail (Use if you cannot submit the technical issue via the portal):[email protected]

Downloads

You can download installers and other updated components here:https://sentinelcustomer.gemalto.com/sentineldownloads/

https://sentinel.gemalto.com/contact-us-sm/

https://supportportal.gemalto.com/csm?id=csm_index

https://supportportal.gemalto.com/csm?id=support_essentials

mailto:[email protected]

https://supportportal.gemalto.com/csm?id=sentinel

mailto:[email protected]

https://sentinelcustomer.gemalto.com/sentineldownloads/

PART 1 - GETTING STARTEDIn this section:

n "Chapter 1: Understanding Sentinel LDK Software Protection and Licensing" on page 21

Provides an overview of the concepts of software and intellectual property protection andlicensing, discusses the primary protection solutions, and focuses on how Sentinel LDKprovides a comprehensive solution to all your protection requirements.

n "Chapter 2: Understanding Sentinel Cloud Licensing" on page 35

Provides an overview of the concepts of software and intellectual property protection andlicensing, discusses the primary protection solutions, and focuses on how Sentinel CloudLicensing provides a comprehensive solution for your SaaS licensing requirements

Chapter 1:Understanding Sentinel LDK

Software Protection and LicensingThis chapter provides an overview of the concepts of software and intellectual property protectionand licensing, discusses the primary protection solutions, and focuses on how Sentinel LDKprovides a comprehensive solution to all your protection needs.

Gemalto recommends that you familiarize yourself with the information in this chapter so that youcan maximize the benefits of using Sentinel LDK.

In this chapter:

n "Fundamentals of Protection" on page 21

n "Major Protection Solutions" on page 22

n "Fundamentals of Licensing" on page 24

n "Flexible and Secure Licensing Solutions" on page 24

n "Principles of Sentinel LDK" on page 25

n "Customizing Your Unique Solution" on page 27

Fundamentals of ProtectionThis section examines the nature of protection, and identifies the two types of protection that youneed to consider.

What is Protection?

Protection is the process of securing an application or intellectual property by incorporatingautomated and customized security strategies.

Protection is achieved by implementing specific security strategies, such as wrapping yourapplication in a security envelope, and incorporating various security measures within theapplication’s code during development. The greater the number of security measuresincorporated, and the higher the level of their complexity, the more secure your applicationbecomes.

It is not sufficient to protect only your software—you must also protect your intellectual property.Your professional expertise and the secrets that you use in developing your software, for examplealgorithms, must also be protected.

1

22 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Copy Protection

Copy protection is the process of encrypting your software and incorporating various securitymeasures throughout the code and binding it to a key so that it can only be accessed byauthorized users who are in possession of the key. The more complex the copy protection appliedto your software, the less likely it is to be compromised.

Similarly, important data files can be encrypted and protected with licensing so that only userswho possess the key are able to access the files.

Intellectual Property Protection

Your intellectual property is the foundation on which your products are developed. Intellectualproperty theft is surprisingly easy. Every year, companies report the loss of proprietaryinformation and intellectual property valued at many billions of dollars.

The algorithms and other secret information that you use to make your products unique andcompetitive must be protected against attempts to discover their secrets, or to apply reverseengineering to the software code.

Major Protection SolutionsWith Sentinel LDK, the ability to protect and license your software is facilitated by the use offlexible protection and licensing tools, together with a Sentinel protection key to which yoursoftware is subsequently bonded. This key may be either hardware-based or software-based.

In general, references in this section to protection and licensing of software are alsoapplicable to protection and licensing of data files.

Hardware-based Solutions

In hardware-based solutions, you supply an external hardware device together with yoursoftware. The functioning of your software is dependent on the device being connected to theend user’s computer. At run-time, your software communicates with the hardware device, andonly functions correctly if it receives an authentic response from the device.

Sentinel LDK provides a variety of hardware devices in the form of Sentinel HL keys. You can selectthe type of Sentinel HL key that best suits your requirements. For more information aboutSentinel HL keys, see "Sentinel HL Keys" on page 29.

Software-based Solutions

In software-based solutions, following the installation of your software on an end user’s computer,the protection and licensing is bonded to that specific machine. Your software will only functionafter a Product Key has been entered by the user. At run-time, the Sentinel License Managerchecks that the software is on the machine on which it is licensed to run and that it is being usedin accordance with the user’s license terms.

Sentinel LDK provides a robust software-based solution using Sentinel SL keys. A Sentinel SL keyresides in the secure storage of a specific computer and is patterned on the functionality of aSentinel HL key.

For more information about Sentinel SL keys, see "Sentinel SL Keys" on page 30.

Comparative Benefits of Hardware-based and Software-based Solutions

Strong protection and licensing security can be provided with either hardware- or software-basedsolutions. While many protection and licensing features are common to both options, each alsooffers specific strengths that might be comparatively limited in the other.

The following table highlights and compares some of the available benefits of hardware- andsoftware-based solutions, and the relative strengths of each option.

Feature Hardware-based Software-based

Software and Intellectual Propertyprotection

* * * * * * *

Secure Licensing * * * * * *

Trialware * * * * * *

Portability * * * * *

Electronic Software Distribution * * * * * *

Multiple Feature/Module Licensing * * * * * * *

Advantages of a Combined Solution

As shown in the preceding section, both solutions have their relative strengths in protecting andlicensing your software.

It is probable that you utilize various strategies for marketing, selling, and distributing yoursoftware. For example, these strategies may include:

n Determining the level of protection according to the price of the software

n Determining the level of protection according to market segments, including verticalmarkets

It is likely that your strategies will also require the following:

n The ability to turn trialware into a fully-licensed version using hardware-based or software-based activation

n The ability to sell software over the Internet, protected with a hardware-based orsoftware-based key

Sentinel LDK Combined Solution

Sentinel LDK provides the industry’s first software DRM solution that combines hardware-basedand software-based protection and licensing.

Major Protection Solutions 23


This innovative, self-contained, flexible system enables you to:

n Implement multiple protection solutions

n Define multiple license models according to the requirements of your market, and applytheir usage terms independently of the protection process

n Select hardware-based (Sentinel HL) or software-based (Sentinel SL) protection keysindependently of the protection process

Fundamentals of LicensingIn addition to protecting your software and intellectual property, you need to protect the revenuefrom sales of your product. You want to ensure that your software is only available to theappropriate users, according to the terms that you define. This process is controlled by licensing.

Licensing provides you with the flexibility to implement your business strategies for your softwaredistribution. When you define the licensing terms on which your software is distributed or sold,you select the terms that are commercially beneficial to your company.

For example, you may decide that you initially want to distribute your software free of charge, sothat users can try it before purchasing. You will want to ensure that users can use it for only alimited time before it must be purchased.

Alternatively, you may publish very complex, expensive software. You may decide to make specificcomponents of that software available for a lower price, thus making parts of it accessible to userswho cannot afford the full-featured version. Such a decision creates an additional revenue source.

To obtain the maximum benefit from your company’s licensing strategy, you need a softwarelicensing system that provides you with the flexibility to tailor licensing terms to fit your businessstrategies, and to adapt quickly to changes in the market and in your business needs. Yourlicensing system must also be able to track your defined usage terms along with secure licensingmethods.

Flexible and Secure Licensing SolutionsSentinel LDK gives you the flexibility to choose and apply licensing models and license terms foryour protected software on-the-fly. This enables your company to offer attractive softwarepackages and to adapt rapidly to changes in customer purchasing preferences.

Licensing Planning and Models

An important step in the development of a licensing strategy is the preparation of a licensing plan.Business decision-makers in an organization, such as product or marketing managers, defineprotection and business rules, and specify the licensing models required to meet the company’ssoftware distribution needs.

A licensing model is the logic behind a business transaction relating to licensing. For example, arental license model enables you to charge for the use of software for a specific period of time.

Sentinel LDK enables you to choose from a variety of built-in licensing models, and to customizeand build licensing models and software usage terms to meet your company’s individualrequirements.

Sentinel LDK supports numerous out-of-the-box license models, that can be used individually or incombination, including:

n Trialware (try-before-you-buy)

n Rental/Subscription

n Module-/Feature-based

n Floating Usage

n Time-based

n Execution-based

You can easily define custom licensing models and usage terms using the functionality providedby Sentinel LDK. For example, Sentinel LDK functionality enables you to utilize secure read-onlyand read/write memory storage, flexible counters, and a real-time clock or virtual clockincorporated in the Sentinel protection key.

The separation of the engineering and licensing processes embodied in Sentinel LDK makes itpossible to modify your company’s licensing strategy as necessary when circumstances change,and to implement these changes quickly and efficiently.

Updating and Enforcing Usage Terms

When implementing a licensing plan, it is essential to ensure that the software usage termsdefined in the plan are securely applied and that licenses reach their legitimate owners. Newlicenses, and changes and extensions to licenses that have already been deployed, can be subjectto tampering if not adequately protected.

Sentinel LDK applies optimal security to the enforcement of usage terms and license extensions.License extensions sent to end users are highly protected, and require the return of a securereceipt. In addition, state-of-the-art Sentinel LDK technology prevents tampering with usage terms.

Principles of Sentinel LDKThe strength, uniqueness, and flexibility of Sentinel LDK are based on two primary principles:

n Protect Once—Deliver Many—Evolve Often: The concept of separating the Sentinel LDKengineering and business processes.

n Cross-Locking: The technology that supports the Protect Once—Deliver Many—EvolveOften concept, enabling a protected application to work with either a Sentinel HL key or aSentinel SL key.

In general, references in this book to protected applications are also applicable toprotected data files.

Principles of Sentinel LDK 25


Protect Once—Deliver Many—Evolve Often

At the heart of Sentinel LDK lies the Protect Once—Deliver Many—Evolve Often concept. Thisconcept is the process of protecting your software completely independently of the process ofdefining sales and licensing models.

Separation of Protection and Business Functions

The engineering process—that is, the protection of your software—is performed by your softwareengineers using Sentinel LDK Envelope, Sentinel LDK ToolBox and the Sentinel Licensing APIprotection tools.

The business processes—that is, software licensing and selection of the appropriateSentinel protection key—are performed by business management using Sentinel EMS.

As part of the business processes, the Evolve Often stage delivers the capability for you and yourend users to:

n Actively track delivery and activation status of end-user entitlements.

n Track when, how, and by whom your software is being consumed.

n Easily manage terms of each entitlement using Sentinel EMS.

The protection processes and the licensing processes—including selection of the appropriateSentinel protection key type—are performed completely independently of each other.

Cross-locking

Cross-locking is the Sentinel LDK process that enables you to choose the device to which yourprotected application and license will be locked—either to a Sentinel HL key or, via a Sentinel SLkey, to a specific computer.

The decision about the type of Sentinel protection key to which your software is locked isdetermined after protection has been implemented—you choose the options that best suit yourcurrent business strategies.

Mixing and Matching Licenses and Sentinel Protection Keys

Sentinel LDK gives you complete flexibility to choose the combination of license andSentinel protection key that best suits your business requirements. This means that you decidehow to bundle your protection, licensing and distribution requirements.

You may choose to release protected software as a downloadable product with a Trialware licensethat, after purchase, is activated with a Sentinel SL key. Additionally, you may choose to ship thesame protected software with a network license that is locked to a Sentinel HL key, and allowusers unlimited access to all features.

Sentinel LDK offers you an unprecedented number of possible options to combine licenses andSentinel protection keys.

Customizing Your Unique SolutionSentinel LDK provides you with a variety of applications and personalized devices that enable youto customize a protection and licensing solution that is appropriate to your business needs:

n Sentinel LDK Envelope enables you to wrap your software in a protective shield at thetouch of a button—without having to adjust your source code. It establishes a linkbetween your protected software and a Sentinel protection key, even though theselection of key is determined at a later time.

n Sentinel LDK Data Protection utility enables you to encrypt data files so that they can onlybe accessed by specific protected application. You can additionally apply licensingprotection so that the data files can only be accessed when an appropriateSentinel protection key is present.

n Sentinel LDK ToolBox and the Sentinel Licensing API enable you to enhance the protectionoffered by Sentinel LDK Envelope, by incorporating complex protection mechanisms intoyour source code.

n Sentinel EMS enables you to create licenses and lock them to Sentinel protection keys, towrite specific data to the memory of a Sentinel protection key, and to update licensesalready deployed in the field. These processes are performed independently of theprotection process.

n Customized Sentinel Vendor keys are used in-house by your staff, together withSentinel LDK state-of-the-art security applications.

n A selection of Sentinel protection keys enable you to meet the specific requirements ofyour business. Your unique Sentinel protection keys ensure that your applications willonly function when the correct key, supplied by you, is present.

n Additional applications and utilities provide advanced support for these key elements ofSentinel Vendor Suite.

Personalized Vendor and Batch Codes

When you purchase a Sentinel License Development Kit – Starter from Gemalto, you are providedwith Sentinel Vendor keys that contain unique Vendor Codes that are specific to your company.The codes are used by Sentinel LDK to communicate with your Sentinel protection keys, and todifferentiate your keys from those of other software vendors.

Vendor Code

The Vendor Code is a unique confidential code assigned to you by Gemalto when you place yourfirst order for Sentinel protection keys. It is integrated into your Sentinel Vendor keys. When youare protecting your software and licenses to Sentinel protection keys for distribution, the VendorCode is extracted from your Sentinel Vendor keys.

Batch Code

A Batch Code consists of five characters that represent your company’s unique Vendor Code.When you order Sentinel protection keys from Gemalto, you specify your Batch Code, which isthen written to the keys before dispatch. To easily identify the Batch Code to which a Sentinel HLkey belongs, the Batch Code is written on the outside of each key.

Customizing Your Unique Solution 27


Selecting the Best Key for Your Requirements

Sentinel LDK protection and licensing are key-based. Your software is distributed with uniqueactual and/or virtual Sentinel protection keys that you code according to your requirements.

There is a strong inherent link between a protected application and its correspondingSentinel protection key. Protection is based on making access to the protected applicationdependent on the presence of a correct Sentinel protection key.

Similarly, when licensing is implemented using Sentinel LDK, the operation of your software isdependent on the presence of a valid license in a Sentinel protection key.

A variety of Sentinel protection keys are available to provide you with the flexibility to sell yoursoftware in the ways that are most beneficial to your business goals.

Sentinel Vendor Keys

When you purchase Sentinel LDK, you are provided with two Sentinel Vendor keys—theSentinel Master key and the Sentinel Developer key. These keys enable you to apply protection toyour programs, program the Sentinel protection keys that you send to your end users, and tospecify the license terms under which your software can be used.

n Sentinel Developer key

The Sentinel Developer key is used by your programmers in conjunction with theSentinel LDK protection tools to protect your software and data files. This key is typicallyconnected to the machine on which Sentinel Envelope executes.

n Sentinel Master key

The Sentinel Master key is used by your production staff to create licenses and lock themto Sentinel protection keys, to write specific data to the memory of a Sentinel protectionkey, and to update licenses already deployed in the field. This key is typically connectedto the machine on which Sentinel EMS is installed or where the program that calls SentinelLicense Generation API is running.

The Sentinel Developer key and Sentinel Master key can be accessed using a remoteconnection. For more information, see the Sentinel LDK Installation Guide.

End-User Keys

Two types of Sentinel protection keys are available:

n The Sentinel HL key is a physical USB or ExpressCard key that connects to a computer, ora chip that is embedded in the computer.

n The Sentinel SL key is a software-based key that locks your software to a specific machine.Your software and the user license are locked to the Sentinel protection key that youselect.

All Sentinel HL keys—with the exception of Sentinel HL Basic keys—contain internal read/writememory. You can use the memory to do any of the following:

n Control access to specific software modules and/or packages

n Assign a unique code to each software user

n Store licenses from your own licensing schemes

n Save passwords, program code, program variables, and other data

Sentinel SL keys are patterned on the functionality of Sentinel HL keys. However, the data islocated in the secure storage of the computer on which the Sentinel SL key resides.

Sentinel HL Keys

Sentinel HL keys are distributed with your software to end users. The keys connect to the endusers’ computers. A variety of Sentinel HL keys are available to suit your requirements. Sentinel HLkeys are available in either of two configurations:

n Sentinel HL (HASP configuration) keys: These keys are fully compatible with software thatrequires the older HASP HL keys.

Sentinel HL (HASP configuration) keys can be upgraded in the field to Sentinel HL(Driverless configuration) keys. For more information, see "Appendix H: UpgradingSentinel HL Keys" on page 293.

n Sentinel HL (Driverless configuration) keys: These keys provide several advantages overSentinel HL (HASP configuration) keys:

o (On a Windows machine) Employ HID drivers instead of HASP key drivers. (HIDdrivers are an integral part of the Windows operating system.) In many cases, it ispossible to use these keys without installing any additional support software.

o (On a Windows machine) Support the use of "AppOnChip" functionality. WithAppOnChip, selected functions in the protected application are actually executed bythe HL key. This provides significantly enhanced security for the application.

o (On a Linux machine) In many cases, it is possible to use these keys withoutinstalling any additional support software.

o Support a higher number of Features.

o Provide larger on-key memory space.

o All Driverless keys (except for Basic keys) support a virtual clock for time-basedlicenses.

o All Driverless keys (except for Basic keys) support concurrency (network-basedlicenses).

Sentinel HL keys offer the highest level of security. In order for a user to access your software, andfor it to function correctly, the key must be accessible by the application. Furthermore,Sentinel LDK uses LicenseOnChip technology to protect Sentinel HL keys against license tampering.

Customizing Your Unique Solution 29


Sentinel HL keys also have the advantage of portability. This means that the key can be movedfrom one computer to another. Software may therefore be installed on multiple computers butwill only run if the key is connected and authenticated by the software.

Sentinel LDK continues to support the older HASP HL keys. All references to Sentinel HLkeys in this document and other Sentinel LDK documents can be understood to includeHASP HL keys unless the context of the reference clearly states otherwise.

Sentinel SL Keys

Sentinel SL keys are virtual, software-based keys that reside in the secure storage of a specificcomputer. Sentinel SL keys provide the same functionality as Sentinel HL keys, without requiringphysical distribution.

After your software is installed on a computer, the end user typically enters a Product Key that issent, via the Internet or by file transfer, to Sentinel EMS, together with the fingerprint of themachine. Sentinel EMS confirms that the Product Key has not been used to activate the softwareon more than the permitted number of machines—as determined by you—then sends back theSentinel SL key, which is installed on the end user’s machine. This process is also used forupdating license terms.

Several types of Sentinel SL keys exist:

n SL Legacy - SL keys that were generated with versions of Sentinel HASP prior to SentinelLDK v.6.0

n SL AdminMode - SL keys that provide the highest level of security and functionality

n SL UserMode - SL keys that provide a greater level of flexibility under certaincircumstances

Sentinel SL Unlocked Licenses

An unlocked license is one that is not locked to a specific machine. An application with anunlocked license (referred to as an Unlocked Product) is protected against disassembly. However,the protected application can be duplicated, installed , and used on any machine for as long asthe unlocked license allows. Unlocked licenses are used in the following situations:

Trialware products

The ability to create and distribute trialware products without exposing the protected software topiracy provides a significant marketing advantage when selling software applications. Potentialcustomers can work with the actual application and experience what the application has to offerand how it can benefit the individual or the organization. In addition, anybody that has access totrialware can copy it and distribute it to other people; this multiplies the exposure of theapplication within the marketplace. Each person who installs and works with the application must,at the end of the grace period (typically 30 to 90 days or 30 executions), decide to purchase an HLor SL key for the application or else be blocked from using the application.

Unlocked products

Unlocked products are used when vendors want to protect their applications against reverseengineering but either:

n Have no need to license the application (for example, software that is part of a largerhardware package). The vendor may not need to protect against duplication of thesoftware. However, they want to protect the software against theft of intellectualproperty.

n Are using a separate product or system to handle licensing of the software.

An unlocked product typically has no time restriction or has a long-term license.

Protection Key AttributesThe various types of Sentinel protection keys that are available provide different levels of securityand flexibility, as described in the table that follows.

Type of SentinelProtection Key

Level ofSecurity

SupportedOperatingSystems (Local)

SupportsTime-basedLicenses

SupportsConcurrencyandDetachableLicenses

SL AdminMode key + + + + Windows MacLinux Intel

Uses V-Clock Yes1

SL UserMode key(Excluding UnlockedProducts)

+ + + WindowsAndroidLinux ARMLinux Intel

Uses V-Clock No

SL UserMode (UnlockedProduct)

+ WindowsLinux ARMLinux Intel

Uses V-Clock No

SL Legacy key + + + + Windows MacLinux Intel

Uses V-Clock Yes1

HL (HASP configuration)Basic key

+ + + + + Windows MacLinux Intel

No No

HL (Driverlessconfiguration) Basic key

+ + + + + Windows MacLinux IntelLinux ARMAndroid

No No

HL (HASP configuration)Pro key


No No

Protection Key Attributes 31


Type of SentinelProtection Key

Level ofSecurity

SupportedOperatingSystems (Local)

SupportsTime-basedLicenses

SupportsConcurrencyandDetachableLicenses

HL (Driverlessconfiguration) Pro key


Uses V-Clock(Requires V-Clockmodule on theMaster key)

Yes 2 3

(Detach notsupported)

HL (HASP configuration)key (Max, Drive)


No No

HL (Driverlessconfiguration) key (Max,Drive)


Uses V-Clock Yes 2 3


HL (HASP configuration)Time key


Uses real-time clockon the key

No

HL (Driverlessconfiguration) Time key


Yes 2 3


HL (HASP configuration)NetTime key


Yes(Detach notsupported)HL (Driverless

configuration) NetTime key+ + + + + Windows Mac

Linux Intel

HL (HASP configuration)Net key


No

HL (Driverlessconfiguration) Net key


Uses V-Clock

Legend:1 - Requires network seats from the Master key.2 - Requires network seats from the Master key. Requires License Manager v.7.3 or later on themachine where the protected application executes. The required version of License Manager isprovided in Run-time Environment v.6.65 or later.3 - Android does not support concurrency.

The table above relates to the operating system on machine to which the protection key isattached. However, for protection keys that support concurrency, the protectedapplication can be located on a different machine. In this case, the protected applicationcan be executing under any operating system listed in the table (except for Android) evenwhen that operating system does not support the protection key.

For example: A protected application running on a Linux ARM machine can be licensed byan SL AdminMode protection key on a Linux Intel machine.

For information on V-Clock (the virtual clock available on most Sentinel protection keys), see"Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page 285.

For full technical specifications of the available Sentinel HL keys, refer to the Sentinel HL DataSheet.

For additional information, see "Protection Keys That Require Sentinel LDK Run-timeEnvironment" on page 166.

Sentinel LDK Protection Process

When you are developing your software, your engineers integrate a variety of calls to data storedin the memory of the Sentinel protection key.

Encryption and Decryption

Sentinel LDK encryption and decryption are based on the Advanced Encryption Standard (AES)algorithm. The encryption secret of the algorithm is stored in the Sentinel protection key. Toenhance security, all communication between an application and a Sentinel protection key israndomly encrypted. This inhibits emulation of a Sentinel protection key.

Obtaining Additional Information About Sentinel LDKThis chapter has provided an overview of the major concepts and principles of Sentinel LDK, andthe comprehensive protection and licensing solution that Sentinel LDK provides.

The remainder of this book explains in detail how you can best use the many elements ofSentinel LDK to meet your company’s software protection, licensing, and distributionrequirements.

Additional information is available in the help systems for the various Sentinel LDK tools, and inadditional Sentinel LDK documentation that you can download using the following URL:

www.sentinelcustomer.gemalto.com/sentineldownloads/

Obtaining Additional Information About Sentinel LDK 33

http://www.sentinelcustomer.gemalto.com/sentineldownloads/

Chapter 2:Understanding Sentinel Cloud

LicensingThis chapter provides an overview of the concepts of software and intellectual property protectionand licensing, discusses the primary protection solutions, and focuses on how Sentinel CloudLicensing provides a comprehensive solution for your SaaS licensing requirements.

Gemalto recommends that you familiarize yourself with the information in this chapter so that youcan maximize the benefits of using Sentinel Cloud Licensing.

In this chapter:

n "Software as a Service" on page 35

n "What is Sentinel Cloud Licensing?" on page 36

n "How Does Sentinel Cloud Licensing Work?" on page 37

n "Cloud License Types" on page 38

n "For More Information" on page 38

Software as a ServiceSoftware as a service (referred to as SaaS) is a software delivery model in which an application andassociated data are centrally hosted on the vendor's servers or some other public server. SaaS istypically accessed by users using a thin client via a web browser. SaaS is becoming an increasinglycommon model for many business applications. SaaS offers the potential to reduce IT supportcosts for customers by outsourcing hardware and software maintenance and support to the SaaSprovider (you, the vendor).

Most of the licensing considerations described earlier (in "Fundamentals of Licensing" on page 24)are application to SaaS. You need to protect the revenue from sales of your product. You want toensure that your software is only available to the appropriate users, according to the terms thatyou define.

Using the SaaS model, you can select from a number of licensing options to achieve greaterproduct versatility and simplified operations.

2

36 Chapter 2: Understanding Sentinel Cloud Licensing

What is Sentinel Cloud Licensing?To obtain the maximum benefit from your company’s licensing strategy, you need a softwarelicensing system that provides you with the flexibility to tailor licensing terms to fit your businessstrategies, and to adapt quickly to changes in the market and in your business needs. Yourlicensing system must also be able to track your defined usage terms along with secure licensingmethods.

Sentinel Cloud Licensing is a cloud-based license provisioning system that provides an alternativeto the on-site Sentinel SL licensing:

n Sentinel SL enables you to employ pre-paid licensing. For metered licensing, customerscan purchase the authorization to use an application for a specific period of time or for aspecific number of executions. When the license expires or the allowed executions areconsumed, the customer must extend the license in order to continue using theapplication.

n Sentinel Cloud licensing enables you to employ either pre-paid or post-paid licensing. Withpost-paid licensing, there is no predetermined limitation on the usage of the application.Customers can be billed based on the number of hours that they use the application orthe number of times that the product is used.

Note that a given application can be licensed using either Sentinel SL or Sentinel Cloud Licensing.You cannot apply both schemes to a single executable.

Sentinel Cloud Licensing provides you with the benefits described below.

Feature-based Authorization

Using Sentinel Cloud Licensing, you can enable feature-level authorization of your applications andleverage a wide range of feature and product packaging options—ranging from simplesubscription to complex usage-based models. In this way, you can maximize return on investmentthrough greater product versatility and simplified operations.

Usage-based Licensing

Sentinel Cloud Licensing simplifies your billing process management by providing automatedmetering and export of usage data for billing and analysis.

Segregated Design and Delivery

After you have carried out the simple, one-time process of integrating Sentinel Cloud Licensingwith your application, your product management and delivery tasks is totally separated from yourproduct design and development tasks. This empowers you to choose from a wide range oflicense models without affecting the design and development of the product.

Remote Control of License Terms

You can use the Sentinel EMS user interface or Web Services to instantly change the license termsfor any customer who is using your licensed application.

Cloud Support

Sentinel Cloud Run-time provides a common set of APIs that enable you to deploy yourapplications in the cloud without any change in application source code.

How Does Sentinel Cloud Licensing Work?Using Sentinel EMS, you define the products that you want to license. For each products, youdefine the features to be licensed and the licensing scheme to be used.

You integrate your web application with Sentinel Cloud Licensing in one of two ways:

n Integrate with Cloud Run-time. You insert Cloud Run-time API calls into your webapplication. These API calls perform the following functions:

User authorization: This function grants or blocks access to features in the application.Specific users can be granted access to different sets of features in the application.

Sentinel Cloud Run-time does not handle user authentication (that is, thedetermination that a given user should be granted access to the application). Thisfunction is the responsibility of the vendor.

Usage data collection: This function collects data relating to the usage of the applicationby each user, at the feature level. This data is later used for billing purposes. SentinelCloud Licensing stores this data locally and periodically transfers it to Sentinel CloudConnect (described below) for metering and data aggregation

n Integrate with Sentinel Cloud Connect Web Services. This provides Sentinel CloudLicensing capabilities for direct use by the application. Web Services can be used forapplications on platforms that are not supported by Cloud Run-time.

Your application can be deployed in either of two configurations:

n Cloud: The application is hosted on a cloud server, from where the customer can accessthe application. The server is managed either by the vendor or by an external providercontracted by the vendor.

n On-premise: The application is installed on the customer's machine.

Sentinel Cloud Licensing does not incorporate protection of the licensedapplication against disassembly and theft of intellectual property. If you intend touse On-premise deployment, consider taking appropriate steps to protect yourapplication. One such protection scheme is the use of Sentinel LDK unlockedlicenses, described later in this book.

You use Sentinel EMS to create entitlements for your customers to access the features in yourapplication. The entitlements are registered in Sentinel Cloud Connect. This component is hostedin the cloud, managed by Gemalto. When your customers attempt to use a feature in yourapplication, the licensed application sends queries to Sentinel Cloud Connect for license-servingdecisions.

HowDoes Sentinel Cloud Licensing Work? 37

38 Chapter 2: Understanding Sentinel Cloud Licensing

Sentinel Cloud Connect also accumulates usage data for the features in your application. This canbe used for billing and metering purposes. This data also provides you with valuable insight intohow your customers are working with your application. You can access this information using theSentinel EMS user interface or Sentinel EMS Web Services. Your customers can access their usagedata using the Cloud End User Portal in Sentinel EMS.

Cloud License TypesIn Sentinel EMS, you can specify the licensing details for each feature in the product that you aredefining.

Licensing terms for a feature can be defined when the product is being created or at the time yougenerate an entitlement for a customer.

You can choose from one of the following license types:

n Concurrent—This is a subscription-based license model in which there is a limit on theconcurrent use of a Feature. You can specify the number of concurrent instances allowedfor a feature, and select how concurrent instances are counted.

n Prepaid—Specifies a limit on the maximum number of times a license can be used, inaddition to license validity.

n Subscription—Specifies that the license to use the product is valid for a specified duration(for example, 3 months, 6 months, 1 year). The product can be used unlimited number oftimes within the specified duration.

n Postpaid—Specifies that the license to use the product is valid for a specified duration,but the billing can be done based on the usage model, which can either be:

o Time Based—Billing can be done based on the duration for which the product isused.

o Count Based—Billing can be done based on the number of times the product isused within the specified period.

When you select the license type, you can also specify the values for the license terms. Theselicense values will apply to all orders for this Product. For maximum flexibility, you can choose toleave the values to be specified at the time when each individual order is processed.

For More InformationThe remainder of this book deals primarily with using Sentinel LDK to protect and license yourapplications. For more information on Sentinel Cloud Licensing, see the Sentinel Cloud Run-timeGuide for Sentinel LDK.

PART 2 - PROTECTIONIn this section:

n "Chapter 3: Protecting Software" on page 41

Provides an overview of Sentinel LDK software protection, including its fundamentalelements, a summary of how it works, and an introduction to Sentinel LDK protectionmethods.

n "Chapter 4: Sentinel Licensing API Protection" on page 45

Provides an overview of the Sentinel Licensing API, details the prerequisites for using theAPI, introduces the Sentinel LDK ToolBox application and describes the functionality of theAPI.

n "Chapter 5: Sentinel LDK Envelope Protection" on page 55

Provides an overview of software protection using Sentinel LDK Envelope, details theprerequisites for using the application, and describes its functionality. In addition, itdescribes the Sentinel LDK Envelope protection parameters and how to encrypt data files.

n "Chapter 6: Protection Strategies" on page 75

Outlines strategies for maximizing Sentinel LDK protection, including best practices andoptimizing the use of the Sentinel Licensing API and Sentinel LDK Envelope.

n "Chapter 7: Protecting Data Files" on page 81

Describes data file protection using the Sentinel LDK Data Protection utility. It includesinformation about the types of protection that are available.

Chapter 3:Protecting Software

This chapter provides an overview of Sentinel LDK software protection, including its fundamentalelements, a summary of how it works, and an introduction to Sentinel LDK protection methods.

Sentinel LDK ProtectionSentinel LDK is an innovative, advanced solution for protecting software against illegal orunauthorized use. The solution deters illegal access and execution of protected applications.

A deployed application that is protected with Sentinel LDK requires access to a specificSentinel protection key in order to run. The protected application queries the Sentinel protectionkey for predefined information. If the Sentinel protection key is not present, or the informationreturned is incorrect, the program does not execute, or stops functioning.

After you have selected a Sentinel LDK protection method, implementation is straightforward.Regardless of the selected protection strategy, protected applications only work correctly if theycan access the information stored in a specific Sentinel protection key.

Elements of Sentinel LDK Protection

The Sentinel LDK protection system is based on the following:

n Protecting programs and data files

n Identifying the Sentinel protection key

n AES encryption

n Confidential protection parameters

n Utilizing Protection Key memory

n Anti-debugging and reverse engineering measures

Protecting Programs and Data Files

Sentinel LDK provides two primary protection methods:

n Sentinel LDK Envelope

n Sentinel Licensing API

3

42 Chapter 3: Protecting Software

When you protect your software using either of these methods, you are essentially forming aninherent link between the protected application and a specific Sentinel protection key.

What can be Protected

Sentinel LDK enables you to protect a variety of applications and data files. You can applyprotection directly to:

n Compiled executables, DLLs and .NET assemblies

n Specific functions or entire programs. Sentinel LDK protects all levels of software fromfunction level to entire programs

n Sensitive data and intellectual property

All the above are protected against any attempt at reverse engineering.

For additional information about the available protection parameter options, see the followingchapters:

n "Chapter 4: Sentinel Licensing API Protection" on page 45

n "Chapter 7: Protecting Data Files" on page 81

Availability of the Sentinel protection key

The Sentinel protection key, or to be more precise—the intelligence contained within theSentinel protection key—is the primary component of the Sentinel LDK protection system.

The main factor governing Sentinel LDK protection is whether a deployed program can identifyand access the intelligence contained in a specific Sentinel protection key at run-time. This factor isunambiguous—the Sentinel protection key is either available or is not available!

Regardless of the protection method adopted, protected applications only function when they canaccess the required information contained in a specific Sentinel protection key.

Sentinel protection keys, and their ‘intelligence’ cannot be cloned to replicate the link betweenthem and the protected application.

AES Encryption

A protected application relies on the ‘intelligence’ in the memory of a specific Sentinel protectionkey in order to function. In addition to the checks for the Sentinel protection key, data can beencrypted and decrypted using the intelligence available in the Sentinel protection key.

AES Encryption and Decryption

The encryption engine in the Sentinel protection key is based on the AES algorithm. Sentinel LDKencryption uses a set of confidential 128-bit encryption keys that remain in the Sentinel protectionkey.

Your protection schemes should always involve greater sophistication than merely confirming thepresence of the required Sentinel protection key. However, verifying the requiredSentinel protection key through data encryption and decryption requires forward planning. First,encrypted data must be available. This data must then be sent to the Sentinel protection key,where it is decrypted.

If the data is correct, the Sentinel protection key is considered to be “present.” For additionalinformation, see "Time Functions" on page 53.

Confidential Protection Parameters

The essence of software protection is confidentiality. Without confidential elements, any softwaresecurity system is vulnerable to attack.

Vendor Code

Each Sentinel LDK customer is assigned a unique Vendor Code that must be kept confidential. TheVendor Code forms an integral part of the protection parameters that constitute the inherent linkbetween the protected applications and the Sentinel protection key. However, the Vendor Code isonly part of the link. The code on its own is insufficient to prevent illegal use of the software. Itmerely provides the protected software with access to the Sentinel protection key and itsresources.

All Sentinel LDK protection applications require the Vendor Code. For information on how toaccess the code, see "Extracting the Vendor Code from Sentinel Vendor Keys" on page 47.

Utilizing Protection Key Memory

The secure memory on Sentinel protection keys can be utilized (read and write) as a component ofthe protection scheme for the software. Confidential data can be stored in the Protection Keymemory, including snippets of program code, customer name, or any other data.

Use the memory editors included in Sentinel LDK ToolBox to read or write data in the ProtectionKey memory. (In your production environment, use Sentinel EMS or Sentinel License GenerationAPI to handle Protection Key memory.) For additional information, see "Memory Functions" onpage 52.

Anti-Debugging and Reverse Engineering Measures

Sentinel LDK protects intellectual property and provides the functionality to combat anti-debugging and reverse engineering. Anti-debugging and reverse engineering usually try to unravelthe protection scheme of protected software by tracing a compiled application to its source code.Sentinel LDK Envelope implements contingency measures to ward off such attacks and preventhackers from uncovering algorithms used inside protected software.

Selecting a Protection Method

Sentinel LDK offers two software protection methods; Sentinel Licensing API and Sentinel LDKEnvelope. Both methods establish an inherent link between the protected software and theintelligence contained in a specific Sentinel protection key.

When selecting a protection method, the following issues must be considered:

n What the Sentinel protection key should protect

n How the Sentinel LDK protection parameters are best applied

n Whether the time required to implement the solution is a critical factor

n Whether flexibility in implementing the protection scheme is important

These issues are discussed in the following sections.

Sentinel LDK Protection 43

44 Chapter 3: Protecting Software

What to Protect

When protecting software with Sentinel LDK, there are various options for applying protection.Sentinel Licensing API is used to protect the software before it is compiled. Protection can also beapplied after the software is compiled using Sentinel LDK Envelope. You can choose whether toapply protection to an entire program, a subprogram, or simply to a Feature.

You may opt to use either the Sentinel Licensing API or the Sentinel LDK Envelope protectionmethod, or both, depending on your specific requirements. Use the following table to determinewhich method best meets your specific requirements.

Sentinel LDK Envelope Sentinel Licensing API

Quick, automatic protection process that shields your software Manual implementation ofcalls to Sentinel Licensing API

Define specific protection parameters for your programs Controlled process ensuringmaximum security. Thestrength of protection isproportional to the degree towhich the Sentinel LicensingAPI functionality is invested inimplementation.

No source code required Source code must be available

Anti-debugging and reverse engineering measures provided Maximum flexibility

Importance of Control over the Protection Scheme

When applying protection using Sentinel Licensing API, you control the entire protection process.You determine when the protected application queries the Sentinel protection key, and how itshould behave in different scenarios. With Sentinel LDK Envelope, compiled programs are wrappedwith random protection parameters. If you run Sentinel LDK Envelope twice to protect the sameprogram, two different output files are produced with different protective modules and shields.

Significance of the Time Factor

When a high protection level is specified in Sentinel LDK Envelope, file size increases and theprotected application takes longer to launch. Consider this factor when you are deciding on theprotection level settings that you choose. Aim for the optimal balance between protection leveland launch time.

How to Apply Protection

When using the Sentinel Licensing API, protection is integrated at the source code level in acarefully considered manner. You determine where in the source code to place calls to the SentinelLicensing API.

Sentinel LDK Envelope offers an automated, speedier method of protecting software. You definesettings for protection parameters that are applied to protected applications.

When enabling or disabling some features you might reduce the level of protectionprovided by the software.

Chapter 4:Sentinel Licensing API Protection

This chapter describes the Sentinel Licensing API protection method.

In this chapter:

n "Overview" on page 45

n "Sentinel Licensing API Prerequisites " on page 46

n "Learning About the Sentinel Licensing API" on page 48

n "Implementation" on page 49

n "Sentinel Licensing API Functionality" on page 52

The Sentinel Licensing API is not applicable for protecting data files.

OverviewThe Sentinel Licensing API (application programming interface) is a robust method of softwareprotection, the strength of which is wholly dependent on its implementation.

The extent to which the functionality afforded by the Sentinel Licensing API is utilized, determinesthe overall level of software security. To fully utilize the protection offered by the Sentinel LicensingAPI, strive to maximize the complexity and sophistication of your implementation.

It is essential that, before protecting your application, you are familiar with the overallfunctionality of the Sentinel Licensing API. For a description of the functions that make up theSentinel Licensing API, see the Sentinel Licensing API help system or the Sentinel LDK ToolBox helpsystem.

Most major Sentinel LDK documentation can be found on the Sentinel CustomerCommunity web site, at:https://sentinelcustomer.gemalto.com/Documentation_Information.aspx

To protect your software using the Sentinel Licensing API, you insert calls to a Sentinel protectionkey throughout your application’s source code. You can add calls to your application that checkfor the presence of a Sentinel protection key at any point during run-time, and you can designateresponses to these checks. For example, if the required Sentinel protection key is not found, youmight specify that the protected application suspend or terminate itself.

Your application can also check the memory of a Sentinel protection key for specific data. Inaddition, you can use the Sentinel Licensing API to encrypt or decrypt data.

4

https://sentinelcustomer.gemalto.com/Documentation_Information.aspx

46 Chapter 4: Sentinel Licensing API Protection

To facilitate a speedy learning curve, Gemalto recommends that you familiarize yourself with andtest specific Sentinel Licensing API functions using Sentinel LDK ToolBox. Sentinel LDK ToolBox is aGUI-based application that interfaces with various Sentinel LDK APIs. For additional information,see "Learning About the Sentinel Licensing API" on page 48.

Sentinel LDK also includes Sentinel Licensing API sample folders for specific compilers. EachSentinel LDK interface includes a sample application demonstrating API usage and a specific headerfile. The sample applications are located in the Samples folder in the Windows directories on theSentinel LDK Installation Drive.

Universal Sentinel Licensing API

The Sentinel Licensing API is a universal API that works with all Sentinel protection keys. SentinelLicensing API implementation and usage is independent of the Sentinel protection key you use.

Utilization of the Sentinel Licensing API is independent of the access mode used to search for aspecific Sentinel protection key. The same Sentinel Licensing API functions are used to enableprograms’ access to remote Sentinel protection keys, or Sentinel protection keys that are presentlocally.

Sentinel Licensing API PrerequisitesYou may have to install the Sentinel Run-time Environment in order to enable the Licensing API.For more information, see "Protection Keys That Require Sentinel LDK Run-time Environment" onpage 166. For additional information, see the Sentinel LDK Installation Guide.

Vendor Code

It is necessary to provide the Vendor Code in order to access a Sentinel protection key and itsresources, including memory. Vendor Codes are usually stored in the VendorCodes directory. Thelocation of the directory is described later in this topic.

In the Sentinel LDK Demo Kit, customers are provided with Sentinel HL Demo keys that work withthe DEMOMA Vendor Code. This Vendor Code can be used to apply protection with the SentinelLicensing API.

Do not distribute software protected with a Sentinel HL Demo key. This Sentinel protectionkey is only for evaluation purposes.

The first time you order Sentinel protection keys, you also receive two Sentinel Vendor keys—aSentinel Developer key and a Sentinel Master key—that contain your company’s uniqueconfidential Vendor Code. The Sentinel Developer key is used by engineers for adding protectionto your software. The Sentinel Master key is used for producing licenses and orders.

Sentinel Vendor Suite applications (Sentinel LDK Envelope, Sentinel LDK ToolBox, and Sentinel EMS)must recognize and have access to the unique Vendor Code that was assigned to you when yourfirst order was supplied by Gemalto. The Vendor Code is stored inside your Sentinel Vendor keys.Sentinel Vendor keys are introduced using the Master Wizard, as described in the followingsection.

If you have already introduced your Sentinel Developer key, it is usually not necessary tore-introduce it.

Extracting the Vendor Code from Sentinel Vendor Keys

You need to extract the Vendor Code from your Sentinel Vendor keys so that the Sentinel LDKsystem will recognize it when you are working with any of the Vendor Suite applications. TheMaster Wizard extracts the Vendor Code for you.

Depending on your Sentinel LDK configuration, if you launch a Sentinel Vendor Suite application,and you have connected a new Sentinel Vendor key to your computer, the Master Wizard willlaunch automatically. Alternatively, you can launch the Master Wizard manually.

For detailed information on using the Master Wizard, see the chapter on introducing Vendor keysin the Sentinel LDK Installation Guide.

By default, your Vendor Code information is saved in the following directory:

n For Windows Vista or Windows 7:

%UserProfile%\Documents\Gemalto\Sentinel LDK 7.6\VendorCodes

n For Windows XP:

%UserProfile%\My Documents\Gemalto\Sentinel LDK 7.6\VendorCodes

Vendor-specific File Naming Conventions

The format of a Vendor Code file name is BatchCode.hvc. For example, if your Batch Code isW3FLY, the file name will be W3FLY.hvc. (The Batch Code is a representation of your confidentialVendor Code.) Your Sentinel Vendor keys and all your Sentinel HL keys are labeled with your BatchCode.

By default, Sentinel Vendor Suite applications search the VendorCodes folder for your VendorCode/Batch Code information.

Licensing API

At the time the Master Wizard extracts the Vendor Codes, it downloads your customized LicensingAPI libraries from Gemalto servers.

Your customized API libraries are saved in the following directory:


%UserProfile%\Documents\Gemalto\Sentinel LDK 7.6\API\Runtime

n For Windows XP:

%UserProfile%\My Documents\Gemalto\Sentinel LDK 7.6\API\Runtime

The APIs for each language are stored in a separate subdirectory. The format of API library names(for Windows) is hasp_windows_vendorID.libraryExtension.

Sentinel Licensing API Prerequisites 47


Example

For C applications, the following libraries are downloaded:

Library Descriptionhasp_windows_vendorID.dll Dynamic version of the API libraryhasp_windows_vendorID.lib Implemented library for hasp_windows_vendorID.dll librarylibhasp_windows_vendorID.lib Static version of the API librarylibhasp_windows_bcc_vendorID.lib Static version of API library compiled with Borland C compiler

vendorID represents the vendor ID for your Batch Code or demo for the DEMOMA Batch Code.

Learning About the Sentinel Licensing APIThere are two components of Sentinel LDK that enable you to study how the Sentinel LicensingAPI works, and its range of capabilities.

n Sentinel LDK ToolBox: A utility with a graphical user interface that is part ofSentinel Vendor Suite. For more information, see "Sentinel LDK ToolBox" on page 48.

n Sentinel Licensing API Samples: A set of examples for implementing the Sentinel LicensingAPI. For more information, see "Sentinel Licensing API Samples" on page 49.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive interface to work with various Sentinel LDK APIs. You canexecute calls to the Sentinel Licensing API using Sentinel LDK ToolBox. The calls are then relayed toa Sentinel protection key.

To use Sentinel Licensing API with Sentinel LDK ToolBox you must have a Sentinel Developer keyand a valid Vendor Code so that you can access Sentinel protection keys. Sentinel LDK ToolBox islaunched from Sentinel Vendor Suite. For more information, see the Sentinel LDK ToolBox helpsystem.

API-related Functionality

Sentinel LDK ToolBox serves as a training tool for the Sentinel APIs. Sentinel LDK ToolBoxfunctionality enables you to:

n Display the source code generated for each function call. This generated source code canbe copied and pasted into your application source code.

n Evaluate manual implementation of each API . Every API function included in Sentinel LDKToolBox is displayed on a separate screen. To execute a function call, you provide specificinformation related to the selected function.

n Transfer memory buffers to the AES encryption engine in a Sentinel protection key. Theprogram can also be used to decrypt data buffers.

n Create multiple programming language interfaces for the various APIs.

Sentinel Licensing API Samples

Sample applications are provided to demonstrate how to implement Sentinel Licensing APIprotection in your source code. The samples demonstrate how the API functions work.

Your Sentinel LDK installation contains folders for various interfaces and compilers. Each folderincludes the requisite API libraries, a header file and a sample application. The Sentinel HL Demokey—marked DEMOMA—must be connected to your computer when using the sampleapplications.

See the Sentinel Web site and the Sentinel LDK Installation Drive for information onavailable samples for specific programming languages.

ImplementationThis section describes the pre-implementation issues you should consider, and the workflow forimplementing the Sentinel Licensing API. It also provides an overview of how to log in to and outof a session.

Planning Your Requirements

Before implementing the Sentinel Licensing API, the following preliminary issues should beconsidered.

n What do you want to protect?

This may seem obvious, but it is crucial when you decide where to place the calls to theSentinel protection key. Typically, you would want to verify the presence of theSentinel protection key at startup. However, you can also identify certain aspects of thesoftware to protect, and apply your Sentinel Licensing API calls accordingly.

n Will encrypted data be included in your implementation scheme?

If you plan to use encrypted data at run-time, use Sentinel LDK ToolBox to encrypt thedata. Insert the encrypted data when implementing the Sentinel Licensing API. The data isdecrypted at run-time by the Sentinel protection key.

n Is data going to be stored in the Protection Key memory?

If the software is protected by a Sentinel protection key with memory functionality, sensitivedata can be stored in the Sentinel protection key. The Sentinel Licensing API enables accessto read from or write to Protection Key memory. Use Sentinel LDK ToolBox to write databuffers to Protection Key memory.

Sentinel Licensing API Workflow

After planning what data is going to be protected and how that protection will be applied, you areready to protect your application with the Sentinel Licensing API.

The recommended workflow for implementing the Sentinel Licensing API is as follows:

Implementation 49


1. Study the code of the sample application corresponding to your developmentenvironment.

2. In your application source code, insert a login call to the Sentinel protection key. Asuccessful login establishes a login session. The login session has its own unique handleidentifier.

The session identifier is self-generated and applies to a single login session. For moreinformation, see the description of the LoginScope function in the Sentinel Licensing APIhelp system or in the Sentinel LDK ToolBox help system.

3. After a login session is established, you can use other Sentinel Licensing API functions tocommunicate with the Sentinel protection key. For example, you can use the Decryptfunction to decrypt important data used by your application. You can also read data storedin the Protection Key memory, set timestamps, and other actions.

4. Using the output generated in Step 3, check for potential mismatches and notify the useraccordingly.

5. Repeat steps 2–4 throughout the code.

6. Compile the source code.

After you have compiled the source code, use Sentinel LDK Envelope to add an extra layerof protection to your software. This process also prevents reverse engineering of protectedcode.

Sentinel Licensing API Login Function

The login function is the gateway to Sentinel Licensing API implementation. You must open asuccessful login session to search for and communicate with a Sentinel protection key. To log intoa Sentinel protection key, you need to provide a Feature ID and a valid Vendor Code.

If the Sentinel protection key is not accessible by the computer, an error message is displayed. Anerror message is also displayed if the declared Vendor Code is not valid for a detectedSentinel protection key.

Sentinel LDK Login Operation Summary

Login Options

When using the Sentinel Licensing API implementation, login calls are not dependent on specificSentinel protection keys. However, when performing login calls you must specify what it is thatyou are actually logging into. When logging in you must declare:

n If you are logging into a default or a specific Feature

n How to search for the Sentinel protection key

n How the login counter should be handled

n Whether to enable or disable connection to the Sentinel protection key via a terminalserver

Declaring Feature IDs

You can either log into a specific Feature, or to the default Feature stored in theSentinel protection key. The default Feature is assigned Feature ID 0.

When logging into a licensed Feature, the protected application not only checks for the presenceof the Sentinel protection key, it also checks the terms of the license contained in that key. If thelicense is valid, the Feature is enabled.

Controlling Login Calls

Additional aspects of a login call can be controlled when implementing the Sentinel Licensing API,as follows:

n Search options

n Login counter

n Terminal server detection

n Enabling access to Sentinel HL v.1.x keys

Search Options

The default search setting enables a protected application to search both the local computer andthe network for the required Sentinel protection key. You can limit the Sentinel protection keysearch option, as follows:

n Search only the local PC for a Sentinel protection key

n Search only the network for a connected Sentinel protection key

Login Counter

By default, when a Sentinel LDK license is accessed in a Sentinel HL network key key, license usageis determined by counting the number of workstations that use the protected application. Youcan change this condition so that license usage is based on the number of protected applicationprocesses that are in use.

Implementation 51


Access to Legacy Memory on Sentinel HL Key

By default, the Sentinel LDK system does not enable access to the legacy memory on Sentinel HLkeys. To override this restriction, select the Allow access to Sentinel HL v.1.x check box in theSentinel LDK ToolBox Settings window.

Every Sentinel protection key login session must be terminated with a correspondinglogout call.

Sentinel Licensing API FunctionalityThe extent of the protection afforded by the Sentinel Licensing API is dependent on the way that itis implemented. Calls to a Sentinel protection key that are inserted in the source code controlaccess to the application at run-time.

This section describes the Sentinel Licensing API options that are available after a successful loginsession is established. For a detailed discussion about how to optimize your Sentinel Licensing APIimplementation, see "Chapter 6: Protection Strategies" on page 75. For a demonstration of howthe Sentinel Licensing API works, use Sentinel LDK ToolBox.

Function Groups

Sentinel Licensing API functions are categorized into five groups, based on common functionalityand linkage.

n Session functions

n Encryption/Decryption functions

n Memory functions

n Time functions

n Management functions

Session Functions

A session is created by executing a successful login call to a license residing in a specificSentinel protection key. For more information about logging in, see "Login Options" on page 51.At the end of a session, use the logout function to close the session.

Encryption Functions

You can encrypt or decrypt data buffers using the AES-based encryption engine in theSentinel protection key. The encryption engine uses symmetric encryption. This means that thesame encryption key is used later to decrypt the data buffer.

Memory Functions

Use the memory to store data to be used by the application at run-time, and information that canbe used later to verify and identify an end user. Control of access to sensitive data forms anintegral part of your protection scheme.

The Sentinel Licensing API can be used to:

n Read data buffers stored in the Protection Key memory

n Write data buffers to the Protection Key memory

The size of the data buffers is restricted by the memory available in the specific Sentinel protectionkey type. For information about the memory capacity of the available Sentinel protection keys,refer to the Sentinel HL Data Sheet.

Time Functions

Sentinel Licensing API can be used to access:

n the real-time clock in a Sentinel HL Time key or Sentinel HL NetTime key

n the V-clock in a Sentinel HL (Driverless configuration) key. For more information, see"Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page 285.

This functionality enables you to read the time. Two date and time conversion functions areincluded in the Sentinel Licensing API.

Management Functions

The Sentinel Licensing API includes functions that enable you to retrieve information on thesystem components, the current login session, the status of a deployed Sentinel protection key,and license updates.

When using Sentinel SL keys, the Transfer function enables you to:

n detach a license from a pool of network seats

n rehost a protection key from one computer to another at the customer site.

You can also use the Update function to install updates. You do not need to be logged in to asession in order to perform this function. For additional information, see the help system for theSentinel Licensing API or the Sentinel LDK ToolBox.

Sentinel Licensing API Functionality 53

Chapter 5:Sentinel LDK Envelope Protection

This chapter describes software protection using Sentinel LDK Envelope.

In this chapter:

n "Functionality" on page 55

n "Sentinel LDK Envelope for Windows" on page 59

n "Protecting .NET Assemblies" on page 64

n "Sentinel LDK Envelope for Linux Intel Applications" on page 68

n "Sentinel LDK Envelope for Mac Binaries" on page 68

n "Sentinel LDK Envelope for Java Executables" on page 69

n "Sentinel LDK Envelope for Android Applications" on page 72

FunctionalitySentinel LDK Envelope is a wrapping application that protects your applications with a secureshield. This application offers advanced protection features to enhance the overall level of securityof your software.

Sentinel LDK Envelope protects Win32, Windows x64, and .NET executables and DLLs, and Javaexecutables—providing a means to counteract reverse engineering and other anti-debuggingmeasures.

Sentinel LDK Envelope can also be used to protect Mac executables and dynamic shared libraries(Mach-O) (see "Sentinel LDK Envelope for Mac Binaries" on page 68 for more information) , andLinux executables and shared objects (see "Sentinel LDK Envelope for Linux Intel Applications" onpage 68 for more information).

The words program and application are used throughout this chapter as a genericreference to the various types of programming code that can be protected usingSentinel LDK Envelope, regardless of whether they are executables, binaries, assemblies,libraries or shared objects.

Sentinel LDK Envelope is not used directly to protect data files. However, it can enable aprotected application to access and write data to a protected data file.

5

56 Chapter 5: Sentinel LDK Envelope Protection

By using Sentinel LDK Envelope to protect your application, you establish a link between theprotected application and a Sentinel protection key. This link is broken whenever the protectedapplication cannot access the required Sentinel protection key.

Implementing Sentinel LDK Envelope protection is the fastest way to secure your application withoutrequiring access to your software source code.

Sentinel LDK Envelope provides both graphical user interface (GUI) and command-line utilityoptions. The graphical interface enables you to:

n Protect Windows and .NET executables and DLL files, and Java executables

n Enhance the protection of .NET and Java executables by defining Method-level protection

n Protect Mac Mach-o binaries

n Protect 32-bit and 64-bit Linux executables and shared objects

n Define a variety of global protection parameters for your program

n Specify a Vendor Code to authenticate the presence of a specific Sentinel protection key

n Customize the run-time messages that will be displayed to end users running protectedapplications

In addition to linking protected applications to a specific Sentinel protection key, Sentinel LDKEnvelope wraps the application file with numerous protection layers that are randomly assembled.

The random multi-layer wrapping of protected applications by Sentinel LDK Envelopeensures that implemented protection strategies differ from one protected application toanother.

Command-line utilities enable you to protect:

n Win32, Windows x64, and .NET executables and DLL files

n Java executables

n 32-bit and 64-bit Linux executables and shared objects

n Mac binaries

The command-line utilities also enable you to easily apply protection parameters that weredefined using the Sentinel LDK Envelope GUI. This simplifies the process of reapplying protectionparameters to your application during the development process.

Basic Protection Workflow

This section provides a workflow that describes the elements of protecting applications usingSentinel LDK Envelope. Additional information about specific procedures is provided in theSentinel LDK Envelope help system.

1. Launch the Sentinel LDK Envelope graphical interface from Sentinel Vendor Suite.

2. Add the executable, library, or .NET assembly you want to protect to the project.

3. Define protection parameters for the protected application.

4. Protect the program.

5. Distribute the protected software together with your encrypted Sentinel protection keys.

Sentinel LDK Envelope does not affect the files being protected. However, it is highlyrecommended that you designate a separate output folder for the protected application inorder to distinguish between source (unprotected) and output (protected) files.

Sentinel LDK Envelope protection involves the application of protection parameters that arecontrolled by the engines running Sentinel LDK Envelope. You apply these parameters to anunprotected source.

Sentinel LDK Envelope does not affect the original files or the way a protected application actuallyworks. The only modification is that user access is conditional on the presence of a requiredSentinel protection key. If the Sentinel protection key is present, the protected file runs.

The logic of Sentinel LDK Envelope protection is illustrated in the following diagram. Note that theoriginal file can be a Win32, or Windows x64 executable or DLL; a Windows .NET assemblyexecutable or dynamic library; a Java executable; a Linux executable or shared object; or a Macbinary.

To ensure the highest level of security for your software, Sentinel LDK Envelope for Win32removes debugging data from the programs that it is protecting.

It is recommended that Linux software engineers strip extraneous symbols from the executableprior to protecting with Sentinel LDK Envelope.

Required and Optional Protection Parameters

This section outlines the mandatory and customizable parameters that can be specified forprotecting software with Sentinel LDK Envelope.

Mandatory Parameters

The following information must be provided in order to protect software using Sentinel LDKEnvelope:

n Input file location: You must specify the location of the program that you want toprotect. By default, this is the directory from which you added the program to theproject.

Functionality 57


n Output file location: You must specify the directory where the protected output will besaved. By default, the directory is:

%LocalAppData%\Gemalto\Sentinel LDK 7.6\VendorTools\VendorSuite\Protected

n Vendor Code: You must provide a valid Vendor Code in order to access aSentinel protection key. On initial activation of Sentinel LDK Envelope, the default VendorCode is specified as DEMOMA. Select your Vendor Code in the Sentinel Vendor Codescreen.

This information is sufficient to protect a program.

General Customizable Parameters

The customizable parameters described in this section are identical for all supported applications,assemblies and dynamic libraries.

n Feature ID: You can select a unique Feature to protect your program. For additionalinformation about Features, see "Using Features to Protect Programs" on page 58.

n Protection key search mode: You can determine where a protected application searchesfor the Sentinel protection key. For additional information, see "Searching for aSentinel protection key" on page 58.

