This White Paper presents an evolution of the various methods that FlexNet Publisher Trusted Storage has utilized to identify a client system to its server with an emphasis on best practice recommendations of using the Unique Machine Number (UMN).
1. W H I T E PA P E R
FlexNet Publisher Trusted Storage
Unique Identifier – Usage Guidelines
2. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
FlexNet Publisher Trusted Storage
Unique Identifier – Usage Guidelines
Executive Summary The publisher can use these multiple sections of TS and
This White Paper presents an evolution of the various apply stronger or lighter binding to that section, depending
methods that FlexNet Publisher Trusted Storage has utilized on the binding configuration applied to that section.
to identify a client system to its server with an emphasis on
best practice recommendations of using the Unique Machine FlexNet Publisher’s flexible binding features mean that some
Number (UMN). binding change can occur without the fulfillment records
stored on the machine losing trust. However, since the
Requirement for Client System Identification Machine Identifier includes all binding items, it will change
Various methods of identifying a client system have been if any item changes. If more than half of the weighted
introduced for different purposes at different stages in the binding items simultaneous change, this is known as a
evolution of FlexNet Publisher Trusted Storage. All of these binding break.
methods have been retained for backward compatibility.
In addition, some legacy identifying methods may be This allows a publisher to trade off strong binding, with high
necessary for some operational modes that are protection at the risk of a support call if some element of
described below. the binding changes, against weak binding, where there is
basic protection against fraud but much less chance of the
Machine ID end user being inconvenienced if a physical characteristic of
The Machine ID (MID) is generated from machine binding the system is changed. By default in FlexNet Publisher strong
items as configured by the user. Binding items are individual binding is enabled. Weak binding can be
physical characteristics of the machine that are used configured by explicitly disabling binding items in the
individually or in combination to create a signature of the trusted configuration.
system hardware. It is for this reason that Machine ID is also
known as the “Binding Hash.” MIDs have their shortcomings. They are subject to change
since they are based on multiple binding items that are user
When implement ing Act ivat ion in FlexNet Publisher, license selectable. Furthermore, some binding items are more likely
rights are held in a secure “vault” known as Trusted Storage to change than others (e.g., IP address).
(TS). The Trusted Storage is unique to each machine and
t his uniqueness is maintained by t he publisher who may Since this value can change when Trusted Storage is
wish to apply different licensing strategies to individual repaired, the server must keep an audit trail of previous
features or to complete software packages. To allow t his MIDs to track the client. Unfortunately, when system changes
granularity, Trusted Storage can be divided into sect ions occur which are within security tolerance, they do not
to match t he features or applicat ions of t hose ent itlements necessarily trigger repairs. The result is the activation server
t hat are being managed. may not have a record of the most current MID on the client
machine. Therefore, it is inadvisable to base a reinstall
The MID is generated in the client at the request of the business decision solely on MID.
server. In the case where multiple trusted storage sections
exist on the machine’s hard drive, there will be more than This susceptibility to change (“brittleness”) may be reduced
one MID on that system. by removing the HID_SYSTEM and HID_INTERNET binding
items from the trusted configuration.
2
II Flexera Software: FlexNet Publisher White Paper Series
3. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
Previously, the Machine ID was recommended as the best UMN, therefore, is derived according to the type of client
means to authenticate a system but an improved approach, system or “platform.” Mindful of the possibility that it may
based upon lessons learned, has superseded this method. not be possible to generate a UMN in certain circumstances
This method is known as UMN and is described below. on certain machines, a second mechanism was defined for
each platform, to be used as a backup approach.
Unique Machine Number
The Unique Machine Number (UMN) was introduced in This is the reason why there is a primary UMN1 and
FlexNet Publisher v11.3 in an attempt to overcome the a fallback UMN2. UMN1 is the first-choice on each
shortcomings of the techniques described above. platform. It has been chosen to give the best chance that
each machine will have a different UMN, but may not be
UMN is designed to be unique and constant. Not available on all machines.
dependent on being a stored value, it is intended that it
can be faithfully regenerated on a given piece of hardware UMN2 is the second-choice on each platform. It has been
even after a complete system wipe and be used to positively chosen as being available on a very high percentage of
identify itself as the client system that was originally issued machines but with a greater chance of duplication.
license rights.
