Software Protection and Licensing Guide PDF
Software Protection and Licensing Guide PDF
Software Protection and Licensing Guide PDF
0
Software Licensing and Protection Guide
2 Sentinel LDK Software Licensing and Protection Guide
Revision History
Disclaimer
We have attempted to make this document complete, accurate, and useful, but we cannot
guarantee it to be perfect. When we discover errors or omissions, or they are brought to our
attention, we endeavor to correct them in succeeding releases of the product. SafeNet, Inc. is not
responsible for any direct or indirect damages or loss of business resulting from inaccuracies or
omissions contained herein. The specifications contained in this document are subject to change
without notice.
July 2013
Build 1308-2
3
IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE
CONTENTS OF THE PACKAGE AND/OR BEFORE DOWNLOADING OR INSTALLING THE SOFTWARE
PRODUCT. ALL ORDERS FOR AND USE OF THE SENTINEL® LDK PRODUCTS (including without
limitation, the Developer's Kit, libraries, utilities, diskettes, CD_ROM, DVD, Sentinel keys, the
software component of SafeNet Sentinel LDK and the Sentinel LDK Software Protection and
Licensing Guide) (hereinafter “Product”) SUPPLIED BY SAFENET, INC., (or any of its affiliates - either
of them referred to as “SAFENET”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONS
SET FORTH IN THIS AGREEMENT.
BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR BY DOWNLOADING THE
SOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE SOFTWARE ON YOUR COMPUTER
AND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING THIS AGREEMENT AND AGREEING TO BE
BOUND BY ITS TERMS AND CONDITIONS.
IF YOU DO NOT AGREE TO THIS AGREEMENT OR ARE NOT WILLING TO BE BOUND BY IT, DO NOT
OPEN THE PACKAGE AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (at least
within 7 days from the date you received this package) RETURN THE PRODUCTS TO SAFENET, ERASE
THE SOFTWARE, AND ANY PART THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN ANY
MANNER WHATSOEVER.
DISCLAIMER OF WARRANTY. The Product is provided on an “AS IS” basis, without warranty of
any kind. IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTION AND
MERCHANTABILITY SHALL NOT APPLY. SOME JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF AN
IMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHER
LEGAL RIGHTS THAT VARY BY JURISDICTION. The entire risk as to the quality and performance of
the Product is borne by you. This disclaimer of warranty constitutes an essential part of the
agreement.
If you initially acquired a copy of the Product without purchasing a license and you
wish to purchase a license, contact SafeNet or any SafeNet representative.
License Grant. Subject to your payment of the license fees applicable to the type and amount of licenses purchased by you
and set forth in your applicable purchase order, SafeNet hereby grants to you, and you accept, a personal,
nonexclusive and fully revocable limited License to use the Software (as such term is defined in Section III hereunder, in
the Intellectual Property subsection), in executable form only, as described in the Software accompanying user
documentation and only according to the terms of this Agreement: (i) you may install the Software and use it on
computers located in your place of business, as described in SafeNet's related documentation; (ii) you may merge and
link the Software into your computer programs for the sole purpose described in the Sentinel LDK Software Protection
and Licensing Guide; however, any portion of the Software merged into another computer program shall be deemed
as derivative work and will continue to be subject to the terms of this Agreement; and (iii) you are permitted to make a
reasonable number of copies of the Software solely for backup purposes. The Software shall not be used for any other
purposes.
Sub-Licensing. After merging the Software in your computer program(s) according to the License
Grant section above, you may sub-license, pursuant to the terms of this Agreement, the merged
Software and resell the hardware components of the Product, which you purchased from SafeNet,
if applicable, to distributors and/or users. Preceding such a sale and sub-licensing, you shall make
sure that your contracts with any of your distributors and/or end users (and their contracts with
their customers) shall contain warranties, disclaimers, limitation of liability, and license terms
which are no less protective of SafeNet's rights than such equivalent provisions contained herein.
In addition, you shall make it abundantly clear to your distributors and/or end users, that SafeNet
is not and shall not, under any circumstances, be responsible or liable in any way for the software
and software licenses contained in your computer programs which you merge with the SafeNet
Software and distribute to your distributors and/or end users, including, without limitation, with
respect to extending license terms and providing maintenance for any software elements and/or
computer programs which are not the SafeNet Software. SafeNet expressly disclaims any
responsibility and liability with respect to any computer programs, software elements, and/or
hardware elements which are not and do not form part of the SafeNet product.