When enabling or disabling some features you might reduce the level of protectionprovided by the software.

Searching for a Sentinel protection key

Sentinel LDK Envelope enables you to determine where a protected application searches for arequired Sentinel protection key.

The following options are available:

n Local and remote: The protected application first searches the local machine for arequired Sentinel protection key (default), and then the network.

n Local only: The protected application searches only the local computer for a requiredSentinel protection key.

n Remote only: The protected application searches only the network for a requiredSentinel protection key.

Using Features to Protect Programs

A Feature is an identifiable functionality of a software application. Features may used to identifyentire executables, software modules, .NET or Java methods, or a specific functionality such asPrint, Save or Draw. Each Feature is assigned unique identifier called a Feature ID. The defaultFeature ID in Sentinel LDK Envelope is Feature ID 0.

For additional information on Features and licensing, see "Identifying Functional Components(Features) " on page 105 and "Managing Features " on page 114.

When you protect a Win32, Windows x64, Mac or Linux application with Sentinel LDK Envelope,you specify a single Feature ID for the entire executable. If you wish to apply unique Features to

separate components or functionalities, you must use the Sentinel Licensing API. For additionalinformation, see "Chapter 4: Sentinel Licensing API Protection" on page 45.

Protecting .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you have the flexibility to specifyFeatures at two levels:

n A global Feature that relates to the entire .NET assembly, with the exception ofindividually-protected methods. For additional information, see "Global Features in .NETAssemblies" on page 65.

n Method-specific Features. For additional information, see "Method-specific Features andParameters in .NET Assemblies" on page 65.

At run-time, a protected .NET assembly searches for all Features in the Sentinel protection key.

Sentinel LDK Envelope for WindowsThis section describes how to use Sentinel LDK Envelope on Windows platforms.

Prerequisites for Windows

To use Sentinel LDK Envelope, all of the following components must be installed on your system:

n Sentinel LDK Run-time Environment

n Sentinel Vendor Suite

n A valid Vendor Code stored in the VendorCodes folder. For additional information, see"Extracting the Vendor Code from Sentinel Vendor Keys" on page 47.

n dfcrypt.exe (if you are planning to encrypt data files by means of a command line)

n The Win32, Windows x64, .NET or Java executables or DLLs that you want to protect

n .NET Framework 2.0 or later (if you are protecting .NET assemblies)

Running Sentinel LDK Envelope

In the Start menu, select Programs > Gemalto Sentinel > Sentinel LDK > Vendor Suite. From theSentinel Vendor Suite program selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope Protection Parameters

After your program has been included in a Sentinel LDK Envelope project, protection can beperformed effortlessly, based on the default Sentinel LDK Envelope settings. In addition, you candefine and calibrate a range of protection parameters that affect the attributes and behavior ofthe protected application.

Sentinel LDK Envelope for Windows 59


Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific program in the Project pane and,from the Protection Details screen, view and edit the application’s parameters using the followingthree tabs:

n General tab

n Advanced tab

n Protection Settings tab

All parameters are detailed in the Sentinel LDK Envelope help system.

This section provides an overview of the Sentinel LDK Envelope protection settings that arecommon to all program types. Mandatory parameters that are required in order to protect aprogram are described in "Mandatory Parameters" on page 57. Other common parameters aredescribed in "General Customizable Parameters" on page 58.

Sentinel LDK Envelope also provides settings that are specific to the type of program protected.

n For additional information about settings for Win32 or Windows x64 programs, see"Protecting Windows Programs" on page 60, and "Accessing and Protecting Data Files" onpage 63.

n For additional information about settings for .NET assemblies, see "Protecting .NETAssemblies" on page 64, and "Code and Symbol Obfuscation in .NET Assemblies" on page67.

n For additional information about settings for Java executables, see "Protecting JavaExecutables" on page 71.

Protecting Windows Programs

When you protect a Windows program with Sentinel LDK Envelope, you can determine protectionattributes and aspects of the behavior of the protected application.

Protected Application Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Win32 andWindows x64 programs:

n The frequency at which random queries are sent to a Sentinel protection key. Thesequeries include random encryption and decryption procedures.

n The time interval between checks for the presence of a required Sentinel protection key.

n Whether support for programs that require overlays to execute correctly should beenabled.

n The length of time that the protected application waits for the Sentinel LDK Run-timeEnvironment to load.

Protection Attributes

You can define specific security attributes for protected Win32 and Windows x64 programsincluding parameters for:

n Detection of both system and user-level debugging measures. You can activate measuresto be undertaken by the Sentinel LDK system to block potential attacks intended toundermine the protection scheme.

n Specifying the frequency of Sentinel protection key access for encryption. The parametercontrols the compactness of the Sentinel protection key calls made by the protectedapplication.

Run-time User Support

You can customize run-time messages for end users who are using applications protected bySentinel LDK Envelope. Sentinel LDK Envelopeincludes a set of message codes. Each code is mappedto a corresponding message that is displayed at run-time of the protected application.

In addition, you can choose to display a message for end users during startup of a protectedapplication that explains there may be delays due to required data decryption.

Calling Licensing API Functions From DllMain

In Windows and .Net, DLLs are loaded at run-time according to the order in which they werelinked while building the application. During protection of the application or DLL with Sentinel LDKEnvelope, the Licensing API is integrated into the protection application. The Licensing APIsometimes calls functions that are external to KERNEL32 from DllMain, which is not recommendedby Microsoft. This can cause the protected application to crash, because the protected DLL isloaded and executes before the required setup has been completed.

To prevent this occurrence, Gemalto recommends that you do one of the following:

n Use the External License Manager (hasp_rt.exe). When using the External LicenseManager, the Licensing API calls only KERNEL32 functions. This is the preferred solution,and this is the only solution that satisfies the Microsoft recommendation that you callonly KERNEL32 functions from DllMain.

n If using the External License Manager is not an option, add the protected DLL at the endof the import list of the application. This problem does not occur when the DLL is loadedwith LoadLibrary() as the latest library.

For more information regarding the External License Manager, see "Types of License Managers"on page 176.

Enhancing Protection With "AppOnChip"

Sentinel LDK Envelope incorporates AppOnChip protection to significantly increase the security ofan application that is protected with a Sentinel HL (Driverless configuration) key.



Currently, the following limitations apply for the application to be protected using AppOnChip:

n .NET assemblies are not supported.

n You cannot use AppOnChip to protect the Licensing API DLL.

n AppOnChip protection cannot be applied to applications and DLLs that have already beenprotected with tools from other vendors or sources.

An application that is protected using AppOnChip is not compatible with Sentinel SL keysor with any HL keys other than Sentinel HL (Driverless configuration) keys.

If the protected application will be licensed using a Sentinel HL Basic key or Sentinel HL Prokey, you must connect a Sentinel Developer key or Master key that contains theAppOnChip module at the time that you protect the application. For more information,see "AppOnChip Module" on page 262.

Once enabled, AppOnChip uses a code transformation engine to analyze the application code.AppOnChip determines which functions are eligible to be executed by the Sentinel HL key. Theeligible functions are listed in a table on the AppOnChip tabbed page in the Sentinel Envelopeinterface.

AppOnChip identifies the functions contained in the application as follows:

n AppOnChip looks for the map file in the application. If the application was compiled withMicrosoft Visual Studio compiler, AppOnChip uses the map file generated by the compilerto identify the eligible functions. (Map files from other compilers cannot be processed byAppOnChip.)

n AppOnChip searches in the application code for exported functions and adds them to thelist of eligible functions.

You examine the list of eligible and selected functions, and modify the selections to include onlythose functions that you want AppOnChip to protect.

AppOnChip also provides a Performance Profiling facility. This facility creates a specialized versionof your application that can be used to accumulate real-life statistics on the usage of selectedfunctions in the application. The accumulated information is then used by AppOnChip to help youfine-tune the list of functions to be protected using AppOnChip.

When Envelope generates the protected application, AppOnChip automatically extracts the codeor code segments for selected functions from the protected binary of the application and replacesthe extracted code with a placeholder. The extracted code is encrypted and signed with a vendor-specific sign key, and saved as part of the protected application.

Note that with the supported compiler (described above), the protection process is fullyautomatic. It is not necessary for you to make any changes to your application code toaccommodate this process.

At run-time, when the application calls one of the protected functions, the encrypted functioncode is uploaded to the Sentinel HL key. Within the key, the code is decrypted and loaded into avirtual machine. Once loaded, the code is executed by the virtual machine. The output of the codeis passed back to the protected application through the placeholder that was inserted into thefunction during the protection process.

As a result of this process, protected functions are never exposed in any manner that wouldenable a cracker to analyze or disassemble the code.

For more information regarding the AppOnChip functionality, see the Sentinel LDK Envelope helpsystem.

Accessing and Protecting Data Files

When you use Sentinel LDK Envelope to protect a Windows application, you can add thecapability to access and write data to protected data files.

A given protected application can be equipped with either of two modes of data file protection:

n Version 1 - This is appropriate for general-purpose data files. In this mode, the contentsof the data files are encrypted. The data files can only be accessed by applications thathave been protected with the vendor's unique Vendor Code and that have been providedwith a specific encryption key.

n Version 2 - This is appropriate for important data files that you want to license separately,such as training video files and courseware. In this mode, the data files are encrypted andprotected by assigning a Feature ID. Only users that purchase the specific license requiredfor the files are able to access the files.

For a complete description of the available data protection options, see "Chapter 7: ProtectingData Files" on page 81.

Running Sentinel LDK Envelope from a Windows Command Line

Sentinel LDK Envelope can be initiated using a command-line prompt. This is useful when runningautomated processes that do not require a graphical interface.

The command-line version of Sentinel LDK Envelope is primarily used for automatedprocesses. Before running the command-line utility, create and save protection projectsusing envelope.exe.

To access the command-line version of Sentinel LDK Envelope, go to:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\VendorTools\VendorSuite\envelope.com

(For Windows x86, go to: %/ProgramFiles%\)

To start the command-line version of Sentinel LDK Envelope, type ENVELOPE in the command line.

Command-line Options

The table that follows describes parameters that are available for use with the command-lineversion of Sentinel LDK Envelope.



Command Description

-h--help

Displays the list of command-line parameters. Press Enter to return tothe command-line console.

-p <project>--protect <project>

The command-line utility uses the specified project as input data forthe application-wrapping process—all the files included in the projectare protected.

<project> The command-line version starts the GUI version with the specifiedproject running as the current project.

Protecting .NET AssembliesSentinel LDK Envelope provides significant flexibility when protecting .NET assemblies. In additionto global protection settings that you specify using the Protection Details and ProtectionTemplate Settings functionalities, you can also specify Method-level protection, by definingindividual methods in the .NET assembly.

You can also define protection settings in your source code using custom attributes.

For details about the prerequisites for protecting a .NET assembly, and other considerations totake into account, see ".NET Considerations" on page 64.

When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature thatprotects the entire assembly. For additional information, see "Global Features in .NET Assemblies"on page 65.

In addition to the global Feature, you can define Features for individual methods. You can alsodefine other method-specific parameters. For additional information, see "Method-specificFeatures and Parameters in .NET Assemblies" on page 65.

You can also apply different levels of obfuscation to your .NET assembly. For additional information,see "Code and Symbol Obfuscation in .NET Assemblies" on page 67.

Envelope can protect mixed-mode .NET applications. Only managed code is protected.

.NET Considerations

When protecting .NET assemblies, consider the following issues:

n You must protect your assemblies in a development environment. Sentinel LDK Enveloperequires libraries that are not part of the .NET framework, but are included in thedevelopment environment.

n Sentinel LDK Envelope for .NET requires access to all assemblies and their dependencies.

n Sentinel LDK Envelope breaks the strong name signature of signed assemblies. You canchoose to re-sign the assembly in Sentinel LDK Envelope, as part of the protectionprocess.

n When you protect a .NET Framework 1.x assembly, the Sentinel LDK Envelope output is inFramework 2.0, requiring Framework 2.0 to be installed on the end-user machine.

n For your protected .NET assembly to function at run-time, a Sentinel LDK DLL is required.For more information, see "Sentinel LDK Run-time Environment" on page 163.

Global Features in .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature thatprotects any methods that have not had individual protection parameters applied. The globalFeature is also used when background checks are implemented.

Method-level Protection

When you select a .NET assembly for protection, Sentinel LDK Envelope automatically determinesthe Protection type that will provide the best protection for your program, depending on whetheryou are protecting an executable or a DLL. The Protection type determines the methods that areavailable for individual protection.

It is recommended that you do not change the automatic Protection type settings.

This section describes how you select individual methods and the behavior of different methodtypes, in addition to the parameters you can select for the methods.

Selecting .NET Methods for Protection

The .NET assembly is displayed in the Protection Details screen, in the Methods selected forprotection list. The list displays class constructors and methods, in a tree layout that mimics thestructure of the .NET assembly.

Items in the list are identified by icons that indicate the method type, and by the class or methodname. Method signatures are displayed as a tool tips.

When the check box to the left of a method is selected, that method is selected for Sentinel LDKEnvelope protection.

n Selecting or clearing the check box of a higher-level item does not affect nesteditems. For example, if you clear the check box of a class constructor, methodsnested under it remain selected.

n When a method name is grayed-out, it cannot be selected for protection.

n If the Protection type is Only Win32 shell or Only Windows x64 shell, youcannot protect individual methods in that .NET assembly.

n An assembly cannot be protected when the check boxes for all items in the listhave been cleared.

Method-specific Features and Parameters in .NET Assemblies

You can use Sentinel LDK Envelope to define separate Feature IDs for individual methods inyour .NET assembly. This enables you to:

n Make use of the separate encryption key inherent in each Feature to provide enhancedsecurity for individual methods

Protecting .NET Assemblies 65


n Determine how often the protected application logs into an individual method

At run-time, the protected application searches for all relevant Feature IDs in theSentinel protection key.

You can determine how often the protected application logs into each Feature ID in theSentinel protection key and performs decryption using that Feature ID by specifying the Frequencyfor specific methods.

n You can only specify the Feature ID and Frequency for methods that have beenselected for protection.

n If the Protection type is Only Win32 shell or Only Windows x64 shell, youcannot specify a Feature ID or Frequency for individual methods.

n You can select multiple methods and specify the same Feature ID and Frequencyfor all selected items.

The available Frequency options are described in the following table:

FrequencyType

Description

Once perprogram(Default)

A check is performed the first time a method using the Feature ID indicated for thatmethod is called, regardless of the number of methods that share the sameFeature ID across the program.

Once perclassinstance

A check is performed when the method is run, once for each Feature ID within thesame class.If the same Feature ID is also assigned to the class constructor, the check isperformed the first time the .ctor method is run.If the same Feature ID is used in other classes, the check is performed separatelyfor each class.

The Once per class instance frequency is available only for Instancemethods.

Every time A check is performed every time the method is called

Recommendations:

n Use the Once per Application default setting. The Once per Instance and Every timesettings may slow the performance of your program.

n If a counter-based license is being defined, use the Every time setting only for the methodthat determines licensing, as the counter is decremented every time the method is called.

If you choose to assign separate Feature IDs for individual methods, you must ensure that yourapplication code can only call the Feature IDs for those methods for which a valid license has beeninstalled in a Sentinel protection key.

If methods that do not have a valid license in a Sentinel protection key are called, it will causeSentinel LDK Envelope to generate an error loop that can only be stopped by installing a validlicense.

An API is provided as part of the Sentinel LDK installation that enables you to ensure that the errorloop does not occur. The .NET Envelope Runtime API is located in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Samples\Envelope\EnvelopeRuntime.NET

(For Windows x86, in: %ProgramFiles%\)

For information on using this API, see .NET_Envelope_Runtime_API.html in the above location.

Code and Symbol Obfuscation in .NET Assemblies

Obfuscation is the process of turning meaningful strings into random strings of letters ornumbers. Using Sentinel LDK Envelope, you can apply obfuscation as an anti-reverse engineeringsecurity measure.

By default, all symbol names in the protected .NET assembly are obfuscated as part of theprotection process. In addition, you can choose to obfuscate the entire code of a selectedmethod. Since code obfuscation may slow the performance of your program, it is not selected bydefault.

You can apply Code obfuscation to a method regardless of whether it is selected for protection inthe Methods selected for protection list.

Exception Handling in Protected .NET DLL Assemblies

Given the following circumstances:

n A .NET DLL assembly is protected with Sentinel LDK Envelope.

n An application (protected or unprotected) calls the .NET DLL assembly.

n An appropriate license for the .NET DLL assembly cannot be located.

The .NET DLL assembly will raise a system exception. This is the expected behavior. The applicationthat called the .NET DLL assembly should contain appropriate code to catch the exception andhandle it. For example, the application can display a message stating that the user must connectan HL key that contains the required license.

Note that for an EXE assembly, the code added by Sentinel LDK Envelope can notify the user thatthe required protection key was not found and can quit the program because this issue isdetected at program startup. But a .NET DLL assembly can be called at any point during aprogram’s execution, so it is up to the developer to decide how to respond in the event that therequired license is not found.

Defining Sentinel LDK Envelope Protection Settings in Source Code

Instead of specifying your protection settings using the Sentinel LDK Envelope GUI, you can usethe .NET framework custom attributes for the Aladdin.HASP.Envelope assembly to adddefinitions directly to your source code.

The custom attributes can be applied to assemblies, classes, and methods. Protection settings inyour source code are processed according to hierarchy, in descending order of method, class, andassembly.

Protecting .NET Assemblies 67


For more information, see .NET_Envelope_Configuration_API.html. This document can be foundin the following location:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Samples\Envelope\EnvelopeRuntime.NET

(For Windows x86, in: %ProgramFiles%\...)

Sentinel LDK Envelope for Linux Intel ApplicationsSentinel LDK Envelope protection can be implemented for Linux Intel executables and sharedobjects using a command-line utility.

For a complete description of the Sentinel LDK Envelope command-line utility for Linux Intelapplication, see the Sentinel LDK Envelope for Linux User Guide. This book can be found under\Linux\Docs\Manuals & Tutorials\ in the Sentinel LDK for Linux installation and on the SentinelLDK Installation Drive.

Sentinel LDK Envelope for Mac BinariesSentinel LDK Envelope for Mac enables you to protect Mach-O executables and dynamic libraries(referred to as binaries). Both GUI and command-line versions of the application are available.

Before using Sentinel LDK Envelope for Mac, it is recommended that you familiarize yourself withthe general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that isprovided at the beginning of this chapter.

Sentinel LDK Envelope Prerequisites for Mac

To use the Sentinel LDK Envelope utility, all of the following components must be installed on yoursystem:


n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master Wizard


n The Mac binaries that you want to protect

Running Sentinel LDK Envelope for Mac

Navigate to the location in which Sentinel LDK is stored. Select MacOS > VendorTools >VendorSuite > Envelope. Sentinel LDK Envelope is launched.

To access the command-line version of Sentinel LDK Envelope, go to:...\MacOS\VendorTools\VendorSuite\envelope_darwin

Type envelope_darwin -h in the command line to start the command-line version of Sentinel LDKEnvelope.

Sentinel LDK Envelope for Mac Protection Parameters

After your Mac executable or dynamic library has been included in a Sentinel LDK Envelopeproject, protection can be performed effortlessly, based on the default Sentinel LDK Envelopesettings. In addition, you can define and calibrate a range of protection parameters that affect theattributes and behavior of the protected binary.

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific binary in the Project pane and,from the Protection Details screen, view and edit the binary’s parameters using the followingthree tabs:

n General tab

n Advanced tab

n Protection Settings tab

All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Accessing and Protecting Data Files

When you use Sentinel LDK Envelope to protect a Mac application, you can add the capability toaccess and write data to protected data files.

A given protected application can be equipped to create, access, and update protected data files.The data files can only be accessed by applications that have been protected with the vendor'sunique Vendor Code and that have been provided with the encryption key that was used toprotect the files.

You can use Sentinel LDK Data Protection utility to pre-encrypt data files that you want to delivertogether with the protected application.

For a complete description of the available data protection options, see "Chapter 7: ProtectingData Files" on page 81.

Sentinel LDK Envelope for Java ExecutablesSentinel LDK Envelope for Java enables you to protect JAR and WAR executables. Before usingSentinel LDK Envelope for Java, it is recommended that you familiarize yourself with the generalSentinel LDK Envelope information about Sentinel LDK Envelope protection that is provided at thebeginning of this chapter.

Protection of your software is performed on a Windows machine, after which you distribute theprotected software together with the appropriate Java run-time libraries for the end-useroperating system—Windows, Mac, or Linux.

Java applications that have been obfuscated, or protected using third-party tools, are notsupported by Sentinel LDK Envelope.

Sentinel LDK Envelope for Java Executables 69


Java Considerations

When protecting Java executables, consider the following issues:

n The methods selected for protection by Sentinel LDK Envelope by default are not theoptimal choices for your application or library. You must review and modify the list ofselected methods to provide the best mix of security and performance. For moreinformation, see the description of optimizing protection settings in the Sentinel LDKEnvelope help system.

n Sentinel LDK Envelope does not support protection of Java paint methods, but it allowsyou to select them in the user interface. As a result, the protected application may causea deadlock when it executes a protected paint method at runtime with noSentinel protection key connected. To prevent this issue from occurring, you can deselectall paint methods. Note that paint methods do not usually contain application logic;therefore, deselecting them typically has no impact on security. As an alternative, you canselect console output for messages by enabling stderr output instead of windows in theAdvanced settings panel.

n When you test Sentinel LDK Envelope for the first time with your application, it isrecommended that you clear the default selection and start with the protection of a singlemethod that you want to protect. After you protect the method, test your application. Ifthe application works as expected, continue to protect additional methods and test aftereach addition until you have reached the desired protection selection for the application.Do not try to apply this selection to different applications.

n Sentinel LDK Envelope does not support protection of methods that use the Hibernateservice.

n Sentinel LDK Envelope does not support protection of methods that, in turn, useSynthetic methods that are created as bootstrap methods or as arguments of bootstrapattributes.

n Tomcat does not support Java 8 applications. Therefore, Java 8 protected applications arenot supported on Tomcat.

Sentinel LDK Envelope Prerequisites for Java

To use the Sentinel LDK Envelope for Java engine, all of the following components must beinstalled on your system:

n The Java JRE or JDK must be installed




n The JAR or WAR executables that you want to protect

Before your JAR/WAR archive is protected, include the following customized Sentinel Licensing APIdynamic libraries with the archive:

Operating System Customized Sentinel Licensing API Dynamic Libraries

Windows (32/64-bit) hasp_windows_****_<vendorId>.dll

Mac OSX hasp_darwin_<vendorId>.dylib

Linux (32/64-bit) libhasp_linux_***_<vendorId>.so

During protection of the Java applications, Sentinel LDK Envelope copies these librariesautomatically to the output directory.

For your protected Java executables to function at run-time, one or more Sentinel LDK DLLs arerequired. For more information, see "Sentinel LDK Run-time Environment" on page 163.

Running Sentinel LDK Envelope for Java Engines

In the Start menu, select Gemalto Sentinel > Vendor Suite. From the Sentinel Vendor Suiteprogram selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope for Java Protection Parameters

After your Java executable has been included in a Sentinel LDK Envelope project, protection can beperformed, starting from the default Sentinel LDK Envelope settings. In addition, you can defineand calibrate a range of protection parameters that affect the attributes and behavior of theprotected file.

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen andthe Default Protection Settings screen. You can select a specific Java executable in the Projectpane and, from the Protection Details screen, view and edit its parameters using the availabletabbed pages.

Protecting Java Executables

When you protect a Java executable with Sentinel LDK Envelope, you can determine protectionattributes and aspects of the behavior of the protected application.

Protected Application Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Javaexecutables:

n The compression level of protected classes.

n The time interval between checks for the presence of a required Sentinel protection key.

All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Defining Sentinel LDK Envelope Protection Settings in Source Code

Protection settings for an application are typically specified by using the Sentinel LDK Envelopeuser interface.

Sentinel LDK Envelope for Java Executables 71


For certain settings, the Java Envelope Configuration API provides an alternate method forapplying protection. Using this API, the developer can specify protection settings for methodsdirectly in the application’s source code.

For more information, see Java_Envelope_Configuration_API.html. This document can be foundin the following location:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Samples\Envelope\EnvelopeRuntimeJAVA


Sentinel LDK Envelope for Android ApplicationsSentinel LDK Envelope for Android enables you to protect Android applications. Sentinel LDKEnvelope protects the Android application and encrypts the entire DEX file for the application.

Before using Sentinel LDK Envelope for Android, it is recommended that you familiarize yourselfwith the general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that isprovided at the beginning of this chapter.

Protection of your software is performed on a Windows machine, after which you distribute theprotected software together with the appropriate Java run-time libraries.

Java applications that have been obfuscated, or protected using third-party tools, are notsupported by Sentinel LDK Envelope.

Sentinel LDK Envelope Prerequisites for Android

To use the Sentinel LDK Envelope for Android applications, the following components must beinstalled on your system:

n Android Developer Tools - ADT bundle




n The Android applications that you want to protect

For more information, see the Getting Started Guide for Android Applications.

Android Considerations

Sentinel LDK Envelope does not protect following types of classes/methods for Androidapplications:

n Static method

n Methods that refer to classes/methods that are not public or that are static

n Overridden “onCreate” methods

For additional considerations, see the Sentinel LDK Envelope help system.

Android Applications With Cyclic Dependencies

Method protection cannot be used when a cyclic dependency exists.

The following demonstrates an application with a cyclic dependency.

Given the following situation:

n Class A contains methods C1 (a constructor) and M1.

n Class B contains methods C2 (a constructor) and M2.

n Class B is a superclass of class A.

n Method C2 contains a call (direct or indirect) to M1.

n Method M1 is protected with Envelope (method protection)

The following events will occur:

1. When method M1 is executed, initialization steps for Envelope are performed. These stepsare triggered by the C1 constructor.

2. Before C1 is executed, C2 is executed (because class B is a superclass of class A).

3. C2 attempts to call M1.

4. Since Envelope initialization for M1 is not complete, the call to M1 fails.

Method protection cannot be used when this type of situation exists. To protect the application,either remove the cyclic dependency or use only DEX file encryption.

Do not protect a shared object which is being loaded before the launch of applicationstart-up activity. After protection, modified start-up activity will be the entry point forEnvelope runtime code. Therefore, it is not possible to decrypt a shared object that isloaded before activity launch.

Sentinel LDK Envelope for Android Applications 73

Chapter 6:Protection Strategies

Sentinel LDK provides the best hardware and software tools available in the market today. Thecontribution that Sentinel LDK can make to the protection of your software and intellectualproperty has already been well documented in the previous chapters. However, it is the strengthand sophistication of the strategies that you employ in partnership with Sentinel LDK that willtruly maximize your software protection.

In this chapter:


n "General Protection Guidelines" on page 76

n "Types of Attack and Their Sentinel LDK Defense" on page 77

OverviewParallel with advances in software and software security development, software crackers aredeveloping more sophisticated means of deconstructing software protection measures—in orderto duplicate and distribute illegal copies of unlicensed software—and to reverse engineer code inorder to steal intellectual property.

To maintain the rights to your revenue stream, it is essential that you remain vigilant about thestrategies of your “enemies”, and that you continually and wisely implement the latest andstrongest techniques for protecting your software.

The degree of investment that you make in limiting the ability of software crackers to illegallyaccess your software will depend on a number of considerations, including:

n The value of your software

n The history of previous cracking attempts related to your software

n The geographical region in which your software will be distributed

n The target market for your software (for example, whether it is intended to be sold toindividual consumers, small office/home office users, or enterprise users)

There is no software protection that is absolutely uncrackable. However, if you constantlyimplement up-to-date strategies using the strongest software protection methods, yousignificantly decrease your vulnerability to such attacks.

6

76 Chapter 6: Protection Strategies

This chapter describes general protection strategies for software vendors. It then outlines some ofthe methods that software crackers employ in order to identify and negate software protectionand security, and recommends Sentinel LDK measures that you can use to enhance your softwaresecurity.

In addition to the information described in this manual, our team of Gemalto Consultantsprovides personalized assistance in strengthening software security and protection. They canprovide help on a wide range of issues, including additional protection strategies andimplementation techniques.

For information on consultation services offered by Gemalto, contact your local Gemaltorepresentative.

General Protection GuidelinesThe following guidelines should be followed, regardless of the software protection strategies beingimplemented.

Gemalto thoroughly and constantly investigates potential and actual threats to software security,and Sentinel LDK is continuously being updated to counter such threats—before they cancompromise the security of your software.

Use the Most Up-to-date Protection Software

Protection software updates generally include enhancements to counter the most recent threats.Always check for and use the most recent version of Sentinel LDK protection software that isavailable. The latest software can be downloaded from the Sentinel Web site, atsentinel.gemalto.com/SentinelLDK/InstallationDVD.

Constantly Re-evaluate Protection Strategies

Frequently consider what protection strategies you can upgrade or enhance to provide strongersecurity for your software.

Use Evolving Strategies to Prevent Predictability

Vary the strategies that you implement between your software releases. If a software cracker isable to detect a pattern to your protection strategies, the strategies can more easily be negatedor evaded.

Vary Behavior when Cracking Attempt is Detected

When a cracking attempt is detected (for example, through using a checksum—described later inthe chapter), delay the reactive behavior of your software, thus breaking the logical connectionbetween “cause” and “effect.” Delayed reaction confuses a software cracker by obscuring the linkbetween the cracking attempt and the negative reaction of the software to that attempt.

Behavior such as impairing program functionality when a cracking attempt is detected can be veryeffective. Additional behaviors could include causing the program to crash, overwriting data files,or deliberately causing the program to become inaccurate, causing the program to becomeundependable.

http://sentinel.gemalto.com/SentinelLDK/InstallationDVD

Types of Attack and Their Sentinel LDK DefenseIt is important to “know your enemy.” When you are well informed about the types of attacksthat a software cracker may make, you will be best able to devise and implement strategies thatlimit or prevent their success.

This section describes the elements of some of the more common attacks that software crackersuse, and refers you to specific Sentinel LDK strategies that you can implement to counter suchattacks.

Patching Executables and DLLs

A software cracker disassembles and/or debugs EXE or DLL files to find protected code. The actualfile is then patched in order to modify run-time flow, or to remove calls in the code.

Commonly, the software cracker sends a small, standalone patch executable that the end userruns in order to patch your software.

Sentinel LDK Solution

The more files that are protected, the longer it takes a software cracker to remove protection. Youcan protect multiple executable and DLL files using Sentinel LDK Envelope. You can also use theData Protection facility to encrypt and protect data files that are accessed by protectedapplications.

Modifying Key Memory

Licensing data is normally stored in the memory of a software protection key. A software crackerattempts to access the Protection Key memory in order to modify the licensing terms. Forexample, a depleted execution-based license might be changed to a perpetual license, or a featurethat has not been paid for might be enabled.


In the context of Sentinel LDK, Read-only memory (ROM) is a segment of the memory that cancontain data that the protected application can access, but cannot overwrite. Sentinel protectionkeys contain two ROM segments, one of which contains Sentinel LDK Feature-based licenses. Thesecond segment provides an area in which vendor-customized data can be stored. Thesesegments can only be updated using remote updates.

Sentinel LDK automatic Feature-based licenses utilize read-only memory of Sentinel protectionkeys. The different types of available licenses are sufficient for almost any licensing model.

You can customize your own licenses and still use a ROM segment in a Sentinel protection key’smemory. Note however that licenses that have been customized must remain static (for example,such licenses cannot include a decremented number of executions).

For additional information about licensing models, see "PART 5 - LICENSING MODELS" on page203.

Types of Attack and Their Sentinel LDK Defense 77


Emulating Protection Keys

To emulate the software of a protection key manufacturer, a software cracker creates anapplication that replays previously recorded calls, as if an actual protection key is returning thecalls.

Limited functionality emulators only record and replay calls. Full-functionality emulators alsoemulate the key, including its encryption. A software cracker requires access to the encryption keyto create a full-functionality emulator.

There are several places in which emulators can reside. Primarily, they are an attempt to replacethe driver.


Sentinel LDK provides a secure channel between an application and the Sentinel HL key. Data thatpasses between the protected application and the key is encrypted. Taking advantage of thesecure channel functionality between your application and a Sentinel HL key provides you with thestrongest possible protection.

A different encryption key is used in every session. This means that someone recording datapassing through the secure channel cannot replay the data, since the encryption key used toencrypt the data will differ from that used to decrypt the data.

Using Remote Desktops and Remote Desktop Solutions

When using the remote desktops of some operating systems, it might be possible for an end userwith a standalone protection key to enable software on multiple remote desktops simultaneously.


The Sentinel LDK protection includes mechanisms to determine if a protected application isrunning on a remote desktop. If such a situation is detected, and a Feature in the license is notspecifically enabled for remote desktops, the program will not function.

Cloning Hardware Keys

The software cracker reverse-engineers a hardware protection key, then creates duplicates. Suchan attack is extremely costly to the cracker, both in terms of the reverse engineering tools and theexpertise required. It is also costly in terms of ongoing production of hardware keys.


Sentinel HL keys are each unique and have their own ID. Keys that are in the same Batch Codeand behave identically are each uniquely encrypted, the key’s customized controller and memoryforming a unique locked pair. This means that if the memory of one Sentinel HL key is copied toanother Sentinel HL key, the second key will not function.

Clock Tampering

Clock tampering relates to either the system clock of the machine on which the protectedsoftware is running, or to a real-time clock contained in keys. The software cracker resets the timeto enable extended, unlicensed use of the software.


When implementing time-based licenses for your software, use one of the following keys:

n Sentinel HL Time or Sentinel HL NetTime keys. These keys provide a real-time clock.

n Sentinel HL (Driverless configuration) key. This key provides a virtual clock (V-Clock). Formore information, see "Appendix E: How Sentinel LDK Protects Time-based Licenses WithV-Clock" on page 285.

Both the clock itself, and the license which is stored in read-only memory, cannot be modified.

Additional Sentinel LDK-specific Strategies

This section describes additional general protection strategies that are available to users ofSentinel LDK.

Use Both the Sentinel Licensing API and Sentinel LDK Envelope

Maximize security by using the Sentinel Licensing API to implement calls to a Sentinel protectionkey, and protect the application with Sentinel LDK Envelope. Using one protection method doesnot preclude the use of the other.

Insert Multiple Calls in your Code

Inserting many calls, throughout the code, to the Sentinel protection key in order to check thepresence of the key, and binding data from the key with the software functionality, frustratesthose attempting to crack your software. Multiple calls increase the difficulty in tracing aprotection scheme.

You can also add obstacles to a potential software cracker’s progress by encrypting data that hasno bearing on the application. Similarly, you can divert attention by generating “noise” throughrandom number generators, time values, intermediate results of calculations, and othermechanisms that do not lead to meaningful results or actions.

Encrypt/Decrypt Data with a Sentinel protection key

Encryption and decryption processes are performed inside a Sentinel protection key, well beyondthe reach of any debugging utility.

Encrypting data with the Sentinel LDK AES-based encryption engine considerably enhancessoftware security. By encrypting data used by your application, the decryption process dependson both the presence of a Sentinel protection key and its internal intelligence.

By implementing a Sentinel Licensing API scheme in which data is decrypted by aSentinel protection key, the association between the protected application and theSentinel protection key cannot easily be removed. Cracking the software also necessitates thesoftware cracker decrypting the data.

Use a Checksum to Verify Integrity of Executable Files

Compare the value in the executable file with a checksum stored in Sentinel protection keymemory. If the two values are not equal, you can assume that someone has attempted to modify

Types of Attack and Their Sentinel LDK Defense 79


the files. Repeat this check in various places in the code, varying it in each place to make it moredifficult for a software cracker to detect.

This strategy is not necessary if you protect your application with Sentinel LDK Envelope.Envelope implements its own integrity checks and uses code encryption to preventmodification of the protected application.

Chapter 7:Protecting Data Files

This chapter describes how you can use Sentinel LDK Data Protection utility to protect data files.

In this chapter:


n "Data Protection Prerequisites " on page 85

n "Launching Sentinel LDK Data Protection Utility" on page 85

n "Data File Protection Plugin " on page 86

n "Licensing Data Files—Getting Started" on page 87

n "Working With the dfcrypt Command Line Utility" on page 90

OverviewThe material contained in a data file can represent a significant investment in time, effort, andmoney. For example, a data file may contain valuable text-based, audio, or video courseware for atraining program.

Sentinel LDK provides you with a Data Protection facility to encrypt and (optionally) add licensingprotection to the contents of data files, similar to the licensing protection that is available forsoftware applications.

7

82 Chapter 7: Protecting Data Files

The Data Protection facility consists of the following components:

n Sentinel LDK Data Protection utility

This utility is used to protect data files that will be delivered together with a protectedapplication or as separate files. The utility can be invoked from within Envelope or as astandalone application. The utility does the following:

o The utility encrypts the data file. Once encrypted, the file can only be accessed byone of the modules described below.

o The utility optionally assigns a Feature ID to the data file. If this is done, the datafile can only be accessed if an appropriate protection key is available.

n Data Protection module

This module is optionally inserted into the protected application by Sentinel LDKEnvelope. This enables the protected application to access the data in a protected datafile. If the data file has been protected using the Version 2 protection mode (describedbelow), the data file can only be accessed if an appropriate protection key is available.

The Data Protection module can only be inserted into a protected executable file. Themodule cannot be inserted into a DLL or other library file.

A protected application with the Data Protection module can work with both protecteddata files and regular data files.

n Customized Data File Protection Plugin for Internet Explorer (Windows)

Sentinel LDK Master wizard generates a customized Data File Protection plugin for yourVendor Code. This module is optionally installed in a Web browser on the end user'smachine. The module enables the Web browser to display the following protected datafiles if an appropriate protection key is available:

o FLV files

o SWF files

o MP4 files played with HTML5

The protected data files that you provide to your customers can only be viewed with theData File Protection plugin that was generated for your Vendor Code.

The Data File Protection plugin is only compatible with data files that were protectedusing the Version 2 protection mode (described below).

Both the Sentinel LDK Data Protection utility and the Data Protection module provide two distinctmodes of operation:

n Version 1 (previously DataHASP)

In this mode, data files that are created by or accessed by a protected application can beencrypted and decrypted by the Data Protection module in the protected application.However, there are no specific license requirements to access the data files.

If you want to deliver data files together with the protected application, you can use theSentinel LDK Data Protection utility to encrypt these files.

The protected data files that can be accessed by a protected application are managed bysetting up the following controls in Sentinel LDK Envelope:

o Data filters - File masks that set rules to determine the names and file types ofprotected files that the protected application can access.

o Data encryption key - An eight-character key used to add an extra layer ofencryption for protected data files. The same key must be provided in Sentinel LDKEnvelope for each protected application that will access a given protected data fileor collection of protected data files. This key is also used by the Data Protectionutility to encrypt the data files.

Version 1 is supported for data files to be accessed under Windows, .NET (Windowsshell), or Mac.

n Version 2

In this mode, you can both encrypt and license data files with the Sentinel LDK DataProtection utility. Each data file or group of data files is assigned a specific Feature ID. Toaccess the data file, the end user requires a protection key with a license for the relevantFeature ID. By distributing the relevant Feature IDs among various Products, you caneasily manage the licensing of a large collection of data files.

This mode is especially suited for educational data and courseware. Data files protected inthis mode are protected against video capture software that runs on the machine wherethe user is viewing the protected video file.

Overview 83


The data file can be accessed and modified by one of the following:

o A protected application with the Data Protection module (Version 2). Theapplication and the data file must be protected with the same Batch Code.

o A Web browser with the vendor's customized Data File Protection plugin.

In this mode, the protected application cannot create a new protected data file. Howeveryou can manually create an empty data file, protect it with the Sentinel LDK DataProtection utility, and deliver the file together with the protected application. Theprotected application can add content to the protected data file.

Under Android, files protected with Version 2 data protection mode should beregarded as read-only. If a protected data file is modified or overwritten by theprotected application on the end user's device, the file is written in clear text(decrypted).

For protected data files that are accessed using a protected application, the locking typefor the data files is identical to the locking type for the application. For protected data filesthat are accessed using the Data File Protection plugin, the locking type allows all types ofHL and SL keys to be used for licensing.

Version 2 is supported for data files to be accessed under Windows, .NET (Windowsshell), or Android.

To use Version 2 data protection mode, you must have the Advanced DataProtection module on your Sentinel Master key or Developer key.

When to Protect Data Files

Protect your data files if:

n You want to maximize your software’s security. When your software is being protected,consider adding another layer of security by protecting those data files that are accessedby your software.

n You want to protect your intellectual property. Your data files may represent a significantinvestment, so it is worthwhile preventing your intellectual property from being exposedwithout protection.

n You want to license your data files. You can assign a different Feature ID to each data fileor to a group of data files. By distributing the relevant Feature IDs among variousProducts, you can easily manage the licensing of a large collection of data files.

Users of Sentinel LDK Data Protection Utility

Anyone involved in the production or maintenance of data files for your protected softwareshould use Sentinel LDK Data Protection utility. This could include people in roles such as graphicartists, information developers, or accountants.

Data Encryption for Mac

Sentinel LDK Envelope for Mac provides the capability for a protected application under Mac OS Xto encrypt and decrypt data that is written to and read from an external file.

Data files that will be delivered together with the protected application must be pre-encryptedusing the Sentinel LDK Data Protection utility for Mac or for Windows.

When using Sentinel LDK Data Protection utility to encrypt files for Mac:

n The Data Protection utility ignores TYPE/CREATOR for files.

n The Data Protection utility does not work with document types stored in File Bundles (forexample: Keynote presentations) since these are directory structures and not typical files.

Data Protection PrerequisitesTo use the Sentinel LDK Data Protection utility, you must prepare the following items:

n Sentinel keys

To protect data files with Version 2 data protection mode, you must connect yourSentinel Developer key or Sentinel Master key with the Advanced Data File Protectionmodule to your machine.

If you are using Version 1 data protection mode, you can use a Sentinel HL or SLprotection key with the appropriate Batch Code instead of the Developer key or Masterkey.

n (For Version 1 mode) Before protecting data files, you must create a Sentinel LDKEnvelope project containing one or more programs for which data protection has beenenabled and data filters have been defined. The data filters must include the data filesthat you want to protect.

If two or more protected applications will access a given protected data file, the samedata encryption key must be defined in all the relevant protected applications.

Launching Sentinel LDK Data Protection UtilityYou can launch Sentinel LDK Data Protection utility as follows:

n Directly from Sentinel LDK Envelope.

n From the Start menu, select Sentinel LDK Vendor Suite. From the Vendor Suite programselection screen, select Additional Tools > Sentinel LDK Data Protection Utility.

n You can click the datahasp.exe file, located in the following directory on your system:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\VendorTools\VendorSuite\


Data Protection Prerequisites 85


Data File Protection PluginGiven the following circumstances:

n You are distributing any of the following types of multimedia files, protected withVersion 2 data file protection.

o FLV files

o SFW files

o MP4 files played with HTML5

n You want your customers to view these files using the Internet Explorer Web browser.

Each end user must install your customized version of the Data File Protection plugin in InternetExplorer in order to view these files.

A version of the plugin for the DEMOMA Batch Code is provided in the Sentinel LDK installation inthe following path:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\VendorTools\Utilities\Data File ProtectionPlugin\Data File Protection Plugin.msi


When you introduce your Sentinel Master key or Sentinel Developer key, the Sentinel MasterWizard generates the customized version of this plugin for your Batch Code. The generated plugincan be found in the following location:


%UserProfile%\Documents\Gemalto\Sentinel LDK 7.6\Utilities\Data File Protection Plugin

n For Windows XP:

%UserProfile%\My Documents\Gemalto\Sentinel LDK 7.6\Utilities\Data File ProtectionPlugin

The name of the customized file is Data File Protection Plugin_BatchCode.msi.

To install the MSI plugin, the end user simply double-clicks the file and accepts all default values inthe installation wizard.

The requirement for generating and for installing the plugin are described in the Sentinel LDKRelease Notes:

n The requirements for using the Master Wizard to generate the Data File Protection plugincan be found under: "Supported Platforms for Vendors" > "Sentinel LDK Vendor Tools"

n The requirements for installing the Data File Protection plugin can be found under:"Supported Platforms for End Users" > "Data File Protection Plugin for Internet Explorer"

Licensing Data Files—Getting StartedThis section demonstrates how to get started with licensing of data files.

The following procedures are described:

n Licensing an FLV file to be viewed using Internet Explorer.

n Licensing data files to be accessed using a proprietary application.

In each case, instructions are provided for working with the HL Demo key (DEMOMA Batch Code).

If you prefer to work with your own Batch Code (or if you do not have an HL Demo key),prepare an HL or SL key that contains a license for Features 0 and 42. Use this key insteadof the Demo key where required. Where the Vendor Codes file is required, use yourunique Vendor Codes file instead of the DEMOMA Vendor Codes file. Connect your Masterkey or Developer key (with the required module) to your machine.

It is assumed that you already have a basic familiarity with Sentinel LDK. If not, perform thelessons provided in the Sentinel LDK Software Protection and Licensing Tutorial, describedelsewhere in this book.

Licensing an FLV File to be Viewed Using Internet Explorer

This procedure demonstrates how to protect and license an FLV data file to be viewed withMicrosoft Internet Explorer.

For this procedure, you will use Internet Explorer and a provided FLV file to represent the data filethat you want to protect. The FLV file will be licensed with Feature ID 42. (A license for this Featureis already present on Demo key.)

How to Protect the Data File

1. Copy the following directory to your desktop from the machine where Sentinel LDK isinstalled:

%ProgramFiles(x86)%\Gemalto Sentinel\SentinelLDK\VendorTools\VendorSuite\samples\DataProtection\flv\

(For Windows x86, go to: %ProgramFiles%\...)

2. Create the following directories on your desktop: FLV_42 and FLV_99.

3. From the Start menu, select Sentinel LDK Vendor Suite. From the Vendor Suite programselection screen, select Additional Tools > Sentinel LDK Data Protection Utility.

4. Do the following in Sentinel LDK Data File Protection utility:

a. From the menu bar, select File > New project.

b. In the resulting dialog box, browse to the DEMOMA Vendor Codes file. This canusually be found in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\VendorCodes\


Licensing Data Files—Getting Started 87


c. Select the DEMOMA.hvc file and click Open. The Batch Code field now displaysDEMOMA.

d. From the menu bar, select Actions > Add Files.

e. In the Files to Encrypt dialog box, click Add.

f. Browse to the test FLV file in the following path:

Desktop\flv\local\test.flv

g. Select the test.flv file. The file now appears in the Files to Encrypt dialog box.

h. Set the Feature ID field on the right side of the box to 42.

i. Set the output directory to Desktop\FLV_42.

j. Click OK. The dialog box closes, and the text file is listed in the main pane.

k. Repeat step d through step j above. However, this time set the Feature ID to 99 andset the output directory to Desktop\FLV_99.

l. From the menu bar, select Actions > Encrypt All. The FLV files are protected.

5. Close Sentinel LDK Data File Protection utility.

How to Access the Protected FLV File

1. Install the Data File Protection plugin as follows:

a. Browse to the directory %ProgramFiles(x86)%\Gemalto Sentinel\SentinelLDK\VendorTools\Utilities\Data File Protection Plugin\.


b. Double-click Data File Protection Plugin.msi. The plugin installer is launched. Acceptall defaults to install the plugin.

c. If Internet Explorer was active, restart it.

If you are working with your own Batch Code, install your customized Data FileProtection plugin. For more information, see "Data File Protection Plugin " on page86.

2. Connect the Demo (DEMOMA) key to your machine.

3. Copy test.flv from Desktop\FLV_42\ to Desktop\local\sample\flv\local\.

4. Open Desktop\local\sample\flv\local\sample.htm in Internet Explorer. The test.flv file canbe viewed successfully. (The Demo key contains a license for Feature 42. Therefore, the FLVPlayer can operate in Internet Explorer and display the file that was protected with Feature42.)

For the current release of Sentinel LDK, you must use the 32-bit version of InternetExplorer to view a protected data file.

5. Copy test.flv from Desktop\FLV_99\ to Desktop\local\sample\flv\local\.

6. Open Desktop\local\sample\flv\local\sample.htm in Internet Explorer. The test.flv filecannot be viewed in Internet Explorer. (The Demo key contains a license for Feature 42while this test.flv file requires a license for Feature 99.)

Licensing data files to be accessed using a proprietary application

This procedure demonstrates how to prepare a data file to be licensed and accessed with yourown application.

For this procedure, you will use a text viewer application (TextViewer.exe), provided by Gemalto,to represent your proprietary application, and a simple text file to represent the data file that youwant to protect. The text viewer will be licensed with Feature ID 0 and the data file will be licensedwith Feature ID 42. (Licenses for these Features are already present on the Demo key.)

How to Protect the Text Viewer Application and the Data File

1. Using the Windows notepad application, prepare and save two copies of a text file thatcontains the name of your organization (or any other text string). Name the files test_42.txtand test_99.txt.

2. Do the following in Sentinel LDK Envelope:

a. Add the TextViewer.exe application to a new Sentinel LDK Envelope project. Thisapplication can be found in:

%ProgramFiles(x86)%\Gemalto Sentinel\SentinelLDK\VendorTools\VendorSuite\samples\


b. In the Project pane, select the TextViewer program.

c. On the General tabbed page, select the Enable data file protection check box.

d. In the version list box, select Version 2.

e. Click Protect to protect the application. The application is protected and licensedwith Feature ID 0. Be sure to note the location where the protected application issaved.

f. Close the Protection Status box.

g. Save the Envelope project.

h. On the General tabbed page, click Encrypt Data. Sentinel LDK Data File Protectionutility is launched. The Batch Code field displays DEMOMA.

3. Do the following in Sentinel LDK Data File Protection utility:

a. From the menu bar, select Actions > Add Files.

b. In the Files to Encrypt dialog box, click Add.

c. Browse to the text files that you prepared in step 1 above. Select the test_42.txt file.The file now appears in the Files to Encrypt dialog box.

d. Set the Feature ID field on the right side of the box to 42.

Licensing Data Files—Getting Started 89


e. Set the output directory to the location where the protected text file should bewritten.

f. Click OK. The dialog box closes, and the text file is listed in the main pane.

g. Repeat step a through step f above. However, this time select the test_99.txt file,and assign it the Feature ID 99.

h. From the menu bar, select Actions > Encrypt All. The text files are protected.

4. Close Data File Protection utility and Envelope.

How to Access the Protected Data File

1. Open each protected text file with Microsoft Notepad or with the unprotected version ofthe TextViewer application. Random characters are displayed.

2. Connect the Demo key to your machine.

3. Open the protected version of the test_42.txt file with the protected version of theTextViewer application. The original text is successfully displayed. (The Demo key containslicenses for Features 0 and 42. Therefore, the protected TextViewer application can operateand the file that was protected with Feature 42 can be accessed.)

4. Open the protected version of the test_99.txt file with the protected version of theTextViewer application. Random characters are displayed. (The Demo key does not containa license for Feature 99.)

Working With the dfcrypt Command Line UtilityThe dfcrypt utility provides an alternative to the Sentinel LDK Data Protection utility. dfcryptenables you to encrypt data files by specifying the relevant information in a command line insteadof a graphical user interface.

The utility supports both Version 1 and Version 2 data protection modes.

n For Version 1: To run the utility, you must connect a Sentinel Vendor key or protectionkey with the relevant Vendor Code to your machine.)

n For Version 2: To run the utility, you must connect a Sentinel Vendor key with therelevant Vendor Code and with the Advanced Data Protection module (Feature ID 11) toyour machine.)

dfcrypt can only be executed on a Windows platform.

The dfcrypt.exe utility is located in the following path:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\VendorTools\VendorSuite\


To encrypt or decrypt data files using dfcrypt, enter the following command:

dfcrypt <options> <source> <destination>

The parameters used in the dfcrypt command line are described in the table that follows.

Parameter Description

options List of options that indicate the function to be performed by the dfcrypt utility.See the tables of options that follow.

source The file to be read and processed by the utility. To process multiple files, placethe files in a directory and specify the name of the directory for this parameter.

destination The file to be generated by the utility. If you specified a directory as the source,specify the name of directory to contain the generated output.

The options that determine the function to be performed by the dfcrypt utility are described inthe tables that follows. Each option can be specified using either of two formats.

Options for Version 1 Data Protection Mode

Option Action

-v:1--encver:1

This specifies that the data protection mode is Version 1.

-e--encrypt

dfcrypt reads the source file or directory and generates an encrypted file or adirectory of encrypted files. (This is the default action.)

-d--decrypt

dfcrypt reads an encrypted source file or directory and generates anunencrypted file or a directory or unencrypted files.

-c:<file>--vcf:<file>

Name of a Vendor Code file (mandatory).

-k:<key>--key:<key>

The encryption key to be used to encrypt or decrypt data files (mandatory). Youmust also specify this encryption key in Sentinel LDK Envelope for eachprotected application that will access the protected data files. The key mustcontain 8 printable characters. If you include special characters, enclose theentire command in quotation marks. For example: "-k:qe4<!r^B"

-o--overwrite

Overwrite destination files, if any.

-r--recursive

Enables recursive handling of all files in all subdirectories contained in thespecified source directory.

-q--quiet

Suppresses output by excluding copyright information and the progressindicator. Only error messages are displayed. This is particularly useful inMakefile integration.

For example:

dfcrypt -v:1 -c:demoma.hvc -k:4873Asdb data.txt data_crypt.txt

Encrypts the file data.txt using the specified Vendor Codes file and encryption key. Theencrypted file is written to data_crypt.txt.

dfcrypt --encver:1 --decrypt --recursive --vcf:demomb.hvc --key:4873Asdb myInputs

myOutputs

Decrypts all the files in the directory myInputs and in all contained subdirectories, usingthe specified Vendor Codes file and encryption key. The decrypted files are written to the

Working With the dfcrypt Command Line Utility 91


directory myOutputs.

Options for Version 2 Data Protection Mode

Option Action

-v:2--enver:2

This specifies that the data protection mode is Version 2.

-e--encrypt

dfcrypt reads the source file or directory and generates an encrypted file or adirectory of encrypted files. (This is the default action.)

-c:<file>--vcf:<file>

Name of a Vendor Code file (mandatory).

-f:<fid>--fid:<fid>

The Feature ID to be used to license the data file. (The default Feature ID is 0.)

-o--overwrite

Overwrite destination files, if any.

-r--recursive

Enables recursive handling of all files in all subdirectories contained in thespecified source directory.

-q--quiet

Suppresses output by excluding copyright information and the progressindicator. Only error messages are displayed. This is particularly useful inMakefile integration.

For example:

dfcrypt -v:2 -c:demoma.hvc -f:25 data.txt data_crypt.txt

Encrypts the file data.txt using the specified Vendor Codes file. Feature ID 25 is used tolicense the file. The encrypted file is written to data_crypt.txt.

dfcrypt --encver:2 --recursive --vcf:demomb.hvc --fid:50 myInputs myOutputs

Encrypts all the files in the directory myInputs and in all contained subdirectories, usingthe specified Vendor Codes file. Feature ID 50 is used to license all the files. The encryptedfiles are written to the directory myOutputs.

Display the dfcrypt help screen

Specify one of the following to display the options available for the dfcrypt utility:

dfcrypt -h

dfcrypt --help

PART 3 - LICENSINGIn this section:

n "Chapter 8: Introduction to Sentinel EMS" on page 95

Provides an overview of Sentinel EMS and the major processes it facilitates, lists itsprerequisites, and explains how to use the application.

n "Chapter 9: Preparing Your Sentinel LDK Licensing Plan " on page 103

Outlines the importance of licensing your software products, describes the licensing optionsprovided by Sentinel LDK, and explains how to prepare a licensing plan for use withSentinel EMS.

n "Chapter 10: Implementing Your Sentinel LDK Licensing Plan" on page 113

Describes how to use Sentinel EMS to define and manage the Features and Productsincluded in your Sentinel LDK licensing plan, and how to maintain Products and licenses ascircumstances change.

n "Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page129

Describes how to use Sentinel EMS to manage and produce entitlements, and to performadditional development-related tasks.

n "Chapter 12: Sentinel LDK Administration and Customer Services" on page 147

Describes how to use Sentinel EMS to define Sentinel LDK user details, maintain BatchCodes, configure system settings, perform manual Product activation and maintaincustomer data.

n "Chapter 13: Sentinel Remote Update System" on page 151

Describes the Sentinel Remote Update System utility (RUS utility) and explains how to usethe RUS utility to remotely update license data in deployed Sentinel protection keys.

n "Chapter 14: Generating Sentinel LDK Reports" on page 157

Provides an overview of the Sentinel EMS Reporting facility and describes some of the mainfeatures of the facility.

Chapter 8:Introduction to Sentinel EMS

This chapter provides an overview of Sentinel EMS and the major processes it facilitates. It alsodescribes the user roles and their functions in Sentinel EMS, lists its prerequisites, and explainshow to start using the application.

An alternative to Sentinel EMS, the Sentinel License Generation API, is also described.

In this chapter:

n "Sentinel EMS Overview" on page 95

n "Sentinel EMS Users and User Roles" on page 97

n "Getting Started With Sentinel EMS" on page 99

n "Sentinel License Generation API" on page 101

This chapter provides high-level information on Sentinel EMS processes. For detailedpractical instructions for using each function in Sentinel EMS, see the Sentinel EMS helpsystem.

Sentinel EMS OverviewSentinel EMS is a powerful role-based application designed to manage the business activitiesrequired to implement and maintain Sentinel LDK in your organization.

Sentinel EMS streamlines the major workflows in the licensing lifecycle of a protected softwareapplication, from the moment it is developed, through its packaging, marketing, selling, andorder-taking, to its distribution and upgrading.

Sentinel LDK separates the software protection process (implemented with Sentinel Licensing APIor Sentinel LDK Envelope) from the licensing and production processes (implemented withSentinel EMS), enabling you to modify your company’s licensing strategy as necessary whencircumstances change, and to implement these changes quickly and efficiently.

Sentinel EMS Major Workflows

Sentinel EMS is installed as a service under Windows. The Sentinel EMS Service handles threemajor workflows: license planning, order processing and production, and software activation.

8

96 Chapter 8: Introduction to Sentinel EMS

License Planning

Before starting to use Sentinel EMS, it is recommended that business decision-makers in yourorganization, such as product or marketing managers, prepare a licensing plan based on thecompany’s licensing strategy.

The licensing plan identifies each individual functional component in your software applicationsthat can be independently controlled by a license. In Sentinel LDK, these components are referredto as Features. A Feature may be an entire application, a module, or a specific functionality suchas Print, Save or Draw. Over 64,000 Features can be defined using Sentinel EMS.

In addition, the licensing plan can include the Products that your company wants to sell and/ordistribute for evaluation. In Sentinel LDK, a Product is a collection of one or more licensedFeatures that can be sold or distributed as an item.

After completing the licensing plan, the Features and Products can be defined in Sentinel EMS. Theoutput of this process is a repository of Products that are stored in the Sentinel EMS database—ready for customer orders.

You can make changes to your licensing plan and license models at any time, addingFeatures and Products as required.

For additional information on preparing a licensing plan for use with Sentinel LDK, see "Chapter 9:Preparing Your Sentinel LDK Licensing Plan " on page 103.

For a description of the many types of model licenses you can implement using Sentinel LDK, see"PART 5 - LICENSING MODELS" on page 203.

For additional information on defining Features and Products in Sentinel EMS, see "Chapter 10:Implementing Your Sentinel LDK Licensing Plan" on page 113.