Sources of UMN
UMN is now the best practice method of establishing and FlexNet Publisher clients are supported on a wide range of
verifying client identity and is described in greater detail in platforms, and so a number of different means of generating
the next section. UMN values exist depending on the underlying hardware.
TSSN Since UMN was introduced in FlexNet Publisher v11.3,
The TSSN is a randomly-generated, unique number stored in experience has been gained which has prompted a change
a trusted storage file when it is first created. However, this is in strategy regarding the source of information used to
not linked to any physical attribute of a machine’s hardware. generate the UMN values. This change is manifested in
FlexNet Publisher v11.6.1 and beyond.
The TSSN can be used to identify a particular instance of
trusted storage (i.e., the file but not the machine it is on). UMN2 on Windows systems is now derived from the MAC
address of the primary network interface. This is determined
UMN in Detail by ignoring any class of network interface that is not on a
Introduction physical bus. This means that removable and virtual network
UMN was introduced in FlexNet v11.3 to overcome the interfaces are not considered, ensuring the reliability of
consistency problems with MID described above. UMN2 on Windows.
The intent was to derive a means to uniquely identify an Diagram 1 lists UMN1 and UMN2 derivations for each
end user’s computer system for subsequent licensing supported platform.
transactions. UMN identifies the client system to which
license rights apply.
UMN is used when initially granting activation rights, in
returning license rights, and when repairing an activation
(which requires confirmation of the client being the same
one that originally received the allowed activation).
In an ideal world, all systems would have a globally-unique
serial number burned into the main circuit board. Indeed,
some of the high-end workstations from HP and Sun
Microsystems provide this. However, for all other systems
the next best identifying technique is UMN.
Even with an unchanging, unique identifier, a software
producer’s business logic would still have to handle the case
where the main hardware failed and had to be replaced,
causing the unique identifier to change.
Flexera Software: FlexNet Publisher White Paper Series 3
4. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
v11.3 – 11.6.0 v11.6.1 onward
Platform UMN1 UMN2 UMN2
Windows Boot disk serial number. Boot disk geometry. Primary Ethernet MAC
address.
Mac MAC Unique System ID. On newer systems, this ID is burned-in Primary Ethernet MAC Primary Ethernet MAC
to the motherboard, so the number cannot be changed. For address. address.
older systems, this information is on the disk and can only be
overwritten by low-level formatting.
Linux Hard disk serial number. Primary Ethernet MAC Primary Ethernet MAC
Only available if FlexNet PublisherLicensingService is run. address. address.
AIX Unique hardware serial number. Available on all PCI based AIX Primary Ethernet MAC Primary Ethernet MAC
hardware. address. address.
HP/UX Unique hardware security key Primary Ethernet MAC Primary Ethernet MAC
address. address.
Solaris Serial number generated during manufacturing and written Primary Ethernet MAC Primary Ethernet MAC
to the EEPROM. Please note that this value changes on OS address. address.
reinstallation on Sun or PC hardware but not on SPARC.
Diagram 1. FlexNet Publisher clients are supported on a wide range of platforms, and so a number of different means of generating UMN values exist depending
on the underlying hardware.
Potential Shortcomings Best Practice
As can be seen, the preferred UMN1 value is a hardware The following operations are presented as Best Practice:
serial number when it’s available. In the case of x86-
compatible systems (the Windows and Linux platforms), this Anchoring
is not available, and so the next best identifier is the serial On Windows systems, both track 0 and registry anchoring
number of the hard disk retrieved programmatically. should be enabled (i.e. stick with the default).
