CodeMeter in Virtual Environments
The migration of mid- to large-sized computing environments into the cloud creates significant problems for ISVs looking to prevent unauthorized access of applications while still providing a positive experience for their users.
CodeMeter provides the strongest known protection against using virtualization to abuse license privileges. This works just as well with CmAct licenses as it does with CmDongles.
What is Virtualization?
Products such as VMware or Hyper-V create “virtual machines (VM)” in the memory of a physical computer. Thus one computer can seem to be multiple machines, each running its own operating system and applications. The physical machine is called a host, and each operating system running in a VM on the host is called a guest. Virtualization is used to run a lot of independent servers on one physical machine, to realize high availability solutions and to run tests in a sandbox. It’s easy to clone (duplicate) or reset a virtual machine.
Hand in hand with virtualization, enterprises are also using terminal services. Instead of running Windows, say, on a desktop, a remote user with a simple computer can have his or her desktop of Windows on a terminal server (TS). This desktop is called a session. Terminal server sessions and virtual machines are very similar. All the application software runs on the same physical machine. For the corporate IT manager, the benefits of this are numerous and outside the scope of this article. For the application software publisher (ISV) the worry is that these VMs and TSs can run multiple copies of an application with a single license. For this reason, many ISVs include a test in the application code: if a VM or TS is detected, do not run the software. This does not endear them to users who have legal copies of their software but want to run it in a virtual environment for legitimate reasons.
CodeMeter to the rescue
Fortunately, CodeMeter can give everybody what they want. Nearly everything is handled automatically. You don’t need to care about VMs or terminal servers because CodeMeter does it for you. Let’s look at the following scenarios:
- The CmContainer is connected to another computer, which runs as a CodeMeter license server in the network. The CodeMeter Runtime on the VM and the terminal server ”sees” each virtual machine or terminal server session as a different computer. So it automatically counts the correct number of users, using the ISV’s software. It makes no difference if the software is running on a virtual machine, a terminal server, or a desktop computer. These licenses are referred to as floating network licenses.
- The CmContainer is connected directly to the host. In this case only the host has access to the CodeMeter functionality. If the host is configured as a CodeMeter license server in the network, each guest can also use the floating network licenses on the host, as in the prior scenario. First, however, the ISV has to activate the network functionality.
- The CmContainer is connected to a guest. In this case only this guest system has access to the licenses, unless the guest is configured as network server. This is similar to (1).
- The CmContainer is connected to the terminal server. In this case all sessions have local access to the license, because they are running on the same instance of the operating system. For non-CodeMeter dongles, this scenario can allow the user to break the licensing limits. But not CodeMeter, because it counts local licenses in the same way as network licenses. So if it is a 5 machine license (we call this stationshare), it can be used in 5 sessions at the same time, but no more.
A significant fear of ISVs is that multiple guest systems share a license intended for just one session. Is CodeMeter vulnerable to this scenario? The answer is no. Because of the security architecture in CodeMeter, having two guest systems attempt to share one license on a CodeMeter stick would cause too many secret key exchanges to be generated—CodeMeter would shut down for some interval, disabling both copies of the software.
So it is not possible to share one CmContainer between two computers or virtual machines at all. Nobody can permanently multiply licenses using virtual machines or reverse USB hubs (one USB device, two computers).
Usually it is not easy to connect a USB device to a virtual machine. VMware ESX only supports this in the latest version and blade servers usually don’t have free USB connectors. In such cases a USB-to-Ethernet hub is the answer. Similar to a “normal” USB hub, this adaptor connects several USB devices to a network over TCP/IP with a standard Ethernet (network) cable. Using a special driver, the CodeMeter Runtime sees the CmDongle as USB device as if it were directly connected to the computer rather than the network. Wibu-Systems has tested several such USB hubs from Digi Network, Silex, and Belkin. Ask your Wibu-Systems support representative for a whitepaper containing the details.
For more information on how to protect your application software from virtual machine piracy, please contact Wibu-Systems technical support department at 1.800.6-Go.Wibu.