Order Processing and Production

Staff in your organization’s orders department receive and fulfil entitlements. An entitlement is anorder for Sentinel LDK items, and can be one of the following:

n An order for Products to be supplied with one or more Sentinel protection keys

n A Protection Key Update that specifies changes to be made to the license terms and/ordata stored in Sentinel protection keys that have already been deployed

Order processing personnel process the entitlement details using Sentinel EMS. The license termsof each Feature in the ordered Products may be specified when the Product is defined, or whenthe entitlement is processed.

When all the details of an entitlement have been defined, the entitlement can be produced. TheProduct details, including the license terms and memory data, are stored in the specifiedSentinel protection keys at the production stage or when the Product is activated, and can beupdated after the keys have been deployed.

For additional information on processing and producing entitlements in Sentinel EMS, see"Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page 129.

Software Activation and Online Updates

Product activation and online updates are performed using Sentinel EMS when your software is atthe end user’s site.

Product Activation with Sentinel SL Keys

With Sentinel SL keys, the software is only activated and usable after the following steps arecompleted:

1. A Product Key is produced in Sentinel EMS and supplied to the end user.

2. The end user sends the Product Key to Sentinel EMS for validation.

3. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.

Online Updates

Online updates can be implemented in the following ways:

n The Protection Key Update information is stored in Sentinel EMS for use in software thatyou provide to your end users. The update is then implemented as part of the end users’installation process.

n A file that contains the Protection Key Update information is generated and sent to theend user. This file can then be used with the Sentinel Remote Update System (RUS utility)utility to ensure secure, remote updating of the deployed Sentinel protection keys.

For additional information on RUS utility, see "Chapter 13: Sentinel Remote UpdateSystem" on page 151.

A receipt can be generated when a Protection Key Update is processed, to verify that the updatehas been applied.

Sentinel EMS Users and User RolesSentinel EMS is a role-based application. The functions and tasks that you can perform aredetermined by the user roles assigned to you by the Sentinel LDK Administrator.

The table that follows describes the roles available. (Almost all of the tasks listed in the table relateto functionality in Sentinel EMS.)

Sentinel EMS Users and User Roles 97


Role Authorized Tasks For more informationProduct Manager Define and manage Features and Products "Chapter 9: Preparing Your

Sentinel LDK Licensing Plan " onpage 103"Chapter 10: ImplementingYour Sentinel LDKLicensing Plan" on page 113

Entitlement Manager Define and manage customersEnter and manage entitlements

"Chapter 11: Sentinel LDKEntitlements, Production,and Development Tasks" onpage 129

Production Produce entitlements "Chapter 11: Sentinel LDKEntitlements, Production,and Development Tasks" onpage 129

Customer Services Define and manage customersManage Product activations

"Chapter 12: Sentinel LDKAdministration and CustomerServices" on page 147

Report Generation Run and view reportsSchedule generation of and arrangedistribution of reports.

"Chapter 14: GeneratingSentinel LDK Reports" on page157

Development Perform development-related tasksOperate Sentinel LDK ToolBox andSentinel LDK Envelope

"Chapter 11: Sentinel LDKEntitlements, Production,and Development Tasks" onpage 129

Batch Code Admin Can perform the following functions forthe assigned Batch Codes:

n Manage Sentinel LDK usersn Maintain Master keysn Configure system settingsn Generate reportsn Manage scheduled reports


Super User Can perform the following functions for allBatch Codes:

n Manage Sentinel LDK usersn Maintain Master keysn Configure system settingsn Generate reportsn Manage scheduled reports


The “admin” user is authorized to perform all functions in Sentinel LDK. Only the admin user canassign the Super User role to another user.

Getting Started With Sentinel EMSBefore you start to use Sentinel EMS, ensure that:

n You have a URL to access the installation of Sentinel EMS at your site.

n You have received a Sentinel LDK user name and password from your Sentinel LDK systemadministrator.

After you have logged in to Sentinel EMS, you can change the Sentinel LDK password that youreceived to a password of your own choice. For additional information on changing yourpassword, see the Sentinel EMS help system.

Sentinel LDK passwords are case-sensitive, so ensure that you use upper-case and lower-case letters correctly when you type your password.

Prerequisites for the Sentinel LDK Administrator

If you are performing administration functions for Sentinel LDK in your organization, it is essentialthat you check the following requirements before you (or other users) start to use Sentinel EMS:

n A valid connection to the Sentinel EMS Server machine must exist. For additionalinformation on installing Sentinel EMS, see the Sentinel LDK Installation Guide.

n You must have a Sentinel Master key that contains your license for Sentinel LDK and yourcompany’s specific Vendor Code. If not previously introduced, the Sentinel Master key isintroduced during the Sentinel EMS Service installation process.

n The Sentinel Master key must remain connected to the Sentinel EMS Server machine inorder to enable you to perform Sentinel EMS functions. If Sentinel EMS is installed onmore than one machine, each machine must have a separate Sentinel Master keyconnected locally.

If you are evaluating Sentinel EMS, you can use the DEMOMA Batch Code provided, whichdoes not require a Sentinel Master key.

n You must define user names, passwords, roles, and Batch Code access for eachSentinel EMS user, and also for yourself. For additional information, see "Maintaining UserDetails " on page 148.

A default user name and password is provided with Sentinel LDK to enable you to log in toSentinel EMS as the Sentinel LDK Administrator. The default user name and password isadmin.

For additional information on the Sentinel LDK administration tasks and options in Sentinel EMS,see "Administration Tasks" on page 147.

Sentinel EMS Home Screen

When you log in, the Sentinel EMS Home screen is displayed.

Getting Started With Sentinel EMS 99


The Sentinel EMS Home screen provides a snapshot of the current status of importantinformation in Sentinel EMS. The information relates to all the Batch Codes for which the currentuser has authorizations.

To return to this screen at any later time, click the Home tab.

The functions that each user sees on the Function bars will vary based on the roles that areassigned to the user.

Sentinel EMS Screen

When you select any of the Function bars, the Sentinel EMS screen is displayed.

Sentinel EMS top-level web screens typically includes the following:

n Function bars, in which you select the function to perform.

n Main pane, in which you view and select items.

n Filter tool, which you can use to filter the items that are listed in the main pane.

n Details pane, in which you view details of the item selected in the Main pane.

n Task buttons, which you use to perform actions for the selected item.

The functions that each user sees on the Function bars will vary based on the roles that areassigned to the user.

Using the Sentinel EMS Help

Detailed instructions for using each function and task in Sentinel EMS are provided in theSentinel EMS help system.

To access help, click the Help link at the top right of the screen. Many individual screens alsocontain a help button for information about the contents of the screen.

Sentinel License Generation APIFor sites that already have a licensing infrastructure in place or that prefer to implement analternative to Sentinel EMS, Sentinel LDK offers a standalone licensing solution.

You can use Sentinel License Generation API together with your existing licensing server softwareand ERP and CRM back office systems for maximum flexibility and control over your businessprocesses.

Sentinel License Generation API 101


Sentinel License Generation API provides the functionality required to generate and maintainSentinel protection keys, but without any of the back office services that are provided by SentinelEMS. All the required services are provided by the system that you choose to implement. Youwould use Sentinel LDK only to handle the protection and Feature-control functions for yourapplications.

Sentinel License Generation API is included in Sentinel LDK ToolBox. Documentation for the API isincluded in the ToolBox help system.

To generate licenses, the Sentinel Master key must be connected to the machine wherethe program that calls Sentinel License Generation API is running. To connect the SentinelMaster key from a remote machine, refer to the Sentinel LDK Installation Guide.

Switching Between Sentinel License Generation API andSentinel EMSWa r n ing :Se n t ine l EM S a nd Se n t ine l L i c e n se Ge ne r a t i on AP I c a nno t be u se d in pa r a l l e lt o upda t e l i c e n se s fo r a g i ve n c u s t ome r .

Sentinel EMS retains an update counter for each protection key that was created or updatedusing Sentinel EMS. This update counter must remain synchronized with the update counter thatis stored in each protection key. If a protection key that was updated with Sentinel EMS is thenupdated with Sentinel License Generation API, the synchronization with Sentinel EMS is lost, and itis no longer possible to update the key using Sentinel EMS.

You can, on a one-time basis, move from using Sentinel EMS to using Sentinel License GenerationAPI to maintain a protection key, or vice-versa.

n You can move from Sentinel EMS to Sentinel License Generation API because SentinelLicense Generation API does not store the update counter. Instead, it relies on receivingthe update counter each time in the C2V file sent by the customer.

n You can move from Sentinel License Generation API to Sentinel EMS once. When SentinelEMS receives a C2V file for a given protection key for the first time, Sentinel EMS initializesthe update counter for that key in its database. From that point, the update counters inSentinel EMS and in the protection key must remain synchronized.

New functionality in Sentinel LDK is often introduced first in Sentinel LicenseGeneration API and then, in a following release, in Sentinel EMS. Before you movefrom Sentinel License Generation API to Sentinel EMS, make sure that all thefunctionality that you are using is supported in Sentinel EMS. Otherwise, the C2Vfiles sent by customers may contain parameters that Sentinel EMS does notrecognize.

Chapter 9:Preparing Your Sentinel LDK

Licensing Plan

Before you start to use Sentinel EMS in your organization, you may want to prepare a detailedlicensing plan for use with Sentinel LDK. Although it is recommended that you prepare a licensingplan, it is not a prerequisite for using Sentinel EMS. Licensing decisions can be implemented ormodified at any point.

This chapter outlines the importance of licensing your software products, describes the licensingoptions provided by Sentinel LDK, and suggests how you might prepare a detailed licensing planfor use with Sentinel EMS.

In this chapter:

n "Licensing Overview" on page 103

n "Preparing Your Licensing Plan" on page 104

n "Choosing the Protection Level for Your Products" on page 106

n "Designating Products for Trial or Grace Period Use" on page 109

n "Assigning License Terms to Features" on page 110

n "Utilizing Protection Key Memory" on page 111

n "Using Your Licensing Plan With Sentinel EMS" on page 111

This chapter provides high-level information about Sentinel LDK licensing options. Fordetailed practical instructions for implementing the licensing options in Sentinel EMS, seethe Sentinel EMS help system.

Licensing Overview"PART 2 - PROTECTION" on page 39, in this book explained in detail how to protect your softwareand intellectual property. In addition to protecting these valuable assets, it is essential that youprotect your company’s revenue by ensuring that your software is available only to theappropriate users, according to the terms that you define. This process is controlled by licensing.

9

104 Chapter 9: Preparing Your Sentinel LDK Licensing Plan

Licensing provides you with the flexibility to implement your business strategies for the sale anddistribution of your software products. You define the licensing terms with which your software isdistributed or sold according to your decisions about what is commercially beneficial to yourcompany.

For example, you may decide that you initially want to distribute your software free of charge, sothat users can try it before purchasing. You will want to ensure that users can use it for only alimited time before it must be purchased.

Alternatively, you may publish very complex, expensive software. You may decide to make specificcomponents of that software available for a lower price, thus making parts of it accessible to userswho cannot afford the full-featured version.

The versatility of Sentinel LDK enables you to implement a wide variety of licensing models. Formore information on the many models you can apply to your software offering, see "PART 5 -LICENSING MODELS" on page 203.

Preparing Your Licensing PlanA useful step in the development of a licensing strategy is the preparation of a licensing plan.Business decision-makers in your organization, such as product managers or marketing managers,define protection and business rules, and specify the licensing models required to meet yourcompany’s business needs.

A licensing model is the logic behind a business decision relating to the way a Product is licensed.For example, a rental license model enables you to charge for the use of software for a specificperiod of time.

Sentinel LDK enables you to choose from a variety of out-of-the-box licensing models, including:

n Trialware (try-before-you-buy)

n Rental/Subscription

n Module-based

n Feature-based

n Floating users

n Time-based

n Execution-based

n Perpetual

n Unlocked

You can define additional licensing models and software usage terms to meet your company’sindividual requirements.

It is recommended that you prepare a licensing plan before you start to use Sentinel LDK tostreamline the implementation of your company’s licensing strategy. Your Sentinel LDK licensingplan should be based on the detailed licensing requirements that you define for all the protectedsoftware applications to be sold by your company, and/or distributed for trial use.

The process of preparing a Sentinel LDK licensing plan can include the following steps:

1. Analyzing all the relevant software applications and identifying each functional componentthat can be licensed individually.

2. Combining these components into licensed entities that can be offered to customers.

3. Deciding which Sentinel protection keys you want to supply with your softwareapplications.

4. Specifying the detailed licensing terms to be applied, according to your licensing strategy.

The output of such a process is a comprehensive licensing plan that can be implemented usingSentinel EMS.

You can make changes to your licensing plan and license models at any time.

Identifying Functional Components (Features)

The recommended first step in evaluating and planning your licensing requirements involvesanalyzing your software applications and identifying their functional components. Mostapplications can be segmented into a number of distinct functional components. In Sentinel LDK,these components are referred to as Features.

Each individual Feature is an identifiable functionality of a software application that can beindependently controlled by a license. In Sentinel LDK, a Feature may be an entire application, amodule or a specific functionality such as Print, Save or Draw.

Example: Specifying Features

Scenario: The Product Manager of High Quality Software Ltd. (HQ Software), a company providingdesign software for the construction industry, identifies the specific functional components thatthe company wants to license, and assigns a Feature name to each component.

The following table lists the defined functional components and the Feature names assigned toeach component:

Functional Component Feature

Drawing design plans DRAW

Viewing design plans VIEW

Saving projects SAVE

Printing designs PRINT DESIGNS

Printing predefined reports PRINT REPORTS

Generating tailored reports REPORT GENERATOR

Combining Features Into Products

After you have identified and listed all the individual Features to license, you can define thedifferent combinations of licensed Features that your company wants to sell.

Preparing Your Licensing Plan 105


In Sentinel LDK, a collection of one or more licensed Features that can be sold as an item isreferred to as a Product. Products can differ from each other, not just in the Features that theycontain, but also in the license terms specified for each Feature.

Your licensing plan can contain the names of all the Products that your company wants to selland/or distribute for evaluation, and the Features that each Product includes.

In Sentinel LDK, you have full control over the specific Products you define, the Features theyinclude, and the license terms assigned to each Feature in each Product.

Example: Defining Products

Scenario: The HQ Software Product Manager decides to define a trial Product intended fordistribution to customers who want to evaluate their software. This Product, HQ Design Demo,includes only the VIEW and PRINT DESIGNS Features.

In addition, the company defines:

n A Product intended for small-office customers, HQ Design Lite, offering the Featuresincluded in HQ Design Demo, with the addition of DRAW and SAVE

n A Product targeted towards larger customers, HQ Design Pro, that offers all availableFeatures

(The REPORT GENERATOR Feature has not yet been fully developed and is not currently includedin the HQ Design Pro Product. This Feature is planned for a future release.)

Choosing the Protection Level for Your ProductsYour choice of the Sentinel protection keys to be distributed together with your licensed softwarereflects the level of protection you wish to apply and the way you intend to control the use of oraccess to each Product.

Two types of Sentinel protection keys are available:

n Sentinel HL keys: The hardware-based protection and licensing component ofSentinel LDK that provides the safest and strongest level of protection.

n Sentinel SL keys: The software-based protection and licensing component ofSentinel LDK—virtual Sentinel HL keys. Sentinel SL keys are further divided intoAdminMode and UserMode keys

For more information on the different types of keys and a comparison of the benefits for eachtype, see "End-User Keys" on page 28.

Your software and the user license are both locked to the Sentinel protection key that you select.

When you define the Product licenses to be included in your licensing plan, you also select whichSentinel LDK locking type to assign to each Product license. The locking type that you selectdetermines the level of protection for each Product license as follows:

Locking Type Level of Protection Provided

HL Hardware-based level of protection

SL AdminMode Software-based level of protection

SL UserMode

HL or SL AdminMode Software-based level of protection (this is explained in "Specifying theProtection Level for Individual Orders" on page 109).HL or SL

(AdminMode orUserMode)

Sentinel HL Key Protection and Activation

A Product that is protected with a Sentinel HL key can be activated only after the end userreceives a Sentinel HL key containing the license terms for the Product and connects the key tothe computer.

Benefits of Sentinel HL Key Protection

Sentinel HL key protection provides the strongest level of protection against piracy. The correctfunctionality of the software depends on the internal logic of the Sentinel HL key, which is virtuallytamper-proof.

In addition, Sentinel HL key protection:

n Offers the strongest enforcement for license terms, which are stored and protected insidethe Sentinel HL key.

n Enables portability—the software can be used on any computer to which the Sentinel HLkey is connected.

n Does not require transaction with the software vendor to enable activation of theProduct.

Sentinel SL Key Protection and Activation

A Product that is protected with a Sentinel SL key can be activated using one of the methods thatfollow.

Product Key Activation

1. A Product Key, consisting of a string of characters, is generated in Sentinel EMS andsupplied to the end user. This can be done by including the Product key in the physicalinstallation package or by providing the Product key by email as part of the entitlementprocess.

2. The end user returns the Product Key as proof of purchase.

3. The Product Key is sent to Sentinel EMS for verification.

4. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.

(The end user can perform steps 2, 3, and 4 automatically with the Sentinel EMS Customer Portal.)

Choosing the Protection Level for Your Products 107


When the locking type in an entitlement includes SL AdminMode and SL UserMode,Sentinel EMS determines the locking type to use when the customer activates theprotection key. If the target machine contains the Admin License Manager, an SLAdminMode key is installed; otherwise, an SL UserMode key is installed.

Protection Key Update

The steps that follows can be performed manually using the RUS utility or programmatically usingSentinel Licensing API or Sentinel Web Services.

1. A fingerprint of the end user's machine is generated in a C2V file.

2. The C2V file is sent to the vendor (typically by email).

3. The vendor uses the C2V file to generate a Product activation update (in a V2C file) usingSentinel EMS or using Sentinel License Generation API.

4. The V2C file is sent to the end user.

5. The V2C file is used on the end user's machine to install an SL key.

Choosing the SL UserMode or SL AdminMode Locking Type

The type of SL license installed on the user's machine is determined as follows:

n If the locking type that is specified for a Product license includes only SL AdminMode oronly SL UserMode, the specified locking type will be used for the SL key.

n If the locking type that is specified for a Product license allows for both SL AdminModeand SL UserMode, then SL AdminMode is selected automatically if the Run-timeEnvironment is present on the user's machine. If you want to force the locking type to beSL User Mode in this instance, ensure that the Run-time Environment is not installed onthe user's machine. This prevents the use of Sentinel EMS Customer Portal on themachine. The SL key must be activated using the "Protection Key Update" methoddescribed above.

Benefits of Sentinel SL Key Protection

With Sentinel SL key protection:

n (Product key activation method) Product activation is instantaneous. End users canimmediately start using the software with its fully-licensed functionality.

n (Product key activation method) The activation process for end users is convenient andtransparent.

n (Product key activation method) The online connection with end users can enable userregistration data to be collected and used for marketing purposes.

n When using a network license that is locked to a Sentinel SL key, you can specify that alicense can be detached from the pool of network seats and attached to a remoterecipient machine.

Specifying the Protection Level for Individual Orders

Sentinel LDK gives you the flexibility to choose the Sentinel protection keys for a Product oraccording to the requirements of each individual order.

If you prefer not to specify the protection level in advance, you can assign the HL or SLAdminMode or SL UserMode locking type to a Product. With this locking type, the decision onwhich type of Sentinel protection key is to be shipped with the Product is made when each orderis processed.

Although SL keys provide a high level of protection, HL key security is superior.

A Product whose locking type allows for both HL and SL keys provides HL key-levelprotection if the Product is only shipped with HL keys (that is, the Product is nevershipped with SL keys).

However if the Product is also sometimes shipped with SL keys, the overall level of securityshould be considered to be that provided by SL keys. This is because there is always thepossibility that an attacker could have access to a deployed SL key.

Designating Products for Trial or Grace Period UseSentinel LDK enables you to create, protect, and distribute secure trialware versions of yoursoftware. You can invite users to download your trial software from networks, to share it withother users, and to give it away to their friends or colleagues. End users then have the option topurchase your software and to turn their trial copy of into a fully-licensed version by activating itwith a Sentinel protection key.

You can also use Sentinel LDK to define grace periods for your software. During the grace period,and even after activation, end users can pass copies of their purchased software to as manyfriends as they wish. When a friend installs the software, it automatically reverts to a limited trialversion for the entire grace period. After the grace period expires, the software can no longer rununtil it is activated with a Sentinel protection key.

Sentinel LDK enables you to define trial and grace periods for software protected with any type ofSentinel protection key.

For example, software protected with Sentinel HL keys can be purchased and delivered over theInternet while the Sentinel HL keys are shipped, and end users can start using the software whilewaiting for the arrival of their key.

Similarly, end users who purchase and install a software application can use it for a 30-day graceperiod without activating it. During this grace period, they can activate the software remotely andreceive a Sentinel SL key, after which the software will run according to the purchased licenseterms stored in the keys. If the grace period expires and the software has not been activated, itwill stop running until activated by the end user.

In Sentinel LDK, a Product that is intended for distribution as trialware or for use during a graceperiod is referred to as an Unlocked Trialware Product.

Your licensing plan can include all the Unlocked Trialware Products to be offered by yourorganization.

Designating Products for Trial or Grace Period Use 109


Assigning License Terms to FeaturesSentinel LDK enables you to assign individual license terms to each Feature in each Product thatyou define. You can also define Products that include the same Features, but with different licenseterms. Such decisions are based on the commercial requirements of your organization, and on thelicense models that you choose to implement.

You can control Feature usage through the license by specifying the license type to be applied.You can choose one of the following license types:

n Perpetual: Indicates that the license can be used an unlimited number of times for anunlimited period of time.

n Expiration Date: Specifies the date on which the license expires.

n Executions: Specifies the maximum number of times that the Feature can be used.

n Time Period: Specifies the number of days until the license expires, from the date of firstuse.

After you select the type of license to apply to each Feature in a Product, you can specify itsvalue, for example, the number of times that a Feature can be used.

If the Feature is intended to be used on a network or remote desktop, you can also specify thenumber of concurrent instances (network seats) allowed, and you can specify how concurrentinstances are to be counted for the purpose of the license. In addition, if the Feature will be usedin Products that are locked to Sentinel SL keys, you can specify that the Feature and its licensemay be temporarily detached from the network for attachment to a remote recipient machine.

Specifying License Values for Individual Orders

Sentinel LDK offers you maximum flexibility with regard to license terms, enabling you to supplythe same Product to different customers with different license term values.

You do not have to specify in advance the exact values for the license type or the number ofconcurrent instances for each Feature in the Product. When each order for the Product isprocessed, the person processing the order defines the values required for that specific order.

Example: Specifying License Terms and Protection Levels

Scenario: The HQ Software Product Manager decides to specify the following license terms for itsthree Products:

n A trial period of 30 days for the PRINT and VIEW Features in its HQ Design Demo Product

n A low-cost annual rental license for the DRAW and SAVE Features in the HQ Design LiteProduct, with unlimited usage for the PRINT and VIEW Features

n A more costly, full-featured license for the HQ Design Pro Product that specifies unlimitedusage for all Features

The following protection levels are defined for each of the Products:

n HQ Design Demo is defined as an Unlocked Trialware Product, to enable it to bedistributed freely for evaluation

n HQ Design Lite is supplied with Sentinel SL key protection, enabling electronic distribution

n HQ Design Pro is supplied with Sentinel HL key protection, for maximum security

The following table summarizes the three Products, their protection levels, and their licensedFeatures:

Product: HQ Design Demo HQ Design Lite HQ Design Pro

Protection Level: Unlocked Trialware Sentinel SL keys Sentinel HL keys

License Model: Trial Rental Unlimited

Feature

DRAW – Expires after 1 year Unlimited

VIEW 30 days Unlimited Unlimited

SAVE – Expires after 1 year Unlimited

PRINT DESIGNS 30 days Unlimited Unlimited

PRINT REPORTS – – Unlimited

REPORT GENERATOR – – Not yet available

Utilizing Protection Key MemoryAll Sentinel protection keys—with the exception of Sentinel HL Basic keys—contain secure internalread-only and read/write memory. You can define specific segments for memory data and choosewhether the data is added when you create a Product or when an order is being processed.

You can use the memory, for example, to:

n Store licenses from your own licensing schemes

n Save passwords, program code, program variables, and other data

Memory data can be defined for each Product. The contents of the memory are transferred to thesecure memory of the selected Sentinel protection keys together with the Features, license termsand other data defined for the Product.

You can add any specific data that is required to be stored in memory for each Product to yourlicensing plan. For more information, see "Defining Protection KeyMemory Data" on page 120.

Using Your Licensing Plan With Sentinel EMSYour licensing plan can be implemented using Sentinel EMS. As your licensing requirementschange, you can revise the licensing plan and ensure that the changes are implemented usingSentinel EMS. Your licensed Products can be easily and securely updated as required, after theyhave been deployed to customers.

Utilizing Protection Key Memory 111


For additional information on implementing and maintaining your licensing plan, see "Chapter 10:Implementing Your Sentinel LDK Licensing Plan" on page 113.

Sentinel LDK offers you the flexibility to update your licensing strategy as necessary, and to adaptrapidly to changes in the market, in your company’s business strategy, or in customer purchasingpreferences.

Chapter 10:Implementing Your Sentinel LDK

Licensing Plan

This chapter is intended for Sentinel EMS users who are assigned the Product Management role.It describes how to use Sentinel EMS to define and manage Features and Products in Sentinel LDK,and to maintain Products and licenses as circumstances change.

For information on preparing a licensing plan and on Sentinel LDK licensing options, see "Chapter9: Preparing Your Sentinel LDK Licensing Plan " on page 103.

For an overview of Sentinel EMS and for information on starting to use the application, see"Chapter 8: Introduction to Sentinel EMS" on page 95.

In this chapter:

n "License Planning in Sentinel EMS" on page 113

n "Managing Features " on page 114

n "Managing Products" on page 115

n "Maintaining Products and Licenses" on page 124

This chapter provides high-level information on license planning and definition processes.For detailed practical instructions for using each function in Sentinel EMS, see theSentinel EMS help system.

License Planning in Sentinel EMSBefore you start to use Sentinel EMS for license planning, it is suggested that you prepare alicensing plan. For additional information, see "Chapter 9: Preparing Your Sentinel LDK LicensingPlan " on page 103.

When you start Sentinel EMS, you have access to the Licensing Plan group of functions, including:

n Managing Features

n Managing Products

Each of these functions is described in this section.

10

114 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

All Sentinel LDK Features and Products are associated with a Sentinel LDK Batch Code. Foradditional information on Batch Code, see "Personalized Vendor and Batch Codes" onpage 27.

Managing FeaturesWhen you display the Features screen in the Sentinel EMS window, you can view the details of alldefined Features associated with the selected Batch Code. You can perform the following tasksusing the Features screen in Sentinel EMS:

n Define Features

n Withdraw Features from use

Defining Features

If you have prepared a licensing plan, the first stage in its implementation is to use Sentinel EMSto define all the Features that you listed in the plan.

Before you begin to define Features, ensure that you have the following information available foreach new Feature:

n The Batch Code associated with the Feature

n A Feature Name that is unique in the selected Batch Code (mandatory). The maximumlength for a Feature Name is 50 characters.

n A free-text description that provides additional information about the Feature (optional)

n The ID number that you want to assign to the Feature (optional). The ID must be uniquein the selected Batch Code. The same Feature ID may be used in more than one BatchCode.

After you have defined a Feature, and until the Feature is included in a Product, you can changethese properties in Sentinel EMS. After the Feature has been included in one or more Products,you can open the Feature to view its details, but you cannot change them.

License terms are Feature-specific in Sentinel LDK. However, they are not defined as part ofthe Feature properties. The license terms for a Feature are specified when the Feature isadded to a Product, or when the Product is added to an entitlement. This is because thesame Feature may be included in a number of Products, and the license terms for theFeature may vary according to the requirements of the Product or of the entitlement.

Feature Identification

By default, Sentinel EMS generates a unique Feature ID for each new Feature. You can assign yourown numeric identifier to the Feature, for example, to maintain consistency with existing Featuredata. The Feature ID that you specify must be unique in the selected Batch Code.

Transferring Feature Definitions for Development Use

After you have defined the Features for a selected Batch Code, users authorized to performDevelopment tasks can transfer the Feature data to a file that can be used for development andprotection purposes. For more information on transferring Feature definitions, see "ExportingDefinition Data" on page 144.

Feature Status Values

When a Feature is first defined, you can edit the Feature and modify any of its attributes,including the Feature Name and Feature ID.

Once the Feature has been included in one or more Products, the Feature Name and Feature IDcan no longer be modified.

Deleting Features

If the Feature has not been included in any Product, you can delete it. A Feature cannot bedeleted once it has been deployed in at least one Product.

Managing ProductsWhen you display the Products screen in the Sentinel EMS window, you can view the details of alldefined Products associated with the selected Batch Code.

Managing Products 115


You can perform the following tasks using the Products screen in Sentinel EMS:

n Define new Base Products

n Define new Unlocked Products

n Copy existing Products

n Define new Modification Products

n Define Cancellation Products

n Open a Product to view or modify details

n Withdraw Products from use

n Restore Products that have been made obsolete

n Delete a Product

You cannot modify license terms for a Product or delete a Product that has been fullydefined (with the Complete status).

Defining New Products

Before you start to define the new Products in your licensing plan, ensure that you have thefollowing information available for each Product:

n The Batch Code associated with the Product

n A Product Name that identifies the Product and is unique in the selected Batch Code(mandatory). The maximum length for a Product Name is 50 characters.

n A free-text description that provides additional information about the Product, forexample, the functionality it includes (optional)

n Product reference information that can identify the Product in a different system, forexample, a product code in your company's ERP system (optional)

n The level of protection (locking type) that you want to apply to the Product

n The Features to be included in the Product

n The license terms for each Feature to be included in the Product

n The data to be stored in the memory associated with the Product

After a Product has been defined, it can be included in orders. For additional information onprocessing orders, see "Defining Entitlements" on page 131.

Until the Product is included in an order, you can change the Product properties, Features, andmemory contents in Sentinel EMS. After the Product has been included in at least one order, youcan open the Product to view its details. However, you cannot make any changes.

The only changes that can be made after a Product is included in an order are those related tolicensing terms and memory data that have been previously specified as definable at order time,and these changes are made when the order is being processed.

Product Types

The basic unit on which all Products are built is the Base Product. A Base Product can contain allthe Product attributes such as Features, licensing data and memory—and can be used as aProduct that you offer for sale, and/or as a “shell” on which other Product types are built.

You can define Unlocked Products for use during a grace period or as trialware. An UnlockedProduct can also be defined for an extended period or with a perpetual license for distributingUnlocked Products. The properties for Unlocked Products are not identical to those for standardProducts. For additional information, see "Defining Unlocked Products" on page 122.

You can copy an existing Product to create a new Product. For additional information, see"Duplicating a Product" on page 123.

You can define Modification Products and Cancellation Products to modify or cancel Productsthat have been deployed at customer sites. For additional information, see "Maintaining Productsand Licenses" on page 124.

Selecting the Locking Type for the Product

When you define a Product, you must select a locking type. The locking type determines:

n The level of protection for the Product

n The type of Sentinel protection keys that can be shipped with the Product

n The way that the Product can be activated

The locking type options are described in "Choosing the Protection Level for Your Products" onpage 106.



Protection Against Cloning

This section describes the protection of your protected application against attempts to clone thephysical or virtual machine on which the protected application is installed.

One of the methods sometimes employed to enable the illegitimate use of licensed software ismachine cloning. Machine cloning involves creating an image of one machine (including yoursoftware and its legitimate license) and copying this image to one or more other machines. Ifthere is no way to detect that the new image is running on different hardware than that on whichit was originally installed, multiple instances of the software are available even though only asingle license was purchased.

Sentinel LDK can detect probable machine cloning and disable protected software that is locked toSentinel SL keys. Clone detection is effective whether the protected software is installed on aphysical machine or on a virtual machine.

When software is locked to a Sentinel HL key, the physical key must be present in orderfor the software to run. Even if a machine image, including your software, is cloned, thesoftware cannot run without the Sentinel HL key to which the software license is locked.

Protection against cloning is applied automatically when a protected application is locked to aSentinel SL key

For each Feature, you specify whether you want to allow the Feature to be accessible on virtualmachines at the time you add the Feature to the Product or when preparing the order for theProduct. By default, each Feature is accessible on virtual machines.

The clone protection functionality is tuned to minimize the occurrence of potential false positives(detection of a clone when no cloning exists), and reduce unnecessary calls to your technicalsupport. As a result, it is possible that the clone protection functionality may not detect a clonedmachine in every case. However, the possibility of this occurrence is low, especially when physicalmachines are cloned. (For information on how Sentinel LDK detects cloned software and cloneprotection schemes, see "Appendix D: How Sentinel LDK Detects Machine Cloning" on page 271.)

When the Sentinel LDK Run-time Environment detects cloning, it disables the licenses for whichclone protection was specified. The end user is unable to log in to the software for which clonedlicenses have been detected. The end user must activate the software before it can be used. Otherlicenses for which clone protection was not specified are not affected and the user may continueto log in and use the applications.

Detection of cloned licenses is recorded in the Sentinel License Manager and displayed in theSentinel Admin Control Center. For additional information, see the Admin Control Center helpsystem.

The following workflows provides an overview of how to enable clone detection for licenses lockedto Sentinel SL keys, and how to manage licenses that have been disabled due to the detection ofmachine cloning.

During software protection:

n During protection of your software, use the Sentinel Licensing API to define how yourapplication should behave when machine cloning is detected. For example, the application

might display a message telling the end user that the software is disabled due to clonedetection and that they should contact your customer services team.

If you use only Sentinel LDK Envelope for applying protection, (that is, withoutincorporating any additional software engineering), software that is disabled due todetection of cloning will return the following message to the end user: Unknown error.H64

During Product definition:

n When defining Products in Sentinel EMS:

o For each Feature, decide whether the Feature should be accessible on virtualmachines (this can also be decided during order entry). By default, accessibility onvirtual machines is enabled.

During Product activation:

1. When Sentinel EMS detects cloning via the C2V file, it disables the protected application onthe end user's machine.

2. To enable the protected on the end user's machine, the end user must send a newfingerprint for machine. This fingerprint can be generated with the RUS utility, or with theGetInfo function in Sentinel Licensing API. Use the fingerprint to generate a new entitlementfor the end user.

Additional Information about Clone Protection

n If you attempt to check in a C2V file, and Sentinel EMS detects that the C2V is from acloned machine, you cannot check the file into the Sentinel EMS database. Similarly, youcannot use a C2V file from a cloned machine to create a license update.

You can click View Details in the Check in Key screen to view details of the C2V if required.

Specifying the License Terms for Features in a Product

When you include a Feature in a Product, the following default license terms are assigned:

n License type: Perpetual

n Number of concurrent instances: Unlimited

To specify the required license terms for the Feature, you can:

n Select a different license type:

o Expiration Date

o Executions

o Time Period

n Assign a value for the selected license type:

o The expiration date

o The number of executions



o The number of days until the license expires, from the date of first use

If the Feature is intended to be used on a network, virtual machine, or remote desktop, you canspecify the number of concurrent instances allowed, and you can select how concurrent instancesare counted:

n Station: Each login request for a single machine is counted as an instance (default)

n Login: Each login request is counted as an instance

n Process: Each login request for a single process is counted as an instance

If the Feature is in a Product that will be locked to a Sentinel SL key, and is defined to be used ona network, you can specify that the license is allowed to be temporarily detached from thenetwork pool. This means that the license can be attached to a remote recipient machine that isnot connected to the network, to enable a user to work offline.

If required, you can specify that a user working in Remote Desktop (terminal machine) mode canaccess the license. Similarly, you can specify that the license for a Feature in a Product that will belocked to a Sentinel SL key can be enabled to run on a virtual machine.

If you choose to make a Feature excludable, you enable the decision about whether the Feature isto be included in a specific order to be made at the time the order is being produced.

You can leave the value for the license type undefined at this stage, and specify that the exactvalue will be defined when each order for the Product is processed.

Similarly, you can specify that the number of concurrent instances will be defined when an orderfor the Product is processed.

The above license term options do not apply to Unlocked Products. For additionalinformation, see "Defining Unlocked Products" on page 122.

Defining Protection KeyMemory Data

When you define a Product in Sentinel LDK, you can define the layout and contents of thememory data associated with the Product. At the customer site, memory data is stored in theprotection key on the end user's computer or network.

Sentinel LDK provides two types of Protection Key memory:

n Default memory

Default memory is available in all Sentinel HL and SL keys, except for Sentinel HL Basickeys. The amount of memory available depends on the type of key.

Default memory is divided into two fixed partitions:

o Read/Write memory: Data that can be updated when the deployed protectedapplication is running, such as dynamic values for counters, or informationretrieved during interaction with the user.

o Read-Only memory: Data that can be read when the protected application isrunning but cannot be changed. For example: the Product version number, text tobe used in a “Welcome” message, fixed threshold values for counters.

You can divide each partition into multiple segments and enter data into them asrequired. Each segment is defined by an offset from the start of the partition and alength. It is the developer's responsibility to keep track of the location and size of eachsegment. You can redefine the data and the layout of each partition as required. InSentinel EMS, you can specify that data is entered in one or more of the memorysegments at order time.

n Dynamic memory

Dynamic memory is available in all Sentinel HL (Driverless configuration) keys except forSentinel HL Basic keys and Sentinel HL Pro keys. Dynamic memory is not available inSentinel (HASP configuration) keys or Sentinel SL keys.

Dynamic memory is significantly larger than Default memory. However, dynamic memoryspace is shared between dynamic memory files (the space available to you for yourapplications, similar to default memory files) and license data (Features and Product). Allspace that is not utilized for license data can be used for dynamic memory files. For moreinformation, see "Appendix C: Maximum Number of Features in a Sentinel HL Key" onpage 269.

Dynamic memory can be divided into dynamic memory files. Each file is assigned anidentifier, which is used by your application to refer to that file. You can assign a size tothe file at the time you create it, or allow the file size to be assigned automatically basedon the amount of data that is written to the file. The following types of dynamic memoryfiles can be created:

o Read/Write file: Data that can be updated when the deployed protectedapplication is running, such as dynamic values for counters, or informationretrieved during interaction with the user.

o Read-Only file: Data that can be read when the protected application is runningbut cannot be changed. For example: the Product version number, text to be usedin a “Welcome” message, fixed threshold values for counters.

o Read/Write-Once file: Data that can be updated once when the deployedprotected application is running. After a successful update, the memory becomesread-only memory.

Protection Key memory is set up using either Sentinel EMS or Sentinel License Generation API.

You can use any of the different types of memory to store and control licenses from your ownlicensing schemes.

For information on the amount of memory available for each type of Sentinel HL key, see theSentinel HL Data Sheet. Sentinel SL keys contain 2,048 bytes of read-only Default memory and4,032 bytes of read/write Default memory.

The memory in the protection key is shared by all Products in the key. When you allocatememory for a Product: Make sure that the memory space does not conflict with memoryspace for any other Product that may be protected with the same protection key.



The data defined in memory is written to the secure memory of the Sentinel protection keystogether with the Features, license terms and other data defined for the Product.

Defining Unlocked Products

An Unlocked Product is a license that can be installed by any user on any number of machines. AnUnlocked Product is bundled with an SL AdminMode key or SL UserMode key as described below.The Unlocked Product is installed together with the protected application. The bundled protectionkey is activated automatically the first time the protected application is executed.

However, if an Unlocked Product license has expired on a given machine, the user cannot simplyreinstall the license to continue using the protected application.

An Unlocked Product is used:

n to distribute a protected application as trialware during a grace period (typically 30 to 90days or 30 executions).

n to distribute a protected application that does not require any licensing restrictions andthat can be used for an extended period of time or perpetually. The application is onlyprotected against disassembly (although it may have some time limitation). You canchoose to use a licensing mechanism other than Sentinel LDK to license the application (oryou can choose to impose no additional license restrictions on the application).

To generate an Unlocked Product, you must purchase the relevant modules for yourSentinel Master key.

An Unlocked Product can be defined for any type of Base Product. The properties of an UnlockedProduct are similar to those for a standard Product, with the following exceptions:

n Locking Type: Unlocked Products are automatically assigned the SL AdminMode lockingtype. If the Base Product on which the Unlocked Product is based has the SL UserModelocking type, the Unlocked Product is assigned the SL UserMode locking type.

n License Terms: The maximum duration or maximum number of executions that you candefine for any Feature in an Unlocked Product depends on the Modules you havepurchased for your Sentinel Master key. The table that follows indicates the maximumvalue that can be assigned for a Feature in an Unlocked Product.

License Type Limitation

Modules on Master Key

Unlocked TrialwareUnlocked Unlimited(With or WithoutUnlocked Trialware)

Maximum duration of Time Periodlicense

90 days from first execution 3,650 days from firstexecution

Maximum duration of Expiration Datelicense

90 days from current date 18-Jan-2038

Maximum number of executions forExecution Count license

30 16,777,215

Availability of Perpetual license Not available Available

In the current release of Sentinel LDK, the use of the Execution Count license type forUnlock Products is only supported when working with Sentinel License Generation API.This license type is not available in Sentinel EMS.

Feature ID 0 in an Unlocked Product is automatically assigned one of the following durations,depending on the modules on the Master key:

n For Unlocked Trialware: 90 days from first execution

n For Unlocked Unlimited (with or without Unlocked Trialware): Perpetual

For additional information on the purpose and use of Unlocked Products for trialware, see"Designating Products for Trial or Grace Period Use" on page 109.

For additional information on modules for the Master key, see "Appendix A: Understanding theSentinel LDK Master Key Licenses" on page 255.

Unlocked Products are not available for inclusion in customer orders. Users authorized to performDevelopment tasks can bundle Unlocked Products for distribution. For additional information, see"Generating Bundles of Unlocked Products" on page 143.

When packaging a Run-time Environment installer with a V2C file for one or more Productsin Sentinel EMS, you cannot include a Product that only has the locking type SLUserMode.

Product Status Values

A Product can be assigned one of the following statuses:

Draft - The Product is not ready for distribution. The Product can be modified or deleted.

Complete - The Product can be included in an entitlement. The Product can be modified.However, it cannot be deleted. You can change its status to End of Life if you do not want theProduct to be distributed any longer. Once the Product has been included in an entitlement("Deployed"), the license terms can no longer be modified.

End of Life - The Product cannot be included in an entitlement. The Product's license termscannot be modified. However, if you edit and save the Product, its status changes back toComplete and the Product can again be included in an entitlement.

Duplicating a Product

After you have defined a Product, you can easily define additional Products with similar details,using the Copy option in Sentinel EMS. This option creates a new Product using the definedproperties, Features, and memory contents of the original Product, and enables you to make anychanges you require, with the exception of changing the Base Product or the Product lockingtype.

If you duplicate a Base Product, you can give it a new name.



Withdrawing a Product

At some stage, you may want to withdraw a selected Product from use and specify that it can nolonger be included in orders, for example, if it is being replaced by an updated version.

If the Product has the status Draft, you can delete it. A Product cannot be deleted once it hasbeen assigned the status Complete. You can, however, withdraw the Product from use bymarking it as End of Life.

A withdrawn Product cannot be added to entitlements, but its details are maintained inSentinel EMS for tracking purposes, and it continues to be functional when already at the enduser’s site.

Restoring a Product

A Product whose status is End of Life can be restored to the Complete status. A restored Productcan be used in the same way as any other Product.

Maintaining Products and LicensesAfter you have defined the initial Features and Products, you can use the Licensing Plan options inSentinel EMS to cater for changing circumstances, such as the release of new software versionsand changes in customer requirements.

Sentinel EMS enables you to maintain your licensing plan by defining new Features and Productsas required. In addition, you can use Sentinel EMS to:

n Manage Product versions

n Cancel Product licenses

Managing Product Versions

After you have implemented your initial licensing plan, you need to continue to review andupdate it to allow for changes in your company’s software applications, in customer demand, inthe market, and other considerations. For example:

n Your company develops an enhanced version of an existing Product and you want tooffer the new versions for sale instead of (or in addition to) the original Products.

n You want to offer your existing customers the opportunity to replace their current versionof a Product with an upgraded version that has additional Features.

n Feedback from your customers indicates that they want to purchase a specific Productwith different license terms than you are currently offering.

In circumstances such as these, since you cannot change the properties of an existing Productafter it has been ordered, you can define a Modification Product based on the Base Product.

AModification Product is a modified version of an existing Product, containing changes such as:

n A software upgrade

n Extended license terms

n Added or removed Features

You can define several Modification Products for the same Base Product, with different Features,memory and/or license terms.

You can also define Modification Products based on an existing Modification Product.

Defining a Modification Product

Before you start to define a Modification Product, ensure that you have the following informationavailable:

n The name of the Product that is being modified

n The Batch Code associated with the Product that is being modified

n A Product Name that identifies the Modification Product and is unique in the selectedBatch Code (mandatory). The maximum length for a Product Name is 50 characters.

n A description (free text) that provides additional information about the ModificationProduct, for example, the changes it includes (optional)

n The details of the required changes, including Features to be added or removed, memoryand license term updates, or any combination of these.

Specifying License Terms and Memory for a Modification Product

To change the license terms for each Feature in the Modification Product, you can:

n Change the value for the license type by adding or subtracting days or number ofexecutions

n Change the settings for concurrent instances, if appropriate

n Overwrite the license terms including selecting a new license type

n Change memory segments or data

n Cancel the license

You can leave the license type value and the concurrent instances settings unchanged at thisstage, and specify that they will be changed when each individual order for the ModificationProduct is processed.

Example: Defining a Modification Product

Scenario: When the Product Manager of HQ Software originally defined the HQ Design ProProduct (in the example "Example: Specifying License Terms and Protection Levels " on page 110),the REPORT GENERATOR Feature was not yet available.

This Feature has now been developed, tested, and protected, and has been included in anenhanced version of HQ Design Pro (v.2.0). This version of the Product is ready for sale to newcustomers, and can also be issued to customers who hold current licenses.

Maintaining Products and Licenses 125


Accordingly, the Product Manager for HQ Software defines a Modification Product for the HQ DesignPro Product, named HQ Design Pro v.2.0.

When the Modification Product is defined, the REPORT GENERATOR Feature is added to theProduct, with the same license terms as for the other Features.

Issuing Modification Products

Modification Products can be included in orders in the same way as the original Products.

For example, if the Modification Product is intended to replace the Product in Sentinel protectionkeys that have already been deployed, it can be included in a Protection Key Update order. Whenthe Protection Key Update is applied, the data for the Modification Product is added to the datafor the original Product in the Sentinel protection keys.

For additional information on defining and producing orders, see "Chapter 11: Sentinel LDKEntitlements, Production, and Development Tasks" on page 129.

Canceling Product Licenses

In certain circumstances, it may be necessary to cancel the license terms for one or more Featuresin a Product that has been delivered to a customer. For example:

n To revoke a deployed license

n To cancel the license for a Product that has been returned before its license terms haveexpired

A Cancellation Product can be defined for the Product, with values that cancel previous licenseterms. This Cancellation Product can be used whenever the license terms of the original Productneed to be cancelled.

The process of canceling the license terms of a specific instance of a Product can include thefollowing stages:

1. When the original Product needs to be cancelled, a Customer-to-Vendor (C2V file) isrequested from the customer, containing the required license information.

2. An order for the Cancellation Product is defined and produced.

3. If the Product license is being moved to another computer, a new order for the originalProduct is produced with the appropriate details.

4. The changed license information is sent to the customer.

5. An acknowledgment receipt is returned by the customer when the change has beenimplemented.

For additional information on C2V files and on defining and producing orders, see "Chapter 11:Sentinel LDK Entitlements, Production, and Development Tasks" on page 129.

Defining a Cancellation Product

Before you start to define a Cancellation Product, ensure that you have the following informationavailable:

n The name of the Product to be cancelled

n The Batch Code associated with the Product to be cancelled

n A Product Name that identifies the Cancellation Product and is unique in the selectedBatch Code (mandatory). The maximum length for a Product Name is 50 characters.

n A description (free text) that provides additional information about the CancellationProduct, for example, the reason it is required (optional)

n The Features to be cancelled

Specifying License Terms or Memory for a Cancellation Product

The options for defining the license terms for a Cancellation Product are exactly the same as for aModification Product. For additional information, see "Specifying License Terms and Memory for aModification Product" on page 125.

Example: Canceling a License

Scenario: A new customer, TOP Construction, purchased a one-year rental license for theHQ Design Lite Product. After three months, the customer wants to cancel the license and receivea refund.

HQ Software defines a Cancellation Product for the HQ Design Lite Product, with the license termscancelled for all the Features in the Product. This Cancellation Product is only defined once—it cansubsequently be used whenever required in similar circumstances.

TOP Construction is asked to send a Customer-to-Vendor (C2V) file. The file is received andprocessed in Sentinel EMS.

A Protection Key Update order is defined and produced for the HQ Design Lite CancellationProduct. The resulting Vendor-to-Customer (V2C) file containing the changed license details is sentto TOP Construction. TOP Construction applies the V2C file, then generates and returns a C2V file,confirming that the license cancellation has been applied. HQ Software then issues a refund.

For additional information on C2V and V2C files, and on defining and producing orders, see"Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page 129.

Maintaining Products and Licenses 127

Chapter 11:Sentinel LDK Entitlements,

Production, and Development Tasks

The first part of this section is intended for users assigned the Entitlement Manager andProduction roles in Sentinel EMS. It describes how to use Sentinel EMS to manage and produceentitlements (customer orders).

The final part of this section is intended for users assigned the Development role. It describes howto use Sentinel EMS to perform development-related tasks, including generating bundles ofUnlocked Products and Sentinel LDK Run-time Environment installer files, and exporting definitionfiles.


In this chapter:

n "Sentinel LDK Entitlement Processing and Production " on page 129

n "Managing Entitlements " on page 130

n "Producing Entitlements" on page 138

n "Performing Development-related Tasks" on page 142

n "Enabling Trial Use and Grace Periods" on page 145

This chapter provides high-level information on the entitlement management, production,and development-related processes in Sentinel EMS. For detailed practical instructions forusing each function, see the Sentinel EMS help system.

Sentinel LDK Entitlement Processing and ProductionAn entitlement is the execution of a customer order for Sentinel LDK items, and can be one of thefollowing:

n An order for Products to be supplied with one or more Sentinel protection keys

n A Protection Key Update that specifies changes to be made to the license terms and/ordata stored in Sentinel protection keys that have already been deployed

11

130 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

For entitlements that generate Product Keys, the customer receives an email from Sentinel EMSthat contains the keys. The customer is able to log in to the EMS Customer Portal using theProduct Key in order to activate the Product.

After Features and Products have been defined in Sentinel EMS, entitlements can be processedand produced using the Production group of functions, including:

n "Managing Entitlements " on page 130

n "Producing Entitlements" on page 138

n "Performing Development-related Tasks" on page 142

The specific Sentinel EMS functions you can access in the Production group of functions dependon the role assigned to you, as follows:

n If you have been assigned the Entitlement Manager role, you have access to both theOrder Management and the Customer Services functions

n If you have been assigned the Production role, you have access only to entitlementproduction functions

n If you have been assigned the Development role, you have access only to theDevelopment functions

Managing EntitlementsThis section is intended for users assigned the Entitlement Manager role.

When you select the Entitlements > Entitlements tab in the Sentinel EMS window, you can viewthe details of all entitlements associated with the selected Batch Code.

For additional information on Batch Codes, see "Personalized Vendor and Batch Codes" onpage 27.

Management of entitlements includes the following tasks:

n Define new customers

n Define entitlements

n Delete entitlements

n Process Customer-to-Vendor (C2V) information

Defining Entitlements

Before you start to define an entitlement for a customer in Sentinel EMS, ensure that you havethe following information available:

n Details of the customer who placed the order (optional)

n The Products to be included in the entitlement

n The required values to specify in the entitlement for any license terms that were notspecified in the Products

n The production requirements, according to the type of entitlement:

o Entitlement for Sentinel HL keys

o Entitlement for Product Keys

o Entitlement for Protection Key Update

n Additional entitlement information (optional)

Sentinel EMS generates a unique entitlement ID (EID) for each new entitlement.

Defining the Customer for the Entitlement

When you define the entitlement in Sentinel EMS, you can specify the customer who placed theorder. You can search for an existing customer, using the customer name or other identifyingdetails, or you can define a new customer.

You can also define a new customer using the Customers page.

Including Products in the Entitlement

An entitlement can contain one or more Products. All Sentinel LDK Products are associated with aSentinel LDK Batch Code. You select the Batch Code before you create a new entitlement.

Unlocked Products are not available for inclusion in entitlements. The process ofgenerating files containing Unlocked Products is a Development task. For additionalinformation, see "Generating Bundles of Unlocked Products" on page 143.

Managing Entitlements 131


Each Product is assigned a locking type when it is defined. The locking type determines the levelof Sentinel LDK protection and the type of Sentinel protection key that can be supplied with theProduct.

The locking type assigned to a Product may determine the type of entitlement that can beproduced:

n Products defined only with the HL locking type can be included in entitlements forSentinel HL keys, Product Keys, or for Protection Key Updates.

n Products defined only with the SL AdminMode or SL UserMode locking type can beincluded only in entitlements for Product Keys or for Protection Key Updates.

n Products defined with the HL or SL AdminMode or HL or SL AdminMode or SLUserMode locking type can be included in entitlements for Sentinel HL keys, ProductKeys, or for Protection Key Updates

You cannot add a Product defined only with the HL locking type and another Product defined onlywith the SL locking type (whether AdminMode or UserMode) to the same entitlement.

For additional information on locking types, see "Choosing the Protection Level for Your Products"on page 106.

Specifying License Term Values

When a Product is initially defined in Sentinel EMS, the exact license term values for each Featurecan be left unspecified. This enables you to include the same Product in different entitlementswith different license term values.

In this case, the license values must be specified when each entitlement for the Product isprocessed.

You may be required to specify one or more of the following license term values for Featureswhen processing an entitlement:

n The date on which the license expires

n The maximum number of times that the Feature can be used

n The number of days until the license expires

You may also be required to specify the number of concurrent instances for one or moreFeatures. This value specifies the number of instances of simultaneous usage that the licenseallows on the customer’s network. Concurrent instances may relate to the network, processes, ormachines.

An entitlement can be produced only after the license term values have been specified for all theFeatures in every Product included in the entitlement.

Specifying Protection Key Memory Data

When a Product is initially defined in Sentinel EMS, memory data can be left unspecified. Thisenables you to customize memory data for each Product when defining the entitlement. Forexample, customer-specific memory data can be added to the Product when an entitlement isbeing processed.

Specifying an Entitlement for Sentinel HL Keys

When an entitlement for Sentinel HL keys is produced, the ordered Products are programmed(burned) on one or more Sentinel HL keys to be shipped to the customer. For additionalinformation on Sentinel HL keys, see "Sentinel HL Keys" on page 29.

When you define the entitlement, you must specify the total number of Sentinel HL keys to beproduced for the entitlement.

Specifying an Entitlement for Product Keys

An entitlement for Product Keys enables you to produce activation strings for Sentinel protectionkeys.

The Products in the entitlement are associated with one or more Sentinel LDK Product Keys. AProduct Key is a string of characters generated by Sentinel EMS and stored in a file for delivery tothe customer.

After the end user receives the Product Key and returns it as proof of purchase, Sentinel EMSvalidates the Product Key and produces a Sentinel protection key. The Sentinel protection key isthen sent back with the license terms and installed on the end user’s computer, enabling theProduct to be activated.

When you define an entitlement for Product Keys, you must specify the following information:

n The number of Product Keys to be produced for the entitlement

n The number of activations allowed for each Product Key. This is the number of machineson which each Product Key can be used.

While it is mandatory to used Product Keys for activation of software locked to Sentinel SL keys,Product Keys can also optionally be used for activating software that is locked to Sentinel HL keys.

Before a Sentinel SL key can be used on an end user’s computer, an Unlocked TrialwareProduct is typically installed on the computer. When the Unlocked Trialware Product isinstalled, it initializes the Sentinel LDK Run-time Environment, which is required forcommunication between the Sentinel SL key and the software.

The process of generating files containing Unlocked Trialware Products is a Developmenttask. For additional information, see "Generating Bundles of Unlocked Products" on page143.

Specifying a Protection Key Update Entitlement

A Protection Key Update entitlement specifies changes to be made to the license terms, Products,and/or data stored in Sentinel protection keys that have already been deployed to end users. AProtection Key Update can be applied remotely to Sentinel HL keys or Sentinel SL keys as follows:

n Using the Sentinel Licensing API by calling the Update function

n By using the Sentinel Remote Update System utility

n (For SL AdminMode keys) By placing the file that contains the update information in theappropriate directory on the end user's computer.



When the Protection Key Update entitlement is produced, a file containing the details of thechanges is generated for each Sentinel protection key to be updated.

This file can be one of the following:

n An executable file (EXE) that can be delivered to end users for use as instructed by yourcompany

n A Vendor-to-Customer (V2C) file that end users can process using the Sentinel RemoteUpdate System utility (RUS utility)

For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"on page 151. For additional information on updating SL AdminMode keys, see "Applying LicenseUpdates to SL AdminMode Keys" on page 142.

When you define a Protection Key Update entitlement, you must specify the total number ofSentinel protection keys to be updated as a result of this entitlement. You may also need to selectthe specific Sentinel protection keys to be updated.

Locating the Sentinel protection keys to Update

When you define an entitlement for Protection Key Update, you may need to select the specificSentinel protection keys to be updated. For example, the entitlement may be for an organizationwith 100 Sentinel protection keys, and this entitlement is required to update the keys for only 10specific users.

In Sentinel EMS, you can:

n Display a list of the customer’s Sentinel protection keys

n View the contents of each key

n Select the keys to be updated

You cannot select more Sentinel protection keys than the total number of product keysspecified in the Product Details area in the New Entitlement screen.

Optional Entitlement Information

You can add the following optional information to the entitlement:

n Order reference information that can identify the order in a different system, for example,an order number in your company's ERP system.

n A comment that provides additional information about the order.

Adding the Entitlement to the Production Queue

After you have specified all the necessary information for an entitlement, you can produce itimmediately or "queue" it to add it to the production queue. The queue is a list of all entitlementsthat are awaiting production.

Entitlements in the production queue can be selected for production according to the criteriadetermined by your organization.

Sentinel EMS enables you to save as "draft" any entitlement that have not been completelydefined, without losing the information that you may have already specified. You can open theentitlement and continue to define the entitlement details when convenient.

Entitlement Status Values

During the course of its life cycle, an entitlement is assigned statuses as follows:

User ActionResultingEntitlementStatus

Description of Status

Create a new entitlement,click Save OR Re-open anentitlement.

Draft This status indicates that the entitlement isnot yet ready for production. The entitlementdetails can be modified, or the entitlementcan be deleted.

Create a new entitlement oredit an existing entitlement,click Queue.

Queued This status indicates that the entitlement is inthe production queue, awaiting production.The details of a Queued entitlement cannotbe changed. However, it can be deleted.

In an entitlement for ProductKeys, select one or moreProducts and click Produce.

Product KeysGenerated

Indicates that Product Keys for one or moreProducts in the entitlement have beengenerated. If the entitlement containscustomer information, the customer receivesan email. The email contains the ProductKeys and information on how to log in theSentinel EMS Customer Portal and activatethe protection key.

Produced In an entitlement that includes multipleProduct Keys, at least one Product Key hasbeen used to activate the protected software.The entitlement contains additional ProductKeys that have not yet been used.

Completed In an entitlement for protection key updatesor for HL keys, the entire entitlement hasbeen produced. In an entitlement for ProductKeys, all the Product Keys have been used toactivate the protected applications.

Acknowledged The end user has verified that the entitlementwas applied at the customer site.

Processing C2V Information

C2V files contain protected information about the license terms and data stored in deployedSentinel protection keys. They do not contain private customer information.