Unfortunately, for FlexNet Publisher client systems based Binding
on Windows, there is not a consistent and reliable means Initial trusted configurations should use the default settings
of interrogating the hard disk serial number. It can also for binding with everything enabled. However, to overcome
be seen that all systems derive the fallback UMN2 value the brittleness of MID, it is recommended that the system
from the system’s primary Ethernet MAC address, except (HID_SYSTEM) and IP address (HID_INTERNET) binding
Windows systems. This can lead to problems explained in items be excluded.
more details in the section Things that can go wrong with
UMN. If Track 0 anchoring is turned off by default, as is the
case in FlexNet Operations versions until 11.5, then it is
UMN Post v11.6.1 recommended that track 0 is turned back on. If track 0 is not
The shortcomings alluded to above (and described in turned on, then the binding item HID_MSN should also be
more detail in a later section) prompted a move to derive excluded from binding. This is because HID_MSN is stored
UMN2 from the Ethernet MAC address of the system’s in anchors, and could be subject to change in the case of a
primary network interface. This was not done previously, in bona fide system restore.
part, because network interfaces on Windows PC systems
historically were usually add-in cards. The presence or lack Use UMN
of a card, or indeed the possibility of exchanging cards, did Use UMN1 and UMN2 to assist in deciding whether to
not suggest a reliable source of system identifier. approve a repair transaction.
However, today network interface hardware on Windows Recommendations for the use of UMN on Windows
platforms is typically a feature of the system’s main board, platforms and suitable fallback strategies now differ
especially for notebook computers. It is now a more between the pre and post 11.6.1 versions of FlexNet
obvious choice. Publisher. Accordingly, these recommendations are
presented separately.
Therefore, for FlexNet Publisher v11.6.1 and beyond,
UMN2 for Windows platforms has been brought into Best Practice versions 11.3 to 11.6.0
line with the other clients to use the primary Ethernet For activations, repairs, and re-installations, it is
MAC address. recommended that UMN1 be used as the first choice.
4 Flexera Software: FlexNet Publisher White Paper Series
5. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
Software producers who have previously used Machine ID UMN2
or TSSN to identify machines should update their licensing In FlexNet Publisher client versions before 11.6.1, the
database to record UMNs as a machine’s identity. The fallback UMN2 value for Windows systems is derived from
Machine ID is still available post v11.6.1 in all standard the geometry of the system’s primary hard disk. Note that
XML requests and the TSSN in repair requests. This means two hard disk drives with the same model number from
they can be used to find out if a machine already the same manufacturer will have the same disk geometry.
exists on the database and then to update the record to This approach has been found to be problematic in certain
include UMN. situations where a cluster of client systems are of identical
specification (e.g., having been specified and bought
Producers who use Machine ID or TSSN as the input to their en masse for a particular project). In this scenario, all
business logic (e.g., in deciding whether to allow repeated the UMN2 values are identical since the hard drives are
repairs) should now use UMN as the recommended form of identical and have identical geometries. This results in non-
client identifier. unique UMN2 values being presented to the server with
each client appearing to be the same.
Things that can go wrong with UMN pre- v11.6.1
While UMN is the best method to identify a client to Also, in RAID or virtual machine configurations, if there
its server, no technique is perfect. Several variables can were problems obtaining a serial number from the primary
contribute to problems with UMN. drive (as will often be the case), there may also be problems
in obtaining the disk geometry.
In decreasing order of severity:
1. Non-consistent or random UMN In these pre- FlexNet Publisher v11.6.1 Windows client
– UMN changes when the query is refreshed or scenarios, it is recommended that UMN2 not be used.
sometimes after reboot (common with RAID) Instead, the fallback is to use Machine ID with the HID_
2. Non-unique UMN in some rare situations SYSTEM and HID_INTERNET binding items excluded. An
3. Brittleness example trusted configuration file that shows how to disable
– Value changes after a hardware upgrade/repair. binding items can be found in Appendix A of the Trusted
4. Not obtainable Storage-based Licensing Programming Reference guide.
– UMN not supported by the underlying driver or
device. In summary, UMN1 on Windows systems generally works
well, but some operational issues concerning UMN1
UMN 1 have arisen due to the lack of a reliable, hardware-
There is the possibility on Windows platforms using SSD, based identifier.