Limited Warranty. SafeNet warrants, for your benefit alone, that (i) the Software, when and as
delivered to you, and for a period of three (3) months after the date of delivery to you, will
perform in substantial compliance with the Sentinel LDK Software Protection and Licensing Guide,
provided that it is used on the computer hardware and with the operating system for which it was
designed; and (ii) that the Sentinel key, for a period of twelve (12) months after the date of
delivery to you, will be substantially free from significant defects in materials and workmanship.
You may enable or disable certain features when applying the Sentinel LDK protection software by
changing settings in the Sentinel LDK tools in accordance with the Sentinel LDK Software
Protection and Licensing Guide; HOWEVER, IT IS IMPORTANT TO NOTE THAT WHEN ENABLING OR
DISABLING SOME FEATURES YOU MIGHT REDUCE THE LEVEL OF PROTECTION PROVIDED BY THE
SOFTWARE.
Warranty Disclaimer. SAFENET DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEET
YOUR REQUIRMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TO
THE EXTENT ALLOWED BY LAW, SAFENET EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES NOT
STATED HERE AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO SAFENET'S
DEALER, DISTRIBUTOR, RESELLER, AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANY
MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. If any modifications are made
to the Software or to any other part of the Product by you; if the media and the Sentinel key is
subjected to accident, abuse, or improper use; or if you violate any of the terms of this
Agreement, then the warranty in Section 2.3 above, shall immediately be terminated. The
warranty shall not apply if the Software is used on or in conjunction with hardware or program
5
other than the unmodified version of hardware and program with which the Software was
designed to be used as described in the Sentinel LDK Software Protection and Licensing Guide.
Limitation of Remedies. In the event of a breach of the warranty set forth above, SafeNet's sole
obligation, and your sole remedy shall be, at SafeNet's sole discretion: (i) to replace or repair the
Product, or component thereof, that does not meet the foregoing limited warranty, free of
charge; or (ii) to refund the price paid by you for the Product, or component thereof. Any
replacement or repaired component will be warranted for the remainder of the original warranty
period or 30 days, whichever is longer. Warranty claims must be made in writing during the
warranty period and within seven (7) days of the observation of the defect accompanied by
evidence satisfactory to SafeNet. All Products should be returned to the distributor from which
they were purchased (if not purchased directly from SafeNet) and shall be shipped by the
returning party with freight and insurance paid. The Product or component thereof must be
returned with a copy of your receipt.
Miscellaneous. If the copy of the Product you received was accompanied by a printed or other form of “hard-copy” End User
License Agreement whose terms vary from this Agreement, then the hard-copy End User License Agreement governs
your use of the Product. This Agreement represents the complete agreement concerning this license and may be
amended only by a writing executed by both parties. THE ACCEPTANCE OF ANY PURCHASE ORDER PLACED BY
YOU, IS EXPRESSLY MADE CONDITIONAL ON YOUR ASSENT TO THE TERMS SET FORTH HEREIN,
COMBINED WITH THE APPLICABLE LICENSE SCOPE AND TERMS, IF ANY, SET FORTH IN YOUR PURCHASE
ORDER. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the
extent necessary to make it enforceable. The failure of either party to enforce any rights granted hereunder or to take
action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to
subsequent enforcement of rights or subsequent actions in the event of future breaches.
© 2013 SafeNet, Inc. All rights reserved.
Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit. (http://www.openssl.org/)”
The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact openssl-core@openssl.org.
Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
Redistributions of any form whatsoever must retain the following acknowledgment: “This product
includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”
DISCLAIMER OF WARRANTY
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ''AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8 Sentinel LDK Software Licensing and Protection Guide
DISCLAIMER OF WARRANTY.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
产品中有毒有害物质或元素的名称及含量
Hazardous Substances Table
○:表示该有毒有害物质在该部件所有均质材料中的含量均在SJ/T 11363-2006标准规定的
限量要求以下。
This device complies with Part 15 of the FCC Rules. Operation is subject to the
following two conditions: (1) this device may not cause harmful interference, and (2)
this device must accept any interference received, including interference that may
cause undesired operation.
NOTE: This equipment has been tested and found to comply with the limits for Class B digital
device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with the
instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in particular installation. If this equipment does cause
harmful interference to radio or television reception, which can be determined by turning the
11
equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures: --Reorient or relocate the receiving antenna. –Increase the separation
between the equipment and receiver. –Connect the equipment into an outlet on a circuit different
from that to which the receiver is connected. –Consult the dealer or an experienced radio/TV
technician for help.