C2V files can be generated using the Sentinel Remote Update System utility (RUS utility). Foradditional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System" onpage 151.

C2V information stored in Sentinel HL keys and in C2V files can be retrieved for use in connectionwith Protection Key Update orders.

When a C2V file or Sentinel HL key is received from a customer, you must check in theinformation, in order to make the data in the file or key available to Sentinel EMS. The process ofchecking in the C2V information stores the data securely in Sentinel EMS, and enables you to viewsome of the information.

When you check in a C2V file, you can view the identifying information for the Sentinel protectionkey associated with the file, including the Batch Code, ID and key type. You can also view theProduct details contained in the file. When you check in a Sentinel HL key, you can view similarinformation.

If you attempt to check in a C2V file for a Sentinel SL key, and Sentinel EMS detects that ithas come from a cloned machine, you will not be able to check the C2V file into thedatabase. For additional information about dealing with cloned Sentinel SL keys, see"Protection Against Cloning" on page 118.

Formatting a Sentinel HL Key

You can format a Sentinel HL key to make it available for reuse. The process of formatting aSentinel HL key deletes any orders that have been defined for the key but not yet produced. Italso produces a V2C file that contains Protection Key Update information to be applied to the keyusing the RUS utility. Applying the Protection Key Update erases all license and memory datastored in the key.

Order Processing and Production Examples

In the examples in this section, HQ Software defines the following orders for its customers:

1. Order for Sentinel HL keys

2. Order for Product Keys (Sentinel SL keys)

3. Protection Key Update order

Order Example 1: Order for Sentinel HL Keys

Scenario: A new customer, ABC Design, orders the GemaltoCAD Office Product from HQ Softwarewith a license for 20 users.

Since the GemaltoCAD Office Product is defined with Sentinel HL key protection, the details forthis order are defined as follows:

n Customer: ABC Design

n Product: GemaltoCAD Office

n Order type: Sentinel HL keys

n Number of keys: 20

When this order is produced, the GemaltoCAD Office Product license is programmed on20 Sentinel HL keys, which are then shipped to the customer.

Order Example 2: Order for Product Keys (Sentinel SL Keys)

Scenario: On March 15, 2007, another customer, JL Optics, orders the GemaltoCAD HomeProduct, with a license for use on two computers.

The GemaltoCAD Home Product is defined with Sentinel SL key protection and an annual rentallicense. To ensure that the customer enjoys a full year’s licensed use, the expiration date needs tobe specified when the order is placed.

The details for this order are defined as follows:

n Customer: JL Optics

n Product: GemaltoCAD Home

n Expiration date for DRAW and SAVE: March 15, 2008

n Order type: Product Key-based

n Number of Product Keys: 1

n Number of Activations per Product Key: 2

This example assumes that JL Optics has installed and used the GemaltoCAD Home[Trial]Unlocked Trialware Product on the two computers before ordering the GemaltoCAD HomeProduct. As a result, the Sentinel LDK Run-time Environment for Sentinel SL has alreadybeen initialized on those computers.

When this order is produced, a file is generated containing a Product Key. HQ Software sends thisfile to JL Optics by e-mail.

Two end users at JL Optics open the file and enter the Product Key as required on theHQ Software Web site. The HQ Software customer interface application sends the Product Key toSentinel EMS, which validates the Product Key and returns a Sentinel SL key to the customer.

The Sentinel SL key is installed on the two computers at JL Optics with the license information, andthe GemaltoCAD Home Product can be activated under the terms of the license.

Order Example 3: Order for Protection Key Update

Scenario: HQ Software informs ABC Design that a new version of GemaltoCAD Office has beenreleased, containing the REPORT GENERATOR Feature, and that an upgrade is available forpurchase. ABC Design orders the enhanced Product for five of its 20 users.

HQ Software has defined a Modification Product for the new version, GemaltoCAD Office v.2.0.This Product is ready for inclusion in customer orders.

Before defining the Protection Key Update order, HQ Software needs to receive C2V files for thefive Sentinel HL keys to be updated. ABC Design uses the RUS utility to generate the required C2Vfiles and sends them to HQ Software.

After the C2V files have been received and checked in, HQ Software defines a Protection KeyUpdate order for the Modification Product.



The details for this order are defined as follows:

n Customer: ABC Design

n Product: GemaltoCAD Office v2.0

n Order type: Protection Key Update

n Number of Sentinel protection keys to be updated: 5.

During the order definition process, the five Sentinel HL keys to be updated are selected from allthe keys issued to ABC Design, according to the C2V files received.

When this order is produced, a V2C file is generated for each selected Sentinel HL key and sent tothe customer.

The selected five end users install the update on their Sentinel HL keys, using the RUS utility. Theyare then able to activate the upgraded version of GemaltoCAD Office and to generate tailoredreports.

Producing EntitlementsThis section is intended for Sentinel EMS users assigned the Entitlement Manager or Productionrole.

On the Entitlements page in Sentinel EMS, you can view the details of all entitlements awaitingproduction.

You can perform the following production tasks using the Entitlements page:

n Produce Entitlements

n View Entitlements

If you have been assigned both the Entitlement Manager and the Production roles, youcan choose to produce an entitlement immediately after you finish defining it.

The process of producing an entitlement is determined by the type of entitlement:

n Order for Sentinel HL keys

n Order for Product Keys

n Order for Protection Key Update

While producing any entitlement, you can open the entitlement and view its details.

Producing Sentinel HL Key Entitlements

Before you start to produce an entitlement for Sentinel HL keys, Sentinel EMS enables you toprepare the appropriate Sentinel HL keys to use for the entitlement, by displaying:

n The Sentinel HL key types that are valid for the entitlement

n The number of Sentinel HL keys to be produced, as specified in the entitlement

Sentinel EMS determines which Sentinel HL keys are valid for the entitlement according to anumber of factors, including:

n The license terms defined for the Features in the Products included in the entitlement

n The data defined in memory for each Product

n The space required on the key to accommodate the entitlement

For example, if the license terms for a Product in the entitlement are based on one (or both) ofthese factors:

n A number of days or an expiration date

n A number of concurrent instances in a network environment

The entitlement can be produced only on Sentinel HL keys that support time-based licenses orsupport concurrency licenses. Most Sentinel HL (Driverless configuration) keys support these typesof license terms.

For additional information about Sentinel HL key types and their capabilities, see "End-User Keys"on page 28.

Producing Entitlements for Product Keys

When you produce an entitlement for Product Keys, a TXT file is generated containing the ProductKeys.

Before you generate the file, you must specify its required location, or accept the default location.The file is saved in the format Product_Keys_[order ID].txt.

After the file has been generated, the Product Keys are available for use. If customer informationwas provided in the entitlement, an email containing the Product Keys is generated automaticallyand sent to the customer. You could also print the Product Keys on the cover of a CD.

Producing Entitlements 139


Producing Protection Key Update Entitlements

The entitlement production process generates a file containing the Protection Key Updateinformation for each Sentinel protection key to be updated. After the files have been generated,they can be sent to the customer.

Before you generate the file, you must select the required location and the type of files to begenerated for delivery to end users:

n Vendor-to-Customer (V2C) files that can be processed using the Sentinel Remote UpdateSystem utility (RUS utility)

n Executable files (EXE) that contain V2C data and can be used as instructed by yourcompany

For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"on page 151.

A default file location for V2C files may have been specified by the Sentinel LDKAdministrator.

Withdrawing EntitlementsUnder certain circumstances, you may need to withdraw an entitlement before it has beenproduced, or if it has been only partly produced. For example: If the customer cancels the orderor significantly changes the order requirements.

If the entitlement is not yet in the production queue (Queued status), you can delete it. Anentitlement cannot be deleted after it has been added to the production queue. You can,however, remove the entitlement from the production queue by reopening it. This changes thestatus of the entitlement to Draft.

A Draft entitlement is no longer available for production, but its content are available to view forreference.

Customer Portal - Activating EntitlementsIf an entitlement includes customer information, then at the time Product Keys are generated, anemail is automatically sent to the customer. The email contains the Product Keys and a link to theSentinel EMS Customer Portal in Sentinel EMS.

To log in to the Customer Portal, the customer clicks the provided link. At the login screen, thecustomer enters a Product Key.

If you specified in the entitlement that user registration is desired (or mandatory), the customer isrequested (or required) to fill out a registration form.

Next, a screen similar to the following is displayed:

This screen displays the status of the Product Key, including the number of activations remaining.

The customer uses this screen to activate the entitlement as follows:

n If the customer logged in to the Customer Portal from the machine where the licenseshould be installed, the customer can click Online Activation. Activation of theentitlement proceeds automatically.

n If the customer did not log in to the Customer Portal from the machine where the licenseshould be installed, the customer can click Offline Activation. The customer can thendownload the RUS utility. The customer uses this utility in order to generate a C2V file andperform the activation process manually.

Viewing License UpdatesWith certificate-based Sentinel SL keys, you can examine the sequence of updates that wereapplied to a Protection Key at a customer site. The V2C files that were applied to a protection keyreside in a directory on the computer where the protection key is located.

(For protection keys that were rehosted from a different computer, you can also examine the H2Hfiles that contain rehost information.)

The licensing information in each V2C file is specified using XML tags. You can open any of thesefiles using a simple text editor and read the contents. If you examine the files for a specificProtection Key ID in sequence, you can follow the history of updates that were applied to the key.

Information regarding SL legacy protection keys is not available in these files.

Viewing License Updates 141


The V2C files on a given computer can be found in the following locations:

n For SL AdminMode keys:

Windows %ProgramFiles(x86)%\Common Files\SafeNet Sentinel\Sentinel LDK\installed\[vendorID]\(For Windows x86, in: %ProgramFiles%\...)

Linux, Mac /var/hasplm/installed/[vendorID]/

n For SL UserMode keys:

Windows %ProgramData%\SafeNet Sentinel\Sentinel LDK\installed\[vendorID]\Linux $HOME/.hasplm/fs/

The naming convention for the files is as follows:

keyID_provisional.v2c Unlocked ProductkeyID_base.v2c Base ProductkeyID_updateX.v2c Update to a Base Product. Updates are numbered sequentially.keyID_rehost.h2h Rehost of a protection key

keyID is the Protection Key ID.

Do not remove or modify these files. If any of these files are removed or modified, theprotection key may become invalid.

Applying License Updates to SL AdminMode KeysSeveral methods exist to apply updates to a Sentinel protection key. However, for SL AdminModekeys, an additional simplified method to apply updates exists.

You can do either of the following:

n Use software to place the V2C file containing the license update directly into the installeddirectory described above (see "Viewing License Updates" on page 141).

n Instruct the end user to place the file into the installed directory. The Sentinel LicenseManager detects the V2C file in the installed directory and automatically applies thelicense update.

If the license update is applied successfully, the Sentinel License Manager then moves the V2C filefrom the installed directory to the appropriate installed\vendorID\ subdirectory.

If the license update installation fails, the Sentinel License Manager moves the V2C file to aseparate directory called invalid. The failure is recorded in the Admin Control Center access log.The log can be viewed from the Access Log option in Admin Control Center.

Performing Development-related TasksThis section is intended for users assigned the Development role.

From the Developer tab in the Sentinel EMS screen, you can select one of the followingdevelopment-related activities:

n Generate bundles of Unlocked Products

n Export catalog data definitions to a file

n Customize the Sentinel Remote Update System utility (RUS utility)

n Generate a customized Sentinel LDK Run-time Environment (RTE) installer file

Generating Bundles of Unlocked Products

When a Product is defined in Sentinel EMS, it can be specified as an Unlocked Product that is notlocked to a single machine. The Product can be further defined as an Unlocked Trialware Productfor distribution as trialware or for use during a grace period.

Unlocked Products are distributed as bundles. Each bundle can contain one or more UnlockedProducts.

Bundles of Unlocked Trialware Products can be distributed for use for a restricted period of time,(typically up to 90 days) or number of executions (typically 30).

Software that has been supplied with a trial license or for a grace period can be activatedafter a valid license is purchased, with either a Sentinel HL key or a Sentinel SL key.


For additional information on the purpose and use of Unlocked Trialware Products, see"Designating Products for Trial or Grace Period Use" on page 109.

The process of generating a bundle of Unlocked Products involves:

n Selecting the Unlocked Products to be included in the bundle

n Producing a file containing the Unlocked Product license and Vendor library. This file canbe:

o An EXE file containing V2C data

o A V2C file that can be used with the RUS utility. For additional information on theRUS utility, see "Chapter 13: Sentinel Remote Update System" on page 151.

The output file from this process must be installed on each end user’s computer in order to:

n Create an initial Sentinel LDK Run-time Environment that enables your protected softwareto communicate with Sentinel SL keys.

n Enable a trialware or grace period license.

When a bundle of Unlocked Products is installed on an end user’s computer, a provisionalKey ID is generated for the SL key. If a fully-licensed Product is installed on the computerwhere the bundled Unlocked Product exists, a new key ID is created in addition to theoriginal provisional key ID.

Performing Development-related Tasks 143


To simplify the installation process at end users’ sites, it is recommended that you generate aSentinel LDK Run-time Environment installer executable. You can embed the Run-timeEnvironment installer in your software setup to create a ready-to-run Sentinel LDK-protected andlicensed application.

To generate a Sentinel LDK Run-time Environment installer executable, you need to specify theV2C file generated when an Unlocked Product bundle is produced. An EXE file containing V2C datacannot be used to generate a Sentinel LDK Run-time Environment installer.

Generating the Sentinel LDK Run-time Environment Installer

You can generate a Sentinel LDK Run-time Environment installer that simplifies the installationprocess at end users' sites, for Unlocked Products or Locked Products.

The input to this process is a V2C file that contains your vendor-specific data. For UnlockedProducts, the V2C file also contains the Unlocked Product bundle data.

When packaging a Run-time Environment installer with a V2C file for one or more Productsin Sentinel EMS, you cannot include a Product that only has the locking type SLUserMode.

The output can be one of the following:

n An executable file that creates a Run-time Environment command-line installer

n A DLL that can be used with the Sentinel LDK Run-time Environment installer API

n A Mac PKG Sentinel LDK Run-time Environment installer

You can embed the Sentinel LDK Run-time Environment installer in your software setup to create aready-to-run application that is protected and licensed by Sentinel LDK.

Generating a Sentinel LDK Run-time Environment Installer for a Locked Product or DetachedProduct

You have the option of installing a Locked Product or Detached Product license on the end usercomputer. In this case, the Product is never installed as an Unlocked Trialware Product.

To install Sentinel LDK Run-time Environment on the computer, you generate the Sentinel LDKRun-time Environment Installer without providing a V2C file. In this case, the installer containsonly the Run-time Environment and the vendor libraries.

Exporting Definition Data

You can export data about Features, Products, vendors, and other information in various fileformats. This information can then be used for development, protection backup, and otherpurposes. You can also export metadata for use in Admin Control Center.

You can use the Export Definitions function to produce the following output file types:

n Metadata in Admin Control Center format

n Features and Products in a C-style header file

n Features and Products in a CPP-style header file

n Features and Products in XML format

n Features in CSV format

For examples of the output file contents, see the Sentinel EMS help system.

Before you export the Features, you must select the required Batch Code, specify the required filetype, and define the name and location for the file.

As your software develops and additional Features are defined, you can use the ExportDefinitions function whenever you want to retrieve the data definitions from Sentinel EMS.

Customizing and Branding the RUS utility

The RUS utility is a tool that can be distributed to end users to enable secure, remote updating ofthe license and memory data of Sentinel protection keys after they have been deployed.

End users can invoke the RUS utility directly in order to generate a C2V file, or they can launch theutility by double-clicking an EXE file containing a license update.

Before you distribute the RUS utility, you must customize it with the Batch Code associated withthe Sentinel protection keys that you have deployed to your end users, in order to enable themto generate C2V files, or to process files containing V2C information.

In addition, you can brand the text that is displayed to an end user when the RUS utility isopened. For example, you may want to display your company name and information about yoursoftware.

The RUS Branding option in Sentinel EMS enables you to associate the RUS utility with theselected Batch Code. You can also use the simple HTML editor provided to enter, format, andpreview the text to be displayed in the RUS utility.

It is recommended that you distribute your protected software with a customized and brandedversion of the RUS utility.

For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"on page 151.

Enabling Trial Use and Grace PeriodsThis section provides examples that demonstrate the use of Unlocked Trialware Products:

n To distribute a Product for use on a trial basis for a limited period

n To enable use of a licensed Product during a grace period

Example 1: Issuing an Unlocked Trialware Product for Trial Use

Scenario: HQ Software decides to offer visitors to their Web site the option of downloading andusing their HQ Design Demo Product for 30 days.

When the original licensing plan definitions were implemented, the HQ Design Demo Product wasdefined as an Unlocked Product.The license terms for the two Features were set to Time Period with a value of 30 days.

Enabling Trial Use and Grace Periods 145


The software developer at HQ Software defines a bundle of Unlocked Trialware Products thatcontains the HQ Design Demo Product, and generates the bundle as a V2C file.

A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C fileas input.

The HQ Software Web master adds the EXE to the Web site, with download instructions forpotential trial users.

Example 2: Issuing a Product for a Grace Period

Scenario: A new customer, XYZ Construction, has purchased a 50-user license for the HQ DesignPro Product, which is available only with Sentinel HL key protection. The Sentinel HL keys arebeing prepared and shipped, but meanwhile the customer wants to start using the HQ Design ProProduct immediately.

HQ Software needs to enable XYZ Construction to activate and use the HQ Design Pro Productduring a grace period, until the Sentinel HL keys arrive and are distributed to the end users.

For this purpose, a version of the HQ Design Pro Product is defined as an Unlocked Product, withthe Product name HQ Design Pro Grace. The PRINT REPORTS Feature is removed from thisversion. The license terms for the remaining four Features are set to Time Period with a value of30 days.

A bundle of Unlocked Products is defined containing the HQ Design Pro Grace Product, andgenerated as a V2C file.

A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C fileas input.

The EXE file is sent to the customer, for distribution to the end users. End users can run the EXE,which installs the Sentinel LDK Run-time Environment and the HQ Design Pro Grace Product ontheir computers. They can then use the program for 30 days until they receive their Sentinel HLkeys and can activate the full Product.

Chapter 12:Sentinel LDK Administration and

Customer Services

The first part of this chapter is intended for users authorized to perform Sentinel LDKAdministration tasks. It describes how to use Sentinel EMS to define user details, manageSentinel LDK licenses and Sentinel Master keys, and configure system settings.

The second part of this chapter is intended for users authorized to perform Sentinel EMSCustomer Services tasks. It describes how to use Sentinel EMS to view and edit customer details,and to perform manual Product activation for customers.


In this chapter:

n "Administration Tasks" on page 147

n "Customer Services" on page 150

This chapter provides high-level information on the Administration and Customer Servicesprocesses in Sentinel EMS. For detailed practical instructions for using each function inSentinel EMS, see the Sentinel EMS help system.

Administration TasksAfter you first install Sentinel LDK in your organization, you can log in to Sentinel EMS using thedefault user name and password (admin) provided for your use by Gemalto. By default, this user isauthorized to perform all tasks in Sentinel EMS, including Administration tasks.

The ‘admin’ administrator details cannot be viewed or modified. Only the password can bechanged.

After logging in to Sentinel EMS the first time, it is recommended that you select the ChangePassword function at the top of the screen and change your user password as soon as possible.

To be able to use Sentinel LDK with your company-specific Batch Codes and license, you must firstintroduce the Sentinel Master keys provided for your use by Gemalto.

12

148 Chapter 12: Sentinel LDK Administration and Customer Services

For additional information on Sentinel Vendor keys, see "Personalized Vendor and Batch Codes"on page 27.

For additional information on introducing Sentinel Master keys, see "Maintaining Sentinel MasterKeys" on page 149.

From time to time, you will need to renew your Sentinel LDK license, or to replenish your pools ofSL keys or network seat licenses. You can schedule email notifications to be sent when it is time torenew or reorder, ensuring you uninterrupted use of Sentinel LDK.

For additional information about the various modules on your Sentinel Master Key, see "AppendixA: Understanding the Sentinel LDK Master Key Licenses" on page 255.

For additional information about configuring and scheduling email notifications, refer to theSentinel EMS help system.

If you are evaluating Sentinel EMS, you can use the provided DEMOMA Batch Code, whichdoes not require a Sentinel Master key.

You can now define additional Sentinel LDK users in your organization, including assigning theusers the appropriate roles and authorizing access to Batch Codes. For additional information, see"Maintaining User Details " on page 148.

Maintaining User Details

When you select the Users function in Sentinel EMS, you can view the Sentinel LDK details of allcurrently defined Sentinel LDK users.

You can perform the following tasks using the Users function in Sentinel EMS:

n Define Sentinel LDK users

n Change user details and passwords

n Control user access

Defining Sentinel LDK Users

Before you start to define Sentinel LDK users, ensure that you have the following informationavailable for each new user:

n The user name to be assigned to the user for the purpose of logging in to Sentinel LDK

n The password to be assigned to the user

Users can change their own passwords after logging in to Sentinel EMS.

n The user's email address

n The Batch Codes that the user is authorized to access

n The roles to assign to the user. For additional information on the functions authorized foreach role, see "Sentinel EMS Users and User Roles" on page 97.

Changing User Details and Passwords

After you have defined a user, you can change any of the user’s details.

Users can change their own passwords. However, if necessary, you can change the password for auser without knowing the current password. This is useful in the event that the user has lost orforgotten his/her password.

Controlling User Access

In certain circumstances, you may want to prevent a user from logging in to Sentinel LDK. If theuser has left the company, for example, or will no longer be using Sentinel LDK, you can delete theuser details.

You can prevent or allow a user to access Sentinel LDK by clearing or selecting the Login Allowedcheck box.

Maintaining Sentinel Master Keys

When you select the Administration > Master function in Sentinel EMS, you can view the details,for the selected Batch Code, of all available Sentinel Master keys that are currently connected tothe EMS Server.

You can perform the following tasks using the Master page in Sentinel EMS:

n Generate a C2V file for a selected Sentinel Master key. You send this file to your Gemaltorepresentative when you want to:

o update your Sentinel Master key license modules

o replenish your pool of SL keys

o replenish your pool of HL or SL network seat licenses

n Apply the V2C file returned to you by your Gemalto representative to the Sentinel Masterkey. This updates the Master key with the contents of your order.

n Specify Mail Notification properties

For more information on the Sentinel Master key, see "Appendix A: Understanding theSentinel LDK Master Key Licenses" on page 255.

Introducing Sentinel Vendor Keys

Before you can work effectively, you must introduce your Sentinel Master key(s) on the SentinelEMS Server machine. The Sentinel Master Wizard is available from the Sentinel Vendor Suite. Youmust have a separate Sentinel Master key connected to each machine on which Sentinel EMS isinstalled.

You can introduce additional Sentinel Vendor keys—Sentinel Master keys or Sentinel Developerkeys—in order to enable Batch Codes for use with Sentinel LDK applications.

When you introduce a Sentinel Vendor key, you can select the libraries for which you want togenerate APIs.

Administration Tasks 149

150 Chapter 12: Sentinel LDK Administration and Customer Services

If you have purchased Managed Services, you do not need to introduce the Master key(provided in your Sentinel LDK Starter Kit) to Sentinel EMS. The hosted installation ofSentinel EMS already includes a Master key. However, you must introduce your Developerkey. For more information, see the Sentinel LDK Installation Guide.

Generating a C2V File

When you submit an order for an update to your Sentinel LDK Master Key licenses, regardless ofwhether it is to renew a license or to replenish your pools of SL keys or Network Seat licenses, youneed to generate a C2V file for the Sentinel Master key that is to be updated. You then send theC2V to your Sentinel LDK supplier, together with your order. The C2V file contains encryptedinformation about the current status of your Sentinel Master key, including its unique ID.

Defining Mail Notification Properties

You can specify who is to receive notifications that your Sentinel LDK Master Key licenses andpools of SL keys or Network Seat licenses are about to expire. In addition, you can define thethresholds after which the notifications are sent.

Customer ServicesIf you have been assigned the Customer Services role, you can manage the list of customers —you can define customers, change customer details, and mark customers as obsolete.

You can enable or disable a Product key for a customer, or increase the number of activationsavailable for a Product key.

If a customer is unable for any reason to activate a Product remotely, you can activate theProduct manually for the customer, using the Product Key and a Customer-to-Vendor (C2V) file forthe customer’s Sentinel protection key.

The output of the manual activation process is a Vendor-to-Customer (V2C) file that can be sent tothe customer. You can request that the customer returns a C2V file to confirm that the Producthas been activated.

For additional information on C2V files, see "Processing C2V Information" on page 135.

Chapter 13:Sentinel Remote Update System

This chapter describes the Sentinel Remote Update System utility (RUS utility) and explains how touse this utility to update license data remotely for deployed Sentinel protection keys.

You can also apply updates to a deployed Sentinel protection key using the SentinelLicensing API, by calling the Update function. For additional information, see the SentinelLicensing API help system. For SL AdminMode keys, also see "Applying License Updates to SLAdminMode Keys" on page 142.

In this chapter:

n "RUS Utility Overview" on page 151

n "RUS Workflow " on page 152

n "Using RUS utility" on page 153

RUS Utility OverviewThe RUS utility is an advanced utility that enables secure, remote updating of the license andmemory data of Sentinel protection keys after they have been deployed. As part of the basicconcept underlying Sentinel LDK, the RUS utility facilitates ongoing licensing well after protectionhas been implemented. For additional information on Sentinel LDK concepts, see "Protect Once—Deliver Many—Evolve Often" on page 26.

The RUS utility is used for the following;

n The RUS utility provides a simple and secure method of updating your licenses remotely,after you have delivered your protected software together with the Sentinel protectionkeys. You simply need to update the license and deliver update files to your customers.

n The RUS utility enables you to receive information on the current status of Sentinel LDKlicenses at your customers’ sites, and to securely extend or reduce the functionality ofthese licenses, without recalling the Sentinel protection keys.

n The RUS utility can be used by an end user to generate the fingerprint of a computer atyour customer's site. You can use this fingerprint to generate a V2C file for the customer.The customer can then use the RUS utility to apply the V2C file and generate an SL key forthe protected application.

13

152 Chapter 13: Sentinel Remote Update System

n The RUS utility can be used to transfer (rehost) an SL key from one computer to anotherat your customer's site, without any intervention on your part. (An SL key can only berehosted if this function was enabled by the vendor when the SL key was generated.)

All Sentinel protection keys except the Sentinel HL Basic key can be updated using RUSutility.

The RUS utility is an executable utility (rus.exe) that can be distributed to end users with yoursoftware.

It is important that you customize the RUS utility with the Batch Code associated with theSentinel protection keys that you produce for your customers, before you distribute theexecutable to them. For additional information on Batch Codes, see "Personalized Vendor andBatch Codes" on page 27.

You can use Sentinel EMS to customize the RUS utility with the required Batch Code, and also tobrand the GUI to display your vendor-specific information to end users. For additionalinformation, see "Customizing and Branding the RUS utility" on page 145.

RUS WorkflowWhen you deliver your Products to a customer, you can include a customized version of the RUSutility with the installation package. You can also include the instructions for using RUS.

(To perform rehost, your customer will require a customized version of the RUS utility.)

When a license update is required, you have the option of either retrieving customer licensinginformation from Sentinel EMS, or of requesting that a customer produces and sends you aCustomer-to-Vendor (C2V) file for the Sentinel protection keys to be updated. C2V files have a.c2v extension and contain information on the licensing and memory content of theSentinel protection keys.

When you receive C2V files from a customer, you check them in using Sentinel EMS. For additionalinformation, see "Processing C2V Information" on page 135.

Regardless of whether you obtain the data from Sentinel EMS or in the form of a C2V file fromyour customer, the collected data enables you to produce an update most suited to thecustomer’s needs. At no point in this workflow is it necessary to reconfigure security or protectionat the customer’s site.

You define the requested license updates in Sentinel EMS as Protection Key Update orders fordelivery to the customer. For more information on defining Protection Key Update orders, see"Defining Entitlements" on page 131.

The process of producing a Protection Key Update order generates a file for eachSentinel protection key to be updated. This can be either a Vendor-to-Customer (V2C) file or anexecutable that contains the license update data. For more information on the Protection KeyUpdate order production process, see "Producing Protection Key Update Entitlements" on page140.

The output file is then delivered to the end user, who either runs the executable as instructed byyou, or uses the RUS utility to apply the license update data contained in the V2C file.

Example: Using RUS for License Updates

Scenario: One of HQ Software’s customers, ABC Design, has ordered the upgraded version of HQDesign Pro that contains the new REPORT GENERATOR Feature, for five of its 20 HQ Design Prousers. The customer is asked to send C2V files containing details of the five deployed Sentinel HLkeys to be updated.

ABC Design uses the RUS utility to generate the C2V files and sends them to HQ Software. Thesefiles contain the current status of the license on the specific Sentinel HL keys.

HQ Software checks in the C2V files, defines a Protection Key Update order for the HQ Design Prov.2.0 Modification Product, and produces a license update contained in five V2C files. Foradditional information on this example order, see "Order Example 3: Order for Protection KeyUpdate" on page 137.

The V2C files are sent by email to ABC Design. Each of the five end users applies the update totheir Sentinel HL key using the RUS utility, and returns a C2V file containing a confirmation receipt.

Using RUS utilityThe RUS utility window consists of the following tabs:

n Collect Status Information: The parameters in this tab are used to collect information onthe current status of the licenses in the Sentinel protection key or collecting fingerprintinformation. The end user specifies a name and location for the generated C2V file. Ifmore than one Sentinel protection key is installed, the user selects the required key.No private customer data is included in the C2V file.

n Apply License Update: The parameters in this tab are used to apply a V2C file and updatelicenses in a Sentinel protection key.

n Transfer License: The parameters in this tab are used on the source computer andrecipient computer to rehost an SL key from the source computer to the recipientcomputer.

Instructions for Customers Using the RUS utility

The following sections contain information and instructions that you can customize and send toyour customers.

Instructions for Using the RUS utility

If you are using the RUS utility with a Sentinel HL key, (hardware-based key) you must connect thekey before performing either of the following procedures. The RUS utility automatically locates anySentinel SL keys (software-based keys) installed on your computer.

Collecting Sentinel protection key License Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information onthe current status of the licenses in your Sentinel protection keys. You can then send this file inorder to receive a license update.

Using RUS utility 153

154 Chapter 13: Sentinel Remote Update System

To retrieve the current license information from a Sentinel protection key:

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.

3. Ensure that Update of Existing Protection Key is select at the bottom of the screen.

4. Click Collect Information. The Save key status as window is displayed.

5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.

6. If more than one Sentinel protection key is located, a list of the keys is displayed. Select therequired key, or disconnect the keys that are not required, and click Refresh.

7. The C2V file for the Sentinel protection key is generated and saved in the required location.The file can now be sent for processing to produce an update.

Collecting Computer Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information onthe computer where you want to install a Sentinel protection key for a protected application. Youcan then send this file in order to receive a license update. This procedure would be used if aSentinel protection key does not currently exist on the computer.

To retrieve the current computer information :

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.

3. Ensure that Installation of New Protection Key is select at the bottom of the screen.

4. Click Collect Information. The Save key status as window is displayed.

5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.

6. The C2V file for the Sentinel protection key is generated and saved in the required location.The file can now be sent for processing to produce a Sentinel protection key.

Applying an Update

You can use the RUS utility to apply an update to the licenses stored in your Sentinel protectionkeys.

To update the licenses in Sentinel protection keys:

1. Launch the RUS utility (rus.exe) or double-click the Vendor-to-Customer (V2C) file that youhave received containing the update data.

If you have received an update as an executable, double-click the file and it willautomatically launch RUS utility.

2. Click the Apply License File tab. (This might be the only tab displayed.)

Rehosting a Sentinel protection key

You can use the RUS utility to transfer a Sentinel protection key from one computer (the sourcecomputer) to another (the recipient computer). This is a three-step procedure that uses the RUSutility on both computers.

Step 1: Collect Information About the Recipient Computer

1. On the recipient computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.

3. Follow the instructions labeled "Step 1" to collect information about the computer and saveit to a file. Make sure that the file (or a copy of the file) is accessible on the sourcecomputer.

Step 2: Generate the License Transfer File

1. On the source computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.

3. Follow the instructions labeled "Step 2" to select the SL key to transfer, read the recipientinformation file, and generate a license transfer (h2h) file. Make sure that the licensetransfer file (or a copy of the file) is accessible on the recipient computer.

After you perform this step, the SL key is no longer available on the source computer. Besure to keep a copy of the transfer file until you have completed the transfer procedure.

Step 3: Apply the License Transfer File

1. On the recipient computer, in the RUS utility, click the Apply License File tab

2. In the Update File field, click the browse button and locate the license transfer (h2h) file.

3. Click Apply Update. The SL key is installed on the recipient computer.

To ensure the success of the transfer procedure, all the steps in the procedure should becompleted within no more than a few days of the time you first start the process.

Using RUS utility 155

Chapter 14:Generating Sentinel LDK Reports

This chapter describes the Reporting facility in Sentinel EMS.

In this chapter:

n "Reports Facility Overview" on page 157

n "Permissions for Working With Reports" on page 158

n "Scheduling Reports" on page 158

n "Presentation Formats" on page 159

n "Export Formats" on page 159

n "Available Reports" on page 159

n "Custom Reports" on page 159

Reports Facility Overview

The Sentinel EMS Reports facility provides you with the ability to produce reports with valuablebusiness information, based on data in the Sentinel EMS database. With this tool, managers canobtain data for analyzing how their software is used and the purchasing preferences of theircustomers. The information can also be leveraged to maximize revenues from license renewals, toup-sell existing customers, and turn trial users into buyers.

14

158 Chapter 14: Generating Sentinel LDK Reports

The Sentinel EMS Reports facility connects directly to the Sentinel EMS database, and generatesreports based on SQL queries. Both predefined and custom (user-defined) reports are available.

The Sentinel EMS Reports facility can present information both in tabular and (where appropriate)graphical formats, and can export report data in a variety of formats for further processing andanalysis.

The remainder of this chapter provides an overview of features and options available in theReports facility.

For detailed information on operating the facility, see the Sentinel EMS help system.

Permissions for Working With ReportsAccess to the Reports facility is limited to Sentinel EMS users who have been granted the roleReport Generation or Batch Code Admin. Only these users can view reports directly inSentinel EMS. (The role Report Generation provides access only to the Reports facility, and onlyfor the specific Batch Codes selected.)

However, using the scheduling option in the Reports facility, an authorized user can define adistribution list for each report. Each member of the distribution list receives the report by e-mail.The list can include Sentinel EMS users (for whom an e-mail address has been specified inSentinel EMS) or any valid e-mail address.

No special authorization is required to receive reports by e-mail.

Scheduling ReportsAn authorized Sentinel EMS user can generate and view reports on demand. In addition, the usercan define a schedule for generation of each report and a distribution list of people to receive thereport automatically by e-mail each time the report is generated. Both predefined and customreports can be scheduled.

Reports can be scheduled for generation and distribution based on a daily, weekly, or monthlyscheduling definitions. A scheduled report can also be generated and distributed on-demand.

Presentation FormatsAll reports are generated in tabular (text-based) format. In addition, where relevant, each reportincludes a graphical presentation of the data, in either pie chart or bar chart format.

Export FormatsEach report can be exported from Sentinel EMS or sent to the recipients in the distribution list inany of the following formats:

n Adobe Acrobat (PDF file)

n Microsoft Word (RTF file)

n Microsoft Excel (XLS file)

n HTML file

n Comma-separated values (CSV file)

Available ReportsThe reports listed below are available in the Sentinel EMS Reports facility.

Report Name Report Description

Entitlements

Customer Entitlement Lists all entitlements for customers and channel partners.

Customer Activation Lists activations by customer

Total Entitlement Utilization Summarizes total and activated entitlements by Product

Licenses

License Expiration Lists all licenses due to expire within a specific period.

Most Popular ProductsOrdered

Indicates orders for Products during a given period by channelpartner

Custom ReportsThe Sentinel EMS Reports facility provides you with the capability of defining custom reports. Thisenables you to design reports that satisfy the specific business requirements for yourorganization.

Custom Reports are defined by creating an SQL query that extracts the specific information yourequire from the Sentinel EMS database. For more information, select the Administration >Custom Reports tab in the Sentinel EMS window.

Presentation Formats 159

160 Chapter 14: Generating Sentinel LDK Reports

The Custom Reports facility is licensed separately from Sentinel EMS. To obtain a license to usethe Custom Reports facility, contact your Gemalto representative.

PART 4 - DISTRIBUTING SOFTWAREIn this section:

n "Chapter 15: Distributing Sentinel LDK With Your Software" on page 163

Describes options for distributing required software to your end users.

n "Chapter 16: Sentinel License Manager" on page 175

Describes the facilities used by Sentinel LDK to manage access to local and remote Sentinelprotection keys from a protected application.

n "Chapter 17: Sentinel Admin Control Center" on page 193

Describes the configuration and management functionality of Sentinel Admin ControlCenter, an end-user utility that enables centralized administration of Sentinel LicenseManagers and Sentinel protection keys.

Chapter 15:Distributing Sentinel LDK With Your

Software

This chapter introduces options for distributing required software to your end users.

In this chapter:

n "Sentinel LDK Software for End Users" on page 163

n "Distributing Sentinel LDK Run-time Environment" on page 166

Sentinel LDK Software for End UsersEvery Sentinel LDK installation includes software that you need to distribute to your end users.This software must be installed at your customer’s site to ensure that your protected and licensedsoftware functions correctly.

Sentinel LDK Run-time Environment

In many instances, the Sentinel LDK Run-time Environment must be installed on the computer ofeach end user who will use the protected application so that the application can communicatewith the Sentinel protection key. For network licenses, the Run-time Environment is required onthe computer where the network license is located. For information on when the Run-timeEnvironment is required, see "Protection Keys That Require Sentinel LDK Run-time Environment"on page 166.

There are a number of ways in which the Run-time Environment can be installed. For moreinformation, see "Distributing Sentinel LDK Run-time Environment" on page 166.

Software for Sentinel HL Licenses

No Sentinel LDK software is required specifically for protected applications that are licensed withSentinel HL (Driverless configuration) keys. However, other Sentinel LDK software may be requiredas described in this chapter.

Other HL keys may require the Run-time Environment. For more information, see "ProtectionKeys That Require Sentinel LDK Run-time Environment" on page 166.

15

164 Chapter 15: Distributing Sentinel LDK With Your Software

Software for Protected Applications Under Windows

Gemalto recommends that, under Windows, you include the External License Manager with allprotected applications. For more information, see "Types of License Managers" on page 176.

Software for Sentinel HL Licenses Under Linux Intel

For an application that is licensed with a standalone Sentinel HL (Driverless configuration) key:Copy the file /Linux/Redistribute/Runtimeless/80-hasp.rules into the /etc/udev/rules.d directoryon the machine where the protected application executes. This operation is normally performedby the Run-time Environment installer for Linux. However, if the Run-time Environment is notinstalled, the file must be copied manually.

Software for Sentinel HL Licenses Under Linux ARM

For an application that is licensed with a standalone Sentinel HL (Driverless configuration) key:Copy the file /Linux/Redistribute/Runtimeless/80-hasp.rules into the /etc/udev/rules.d directoryon the machine where the protected application executes. This operation is normally performedby the Run-time Environment installer for Linux. However, if the Run-time Environment is notinstalled, the file must be copied manually.

Note the following issue:

If the Linux distribution supports udev, and the 80-hasp.rules file is copied as described above,Sentinel Licensing API uses udev to access USB devices. Otherwise, the Licensing API uses sysfs.

udev allows both root and regular users to access USB devices. sysfs allows only root to accessUSB devices

However, in some Linux ARM distributions, udev is configured to block regular users fromaccessing USB devices even though the 80-hasp.rules file requests such access for these users. Tobypass this limitation, the user can be added to the plugdev group of users. Users in this groupare allowed access to USB devices.

Software for Sentinel SL Licenses

When you distribute protected applications that are licensed with Sentinel SL keys, you mustinclude the following Sentinel LDK components with your applications.

For Unlocked Products

As part of the process to create unlocked protected applications, you create a bundle thatincludes your protected application and all the required Sentinel LDK components. Therefore, noadditional components are required when you distribute the bundle.

Unlocked protected applications can also be updated to locked protected applications at thecustomer's site without adding any Sentinel LDK components.

For Locked Products

When you distribute a locked protected application that is not installed first as an unlockedapplication, your installation procedure should also install your customized Vendor library (the filehaspvlib_vendorID.*).

Your customized Vendor library can be found on the computer where Sentinel Vendor Suite isinstalled, in the following path:

n For Windows x64: %CommonProgramFiles(x86)%\Aladdin Shared\HASP\

n For Windows x86:%CommonProgramFiles%\Aladdin Shared\HASP\

n For Mac: /var/hasplm (By default, the /var path is hidden. You may need to modify theoperating system View option to display all files and folders in order to access this path.)

n For Linux: /var/hasplm

On the computer where the protected application is installed, your installation procedure mustplace a copy of the Vendor library in the same path as above.

Software for .NET and Java Assemblies

For protected .NET assemblies or Java applications, the following additional files must bedistributed with your protected application:

Type ofProtectedApplication

End UserOperatingSystem

Additional File Required

.NET assembly 32-bit Windows haspdnert.dll

64-bit Windows haspdnert_x64.dll

Java application 32-bit Windows HASPJava.dll

64-bit Windows HASPJava_x64.dll

Mac OSX libHASPJava.dyliblibHASPJava.jnilib

32-bit Linux libHASPJava.so

64-bit Linux libHASPJava_x86_64.so

All Customized Sentinel Licensing API dynamic libraries (copiedautomatically to the output directory by Sentinel Envelope)

These native library files enable the protected application to communicate with theSentinel protection key.

For Linux applications that were protected using Sentinel LDK Envelope and that run underRed Hat EL 6.4: The installer for the protected application should determine if libXawlibraries are present on the end user's computer and, if not, install them.

Network Environment Management

Your end users can manage their network licenses online using Sentinel Admin Control Center,which is part of the Sentinel LDK Run-time Environment. Ensure that you provide them with theURL for accessing this application. For additional information, see "Chapter 17: Sentinel AdminControl Center" on page 193.

Sentinel LDK Software for End Users 165


Software for Updating Licenses

You can choose to distribute Sentinel Remote Update System to update licenses remotely indeployed Sentinel protection keys. For additional information on this utility, see "Chapter 13:Sentinel Remote Update System" on page 151.

Data File Protection Plugin

Given the following circumstances:

n You are distributing FLV, SWF, or MP4 data files that are protected with Version 2 datafile protection.

n You want your customers to view these files using the Internet Explorer Web browser.

You must provide your customized version of the Data File Protection plugin to end users. Formore information, see "Data File Protection Plugin " on page 86.

For more information on data file protection, see "Chapter 7: Protecting Data Files" on page 81.

Distributing Sentinel LDK Run-time EnvironmentDepending on the type of Sentinel protection key, Sentinel LDK Run-time Environment may berequired on the end user's computer to enable your protected software to run by communicatingwith Sentinel protection keys. For more information, see "Protection Key Attributes" on page 31.(For Mac and Linux Intel, Sentinel LDK Run-time Environment is always required.

The following sections describe when the Run-time Environment is required and the variousoptions available for distributing the Run-time Environment to your end users.

n "Protection Keys That Require Sentinel LDK Run-time Environment" on page 166

n "Sentinel LDK Run-time Environment for Windows" on page 168

n "Sentinel LDK Run-time Environment for Mac" on page 171

n "Sentinel LDK Run-time Environment for Linux Intel" on page 172

n "Sentinel LDK Run-time Environment for Android" on page 173

Protection Keys That Require Sentinel LDK Run-time Environment

Sentinel LDK Run-time Environment is a system component that enables communication betweena protected application and a Sentinel protection key. Sentinel LDK Run-time Environment alsocontains Sentinel Admin Control Center, used to manage licenses.

Installation of Sentinel LDK Run-time Environment requires administrator privileges on the targetcomputer. However, on a Windows computer, Sentinel LDK Run-time Environment is not requiredfor all protected applications.

The tables that follow indicate when a protected application requires the presence of Sentinel LDKRun-time Environment in order to execute.

Sentinel LDK Run-time Environment is always required under the following circumstances:

n When the protected application executes under Mac.

n When the protected application uses the Data Protection module to encrypt anddecrypt data in an external file AND the application was protected using SentinelLDK v.7.0 or earlier.

In addition, Sentinel LDK Run-time Environment is required on any machine that will accessthe Sentinel EMS Customer Portal to perform online activation of SL keys.

Standalone Licenses

A Standalone license is for a single protected application that executes on the computer where theprotection key is located (no concurrency).

Type of protection keyRun-time Environment required on the computerwhere the protected application executes?

SL AdminMode key Yes

SL UserMode key No

SL Legacy key Yes

Sentinel HL (Driverlessconfiguration) key

No

Sentinel HL (HASPconfiguration) key

Yes

HASP HL key Yes

Detachable Licenses

To attach a Detached license to a protected application installed on a remote computer, the Run-time Environment must be installed on the remote computer.

Network Seat Licenses

A Network Seat license is installed on a single computer with a Run-time Environment.

The protected applications can run on remote computers in the same network. The Run-timeEnvironment is not required on the remote computer where the protected application executes.

The following Sentinel protection keys support Network Seat licenses:

n SL AdminMode keys (with concurrency)

n SL Legacy keys (with concurrency)

n Sentinel HL (HASP configuration) Net and NetTime keys

n Sentinel HL (Driverless configuration) keys (with concurrency) – all types except for Basic

Distributing Sentinel LDK Run-time Environment 167


Sentinel LDK Run-time Environment for Windows

The following options are available for distributing Sentinel LDK Run-time Environment forWindows operating systems:

n Use Windows Update to download the Sentinel LDK Run-time Environment. An Internetconnection is required for this process.

n Integrate installation of the Sentinel LDK Run-time Environment into your application’sinstaller using either of the two options below:

o Sentinel LDK Run-time Environment Merge module

o Sentinel LDK Run-time Environment Installation API

n Deliver either of the following Sentinel LDK Run-time Environment installation utilities toyour end users:

o HASPUserSetup.exe: A GUI-based installer

o haspdinst.exe: A command-line utility

Each of these methods is described in greater detail in this section.

Windows Update

If your end users are running the protected software on Windows XP or later platforms, and canaccess the Internet, they simply need to connect a Sentinel protection key on their machines. TheSentinel LDK Run-time Environment is certified by Microsoft, and is therefore automaticallydownloaded from the Microsoft Update site.

When your end users connect a Sentinel protection key:

1. The system informs them that a new component has been detected.

2. The Sentinel LDK Run-time Environment is automatically installed.

3. The LED on the Sentinel protection key lights up, indicating that the installation process iscomplete.

Sentinel LDK Run-time Environment Merge Module

The Sentinel LDK Run-time Environment installation is available as a merge module, in the filehaspds.msm. You can use the merge module to seamlessly integrate the Sentinel LDK Run-timeEnvironment installation in your MSI installation. Merge modules deliver shared Windows Installercomponents, code, files, resources, registry entries and setup logic in a single, composite file.

The haspds.msm merge module cannot be run as a standalone application.

When integrated with your MSI installer, the haspds.msm merge module copies the haspds_windows.dll into the Win32 system directory of the end user’s computer. The haspds_windows.dll is called by the MSI module to install or uninstall the Sentinel LDK Run-timeEnvironment.

The benefits of using the Sentinel LDK installation merge modules in a single unified MSI installerinclude:

n Providing end users with a single, compound file for your application that includes theSentinel LDK Run-time Environment installation

n Installation self-repair provided by reusing the MSI installer

A demonstration of the use of the haspds.msm merge module is provided. For more information,see "Sample Merge Module Installer" on page 170.

Implementation Requirements

Before including the Sentinel LDK merge module in your installer, review the followingrequirements:

n The Sentinel LDK merge module require Windows Installer version 2.0 or later.

n To successfully execute the Run-time Environment installation, end users requireadministrator rights. Ensure that this is accounted for in your installation scripts.

n Processes that require the Sentinel LDK Run-time Environment should not be active in thebackground when installing the Run-time Environment.

n Before validating the WSM module, change the project properties to relate to yourspecific development environment.

n If you intend to apply a digital signature to your installer, ensure that you first adjust theproperties in your development environment.

n Before compiling the MSI project, change the path to external files to match yourdevelopment environment

Implementation

Implementation of Sentinel LDK merge modules is a straightforward process that simply requiresyou to add the .msm file containing the Run-time Environment installation to your MSI-compliantinstaller setup. After you have created your MSI installer, the wrapped file automatically includesthe Sentinel LDK installation merge module.

The haspds.msm merge module can be found in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\API\RuntimeInstall\MSI




n Do not alter the versioning data in the default merge module, or the MSI DLLsample.

n Do not alter any entity in the default merge module.

n When the Run-time Environment is already installed on a target machine:

o If you install a version of haspds_windows.dll that is newer than thealready-installed haspds_windows.dll, the installed DLL will be replaced withthe new one.

o If a new version of haspds_windows.dll is the same as the previousversion, the file timestamp will be compared. If the version of the DLL thatis being installed is equal to or older than the existing haspds_windows.dll,the DLL will not be replaced.

In any event, the haspds_windows.dll will be executed.

Sample Merge Module Installer

A sample MSI installer containing the Sentinel LDK merge module is provided and should bereviewed before implementing the haspds.msm merge module into your own installer.

The sample installer is a full MSI-installer containing the Sentinel LDK Run-time Environmentinstallation merge module and the required shared libraries for installing the Run-timeEnvironment.

The sample installer does the following:

n Verifies that the user has the requisite administrator rights to install the Run-timeEnvironment

n Stops a running Sentinel License Manager service before the Run-time Environment isinstalled, and re-starts the service after the installation is complete.

n Installs or removes Run-time Environment

The sample installer can be found in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\API\RuntimeInstall\MSI


Before attempting to try the sample installer, review the following requirements:

n Administrator rights are generally required in order to install the Driver sample. However,it is possible for a restricted user to install the Driver. For more information, see MicrosoftSupport Knowledge Base article # 259459 (http://support.microsoft.com/kb/259459/en-us).

n You must change the resource path to your own environment in the project files (*.wsi,*.wsm) in order to successfully compile the samples.

You can incorporate a branded DLL into the sample by replacing the name of the demoDLL with the name of the branded DLL.

http://support.microsoft.com/kb/259459/en-us

http://support.microsoft.com/kb/259459/en-us

Sentinel LDK Run-time Environment Installer API

Use the Sentinel LDK Run-time Environment installer API to integrate the installation process intoyour custom setup application. For additional information, see the separate help file in theRuntimeInstall directory described above.

haspdinst.exe

haspdinst.exe is a command-line utility that installs the Sentinel LDK Run-time Environment.Following installation of Sentinel Vendor Suite , the file is located in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Redistribute\Runtime Environment\cmdInstall


You can distribute this standalone application to your end users.

To install the Sentinel LDK Run-time Environment using haspdinst.exe:

n At the command-line prompt, type haspdinst -i.

For a full list of the available switches for the haspdinst.exe utility, see the Sentinel LDKInstallation Guide.

HASPUserSetup.exe

HASPUserSetup.exe is a GUI-based installation program to independently install the Sentinel LDKRun-time Environment. Following installation of Sentinel Vendor Suite, the file is located in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Redistribute\Runtime Environment\Setup


This easy-to-use program has an intuitive GUI-based wizard. After your end users run the file, theyshould follow the on-screen instructions to complete the Run-time Environment installation.

Sentinel LDK Run-time Environment for Mac

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protectedand licensed applications on Mac OS X platforms.

All the Sentinel LDK software for Mac that is required for distribution to end users is provided inthe MacOS/Redistribute/ directory on your Sentinel LDK installation Drive.

Options for Distributing the Sentinel LDK Daemons

The software required to distribute the daemons is provided in the MacOS/Redistribute/ directoryon the Sentinel LDK installation Drive.

Multiple options are available for distributing the Mac daemons to end users. The following twooptions are described:

n Installer Distribution Using a Multi-packager

n Installer Scripts



Installation Using a Multi-packager

The installation package can be integrated into any multi-package installer that includes theinstallation for your own application. Include the Sentinel Runtime Installer.pkg in the mpkg.

To locate the Sentinel Runtime Installer.pkg:

1. In the MacOS/Redistribute/ directory, double-click Sentinel Runtime.dmg. The file opens.

2. Click the Install Sentinel Runtime Environment icon and select Show Original. The.Packages window opens and Sentinel Runtime Installer.pkg is displayed.

For additional information, see the welcome.rtf file provided in the MacOS/Redistribute/directory.

Installer Scripts

Installation scripts are provided in MacOS/Redistribute/ on the Sentinel LDK installation Drive.Open the directory and click Sentinel Runtime Installer Scripts.dmg. A new volume namedSentinel Runtime Installer Scripts is mounted on your desktop. The volume contains dinst anddunst files and the payload/ directory.

You can copy the files in the volume and integrate them in your customized installer. The scriptsare not configurable.

For additional information on using the scripts, see the ReadMe.html file provided in theSentinel Runtime Installer Scripts volume.

Sentinel LDK Run-time Environment for Linux Intel

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protectedand licensed applications on Linux Intel platforms. Without the daemons, the end user’s systemwill not recognize the connected Sentinel protection keys, and the protected applications will notrun.

All the Sentinel LDK software for Linux that is required for distribution to end users is provided inthe Linux/Redistribute/ directory on your Sentinel LDK installation Drive.

Using the Installer Scripts to Distribute the Sentinel LDK Daemons

Open the Linux/Redistribute/Runtime/script directory. The directory contains dinst (install) anddunst (uninstall) scripts and the Sentinel LDK Run-time Environment.

You can integrate the scripts in your installer. The scripts are not configurable.

Using the DEB or RPM File to Distribute the Sentinel LDK Daemons

This option is available for Ubuntu, Debian, SUSE, CentOS, and RedHat Linux Intel.

Open the Linux/Redistribute/Runtime directory. The directory contains the Sentinel LDK Run-timeEnvironment and the following files:

n For Ubuntu or Debian: aksusbd_version_i386.deb

n For RedHat, SUSE or CentOS: aksusbd-version.i386.rpm

Sentinel LDK Run-time Environment for Android

The protected Android application contains all required distribution files, including the IntegratedLicense Manager. No Run-time Environment is required.


Chapter 16:Sentinel License Manager

Sentinel License Manager is a component of Sentinel LDK that is located on each machine where aprotected application executes and on each machine where a protection key is connected. TheLicense Manager enables the protected application to locate and query the protection key thatprovides licensing authorization for the protected application to operate.

In the most basic configuration, a single License Manager handles the communication betweenthe protected application and a local protection key. In more complex configurations, multipleLicense Managers may exist on the machine where the protected application exists. These LicenseManagers communicate among themselves and among other License Managers on remotemachines where network protection keys are located.

The License Managers provide the protected application with information about the availability oflicenses (both local and remote) and manage access to the licenses.

A user or an application can query and configure various aspects of the License Managerfunctionality. For example, a user can determine where protection keys are located and cancontrol from which machine a protected application consumes a license.

Sentinel Admin API and Sentinel Admin Control Center (a graphical user interface) are available tocommunicate with the License Managers as described in this chapter.

For basic configurations, no customization of the License Manager is required at thecustomer site.

In this chapter:

n "Types of License Managers" on page 176

n "Selection of the License Manager By the Protected Application" on page 177

n "License Manager Tools" on page 181

n "Managing User Access to Admin License Manager Information" on page 182

n "Managing Access to Standalone and Network Licenses" on page 183

n "Working Directly With License Manager Configuration Files" on page 186

n "Configuring Detachable License Definitions" on page 190

n "Making Product Names Visible on the End User's Machine" on page 190

n "Loss of Connection With a Network License" on page 191

16

176 Chapter 16: Sentinel LicenseManager

Types of License ManagersSeveral types of License Managers exist, depending on the type of platform used.

n Integrated License Manager (Windows, Linux Intel, Linux ARM, Android)

The Integrated License Manager (Integrated LM) is included in the Sentinel LDK LicensingAPI and in applications that were protected using Sentinel LDK Envelope. A given instanceof the Integrated LM is dedicated to the protected application in which it is included.

The Integrated LM is able to directly handle local SL UserMode keys, local Sentinel HL(Driverless configuration) keys. Admin rights are not required to install the Integrated LM.

The Integrated LM has no user interface. Sessions for protection keys that are handleddirectly by the Integrated LM are not visible in Admin Control Center. Under Windows,the Integrated LM can be managed with Sentinel Admin API (described in "LicenseManager Tools" on page 181). Under Linux, the Integrated LM can be configured manuallyas described in this chapter. Under Android, no configuration is required.

The Integrated LM can be upgraded by upgrading the Licensing API or by re-protectingthe application with the latest version of Sentinel LDK Envelope.

n External License Manager (Windows)

The External License Manager (External LM) is contained in a standalone file: hasp_rt.exe.The hasp_rt.exe file must be placed in the same directory as the protected application. Agiven instance of the External LM is dedicated to the protected application whosedirectory contains the hasp_rt.exe file.

The External LM is able to directly handle local SL UserMode keys, local Sentinel HL(Driverless configuration) keys. (To handle SL UserMode protection keys, you must placeyour customized Vendor library in the same directory as the protected application.)

The External LM has no user interface. Sessions for protection keys that are handleddirectly by the External LM are not visible in Admin Control Center. However, the ExternalLM can be managed with Sentinel Admin API.

Admin rights are not required to deploy the External LM. The External LM can beupgraded by simply replacing the hasp_rt.exe file with a later version of the file.

n Admin License Manager (Windows, Mac, Linux Intel)

The Admin License Manager (Admin LM) is included as part of the Run-time Environment.The Run-time Environment also includes device drivers, data file encryption drivers, andSentinel Admin Control Center, which is the user interface for the Admin LM. The AdminLM can also be managed with Sentinel Admin API.

The Admin LM can manage all Sentinel HL and SL keys, with the exception of SL UserModekeys. Sessions for protection keys that are handled by the Admin LM are visible in AdminControl Center.

The Admin LM must be present on machines where network protection keys are located.

The Sentinel LDK License Manager service must be active at all times on the machinewhere the Admin LM is used. This service is started automatically when the machine isstarted.

Installation of the Run-time Environment on a computer requires administrator rights. Nospecial rights are required after the installation.

The table that follows summarizes the differences between the various types of License Managers.

AttributeAdmin LicenseManager

ExternalLicenseManager

IntegratedLicenseManager

Supported platforms Windows, Mac,Linux Intel

Windows Windows,Linux ARM,Linux Intel,Android

Management tools Admin ControlCenter, Admin API

Admin API Admin API(Windowsonly)

Requires admin rights for installation Yes No No

Easily upgradable Yes Yes No

Requires additional files Yes Yes No

Supports Sentinel HL (Driverlessconfiguration) key

Yes Yes Yes

Supports Sentinel HL (HASP configuration) keyand HASP HL key

Yes No No

Supports SL AdminMode key Yes No No

Supports SL UserMode key No Yes Yes

Supports SL Legacy key Yes No No

Supports network key on a license servermachine

Yes No No

Selection of the License Manager By the ProtectedApplicationThis section describes how a protected application selects a License Manager when more than onetype of Sentinel LDK License Manager is available to the protected application.

Selection of License Manager Under Windows

On a Windows platform, two or more types of License Managers may be available to a protectedapplication. The application selects the License Manager based on the type and location of theprotection key that contains the required license. This section describes the process by which theLicense Manager that will directly access the protection key is selected.

The Integrated LM is always present in a protected application. The External LM is optionallypresent also. One of the two is always selected to directly access a local protection key or to handoff access requests to a local or remote Admin LM.