RAID, or virtual machines (e.g., using VirtualPC or VMWare)
that the UMN1 value may be random resulting in multiple Unfortunately, when difficulties do arise in deriving UMN1,
re-install requests. For these same reasons, the UMN the fact that UMN2 on Windows is not guaranteed to
value can also be non-unique, resulting in giving away be unique tends to compound the problem, especially in
entitlements to multiple clients since they all have the same workgroups where identical hardware has been sourced or
UMN identifier. if RAID or virtual machines are used.
In these cases, including the condition where UMN1 is Best Practice for v11.6.1 and Beyond
reported as being “not available”, it is advisable to use For activations, repairs, and re-installations, it is suggested
MID instead. that UMN1 be used as the first choice.
It is recommended to upgrade to the latest version of the The behavior of UMN1 generation on Windows clients has
FlexNet Windows Licensing Service (available in the been improved in v11.6.1 with respect to handling SSD,
FlexNet Publisher v11.6.1 and above) in order to remove RAID, and Virtual Machine disk configurations.
random or non-unique UMN1 values from these types of
systems. This version of the service will return the UMN1 In cases where FlexNet Publisher versions pre- 11.6.1 may
value as being “not available.” have become confused and produced changing UMN1
values, the enhancements described in this document will
The Windows FlexNet Licensing Service is designed to now yield a consistent UMN1 value or none at all. This
always be backward compatible with earlier versions of behavior is more predictable and robust and will remove
FlexNet Publisher (back to v11.3). The licensing service may spurious re-install requests that were previously experienced
be installed from the latest FlexNet Publisher kit. in these particular configurations.
Flexera Software: FlexNet Publisher White Paper Series 5
6. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
When a UMN1 value is not available, UMN2 should be will not resolve this issue. Therefore, UMN1 should not be
used instead because it is much improved in v11.6.1 and used in such systems in versions of FlexNet Publisher prior to
beyond since it is disconnected from the primary disk 11.6.1.
configuration details.
The behavior for UMN1 in v11.6.1 is for UMN1 to be
Producers who have previously used Machine ID or TSSN denoted as “not available”, and UMN2 should be used.
to identify machines should update their licensing database
to record UMNs as a machine’s identify. The Machine ID is Virtual Machines
still available in all standard XML requests (and the TSSN The same issue mentioned above for RAID systems also
in repair requests) in v11.6.1 so these requests can be used causes non-unique values to be generated for UMN1 in
to find out if a machine already exists on the database and virtualized environments. This has been fixed in the FlexNet
then update the record to include UMN. Publisher v11.6.1 client code, so it is not possible to pick
up this fix by updating just the FlexNet Licensing Service.
Producers who use Machine ID or TSSN as the input to their UMN1 should not be used in such systems in versions of
business logic (e.g., in deciding whether to allow repeated FlexNet Publisher prior to 11.6.1.
repairs) should now use UMN as the recommended form of
client identifier. The behavior for UMN1 in v11.6.1 is for UMN1 to be
denoted as “not available”, and the fallback strategy is for
Side Effects of Changing the Source of UMN2 on UMN2 to be used, as described above.
Windows
In the unlikely event that a producer has been using UMN2 Note that while MAC addresses are unique in virtual
on Windows clients (only in the small percentage of cases machine instances, it is possible for a user to modify them
when UMN1 is not available) and then upgrades to FlexNet which is a possible area for license circumvention.
Publisher v11.6.1, a re-install will be required since the
value of UMN2 will be different due to the change in source FlexNet Operations
used for it generation. In versions of FlexNet Operations prior to 11.5, only MID
was used.
It should be noted that FlexNet Operations has never used
UMN2 for Windows activations pre-v11.6.1 so this will In versions of FlexNet Operations from 11.5, the following
only affect LGT users. fallback is in place:
Solid State Drive (SSD) All platforms:
A number of Windows machines have been evaluated • UMN1, then
for use with FlexNet Publisher that feature an SSD as the • MID
primary drive. Those devices whose software drivers present
them as an IDE drive appear to work as any normal disk In transactions between FlexNet Publisher client and FlexNet
drive and yield a serial number for UMN1. Operations, the first choice for client identification made by
the server is UMN1. Should UMN1 be unavailable, noted
As previously stated, some SCSI devices present a problem by the lack of a UMN1 entry in the activation request, the
in obtaining the disk serial number in FlexNet Publisher fallback is to Machine ID (MID).