Contents
Familiarizing Yourself with Sentinel Vendor Suite 22
Contents of the Sentinel License Development Kit 22
Sentinel LDK - Demo Kit 22
Sentinel LDK - Starter Kit 22
About This Guide 23
Major Components of the Vendor Suite 24
Contacting Us 26
Training 26
Obtaining Support 26
PART 2 - PROTECTION 42
13 Sentinel LDK Software Licensing and Protection Guide
PART 3 - LICENSING 88
Demoware 189
Component-based Licensing Models 190
Module-based (Suites) 191
Feature-based 192
Metered Licensing Models 193
Time-limited Rental 194
Phased Rental 195
Micro-rental 196
Subscription 197
Pay-by-Peak Time (Peak Time) 199
Time-based Overdraft 201
Standard Counter 202
Phased Counter 203
Capacity (CPU/Memory/Disk) 204
Locked License Models 205
Machine-locked 206
User-locked 207
Mobile License Models 209
Portable 210
Commuter 211
Software on a Key 212
Network License Models 213
Limited Concurrent End Users in a Network 214
Time-limited Concurrent End Users in a Network 215
Execution-limited Concurrent End Users in a Network 216
Volume 218
Site 219
Sales Boosting Licensing Models 220
KickStart (Quick-delivery Grace) 221
Referral-based Sales 222
Automatic Sales Agent 224
Perpetual Licensing Models 226
Standard Perpetual Licensing model 227
Perpetual Unlocked Licensing Model 228
How New Activations and Update of Your Software Affect the Pool 236
Additional Information 237
Trialware Module License 237
Unlocked License Module 238
Reporting Module License 238
Appendix I: How to Make Product Names Visible on the End User's Machine 260
Checklist 262
Problems and Solutions 263
Glossary 266
Index 272
Familiarizing Yourself with
Sentinel Vendor Suite
This topic provides an introduction to Sentinel Vendor Suite. SafeNet recommends that you review
this information to familiarize yourself with:
n The contents of the Sentinel License Development Kit – Starter or Demo kit
n The major components of Sentinel Vendor Suite
n The information provided in this Guide
n How to obtain additional technical support for these products
Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide
(this book) and the Sentinel LDK Installation Guide, can be found on the computer where Sentinel
LDK is installed and on the product DVD.
Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide
(this book) and the Sentinel LDK Installation Guide, can be found on the computer where Sentinel
LDK is installed and on the product DVD.
Sentinel HL keys for distribution to your customers must be ordered separately.
Sentinel LDK Envelope is a tool that wraps your application in a protective shield. This shield
ensures that:
n The application is protected against disassembly and reverse engineering. Your intellectual
property is protected.
n The protected application cannot run unless a specified Sentinel protection key can be
accessed by the application.
An application that has been protected by Sentinel LDK Envelope can use the Data Encryption
facility to write initial encrypted application data to disk and to read it back. You can use the
Sentinel LDK Data Encryption utility to provide encrypted application data that is installed
together with the protected application.
You can use Sentinel Licensing API to provide enhanced protection for your application and to
enable the licensing of specific Features in the application.
Sentinel LDK ToolBox is an interactive application that enables software developers to learn about
the following Sentinel APIs:
n Sentinel Licensing API
n Sentinel License Generation API
n Sentinel Admin API
In ToolBox, software developers can actually execute API functions, observe the behavior of the
functions, and then copy the relevant source code into their own applications.
25 Sentinel LDK Software Licensing and Protection Guide
Sentinel Admin Control Center is a customizable, web-based, end-user utility that enables
centralized administration of Sentinel License Managers and Sentinel protection keys.
Sentinel RUS utility is an advanced utility that enables you to perform secure, remote updating of
the license and memory data of Sentinel protection keys after they have been deployed on the
end user’s computer.
Sentinel EMS
Sentinel EMS is a web-based graphical application that is used to perform a range of functions
required to manage the licensing, distribution, and maintenance of protected applications.
You can use Sentinel EMS Web Services to perform the same functions programmatically. This
enables you to integrate the EMS functionality into your own back end infrastructure.
For ISVs who prefer to use their own ERP back-ends, Sentinel License Generation API provides
access to the power and flexibility of Sentinel protection keys without the need to install the full
Sentinel EMS system. You can use Sentinel LDK ToolBox to examine the API functions create
license templates and to generate protection keys.
Sentinel HL Drive is a device that includes Sentinel HL Max key functionality and a flash memory
that can be used as a mass storage device or as a CD ROM emulator (or both).
Using the Sentinel HL Drive Partitioning utility or the Sentinel HL Drive Partitioning API, you can
load your Sentinel LDK-protected applications and data onto the CD ROM partition of a Sentinel
HL Drive, and deliver it to your customers. Your customers can save files to the Sentinel HL Drive,
or load additional software on it, thus utilizing the convenience of disk-on-key functionality.