Selection of the LicenseManager By the Protected Application 177


The License Managers to directly and indirectly access the protection key are selected as follows:

1. The Integrated LM is selected if the External LM is missing or is an older version. Otherwise,the External LM is selected.

2. A local SL UserMode key is always directly accessed by the selected Integrated/External LM.

3. A local Sentinel HL (Driverless configuration) key is directly accessed by the selectedIntegrated/External LM if a local Admin LM is absent or is an older version than theIntegrated/External LM. Otherwise, access requests are forwarded to the local Admin LM.

When a protection key is accessed directly by the Integrated/External LM, thesession created for the protection key is not displayed in Sentinel Admin ControlCenter.

4. Access requests for other types of local protection keys are always forwarded to the localAdmin LM.

5. When the protection key (of a type that supports network operation) is on a remotemachine, the selected Integrated/External LM handles communication directly with theAdmin LM on the remote machine, even if a local Admin LM exists. However, if a localAdmin LM exists and is active, the Integrated/External LM retrieves the list of license servermachines (if such a list exists) from the local Admin LM.

The following diagram shows a graphical representation of the process by which the LicenseManager to directly access the protection key is selected.

Legend:

The External LM is selected unless the Integrated LM is a more recent version than theExternal LM or unless the External LM is not present.For the Sentinel HL (Driverless configuration) key: The key is directly accessed by the AdminLM unless the selected Integrated/External LM is a more recent version than the Admin LM,or unless the Admin LM is not present.

Selection of the LicenseManager By the Protected Application 179


The following table provides a summary of which License Manager is selected to directly accesseach type of protection key. Note that the Admin LM and External LM are not necessarily presentin all cases.

Type of protection keythat contains the requiredlicense

Locationof thekey

License Manager selection priority (fromhighest to lowest)


Local 1. Admin LM (if the Admin LM is the same or amore recent version than the External LM andthe Integrated LM)

2. External LM (if the External LM is the same ora more recent version than the IntegratedLM)

3. Integrated LM

Sentinel HL (HASPconfiguration) or HASP HL key

Local Admin LM

SL Legacy key or SLAdminMode key

Local Admin LM

SL UserMode key Local 1. External LM (if the External LM is the same ora more recent version than the IntegratedLM)

2. Integrated LM

A protection key that supportsconcurrency

Remote (Remote) Admin LM

Selection of License Manager for Protected Data Files Under Windows

Selection of the License Manager for data files with licensing protection is determined by thelocation of the protected application or the Web browser that is used to access the data files, andnot by the location of the data files. Therefore, the process for selection of the License Manager isthe same as for any other protected application on a Windows platform.

Selection of License Manager Under Mac

On Mac platforms, only the Admin LM is supported. For a local protection key, all access requestsare handled by the local Admin LM. For a remote protection key, the local Admin LM passes theaccess request to the Admin LM on the remote machine where the protection key is located.

Selection of License Manager Under Linux Intel

On Linux Intel platforms, selection of the License Manager is identical to the process for Windowsplatforms, with one exception: the External LM is not supported and therefore cannot be selected.

Selection of License Manager Under Linux ARM

On Linux ARM platforms, only the Integrated LM is supported.

Selection of License Manager Under Android

On Android platforms, only the Integrated LM is supported. The Integrated LM handles all accessrequests for a local protection key. Remote protection keys are not supported.

License Manager ToolsSentinel LDK provides two tools for working with License Managers:

n Sentinel Admin Control Center

n Sentinel Admin API

These tools provide the following functionality:

n Detach a license from a network key and attach the license to your machine or to adifferent recipient machine

n Cancel a detachable license prematurely

n Install an update (V2C file) to a license on a key that is visible to the Admin LM

n Generate a C2V file for a Sentinel SL key or a Sentinel HL (Driverless configuration) key thatis visible to the Admin LM

n Configure access permissions from a client machine to a remote license server machine

n Configuring a license server machine to allow remote access from a client machine

n Configure detachable licenses parameters and other License Manager parameters

Most of the functionality listed above is relevant only for the Admin LM.

The table that follows indicates the differences between Sentinel Admin Control Center andSentinel Admin API.

Consideration Admin Control Center Admin API

Interface Web-based graphical userinterface

Callable API functions

Target user Customer's end user or licenseadministrator

Vendor software developer

Types of LicenseManagers handled

Admin LM (Under Windows,Mac, and Linux Intel)

n Under Windows: Admin LM,Integrated LM, External LM

n Under Mac: Admin LMn Under Linux Intel: Admin LM

Each of these tools is described briefly below.

Sentinel Admin Control Center

Sentinel Admin Control Center is a customizable, Web-based, end-user utility that enablescentralized administration of Admin LMs and Sentinel protection keys.

LicenseManager Tools 181


Sentinel Admin Control Center is available under the Windows, Mac, and Linux Intel operatingsystems.

For more information, see "Chapter 17: Sentinel Admin Control Center" on page 193.

Sentinel Admin API

Sentinel Admin API provides the functionality described above in the form of callable APIfunctions. However, Admin API can be used to access both Admin LMs (under Windows, Mac, andLinux Intel) and Integrated/External LMs (under Windows only).

You can use Admin API to develop a custom application to replace Admin Control Center.

You can incorporate calls to Admin API in your protected application. This gives you the ability, forexample, to make configuration changes in the License Manager each time the protectedapplication is executed. Such changes are not dependent on the contents of the License Managerconfiguration file and, therefore, cannot be modified by the user and are not necessarily visible tothe user.

Sentinel Admin API is also accessible in Sentinel LDK ToolBox.

For information regarding Sentinel Admin API, see the Sentinel Admin API Reference help file.

Most major Sentinel LDK documentation can be found on the Sentinel CustomerCommunity web site, at:https://sentinelcustomer.gemalto.com/Documentation_Information.aspx

Managing User Access to Admin License ManagerInformationAdmin LMs can be accessed and modified by local and remote users on the network usingSentinel Admin Control Center or (programmatically) Sentinel Admin API.

n This topic relates only to accessing information for an Admin LM, such asconfiguration parameters or Product data. This topic does not relate to accessinglocal or remote licenses with the Admin LM.

n No user access parameters exist for Integrated/External LMs. Information for theseLicense Managers is only available to users on the local machine where the LicenseManagers are installed.

By default, only a local end user is authorized to set access rights for the Admin LM on a givenmachine. Remote users are blocked from accessing any local Admin LM.

Enabling or Disabling Access for Remote Users

The parameters in the table that follows relates specifically to remote users. If these parametersare set to disable access for remote users, remote users will not be able to access Admin ControlCenter or Admin API for the local Admin LM. These settings override any access level granted byother parameters described below.

https://sentinelcustomer.gemalto.com/Documentation_Information.aspx

Remote AccessEnabled/Disabled

Using Admin Control Center –"Basic Settings" Configuration Page

Using AdminAPI

Enable access for remoteusers

Select the Allow Remote Access to ACC checkbox.

Set <accremote>to 1.

Disable access for remoteusers

Clear the Allow Remote Access to ACC checkbox.

Set <accremote>to 0.

Setting the Access Level for Authorized Users

For information in each Admin LM, an authorized end user can set one of the following levels ofaccess for local and remote users who are employing Admin Control Center or Admin API:

Access Level

Using Admin ControlCenter –"Basic Settings"Configuration Page

Using Admin API

Allow all users to retrieve and modifyall information.

For the Password Protectionparameter, do not set apassword, or change thepassword to null.

Do not set a password,or use<adminpassnew> tochange the passwordto null.

Allow all users to retrieve allinformation.Require a password to modify anyinformation.

n For the PasswordProtection parameter,select All ACC Pages.

n Set a password.

n Set <passacc> to 1.n Use

<adminpassnew>to set a password.

Allow all users to retrieve allinformation and to modify allinformation except for Admin LMconfiguration parameters.Require a password to modify AdminLM configuration parameters.

n For the PasswordProtection parameter,select Configuration Pages.

n Set a password.

n Set <passacc> to 0.n Use

<adminpassnew>to set a password.

The access level described in the table above applies to both local and remote users.However, in practice, the access level is only relevant for remote users because any userthat can access the configuration file for an Admin LM can modify access rights manually.

Managing Access to Standalone and Network LicensesA network license is Product license that supports concurrency. A network license is typicallylocated on a machine that is different from the machine where the protected application executes.

Managing Access to Standalone and Network Licenses 183


The following terms are used in this section:

license server machine A machine on which a network license is located. This machine alsocontains the Run-time Time Environment. The Sentinel LDK LicenseManager service must be active on this machine at all times. Multiplelicense server machines may exist in a network.

client machine A machine on which a protected application executes.

When a protected application is launched, the License Manager on the client machine initiates asearch for a protection key that contains an appropriate Product license. (The client machine maycontain more than one License Manager. For more information, see "Selection of the LicenseManager By the Protected Application" on page 177.)

The customer can configure the way the client machine locates the appropriate license. Forexample:

n The customer can configure the License Manager on the client machine or license servermachines so that if no license is found locally, the License Manager on the client machinecan expand the search to include license server machines in the same network.

n The customer may want to minimize the time required for a protected application tolocate a network license. This can be done by configuring the License Manager on eachclient machine to access a specific license server machine.

n An organization may want to set up two or more license server machines in their networkand control which end user machines can access each license server machine.

Configuration of the search for a network license can be accomplished using either client-sideconfiguration or license server-side configuration (or any combination of the two).

The scope of the search by a protected application for a Product license on a protectionkey may be limited by the following additional considerations:

n The Protection Key Search Mode specified for the protected application inSentinel LDK Envelope may limit the search to the local machine or to remotemachines only.

n The Locking Type specified for the protected application in Sentinel LDK Envelopemay limit the search to specific types of protection keys.

n If the Sentinel Licensing API is used in the protected application to log into aspecific Feature in a protection key, the login scope may apply a variety ofparameters that limit the search for the protection key.

The explanations in this section are based on the assumption that the parameters aboveare configured to include widest possible scope of protection keys.

Client-side Configuration

When using client-side configuration, you must also configure the Admin LM on the licenseserver machine to allow remote access from client machines. In Admin Control Center onthe license server machine, select the configuration parameter Allow Access From RemoteClients.

Use one of the following techniques to configure client machines:

n Use Admin Control Center (if available) on a client machine:

Access the Configuring Access to Remote License Managers tab on the Configurationpage. Select the Allow Access to Remote Licenses option, and use the other parameterson the screen to specify how the client machine should search for remote licenses.

To repeat the configuration on multiple client machines, see "Working Directly WithLicense Manager Configuration Files" on page 186.

n Use Admin API on a client machine:

Use the ContextNewScope() function to establish a context to the Integrated/External LM(or to the Admin LM, if available). Configure which license server machines the clientmachine should access in order to locate a license for the protected application. Use the<serveraddr> tag for this purpose.

To repeat the configuration on multiple client machines, see "Working Directly WithLicense Manager Configuration Files" on page 186.

n Manually configure the client machine

You can use a text editor to create a Licensing Manager configuration file manually (orcopy an existing one). Indicate which license server machines the client machine shouldaccess in order to locate a license for the protected application.

For more information, see "Working Directly With License Manager Configuration Files"on page 186.

License Server-side Configuration

When using license server-side configuration, you must also configure the Admin LM onthe client machine to search for remote licenses on license server machines. In AdminControl Center on the client machine, select the configuration parameter Allow Access toRemote Licenses.

Use either Admin Control Center or Admin API to configure license server machines:

n Using Admin Control Center on each license server machine, do one or both of thefollowing:

o Access the Configuring Access From Remote Clients tab on the Configurationpage. Select the Allow Access from Remote Clients option. In the AccessRestrictions field, specify restrictions that limit which remote machines can accessthe local Sentinel License Manager to consume licenses.

o Access the Configuring User Settings tab on the Configuration page. In the UserRestrictions field, specify which users, which machines, or which user–machinepairs can access licenses on the license server machine.

To repeat the configuration on multiple license server machines, see "Working DirectlyWith License Manager Configuration Files" on page 186.

OR

Managing Access to Standalone and Network Licenses 185


n Using Admin API on each license server machine:

a. Use the ContextNewScope() function to establish a context to the Admin LM.

b. Configure the Admin LM:

o Use the <access_restriction> tag to allow or deny access from specific clientmachines or subnets.

OR

o Use the <user_restrictions> tag to specify which users, which machines, orwhich user+machine pairs can access the license server machine.

To repeat the configuration on multiple license server machines, see "Working DirectlyWith License Manager Configuration Files" on page 186.

Working Directly With License Manager Configuration FilesLicense Manager configuration files can be modified using:

n Sentinel Admin API (for all types of License Managers)

n Sentinel Admin Control Center (for Admin API License Managers)

However, under certain circumstance it may be desirable or necessary to work directly with theconfiguration files using a text editor, as described in this section.

License Manager configuration files do not exist on a given machine until one or more of thefollowing occur:

n A user submits configuration changes in Admin Control Center.

n The writeconfig command is issued in Admin API to write configuration changes to theconfiguration file.

n A configuration file is created manually and placed on the machine.

Default Location of License Manager Configuration Files

This topic describes the location where each type of License Manager creates or expects to find itsconfiguration file.

For all types of License Managers, this location can be determined in Admin API by retrieving thevalue of the configuration parameter <configdir>.

Admin License Manager

For the Admin LM on a given machine, the configuration file is called hasplm.ini. The pathname ofthe configuration file is as follows:

n For Windows x64: %CommonProgramFiles(x86)%\Aladdin Shared\HASP\hasplm.ini

n For Windows x86: %CommonProgramFiles%\Aladdin Shared\HASP\hasplm.ini

n For Linux/Mac: /etc/hasplm/hasplm.ini

The full path name of the hasplm.ini file is displayed at the bottom of the Configuration page inAdmin Control Center.

On a given machine, one hasplm.ini file exists for all software vendors who require the Admin LMon the machine.

If you are using Windows in a language other than English, locate the directory in whichthe common files are stored. (In English Windows, the Common Files folder).

Integrated/External License Manager

For the Integrated LM or External LM, the configuration file is called hasp_vendorId.ini. (vendorIdis the Vendor ID associated with your Batch Code.) For each account under which a protectedapplication executes on a given machine, the file is placed in one of the following locations:

Type of application Default Location

Desktop(Windows Vista/7 orlater)

%LocalAppData%\SafeNet Sentinel\Sentinel LDK\

Desktop(Windows XP)

%UserProfile%\Local Settings\Application Data\SafeNet Sentinel\SentinelLDK\

Service (Local Serviceaccount)x64 operating system

%systemroot%\SysWOW64\config\systemprofile\AppData\Local\SafeNetSentinel\Sentinel LDK\

Service (Local Serviceaccount)x86 operating system

%systemroot%\System32\config\systemprofile\AppData\Local\SafeNetSentinel\Sentinel LDK\

Service (NetworkService account)

%systemroot%\ServiceProfiles\NetworkService\AppData\Local\SafeNetSentinel\Sentinel LDK\

Linux $HOME/.hasplm

The Integrated/External LM also searches for configuration information from additional sources, inthe following order:

n (Windows only) The License Manager search for the hasp_vendorId.ini configuration file inthe following locations:

a. directory where the protected application is installed.

b. the %ProgramData%\Safenet Sentinel\Sentinel LDK\ directory (for applicationsthat were protected with Sentinel LDK 7.6 or later).

This file must be created and maintained manually.

Working Directly With LicenseManager Configuration Files 187


If the hasp_vendorId.ini file is present in more than one of the locations described in thissection, the License Manager merges the information in the files. Preference for conflictinginformation is given to files according to the following priority:

1. default location

2. application directory

3. the %ProgramData%\Safenet Sentinel\Sentinel LDK\ directory

For example: If files are present in the default location and in the application directory, andboth files contain a list of remote license server machines, the License Manager will searchfirst for licenses in the list from the file in the default location. If the two files containconflicting configuration information, preference is given to information from the file in thedefault location.

n The License Manager retrieves a list of remote license server machines from the Admin LMcontext on the local machine (if the Sentinel LDK License Manager service is active). Thismay include license server machines that were added in the current context but were notwritten to the Admin LM configuration file.

Modifying License Manager Configuration Files Manually

You have the option of creating a configuration file manually. This would be typically done when:

n You want to distribute the same configuration parameters to many machines.

n You want to place a configuration file in the application directory. A configuration file inthis location would be shared by all users who run a protected application on a givenmachine.

The easiest way to create a configuration file is to copy an existing file that was created using oneof the License Manager tools and modify it to suit your requirements.

The configuration file does not have to contain any parameters for which you accept the defaultvalues. A typical reason to create a configuration file manually is to specify a remote license servermachine. In this case, the file would contain the following entry:

serveraddr = remoteServerAddress

This parameter is described below in greater detail.

For multiple entries, place each entry on a separate line in the file.

Additional License Manager Configuration Files Parameters

The table that follows describes configuration parameters that you can insert or modify in theconfiguration file for any type of License Manager.

Parameter Descriptiondisable_IPv6 Whether to disable IPv6 protocol. Possible values are:

0 — Do not disable IPv6 protocol. Default.1 — Disable IPv6 protocol.

serveraddr Append specific machines that may be searched by the current machinefor remote Sentinel License Managers. Specify data as IP addresses (forexample: 10.1.1.17), Broadcast addresses (for example: 10.1.1.255), ormachine names (for example: hklm001.ecomp.com). When using theIPv6 protocol, use the IPv6 address format. For example, specify FF02::1to access all remote Sentinel License Managers that are part of thedefault local group defined in the IPv6 subnet.

requestlog Whether to generate an access log file. Possible values are:0 — Do not generate. Default.1 — Generate.

errorlog Whether to generate an error log file. Possible values are:0 — Do not generate. Default.1 — Generate.

getinfo_uncached When the GetInfo function or GetSessionInfo function in the SentinelLicensing API retrieves information about remote keys, the informationmay be obsolete by several minutes because of caching. (For example,the session/login counters may not be current for several minutes.)You can disable caching to deliver actual values. However, theadditional network request requires significantly more time to retrieve.Possible values are:0 — Enable caching. Default.1 — Disable caching.

load_balancing Attempt to distribute licensing requests evenly by one of the following:server — Prefer remote License Managers with fewer sessions. Defaultcontainer — Prefer remote keys with fewer sessions.none — No preference.Other priorities (license reuse, faster key preference, local keypreference) always override these setting.

broadcastsearch Whether to enable the current machine to search for remote SentinelLicense Managers on the local network via broadcasts. (Note that thebroadcast uses a random UDP source port. This may be an issue withcertain firewalls.) If this option is not enabled, every machine on thelocal network that is to be searched must be specified with theserveraddr parameter (follows below).Possible values are:0 — Enable broadcasts.1 — Disable broadcasts. Default.

For example:

Working Directly With LicenseManager Configuration Files 189


disable_IPv6 = 1requestlog = 0errorlog = 1getinfo_uncached = 0serveraddr = 10.1.1.17serveraddr = 10.1.1.255

Configuring Detachable License DefinitionsIn Sentinel EMS, it is possible to flag network-based licenses for Features in Products that will belocked to Sentinel SL keys as being detachable. This means that the Product license can betemporarily detached from a pool of network seats and attached to a remote recipient machinefor a specific period of time. At the end of the detachment period, the license is automaticallyrestored to the network pool. Prior to the expiration of the license, it is possible to extend itsdetachment period, or to cancel the detachment and to return the license to the network poolearly.

Licenses cannot be detached unless this functionality is enabled as described in thissection.

You enable or disable the ability to detach licenses as follows:

n In Admin Control Center: In the Detachable License tab of the Configuration page.

n In Admin API: Using the <enabledetach> tag.

You can also specify criteria relating to the number of licenses that can be detached from the poolof network seats and the maximum period for which the licenses can be detached. In AdminControl Center, you can specify global settings for all Products, or click the Per-Product Settingsbutton to customize settings for individual Products. Global settings will also affect any Productsfor which individual settings have not been specified.

The Diagnostics page in Admin Control Center on the recipient machine can be used to create afile that containing the machine identity details. This information is required by Admin ControlCenter on the host machine in order to identify the machine to which a detachable license will beattached.

Making Product Names Visible on the End User's MachineWhen you burn the entitlement for a Product to a Sentinel HL key, the Product name is notnecessarily visible in Sentinel Admin Control Center or in Sentinel Admin API on the machinewhere the Sentinel HL key is connected. The Product name is visible if one of the following actionsis performed:

n You send a V2C file containing an update for the Product. After the user applies the V2Cfile, the Product name will be visible as long as the Sentinel HL key is connected to thesame machine. (If the user moves the key to a different machine, the Product name willnot be visible on the new machine.)

n You export Product names from Sentinel EMS to an XML file, and place the file on the enduser’s machine.

To export Product names from Sentinel EMS to the end user’s machine:

1. From the Developer menu in Sentinel EMS, click Export Catalog Definitions.

2. In the resulting screen, select the appropriate Batch Code. For Export File Type, selectMetadata in Admin Control Center format.

3. Click Export. The file vendorID.xml is saved.

4. On the end user’s machine, do the following:

a. Stop the Sentinel LDK License Manager service. (This must be completed before youperform the next step.)

b. Place the vendorID.xml file in the directory:

%ProgramFiles(x86)%\Common Files\Aladdin Shared\HASP\vendors\

(For Windows x86, use: %ProgramFiles%\...)

c. Restart the Sentinel LDK License Manager service.

To move Product names from one end user's machine to another:

n Copy the vendorID.xml file from the source machine to the target machine using theprocedure in step 4 above.

Loss of Connection With a Network LicenseA network-type protection key (HL or SL) that contains Features with concurrency typically doesnot reside on the same machine as the protected application (the client machine).

Under certain circumstances, the communication between the protected application and theprotection key may be lost. For example, the protected application may fail or the client machinemay crash. As a result, the protection key is left with an open session for a non-existent instanceof the protected application. This reduces the number of available network seats for theapplication in the license.

The Admin LM on the license server machine contains an automatic function that identifiesinstances where a network protection key and the relevant protected application (on separatemachines) have become disconnected. When this situation occurs, the session times out afterthree minutes. At that point, the Admin LM frees the network seat for re-use.

This functionality is completely automatic and requires no setup or configuration activities by thesoftware vendor or the end user.

Loss of Connection With a Network License 191

Chapter 17:Sentinel Admin Control Center

Sentinel Admin Control Center is a customizable, Web-based, end-user utility that enablescentralized administration of Admin License Managers and Sentinel protection keys.

Admin Control Center is designed to provide your end user’s system administrator with themeans of managing the use of your licensed software by members of the organization. AdminControl Center has been engineered in a way that makes it both flexible and customizable. Thismakes Admin Control Center a useful add-on to your protected application.

Following are some of the benefits of Admin Control Center:

n Web-based, meaning that it can be easily accessed from any Web browser. Theadministrator does not have to be physically present at your end user’s site in order tomanage the software licenses.

n Cross-platform capable, enabling it to be used on any platform on which a browser isavailable.

n Fully customizable, enabling you to change the displayed information, appearance andbehavior so that it will, for example, integrate seamlessly into other applications or matchcorporate styles. In addition, Admin Control Center can be displayed in a variety oflanguages.

n Easy to use, meaning that it can be used with minimal configuration. In addition, the GUIis intuitive, enabling the administrator to manage licenses without the need for a steeplearning curve.

n Enables configuration and control of licenses in a network.

This chapter describes the functionality, configuration, and customization of Admin ControlCenter.

All of the functionality that is available in Admin Control Center can also be accessed from anyprogram by calls to the Admin API.

For more information, see "License Manager Tools" on page 181.

In this chapter:

n "Launching Admin Control Center" on page 194

n "Admin Control Center Interface" on page 194

n "Administrator’s Workflow" on page 196

n "Configuration Considerations" on page 196

17

194 Chapter 17: Sentinel Admin Control Center

n "Diagnostics" on page 197

n "Customizing Admin Control Center Look and Feel" on page 197

Launching Admin Control CenterAdmin Control Center is installed as part of the Sentinel LDK Run-time Environment driverinstallation process.

Admin Control Center is launched by typing http://<machine_name or ip_address>:1947 in theaddress field of the browser. If you are accessing the Sentinel License Manager residing on yourown machine, type http://localhost:1947.

Ensure that Sentinel LDK License Manager service is active on the machine where AdminControl Center will run. If Admin Control Center Web pages do not display, see "AppendixI: Troubleshooting" on page 299.

Admin Control Center InterfaceWhen you launch Sentinel Admin Control Center, the Web interface displays a number ofAdministration Options on the left of the page. The Sentinel Admin Control Center help systemprovides information about the fields for each option. Note that the options relate toSentinel License Manager on the machine whose name or IP address appears in the title bar ofAdmin Control Center.

The following options are available:

n Sentinel Keys enables you to identify which Sentinel protection keys are currently presenton the network, including locally connected keys.

n Products enables you to view a list of all the Base Products available on allSentinel License Managers (local and network). In addition, when a Product containsFeatures with detachable licenses you can see the number of licenses for the Product thatare currently available to be detached from the network and the maximum duration forwhich they may be detached. This option also enables you to access the Detach/Extendfunctions.

The Product name for Products that are licensed with Sentinel HL keys are notnecessarily displayed in Admin Control Center. For more information, see "MakingProduct Names Visible on the End User's Machine" on page 190.

n Features enables you to view a list of the Features that are licensed in each of theSentinel protection keys that are currently present on the network, including locallyconnected keys. In addition, you can see the conditions of the license, and the currentactivity related to each Feature.

n Sessions lists all the sessions of clients on the local machine, and those remotely logged into Sentinel License Manager on the local machine. You can view session data andterminate sessions.

n Update/Attach enables you to update existing licenses on a Sentinel protection key in thefield and, in the case of Sentinel SL keys, to attach a detachable license to a recipientmachine. It also enables you to apply identification details of an offline recipient machineto a host machine in order to create a file for a detachable license.

n Access Log enables you to view a history of log entries for the server on whichSentinel License Manager is running.

n Configuration enables you to specify certain operating settings for Sentinel Admin ControlCenter running on the connected machine. You can set parameters relating to useraccess, access to remote Sentinel License Managers, and access from remote clients. Inaddition, you can customize log template files in terms of the data they return.

n Diagnostics enables you to view operating information for the Sentinel License Managerto which you are currently logged in, to assist in diagnosing problems. You can generatereports in HTML format. This option also enables you to view miscellaneous data relatingto the use of the server on which Sentinel License Manager is running.

For more information about the Diagnostics page, see "Diagnostics" on page 197.

n Help displays the Sentinel Admin Control Center help system. Context-sensitive help isavailable within each of the functions described above, by clicking the Help link at thebottom of the page.

n About provides information about the version of Sentinel License Manager.

n Country Flags enables you to change the language of the user interface. Click the flag ofthe appropriate country for the language you require. Languages other than English canbe downloaded within Admin Control Center from the Sentinel Web site.

Admin Control Center Interface 195


Administrator’s WorkflowWhen you first launch Admin Control Center, the utility is preconfigured to run automatically.However, you may want to customize it to your requirements and to specify users and theiraccess permissions, and access permissions between remote machines and local servers. Changesto the configuration of Admin Control Center are made in the Configuration tab of the application.

The basic configuration changes that you can make include:

n Specifying a name for the local machine

n Enabling access from remote machines to the Admin Control Center web interface on thelocal machine

n Setting the display refresh time

n Defining how many rows of data will be displayed on a page

n Specifying the logs that are to be created and their content, and customizing informationthat will be displayed in the log

n Setting an Admin password

Following the configuration set up, you can define:

n Users and their access privileges

n Access parameters to remote Sentinel License Managers

n Access privileges from remote client machines to a Sentinel License Manager on thecurrent machine

Configuration ConsiderationsThis section briefly describes the main configuration considerations for Admin Control Center.

Managing User Access to Admin Control Center

You can configure which users can access the Admin Control Center Web interface (or the AdminAPI) to view or modify information regarding the Admin License Manager. For more information,see "Managing User Access to Admin License Manager Information" on page 182.

Customizing Log Parameters

You can specify whether Admin Control Center should create an access log and the data thatshould be included in the log file.

Access the Edit Log Parameters page by clicking Edit Log Parameters in the Basic Settings tab ofthe Configuration page.

Additional information about log file parameters is provided in the Admin Control Center helpsystem.

Managing Access to Licenses in Admin License Manager

Managing Access to licenses in Sentinel License Manager is performed with the Users tab andAccess from Remote Clients tab in the Configuration page.

For more information, see "Managing Access to Standalone and Network Licenses" on page 183.

Searching for Sentinel License Managers

The Access to Remote License Manager tab in the Configuration page is used determine whichlocations to include when the local Sentinel License Manager searches for remote Sentinel LicenseManagers.

When you define criteria relating to the machines that may be searched for Sentinel LicenseManager, you can choose to:

n Enable a “broadcast” that searches all machines on the local network

n Search the default local group in an IPv6 subnet

n Restrict the search to specific machines.

For more information, see "Managing Access to Standalone and Network Licenses" on page 183.

DiagnosticsThe Diagnostics page enables you to view and extract operating information for theSentinel License Manager to which you are currently logged in, to assist in diagnosing problems.You can generate diagnostics reports in HTML format.

Occasionally, it is necessary to create a file containing the machine identity details of a remoterecipient machine. This information is required in order for a host machine to identify whichmachine a detachable license will be attached to. The Diagnostics page enables you to create thisfile for the local machine on which Admin Control Center is running by using the Create ID Filebutton.

Additional information about the data provided in the Diagnostics page is available in the AdminControl Center help system.

Customizing Admin Control Center Look and FeelYou can change the language, displayed information, appearance, and behavior of Admin ControlCenter so that, for example, it will integrate into other applications or match your organization’scorporate styles.

The Admin Control Center user interface consists of HTML, GIF, and other files, which are locatedinside the executable (EXE) file hasplms.exe. When you implement additional template sets, youmust add them to a fixed directory structure under the Sentinel LDK base directory.

As an alternative to customizing Admin Control Center, you can develop your owninterface to Admin Control Center functionality by using Sentinel Admin API. For moreinformation, see "License Manager Tools" on page 181.

Diagnostics 197


To create a directory for a custom template:

1. Locate the templates directory inside the Sentinel LDK base directory. (which is displayed atthe bottom of the Configuration page in Admin Control Center). The location of the SentinelLDK base directory is as follows:


n For Windows x86: %CommonProgramFiles%\Aladdin Shared\HASP\

n For Linux/Mac: /etc/hasplm/

If you are using Windows in a language other than English, locate the directory inwhich the common files are stored. (In English Windows, the Common Files folder).

2. Add <your_template_directory_name> to the directory. For example, using an English versionof Windows 7, the full path is:

%ProgramFiles(x86)%\Common Files\Aladdin Shared\HASP\templates\myTemplates

You can create multiple templates inside your templates directory

Each time Sentinel License Manager is launched, the application reads the files in allthe directories (except .bak files). To expedite the launch time, it is recommendedthat you keep the directories free of unnecessary files.

3. Restart the Sentinel License Manager,ORCall http://127.0.0.1:1947/action.html?reload_templates to reload the new template.

To verify your customized template, from a browser on your local machine, open:http://127.0.0.1:1947/<yourTemplateDirectory>.

Writing Templates

A template is an ASCII text file (typically HTML, but also XML, CSV, or other possibilities) thatcontains place holders (tags) for variables that are inserted by the Admin License Manager when arequest is made via HTTP.

In addition, the file may contain block tags that surround a block of text and tags, and generallyiterate a list (of Sentinel protection keys, Features, sessions, or other entities). For example,{tagname}repeatingblock{/tagname}

The place holders are written as {placeholdername}. For a complete list of available place holdernames, their description and usage, see tagxref.txt in:

%ProgramFiles(x86)%\Gemalto Sentinel\Sentinel LDK\Docs\Manuals & Tutorials\Admin ControlCenter Customization


Not all tags work in every context, and some will have different values depending on how they areused. For example, when {logincount} is used in a global context, it returns the total login countfor the server. When logincount is used inside {devicelist} {/devicelist}, it returns the login

count for the currently selected Sentinel protection key. If logincount is used inside{featurelist} {/featurelist}, it returns the login count for the currently selected Feature.

A special include tag is available—{#include "filename.ext"}—that will return the contents of aspecific file instead of a value. Includes (included files) must not be nested, and must not include apath (meaning that included files must reside in the same directory as the template).

If a table displayed in a browser page returns *** illegal tag: xxx ***, the tag is eitherunrecognized, or is illegal in the current context.

In JavaScript, {placeholders} are replaced. To use an opening curly bracket {, without it beingreplaced or generating an illegal tag error, ensure that a white space (space, CR, LF, or tab)follows the curly bracket. In this case, it will be passed without modification.

To output something such as {this} without it being parsed, use the HTML notation for a curlybracket—{this}.

For additional assistance, refer to the sample templates in the templates directory describedabove.

Default Templates and Samples

Three sets of template source code are provided:

n sample provides a very simple example of how to use templates and tags.

n csv provides an example for generating a comma-separated (.csv) file for importing to aspreadsheet or database, or for processing by your own program. It produces a CSV listof all available Features.

n en is the complete English-language version of Admin Control Center, as included in theSentinel License Manager application (hasplms.exe). The template uses AJAX technologiesto increase ease of use. For translations, or creating a specific corporate identity, use thistemplate set as a starting point.

You can also incorporate some or all of the Sentinel Admin Control Center functionality into yourown Web application, possibly with the use of (i)frames or other methods.

Sample CSV Output

This section provides a sample CSV output. Such output is useful for tasks such as importing thedata into spreadsheets or databases.

Using a template such as:

c:\>type templates\csv\features.txt{featurelist}{index}, {hhlid}, {featureid}, "{local}", "{concurrtext}", {priority}, {fileid},{filetag}, {logincount}, {loginlimit}, {sessioncount}{/featurelist}

The following output is produced:

c:\>wget http://10.24.2.23:1947/csv/features.txt -Of.txt & type f.txt--17:23:44-- http://10.24.2.23:1947/csv/features.txt=> `f.txt'Connecting to 10.24.2.23:1947... connected!

Customizing Admin Control Center Look and Feel 199


HTTP request sent, awaiting response... 200 OKLength: 1,411 [text/plain]1, 0x335918F1, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 02, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1234, 0x0C, 0, 7, 03, 0x335918F1, 0x00001357, "local", "L", 0, 0xABCD, 0x0B, 0, 0, 04, 0x335918F1, 0x000CAFF1, "local", "L", 0, 0xCAF1, 0x0B, 0, 0, 05, 0x335918F1, 0x000CAFF2, "local", "L", 0, 0xCAF2, 0x0B, 0, 0, 06, 0x335918F1, 0x000000A1, "local", "LNS", 0, 0xCAF3, 0x0C, 1, 7, 47, 0x335918F1, 0x000000A2, "local", "LNS", 0, 0xCAF4, 0x0C, 0, 7, 08, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1235, 0x0C, 0, 7, 09, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1236, 0x0C, 0, 7, 010, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1237, 0x0C, 0, 7, 011, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1238, 0x0C, 0, 7, 012, 0x389C1FAB, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 013, 0x389C1FAB, 0x00012345, "local", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 014, 0x389C1FAB, 0x00055779, "local", "L", 0, 0xBEEF, 0x0B, 0, 0, 015, 0x33C90F7A, 0x00011223, "10.24.2.17", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 016, 0x33C90F7A, 0x00097531, "10.24.2.17", "LNS", 0, 0x1234, 0x0C, 0, 7, 017, 0x33C90F7A, 0x00002FAC, "10.24.2.17", "LNS", 0, 0xCAF2, 0x0C, 0, 7, 018, 0x33C90F7A, 0x000AFFEE, "10.24.2.17", "LNS", 0, 0xCAF5, 0x0C, 0, 7, 019, 0x33C90F7A, 0x000DFEED, "10.24.2.17", "LNS", 0, 0xCAF9, 0x0C, 0, 7, 020, 0x33C90F7A, 0x000FFE01, "10.24.2.17", "LNS", 0, 0x00A1, 0x0C, 0, 7, 0

Configuring Admin Control Center to Use Your Custom Template

After you have created your template, you want to be sure that Admin Control Center loads yourcustomized settings whenever it launches.

By default, when you enter http://[servername]:1947 in your browser, the internal factory defaulttemplates are used. The URL is redirected to http://[servername]:1947/_int_/index.html. _int_ denotes theinternal directory. If you replace _int_ with sample, the templates from the sample directory areused.

To direct Admin Control Center to use your Custom Template:

1. Open Admin Control Center in your browser. By default, the application opens at this URL:http://[servername]:1947/_int_/index.html

2. In the URL, replace _int_with the name of the custom template you wish to use.

3. Create a shortcut to the address of Admin Control Center with your template.

Using this process, multiple browser windows can use multiple templates simultaneously.

URL Redirections Using HTTP 302

Following is a list of sample URLs to which the browser is redirected when a specific URL isentered.

Note that you do not require this information for translation or simple layout changes in yourtemplate. However, it is required if you are changing the logic of Admin Control Center (forexample, by adding or removing pages, or merging Admin Control Center functions into anotherapplication).

URL Entered URL Displayed

[server name]:1947Provides a shortcut to the main Admin Control Center page

[server name]:1947/_int_/index.html

[server name]:1947/corporate.htmlAutomatically switches to the internal template. (_ini_) is setwhen no template has been specified

[server name]:1947/_int_/corporate.html

[server name]:1947/csv/devices.txtDoes not change because the template (csv) and file name arespecified

[servername]:1947/csv/devices.txt

[server name]:1947/sampleAutomatically redirects to the index.html file when no file namehas been specified

[servername]:1947/sample/index.html

It is sufficient to type only the URL of Sentinel Admin Control Center— it automaticallyredirects to the index page.

Customizing Admin Control Center Look and Feel 201

PART 5 - LICENSING MODELSIn this section:

n "Chapter 18: Sentinel LDK Licensing Models: Overview" on page 205

Provides an overview of Sentinel LDK Licensing models.

n "Chapter 19: Sentinel LDK Licensing Models: Description of Models" on page 209

Provides a detailed description of the various Sentinel LDK Licensing models that you canuse to distribute your software.

Chapter 18:Sentinel LDK Licensing Models:

OverviewIn this chapter:

n "Introduction" on page 205

n "Sentinel LDK Licensing" on page 206

n "Determining the Best Protection and Licensing Method" on page 207

n "About This Section" on page 207

n "How to Use the Licensing Models" on page 208

IntroductionToday’s software industry is more competitive than ever. As with many other industries that onceenjoyed exceptionally high margins, software products are increasingly regarded as commodities,with resulting deterioration in both revenues and bottom line profits. To counteract these trends,software publishers and vendors now see the need to change the way they market their products,to increase the value they offer their customers and to better differentiate their offerings from thecompetition.

Licensing is among the most promising approaches for achieving more-competitive, value-basedofferings. Today, software publishers and vendors are seeking ways of moving away from thetraditional model—based on perpetual licenses and printed End User License Agreements—towardmore flexible licensing models. New licensing tactics such as trialware, demoware, module- andfeature-based licensing, rental, subscription, network licensing—and combinations of these—enable software publishers and vendors to adapt to dynamic markets by offering compellingproducts that target broader, more segmented markets.

Sentinel LDK is designed specifically to assist software publishers and vendors in pursuit of morecompetitive product offerings. It not only offers the highest possible level of protection—bothagainst illegal copying and in securing critical intellectual property (IP)—it also enables rapidimplementation of novel licensing and distribution models, without the need for extensiveengineering of product source code. This enables software publishers and vendors to aggressivelyextend their market reach and penetration, without negatively impacting their operating margins,to protect the bottom line.

This section describes a wide range of licensing strategies and models designed to provide endusers with greater value and additional options for purchasing software products. Using

18

206 Chapter 18: Sentinel LDK Licensing Models: Overview

Sentinel LDK’s versatile abilities, these strategies and models can be implemented immediately,and can serve as the basis for elaboration and for creating new, tailor-made licensing models.

Sentinel LDK LicensingSentinel LDK offers a wide range of options and unprecedented flexibility for making and revisingboth licensing and protection strategies. Virtually any licensing model can be created—supportedby the following fundamental Sentinel LDK concepts, technologies and applications:

n Protect Once—Deliver Many—Evolve Often™

The process of protecting software is completely autonomous of marketing and licensingprocesses, so that after protection has been implemented, diverse licensed products can becreated without necessitating changes in the code.

n Cross-Locking™

Using Sentinel LDK, the software vendor can choose the device to which the protectedsoftware and license are locked—either to one of the many hardware-based Sentinel HLkeys, or to a specific computer by means of a versatile software-based Sentinel SL key. Therequired level of protection, the licensing model, and the manner in which the software willbe accessed and used collectively determine the most appropriate type ofSentinel protection key. Locking the license to a hardware-based Sentinel HL key providesthe strongest security.

n Sentinel Remote Update System utility (RUS utility)

The RUS utility provides a simple and secure method of remotely updating the licenses ondeployed Sentinel protection keys. Using the RUS utility, software vendors can renew,extend, revise or revoke a license.

n LicenseOnChip® and UpdateOnChip

When a license is supplied on a hardware-locked Sentinel HL key, the licensing logic isembedded in the key’s chip, employing Sentinel LDK’s patented LicenseOnChip technology.This practice ensures that licenses are hardware-secured and effectively tamper-proof.Likewise, license updates are authenticated in the key’s chip.

n Role-based licensing application

Sentinel EMS is a role-based application in which access to each type of task is restricted toauthorized personnel. Restricted access provides separation of business activities from ordercreation, license manufacture and customer follow-up.

n Versatile Implementation

Software protection can be implemented using the GUI-driven Sentinel LDK Envelope, theSentinel Licensing API, or a combination of both. The considerations for choosing aprotection method are provided in "Determining the Best Protection and LicensingMethod" on page 207.

n Detachable Licenses

A detachable license is available for Products that are locked to Sentinel SL keys in a

network environment. Such a license can be temporarily detached from the network poolfor use on a remote recipient machine for a defined period.

Determining the Best Protection and Licensing MethodSentinel LDK offers two software protection methods that establish an inherent link between theprotected software, the license, and the intelligence contained in a specific Sentinel protection key.

n Envelope-based protection (automatic)

Sentinel LDK Envelope automatically wraps software in a protective shield and validates thelicensing terms. Sentinel LDK Envelope protection offers ease of use, short time-to-delivery,and anti reverse-engineering features such as file encryption and anti-debugging. It issuitable for protecting compiled executables and DLLs.

n API-based protection (automatic or customized)

Executables or specific functions are protected using Sentinel Licensing API calls that areembedded in the software code. This protection method offers maximum flexibility, andcompatibility with a wide variety of development tools and operating systems. API-basedprotection can be based on predefined Sentinel LDK functions and calls so that licensingterms are validated automatically, or can apply a customized license validation mechanismin order to implement specialized licensing models.

Most licensing models discussed in this book can be applied using either Envelope-basedprotection or API-based protection. However, some specialized models require customizedimplementation using the Sentinel Licensing API. Each licensing model notes the appropriatemethod or methods.

To enhance the security of your application, when you choose an API-based protectionmethod, it is recommended that you also protect your application with Sentinel LDKEnvelope. You can do this using a dedicated Feature ID or with Feature ID 0, which is notlinked to a specific license.

For additional information, see "Chapter 9: Preparing Your Sentinel LDK Licensing Plan " on page103.

For information on which important licensing functionality is supported by the various types ofprotection keys, see "Protection Key Attributes" on page 31. This will assist you in determiningwhich types of protection keys can be used for the various licensing models described in thissection.

About This SectionThis section describes a wide variety of licensing models, and provides guidelines for implementingthem using Sentinel LDK. The licensing models include:

n Evaluation licenses (trialware or demoware)

n Component-based licenses

Determining the Best Protection and Licensing Method 207

208 Chapter 18: Sentinel LDK Licensing Models: Overview

n Metered licenses

n Locked licenses

n Mobile licenses

n Network licenses

n Sales-assisting licenses

n Perpetual licensing

This section provides an outline of how to use Sentinel LDK to implement the describedlicensing models. For detailed instructions on how to protect and license your software,refer to earlier sections in this book and to the integral help system included in each of theSentinel LDK applications.

How to Use the Licensing ModelsEach licensing model in this section is introduced with a legend that describes the following:

n Sentinel LDK functionality—the Sentinel LDK functionality that enables creation of thedescribed licensing model

n Software distribution method—the available methods for software distribution whenusing the described licensing model (physical package or electronic distribution)

n Applicable key types—the Sentinel protection keys that can be used to implement thelicensing model

n Protection method—the Sentinel LDK protection methods (Sentinel LDK Envelope or theSentinel Licensing API) that can be used to implement the licensing model

For example:

Sentinel LDKFunctionality

Manages the maximum number of software executions

Software DistributionMethod

n Physical packagen Electronic distribution

Applicable Key Types n All Sentinel HL keys except Sentinel HL Basicn Sentinel SL

Protection Method n Envelope-based automatic implementationn API-based automatic implementation

The legend is followed by:

n A short description of the licensing model

n Guidelines for implementation using Sentinel LDK

Chapter 19:Sentinel LDK Licensing Models:

Description of ModelsThis chapter provides a detailed description of the many types of licensing models that you candefine using Sentinel LDK.

In this chapter:

n "Evaluation Licensing Models" on page 210

n "Component-based Licensing Models" on page 215

n "Metered Licensing Models" on page 218

n "Locked License Models" on page 230

n "Mobile License Models" on page 234

n "Network License Models" on page 237

n "Sales Boosting Licensing Models" on page 244

n "Perpetual Licensing Models" on page 250

19

210 Chapter 19: Sentinel LDK Licensing Models: Description ofModels

Evaluation Licensing ModelsEvaluation licensing models are marketing tools for the software publisher, providing potentialend users with the opportunity to test software without making a financial commitment. Anevaluation license can be based on fully-functional trialware or on semi-functional demoware. Thelicense can be limited by time or by executions.

When a potential end user subsequently decides to purchase the software, the software vendorcan offer any of the paid licensing models described in this book, with the appropriate key typeand locking type. The software vendor uses Sentinel EMS to create and produce the new license.The evaluation license is then seamlessly converted to a purchased license at the end-user site,using the RUS utility.

The evaluation licensing models described below are:

n "Trialware" on page 211

n "High-security Time-limited Evaluation" on page 212

n "Execution-limited Evaluation" on page 213

n "Demoware" on page 214

Trialware


Creates a time-limited, software-based trialware license



Applicable Key Types Sentinel SL


Description

Trialware is fully-functional software that is made available for a limited time period (typicallybetween 1 and 90 days) or limited number of executions (typically 30) as a marketing tool. Thesoftware is protected with a software-based license, so that it can be distributed bothelectronically—for example, via a Web site, and on media such as a CD.

The time-limited trialware license does not use a dedicated Sentinel protection key and does notrequire activation during the trial period. The license is linked to the machine on which thetrialware is installed. After the time period expires, the software can no longer run on thatmachine. However, it can be installed on other machines, creating a super-distribution mechanismwhen the trialware is referred to others.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID itwill be identified.

n Select your protection method:

o Envelope-based automatic implementationProtect the executable file using Sentinel LDK Envelope, specifying its Feature ID.

o API-based automatic implementationIn your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create an Unlocked Product in Sentinel EMS, including the Feature IDs you defined.

n Distribute your trialware with Sentinel LDK Run-time Environment.

n When a fully-licensed product is purchased, provide the end user with the appropriateSentinel protection key programmed with the license.

Evaluation Licensing Models 211


High-security Time-limited Evaluation


Manages the period over which your software can be activated


Physical package

Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except Sentinel

HL Basic


Description

The time-limited evaluation software is distributed, protected with a Sentinel HL key for maximumsecurity. Due to the extra cost of providing software with a hardware-based Sentinel HL key, thisevaluation method is suitable for high-end software or for software with a high evaluation-to-purchase conversion rate.

Implementation





n Create the evaluation Product in Sentinel EMS and define the expiration date for eachFeature ID included in the Product.

n Distribute the evaluation software with a Sentinel HL key programmed with the license.

n Create the licensed Product in Sentinel EMS and define the required licensing terms foreach Feature ID included in the Product.

n When a fully-licensed product is purchased, update the Sentinel HL key using the RUSutility.

Execution-limited Evaluation


Manages the maximum number of software executions





Description

Evaluation software that is restricted to a predetermined number of executions. The evaluationsoftware can be distributed with a Sentinel SL key—for example, via a Web site or on a demo CD.Alternatively, it can be distributed with a Sentinel HL key, providing maximum security.

Using a Sentinel HL key for evaluation purposes is usually applicable for high-end software or forsoftware with a high evaluation-to-purchase conversion rate.

When distributing the evaluation software with a Sentinel HL key, the type of key provided mustbe compatible with the licensing model that will subsequently be applied to the paid license. Forexample, if the paid license is a rental license, the key used must be a Sentinel HL Time or SentinelHL NetTime key or must be a Sentinel HL key that supports V-Clock.

Implementation





n Create the evaluation Product in Sentinel EMS and define the permitted number ofexecutions for each Feature ID included in the Product.

n Distribute the evaluation software with a Sentinel protection key programmed with thelicense.

n Create the licensed Product in Sentinel EMS, defining the licensing terms for eachFeature ID included in the Product.

n When the end user purchases a fully-licensed product, update the Sentinel protection keyusing the RUS utility.

Evaluation Licensing Models 213


Demoware

Sentinel LDK Functionality Manages active and inactive software functionality




Protection Method API-based automatic implementation

Description

The demo version of the software is limited to a subset of the functions provided in the fully-licensed product. Demoware can be distributed either with a Sentinel SL key (for example via aWeb site or on a demo CD), or with the superior protection of a Sentinel HL key.

Demoware provides prospective end users with limited software functionality, at no charge. Evenif the end user does not subsequently purchase the software, the demoware is not discarded,serving as a constant reminder that more powerful functionality can be purchased, with yourbrand name at the forefront.

When distributing the demoware with a Sentinel HL key, the type of key provided must becompatible with the licensing model that will subsequently be applied to the paid license.For example, if the paid license is a rental license, a Sentinel HL Time or Sentinel HLNetTime key must be used or the key must support V-Clock.

Implementation

n Select the software functions that you want to license separately, and determine by whichFeature ID they will be identified.

n In your code, insert a Sentinel Licensing API Login call to the Feature ID.

n Create two Products in Sentinel EMS:

o The demoware Product, including only those Feature IDs that are designated forthe demoware. Define a Permanent license for these Features.

o The fully-licensed Product, including the full set of Feature IDs. Define the requiredlicense terms for these Features.

n Envelope your software for additional security (optional).

n Distribute the demoware.

n When the end user purchases the software, send a Sentinel protection key programmedwith the full license.

Component-based Licensing ModelsOften, software vendors do not want to sell all the software functionality as a single package,preferring to mix and match components in order to create different offerings. Using Sentinel LDK,software vendors have complete freedom to determine the granularity of licensed items, at thelevel of a specific functionality or component, or at the level of an executable file.

The component-based licensing models described below are:

n "Module-based (Suites)" on page 216

n "Feature-based" on page 217

Component-based Licensing Models 215


Module-based (Suites)


Manages licensing of individual executables





Description

Each module (executable file) is licensed separately. Assorted software can be bundled into a suite,including software from other software vendors. The license for the entire suite is supplied on asingle Sentinel protection key.

Implementation

n Select the executable files that you want to license separately, and determine by whichFeature ID they will be identified.




n In Sentinel EMS:

a. Create one or more Products.

b. Include the required Feature IDs in each Product.

c. Define the appropriate license terms for each Feature—for example, the number ofexecutions, expiration date or concurrency.

n Distribute your software suite with the appropriate Sentinel protection key programmedwith the license.

Feature-based


Manages licensing of separate functional components





Description

Software components or functionality are licensed separately, without necessitating changes inthe code. Feature-based licensing can be useful in many different scenarios.

n Example 1: Basic Software with Add-onsYour basic software is provided with a perpetual license. Additional features are licensedseparately, and are available at a charge.

n Example 2: Software LevelsDifferent levels of your software are offered—for example, Student, Light, Standard, andProfessional versions. The protection method determines which components are active ineach version.

n Example 3: Customized SoftwareYour software is customized to display or hide functionality depending on therequirements of different end users.

n Example 4: Skins or ThemesThe end user is able to choose from a selection of skins or themes, or a user-specificdesign is created and applied.

Implementation

n Select the software functions that you want to license separately, and determine by whichFeature ID they will be identified.

n In your code, insert a Sentinel Licensing API Login call to each Feature ID.

n In Sentinel EMS:

a. Create one or more Products.b. Include the required Feature IDs in each Product.c. Define the appropriate license terms for each Feature—for example, number of

executions, expiration date or concurrency.


n Distribute your software with the appropriate Sentinel protection key programmed withthe license.

Component-based Licensing Models 217


Metered Licensing ModelsIn recent years, licensing models that are based on usage, rather than providing an end user withownership of the software, have become more prevalent. These models all apply some form ofmetering, the most common of which are rental (time-based) and execution (counter-based)metering. Some models require a prepaid fee, while others enable payment for each use. Themodels in this section include:

n Rental packages—Time-limited rental, phased rental, micro-rental, subscription.

In this group of license models, the license is prepaid or paid on a monthly basis. When itexpires, the end user can only continue using your software by extending the license.

n Pre-paid execution-based packages—Standard counter and phased counter.

The license provides a prepaid number of executions. When these have been consumed,the end user must purchase a new package of executions.

n Specialized packages—Capacity, pay-by-peak time, time-based overdraft, counter-basedoverdraft.

The metered licensing models described below are:

n "Time-limited Rental" on page 219

n "Phased Rental" on page 220

n "Micro-rental" on page 221

n "Subscription" on page 222

n "Pay-by-Peak Time (Peak Time)" on page 224

n "Time-based Overdraft" on page 226

n "Standard Counter" on page 227

n "Phased Counter" on page 228

n "Capacity (CPU/Memory/Disk)" on page 229

Time-limited Rental

Sentinel LDK Functionality Manages the time period over which your software can be used



Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except

Sentinel HL Basicn Sentinel SL


Description

The end user pre-pays a fee for a specific period of time, either for a predetermined number ofdays or terminating on a predetermined expiration date.

End users can monitor the remaining time using Sentinel Admin Control Center, and can order alicense renewal before the license expires. License renewal is implemented using the RUS utility.

You can also specify a licensing period that is shorter than one day, as described in "Micro-rental" on page 221.

Implementation





n In Sentinel EMS, create a Product that includes the Feature ID and define either anexpiration date or the number of days until expiration.


n Renew the license remotely using the RUS utility.

Metered Licensing Models 219


Phased Rental

Sentinel LDK Functionality Manages the time period over which your software can be used






Description

The end user pays a monthly fee, with a phased pricing structure, which can be associated with anentire product or a specific functionality. The transition from one phase to another isimplemented using the RUS utility.

n Phase 1: A fraction of the regular usage price is charged (micro-payment) for a limitedperiod of time. This provides an incentive for the end user to enter into a rentalagreement for use of the software. If payment is not received for Phase 2, the licenseexpires at the end of the defined time period.

n Phase 2: The full monthly rental price is charged, for an indefinite time period.

Implementation

n Select the executable file or software functions that you want to license, and determine bywhich Feature ID each file or function will be identified.




To set the time limit for a specific functionality, apply API-based automaticimplementation. To set the time limit for an executable file, apply either Sentinel LDKEnvelope-based or Sentinel Licensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define an expirationdate or the number of days until expiration of Phase 1.


n Subject to receiving payment for Phase 2 from the user, extend the license remotely usingthe RUS utility.

Micro-rental


Manages the time period over which your software can be used



Applicable Key Types n Sentinel HL Timen Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except Sentinel HL

Basicn Sentinel SL


Description

The end user purchases a predefined number of “usage hours.” When the hours are consumed, anew package of hours is purchased.

Implementation



n Determine what constitutes “active” for the purpose of counting usage and define this inyour code, for example:

o Your software window is focused and activity is detected.

o Your software is active, performing calculations, even if the window is not focused.

n In Sentinel EMS, in the Protection Key memory, define the total number of softwareactivity hours that has been purchased.



n Using the Sentinel Licensing API and the key’s built-in clock:

a. Calculate the accumulated active time.

b. Write the result to the Protection Key memory.

c. Verify that the accumulated time has not exceeded the number of purchasedhours.

d. When the number of purchased hours is about to expire, display a warningmessage.

n When payment is received for additional usage, renew the license remotely using the RUSutility.



Subscription

Sentinel LDK Functionality Creates an unconditional license that can be updated remotely




HL Basicn Sentinel SL


Description

The end user pays a monthly subscription fee that covers the initial software package plusperiodical updates. If the end user does not renew the subscription, the basic package and all paidupdates remain the property of the end user. New updates are not provided.

Implementation


n Select the protection method for your software:



n In Sentinel EMS, create a Product that includes the Feature ID for your initial software anddefine a perpetual license for the Feature.

n Create a component in your software that manages the installation of software updates,and assign it a Feature ID. Select and implement your protection method for thatcomponent (Sentinel LDK Envelope or Sentinel Licensing API-based).

n In Sentinel EMS, create a Product that includes the Feature ID for the update-installationcomponent and define an expiration date for that Feature.



n During the subscription period, use the RUS utility to send updates to the subscriber. Theupdates are handled by the update-installation component in your software. Optionally,use Sentinel LDK to encrypt the update files so that the Sentinel protection key is requiredto decrypt them.

n Continue sending updates as long as the end user’s subscription is valid.

n When the end user renews the subscription, use the RUS utility to update the expirationdate for the update-installation component’s license.



Pay-by-Peak Time (Peak Time)

Sentinel LDK Functionality Compares a value in the Protection Key memory with a valuecollected during run-time




HL Basicn Sentinel SL


Description

The end user purchases a predefined number of “usage units”. Differential charging is calculatedaccording to the hour of the day or the day of the week in which your software is used. Whenyour software is used at peak demand time, more “usage units” are consumed than at lowdemand time. This type of license might be applicable in an environment such as a learningfacility, in order to encourage students to use resources at low demand time.

Implementation



n Determine what constitutes “active” for the purpose of calculating usage and define thisin your code, for example:

o Your software window is focused and activity is detected.

o Your software is active, performing calculations, even if the window is not focused.

n In Sentinel EMS, in the Protection Key memory, define the total number of “usage units”that has been purchased and the pricing structure (number of “usage units” for each timeunit and each rate).




a. Calculate the accumulated active time for each separate rate.

b. Calculate the total number of “usage units” consumed.

c. Write the result to the Protection Key memory.

d. Verify that the accumulated consumption has not exceeded the total number of“usage units” defined in the Protection Key memory.

e. When the “usage units” are about to expire, display a warning message.

n Using the RUS utility, replenish the pool of “usage units” when the license is renewed.



Time-based Overdraft

Sentinel LDK Functionality Manages the time period over which software can be used






Description

A differential pricing structure is implemented, in which a nominal price is charged for use of yoursoftware until a defined expiration date. Following expiration, a higher price may be charged for alimited period, to enable the end user to continue using your software until the license isrenewed.

Implementation



n In Sentinel EMS, create a Product that includes the Feature ID and define either anexpiration date or the number of days until expiration. Include both the regular usageperiod and the overdraft period in the time that you define.




o Calculate the time period.

o When the regular usage period terminates, display a message informing the enduser that the usage is now subject to overdraft terms and state the expiration dateof the overdraft period.

o When the end user renews the license, billing includes payment for the overdraftusage in addition to the license renewal.

o After payment has been received, renew the license remotely using the RUS utility.

Standard Counter

Sentinel LDK Functionality Manages the maximum number of software executions





Description

The end user purchases a predefined number of software executions, which can be defined foryour software or for specific functionality. A counter-based license might appeal to end users whouse your software or a software functionality sporadically, and prefer to pay only when theyactually run your software or use the functionality.