versions prior to 11.6.1. Since some SSDs appear as SCSI
devices, this same condition may occur. In scenarios that do In versions of FlexNet Operations starting with 12.7 (where
not yield a consistent UMN1 value, the fallback should be UMN2 is used), the fallback will be:
used. This condition has been fixed in the FlexNet Licensing
Service for Windows available in FlexNet Publisher All platforms:
v11.6.1. • UMN1, then
• UMN2, then
RAID • MID
Another issue has been found which allows non-unique
and/or random values to be generated for UMN1 when the FlexNet Operations can detect this since the version number
primary hard disk in an FlexNet Publisher client is a RAID is included in activation requests with the client and FlexNet
configuration. Publisher v11.6.1 supports a robust UMN2.
This has been fixed in the FlexNet Publisher v11.6.1 client
code, so updating to the latest FlexNet Licensing Service
6 Flexera Software: FlexNet Publisher White Paper Series
7. FlexNet Publisher Trusted Storage Unique Ident ifier Usage Guidelines
Using UMN in the License Generator Toolkit (LGT) In summary, best practices for using UMN on Windows
The recommendation is to adopt the same mechanism as in platforms are:
FlexNet Operations, described above.
• Enable all anchors
The activation request contains the FlexNet Publisher version
number, platform type, UMN1, and UMN2 as shown in the • Exclude the two “brittle” host IDs from binding (HID_
file snippet below: SYSTEM and HID_INTERNET)
<OriginData> • For versions of FlexNet Publisher pre-11.6.1,
<ClientVersion>11.6.1</ClientVersion> – Use UMN1 as primary client identifier
<ConfigData> – Use Machine ID (MID) as the fallback
<IsServer>0</IsServer>
</ConfigData> • For versions of FlexNet Publisher post-11.6.1,
<Platform> – Use UMN1 as primary client identifier
<PlatformTypeName>i86_n3</PlatformTypeName> – Use UMN2 as the first fallback
<OperatingSystem> – Use Machine ID (MID) as the second fallback
<Info>none</Info>
</OperatingSystem> • Always use the latest version of the FlexNet Windows
</Platform> Licensing Service
<UniqueMachineNumbers>
<UniqueMachineNumber> • Incorporate appropriate reinstall and repair policies in
<Type>1</Type> the back office
<Value>024277395D31F263C350A0255CE3C282C7D3A
EBF</Value> About Flexera Software
</UniqueMachineNumber> Flexera Software is the leading provider of strategic solutions
<UniqueMachineNumber> for Application Usage Management; solutions delivering
<Type>2</Type> continuous compliance, optimized usage and maximized
<Value>BA4E766C2FC6387A5F31B03683E445E2B9304 value to application producers and their customers. Flexera
4A6</Value> Software is trusted by more than 80,000 customers that
</UniqueMachineNumber> depend on our comprehensive solutions- from installation
</UniqueMachineNumbers> and licensing, entitlement and compliance management to
<SequenceNumber>7</SequenceNumber> application readiness and enterprise license optimization
</OriginData> - to strategically manage application usage and achieve
breakthrough results realized only through the systems-level
Repair and reinstallation policies approach we provide. For more information, please go to:
By allowing one or two reinstall requests, the publishers can www.flexerasoftware.com
gracefully accommodate the UMN brittleness problem.
Conclusions For more information on FlexNet Publisher and
A number of mechanisms are employed in FlexNet Publisher FlexNet Suite, please visit:
to identify clients to their servers. The merits of these were www.flexerasoftware.com/fnp
presented with the recommendation to use the UMN values.
In Windows systems, problems in acquiring consistent and
unique values have been experienced in a small number of
cases. However, enhancements made to the v11.6.1 FlexNet
Publisher client have greatly reduced the likelihood of these
problems occurring in the future.
The final recommendation is for users of Windows systems to
upgrade to the latest version of FlexNet Publisher to benefit
from the improvements to the generation of UMN.
Flexera Software: FlexNet Publisher White Paper Series 7