End users can monitor the remaining executions using Sentinel Admin Control Center, and canorder a license renewal before the license expires. The license renewal is implemented using theRUS utility.

Implementation

n Select the executable file or software function that you want to license, and determine bywhich Feature ID the file or function will be identified.




To set a counter for a specific functionality, apply API-based automatic implementation. Toset a counter for an executable file, apply either Sentinel LDK Envelope-based or SentinelLicensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number ofexecutions.


n Renew the license remotely using the RUS utility.



Phased Counter

Sentinel LDK Functionality Manages the maximum number of software executions

Software Distribution Method n Physical packagen Electronic distribution



Description

The end user purchases a predefined number of software executions, which can be associatedwith all of your software or a specific functionality. The pricing structure is phased, and thetransition from one phase to another is implemented using the RUS utility.

n Phase 1: For a limited number of executions, the end user pays a fraction of the regularusage price (micro-payment). This provides an incentive for the end user to startpurchasing executions. If payment is not received for Phase 2, the license expires whenthese executions have been consumed.

n Phase 2: The end user pays the regular price for each software execution.

Implementation





To set a counter for a specific functionality, apply API-based automatic implementation. Toset a counter for an executable file, apply either Sentinel LDK Envelope-based or SentinelLicensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number ofexecutions included in Phase 1.


n Subject to receiving payment for Phase 2 from the end user, replenish the number ofexecutions remotely using the RUS utility.

Capacity (CPU/Memory/Disk)


Manages resource usage





Description

License consumption depends on utilization of resources—for example, CPU usage or disk space.The more resources the end user consumes, the sooner the license runs out. This type of licensemight be applicable in an environment such as a learning facility, in order to limit the resourcesconsumed by students.

Implementation



n Determine the parameters for calculating software usage, and define them in your code,for example:

o CPU activity related to your software.

o Disk space usage each time a file is saved from your software.

n In Sentinel EMS, create a Product that includes the Feature ID and define the licenseterms—for instance, a perpetual license or a time-limited license.

n In Sentinel EMS, in the Protection Key memory, define the capacity that has beenpurchased.



n Using the Sentinel Licensing API:

a. Calculate the accumulated usage.


c. Verify that the accumulated usage has not exceeded the purchased capacity.

d. When purchased capacity has almost expired, display a warning message.

n When payment is received for additional usage, renew the license remotely using the RUSutility.



Locked License ModelsA locked license is limited to usage on a specific machine or by a specific end user.

The locked license models described below are:

n "Machine-locked" on page 231

n "User-locked" on page 232

Machine-locked


Creates an activation key that is locked to a specific machine





Description

The license can only be used on the machine on which it was installed. A machine-locked licensecan be combined with any of the licensing models in this book.

Implementation 1—Locking to a Sentinel SL key

This model is applicable when a Sentinel SL key provides sufficient security for your needs.

n Select and implement the required licensing model.

n Distribute your software using a Sentinel SL key. Sentinel SL keys are always locked to aspecific machine.

Implementation 2—Combined locking to both a Sentinel SL key and a Sentinel HL key

This model is applicable when you want to lock your software to a Sentinel HL key for enhancedsecurity, and also wants to use a Sentinel SL key to lock your software to a specific machine. TheSentinel SL key will require remote activation.

n Select the executable file that you want to license, and determine two Feature IDs bywhich it will be identified. One Feature ID will be used to lock the license to the Sentinel HLkey, and the other to lock the license to the Sentinel SL key and the machine.


o For combined Envelope-based and API-based automatic implementationProtect the executable file using Sentinel LDK Envelope , specifying one of theFeature IDs. In your code, insert a Sentinel Licensing API Login call to otherFeature ID.

o For API-based automatic implementationIn your code, insert Sentinel Licensing API Login calls to both Feature IDs.

n In Sentinel EMS, create two Products, one for each Feature ID. Define the license terms forboth Products—for example, a counter-based license or a time-limited license.

n Burn a Sentinel HL key for one of the Products and create a Sentinel SL Product Key forthe other Product.

n Distribute your software with both Sentinel protection keys.

Locked LicenseModels 231


Implementation 3—Locking to a Sentinel HL key

This model is applicable when you want to lock the license to both a machine and a Sentinel HLkey—but for security reasons, the end user will not be able to activate a Sentinel SL key online.

This implementation requires a utility to be written that will collect the required identifiers fromthe machine before or during installation of your software, and subsequently every time yoursoftware is run. The initial identifiers are saved in the read-only memory of the protection key,and the run-time identifiers are written to the read/write memory on the Sentinel HL key andvalidated against the initial identifiers.

It is recommended that you contact Gemalto Sentinel Professional Services for a detailedimplementation plan.

User-locked


Compares end user data saved in the Protection Key memory with avalue collected during run-time





Description

The license can only be run by a specific logged-in end user. A user-locked license ensures thatonly an entitled end user can activate your software. This model can be particularly useful whenyour software resides on a server, or is activated by a remote end user. A user-locked license canbe combined with any of the licensing models in this book.

Implementation

Select and implement the required licensing model, and distribute your software with theappropriate Sentinel protection key programmed with the license.

There are two ways to lock the key to a specific end user:

n Option 1: Predefined locking

Identification is based on the login user name defined in the operating system. Predefinedlocking enables a number of authorized end users to access your software residing on asingle machine.

o When a license is purchased, request the login user name of the end user for whomthe license is intended.

o Use Sentinel EMS to save the user name to the Read-Only memory of aSentinel protection key.

o During run-time, read the user name from the machine, and use the SentinelLicensing API to validate it against the user name saved on the Sentinel protectionkey.

n Option 2: Password locking

During installation, the end user defines a user name and password, which are laterrequired in order to log in to your software. Password locking is less convenient for an enduser, but provides extra security. When a Sentinel HL key is used, your software can beinstalled on more than one computer, but can only be accessed when the Sentinel HL key isconnected.

o During installation, request the end user to define a user name and password.

o Use the Sentinel Licensing API to save the data to the Read/Write memory on theSentinel HL key.

o During run-time, require the end user to log in, and validate the user name andpassword against the data saved on the Sentinel protection key.

Locked LicenseModels 233


Mobile License ModelsMany software vendors are looking for ways in which they can accommodate the growing trendtowards a mobile workforce. The models in this section provide options for mobile licenses.

The mobile license models described below are:

n "Portable" on page 235

n "Commuter" on page 235

n "Software on a Key" on page 236

Portable

Sentinel LDK Functionality Locks the license to a hardware-based Sentinel HL key


Physical package

Applicable Key Types All Sentinel HL keys


Description

Your software can be installed on any number of machines, providing flexibility, but can only runon the machine to which the Sentinel HL key is connected.

Implementation


n Distribute your software with the appropriate Sentinel HL key, programmed with thelicense.

Commuter

Sentinel LDK Functionality Enables a network-based license to be detached to a separatemachine while locked to a Sentinel SL key


Electronic distribution

Applicable Key Types Sentinel SL Net


Description

A license can be temporarily detached from a network pool—using Sentinel Admin ControlCenter—to enable off-line use of your software. For example, when employees leave the office towork off site, they can take their laptops with them and continue using the protected softwarelocally.

Implementation

n Select and implement the network concurrency licensing model, ensuring that the licensecan be locked to a Sentinel SL key and that detachable licenses are enabled.

n Distribute your software with a Sentinel SL key, ensuring that the system administrator atyour end-user site knows how to permit and manage detachable licenses.

n If the employee requires the detached license for less time than originally planned, thelicense can be manually returned to the network pool before its expiration date.

Mobile LicenseModels 235


Software on a Key

Sentinel LDK Functionality Locks the license to a Sentinel HL Drive microSD key that alsocontains your software


Physical package

Applicable Key Types Sentinel HL Drive microSD


Description

Both your software and the license are stored on a Sentinel HL Drive microSD key, providingmaximal mobility. The Sentinel HL Drive key contains up to 64 GB of flash memory on a microSDcard in addition to the license data memory, enabling all of your software to reside on the key.This method is applicable for software that can be run from an external key without necessitatinginstallation on a hard disk.

This method can be applied to all license models for which a hardware-based key is used.

Implementation


n Distribute your software on a Sentinel HL Drive microSD key, together with the software’slicense.

Network License ModelsNetwork licenses are designed for a network environment, in which the vendor’s software is runby multiple end users or on multiple workstations. In such an environment, a singleSentinel protection key can be used to protect and monitor usage of the vendor’s software acrossthe network. Network licenses can be implemented in conjunction with other licensing modelssuch as component-based or metering. A network license can be concurrency-based, site-specific,or both.

The network license models described below are:

n "Limited Concurrent End Users in a Network" on page 238

n "Time-limited Concurrent End Users in a Network" on page 239

n "Execution-limited Concurrent End Users in a Network" on page 240

n "Volume" on page 242

n "Site" on page 243

Network LicenseModels 237


Limited Concurrent End Users in a Network

Sentinel LDK Functionality Manages the number of concurrent software end users



Applicable Key Types n Sentinel HL Netn Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except



Description

A concurrency-limited network license limits the number of end users concurrently accessing thelicensed application in a network environment, preventing additional activations and unintentionalpiracy if the maximum number of allowed concurrent licenses has been reached. The same licensecan be used by more than one end user or workstation, so long as the total number of usersremains within the concurrency limit.

Sentinel Admin Control Center provides the end users’ system administrator with the tools totrack license users, and to terminate an inactive session.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID thefile or function will be identified.




n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the license type asPerpetual.

b. Set the concurrency counter to the required maximum number of concurrentlicenses, and determine whether concurrent instances will be counted for eachstation, each login or each process.

T i p :

You can specify the number and type of concurrent instances each time aspecific order is created. This enables you to use the same Product to producemore than one license, each with a different number of seats.

n Distribute your software with a Sentinel protection key programmed with the license.

Time-limited Concurrent End Users in a Network


Manages the number of concurrent software end users in a network andthe time period over which your software can be used

SoftwareDistribution Method


Applicable KeyTypes

n Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except HL Basicn Sentinel SL


Description

A combined concurrency-limited and time-limited network license restricts both the number ofend users concurrently accessing the licensed application in a network environment and theperiod during which the license is valid. The same license can be used by more than one end useror machine, so long as the total number of users remains within the concurrency limit.

Sentinel Admin Control Center provides the end user’s system administrator with the tools totrack license users, and to terminate an unused session.

Implementation





n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the expiration date ornumber of days until expiration.

b. Set the concurrency counter to the required maximum number of concurrentlicenses, and determine whether concurrent instances will be counted for eachstation, each login or each process.

T i p

You can specify the number and type of concurrent instances each time aspecific order is created. This enables you to use the same Product to producemore than one license, each with a different number of seats.

n Distribute your software with the appropriate network-based Sentinel protection keyprogrammed with the license.



Execution-limited Concurrent End Users in a Network


Manages the number of concurrent software end users in a network andthe maximum number of software executions

SoftwareDistributionMethod


Applicable KeyTypes

n Sentinel HL Netn Sentinel HL NetTimen All Sentinel HL (Driverless configuration) keys except Sentinel HL Basicn Sentinel SL


Description

A combined concurrency- and execution-limited network license restricts both the number of endusers concurrently accessing the licensed application in a network environment and the totalnumber of executions for each license. The same license can be used by more than one end useror machine, so long as the total number of users remains within the concurrency limit. Thenumber of executions is calculated across the network, regardless of which end user runs yoursoftware or on which machine it is run.

Sentinel Admin Control Center provides the end users’ system administrator with the tools totrack license users, and to terminate an unused session.

Implementation





If your protection method is feature-based, apply API-based automaticimplementation; if your protection method is for each executable file, you canapply either Sentinel LDK Envelope-based or Sentinel Licensing API-basedautomatic implementation.

n In Sentinel EMS:

a. Create a Product that includes the Feature ID, and define the maximum number ofexecutions.

b. Set the concurrency counter to the required number of concurrent licenses, anddetermine whether the concurrent instances will be counted for each station, eachlogin or each process.

n Distribute your software with the appropriate network-based Sentinel protection keyprogrammed with the license.



Volume

Sentinel LDK Functionality Enables a network-based license to be detached to a separatemachine while locked to a Sentinel SL key


Electronic distribution

Applicable Key Types Sentinel SL


Description

A volume license enables you to sell a pool of licenses to an organization, without requiringproduct activation on every machine, while still enforcing the maximum number of installedworkstations.

A license can be temporarily detached from the network pool to enable off-line use of yoursoftware. In this case, a client machine periodically detaches a time-limited license at predefinedintervals—transparently to the end user. The license is installed locally and remains usable even ifthe network connectivity is lost, as long as the detachment is still valid.

Implementation





n In Sentinel EMS, create a Product that contains the Feature ID used in the protectionphase of the implementation. Ensure that the license terms enable network concurrency,locking to a Sentinel SL key, and detachable licenses.

n Distribute your software with a Sentinel SL key for network use, ensuring that the systemadministrator at your end-user site knows how to permit and manage detachablelicenses.

n Using the Sentinel Licensing API, implement the license’s detachment in the protectedapplication. You may wish to let the customer organization decide the detached licenseperiod and renewal intervals.

Site

Sentinel LDK Functionality Locks the license to a specific domain, network, or subnet





Description

A site license is a license that is locked to a specific domain, network, or subnet. A site license canbe combined with any of the licensing models in this book.

Implementation



n Distribute your software using the appropriate Sentinel protection key.

n To lock the Sentinel protection key to the license, collect the site identifier (domain,subnet or network) from the customer. An identification value is written to theSentinel protection key. The application then validates the identifier every time yoursoftware runs.

n There are two ways in which you can collect site-specific data and save it on theSentinel protection key:

o Option 1: Site identifier collected prior to installationProvides more security, but is less convenient for the customer.

When a license is purchased, send the customer a utility that collects the requiredsite identifier from the customer.

Use Sentinel EMS to save the identification value to the Read-Only memory of theSentinel protection key.

o Option 2: Site identifier collected during installationRequires less interaction with the customer, but is less secure.

During installation, collect the site identifier from the machine on which yoursoftware is installed.

Use the Sentinel Licensing API to verify that there is no existing site identifier savedin the Read/Write memory on the Sentinel protection key.

If the memory does not contain an existing site identifier, save the value to theRead/Write memory on the Sentinel protection key.

n During run-time, read the site identifier, and use Sentinel Licensing API to validate itagainst the identification value saved on the Sentinel protection key.



Sales Boosting Licensing ModelsThe sales boosting licensing models described below are:

n "KickStart (Quick-delivery Grace)" on page 245

n "Referral-based Sales" on page 246

n "Automatic Sales Agent" on page 248

KickStart (Quick-delivery Grace)

Sentinel LDK Functionality Grants a grace period to use software until key is delivered





Description

Locking a license to a Sentinel HL key provides a higher level of security than locking to aSentinel SL key, but delivery of the Sentinel HL key to an end user can take time. This modelenables you to electronically supply your software with a quick-delivery license locked to aSentinel SL (software) key (“KickStart license”) as soon as an order is processed. For increasedprotection, you may choose to limit some software functions in the KickStart license.

The KickStart license can be used as part of a two-phased sales model:

n Phase 1: The end user purchases your software, and a 30-day KickStart license withlimited functionality is supplied electronically.

The KickStart license is typically defined for a period of up to 90 days.

n Phase 2: The Sentinel HL key, programmed with the full license (the “final” license), isdelivered within 30 days. The end user replaces the KickStart license with the full license,using the RUS utility.

The KickStart license also serves as a super-distribution mechanism, since it will run for the graceperiod on any computer on which it is installed.

Implementation

n Determine which global Feature ID you will use for the KickStart license.

n Select the software functions that you want to include only in the full license, anddetermine by which Feature IDs each function will be identified.

n Select a protection method and do one of the following:

For Envelope-based automatic implementation:

n Determine which global Feature ID you will use for the full license.

n Create two executable files, one with limited functionality for the KickStart license, and theother with full functionality for the full license.

n Envelope each executable file separately, using the global Feature IDs you defined for theKickStart and full licenses respectively.

Sales Boosting Licensing Models 245


For API-based automatic implementation:

n In your code, insert a Sentinel Licensing API Login call to the global Feature ID for theKickStart license.

n In your code, for each software function you want to include only in the full license, insertSentinel Licensing API Login calls to the appropriate Feature IDs.

In Sentinel EMS:

n Create a Product that includes the global Feature ID for the KickStart license.

n Select the Trialware/Unlocked Product attribute.

n Distribute your software with Sentinel LDK Run-time Environment. Your software can runfor a grace period of 30 days and can be installed on any other computer, for a 30-dayperiod, as a super-distribution mechanism.

In Sentinel EMS:

n Create a Product that includes the full license Feature IDs.

n Define appropriate license terms for each Feature.

If the full license is based on a metered licensing model, metering will commence onlywhen the full license is activated and not during the grace period.

n Distribute your software with a Sentinel protection key programmed with the full license.

Referral-based Sales

Sentinel LDK Functionality Creates an Unlocked Trialware Product that allows for unrestricteddistribution of the protected software



Applicable Key Types n All Sentinel HL keysn Sentinel SL


Description

A bonus mechanism that encourages end users to serve as “promoters” for software they finduseful. When an end user refers software to someone and a purchase is made based on thatreferral, you give a bonus to the referrer.

This model requires the creation of two vendor mechanisms:

n User data collection mechanism—You maintain an end-user database in which registeredsoftware owners (referrers) are linked to potential users to whom the software wasreferred (referees). Data for the database can be sent to you by either the referrer or the

referee, using a variety of data collection mechanisms. For example, data can be collectedvia a form displayed during software activation or on a Web site.

n Bonus-granting mechanism—When the software is purchased, your end-user database isqueried. If the purchase was made as the result of a referral, the referrer receives a bonusfrom you.

The following implementation guidelines describe how to set up the referral-based sales model,based on:

n Using trialware as the evaluation mechanism.

n Distributing the purchased software with a software-based Sentinel SL key.

n Collecting information from the referee during software activation.

Implementation

n Create a trialware version of your software.

n End users who have already purchased your software send the trialware to otherpotential users.

n When a new user purchases your software—as part of your software activation processusing Sentinel LDK functionality—prompt the new user to provide you with the name andcontact information of the end user who referred your software to them.

n Reward the referrer.

This is a typical implementation, however, the referral-based sales model can also beapplied to other licensing models, including those models that use a hardware-basedSentinel HL key.



Automatic Sales Agent


Manages module usage





Description

When an end user purchases a subset of software modules, the sales staff is often requested tofollow up the purchase and to interest the user in additional modules. With Sentinel LDK, yoursoftware can serve as its own automatic sales agent, providing the end user with the ability towork with additional modules and encouraging purchase of any modules that are identified asbeing of interest to the end user. This model consists of a number of phases:

n Phase 1: The end user purchases a subset of software modules. You supply a license thatincludes the option to install additional bonus modules so that the user can experimentwith them.

n Phase 2: The end user uses your software, including the bonus modules. Behind thescenes, your software monitors and evaluates usage of the bonus modules.

n Phase 3: Once the usage threshold of a monitored module has been reached, the moduleis considered “of value” and Sentinel LDK progressively restricts usage of that module.Concurrently, the Automatic Sales Agent comes into effect, issuing pop-up messagesencouraging the end user to purchase the module.

n Phase 4: When an end user purchases a license for an additional module, the license isseamlessly upgraded at the end-user site, using the RUS utility, and the relevant bonusmodules are changed to fully-licensed modules.

Implementation

n Determine which Feature ID you will use for global protection of your software.

n Select the modules that you want to license separately, and determine by whichFeature ID each of the modules will be identified.

n In your code, insert Sentinel Licensing API Login calls to all Feature IDs.

n In Sentinel EMS, create a Product that includes only the global software Feature ID anddefine the license terms.

n Determine the parameters for gauging module usage, and define them in your code, forexample:

o The number of times a monitored module has been activated during a time period

o The accumulated usage time of a monitored module

o The number of clicks on an item in the user interface

n In Sentinel EMS, in the Protection Key memory, define the usage threshold.


n Distribute your software with the appropriate Sentinel protection key programmed withthe license for the initial purchase, not including licenses for the bonus modules.

n Using the Sentinel Licensing API:

a. Calculate the accumulated usage of the gauging parameters.


c. Compare the accumulated usage with the defined threshold.

When usage of a bonus module passes the threshold, begin to implement the restrictions,for example:

o Progressively slow down the speed of the module as the time passes or as usageincreases

o Progressively increase the number of Automatic Sales Agent pop-up messages as thetime passes or as usage increases

o Prevent the module from saving a snapshot of work that has been done

n In Sentinel EMS, create a Product that includes both the global software Feature ID andthe Feature ID for the module identified as being sellable, and define the license terms.

n When the end user decides to purchase a license for a bonus module, update the licenseon the Sentinel protection key to include the purchased module, using the RUS utility.



Perpetual Licensing ModelsThe perpetual licensing models described below are:

n "Standard Perpetual Licensing model" on page 251

n "Perpetual Unlocked Licensing Model" on page 252

Standard Perpetual Licensing model

Sentinel LDK Functionality Creates an unconditional license



Applicable Key Types n All Sentinel HL keysn Sentinel SL


Description

The traditional perpetual, unlimited licensing model can serve as a basis for other, more creativemarketing strategies, for example:

n Your software is initially supplied with a perpetual license. The end user purchasesadditional modules as required.

n The initial release is supplied with a perpetual license. More sophisticated licensing modelsare implemented with future releases.

n A limited license (“bronze”) is converted to a perpetual license (“gold”) for additionalpayment.

Implementation





n In Sentinel EMS, create a Product that includes the Feature ID and define a perpetuallicense for the Feature.

n Use the RUS utility to update a license currently held by the end user with the newlicense.

Perpetual Licensing Models 251


Perpetual Unlocked Licensing Model

Sentinel LDK Functionality Creates an unconditional unlocked license



Applicable Key Types n None


Description

An unlocked license is different from all other license types. Your application is protected againstdisassembly and modification, but the license is not locked to a specific computer, and nolicensing restrictions are applied.

This type of license is applicable for any of the following situations:

n You want to distribute the software as an Unlocked Product with no time limit (or with anextended time limit). For example, you may want to allow users to access basicfunctionality as long as they want, with the option to buy an upgrade later to accessadvanced functionality.

n You want to use a licensing system other than Sentinel LDK.

n Licensing is not an issue. For example, you are distributing medical equipment withembedded software. Since the software is specific to your equipment, you are notconcerned about the possibility of duplication of the software.

Implementation





n In Sentinel EMS, create an Unlocked Product (Perpetual) that includes the Feature IDs thatyou want to include in the unlocked license.

PART 6 - APPENDICESIn this section:

n "Appendix A: Understanding the Sentinel LDK Master Key Licenses" on page 255

Describes the license modules that are available to software vendors on the SentinelMaster key.

n "Appendix B: Sentinel LDK Run-time Network Activity" on page 265

Describes the type of network activity that occurs in the communication between theSentinel License Manager and a protected application, and between the localSentinel License Manager and remote Sentinel License Managers.

n "Appendix C: Maximum Number of Features in a Sentinel HL Key" on page 269

Describes considerations that determine the maximum number of Features that can becontained in a Sentinel HL key.

n "Appendix D: How Sentinel LDK Detects Machine Cloning" on page 271

Describes the techniques employed by Sentinel LDK to prevent unauthorized use ofprotected software when the virtual machine on which the software is installed is cloned.

n "Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page285

Describes the technology used in Sentinel LDK to prevent a user from extending theduration of a software license that is locked to a Sentinel SL key.

n "Appendix F: How to Bundle Unlocked Products Manually" on page 289

Describes how you can bundle Unlocked Products for distribution without using SentinelEMS.


n "Appendix G: How to Optimize Performance for Sentinel LDK Run-time Environment"on page 291

Describes how you can optimize the performance in the Sentinel LDKRun-timeEnvironment

n "Appendix H: Upgrading Sentinel HL Keys" on page 293

Describes how you can upgrade a Sentinel HL (HASP configuration) key to a Sentinel HL(Driverless configuration) key or convert a Sentinel HL standalone key to a network key.

n "Appendix I: Troubleshooting" on page 299

Provides a checklist to help you solve some of the most common problems that yourcustomers might encounter when using the Sentinel HL keys. Also includes a list ofspecific problems you or your customers may experience, together with the solutions.

n "Appendix J: Requesting a Replacement Vendor Key" on page 303

Describes how to compose the email to request a replacement vendor key. This may berequired when Sentinel LDK determines that the battery on your Vendor key is nearlydepleted, but your machine does not contain an email client.

Appendix A:Understanding the Sentinel LDK

Master Key LicensesThis appendix describes the Gemalto Sentinel LDK model for the Master Key licenses. Its purposeis to assist you in understanding how your Master Key licenses from Gemalto are implemented,and how to make decisions about your license update requirements. (For more information onthe Master key, see "Sentinel Vendor Keys" on page 28.)

The Sentinel LDK licensing model includes the following components:

n Product Activation module

n New SL Key Pool

n Network seats (SL Pool of Seats, HL Pool of Seats)

n Value of Unlimited Seats

n Unlocked Trialware module

n Unlocked Unlimited module

n V-Clock module

n AppOnChip module

n Advanced Data Protection module

n Reporting module

The components that you purchase depend on your specific requirements and whether you havean in-house Sentinel EMS installation, or you utilize Sentinel Managed Services.

To view information regarding your Master key in Sentinel EMS, see "Maintaining SentinelMaster Keys" on page 149.

In this appendix:

n "Licensing Concepts" on page 256

n "Product Activation Module" on page 257

n "New SL Key Pool" on page 257

A

256 Appendix A: Understanding the Sentinel LDK Master Key Licenses

n "Network Seats" on page 258

n "Unlocked Trialware Module" on page 261

n "Unlocked Unlimited Module" on page 262

n "V-Clock Module" on page 262

n "AppOnChip Module" on page 262

n "Advanced Data File Protection Module" on page 263

n "Reporting Module" on page 263

Licensing ConceptsIn the descriptions of the Master Key licenses model, the following concepts are used:

n Unlocked Trialware Product: A Product that can be used as trialware, or during a graceperiod. Unlocked Trialware Products are not locked to a specific machine and do notrequire activation for a limited period. Unlocked Trialware Products typically have aduration of 30 to 90 days or 30 executions. This period can be set to begin either from thedate of first use of the application or from the date that the license was generated. (TheUnlocked Trialware Product was formerly referred to as a Provisional Product.)

n Unlocked Unlimited Product: A Product that does not lock a protected application to aspecific machine and does not necessarily impose any licensing restrictions on the use ofthe protected application. (The Product can be granted a perpetual license or can belimited to any length of time that you choose.) With this license type, the vendor can useSentinel LDK to protect the application, but can use a different mechanism to license theapplication (or can impose no license restrictions on the application).

n Activation: The process in which an SL key is locked to a specific computer. FollowingActivation, the protected software can be used on the end user's computer according tothe license that was installed during the Activation process.

n Concurrency: A licensing attribute that can be specified to allow a single protection key ona computer in a network to be used by one or more instances of a protected applicationrunning on different computers in the network.

Concurrency is defined separately for each Feature in a Product.

Each instance of the protected application that can be used simultaneously is referred toas a network seat (or a floating license).

Network seats are not assigned to specific users. Instead, the concurrency attributesspecify how many instances (network seats) of the Feature in protected application can beused simultaneously within the customer’s network. The customer purchases a specificnumber (or an unlimited number) of network seats.

For example: A customer purchases 10 network seats for the Basic Feature and 5 networkseats for the Advanced Tools Feature for a protected application. As a result, 10 end userscan run the application and use the Basic Feature simultaneously. 5 of these users can

also use the Advanced Tools Feature simultaneously. All the users must be part of thenetwork where the protection key is located.

Management of the license in the network is controlled using the Sentinel LicenseManager.

For more information about concurrency, see "Specifying the License Terms for Featuresin a Product" on page 119.

Product Activation ModuleSentinel LDK provides a mechanism to easily perform interactive update to licenses on an enduser’s machine. This is accomplished by generating a Product Key for an entitlement in SentinelEMS and providing this code to the end user. The end user accesses the Sentinel EMS CustomerPortal over the Internet and enters the Product Key. Sentinel EMS then retrieves the necessaryinformation about the end user’s machine or existing license and completes the process to updatethe license on the user’s machine. (This process can also be accomplished in program code usingSentinel EMS Web Services.)

This mechanism is typically used to activate an application on the end user’s machine (that is, tolock an SL key for the application to the machine), although the mechanism can be used for othertypes of license updates.

To use the Product Key mechanism to update an SL key, you must have the Product Activationmodule on your Master key. The Product Activation module is either perpetual or issued for alimited time period. This depends on your purchase plan or subscription plan for Sentinel LDK. Formore information, consult with your Gemalto sales representative.

The Product Activation module is not required if you only want to use the Product Keymechanism to update HL keys.

New SL Key PoolEach time a new SL key is created for a given machine at a customer site, an SL key is consumedfrom the New SL Key Pool on the Master key.

A new SL key is created in these situations:

n A Product Key for your software is submitted by an end user for the first time for a givenmachine. End users can submit a Product Key online, or they can request and receive anactivation file to apply manually.

n You use Sentinel License Generation API to generate a license code for the first time for agiven machine.

To create new SL keys, you may need to purchase a pool of SL keys. (This depends on the natureof your purchase plan or subscription plan for Sentinel LDK.)

When the New SL Key Pool is low, you purchase additional SL keys (if required by your plan). Youcan configure Sentinel EMS to send notifications when the pool reaches a predefined threshold, to

Product Activation Module 257


ensure that you never run out of SL keys licenses for your software. For additional informationabout configuring notifications, refer to the Sentinel EMS help system.

Additional Information

n When you purchase SL keys, Gemalto adds an extra 10% to the number of keys provided,to compensate for situations in which an SL key should not have been deducted fromyour Master key. (For example, if a customer’s hard disk drive fails and the customermust reinstall the software on a new disk drive or a different computer, you may chooseto provide an additional activation even though the customer did not purchase a secondlicense.)

n If there are no SL keys remaining in your Master key (and your purchase plan orsubscription plan requires that you purchase SL keys), you will not be able to perform anactivation that installs a new SL key on a machine.

Network SeatsNetwork seats are required to enable users to run your software concurrently in a networkenvironment when your Product is licensed with a Sentinel SL key or Sentinel HL concurrency-enabled key. (Network seats from your Master key are not required when your Product is licensedwith a Sentinel HL Net or NetTime key.) When you enter an order for your customer: For eachFeature in the Product, you specify whether concurrency is enabled for that Feature, and thenumber of instances (network seats) that are supported.

Your Sentinel Master key contains the pools of network seats described below. To enableconcurrency for Features, you may need to purchase network seats for the appropriate pool onyour Master key (if required by your purchase plan or subscription plan).

n SL Pool of Seats

Each time a customer activates your software, the number of concurrent instances thatyou included in the Product is deducted from the SL Pool of Seats on your Master key.

n HL Pool of Seats

Each time you burn or update an HL key for a Product with concurrency, the number ofnetwork seats that you add to the key is deducted from the HL Pool of Seats on yourMaster key.

If a Product contains a number of Features that have different concurrency attributes, and thenumber of network seats that are provided for the Features differs, the total number of seatsdeducted from your Master key is that of the Feature with the highest number of seats.

When the number of network seats remaining in the relevant pool on your Master key is low, youreplenish it by purchasing additional network seats (if required by your plan). You can configureSentinel EMS to send you notification when the number of seats remaining reaches a predefinedthreshold, to ensure that you never run out of network seats for your software.

You do not require network seats on your Master key if you do not intend to enable concurrency.

How New Activations and Update of Your Software Affect the Pool

When your protected application is first activated at the customer site or when you burn an HLkey for a Product with concurrency, Sentinel LDK examines which Feature in the Product containsthe greatest number of concurrency instances. The number of concurrent instances defined inthat Feature is deducted from the SL or HL pool of seats. (The concurrency in all other Features isignored.)

For the Sample Product in the graph below, the customer purchased as follows:

n For the Print Feature: 12 network seats

n For the Save Feature: 5 network seats

n For the Export Feature: 6 network seats

The Print Feature has the greatest number of concurrent instances. Therefore, when the Productis activated, 12 network seats are deducted from the pool.

Later, the customer decided to purchase additional network seats or additional Features in theprotected application. For the sample Product in the graph below, the customer purchased asfollows:

n For the Print Feature: 3 network seats

n For the Save Feature: 11 network seats

n For the Export Feature: 5 network seats

n For the Reports Feature: 13 network seats

Sample Product - Number of Network Seats for Each Feature

Network Seats 259


When you fulfill the order, Sentinel LDK calculates the number of seats to deduct from your poolof seats as follows:

1. Sentinel LDK determines which Feature had the greatest number of seats until now—in thiscase, the Print Feature with 12 seats.

2. The number of additional seats required for each Feature for the update order is added tothe original number of seats that the customer purchased. The chart above indicates thetotal number of seats that the customer now has.

3. Sentinel LDK determines which Feature now has the greatest number of seats—in this case,the Save Feature with 16 seats.

4. The number of seats for the Print Feature that the customer had already purchased isdeducted from the new total number of seats for the Save Feature (16 total seats - 12already-purchased seats = 4).

5. The remainder (4) is the number of seats that is deducted from the pool of seats.

The customer purchased 13 seats for the Reports Feature in the update. However, the SaveFeature has the highest accumulated number of seats. Therefore, only the Save Feature isconsidered when Sentinel LDK calculates the number of seats to deduct from the pool of seats.

A Feature with unlimited seats is regarded as having the value defined for the UnlimitedConcurrency license type as described below.

Unlimited Concurrency

Your Sentinel Master key contains a license type called Unlimited Concurrency (also referred to asValue of Unlimited Seats). When you specify the concurrency value for a license as “unlimited”(for example, to create a “site” license), Sentinel LDK deducts the number of seats specified for thislicense type from the HL pool of seats or SL pool of seats. This is typically 100 seats.

Given the following scenario

n A customer purchases 75 network seats for a Feature in a Product.

n Later, the customer purchases unlimited network seats for the Feature.

n The Unlimited Concurrency license type is set to 100 network seats.

Sentinel LDK charges this as an addition of 25 network seats. The pool of seats is decrementedaccordingly.

If you set or increase the number of network seats to a value greater than the UnlimitedConcurrency value, the network seats pool will be decremented according to the value youspecify. This charge may be greater than the value set for Unlimited Concurrency.

Additional Information

n When you purchase seats, Gemalto adds an extra 10% to the number of seats provided,to compensate for situations in which you reduce the number of seats at a customer site,or cancel a license on a computer on which Sentinel License Manager is located in order toactivate on a different computer.

n If you reduce the number of seats in a Product license, the seats are not returned to thepool of seats. However, if the number of seats in the same Product license is laterincreased (to the same amount as before or higher), the earlier reduction is taken intoconsideration, and only seats beyond that amount (if any) are consumed.

n The activation of a new license whose terms include concurrency will decrement both theNew SL Key pool and the SL pool of seats.

n If the terms of a new license include more seats than exist in your pool of seats, yourcustomer will not be able to activate the license (if seats are required by your plan).

Unlocked Trialware ModuleAn Unlocked Trialware Product is a Product with an unlocked license that can be used for arelatively short period before the license expires. A protected application with an UnlockedTrialware license can be installed and operated on any number of computers. To continue usingthe application after the license expires, the user must purchase a production license. You candefine the Unlocked Trialware Product so that the Product can be used either up to an absoluteexpiration date or for the defined number of days starting from the date of first use.

To define Unlocked Trialware Products with a duration of up to 90 days or up to 30 executions,you must purchase the Unlocked Trialware module for the Master key. (For extended durations,see the Unlocked Unlimited Module, described below.)


The ability to create and distribute Trialware Products is included in the Sentinel LDK – Demo andStarter packs. Vendors who want to experiment with Sentinel LDK can learn first-hand aboutUnlocked Trialware Products.

When packaging a Run-time Environment installer with a V2C file for one or more UnlockedProducts in Sentinel EMS, you cannot include a Product that only has the locking type SLUserMode.

The maximum duration or maximum number of executions that you can define for any Feature inan Unlocked Product depends on the Modules you have purchased for your Sentinel Master key.For more information, see "Defining Unlocked Products" on page 122.

Unlocked TrialwareModule 261


Unlocked Unlimited ModuleThe Unlocked license is for vendors who want to use Sentinel LDK to protect their applicationsagainst reverse engineering (by using Sentinel LDK Envelope) but do not require a traditionallocked license.

An Unlocked license is similar to an Unlocked Trialware license. A protected application with anUnlocked license can be installed and operated on any number of computers. However, anUnlocked license can grant a perpetual license or a license for any length of time or any number ofexecutions with no restrictions.

To generate Unlocked licenses, you must purchase the Unlocked Unlimited License module for theMaster key.

If you purchase the Unlocked Unlimited module, you can also create and distributeUnlocked Trialware Products without the need to purchase the Unlocked Trialware module.

The maximum duration or maximum number of executions that you can define for any Feature inan Unlocked Product depends on the Modules you have purchased for your Sentinel Master key.For more information, see "Defining Unlocked Products" on page 122.

V-Clock ModuleV-Clock is a virtual clock that is available in Sentinel SL keys and in all Sentinel HL (Driverlessconfiguration) keys except for Sentinel HL Basic keys. V-Clock is for vendors who want to use time-based licenses to protect their applications but do not want to provide a Sentinel HL Time key orSentinel HL NetTime key. (These keys contain a real-time clock.)

The use of V-Clock with Sentinel SL keys and most Sentinel HL keys does not require a speciallicense. However, to generate time-based licenses that depend on V-Clock in Sentinel HL Pro keys,you must purchase the V-Clock module for the Master key.

For more information on V-Clock, see "Appendix E: How Sentinel LDK Protects Time-based LicensesWith V-Clock" on page 285.

AppOnChip ModuleAppOnChip functionality provides significant protection for applications by moving importantfunctions from the application code to a Sentinel HL (Driverless configuration) key. This creates astrong binding between the protected application and the presence of the protection key, makingreverse engineering of the protected code virtually impossible.

The AppOnChip Module is not required for applications that are licensed using Sentinel HL Max,Time, NetTime, Net, and Drive keys. For applications that are licensed using Sentinel HL Basic keysor Sentinel HL Pro keys, an annual or perpetual AppOnChip module must be obtained fromGemalto.

The AppOnChip Module can be placed on your Sentinel Developer key or the Sentinel Master key.The key that contains the AppOnChip license must be accessible to Sentinel LDK Envelope at thetime that you apply AppOnChip protection to your application.

The Sentinel Developer key and Sentinel Master key can be accessed using a remoteconnection. For more information, see the Sentinel LDK Installation Guide.

In the current version of Sentinel LDK, the AppOnChip module is not displayed when you viewMaster Key modules in Sentinel EMS (from Administration > Master). However, you can useSentinel EMS to apply the AppOnChip module to the Master key or Developer key. You can viewall the modules on your Master key or Developer key in Sentinel Admin Control Center.

Advanced Data File Protection ModuleThe Version 2 data protection mode in Sentinel LDK Envelope and in Sentinel LDK Data Protectionutility enables you want to apply licensing protection to data files. This capability enables you tolicense data files in the same manner that you license application. For more information, see"Chapter 7: Protecting Data Files" on page 81.

The Advanced Data File Protection module is required by Sentinel LDK Envelope and Sentinel LDKData Protection utility when you select the Version 2 data protection mode. This module can beplaced on the Master key or Developer key.

In the current version of Sentinel LDK, the Advanced Data File Protection module is not displayedwhen you view Master Key modules in Sentinel EMS (from Administration > Master). However,you can use Sentinel EMS to apply the Advanced Data File Protection module to the Master keyor Developer key. You can view all the modules on your Master key or Developer key in SentinelAdmin Control Center.

Reporting ModuleThe Reporting facility provides software vendors with the ability to produce real-time reports withvaluable business information. The Custom Reports facility enables vendors to design their ownreports to extract valuable information from the Sentinel EMS database.

Using the Custom Reports feature, managers can design reports to obtain data for analyzing howtheir software is used, the purchasing preferences of their customers, and information for profilingprospects and existing customers. The information can also be leveraged to maximize revenuesfrom license renewals and to turn trial users into buyers.

The Reporting facility includes both predefined reports and the Custom Reports facility. Use ofpredefined reports does not require a specific license. However, use of the Custom Reports facilityrequires the Reporting Module. This module is typically issued for a specific amount of time.

The ability to define, generate and view custom reports is included in the Sentinel LicenseDevelopment Kit – Demo and Starter. Vendors who are experimenting with Sentinel LDK can learnfirst-hand about the Custom Reports facility.

Advanced Data File Protection Module 263


For information on the Reporting facility, see "Chapter 14: Generating Sentinel LDK Reports" onpage 157.

Appendix B:Sentinel LDK Run-time Network

Activity

This appendix describes the type of network activity that occurs in the communication between:

n an application (protected using Sentinel LDK) and the local Sentinel License Manager(referred to as “local communications”).

n the local Sentinel License Manager and one or more remote Sentinel License Managers(referred to as “remote communications”).

Details regarding local communications and remote communications are provided on the pagesthat follow.

This chapter is intended to assist IT managers who want to understand how run-time activity onthe network may impact the way they set up their network rules and policies.

Sentinel LDK communicates via TCP and UDP on socket 1947.This socket is IANA-registeredexclusively for this purpose.

In this appendix:

n "Local Communications" on page 266

n "Remote Communications" on page 267

B

266 Appendix B: Sentinel LDK Run-time Network Activity

Local Communications

This section describes communication between a protected application and the localSentinel License Manager service.

A protected application communicates only with Sentinel License Manager on the computer wherethe application is running, regardless of whether the Sentinel HL or SL Key is located on the samecomputer or on a remote computer.

Under Windows, Sentinel License Manager is a service that is launched automatically byhasplms.exe. Under Mac OS and Linux, the Sentinel License Manager is a process launchedautomatically by hasplmd.

Sentinel License Manager service opens socket 1947 for listening (both for UDP packets and TCPpackets).

n IPv4 sockets are always opened (Sentinel License Manager currently does not workwithout IPv4 installed).

n IPv6 sockets are opened if IPv6 is available.

A protected application tries to connect to 127.0.0.1:1947 TCP to communicate withSentinel License Manager. If an application uses multiple sessions, multiple concurrent TCPconnections may exist. If a session is unused for a certain number of minutes (at least sevenminutes, but the exact number depends on several factors), the session may be closed andautomatically re-opened later in order to limit resources used by the application.

These local communications currently use IPv4 only.

The communication uses binary data blocks of varying size.

Remote Communications

This section describes communication between the local Sentinel License Manager service and aremote Sentinel License Manager service.

This type of communication occurs when the protected application is running on a differentcomputer from the computer where the Sentinel protection key is installed.

The protected application communicates only with the local Sentinel License Manager on thecomputer where the application is running, as described in "Local Communications" on page 266.The local Sentinel License Manager discovers and communicates with the License Manager on thecomputer containing the Sentinel protection key using one of the following methods:

n If the option Broadcast Search for Remote Licenses is selected in the Admin ControlCenter (in the Access From Remote Clients tab of the Configuration page), the localSentinel License Manager issues a UDP broadcast to local subnets on port 1947 using:

o IPv4 (always)

o IPv6 (if available)

The option Broadcast Search for Remote Licenses is selected by default.

n For addresses specified in the Admin Control Center field Remote License SearchParameters or Specify Search Parameters (in the Access From Remote Clients tab of theConfiguration page), the local License Manager does the following:

o For a local Admin License Manager: The License Manager issues a UDP “ping”packet to port 1947 for all addresses specified. These addresses may be individualmachine addresses or broadcast addresses.

o For a local Integrated License Manager or External License Manager: The LicenseManager sends a TCP request to all individual addresses. If the field contains abroadcast address (xxx.xxx.xxx.255), the License Manager send a UDP broadcast todiscover a running server at that broadcast address.

All Sentinel License Managers found by the discovery process are then connected via TCP port1947, using IPv4 or IPv6 as detected during discovery, and data regarding the remoteSentinel protection keys are transferred.

Remote Communications 267

268 Appendix B: Sentinel LDK Run-time Network Activity

This discovery process is repeated at certain intervals. (The interval size depending on a number offactors, but it is generally not less than five minutes.)

UDP packets sent and received in the discovery process contain the Sentinel License ManagerGUID (40 bytes of payload data).

When starting or stopping a Sentinel License Manager, and when adding or removing aSentinel protection key, a UDP notification packet is sent, containing the Sentinel License ManagerGUID and a description of the changes encountered. This is done to allow other Sentinel LicenseManagers to update their data before the next scheduled discovery process.

TCP packets between two Sentinel License Managers on different computers use HTTP with base-64 encoded data in the body section.

Appendix C: Maximum Number ofFeatures in a Sentinel HL Key

Each Sentinel HL key can contain a certain maximum number of Features, depending on:

n the type of HL key

n the complexity of the license type defined in each Feature

n the number of Products among which the Features are distributed.

The diagram below illustrates that:

n As you increase the number of higher-complexity license types on the key, the maximumnumber of Features that the key can contain decreases.

n As you increase the number of Products on the key, the maximum number of Featuresthat the key can contain decreases.

For information on the range of Features that each Sentinel HL key can contain, see the SentinelHL Data Sheet.

The complexity of the license types are as follows:

n Lowest complexity: Perpetual HL

n Medium complexity: Perpetual HL + SL, Expiration

n Highest Complexity: Executions, Time Period

For example, a Sentinel HL Max (Driverless configuration) key can contain as follows:

The number of Features that can be written to a Sentinel SL key is unlimited.

C

270 Appendix C: Maximum Number of Features in a Sentinel HL Key

In Sentinel HL (Driverless configuration) keys, Features are stored in dynamic memoryspace. This space is shared between application data (the space available to you for yourapplications) and Features. All space that is not utilized for Features can be used forapplication data. For more information, see "Defining Protection KeyMemory Data" onpage 120.

Appendix D:How Sentinel LDK Detects Machine

Cloning

This appendix describes the techniques employed by Sentinel LDK to prevent unauthorized use ofprotected software when the physical or virtual machine on which the software is installed iscloned. In addition, the appendix describes how you can examine the fingerprints from a machineto determine whether the machine and its protection keys were intentionally cloned.

This topic is only relevant for software protected with a Sentinel SL key. Software that is protectedby a Sentinel HL key is not vulnerable to machine cloning.

For more information on protecting software against cloning, see "Protection Against Cloning" onpage 118.

In this appendix:


n "Clone Detection for Physical Machines" on page 273

n "Clone Detection for Virtual Machines" on page 276

n "How to Analyze a Clone Report" on page 280

n "How to Clear the "Cloned" Status for a Product License" on page 283

OverviewOne of the methods sometimes employed to enable the illegitimate use of licensed software ismachine cloning. Machine cloning involves copying the entire image of one machine (includingyour software and its legitimate license) and duplicating it to one or more other machines. If thereis no way to detect that the new image is running on different hardware than that on which it wasoriginally installed, multiple instances of the software are available even though only a singlelicense was purchased.

As part of the Activation process for a licensed Product, the Sentinel LDK License Manager createsa “fingerprint” of the computer on which the protected software is installed. This fingerprint

D

272 Appendix D: How Sentinel LDK Detects Machine Cloning

contains hash values of a number of characteristics of the computer. This fingerprint (referred toas the reference fingerprint) is stored within the secure storage on the computer and is alsoreturned to the Vendor in the C2V file. At the Vendor site, the fingerprint is stored as part of thelicense information in the Sentinel EMS database.

Each time the end user starts the protected software, the Sentinel LDK License Manager creates anew fingerprint of the computer (referred to as the system fingerprint) and compares it to thereference fingerprint.

If the system and reference fingerprints are identical or sufficiently close (as described in thisappendix), Sentinel LDK allows the protected software to operate.

When clone detection is enabled for a Product in Sentinel LDK, the License Manager checks forcloning using the criteria described in this appendix. If cloning is detected, Sentinel LDK disablesthe license. As a result, the end user is unable to operate the software for which a cloned licensehas been detected.

Several schemes exist in Sentinel LDK to create fingerprints for physical and virtual machines.These schemes provide different level of protection to satisfy the various sets of requirementsthat may exist in your organization. The list below summarizes the various clone protectionschemes available. A more detailed description of each clone protection scheme is provided laterin this appendix.

Summary of Schemes for Physical Machines

n PMType1: This scheme exists in all versions of Sentinel LDK. This scheme uses twocomponents to verify fingerprints: hard drive serial number and motherboard ID.

n PMType2: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses variouscomponents such as CPU, ethernet card, optical drive, and PCI card slot peripherals,along with the hard drive serial number and motherboard ID to verify fingerprints. Thisscheme provides enhanced reliability against false positive clone detection and maintainsthe inherent security of the scheme.

n PMType3: This scheme exists in Sentinel LDK v.7.3 and later for Android applications. Thisscheme uses three components to verify fingerprints: CPU model, CPU serial number, andinternal storage serial number.

n PMType4: This scheme exists in Sentinel LDK v.7.6 and later for Android applications. Thisscheme uses up to five components to verify fingerprints. Additionally, this scheme allowsthe end user to uninstall and reinstall the protected application in many instances withoutvendor assistance.

n FQDN: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses only themachine’s FQDN (Fully Qualified Domain Name) to verify fingerprints.

On MAC machines, FQDN licenses are bound to LocalHostName, and the value ofLocalHostName should not be empty.

Summary of Schemes for Virtual Machines:

n VMType1: This scheme exists in all versions of Sentinel LDK. This scheme uses threecomponents to verify fingerprints: Virtual MAC address, CPU characteristics, and UUID.

n VMType2: This scheme exists in Sentinel LDK 7.5 and later and has additional restrictionsthat are described later in this appendix. This scheme prevents attacks (again a protectedapplication) that are based on virtual machine rollback snapshots.

n FQDN: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses the machine’sFQDN (Fully Qualified Domain Name) to verify fingerprints. This scheme provides increasedreliability and provides flexibility of operation in a server virtualization environment.

The clone protection provided by the VMType1 and FQDN protection schemes are basedon the following assumption: The customer’s IT department follows best practices to avoidthe collisions that would result from cloned machines that have identical UUID, MACaddresses or hostnames.

If you are concerned that your customers may be willing to accept collisions in order toattempt to bypass clone protection, consider one of the other Sentinel LDK solutions thatprovides a different tradeoff of security and convenience and is not affected by suchdeployment. A remote license (SL AdminMode, Sentinel HL, or Sentinel Cloud Licensing) willprovide the higher level of security that you require.

The remainder of this appendix provides a more detailed description of each of the cloneprotection schemes.

Clone Detection for Physical MachinesThis section provides a detailed description of the clone protection schemes that are available toprotect again the cloning of physical machines.

PMType1 Scheme

The PMType1 scheme uses two components to verify fingerprints: hard drive serial number andmotherboard ID.

If either the hard drive serial number or the motherboard ID does not match the characteristics inthe fingerprint in the secure storage, Sentinel LDK License Manager still allows the protectedsoftware to operate. Sentinel LDK recognizes that situations occur where an end user has alegitimate reason for replacing one of these components in the user’s computer. This policypossibly enables a user to operate protected software on a cloned computer. However, this policyalso frees the Vendor from dealing with numerous support calls from users who have replaced acomponent in their computer. Such calls would otherwise generate costly support cases for theVendor’s customer support organization.

If both the hard drive serial number and the motherboard ID do not match the characteristics inthe fingerprint of the license, Sentinel LDK regards computer as a clone and prevents theprotected software from operating. (See the table that follows.)

Clone Detection for Physical Machines 273


Comparison Results

CharacteristicsCompared

Hard drive serialnumber

Identical Different Identical Different

Motherboard ID Identical Identical Different Different

Sentinel LDK Behavior:The software is...

launched launched launched disabled

PMType2 Scheme

The PMType2 scheme uses various components such as CPU, ethernet card, optical drive, PCIcard slot peripherals (for example: display, storage, network, multimedia) along with the harddrive serial number and motherboard ID to verify fingerprints on a physical machine.

Each component that makes up the reference fingerprint is assigned a weighted value. SentinelLDK performs the following computations:

n A = total for the weighted values of all components in the reference fingerprint.

n B = total for the weighted values of all components in the system fingerprint that matchcomponents in the reference fingerprint.

n matching percentage = (B/A) * 100

Sentinel LDK computes a required percentage based on the level of agreement that is foundbetween the hard drive serial number and motherboard ID in the reference fingerprint and in thesystem fingerprint.

If the matching percentage reaches the required percentage, the protected application is allowedto execute.

PMType3 Scheme

The PMType3 scheme is specifically for Android applications. This scheme uses severalcomponents to verify fingerprints.

The primary requirements of the PMType3 scheme are:

n The CPU serial number or internal storage serial number (or both) must match thecharacteristics in the fingerprint in secure storage.

n If the CPU serial number and internal storage serial number are absent, the CPU modelmust match the characteristic in the fingerprint in secure storage.

If the protected application is re-installed on the user's device, the user must send a C2V file tothe vendor and receive a new V2C file in return in order to activate the product license.

The table that follows describes the requirements of the PMType3 scheme in detail.


Comparison Results

CPU serial number Identical Different Identical Different Absent Absent

Internal Storage serialnumber

Identical Identical Different Different Absent Absent

CPU model Notrelevant

Notrelevant

Notrelevant

Notrelevant

Identical Different


launched launched launched disabled launched disabled

PMType4 Scheme

The PMType4 scheme is a more advanced scheme for Android applications. This scheme uses CPUserial number and internal storage serial number as the primary factors in checking for clones. Ifthese are not available, the scheme uses the CPU model , Android serial number and Android firstboot time.

This scheme allows for situations where the end user uninstalls and then reinstalls the protectedapplication.

Typically, after a reinstall, the user is required to request a new V2C file from the vendor to re-enable the license for the application. This is required because some licenses may restrict thenumber of executions or may be time-restricted based on the installation date.

However, with the PMType4 scheme, if the license is perpetual or is time-restricted based on anabsolute expiration date, a new V2C file is not required. As a result, both the vendor and thecustomer are saved the effort of resolving licensing issues unnecessarily.

The table that follows demonstrates the requirements for the operation of an application that isprotected using the PMType4 scheme.


Comparison Results

CPU serial number Identical Different Identical Different Absent Absent Absent

Internal Storage serialnumber

Identical Identical Different Different Absent Absent Absent

CPU model Notrelevant

Notrelevant

Notrelevant

Notrelevant

Identical identical Different

Android serialnumber

Notrelevant

Notrelevant

Notrelevant

Notrelevant

Identical Notrelevant

Notrelevant

Android first boottime

Notrelevant

Notrelevant

Notrelevant

Notrelevant

Notrelevant


Sentinel LDKBehavior:The software is...

launched launched launched disabled launched launched disabled

Clone Detection for Physical Machines 275


FQDN Scheme

The FQDN scheme uses only the machine’s FQDN (Fully Qualified Domain Name) to verifyfingerprints on a physical machine.

If the FQDN in the reference fingerprint matches the FQDN in the system fingerprint, theprotected Software is launched.

Clone Detection for Virtual MachinesThis section provides a detailed description of the clone protection schemes that are available toprotect again the cloning of virtual machines.

VMType1 Scheme

Clone detection for software installed on a virtual machine must employ a different techniquethan that used for physical machines.

The two most important fingerprint characteristics - the physical hard drive serial number and thephysical motherboard ID - are not accessible to software running on the virtual machine. Instead,the virtual machine has a virtual hard drive and a virtual motherboard.

On a cloned virtual machine, the characteristics of these virtual components are identical to thesource virtual machine. As a result, these characteristics are not suitable for use when creating thefingerprint at the time the protected software is activated or subsequently operated.

The VMType1 scheme relies on three different parameters for verifying fingerprints on a virtualmachine: the virtual MAC address, CPU characteristics, and UUID of the virtual image. Each ofthese parameters is discussed below.

Virtual MAC Address

Each physical network adapter or network card has a unique identifier, but this identifier is notaccessible to a virtual machine running on the computer. Instead, each virtual machine is assigneda unique virtual MAC address.

Within a network, each virtual machine must possess a unique MAC address. If a user clones avirtual machine and installs it on a second computer within the same network, working on eitherthe original or the cloned virtual machine will be impractical as the two machines will constantlycause network collisions.

CPU Characteristics

In desktop/workstation environments such as VMware workstation or VMware player, thedesktop virtualization software does not expose the ability to virtualize the CPU. This increases thedifficulty for a user to bypass the protection by attempting to create a virtual copy of the sourcecomputer. A number of CPU characteristics are available for inclusion in the virtual machinefingerprint, including: processor make, model and speed.

Due to the large number of different processors available in the market, the likelihood of twodifferent desktop computers having completely identical CPU characteristics is low.

In centrally managed virtual infrastructures (also called server based virtualization), hardwareclusters can be virtualized. In this environment, the virtual infrastructure does not always utilize asingle, fixed set of physical hardware resources. Instead, it utilizes a shared pool of resources. Forthe most common types of clustered environments, where live migration capabilities are typicallyrequired, a requirement usually exists for different hosts in the cluster to have identical CPUcharacteristics. Solutions such as VMware vCenter Server provide the ability to enable CPUmasking to improve compatibility for the high availability and fault tolerance virtualizationfeatures. CPU masking allows host machines with different CPU characteristics to be used in thecluster, while providing common (masked) CPU characteristics across all hosts in the cluster.Therefore the CPU characteristics do not change when virtual machine migrates across the hostsin a cluster. This enables licensed applications to continue working when migrated from one hostto another within a cluster. However, this type of environment is restricted to a limited subset ofCPU types. In addition, the migration can only be performed when the target computer containsphysical CPU whose capabilities match or exceed the characteristics of the virtual CPU.

UUID of the Virtual Machine

This is used as a means of unique identification of the virtual machine with the majority of virtualmachines technologies. The UUID consists of a 16-byte (128-bit) number. Each virtual machine isassigned a different UUID.

When a user makes a clone of a virtual image or copies a virtual machine from one location toanother, a new UUID value is generated for the new virtual image or virtual machine.

None of the three characteristics used by this scheme to create a virtual machine fingerprint isabsolutely tamper-proof.

The protection against cloning provided by Sentinel LDK for virtual machines is not as secure asthe protection provided for physical machines. You have the option of blocking the protectedsoftware from running on most popular virtual machines by clearing the Virtual Machine checkbox in the Define License Terms dialog box in Sentinel EMS.

However, when checking the fingerprint for cloning, Sentinel LDK examines all of thesecharacteristics. If one (or more) of these characteristics does not match the characteristics in thefingerprint of the license, Sentinel LDK prevents the protected software from operating. Thus, thecombination of these parameters in the fingerprint provides protection against cloning. (See thetable that follows.)

Comparison Results


Virtual MACAddress

Identical Different Not relevant Not relevant

CPUCharacteristics

Identical Not relevant Different

UUID Identical Not relevant Different


launched disabled disabled disabled

In a typical business environment (where computers in a given location are on the same network),the requirement for a unique virtual MAC address make cloning impractical.

Clone Detection for VirtualMachines 277


For server virtualization, or virtualized cluster where the cluster is typically managed by thevirtualized management solution (such as VMware vCenter), UUID acts as additional deterrent torunning a cloned virtual image.

For computers on different networks or computers that are not networked, the likelihood of acloned virtual machine sharing identical CPU characteristics with the original virtual machine is low.

The method employed by this scheme to protect against cloning of virtual machines is effectivefor all types of virtual machine software commonly used by organizations.

VMType2 Scheme

This scheme provides the same protection that is provided by VMType1. In addition, this schemeprevents attacks (against a protected application) that are based on virtual machine rollbacksnapshots. The scheme enables the protected application on a virtual machine to detect that atime shift event may have occurred.

The table that follows describes the circumstances under which the protected application isdisabled with the VMType2 scheme.

Comparison Results


Virtual MACAddress

Identical Different Notrelevant

Notrelevant

Notrelevant

CPUCharacteristics


Different

UUID Identical Notrelevant

Different

RollbackSnapshotDetected

No Notrelevant

Yes


launched disabled

This scheme is only supported under the following circumstances:

n Run-time Environment v.7.5 or later is present on the virtual machine where theprotected application is running.

n The license type is SL AdminMode.

The scheme is supported on Windows 8, Windows 10, and Windows Server 2012 R2 with thesupported versions of the following virtual machines:

n VMware Player, Workstation, and ESXi

n Hyper-V Server

In addition, the scheme is supported on certain earlier versions of Windows with Hyper-V Server ifHyper-V integration services from Windows 8 or Windows Server 2012 is installed.

For more information, see: https://msdn.microsoft.com/en-us/library/jj643357(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/jj643357(v=vs.85).aspx

For other virtual machine clients that do not support VMType2, this scheme will be handled as ifyou had selected the VMType1 scheme.

FQDN Scheme

The FQDN scheme uses only the machine’s FQDN (Fully Qualified Domain Name) to verifyfingerprints on a virtual machine.

If the FQDN in the reference fingerprint matches the FQDN in the system fingerprint, theprotected Software is launched.

The FQDN clone protection scheme provides a solution for virtual machine live migration. It allowsthe guest virtual machine to freely migrate between different physical hosts, while allowingaccurate license enforcement to continue. Virtual machine live migration does not cause thelicense to be incorrectly marked as cloned (and thus disabled).

Clone Detection for VirtualMachines 279


How to Analyze a Clone ReportUnder certain circumstances, the Sentinel License Manager may report that cloning was detectedeven if intentional cloning did not occur. If an end user complains to you that they were blockedfrom using a Product due to cloning, use the procedure described below to analyze informationfrom the user’s machine. This helps you determine whether the Product was blocked due to afalse-positive clone report or whether an actual clone attempt occurred.

To generate a clone report:

1. Instruct the end user to generate a C2V file for the relevant machine using RUS (describedin "Chapter 13: Sentinel Remote Update System" on page 151) and to send the file to you.Alternatively, you can include a function in your application to generate a C2V file by callingthe GetInfo function in the Sentinel Licensing API.

2. In Sentinel LDK ToolBox or Sentinel License Generation API:

a. Call sntl_lg_initialize to initialize a session.

b. Call sntl_lg_decode_current_state to read the C2V file and decode the current stateof the protection keys on the end user’s machine.

3. Examine the decoded XML output of the C2V file as described below.

The decoded XML output of the C2V file contains information regarding all the protection keys onthe machine. For each protection key, the XML output contains:

n The fingerprint of the machine from the time the protection key was activated (“referencefingerprint")

n The fingerprint of the machine from the time cloning was detected (“system fingerprint")

n Information regarding the Product licenses in the key

If the Sentinel License Manager detects that a protection key was cloned, the XML output for thekey contains code similar to this:

<clone_detected machine_type=”Physical”>Yes</clone_detected>

Each Product can use a different clone protection scheme for physical and for virtual machines.For example:

<clone_protection_ex><physical_machine>PMType1</physical_machine><virtual_machine>VMType2</virtual_machine>

</clone_protection_ex>

For each Product that is regarded as cloned, the section in the XML output for that Productcontains this code:

<fingerprint_change>Cloned</fingerprint_change>

The clone protection scheme indicates which factors are considered by the License Manager whenit checks to determine whether a machine (together with its protection keys) was cloned. For eachProduct license in the XML output, determine which clone protection scheme is used, and thencompare the relevant factors in the reference fingerprint and the system fingerprint. The results ofthe comparisons should enable you to determine whether an intentional attempt was made toclone a machine and its protection keys. Clone protection schemes are described earlier in thisappendix.

You can determine whether a given machine in a fingerprint is a physical machine or a virtualmachine. The following tag in a fingerprint indicates that the corresponding machine is a physicalmachine:

<criteria> <name>vm_info</name> <value>1294737779</value></criteria>

If the value indicated in the tag above is anything other than 1294737779, the fingerprint is from avirtual machine.

For more information on the decoded XML output file, see the help system for Sentinel LDKToolBox.

Example

Given that you receive a C2V file from a customer who complains that protected applications willnot run. The clone protection schemes are PMType1 and VMType2 as seen above.

You decode the C2V file using the ToolBox and then examine the generated XML code in a texteditor. The XML code in the file indicates that the license is cloned. The system fingerprint and thereference fingerprint from the XML code are displayed below side by side.

How to Analyze a Clone Report 281


As seen in the code:

n The motherboard IDs (mainboard_uid) in the system and reference fingerprints are notidentical.

n The hard drive serial numbers (hdd_uid) in the system and reference fingerprints are notidentical.

n The value of vm_info indicates that both fingerprints are from physical machines.

Therefore, these fingerprints satisfy the criteria for the PMType1 scheme to indicate that thelicense is from a cloned machine.

How to Clear the "Cloned" Status for a Product LicenseIn the event that a Product license is disabled because it has been identified as "cloned", proceedas follows to re-enable the license:

n For a Product license generated using Sentinel EMS:

1. In Sentinel EMS, check in the C2V file from the disabled Product license, and clickClear Clone. Sentinel EMS generates a V2C file.

2. Return the V2C file to the customer to apply on the machine where the Productlicense was disabled.

n For a Product license generated using Sentinel License Generation API: Use the providedfunction to clear the "cloned" status for the license. For more information, see theSentinel License Generation API help system or Sentinel LDK ToolBox help system.

How to Clear the "Cloned" Status for a Product License 283

Appendix E:How Sentinel LDK Protects Time-

based Licenses With V-Clock

This appendix describes the technology used in Sentinel LDK to prevent a user from extending theduration of a software license that is locked to the V-Clock in a Sentinel protection key byadjusting the computer’s system clock.

V-Clock is a virtual clock that is available in Sentinel SL keys and in all types of Sentinel HL(Driverless configuration) keys except for Sentinel HL Basic keys. For Products that are licensedwith Sentinel SL keys, V-Clock is always available. For Products that are licensed with Sentinel HL(Driverless configuration) keys, V-Clock must be specifically enabled for each Product.

The use of V-Clock in Sentinel HL Pro keys is only available if your Sentinel Master keycontains a valid V-Clock module.

V-Clock does not provide the same level of control as the real-time clock in Sentinel HL Time keysand Sentinel HL NetTime keys. However, V-Clock prevents the end user from setting the systemtime back to an earlier date and time, and thus tampering with time-based licenses.

The expiration period or date for a time-based license is initially calculated according to the systemclock of the end user's machine.

Sentinel License Manager reads the system time at Sentinel License Manager startup (by default,part of the machine startup). Sentinel License Manager subsequently uses its internal running timeto calculate the time. When an application that is protected with V-Clock is executed for the firsttime, Sentinel License Manager queries its internal clock to determine the start time of thesoftware’s license duration.

n If the license duration is a fixed period (for example, 30 days or 1 year), Sentinel LicenseManager calculates the actual date on which the license must stop working and theinformation is stored in the secure storage area of the protection key. The secure storagefor a Sentinel SL key is on the hard drive of the end user's computer. The secure storagefor a Sentinel HL key is in the HL key.

n If the license is to expire on a specific date, Sentinel License Manager records that date.

E

286 Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock

Expiration time is determined using the formula:

[current Sentinel License Manager time] + number of seconds to expiration

The information is stored in the secure storage area of the protection key.

Tampering with the System ClockIf a user resets the system clock of the machine to which the software license is locked:

n As long as Sentinel License Manager remains active, the changed time does not affect theexpiration time of the license, since the calculations are all made within the LicenseManager, which uses the time of its last startup.

n If Sentinel License Manager is stopped and restarted (for example: if the machine isrebooted), the License Manager compares its last recorded internal time with the time ofthe system clock. When Sentinel License Manager detects that the time on the systemclock is earlier than that of its internal clock, protected applications with time-basedlicenses are deactivated. The applications are reactivated automatically when the systemclock is equal to or later than the time in the License Manager.

Sentinel License Manager allows the system clock to run up to 24 hours earlierthan its internal clock. This accommodates situations where the protectedapplication is used across different time zones.

Re-enabling a Blocked Protected ApplicationAs indicated above, a blocked protected application is automatically re-enabled when the time onthe system clock is no longer earlier than the V-Clock time. The application will be accessible if thelicense for the application has not yet expired.

Under certain circumstances, you may want to re-enable blocked applications by changing the V-Clock time. This can be accomplished by receiving a C2V file for the protection key from thecustomer and then returning a V2C file that provides an update to the V-Clock time.

Setting Fallback to V-Clock If the RTC Battery in a SentinelHL key is DepletedIf the battery for the real-time clock on a Sentinel HL (Driverless configuration) Time or NetTimekey is depleted, the key is no longer accepted for time-based licenses.

You can configure a Sentinel HL Time or NetTime key to switch automatically to the V-Clock in theevent that the battery becomes depleted. If the real-time clock on the Sentinel HL key stopsoperating, protected applications, including those with time-based licenses, will continue to run.

In Sentinel License Generation API, you can implement fallback to V-Clock for a Sentinel HL key byincluding the tag <fallback_to_vclock> in a license definition. In Sentinel EMS, you can

select the global configuration parameter Fallback to V-Clock in the Administration Console inorder to implement fallback to V-Clock in all generated licenses.

n Once you have enabled fallback to V-Clock for a Sentinel HL Time or NetTime key,this functionality can be disabled in the key only if the battery is not yet depleted.

n After the real-time clock stops working, the Sentinel HL key must be disconnectedand reconnected in order to switch over to the V-Clock.

Setting Fallback to V-Clock If the RTC Battery in a Sentinel HL key is Depleted 287

Appendix F:How to Bundle Unlocked Products

Manually

To prepare Unlocked Products for distribution, you must first create a "bundle" that will beinstalled together with the protected applications. This bundle consists of:

n a V2C file containing the Unlocked Product licenses

n your Vendor libraries

n a customized Run-time Environment installer

The customized Run-time Environment installer installs the Sentinel LDK Run-time Environmentand your Vendor libraries, and applies the Unlocked Product licenses to the Sentinel protectionkey .

You typically prepare a bundle using Sentinel EMS (see "Generating Bundles of Unlocked Products"on page 143). However, you have the option to write an installer that performs the bundlingprocess.

To perform the bundling process manually, the program that installs the protected applicationshould also do the following:

1. Install the Sentinel LDK Run-time Environment. Several methods exist to accomplish this.For more information, see "Distributing Sentinel LDK Run-time Environment" on page 166.

2. Install your customized Vendor library. The file haspvlib_vendorID.* can be found on thecomputer where Sentinel Vendor Suite is installed, in the following path:


n For Windows x86: %CommonProgramFiles%\Aladdin Shared\HASP\

n For Mac: /var/hasplm (By default, the /var path is hidden. You may need tomodify the operating system View option to display all files and folders in order toaccess this path.)

n For Linux: /var/hasplm

On the computer where the protected application is installed, your installation proceduremust place a copy of this file in the same path as above.

F

290 Appendix F: How to Bundle Unlocked Products Manually

3. Apply the V2C file that contains the unlocked licenses. To do this, call the Update functionin the Sentinel Licensing API.

Appendix G: How to OptimizePerformance for Sentinel LDK

Run-time Environment

Certain configuration parameters or activities performed by a protected application can lead toreduced performance in the Sentinel LDK Run-time Environment.

This section describes how you can optimize the environment and protected application toachieve better performance.

SL UserMode LicenseThe presence of an SL UserMode license in a protection key on the end user’s computer increasesthe time required for the first login/get_info operation performed for a protected application,even if the license is not required for that application. Therefore, do not place an SL UserModelicense on a computer unless that license type is required.

Run-time EnvironmentFor best performance, ensure that when the Run-time Environment is required, the Run-timeEnvironment on the end user’s computer is the most current. In addition, the Run-timeEnvironment provides better performance after it has been active for at least three minutes.

Testing for Presence of FeaturesTo determine whether certain Features exist in a protection key before using them, the protectedapplication can call the GetInfo function in the Licensing API. This function can retrieve a list of allthe Features that exist in the protection key. This is more efficient than attempting to log in andthen log out immediately to individual Features just to determine if they exist. In addition, use ofthe GetInfo function does not consume a license. However, after using the GetInfo function, theprotected application should call the Login function to log in to Features to use.

G

Appendix H:Upgrading Sentinel HL Keys

The configuration of Sentinel HL keys can be upgraded before or after delivery to customers asfollows:

n Sentinel HL (HASP configuration) keys can be upgraded to Sentinel HL (Driverlessconfiguration) keys.

n Sentinel HL (Driverless configuration) standalone (non-Net) keys can be converted toSentinel HL (Driverless configuration) network keys.

Each of these upgrades is described below.

Upgrading a Sentinel HL Key to Driverless ConfigurationA Sentinel HL (HASP configuration) key that was previously delivered to a customer can beupgraded to a Sentinel HL (Driverless configuration) key in the field. In Driverless configuration,this key will employ HID drivers instead of HASP key drivers. (HID drivers are an integral part ofthe operating system.) As a result:

n The key is less subject to issues related to operating system upgrades.

n The key may no longer require the presence of Sentinel LDK Run-time Environment.

All of the licenses and key memory that existed in the Sentinel HL (HASP configuration) key willcontinue to exist in the key after the upgrade.

Given the following situation:

n An application is protected with version 6.3 or 6.4 of Sentinel Licensing API librariesand/or Envelope.

n The Sentinel HL (HASP configuration) key that licenses the application is upgradedto the Driverless configuration.

The application will work correctly after the upgrade. However, the requirement for thepresence of the Run-time Environment does not change.

The tables that follow summarize the requirements for working with HL keys.

H

294 Appendix H: Upgrading Sentinel HL Keys

Standalone HL Keys

Version of Licensing API orEnvelope used to protect theapplication (lower of thetwo)

HASP HL key or Sentinel HL(HASP configuration) key


HASP SRM, Sentinel HASP, orSentinel LDK v.6.0 or v.6.1

Requires Run-timeEnvironment from same (orlater) version that was used toprotect the application

Not supported. See thewarning below.

Sentinel LDK v.6.3 Requires Run-time Environment from Sentinel LDK v.6.3 or later

Sentinel LDK v.6.4 Requires Run-time Environment from Sentinel LDK v.6.4 or later

Sentinel LDK v.7.0 or later Requires Run-timeEnvironment from Sentinel LDKv.7.0 or later

Under Windows, use ofRun-time Environment (fromSentinel LDK v.7.0 or later) isoptional.

Net and NetTime HL Keys

Version of Licensing API orEnvelope used to protect theapplication (lower of thetwo)

HASP HL key or Sentinel HL(HASP configuration) key


HASP SRM, Sentinel HASP, orSentinel LDK v.6.0 or v.6.1

On the machine where the HLkey is connected: RequiresRun-time Environment fromsame (or later) version thatwas used to protect theapplication

Not supported. See thewarning below.

Sentinel LDK v.6.3 On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.6.3 or later

Sentinel LDK v.6.4 On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.6.4 or later

Sentinel LDK v.7.0 or later On the machine where the HL key is connected: Requires Run-time Environment from Sentinel LDK v.7.0 or later

The following limitations apply:

n The application must be protected using version 6.4 or later of Sentinel Licensing APIlibraries and/or Envelope. (For Sentinel HL Net keys and Sentinel HL NetTime keys, useversion 7.0 or later.)

n You must be using version 6.4 or later of Sentinel EMS or License Generation API togenerate the Product that upgrades the HL key. (For Sentinel HL Net keys and Sentinel HLNetTime keys, use version 7.0 or later.)

n The firmware on the Sentinel HL key will be automatically updated as part of the upgradeprocess.

n After upgrade, Sentinel HL (Driverless configuration) keys will not be visible in AdminControl Center if the Run-time Environment is earlier than:

o version 6.50 (Sentinel LDK v.6.3) — for standalone keys

o version 6.60 (Sentinel LDK v.7.0) — for Net and NetTime keys

An application that is protected with version 6.3 of Sentinel LDK, Licensing API libraries and/orEnvelope will work correctly after the Sentinel HL (HASP configuration) key that licenses theapplication is upgraded to the Driverless configuration. However, the requirement for thepresence of the Run-time Environment does not change.

Wa r n ingA n app l i c a t i o n th a t i s p r o te c te d w i th v e r s i o n 6 .1 o r e ar l i e r o f S e n t i n e l L DKl i b r a r i e s , L i c e n s i n g A P I l i b r a r i e s and /o r E n v e l o p e w i l l s to p w o r k i n g i f th eSe n t i n e l HL (HA SP c on f i gu r a t i o n ) k e y th a t l i c e n se s th e app l i c a t i o n i s u p g r ad e dto th e D r i v e r l e s s c on f i gu r a t i o n .

Th e up g r ad e p r o c e s s f o r th e Se n t i n e l HL k e y i s n o t r e v e r s i b l e .

Upgrade Requirements

The machine that is used to upgrade a Sentinel HL (HASP configuration) key to a Sentinel HL(Driverless configuration) key must contain a Sentinel LDK Run-time Environment that satisfies thefollowing requirements:

Sentinel HL (HASP configuration) key to upgradeRequiredRun-timeEnvironment

Standalone key that contains license information (Features and Products) Version 6.56or later

Net or NetTime key that contains license information (Features and Products) Version 6.60or later

Any HL key that contains no license information (Features and Products) ANDthe license update used to upgrade the key contains no license information(Features and Products). Both the key and the license update can containmemory data.

No specialversionrequirements

Upgrading a Sentinel HL Key to Driverless Configuration 295

296 Appendix H: Upgrading Sentinel HL Keys

Upgrade Process

To upgrade a Sentinel HL (HASP configuration) key to Sentinel HL (Driverless configuration)key:

n Create a Base Product or Modification Product that contains the Upgrade to Driverlessattribute. The Product can be created exclusively to upgrade the Sentinel key, or theUpgrade to Driverless attribute can be included in a Product that licenses or modifies thelicense for a protected application. Apply the Product to the Sentinel HL (HASPconfiguration) key to be upgraded.

The Upgrade to Driverless attribute is ignored if it applied to Sentinel HASP keys or toSentinel HL (Driverless configuration) keys. Similarly, the attribute is ignored if is applied toan SL AdminMode key, SL UserMode key, or SL Legacy key. No error message isgenerated.

The Product that contains the Upgrade to Driverless attribute can be created usingSentinel EMS, Sentinel EMS Web Services, or Sentinel License Generation API.

To upgrade a Sentinel HL Basic key from HASP configuration to Driverless configuration:

n On the machine where the Sentinel HL Basic key is connected, use RUS to collectinformation regarding the key. Use the resulting C2V file with Sentinel License GenerationAPI to generate a V2C file that uses the Upgrade to Driverless attribute to upgrade thekey.

Apply the V2C file to the Sentinel HL Basic key to be upgraded.

Converting a Sentinel HL Standalone Key to a Network KeyThis topic does not apply to Sentinel HL Basic keys.

The table below describes the terminology used in this section:

Term Description

Sentinel HL standalone key Any Sentinel HL (Driverless configuration) key otherthan Net or NetTime keys.

Sentinel HL concurrency-enabled key A Sentinel HL standalone key that has been updated tosupport concurrency licenses.

Sentinel HL network key Any Sentinel HL key that supports network seatlicenses. This can be a Net or NetTime key, or a SentinelHL concurrency-enabled key.

Sentinel HL standalone keys can be updated, before or after delivery to end users, to Sentinel HLconcurrency-enabled keys, and thus provide practically the same network functionality as SentinelHL Net or NetTime keys.

The only difference between a Sentinel HL concurrency-enabled key and a Sentinel HL Net orNetTime key is the manner in which you are charged for network seat licenses. Each Net or

NetTime key is provided with a number of network seat licenses, based on the type of key. For HLconcurrency-enabled keys, network seat licenses that you provide to your customers arededucted from the HL Pool of Seats on your Master key. This is similar to the way network seatsare charged for Sentinel SL keys.

You update a Sentinel HL standalone key to a Sentinel HL concurrency-enabled key simply byassigning concurrency to a Feature on the key. When this occurs, the License Manager checks theFirmware version of the key. If the version is earlier than 4.27, the License Manager upgrades theFirmware on the key to the latest version.

The conversion can only occur if License Manager v.7.3 or later is present on the machine wherethe Sentinel HL key is connected.

When you update a Sentinel HL standalone key to a Sentinel HL concurrency-enabled key,you must also ensure that the Sentinel LDK Run-time Environment is installed on themachine where the key is connected. For more information, see "Protection Keys ThatRequire Sentinel LDK Run-time Environment" on page 166.

Note the following:

n Feature 0 for a Sentinel HL concurrency-enabled key shows the key as a NET key withunlimited concurrency as long as any other Feature on the key requires concurrency. Ifthe requirement for concurrency are removed from the key, Feature 0 will show the keyas a standalone key.

n In Sentinel License Generation API, you can prevent the upgrade of the Firmware for aSentinel key when you update a license. However, if the existing Firmware on the keydoes not support the functionality in the update you are attempting to perform, theupdate will fail as a result.

n All Sentinel HL (Driverless configuration) key (except for HL Basic keys) will be shown ascapable devices for licenses that require concurrency.

Sentinel HL (HASP configuration) standalone keys can be upgraded and updated to Sentinel HL(Driverless configuration) concurrency-enabled keys in a single update operation. Upgrade the keyto the Driverless configuration as described earlier in this appendix, and at the same time assignconcurrency to a Feature on the key.

Converting a Sentinel HL Standalone Key to a Network Key 297

Appendix I:Troubleshooting

The first part of this appendix provides a checklist to help you solve some of the most commonproblems that your customers might encounter when using the Sentinel HL keys. The second partlists specific problems you or your customers may experience, together with the solutions.

Sentinel HL keys conform to the highest standards of quality assurance. However, like any otherPC peripheral device, a Sentinel HL key might not operate on certain PC configurations because offaulty equipment or improper installation. This appendix can help you in such a situation.

In addition to the information in this appendix, you can access the Sentinel Knowledge Base at:https://safenet.gemalto.com/technical-support/

The Knowledge Base contains a comprehensive listing of solutions to general and specificproblems.

To avoid potential difficulties, ensure you are using current Sentinel LDK software versions.Contact your local Gemalto representative for the latest updates, or visit the Gemalto downloadspage at:

www.sentinelcustomer.gemalto.com/sentineldownloads/

ChecklistIf a customer reports a problem, check the following:

n What the returned error code or message says. For additional information, see the statuscodes in the Licensing API help system.

n Whether a Sentinel HL key is connected correctly to the USB port.

n Whether your customer’s hardware or the operating system indicates technicalmalfunction, such as device manager collisions, system events, bootlog failures, or otherissues.

n Whether Sentinel Admin Control Center can access the Sentinel HL key.

n Whether the problem occurs when the protected application runs on another PC of thesame model.

I

https://safenet.gemalto.com/technical-support/

http://www.sentinelcustomer.gemalto.com/sentineldownloads/

300 Appendix I: Troubleshooting

Problems and Solutions

Problem Sentinel HL key drivers do not install.

Solution Are older Sentinel HL key drivers installed on the machine? Uninstall the older driverusing the installer corresponding to the older driver version. For additionalinformation, see the Sentinel HL key driver documentation. After the older drivers areremoved, install the Sentinel HL drivers. For additional information, see the SentinelLDK Installation Guide.

Problem You receive an error message when using haspdinst.exe to install the Sentinel HL keydriver under Windows 2000/XP/2003/Vista.

Solution Review the haspdinst.exe installation instructions. Alternatively, try to install thedrivers using the HASPUserSetup.exe. For additional information, see the Sentinel LDKInstallation Guide.

Problem The protected application cannot find a Sentinel HL key.

Solution Does the Sentinel HL key LED light up? If not, this could be for one of the followingreasons:

n The key is not connected properly to the USB port. Disconnect, then reconnectafter a few seconds. If the LED lights, the application should be able to accessthe key.

n The required Sentinel HL key drivers are not installed. If you are runningSentinel LDK on a Windows platform, check for an entry for Sentinel LDK in theDevice Manager utility. If there is no entry, you must install the drivers usingone of the methods in the Sentinel LDK Installation Guide.

n Check if the USB port is functioning correctly. Disconnect all other USB devicesfrom their respective ports. Connect the Sentinel HL key to a different USB port.Try using a different USB device in the port from which the Sentinel HL key wasnot accessible.

n Open the Windows Services window and check that Sentinel License Manager isrunning.

n Check that the Batch Code on the Sentinel HL key matches the Batch Code ofthe protected application.

Problem Web pages for Admin Control Center do not display in your Web browser on aWindows machine.

Solution Check the following:n Confirm that the Sentinel LDK License Manager service is active.n Some other program that you installed may have incorrectly installed special

TCP/IP drivers. As a result, WinSock configuration may be damaged. To resolvethis problem, run the command netsh winsock reset from an Administratorshell, and then restart the machine.

Problem The application takes a long time to find the Sentinel protection key on a largenetwork.

Solution It is recommended that you customize the search mechanism. Use Admin ControlCenter configuration to specify a search criteria, and to define the server addresses tobe searched. By doing so, the Admin Control Center searches for the Sentinelprotection key at a specific address, which is much faster.

Problem You receive an error message indicating that Sentinel License Manager was not found.

Solution The error message might be for one of the following reasons:n Sentinel License Manager was not loaded. Try restarting Sentinel License

Manager in the Windows Services window.n There is a communication error with the machine on which the Sentinel

protection key is located. If you repeatedly receive the error message, try usinga different search mechanism.

Problem You cannot add files when using the Sentinel LDK Data Protection utility.

Solution The problem may occur for one of the following reasons:n You are attempting to add a list that includes problematic files. Remove all

problematic files marked in red in the File list.n You are attempting to add a file that is outside the scope of the filters defined

in Sentinel Envelope. You must protect your software again using the new filefilter settings.

n For additional information, see "Chapter 7: Protecting Data Files" on page 81.

Problem When using Sentinel LDK Data Protection utility, you receive a message that no datafilters were defined for a program in a Sentinel Envelope project.

Solution The problem cannot be solved using the Data Protection utility. You need to useSentinel LDK Envelope to protect your software again, and to specify file filter settings.

Problems and Solutions 301

302 Appendix I: Troubleshooting

Problem When running a protected Java application, error code 22 is thrown.

Solution When a java application is protected using both Sentinel LDK Envelope and SentinelLicensing API, the JAR files used by the protected application must have the sameversion number. Ensure that you are using both Sentinel LDK Envelope and SentinelLicensing API from the same version of Sentinel LDK.

Problem When you are logged in to both the Vendor Portal and the Customer Portalsimultaneously in Sentinel EMS in different tabs of a single Web browser instance, amessage for an internal error is generated.

Solution To work simultaneously with the Sentinel EMS Vendor Portal and Customer Portal ona single machine, use two separate Web browser instances.

Problem When you download a C2V file (for example, abc.C2V) from Admin Control Centerusing the Safari Web browser, Safari appends ".xml" to the file name (for example,abc.c2v.xml). As a result, Sentinel EMS blocks the file.

Solution Before you attempt to use the C2V file in Sentinel EMS, remove the ".xml" extensionfrom the file name.

Appendix J:Requesting a Replacement

Vendor KeyYour Sentinel Vendor keys (Sentinel Master key and Sentinel Developer key) are an essential partof the Sentinel LDK system and are required for day-to-day operations. Each Vendor key containsa battery with a life expectancy of seven years.

When your Vendor keys approach the end of their expected useful life span, you must transferthe license modules and license pools that the keys contains to a new key. Sentinel EMS andSentinel Vendor Tools will automatically generate a notice to you at the appropriate time,informing you how to obtain replacement Vendor keys (at no cost to you). Together with yourreplacement Vendor keys, you will receive instructions that describe how to use the Vendor KeyLicense Transfer Tool to transfer your license modules and license pools to your new Vendor keys.

Composing the Email Request for a Replacement VendorKeyWhen Sentinel LDK determines that your Vendor key requires replacement, it generates an emailthat contains the required information and that specifies additional information that you mustprovide to complete the request.

In the event that the machine to which your Vendor key is connected does not contain an emailclient, follow the instructions that follow to compose and send the required email request toGemalto Customer Services.

Request from Sentinel Vendor Tools (ToolBox, Envelope, Master Wizard)

You can click Copy key details to clipboard in the displayed notification window, and then pastethe required text where you will compose the required email message. Fill in the missinginformation in the body of the email. Enter the subject: Request to replace Master/Developerkeys with weak battery. Send the email to [email protected].

Request from Sentinel EMS

Paste the text that follows in to the body of the email that you will send and fill in the missinginformation. (The ID of the Vendor key is displayed at the bottom of the notification window.)

J

304 Appendix J: Requesting a Replacement Vendor Key

Enter the subject: Request to replace Master/Developer keys with weak battery. Send the emailto: [email protected]

Email to request a replacement Master key

Address: [email protected]

Subject: Request to replace Master/Developer keys with weak battery

Body of the email:

To Gemalto Customer Services:

The battery in our Master key is nearly depleted. Please send a replacement key.

-------

Instructions to the customer: To obtain your replacement key, provide all requested informationbelow:

** Customer details **

-Contact email:

-Company name:

-Contact name:

-Contact phone number:

** Shipping address **

-Company name:

-Address:

-City:

-State:

-Country:

-Contact name:

-Phone number:

** Keys for replacement **

-Type of Key: Master key

-Batch code:

-Key ID: [Copy from the notification screen]

Glossary

Activation counter Licensing element indicating the number of times a Feature, licensedusing Sentinel LDK, can be run

Admin License Manager Standalone License Manager that is implemented as a service inWindows or as a daemon in Linux Intel and Mac. The Admin LicenseManager handles communication between the protected applicationand the protection keys. The Admin License Manager is installed aspart of Sentinel Run-time Environment, together with Sentinel AdminControl Center. See also: License Manager

AES Advanced Encryption Standard (AES) algorithm that is the basis forthe Sentinel LDK encryption and decryption

Anti-debugging Measures applied by the Sentinel LDK system to block potentialattacks intended to undermine the protection scheme

API samples Sample applications that utilize the Sentinel Licensing API. A learningtool used for implementing the Sentinel Licensing API.

AppOnChip A protection functionality in Sentinel LDK Envelope that moves theexecution of selected functions from the protected application to theSentinel HL (Driverless configuration) key. This enhances the securityof the protected application.

Background checks Random checks executed by protected applications for a requiredSentinel protection key

Backward compatibility Ability to share data or commands with applications protected withearlier versions. Sentinel LDK backward compatibility includes theability to read and write data, set real-time clocks, and process other‘legacy' commands.

Base Product An original Product that has been created from scratch from whichother Products may be created. All Modification Products, UnlockedProducts and Cancellation Products are created from Base Products.

Batch Code Unique character string that represents a Vendor Code. Used indefining Features, Products and orders. It is also used for orderingSentinel protection keys. With Sentinel HL keys, the code is printedon the Sentinel HL key label.

K

306 Glossary

C2V file Customer-to-Vendor file. A file sent by the customer to the vendor,containing data about deployed Sentinel protection keys or dataabout the customer's computer. C2V files can be safely sent usingregular Email. See also V2C file.

Cancellation Product A Product that cancels the licensing details of another Product. Canbe used to revoke a deployed license, or to remove a license from aspecified computer so that it can be transferred to anothercomputer.

Customer Portal A Web portal in Sentinel EMS that can be accessed by customers

Cross-locking Indicates that protection can be applied to both Sentinel HL andSentinel SL keys

Data Protection utility Utility for encrypting and (optionally) licensing data files that areaccessed by programs protected by Sentinel LDK Envelope. (FormerlyDataHASP)

Decryption Process of decrypting data that has been encrypted

Default Feature Feature that is always available in a Sentinel protection key. Itrequires no configuration.

Demo Vendor Code See DEMOMA

DEMOMA Batch Code used for evaluation purposes with any Sentinel LDKapplication. Its corresponding Vendor Code is available in theVendorCodes folder of your Sentinel LDK installation.

Detach Temporarily remove a license from a network pool on a host machinefor attachment to a remote recipient machine

Encryption Translation of data into a confidential code. To read an encrypted file,you must have the correct encryption engine for decrypting the file.

Encryption engine Encryption engine in a Sentinel protection key—based on the AESalgorithm

Encryption key Key used for encrypting a data file used with Sentinel Envelope

Encryption level Number of iterations that the Sentinel Envelope executes with theSentinel protection key for each interaction

Envelope See Sentinel Envelope

Expiration date Date after which a protected application or Feature stops running

External LicenseManager

License Manager that can be provided for each protected application(to replace the Integrated License Manager). Handles communicationbetween the application and the protection key. See also: LicenseManager

Feature For software applications: An identifiable functionality that can beindependently controlled by a license. In Sentinel LDK, a Feature maybe an entire application, a module or a specific functionality such asPrint, Save or Draw.For data files: A specific Feature can be assigned to an individual datafile or to a collection of data files. This enables the vendor to easilymanage the licensing of data files.

Feature ID Unique identifier for a Sentinel LDK-protected Feature

File filter File mask that is defined in Sentinel LDK Envelope for a protectedapplication. The file filter is used by the protected application dodetermine which data files should be handled as encrypted files.

Grace period An initial period of time (typically 30 to 90 days) or number ofexecutions (typically 30) during which a Product can be used withouta Sentinel protection key. See also Unlocked Trialware Product.

H2H file Host-to-Host file. A file used to rehost (transfer) a protection key fromone end user's machine to another end user's machine.

H2R file Host-to-Recipient file. A file that contains one or more detachedProducts and their licenses for temporary attachment to a recipientmachine

Handle Unique identifier for accessing the context of a Sentinel LDK loginsession

HASP A legacy term used to refer to Sentinel protection keys in the HASPand LDK family of products. It is used in the following contexts:

n HASP HL keys. Legacy hardware protection keys, now replacedby Sentinel HL keys.

n HASP SL keys. Previous name for the software-based SentinelSL Legacy keys.

n HASP_ prefix / namespace. Used in the Sentinel Licensing API.n HASPUserSetup.exe. GUI-based Run-time installer that

supports multiple key types (Sentinel HL, HASP HL, HASP4, andHardlock).

n haspdinst.exe. Command-line based Run-time installer similarto HASPUserSetup.exe.

HASP ID See Key ID

Integrated LicenseManager

License Manager that is integrated into each protected application.Handles communication between the application and the protectionkey. See also: License Manager

Key See Sentinel protection key

Key ID Unique identity number for a Sentinel protection key

307

308 Glossary

License A logical entity (file or data) that enables the user to access aprotected application (or part of it). The digital representation of alicense is stored in a Sentinel protection key.

License Manager A component of Sentinel LDK that enables the protected applicationto locate and query the protection key that provides licensingauthorization for the protected application to operate. The followingtypes of License Managers exist: Admin License Manager, IntegratedLicense Manager, External License Manager

License terms Detailed conditions contained in a license

Locked Product A Product that is protected using Sentinel LDK and is locked to aspecific machine or HL key. An Unlocked Trialware Product becomes aLocked Product after the customer activates an entitlement for theProduct.

Locking type Determines the level of protection for a Product, according to thetype of Sentinel protection key supplied with the Product

Memory data Vendor-defined data (for example: passwords, values used by thesoftware) that is specified in memory for a Product and transferred tothe Sentinel protection key

Modification Product A modified version of an existing Product

Order A request for Products or protection key updates to be shipped to acustomer

Product A licensing entity that represents one of a vendor’s marketablesoftware products or data files. The Product is coded into thememory of a Sentinel key and contains one or more Features. Licenseterms are defined for each Feature in a Product.

Product Key A string generated by Sentinel EMS and supplied to the end user foruse as proof of purchase for Product Activation or Update Activation

Production The implementation of an order for Products or protection keyupdates

Protect Once—DeliverMany—Evolve Often

The concept of separation between engineering and businessprocesses, on which Sentinel LDK is designed

Protection key See Sentinel protection key.

Protection Key Memory Secure memory that resides within a Sentinel protection key (HL orSL), for use by the protected software. Protection Key memory canbe accessed or modified using the Sentinel Licensing API. Thememory can be initialized when the key is generated, using dataentered when defining the Product or when entering an order for aProduct.

Protection Key Update File containing update information for deployed Sentinel protectionkeys. See also V2C file.

Provisional Product See Unlocked Trialware Product.

R2H file Recipient-to-Host file. A file used to re-attach a cancelled detachablelicense to the host machine.

Real-time Clock (RTC) Clock available in the Sentinel HL Time key and Sentinel HL NetTimekey. See also V-Clock.

Recipient machine Remote machine to which a license that has been detached from anetwork pool on a host machine is temporarily attached

Rehost Transfer a Sentinel SL key from one end user computer to another.The rehost process is performed entirely by the end user, with nointeraction with the vendor.

Reverse Engineering Software attacks intended to unravel the algorithms and executionflow of a target program by tracing the compiled program to itssource code. Sentinel Envelope protection implements contingencymeasures to repel such attacks and prevent hackers from discoveringalgorithms used inside protected software.

RUS utility See Sentinel Remote Update System

Secure Storage Area reserved by Sentinel LDK on a computer’s local hard drive whenone or more Sentinel SL protection keys are installed on thecomputer. The keys are installed in the secure storage area. This areacan only be accessed or modified by Sentinel LDK components.

Secure Storage ID A globally unique identifier of Secure storage on every machine.

Sentinel Admin API API that enables administration of License Managers and Sentinelprotection keys. Provides all the functionality that is available inAdmin Control Center. See also: License Manager

Sentinel Admin ControlCenter

Customizable, Web-based, end-user utility that enables centralizedadministration of Admin License Managers and Sentinel protectionkeys. See also: License Manager, Admin License Manager

Sentinel Developer key A vendor-specific Sentinel HL key containing the confidential codesassigned by Gemalto. The key is used by the software engineerswhen protecting applications or data files using Sentinel LDK.

Sentinel EMS Role-based application used to generate licenses and lock them toSentinel protection keys, write specific data to the memory of aSentinel protection key, and update licenses already deployed in thefield. Sentinel EMS is installed as a service (Sentinel EMS Service)under Windows.

Sentinel EMS Server Computer on which Sentinel EMS is installed and the SentinelEMS Service is active.

Sentinel HL key The hardware-based protection and licensing component of SentinelLDK. One of the Sentinel protection key types.

309

310 Glossary

Sentinel HL Basic key Standard Sentinel HL local key that is used to protect software, and:has a perpetual license. This key:

n does not have any memory functionality.n does not support concurrency.n does not support V-Clock.

Sentinel HL network key Any Sentinel HL key that supports concurrency. This includes thefollowing keys:

n Sentinel HL Net keyn Sentinel HL NetTime keyn Any Sentinel HL (Driverless configuration) key except for

Sentinel HL Basic keys


Type of Sentinel HL key that does not require the Run-timeEnvironment in order to protect an application or data file on aWindows machine.

Sentinel HL (HASPconfiguration) key

Type of Sentinel HL key that is fully compatible with protectedapplications that require the older HASP HL keys.

Sentinel LDK - Demo Kit Kit containing software, hardware and documentation for evaluatingthe Sentinel LDK system

Sentinel LDK Envelope Application that wraps an application in a protective shield, ensuringthat the protected application cannot run unless a specified Sentinelprotection key is accessible by the program

Sentinel LDK Run timeEnvironment (RTE)

System component that enables communication between a Sentinelprotection key and a protected application or data file . The Run-timeEnvironment also contains Sentinel Admin Control Center.

Sentinel LDK ToolBox GUI application designed to facilitate software engineers’ use ofvarious Sentinel LDK APIs and to generate source code

Sentinel LicenseManager

See License Manager

Sentinel Licensing API Interface for inserting calls to a Sentinel protection key

Sentinel Master key A vendor-specific Sentinel HL key containing the confidential codesassigned by Gemalto. The key is connected to the Sentinel EMSmachine. The Master key also contains license modules that enableyou to use various types of Sentinel LDK functionality.

Sentinel protection keys Sentinel HL keys and Sentinel SL keys

Sentinel Remote UpdateSystem (RUS)

Utility that enables licenses in deployed Sentinel protection keys tobe securely, remotely updated, or the contents of the keys to bemodified. See also C2V file and V2C file

Sentinel SL key The software-based protection and licensing component of SentinelLDK—a virtual Sentinel HL key

Sentinel Vendor keys The Sentinel Master key and Sentinel Developer key that containyour confidential and unique Vendor Codes. These keys enable youto apply protection to your programs, to program the Sentinelprotection keys that you send to your end users, and to specify thelicense terms under which your software can be used.

Status code Error or status message returned by the Sentinel LDK system

Trialware Software or data files that can be distributed with an integratedSentinel protection key for end-user evaluation during a limited timeperiod. See also Unlocked Trialware Product.

Unlocked license A type of license that does not lock a protected entity (application ordata file) to a specific machine and does not necessarily impose anylicensing restrictions on the use of the protected entity. Theprotected entity can be installed on any number of machines. Withthis license type, the vendor can use Sentinel LDK to protect theentity, but can use a different mechanism to license the entity (or canimpose no license restrictions on the entity).

Unlocked Product A Product that is distributed with an Unlocked license.

Unlocked TrialwareProduct

An Unlocked Product that is distributed as trialware for a limitedperiod (typically up to 90 days) or limited number of executions(typically 30).

UTC Coordinated Universal Time—the standard time common to everyplace in the world

V-Clock (Virtual Clock) Virtual clock available in Sentinel SL keys and Sentinel HL (Driverlessconfiguration) keys. See also Real-time Clock.

V2C file Vendor-to-Customer file. A file sent by the vendor to a customer. Thefile contains data to update a Sentinel protection key on the enduser's computer. This data can include detailed changes to the licenseterms or data to be stored in the end users' Sentinel protection keys.V2C files can be safely sent using regular Email. See also C2V file.

Vendor Code A confidential, vendor-unique string containing vendor-specific secretsthat enables access to the vendor-specific Sentinel protection keys.

Vendor ID A unique number that is associated with a given Vendor Code andBatch Code.

Vendor libraries (Vlib) Vendor-specific API libraries. These libraries are built and customizedon Gemalto servers. In this process, the libraries are customizeddifferently for every vendor. These libraries are downloaded whenyou introduce your Vendor keys.

311

312 Glossary

SAFENET SENTINEL LDK PRODUCTEND USER LICENSE AGREEMENT

IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THECONTENTS OF THE PACKAGE AND/OR BEFORE DOWNLOADING OR INSTALLING THE SOFTWAREPRODUCT. ALL ORDERS FOR AND USE OF THE SENTINEL® LDK PRODUCTS (including withoutlimitation, the Developer's Kit, libraries, utilities, diskettes, CD_ROM, DVD, Sentinel keys, thesoftware component of SafeNet Sentinel LDK, and the Sentinel LDK Software Protection andLicensing Guide) (hereinafter “Product”) SUPPLIED BY SAFENET, INC., (or any of its affiliates - eitherof them referred to as “SAFENET”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONSSET FORTH IN THIS AGREEMENT.

BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR BY DOWNLOADING THESOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE SOFTWARE ON YOUR COMPUTERAND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING THIS AGREEMENT AND AGREEING TO BEBOUND BY ITS TERMS AND CONDITIONS.

IF YOU DO NOT AGREE TO THIS AGREEMENT OR ARE NOT WILLING TO BE BOUND BY IT, DONOT OPEN THE PACKAGE AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE ANDPROMPTLY (at least within 7 days from the date you received this package) RETURN THEPRODUCTS TO SAFENET, ERASE THE SOFTWARE, AND ANY PART THEREOF, FROM YOURCOMPUTER AND DO NOT USE IT IN ANY MANNER WHATSOEVER.

This Agreement has 3 sections:

Section I applies if you are downloading or using the Product free of charge for evaluationpurposes only.

Section II applies if you have purchased or have been otherwise granted by SafeNet a license touse the Product.

Section III applies to all grants of license.

1. SECTION I - TERMS APPLICABLE TO GRANT OF EVALUATION LICENSE

1.1 License Grant. SafeNet hereby grants to you, and you accept, a nonexclusive license to usethe Product in machine- readable, object code form only, free of charge, for the purpose ofevaluating whether to purchase an ongoing license to the Product and only as authorized in thisLicense Agreement. The evaluation period is limited to the maximum amount of days specified inyour applicable evaluation package. You may use the Product, during the evaluation period, in themanner described in Section III below under “Extent of Grant.”

1.2 DISCLAIMER OF WARRANTY. The Product is provided on an “AS IS” basis, without warranty ofany kind. IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTION ANDMERCHANTABILITY SHALL NOT APPLY. SOME JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF ANIMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHER

313

314 SAFENET SENTINEL LDK PRODUCT END USER LICENSE AGREEMENT

LEGAL RIGHTS THAT VARY BY JURISDICTION. The entire risk as to the quality and performance ofthe Product is borne by you. This disclaimer of warranty constitutes an essential part of theagreement.

If you initially acquired a copy of the Product without purchasing a license and you wish topurchase a license, contact SafeNet or any SafeNet representative.

2. SECTION II - APPLICABLE TERMS WHEN GRANTED A LICENSE

2.1 License Grant. Subject to your payment of the license fees applicable to the type and amountof licenses purchased by you and set forth in your applicable purchase order, SafeNet herebygrants to you, and you accept, a personal, nonexclusive and fully revocable limited License to usethe Software (as such term is defined in Section III hereunder, in the Intellectual Propertysubsection), in executable form only, as described in the Software accompanying userdocumentation and only according to the terms of this Agreement: (i) you may install theSoftware and use it on computers located in your place of business, as described in SafeNet'srelated documentation; (ii) you may merge and link the Software into your computer programsfor the sole purpose described in the Sentinel LDK Software Protection and Licensing Guide;however, any portion of the Software merged into another computer program shall be deemed asderivative work and will continue to be subject to the terms of this Agreement; and (iii) you arepermitted to make a reasonable number of copies of the Software solely for backup purposes.The Software shall not be used for any other purposes.

2.2 Sub-Licensing. After merging the Software in your computer program(s) according to theLicense Grant section above, you may sub-license, pursuant to the terms of this Agreement, themerged Software and resell the hardware components of the Product, which you purchased fromSafeNet, if applicable, to distributors and/or users. Preceding such a sale and sub-licensing, youshall make sure that your contracts with any of your distributors and/or end users (and theircontracts with their customers) shall contain warranties, disclaimers, limitation of liability, andlicense terms which are no less protective of SafeNet's rights than such equivalent provisionscontained herein. In addition, you shall make it abundantly clear to your distributors and/or endusers, that SafeNet is not and shall not, under any circumstances, be responsible or liable in anyway for the software and software licenses contained in your computer programs which youmerge with the SafeNet Software and distribute to your distributors and/or end users, including,without limitation, with respect to extending license terms and providing maintenance for anysoftware elements and/or computer programs which are not the SafeNet Software. SafeNetexpressly disclaims any responsibility and liability with respect to any computer programs,software elements, and/or hardware elements which are not and do not form part of the SafeNetproduct.

2.3 Limited Warranty. SafeNet warrants, for your benefit alone, that (i) the Software, when and asdelivered to you, and for a period of three (3) months after the date of delivery to you, willperform in substantial compliance with the Sentinel LDK Software Protection and Licensing Guide,provided that it is used on the computer hardware and with the operating system for which it wasdesigned; and (ii) that the Sentinel HL key and microSD card, for a period of twenty four (24)months after the date of delivery to you, will be substantially free from significant defects inmaterials and workmanship. You may enable or disable certain features when applying theSentinel LDK protection software by changing settings in the Sentinel LDK tools in accordance withthe Sentinel LDK Software

Protection and Licensing Guide; HOWEVER, IT IS IMPORTANT TO NOTE THAT WHEN ENABLING ORDISABLING SOME FEATURES YOU MIGHT REDUCE THE LEVEL OF PROTECTION PROVIDED BY THESOFTWARE.

2.4 Warranty Disclaimer. SAFENET DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEETYOUR REQUIREMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TOTHE EXTENT ALLOWED BY LAW, SAFENET EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES NOTSTATED HERE AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO SAFENET'SDEALER, DISTRIBUTOR, RESELLER, AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANY

MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. If any modifications are madeto the Software or to any other part of the Product by you; if the media, the Sentinel key, or themicroSD card is subjected to accident, abuse, or improper use; or if you violate any of the termsof this Agreement, then the warranty in Section 2.3 above, shall immediately be terminated. Thewarranty shall not apply if the Software is used on or in conjunction with hardware or programother than the unmodified version of hardware and program with which the Software wasdesigned to be used as described in the Sentinel LDK Software Protection and Licensing Guide. Thelimited warranty does not cover any damage to the microSD card that results from improperinstallation, accident, abuse, misuse, natural disaster, insufficient or excessive electrical supply,abnormal mechanical or environmental conditions, or any unauthorized disassembly, repair ormodification. This limited warranty shall not apply if: (i) the microSD card was not used inaccordance with any accompanying instructions, or (ii) the product was not used for its intendedfunction. This limited warranty also does not apply to any microSD card on which the originalidentification information has been altered, obliterated or removed, that has not been handled orpackaged correctly, that has been sold as second-hand or that has been resold contrary to U.S.and other applicable export regulations.

2.5 Limitation of Remedies. In the event of a breach of the warranty set forth above, SafeNet'ssole obligation, and your sole remedy shall be, at SafeNet's sole discretion: (i) to replace or repairthe Product, or component thereof, that does not meet the foregoing limited warranty, free ofcharge; or (ii) to refund the price paid by you for the Product, or component thereof. Anyreplacement or repaired component will be warranted for the remainder of the original warrantyperiod or 30 days, whichever is longer. Warranty claims must be made in writing during thewarranty period and within seven (7) days of the observation of the defect accompanied byevidence satisfactory to SafeNet. All Products should be returned to the distributor from whichthey were purchased (if not purchased directly from SafeNet) and shall be shipped by thereturning party with freight and insurance paid. The Product or component thereof must bereturned with a copy of your receipt. SafeNet is not liable for, and does not cover under warranty,any damages or losses of any kind whatsoever resulting from loss of, damage to or corruption of,content or data or any costs associated with determining the source of system problems orremoving, servicing or installing the microSD card. This warranty excludes third party software,connected equipment or stored data. SafeNet is therefore not liable for any losses or damageattributable to third party software, connected equipment or stored data. In the event of a claim,SafeNet’s sole obligation shall be to issue a refund or replacement of the microSD card.

3. SECTION III - TERMS APPLICABLE TO ALL GRANTS OF LICENSE

315


3.1 Extent of Grant and Prohibited Uses. Except as specifically permitted in Sections 2.1 and 2.2above, you agree not to (i) use the Product in any manner beyond the scope of license purchasedby you in accordance with your applicable purchase order; (ii) use, modify, merge or sub-licensethe Software or any other of SafeNet's products except as expressly authorized in this Agreementand in the Sentinel LDK Software Protection and Licensing Guide; and (iii) sell, license (or sub-license), lease, assign, transfer, pledge, or share your rights under this License with/to anyoneelse; and (iv) modify, disassemble, decompile, reverse engineer, revise or enhance the Software orattempt to discover the Software’s source code; and (v) place the Software onto a server so that itis accessible via a public network; and (vi) use any back-up or archival copies of the Software (orallow someone else to use such copies) for any purpose other than to replace an original copy if itis destroyed or becomes defective. If you are a member of the European Union, this agreementdoes not affect your rights under any legislation implementing the EC Council Directive on theLegal Protection of Computer Programs. If you seek any information within the meaning of thatDirective you should initially approach SafeNet.

3.2 Intellectual Property. THIS IS A LICENSE AGREEMENT AND NOT AN AGREEMENT FOR SALE. Thesoftware component of the SafeNet Sentinel LDK Product, including any revisions, corrections,modifications, enhancements, updates and/or upgrades thereto, (hereinafter in whole or any partthereof defined as: “Software”), and the related documentation, ARE NOT FOR SALE and are andshall remain in SafeNet's sole property. All intellectual property rights (including, withoutlimitation, copyrights, patents, trade secrets, trademarks, etc.) evidenced by or embodied inand/or attached/connected/related to the Product, (including, without limitation, the Softwarecode and the work product performed in accordance with Section II above) are and shall beowned solely by SafeNet. This License Agreement does not convey to you an interest in or to theSoftware but only a limited right of use revocable in accordance with the terms of this LicenseAgreement. Nothing in this Agreement constitutes a waiver of SafeNet's intellectual property rightsunder any law.

3.3 Audit. SafeNet shall have the right, at its own expense, upon reasonable prior notice, toperiodically inspect and audit your records to ensure your compliance with the terms andconditions of this license agreement.

3.4 Termination. Without prejudice to any other rights, SafeNet may terminate this license uponthe breach by you of any term hereof. Upon such termination by SafeNet, you agree to destroy,or return to SafeNet, the Product and the Documentation and all copies and portions thereof.

3.5 Limitation of Liability. SafeNet's cumulative liability to you or any other party for any loss ordamages resulting from any claims, demands, or actions arising out of or relating to thisAgreement and/or the sue of the Product shall not exceed the license fee paid to SafeNet for theuse of the Product/s that gave rise to the action or claim, and if no such Product/s is/are soapplicable then SafeNet's liability shall not exceed the amount of license fees paid by You toSafeNet hereunder during the twelve (12) months period preceding the event. UNDER NOCIRCUMSTANCES AND UNDER NO LEGAL THEORY, TORT, CONTRACT, OR OTHERWISE, SHALLSAFENET OR ITS SUPPLIERS OR RESELLERS OR AGENTS BE LIABLE TO YOU OR ANY OTHER PERSONFOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY TYPEINCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, BUSINESS INTERRUPTION,COMPUTER FAILURE OR MALFUNCTION, LOSS OF BUSINESS PROFITS, LOSS OF BUSINESSINFORMATION, DAMAGES FOR PERSONAL INJURY OR ANY AND ALL OTHER COMMERCIAL

DAMAGES OR LOSSES, EVEN IF SAFENET SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OFSUCH DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY. SOME JURISDICTIONS DO NOT ALLOWTHE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THISLIMITATION AND EXCLUSION MAY NOT APPLY TO YOU.

3.6 No other Warranties. Except and to the extent specifically provided herein, SafeNet makes nowarranty or representation, either express or implied, with respect to its Products as, includingtheir quality, performance, merchantability or fitness for a particular purpose.

3.7 Export Controls. YOU ACKNOWLEDGE THAT THE SOFTWARE IS SUBJECT TO REGULATION BYUNITED STATES, EUROPEAN UNION, AND/OR OTHER GOVERNMENT AGENCIES, WHICH PROHIBITEXPORT OR DIVERSION OF THE SOFTWARE TO CERTAIN COUNTRIES AND CERTAIN PERSONS. YOUAGREE TO COMPLY WITH ALL EXPORT LAWS, REGULATIONS AND RESTRICTIONS OF THE UNITEDSTATES DEPARTMENT OF STATE, DEPARTMENT OF COMMERCE OR OTHER LEGAL AUTHORITYWITHIN THE UNITED STATES OR ANY FOREIGN ENTITY WHICH REGULATES THEIR SHIPMENT. YOUWILL NOT EXPORT IN ANY MANNER, EITHER DIRECTLY OR INDIRECTLY, ANY SOFTWARE OR ANYPRODUCT THAT INCORPORATES ANY SOFTWARE WITHOUT FIRST OBTAINING ALL NECESSARYAPPROVAL FROM APPROPRIATE GOVERNMENT AGENCIES. YOU AGREE TO INDEMNIFY SAFENETAGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDINGREASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THISSECTION 3.7.

3.8 Governing Law & Jurisdiction. This License Agreement shall be construed, interpreted andgoverned by the laws of the State of Delaware without regard to conflicts of laws and provisionsthereof. The exclusive forum for any disputes arising out of or relating to this License Agreementshall be an appropriate federal or state court sitting in Harford County, State of Maryland, USA.The application of the United Nations Convention of Contracts for the International Sale of Goodsis expressly excluded. The failure of either party to enforce any rights granted hereunder or totake action against the other party in the event of any breach hereunder shall not be deemed awaiver by that party as to subsequent enforcement of rights or subsequent actions in the eventof future breaches.

3.9 Third Party Software. If distributed, the Software is distributed with open source softwarecomponents (“Open Source Software Components” or “OSS”) and other third party software(such OSS and other third party software individually or collectively referred to herein as “ThirdParty Software”), which are provided “As Is” without any warranty of any kind and subject to theirown applicable license agreements (which might also contain limited warranties and liabilities)referenced in Exhibit A (for the Software aside from that included in Sentinel EMS and SentinelCloud Add-on) and Exhibit B (for the Software included in Sentinel EMS and Sentinel Cloud Add-on). THOSE TERMS AND CONDITIONS SPECIFIED FOR EACH SPECIFIC OPEN SOURCE SOFTWARECOMPONENT OR OTHER THIRD PARTY SOFTWARE SHALL BE APPLICABLE TO SUCH COMPONENT.Third Party Software in addition to those listed in Exhibit A and B may be added to the Softwarefrom time to time, and will also be subject to their own applicable license agreements. Each OpenSource Software Component or other third party software is copyrighted by its respectivecopyright owner(s) as indicated in the applicable copyright notices which can be found in theapplicable license, installation, readme and/or help files for such Open Source SoftwareComponents or other third party software. SafeNet makes no representations or warranties withregard to the Open Source Software Components or other third party software. If the Software

317


contains any Third Party Software other than the ones listed in Exhibit A and B, such Third PartySoftware is also provided “As Is” without any warranty of any kind and shall be subject to theterms and conditions as set forth in the agreements contained/attached to such Third PartySoftware. In the event such agreements are not available, such Third Party Software is provided“As Is” without any warranty of any kind and shall be used in accordance with this Agreement.

3.10 Miscellaneous. If the copy of the Product you received was accompanied by a printed orother form of “hard-copy” End User License Agreement whose terms vary from this Agreement,then the hard-copy End User License Agreement governs your use of the Product. This Agreementrepresents the complete agreement concerning this license and may be amended only by awriting executed by both parties. THE ACCEPTANCE OF ANY PURCHASE ORDER PLACED BY YOU, ISEXPRESSLY MADE CONDITIONAL ON YOUR ASSENT TO THE TERMS SET FORTH HEREIN, COMBINEDWITH THE APPLICABLE LICENSE SCOPE AND TERMS, IF ANY, SET FORTH IN YOUR PURCHASEORDER. If any provision of this Agreement is held to be unenforceable, such provision shall bereformed only to the extent necessary to make it enforceable. The failure of either party toenforce any rights granted hereunder or to take action against the other party in the event of anybreach hereunder shall not be deemed a waiver by that party as to subsequent enforcement ofrights or subsequent actions in the event of future breaches.

© 2014 SafeNet, Inc. All rights reserved.

Exhibit A - Third-Party SoftwareOpen SSL

Version 1.0.2h

Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved.

This product includes cryptographic software written by Eric Young

([email protected]). This product includes software written by Tim

Hudson ([email protected]).

/* ====================================================================

* Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved.

*

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

*

* 1. Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

*

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

* the documentation and/or other materials provided with the

* distribution.

*

* 3. All advertising materials mentioning features or use of this

* software must display the following acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

*

* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

* endorse or promote products derived from this software without

* prior written permission. For written permission, please contact

* [email protected].

*

* 5. Products derived from this software may not be called "OpenSSL"

* nor may "OpenSSL" appear in their names without prior written

* permission of the OpenSSL Project.

*

* 6. Redistributions of any form whatsoever must retain the following

* acknowledgment:


* for use in the OpenSSL Toolkit (http://www.openssl.org/)"

*

* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY

* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

Exhibit A - Third-Party Software 319


* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

* OF THE POSSIBILITY OF SUCH DAMAGE.

* ====================================================================

*

* This product includes cryptographic software written by Eric Young

* ([email protected]). This product includes software written by Tim

* Hudson ([email protected]).

*

*/

Original SSLeay License

Version 1.0.2h

Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved.

This product includes software written by Tim Hudson ([email protected])

-----------------------

/* Copyright (C) 1995-1998 Eric Young ([email protected])

* All rights reserved.

*

* This package is an SSL implementation written

* by Eric Young ([email protected]).

* The implementation was written so as to conform with Netscapes SSL.

*

* This library is free for commercial and non-commercial use as long as

* the following conditions are adhered to. The following conditions

* apply to all code found in this distribution, be it the RC4, RSA,

* lhash, DES, etc., code; not just the SSL code. The SSL documentation

* included with this distribution is covered by the same copyright terms

* except that the holder is Tim Hudson ([email protected]).

*

* Copyright remains Eric Young's, and as such any Copyright notices in

* the code are not to be removed.

* If this package is used in a product, Eric Young should be given attribution

* as the author of the parts of the library used.

* This can be in the form of a textual message at program startup or

* in documentation (online or textual) provided with the package.

*



* are met:

* 1. Redistributions of source code must retain the copyright



* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* "This product includes cryptographic software written by

* Eric Young ([email protected])"

* The word 'cryptographic' can be left out if the routines from the library

* being used are not cryptographic related :-).

* 4. If you include any Windows specific code (or a derivative thereof) from

* the apps directory (application code) you must include an acknowledgement:

* "This product includes software written by Tim Hudson ([email protected])"

*

* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `ÀS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT



* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

*

* The licence and distribution terms for any publically available version or

* derivative of this code cannot be changed. i.e. this code cannot simply be

* copied and put under another distribution licence

* [including the GNU Public Licence.]

*/

LLVM

Version 3.6

Copyright (c) 2003-2015 University of Illinois at Urbana-Champaign.

----------------------------------------------------------------------------------------------------

==============================================================================

LLVM Release License

==============================================================================

University of Illinois/NCSA

Open Source License

Copyright (c) 2003-2014 University of Illinois at Urbana-Champaign.

All rights reserved.

Developed by:

LLVM Team

University of Illinois at Urbana-Champaign

http://llvm.org

Permission is hereby granted, free of charge, to any person obtaining a copy of

this software and associated documentation files (the "Software"), to deal with

the Software without restriction, including without limitation the rights to

use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies

of the Software, and to permit persons to whom the Software is furnished to do

so, subject to the following conditions:

* Redistributions of source code must retain the above copyright notice,

this list of conditions and the following disclaimers.

* Redistributions in binary form must reproduce the above copyright notice,

this list of conditions and the following disclaimers in the

documentation and/or other materials provided with the distribution.

* Neither the names of the LLVM Team, University of Illinois at

Urbana-Champaign, nor the names of its contributors may be used to

endorse or promote products derived from this Software without specific

prior written permission.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS

FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE

SOFTWARE.

==============================================================================

Copyrights and Licenses for Third Party Software Distributed with LLVM:

==============================================================================

The LLVM software contains code written by third parties. Such software will

have its own individual LICENSE.TXT file in the directory in which it appears.

This file will describe the copyrights, license, and restrictions which apply

to that code.

The disclaimer of warranty in the University of Illinois Open Source License

applies to all code in the LLVM Distribution, and nothing in any of the

other licenses gives permission to use the names of the LLVM Team or the

University of Illinois to endorse or promote products derived from this

Software.

The following pieces of software have additional or alternate copyrights,

licenses, and/or restrictions:

Program Directory

------- ---------

Autoconf llvm/autoconf

llvm/projects/ModuleMaker/autoconf



Google Test llvm/utils/unittest/googletest

OpenBSD regex llvm/lib/Support/{reg*, COPYRIGHT.regex}

pyyaml tests llvm/test/YAMLParser/{*.data, LICENSE.TXT}

ARM contributions llvm/lib/Target/ARM/LICENSE.TXT

md5 contributions llvm/lib/Support/MD5.cpp llvm/include/llvm/Support/MD5.h

TAGGANT

Version 1.0

Copyright (c) 2012 IEEE. All rights reserved

----------------------------------------------------------------------------------------------------------------------

This software was developed by The Institute of Electrical and Electronics

Engineers, Incorporated (IEEE), through the Industry Connections Security

Group (ICSG) of its Standards Association. Portions of it include software

developed by the OpenSSL Project for use in the OpenSSL Toolkit

(http://www.openssl.org/), and those portions are governed by the OpenSSL

Toolkit License.

IEEE License

============

/* ====================================================================

* Copyright (c) 2012 IEEE. All rights reserved.

*



* are met:

*



*




* distribution.

*



* "This product includes software developed by the IEEE Industry

* Connections Security Group (ICSG)".

*

* 4. The name "IEEE" must not be used to endorse or promote products

* derived from this software without prior written permission from

* the IEEE Standards Association ([email protected]).

*

* 5. Products derived from this software may not contain "IEEE" in

* their names without prior written permission from the IEEE Standards

* Association ([email protected]).

*


* acknowledgment:

* "This product includes software developed by the IEEE Industry

* Connections Security Group (ICSG)".

*

* THIS SOFTWARE IS PROVIDED "AS IS" AND "WITH ALL FAULTS." IEEE AND ITS

* CONTRIBUTORS EXPRESSLY DISCLAIM ALL WARRANTIES AND REPRESENTATIONS,

* EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION: (A) THE IMPLIED

* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE;

* (B) ANY WARRANTY OF NON-INFRINGEMENT; AND (C) ANY WARRANTY WITH RESPECT

* TO THE QUALITY, ACCURACY, EFFECTIVENESS, CURRENCY OR COMPLETENESS OF

* THE SOFTWARE.

*

* IN NO EVENT SHALL IEEE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES,

* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)




* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING

* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

* POSSIBILITY OF SUCH DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS

* FORESEEABLE.

*

* THIS SOFTWARE USES STRONG CRYPTOGRAPHY, WHICH MAY BE SUBJECT TO LAWS

* AND REGULATIONS GOVERNING ITS USE, EXPORTATION OR IMPORTATION. YOU ARE

* SOLELY RESPONSIBLE FOR COMPLYING WITH ALL APPLICABLE LAWS AND

* REGULATIONS, INCLUDING, BUT NOT LIMITED TO, ANY THAT GOVERN YOUR USE,

* EXPORTATION OR IMPORTATION OF THIS SOFTWARE. IEEE AND ITS CONTRIBUTORS

* DISCLAIM ALL LIABILITY ARISING FROM YOUR USE OF THE SOFTWARE IN

* VIOLATION OF ANY APPLICABLE LAWS OR REGULATIONS.

* ====================================================================

*/

OpenSSL Toolkit License

=======================

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of

the OpenSSL License and the original SSLeay license apply to the toolkit.

See below for the actual license texts. Actually both licenses are BSD-style

Open Source licenses. In case of any license issues related to OpenSSL

please contact [email protected].

OpenSSL License

---------------

/* ====================================================================

* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.

*



* are met:

*



*




* distribution.

*




* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

*

* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

* endorse or promote products derived from this software without

* prior written permission. For written permission, please contact

* [email protected].

*

* 5. Products derived from this software may not be called "OpenSSL"

* nor may "OpenSSL" appear in their names without prior written

* permission of the OpenSSL Project.

*


* acknowledgment:


* for use in the OpenSSL Toolkit (http://www.openssl.org/)"

*

* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY

* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;



* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)


* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

* OF THE POSSIBILITY OF SUCH DAMAGE.

* ====================================================================

*

* This product includes cryptographic software written by Eric Young

* ([email protected]). This product includes software written by Tim

* Hudson ([email protected]).

*

*/

Original SSLeay License

-----------------------

/* Copyright (C) 1995-1998 Eric Young ([email protected])

* All rights reserved.

*

* This package is an SSL implementation written

* by Eric Young ([email protected]).

* The implementation was written so as to conform with Netscapes SSL.

*

* This library is free for commercial and non-commercial use as long as

* the following conditions are adhered to. The following conditions

* apply to all code found in this distribution, be it the RC4, RSA,

* lhash, DES, etc., code; not just the SSL code. The SSL documentation

* included with this distribution is covered by the same copyright terms

* except that the holder is Tim Hudson ([email protected]).

*

* Copyright remains Eric Young's, and as such any Copyright notices in

* the code are not to be removed.

* If this package is used in a product, Eric Young should be given attribution

* as the author of the parts of the library used.

* This can be in the form of a textual message at program startup or

* in documentation (online or textual) provided with the package.

*



* are met:

* 1. Redistributions of source code must retain the copyright



* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* "This product includes cryptographic software written by

* Eric Young ([email protected])"

* The word 'cryptographic' can be left out if the rouines from the library

* being used are not cryptographic related :-).

* 4. If you include any Windows specific code (or a derivative thereof) from

* the apps directory (application code) you must include an acknowledgement:

* "This product includes software written by Tim Hudson ([email protected])"

*

* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `ÀS IS'' AND

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.



*

* The licence and distribution terms for any publically available version or

* derivative of this code cannot be changed. i.e. this code cannot simply be

* copied and put under another distribution licence

* [including the GNU Public Licence.]

*/

smali/baksmali

Version 2.1.1

Copyright (c) 2010 Ben Gruver (JesusFreke)

*******************************************************************************

Copyright (c) 2010 Ben Gruver (JesusFreke)


Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions

are met:

1. Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright

notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products

derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR `ÀS IS'' AND ANY EXPRESS OR

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*******************************************************************************

Unless otherwise stated in the code/commit message, any changes with the

committer of [email protected] is copyrighted by Google Inc. and released

under the following license:

*******************************************************************************

Copyright 2011, Google Inc.


Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are

met:

* Redistributions of source code must retain the above copyright

notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above

copyright notice, this list of conditions and the following disclaimer

in the documentation and/or other materials provided with the

distribution.

* Neither the name of Google Inc. nor the names of its

contributors may be used to endorse or promote products derived from

this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

*******************************************************************************

Various portions of the code are taken from the Android Open Source Project,



and are used in accordance with the following license:

*******************************************************************************

Copyright (C) 2007 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

*******************************************************************************

Some parts of the smalidea plugin are based on code from the IDEA project, per the

following license

*******************************************************************************

Copyright 2000-2014 JetBrains s.r.o.

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.

*******************************************************************************

Zlib

Version: 1.2.3

Copyright notice: (C) 1995-2004 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will theauthors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercialapplications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote theoriginal software. If you use this software in a product, an acknowledgment in the productdocumentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented asbeing the original software.

3. This notice may not be removed or altered from any source distribution.

Expat

Version: 2.0.0

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

and Clark Cooper

Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software andassociated documentation files (the "Software"), to deal in the Software without restriction,including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,and/or sell copies of the Software, and to permit persons to whom the Software is furnished todo so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantialportions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR APARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGESOR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISINGFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.

Trio

Version: 1.1.0

Copyright (C) 1998-2001 by Bjorn Reese and Daniel Stenberg.

Permission to use, copy, modify, and distribute this software for any purpose with or without feeis hereby granted, provided that the above copyright notice and this permission notice appear inall copies.

THIS SOFTWARE IS PROVIDED `ÀS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS



FOR A PARTICULAR PURPOSE. THE AUTHORS AND CONTRIBUTORS ACCEPT NO RESPONSIBILITY INANY CONCEIVABLE MANNER.

Y2038

Copyright (c) 2007-2010 Michael G Schwern

Permission is hereby granted, free of charge, to any person obtaining a copy of this software andassociated documentation files (the "Software"), to deal in the Software without restriction,including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,and/or sell copies of the Software, and to permit persons to whom the Software is furnished todo so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantialportions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR APARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS ORCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN ANACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITHTHE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Libtommath

Version: 0.42

Copyright: Copyright © Tom St Denis

[LICENSE #1]

LibTomMath is public domain.

BeaEngine 5

Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>

GNU LESSER GENERAL PUBLIC LICENSE

Version 3, 29 June 2007


Everyone is permitted to copy and distribute verbatim copies

of this license document, but changing it is not allowed.

This version of the GNU Lesser General Public License incorporates

the terms and conditions of version 3 of the GNU General Public

License, supplemented by the additional permissions listed below.

0. Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser

General Public License, and the "GNU GPL" refers to version 3 of the GNU

General Public License.

"The Library" refers to a covered work governed by this License,

other than an Application or a Combined Work as defined below.

An "Application" is any work that makes use of an interface provided

by the Library, but which is not otherwise based on the Library.

Defining a subclass of a class defined by the Library is deemed a mode

of using an interface provided by the Library.

A "Combined Work" is a work produced by combining or linking an

Application with the Library. The particular version of the Library

with which the Combined Work was made is also called the "Linked

Version".

The "Minimal Corresponding Source" for a Combined Work means the

Corresponding Source for the Combined Work, excluding any source code

for portions of the Combined Work that, considered in isolation, are

based on the Application, and not on the Linked Version.

The "Corresponding Application Code" for a Combined Work means the

object code and/or source code for the Application, including any data

and utility programs needed for reproducing the Combined Work from the

Application, but excluding the System Libraries of the Combined Work.

1. Exception to Section 3 of the GNU GPL.

You may convey a covered work under sections 3 and 4 of this License

without being bound by section 3 of the GNU GPL.

2. Conveying Modified Versions.

If you modify a copy of the Library, and, in your modifications, a

facility refers to a function or data to be supplied by an Application

that uses the facility (other than as an argument passed when the

facility is invoked), then you may convey a copy of the modified

version:

a) under this License, provided that you make a good faith effort to

ensure that, in the event an Application does not supply the



function or data, the facility still operates, and performs

whatever part of its purpose remains meaningful, or

b) under the GNU GPL, with none of the additional permissions of

this License applicable to that copy.

3. Object Code Incorporating Material from Library Header Files.

The object code form of an Application may incorporate material from

a header file that is part of the Library. You may convey such object

code under terms of your choice, provided that, if the incorporated

material is not limited to numerical parameters, data structure

layouts and accessors, or small macros, inline functions and templates

(ten or fewer lines in length), you do both of the following:

a) Give prominent notice with each copy of the object code that the

Library is used in it and that the Library and its use are

covered by this License.

b) Accompany the object code with a copy of the GNU GPL and this license

document.

4. Combined Works.

You may convey a Combined Work under terms of your choice that,

taken together, effectively do not restrict modification of the

portions of the Library contained in the Combined Work and reverse

engineering for debugging such modifications, if you also do each of

the following:

a) Give prominent notice with each copy of the Combined Work that

the Library is used in it and that the Library and its use are

covered by this License.

b) Accompany the Combined Work with a copy of the GNU GPL and this license

document.

c) For a Combined Work that displays copyright notices during

execution, include the copyright notice for the Library among

these notices, as well as a reference directing the user to the

copies of the GNU GPL and this license document.

d) Do one of the following:

0) Convey the Minimal Corresponding Source under the terms of this

License, and the Corresponding Application Code in a form

suitable for, and under terms that permit, the user to

recombine or relink the Application with a modified version of

the Linked Version to produce a modified Combined Work, in the

manner specified by section 6 of the GNU GPL for conveying

Corresponding Source.

1) Use a suitable shared library mechanism for linking with the

Library. A suitable mechanism is one that (a) uses at run time

a copy of the Library already present on the user's computer

system, and (b) will operate properly with a modified version

of the Library that is interface-compatible with the Linked

Version.

e) Provide Installation Information, but only if you would otherwise

be required to provide such information under section 6 of the

GNU GPL, and only to the extent that such information is

necessary to install and execute a modified version of the

Combined Work produced by recombining or relinking the

Application with a modified version of the Linked Version. (If

you use option 4d0, the Installation Information must accompany

the Minimal Corresponding Source and Corresponding Application

Code. If you use option 4d1, you must provide the Installation

Information in the manner specified by section 6 of the GNU GPL

for conveying Corresponding Source.)

5. Combined Libraries.

You may place library facilities that are a work based on the

Library side by side in a single library together with other library

facilities that are not Applications and are not covered by this

License, and convey such a combined library under terms of your

choice, if you do both of the following:

a) Accompany the combined library with a copy of the same work based

on the Library, uncombined with any other library facilities,



conveyed under the terms of this License.

b) Give prominent notice with the combined library that part of it

is a work based on the Library, and explaining where to find the

accompanying uncombined form of the same work.

6. Revised Versions of the GNU Lesser General Public License.

The Free Software Foundation may publish revised and/or new versions

of the GNU Lesser General Public License from time to time. Such new

versions will be similar in spirit to the present version, but may

differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the

Library as you received it specifies that a certain numbered version

of the GNU Lesser General Public License "or any later version"

applies to it, you have the option of following the terms and

conditions either of that published version or of any later version

published by the Free Software Foundation. If the Library as you

received it does not specify a version number of the GNU Lesser

General Public License, you may choose any version of the GNU Lesser

General Public License ever published by the Free Software Foundation.

If the Library as you received it specifies that a proxy can decide

whether future versions of the GNU Lesser General Public License shall

apply, that proxy's public statement of acceptance of any version is

permanent authorization for you to choose that version for the

Library.

GNU GENERAL PUBLIC LICENSE

Version 3, 29 June 2007


Everyone is permitted to copy and distribute verbatim copies of this license document, butchanging it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedomto share and change the works. By contrast, the GNU General Public License is intended to

guarantee your freedom to share and change all versions of a program--to make sure it remainsfree software for all its users. We, the Free Software Foundation, use the GNU General PublicLicense for most of our software; it applies also to any other work released this way by itsauthors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General PublicLicenses are designed to make sure that you have the freedom to distribute copies of freesoftware (and charge for them if you wish), that you receive source code or can get it if you wantit, that you can change the software or use pieces of it in new free programs, and that you knowyou can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you tosurrender the rights. Therefore, you have certain responsibilities if you distribute copies of thesoftware, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must passon to the recipients the same freedoms that you received. You must make sure that they, too,receive or can get the source code. And you must show them these terms so they know theirrights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on thesoftware, and (2) offer you this License giving you legal permission to copy, distribute and/ormodify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty forthis free software. For both users' and authors' sake, the GPL requires that modified versions bemarked as changed, so that their problems will not be attributed erroneously to authors ofprevious versions.

Some devices are designed to deny users access to install or run modified versions of the softwareinside them, although the manufacturer can do so. This is fundamentally incompatible with theaim of protecting users' freedom to change the software. The systematic pattern of such abuseoccurs in the area of products for individuals to use, which is precisely where it is mostunacceptable. Therefore, we have designed this version of the GPL to prohibit the practice forthose products. If such problems arise substantially in other domains, we stand ready to extendthis provision to those domains in future versions of the GPL, as needed to protect the freedomof users.

Finally, every program is threatened constantly by software patents. States should not allowpatents to restrict development and use of software on general-purpose computers, but in thosethat do, we wish to avoid the special danger that patents applied to a free program could make iteffectively proprietary. To prevent this, the GPL assures that patents cannot be used to render theprogram non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

0. Definitions.

“This License” refers to version 3 of the GNU General Public License.



“Copyright” also means copyright-like laws that apply to other kinds of works, such assemiconductor masks.

“The Program” refers to any copyrightable work licensed under this License. Each licensee isaddressed as “you”. “Licensees” and “recipients” may be individuals or organizations.

To “modify” a work means to copy from or adapt all or part of the work in a fashion requiringcopyright permission, other than the making of an exact copy. The resulting work is called a“modified version” of the earlier work or a work “based on” the earlier work.

A “covered work” means either the unmodified Program or a work based on the Program.

To “propagate” a work means to do anything with it that, without permission, would make youdirectly or secondarily liable for infringement under applicable copyright law, except executing iton a computer or modifying a private copy. Propagation includes copying, distribution (with orwithout modification), making available to the public, and in some countries other activities aswell.

To “convey” a work means any kind of propagation that enables other parties to make or receivecopies. Mere interaction with a user through a computer network, with no transfer of a copy, isnot conveying.

An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes aconvenient and prominently visible feature that (1) displays an appropriate copyright notice, and(2) tells the user that there is no warranty for the work (except to the extent that warranties areprovided), that licensees may convey the work under this License, and how to view a copy of thisLicense. If the interface presents a list of user commands or options, such as a menu, a prominentitem in the list meets this criterion.

1. Source Code.

The “source code” for a work means the preferred form of the work for making modifications toit. “Object code” means any non-source form of a work.

A “Standard Interface” means an interface that either is an official standard defined by arecognized standards body, or, in the case of interfaces specified for a particular programminglanguage, one that is widely used among developers working in that language.

The “System Libraries” of an executable work include anything, other than the work as a whole,that (a) is included in the normal form of packaging a Major Component, but which is not part ofthat Major Component, and (b) serves only to enable use of the work with that MajorComponent, or to implement a Standard Interface for which an implementation is available to thepublic in source code form. A “Major Component”, in this context, means a major essentialcomponent (kernel, window system, and so on) of the specific operating system (if any) on whichthe executable work runs, or a compiler used to produce the work, or an object code interpreterused to run it.

The “Corresponding Source” for a work in object code form means all the source code needed togenerate, install, and (for an executable work) run the object code and to modify the work,including scripts to control those activities. However, it does not include the work's SystemLibraries, or general-purpose tools or generally available free programs which are used unmodifiedin performing those activities but which are not part of the work. For example, Corresponding

Source includes interface definition files associated with source files for the work, and the sourcecode for shared libraries and dynamically linked subprograms that the work is specifically designedto require, such as by intimate data communication or control flow between those subprogramsand other parts of the work.

The Corresponding Source need not include anything that users can regenerate automaticallyfrom other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, andare irrevocable provided the stated conditions are met. This License explicitly affirms yourunlimited permission to run the unmodified Program. The output from running a covered work iscovered by this License only if the output, given its content, constitutes a covered work. ThisLicense acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions solong as your license otherwise remains in force. You may convey covered works to others for thesole purpose of having them make modifications exclusively for you, or provide you with facilitiesfor running those works, provided that you comply with the terms of this License in conveying allmaterial for which you do not control copyright. Those thus making or running the covered worksfor you must do so exclusively on your behalf, under your direction and control, on terms thatprohibit them from making any copies of your copyrighted material outside their relationship withyou.

Conveying under any other circumstances is permitted solely under the conditions stated below.Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicablelaw fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention oftechnological measures to the extent such circumvention is effected by exercising rights under thisLicense with respect to the covered work, and you disclaim any intention to limit operation ormodification of the work as a means of enforcing, against the work's users, your or third parties'legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium,provided that you conspicuously and appropriately publish on each copy an appropriatecopyright notice; keep intact all notices stating that this License and any non-permissive termsadded in accord with section 7 apply to the code; keep intact all notices of the absence of anywarranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer supportor warranty protection for a fee.

5. Conveying Modified Source Versions.



You may convey a work based on the Program, or the modifications to produce it from theProgram, in the form of source code under the terms of section 4, provided that you also meet allof these conditions:

§ a) The work must carry prominent notices stating that you modified it, and giving a relevantdate.

§ b) The work must carry prominent notices stating that it is released under this License and anyconditions added under section 7. This requirement modifies the requirement in section 4 to“keep intact all notices”.

§ c) You must license the entire work, as a whole, under this License to anyone who comes intopossession of a copy. This License will therefore apply, along with any applicable section 7additional terms, to the whole of the work, and all its parts, regardless of how they are packaged.This License gives no permission to license the work in any other way, but it does not invalidatesuch permission if you have separately received it.

§ d) If the work has interactive user interfaces, each must display Appropriate Legal Notices;however, if the Program has interactive interfaces that do not display Appropriate Legal Notices,your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not bytheir nature extensions of the covered work, and which are not combined with it such as to forma larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” ifthe compilation and its resulting copyright are not used to limit the access or legal rights of thecompilation's users beyond what the individual works permit. Inclusion of a covered work in anaggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5,provided that you also convey the machine-readable Corresponding Source under the terms ofthis License, in one of these ways:

§ a) Convey the object code in, or embodied in, a physical product (including a physicaldistribution medium), accompanied by the Corresponding Source fixed on a durable physicalmedium customarily used for software interchange.

§ b) Convey the object code in, or embodied in, a physical product (including a physicaldistribution medium), accompanied by a written offer, valid for at least three years and valid foras long as you offer spare parts or customer support for that product model, to give anyone whopossesses the object code either (1) a copy of the Corresponding Source for all the software in theproduct that is covered by this License, on a durable physical medium customarily used forsoftware interchange, for a price no more than your reasonable cost of physically performing thisconveying of source, or (2) access to copy the Corresponding Source from a network server at nocharge.

§ c) Convey individual copies of the object code with a copy of the written offer to provide theCorresponding Source. This alternative is allowed only occasionally and noncommercially, and onlyif you received the object code with such an offer, in accord with subsection 6b.

§ d) Convey the object code by offering access from a designated place (gratis or for a charge),and offer equivalent access to the Corresponding Source in the same way through the same placeat no further charge. You need not require recipients to copy the Corresponding Source alongwith the object code. If the place to copy the object code is a network server, the CorrespondingSource may be on a different server (operated by you or a third party) that supports equivalentcopying facilities, provided you maintain clear directions next to the object code saying where tofind the Corresponding Source. Regardless of what server hosts the Corresponding Source, youremain obligated to ensure that it is available for as long as needed to satisfy these requirements.

§ e) Convey the object code using peer-to-peer transmission, provided you inform other peerswhere the object code and Corresponding Source of the work are being offered to the generalpublic at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the CorrespondingSource as a System Library, need not be included in conveying the object code work.

A “User Product” is either (1) a “consumer product”, which means any tangible personal propertywhich is normally used for personal, family, or household purposes, or (2) anything designed orsold for incorporation into a dwelling. In determining whether a product is a consumer product,doubtful cases shall be resolved in favor of coverage. For a particular product received by aparticular user, “normally used” refers to a typical or common use of that class of product,regardless of the status of the particular user or of the way in which the particular user actuallyuses, or expects or is expected to use, the product. A product is a consumer product regardless ofwhether the product has substantial commercial, industrial or non-consumer uses, unless suchuses represent the only significant mode of use of the product.

“Installation Information” for a User Product means any methods, procedures, authorization keys,or other information required to install and execute modified versions of a covered work in thatUser Product from a modified version of its Corresponding Source. The information must sufficeto ensure that the continued functioning of the modified object code is in no case prevented orinterfered with solely because modification has been made.

If you convey an object code work under this section in, or with, or specifically for use in, a UserProduct, and the conveying occurs as part of a transaction in which the right of possession anduse of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardlessof how the transaction is characterized), the Corresponding Source conveyed under this sectionmust be accompanied by the Installation Information. But this requirement does not apply ifneither you nor any third party retains the ability to install modified object code on the UserProduct (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continueto provide support service, warranty, or updates for a work that has been modified or installed bythe recipient, or for the User Product in which it has been modified or installed. Access to anetwork may be denied when the modification itself materially and adversely affects the operationof the network or violates the rules and protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided, in accord with this sectionmust be in a format that is publicly documented (and with an implementation available to thepublic in source code form), and must require no special password or key for unpacking, readingor copying.



7. Additional Terms.

“Additional permissions” are terms that supplement the terms of this License by makingexceptions from one or more of its conditions. Additional permissions that are applicable to theentire Program shall be treated as though they were included in this License, to the extent thatthey are valid under applicable law. If additional permissions apply only to part of the Program,that part may be used separately under those permissions, but the entire Program remainsgoverned by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additionalpermissions from that copy, or from any part of it. (Additional permissions may be written torequire their own removal in certain cases when you modify the work.) You may place additionalpermissions on material, added by you to a covered work, for which you have or can giveappropriate copyright permission.

Notwithstanding any other provision of this License, for material you add to a covered work, youmay (if authorized by the copyright holders of that material) supplement the terms of this Licensewith terms:

§ a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of thisLicense; or

§ b) Requiring preservation of specified reasonable legal notices or author attributions in thatmaterial or in the Appropriate Legal Notices displayed by works containing it; or

§ c) Prohibiting misrepresentation of the origin of that material, or requiring that modifiedversions of such material be marked in reasonable ways as different from the original version; or

§ d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

§ e) Declining to grant rights under trademark law for use of some trade names, trademarks, orservice marks; or

§ f) Requiring indemnification of licensors and authors of that material by anyone who conveysthe material (or modified versions of it) with contractual assumptions of liability to the recipient,for any liability that these contractual assumptions directly impose on those licensors andauthors.

All other non-permissive additional terms are considered “further restrictions” within the meaningof section 10. If the Program as you received it, or any part of it, contains a notice stating that it isgoverned by this License along with a term that is a further restriction, you may remove thatterm. If a license document contains a further restriction but permits relicensing or conveyingunder this License, you may add to a covered work material governed by the terms of that licensedocument, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevantsource files, a statement of the additional terms that apply to those files, or a notice indicatingwhere to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately writtenlicense, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License.Any attempt otherwise to propagate or modify it is void, and will automatically terminate yourrights under this License (including any patent licenses granted under the third paragraph ofsection 11).

However, if you cease all violation of this License, then your license from a particular copyrightholder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finallyterminates your license, and (b) permanently, if the copyright holder fails to notify you of theviolation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if thecopyright holder notifies you of the violation by some reasonable means, this is the first time youhave received notice of violation of this License (for any work) from that copyright holder, and youcure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who havereceived copies or rights from you under this License. If your rights have been terminated and notpermanently reinstated, you do not qualify to receive new licenses for the same material undersection 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program.Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peertransmission to receive a copy likewise does not require acceptance. However, nothing other thanthis License grants you permission to propagate or modify any covered work. These actionsinfringe copyright if you do not accept this License. Therefore, by modifying or propagating acovered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from theoriginal licensors, to run, modify and propagate that work, subject to this License. You are notresponsible for enforcing compliance by third parties with this License.

An “entity transaction” is a transaction transferring control of an organization, or substantially allassets of one, or subdividing an organization, or merging organizations. If propagation of acovered work results from an entity transaction, each party to that transaction who receives acopy of the work also receives whatever licenses to the work the party's predecessor in interesthad or could give under the previous paragraph, plus a right to possession of the CorrespondingSource of the work from the predecessor in interest, if the predecessor has it or can get it withreasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmedunder this License. For example, you may not impose a license fee, royalty, or other charge forexercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using,selling, offering for sale, or importing the Program or any portion of it.

11. Patents.



A “contributor” is a copyright holder who authorizes use under this License of the Program or awork on which the Program is based. The work thus licensed is called the contributor's“contributor version”.

A contributor's “essential patent claims” are all patent claims owned or controlled by thecontributor, whether already acquired or hereafter acquired, that would be infringed by somemanner, permitted by this License, of making, using, or selling its contributor version, but do notinclude claims that would be infringed only as a consequence of further modification of thecontributor version. For purposes of this definition, “control” includes the right to grant patentsublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under thecontributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run,modify and propagate the contents of its contributor version.

In the following three paragraphs, a “patent license” is any express agreement or commitment,however denominated, not to enforce a patent (such as an express permission to practice apatent or covenant not to sue for patent infringement). To “grant” such a patent license to aparty means to make such an agreement or commitment not to enforce a patent against theparty.

If you convey a covered work, knowingly relying on a patent license, and the CorrespondingSource of the work is not available for anyone to copy, free of charge and under the terms of thisLicense, through a publicly available network server or other readily accessible means, then youmust either (1) cause the Corresponding Source to be so available, or (2) arrange to depriveyourself of the benefit of the patent license for this particular work, or (3) arrange, in a mannerconsistent with the requirements of this License, to extend the patent license to downstreamrecipients. “Knowingly relying” means you have actual knowledge that, but for the patent license,your conveying the covered work in a country, or your recipient's use of the covered work in acountry, would infringe one or more identifiable patents in that country that you have reason tobelieve are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, orpropagate by procuring conveyance of, a covered work, and grant a patent license to some of theparties receiving the covered work authorizing them to use, propagate, modify or convey aspecific copy of the covered work, then the patent license you grant is automatically extended toall recipients of the covered work and works based on it.

A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibitsthe exercise of, or is conditioned on the non-exercise of one or more of the rights that arespecifically granted under this License. You may not convey a covered work if you are a party toan arrangement with a third party that is in the business of distributing software, under whichyou make payment to the third party based on the extent of your activity of conveying the work,and under which the third party grants, to any of the parties who would receive the covered workfrom you, a discriminatory patent license (a) in connection with copies of the covered workconveyed by you (or copies made from those copies), or (b) primarily for and in connection withspecific products or compilations that contain the covered work, unless you entered into thatarrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or otherdefenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) thatcontradict the conditions of this License, they do not excuse you from the conditions of thisLicense. If you cannot convey a covered work so as to satisfy simultaneously your obligationsunder this License and any other pertinent obligations, then as a consequence you may notconvey it at all. For example, if you agree to terms that obligate you to collect a royalty for furtherconveying from those to whom you convey the Program, the only way you could satisfy boththose terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine anycovered work with a work licensed under version 3 of the GNU Affero General Public License into asingle combined work, and to convey the resulting work. The terms of this License will continue toapply to the part which is the covered work, but the special requirements of the GNU AfferoGeneral Public License, section 13, concerning interaction through a network will apply to thecombination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General PublicLicense from time to time. Such new versions will be similar in spirit to the present version, butmay differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certainnumbered version of the GNU General Public License “or any later version” applies to it, you havethe option of following the terms and conditions either of that numbered version or of any laterversion published by the Free Software Foundation. If the Program does not specify a versionnumber of the GNU General Public License, you may choose any version ever published by theFree Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General PublicLicense can be used, that proxy's public statement of acceptance of a version permanentlyauthorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additionalobligations are imposed on any author or copyright holder as a result of your choosing to follow alater version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHERPARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSEDOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITYAND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY ANDPERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOUASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.



16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANYCOPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM ASPERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THEPROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDEREDINACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAMTO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEENADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legaleffect according to their terms, reviewing courts shall apply local law that most closelyapproximates an absolute waiver of all civil liability in connection with the Program, unless awarranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

libCurl 7.50

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2016, Daniel Stenberg, [email protected], and many contributors, see theTHANKS file.


Permission to use, copy, modify, and distribute this software for any purpose with or without feeis hereby granted, provided that the above copyright notice and this permission notice appear inall copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR APARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR INCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertisingor otherwise to promote the sale, use or other dealings in this Software without prior writtenauthorization of the copyright holder.

LibJpeg8

Version: 8.4.0

Copyright © 1991-2010, Thomas G. Lane, Guido Vollbeding

LEGAL ISSUES [ from README supplied with source - MM ]

The authors make NO WARRANTY or representation, either express or implied,

with respect to this software, its quality, accuracy, merchantability, or

fitness for a particular purpose. This software is provided "AS IS", and you,

its user, assume the entire risk as to its quality and accuracy.

This software is copyright (C) 1991-2010, Thomas G. Lane, Guido Vollbeding.

All Rights Reserved except as specified below.

Permission is hereby granted to use, copy, modify, and distribute this

software (or portions thereof) for any purpose, without fee, subject to these

conditions:

(1) If any part of the source code for this software is distributed, then this

README file must be included, with this copyright and no-warranty notice

unaltered; and any additions, deletions, or changes to the original files

must be clearly indicated in accompanying documentation.

(2) If only executable code is distributed, then the accompanying

documentation must state that "this software is based in part on the work of

the Independent JPEG Group".

(3) Permission for use of this software is granted only if the user accepts

full responsibility for any undesirable consequences; the authors accept

NO LIABILITY for damages of any kind.

These conditions apply to any software derived from or based on the IJG code,

not just to the unmodified library. If you use our work, you ought to

acknowledge us.

Permission is NOT granted for the use of any IJG author's name or company name

in advertising or publicity relating to this software or products derived from

it. This software may be referred to only as "the Independent JPEG Group's

software".

We specifically permit and encourage the use of this software as the basis of

commercial products, provided that all warranty or liability claims are

assumed by the product vendor.

ansi2knr.c is included in this distribution by permission of L. Peter Deutsch,

sole proprietor of its copyright holder, Aladdin Enterprises of Menlo Park, CA.

ansi2knr.c is NOT covered by the above copyright and conditions, but instead

by the usual distribution terms of the Free Software Foundation; principally,

that you must include source code if you redistribute it. (See the file



ansi2knr.c for full details.) However, since ansi2knr.c is not needed as part

of any program generated from the IJG code, this does not limit you more than

the foregoing paragraphs do.

The Unix configuration script "configure" was produced with GNU Autoconf.

It is copyright by the Free Software Foundation but is freely distributable.

The same holds for its supporting scripts (config.guess, config.sub,

ltmain.sh). Another support script, install-sh, is copyright by X Consortium

but is also freely distributable.

The IJG distribution formerly included code to read and write GIF files.

To avoid entanglement with the Unisys LZW patent, GIF reading support has

been removed altogether, and the GIF writer has been simplified to produce

"uncompressed GIFs". This technique does not use the LZW algorithm; the

resulting GIF files are larger than usual, but are readable by all standard

GIF decoders.

We are required to state that

"The Graphics Interchange Format(c) is the Copyright property of

CompuServe Incorporated. GIF(sm) is a Service Mark property of

CompuServe Incorporated."

Exhibit B - Third-Party Software for Sentinel EMS andSentinel Cloud Add-onA. The following free software components are used and distributed pursuant to the ApacheLicense, Version 1.1, and are subject to the terms and conditions of said License: (i) Avalonframework 4.1.3 and (ii) logkit-1.0.1.jar. The Apache License, Version 1.1, is located at:http://www.apache.org/licenses/LICENSE-1.1.

B. The following free software components are used and distributed pursuant to the ApacheLicense, Version 2.0, and are subject to the terms and conditions of said

Li-cense: (i) Spring 3.0.5; (ii) IzPack; (iii) json-lib-2.2.3-jdk15; (iv) EHCache; (v) acegi-security-1.0.2; (vi)derby 10.2.2.jar; (vii) ezmorph-1.0.6.jar; (viii) lucene-core-2.3.2.jar; (ix) xercesImpl-2.8.1; (x) xalan-2.6.0; (xi) standalone-compiler.jar; (xii) commons-beanutils-1.7.0; (xiii) commons-collections-3.2;

(xiv) commons-lang-2.4; (xv) commons-logging-1.1; (xvi) Quartz 1.6.5; (xvii) Apache Tomcat 6; (xviii)JCS; (xviv) Log4j; and (xvv) Log4net. Said free software components are subject to the following

copyright: Copyright © 2012 The Apache Software Foundation. All rights reserved. The ApacheLicense, Version 2.0, is located at: http://www.apache.org/licenses/LICENSE-2.0.

C. The following free software components are used and distributed pursuant to the GNU LesserGPL License 2.1, and are subject to the terms and conditions of said

Li-cense: (i) XLightWeb; (ii) Hibernate; and (iii) DynamicJasper 3.1.1. The GNU Lesser GPL License 2.1is located at: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.

D. The free software component known as "XStream" is used and distributed pursuant to the BSDLicense for XStream, and is subject to the terms and conditions of said License. The BSD Licensefor XStream is located at: http://xstream.codehaus.org/license.html.

E. The free software component known as "Bouncy Castle" is used and distributed pursuant tothe terms and conditions of the License located at:

http://www.bouncycastle.org/licence.html.

F. The free software component known as “Libcurl” is used and distributed pursuant to the termsand conditions of the License located at: http://curl.haxx.se/legal/licmix.html.

G. The free software component known as “Libconfig” is used and distributed pursuant to theterms and conditions of the License located at: hhttp://www.gnu.org/licenses/lgpl.html.

H. The free software component known as “Liblogger” is used and distributed pursuant to theterms and conditions of the License located at: http://www.gnu.org/licenses/lgpl-3.0.txt.

I. The free software component known as “GenX” is used and distributed pursuant to the termsand conditions of the License located at: http://www.tbray.org/ongoing/genx/COPYING.

J. The free software component known as “Libexpat” is used and distributed pursuant to the MITLicense, and is subject to the terms and conditions of said License located at:http://opensource.org/licenses/MIT

K. The free software component known as “uthash” is used pursuant to the terms and conditionsof the License located at: http://uthash.sourceforge.net/license.html.

L. The free software component known as “SpiderMonkey” is used and distributed pursuant tothe MPL/GPL/LGPL tri-license, and is subject to the terms and conditions of said Licenses.

M. The free software component known as “OpenSSL” is used and distributed pursuant to theterms and conditions of the License located at: http://www.openssl.org/source/license.html.

N. The free software component known as "YUI" is used and distributed pursuant to the BSDLicense, and is subject to the terms and conditions of said License. The said software componentis subject to the following copyright: Copyright © 2010, Yahoo! Inc. All rights reserved. The BSDLicense for YUI is located at: http://developer.yahoo.com/yui/license.html.

O. The free software components known as (i) JasperReports and (ii) JasperBerry_002 are usedand distributed pursuant to the LGPL License, and is subject to the terms and conditions of saidLicense. The LGPL license is available at: http://www.gnu.org/copyleft/lesser.html.

Exhibit B - Third-Party Software for Sentinel EMS and Sentinel Cloud Add-on 351


P. The free software component known as "Javolution.jar" is used and distributed pursuant to theBSD License for Javolution.jar, and is subject to the terms and conditions of said License. The BSDLicense for Javolution.jar is located at: http://javolution.org/LICENSE.txt.

Q. The free software component known as "jempbox-0.2.0.jar" is used and distributed pursuantto the BSD License for jempbox-0.2.0.jar, and is subject to the terms and conditions of saidLicense. The BSD License for jempbox-0.2.0.jar is located at:http://www.jempbox.org/license.html.

R. The free software component known as "JDOM" is used and distributed pursuant to the JDOMLicense, and is subject to the terms and conditions of said License. The JDOM License is locatedat: http://vmgump.apache.org/gump/public- jars/jdom/jars/LICENSE.txt.

S. The free software component known as "icu4j-2.6.1.jar" is used and distributed pursuant toICU4J License, and is subject to the terms and conditions of said License. The ICU4J License islocated at: http://www.xom.nu/lib/normalizer_license.html.

T. The free software component known as "Dojo 1.3" is used and distributed pursuant to theterms and conditions of the license located at: http://o.dojotoolkit.org/license.

U. The free software component known as "7-zip 4.65" is used and distributed pursuant to theterms and conditions of the license located at: http://www.7- zip.org/license.txt.

V. The free software component known as "Curl 7.15.1" is used and distributed pursuant to theterms and conditions of the license located at: http://curl.haxx.se/docs/copyright.html.

W. The free software component known as "JRE 1.6" is used and distributed pursuant to theterms and conditions of the license located at:

http://www.oracle.com/technetwork/java/javase/terms/license/index.html

Index

.

.NET DLL assembliesexception handling for missing

license 67

8

80-hasp.rules file 164

A

Activating Productsabout 97manually 150with HL keys 107with SL keys 107

Admin APIcompared to Admin Control

Center 181functionality 181how to make Product names

visible 190managing user access to 182

Admin API, about 182Admin Control Center

about 181administrator’s workflow 196compared to Admin API 181configuration considerations 196customizing look and feel of 197diagnostics 197functionality 181how to make Product names

visible 190interface 194-195launching 194managing user access to 182overview 193troubleshooting 301

writing template for 198Admin License

ManagerSee also License

Managerabout 176managing user access to 182

Administrationfunctions 99tasks 147

AdminMode keys See SL AdminMode keysAES decryption See DecryptionAES encryption See Encryptionamin user account 98Android applications

clone protection scheme 274-275considerations 73distributing Runtime

Environment 173License Manager 181protecting 72

AppOnChip functionality 61AppOnChip module 62, 262Attacks

clock tampering 78cloning hardware keys 78defense against 77emulating protection keys 78modifying key memory 77patching executables 77using remote desktops 78

B

Base Product 117Batch Code Admin

role 98, 158Batch Codes

about 27DEMOMA 99, 148for Features 114for orders 130

Index

354 Index

for Products 116for RUS 145, 152introducing in Sentinel LDK 147Sentinel LDK user access 148

Bootstrap methods or attributes 70Branding RUS 145, 152Broadcast Search for Remote

Licenses 267Bundles See also Unlocked Products

how to prepare manually 289

C

C2Vchecking in files 136data for cancellation 126data in files 135data in keys 136from cloned machine 136generating files 136, 145, 152storing data in Sentinel EMS 136viewing data 136

Canceling licenses 126Cancellation Products

about 126defining 126example 127

Certificate-based SL keys, viewingcontents of 141

Checking in C2V files 136client machine

about 184configuration of 185

Clock, virtual See V-ClockClone protection 118

for physical machines 271for virtual machines 276

Clone protection schemesabout 271

Cloned machineschecking in C2V 136how to clear the "cloned"

status for 283how to detect 280

Cloned status, how to clear 283Cloud licensing 36Code Transformation Engine 61

Communicationbetween License Managers 267between protected application

and local LM 266Comparing protection solutions 23Concurrent instances

changing settings 125counting 120in entitlement 132license terms 120network environment 120per order 120

Connection loss with a Networklicense 191

Cross-locking 26Custom reports 159Customer orders See EntitlementsCustomer Portal 140Customer Services

function 130role 98, 150

Customersauthorization to manage 150defining 131entitlements for 131locating 131

Customized Vendorlibraries See Vendor library

Customizing RUS 145, 152

D

Data File Advanced Protectionmodule 263

Data File Protection pluginabout 86generating 17getting started 87overview 83

Data filesAdvanced Data File Protection

module 263how to protect 81License Manager for protected

data files 180licensing, getting started 87locking type for protected data 84

Index 355

fileswhen to protect 84

Data Protection facility 82Data Protection module 82Data Protection utility

for Mac 85getting started 87how to launch 85overview 81prerequisites 85who should use 84

DataHASP See Data Protection utilityDecryption

about 33, 42Default

password 147user name 147

Default memory 120Demo kit 13DEMOMA

Batch Code 99, 148Detachable license

requirement for RTE 167Detachable licenses

configuring in Features 190preparing recipient machine 144

Details pane (in Sentinel EMSscreen) 101

Developer keyintroducing 149requesting a replacement 303

Developmentfunctions 143role 98, 130, 142

Diagnostics in Admin ControlCenter 197

Distributing See also End user softwareRUS 145

Distribution list for reports 158DLL for Runtime Environment

installer 144DllMain, calling Licensing API from 61Driverless configuration

described 29how to upgrade to 293requirement for RTE 167

DuplicatingProducts 123

Dynamic memory 121

E

EID (entitlement ID) 131EMS See Sentinel EMSEncryption

about 33, 42End-of-life Product 124End user software

about 163haspdinst.exe 171HASPUserSetup.exe 171merge modules 168

Entitlement Managerfunctions 130role 98, 130, 138

Entitlementsabout 96activating 140customers 131defining 131EID (entitlement ID) 131examples 136for HL keys 133, 139for Product Keys 133, 139for Protection Key updates 133for SL keys 133holding 135in production queue 134including Products 131producing 139Product locking types 132status values 135withdrawing 140

Envelope.NET considerations 64Android considerations 73Android prerequisites 72authorization to operate 98customizable parameters 58functionality 55Java considerations 70Linux, how to use 68Mac prerequisites 68, 70

356 Index

mandatory parameters 57prerequisites 59protecting .NET assemblies 64protecting Android applications 72protecting Java executables 69, 71protecting Mac binaries 68protecting Win32 programs 60protecting Windows x64

programs 60running from commandline 63, 68using Features 58workflow 56

Examplesdefining Features 105defining Products 106license cancellation 127license terms 110Modification Product 125order for HL keys 136order for Product Keys 137order using SL 137protection levels 110Provisional Products 145trial use 145

EXE fileprotecting See EnvelopeRuntime Environment installer 144with V2C data 143, 152

ExportAdmin Control Center format 144C-style header 144CPP-style header 144CSV format 145Feature data 115XML format 145

Exported functions (forAppOnChip) 62

External LicenseManager

See also LicenseManager

about 61, 176

F

Fallback to V-Clock 286Feature ID 0

about 58default duration 123

for licensing data files 89Features

about 96Batch Codes 114defining 114deleting 115detachable licenses 120example 105exporting 115Feature ID 115Feature name 114identifying 105in Envelope 58in Products 105, 117license terms 110maximum number of 269status values 115testing for presence of 291transferring data 115

FID 0 See Feature ID 0Files

C2V 126, 135EXE with V2C data 134, 140, 143export 115Product Keys 133, 139Runtime Environment EXE 144Runtime Environment installer

DLL 144Unlocked Products 143V2C 134, 140, 143Vendor Code 47

Filter tool (in Sentinel EMS screen) 101fingerprint 30, 271

analyzing 280Formatting HL keys 136FQDN clone protection scheme 276

description 279limitation 273

Function bars (in Sentinel EMSscreen) 101

G

Getting startedlicensing data files 87

Grace periodsabout 109

Index 357

Unlocked/Trialware Products 122

H

Hardlock, migrating from 17HASP configuration 29, 167HASP HL keys See also HL keys

HASP HL keys in Sentinel LDK 30HASP HL, migrating from 17HASP search mode 58HASP SL keys See SL keyshasp_rt.exe file 176HASP4, migrating from 17haspdinst.exe 171hasplmd process 266HASPUserSetup.exe 171Hibernate service (Java) 70HL concurrency-enabled key 296HL keys

attributes 31entitlements 133formatting 136order example 136orders 139Product activation 107protection 107requirement for RTE 167tamper protection for time-

based licenses 285update standalone key to

network key 296updating licenses with RUS 153upgrade to Driverless

configuration 293, 296HL network keys

description 296HL Pool of Seats

about 258HL standalone key

upgrading to HL network key 296HTTP

for TCP packets between twoLM 268

I

IANA-registered socket 265

IDentitlement 131Feature 115

InstallingRuntime Environment 143Server 99Unlocked Products 143

Integrated LicenseManager

See also LicenseManager

about 176Introducing Vendor keys 99IPv4 sockets 266IPv6 sockets 266

J

Javabehavior of protected

executables 71protecting executables 69required RTE libraries 165

Java executablesconsiderations 70

K

Key See also Protection keys; Vendor keys

L

Legacy keys See SL Legacy keysLicense Generation API 101License Manager

comparison of types 177configuration files 186for Android 181for Linux 180for Mac 180handling lost connection 191local and remote LMs

about 177

local and remote LMscommunication 267

overview 175protected data files 180Run-time network activity 265selection process 177types of 176

358 Index

License Manager tools 181comparison of 181

license server machineabout 184configuration of 185

License termsabout 110assigning values 119canceling 126concurrent instances 120example 110for different entitlements 132Modification Products 125network access 120remote desktop users 120remote updates 133revoking 126selecting license type 119specifying 119transferring 126updating 133values per order 120virtual machines 120

License typesabout 110assigning values 119selecting 119values per order 120

Licensingabout 103fundamentals 24planning 24, 96, 104solutions 24

Licensing APIabout 45functionality 52login function 50planning requirements 49prerequisites 46samples 49ToolBox 48workflow 49

Licensing modelsdetailed description of 209overview 205preparing licensing plan 104

Licensing Plan functions 113Linux

distributing RuntimeEnvironment 172

Envelope, how to use 68License Manager selection 180required file for Sentinel HL

(Driverless configuration)key 164

linuxenv application 68List of reports 159LM See License ManagerLocating keys for update 134Locked Product

installing RTE for 144Locking Sentinel LDK users 149Locking types

about 106for protected data files 84HL only 107HL or SL 109Products in entitlements 132selecting 117SL only 107

M

Macdistributing Runtime

Environment 171encrypting data for 85License Manager selection 180protecting binaries 68

MAC addressclone prevention 276

Main pane (in Sentinel EMSscreen) 101

Managed Servicesintroducing keys 150modules on Master key 255

Map fileused by AppOnChip to identify

functions 62Master key See also Vendor keys

about 28introducing 149maintaining 149

Index 359

requesting a replacement 303Master Wizard 83

about 17generating Data File Protection

plugin 86Memory

about 111defining 120storing data 122utilizing 43

Merge modules 168Migrating to Sentinel LDK 17Modification Products

about 124defining 125example 125license terms 125

N

.NET assembliesconsiderations 64global Feature 65Method-level protection 65method-specific settings 65obfuscation 67protecting 64required RTE libraries 165

Networkaccess to license 120concurrent instances 120

Network activity (Run-time) inSentinel LDK 265

Network Seat licensesmanaging access to 183released after loss of

connection 191requirement for RTE 167

New SL Key Poolabout 257

O

Obfuscation in .NET assemblies 67Obsolete Product 124Offline activation 141

Customer Portal 17

Online activation 141Customer Portal 17

Order reference data 134Orders See Entitlements

P

Passwords (Sentinel LDK)assigning to users 149changing 99default 147receiving 99

Performance Profiling 62PMType1 clone protection scheme 273PMType2 clone protection scheme 274PMType3 clone protection scheme 274PMType4 clone protection scheme 275Pool of Seats

HL or SL 258Product activation 133

manual 150with HL keys 107with SL keys 107

Product Activation module, about 257Product Keys

about 133authorization to manage 150entitlements for 133files 133, 139order example 137orders 139Product activation 150proof of purchase 133server verification 133use with SL keys 133

Product Management role 113Product Manager role 98Product name

how to make visible in LicenseManager tools 190

Productionentitlements in queue 134functions 130orders for HL keys 139orders for Product Keys 139role 98, 130, 138

360 Index

Productsabout 96activation 97Base Product 117Batch Codes 116Cancellation Products 126defining 116duplicating 123End-of-life 124example 106grace period See Unlocked

TrialwareProducts

in entitlements 131including Features 106, 117locking types 106, 117memory 120Modification Products 124Product name 116reference data 117restoring 124status values 123trial See Unlocked Trialware Productstypes 117Unlocked Products 122withdrawing 124

Protect Once–Deliver Many-EvolveOften 26

Protected data files See Data filesProtection

against cloning 118against copying 22Android applications 72API See Licensing APIattack types 77data files 81defense against attacks 77elements 41encryption and decryption 33, 79fundamentals 21, 76inserting multiple calls 79intellectual property 22Java executables 69Mac binaries 68Method-level 65options 44

programs and data files 42selecting method 43solutions 22solutions, combined 23solutions, comparison 23using checksum verification 79using Run-time API and

Envelope 79Protection Key memory See MemoryProtection Key updates

about 133applying remotely 133applying with RUS 152entitlements for 133for SL AdminMode keys 142implementing 97locating keys 134

Protection keysfor entitlements 132HL keys 29locating for update 134locking 106memory 122searching for 58selecting 28SL keys 30updating 133

Protection levelsexample 110HL keys 107per order 109SL keys 107

Provisional Productsexample 145

R

Read-only memory 111, 121Read/write-once memory 121Read/write memory 111, 120-121Real-time clock

when the battery is depleted 286Recycling HL keys 136Rehosting

using RUS 155Remote desktop

access to license 120

Index 361

Remote License Manager 267Remote Update System See RUSReport Generation role 158Reports

about the Reports facility 157custom (user-defined) 159export formats 159granting permissions to work

with 158license to generate custom

reports 263list of available 159presentation formats 159scheduling 158

Restoring obsolete Products 124Roles 97

Batch Code Admin 98, 158Customer Services 98, 150Development 98, 130, 142Entitlement Manager 98, 130for Sentinel LDK users 148Product Manager 98Production 98, 130Report Generation 158Super User 98

RTCwhen the battery is depleted 286

RTE See Run-time EnvironmentRun-time Environment

Admin License Manager 176command-line installer 144distributing for Android 173distributing for Linux 172distributing for Mac 171distributing to end users 166EXE file 144generating installer 144initializing 133installer API 144installer DLL 144installer PKG 144Mac PKG 144required libraries for .NET and

Java 165to optimize performance of 291updating 168

when required 166Run-time network activity 265RUS

applying Protection Keyupdates 152

Batch Code 145, 152branding 145, 152customizing 145, 152description 145, 151distributing 145, 152executable 152generating C2V files 145, 152instructions for end users 153processing V2C files 134, 140, 152with HL keys 153with SL keys 153

S

s 149SaaS 35Secure storage 309Sentine LDK users See Users (Sentinel LDK)Sentinel Admin API See Admin APISentinel Cloud Licensing 36Sentinel EMS

about 95description of screen 100evaluating 99, 148Home screen 99roles 97

Sentinel Hardware Keys, migratingfrom 18

Sentinel HASP, migrating from 18Sentinel HL keys See HL keysSentinel LDK Envelope See EnvelopeSentinel LDK Run-

timeEnvironment

See Run-timeEnvironment

Sentinel LDK ToolBox See ToolBoxSentinel License

Manager See License ManagerSentinel Licensing API See Licensing APISentinel Master key See Vendor keysSentinel protection

keys See Protection keysSentinel Remote Update System See RUS

362 Index

Sentinel SL keys See SL keysSentinel Vendor keys See Vendor keysServer

connecting Master key 99installing 99

SHK, migrating from 18SL AdminMode keys

about 30applying update to 142attributes 31how this mode is selected 108location of V2C files on end

user's machine 141requirement for RTE 167

SL keysentitlements for 133order example 137Product activation 107, 133protection 107Runtime Environment 133, 143tamper protection for time-

based licenses 285updating licenses with RUS 153viewing contents of 141

SL Legacy keysabout 30attributes 31requirement for RTE 167

SL Pool of Seats 258SL UserMode keys

about 30attributes 31effect on performance 291how this mode is selected 108including in an RTE package 261location of licenses on end

user's machine 141requirement for RTE 167

Smartkey, migrating from 17socket 1947 265Software as a service 35Solutions

combined protection 23customizing 27protection 22protection, comparison 23

Standalone licensesrequirement for RTE 167

Starter kit 13Status values

Features 115orders 135Products 123

Super User 98role 98

SuperPro, migrating from 17Synthetic methods 70

T

Task buttons (in Sentinel EMSscreen) 101

Technical specifications 33Templates for Admin Control

Center 198Toolbox

authorization to operate 98ToolBox

about 48encrypting data 49

Transferring an SL key 155Trialware

about 109example 145license to create 261Unlocked/Trialware Products 122

Trialware Module license, about 261

U

uDP notification packet 98UDP packets 268Unlimited Concurrency license

type 260Unlocked Products

defining 122generating bundles 143generating V2C file 144how to bundle manually 289in entitlements 131installing 143key ID 143license terms 122, 143license to create 262

Index 363

output files 143properties 122Vendor library 143

Unlocked Trialware module 261Unlocked Trialware Products

description 109installing 133

Unlocked Unlimited module 262Updates See Protection Key updatesUpdating deployed keys 133Upgrade Sentinel HL key to

Driverless configuration 293Upgrade to Driverless attribute 295User roles See RolesUserMode keys See SL UserMode keysUsers (Sentinel LDK)

access to Batch Codes 148default user name 147defining 148described 97locking 149passwords 99, 149preventing access 149roles 148user names 99, 148

V

V-Clockfallback to if the RTC in an HL

key is depeted 286Master key module 262tamper protection for time-

based licenses 285V2C

data in EXE 134default file location 140file for Unlocked Products 143generating files 134, 140, 152input to Runtime Environment 144launching files 145processing with RUS 134, 140

Vendor-to-Customer file See V2CVendor Code

about 27extracting 47Master Wizard 47

Vendor ID 311Vendor keys

Developer key 28extracting Vendor Code 47introducing 99, 149maintaining Master keys 149Master key 28remote connection of 28requesting a replacement 303

Vendor library 143, 311Version 1 (Data Protection)

about 83Version 2 (Data Protection)

about 83Virtual clock See V-ClockVirtual MAC address

clone protection 276Virtual machines

access to license 120clone protection 276live migration 279

Vlib See Vendor libraryVMType1 clone protection scheme

description 276limitation 273

VMType2 clone protection schemedescription 278

Volume license 242

W

Win32 programsbehavior of protected

applications 60data file protection 63

Windows x64 programsbehavior of protected

applications 60data file protection 63

WithdrawingProducts 124

Date post:	30-Mar-2018
Category:	Documents
Upload:	buiphuc
View:	285 times
Download:	9 times