By default, the flash memory in Sentinel HL Drive is fully allocated as a mass storage device. Using
the Partitioning utility or API, you can create a CD ROM emulation partition on which you can
load your software data.
Sentinel LDK provides an “activation” mechanism that enables a customer to quickly and easily
convert a trialware version of your protected application to a fully-enabled version – while
protecting your investment against software piracy. The end users can activate the trialware
version using a unique product code that they receive from you after completing the required
commercial transaction to purchase a license for the application.
Sentinel EMS contains a separate Customer Portal. This is a Web portal that your customers can
access in order to activate Provisional Products or Locked Products. The customer logs in to the
Customer Portal by providing a Product Key. The customer completes a registration form (if you
require this) and then chooses the method to activate the Product. Online activation is completely
Contacting Us 26
automatic and activates the license on the local machine. Offline activation enables the customer
to download a utility that can be used to activate the license manually on a different machine.
The Customer Portal is installed automatically as part of the Sentinel LDK Vendor Suite. The
Sentinel LDK Product Activation Tutorial leads you through the complete process: define a Feature
in EMS, define Products, enter an order, generate a product key, and finally activate the trialware
using the Customer Portal.
Master Wizard
The Sentinel LDK Master Wizard tool allows software vendors to introduce their batch code into
Sentinel EMS, for use with the various Vendor Suite applications. This tool also imports vendor-
specific files from SafeNet servers, including API libraries and the vendor library used for software-
based protection.
Contacting Us
SafeNet has both international offices and many local distributors providing support for
Sentinel LDK—virtually whenever and wherever required.
Training
For additional information and training about Sentinel LDK implementation issues, contact our
team of international consultants at the URL provided above. The consultants can provide you
with tailored training sessions on the following:
n Integration of Sentinel LDK into your product
n Analysis of the best protection strategy for your applications
n Assistance in implementation of your protection and licensing models
Obtaining Support
You can contact us using any of the following options:
n Business Contacts - To find the nearest office or distributor, use the following URL:
http://www.safenet-inc.com/contact-us/
n Technical Support - To obtain assistance in using SafeNet products, feel free to contact
our Technical Support team:
o Phone: 800-545-6608 (US toll free), +1-410-931-7520 (International)
o E-mail: support@safenet-inc.com
o URL: http://sentinelcustomer.safenet-inc.com/sentinelsupport/
n Downloads - You may want to check out updated installers and other components here:
www.sentinelcustomer.safenet-inc.com/sentineldownloads/
PART 1 - GETTING STARTED
In this section:
Fundamentals of Protection
This section examines the nature of protection, and identifies the two types of protection that you
need to consider.
What is Protection?
Protection is the process of securing an application or intellectual property by incorporating
automated and customized security strategies.
Protection is achieved by implementing specific security strategies, such as wrapping your
application in a security envelope, and incorporating various security measures within the
application’s code during development. The greater the number of security measures
incorporated, and the higher the level of their complexity, the more secure your application
becomes.
31 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing
It is not sufficient to protect only your software—you must also protect your intellectual property.
Your professional expertise and the secrets that you use in developing your software, for example
algorithms, must also be protected.
Copy Protection
Copy protection is the process of encrypting your software and incorporating various security
measures throughout the code and binding it to a key so that it can only be accessed by
authorized users who are in possession of the key. The more complex the copy protection applied
to your software, the less likely it is to be compromised.
Your intellectual property is the foundation on which your products are developed. Intellectual
property theft is surprisingly easy. Every year, companies report the loss of proprietary
information and intellectual property valued at many billions of dollars.
The algorithms and other secret information that you use to make your products unique and
competitive must be protected against attempts to discover their secrets, or to apply reverse
engineering to the software code.
Hardware-based Solutions
In hardware-based solutions, you supply an external hardware device together with your
software. The functioning of your software is dependent on the device being connected to the
end user’s computer. At run-time, your software communicates with the hardware device, and
only functions correctly if it receives an authentic response from the device.
Sentinel LDK provides a variety of hardware devices in the form of Sentinel HL keys. You can select
the type of Sentinel HL key that best suits your requirements. For more information about
Sentinel HL keys, see "Sentinel HL Keys" on page 37.
Software-based Solutions
In software-based solutions, following the installation of your software on an end user’s computer,
the protection and licensing is bonded to that specific machine. Your software will only function
after a Product Key has been entered by the user. At run-time, the Sentinel License Manager
checks that the software is on the machine on which it is licensed to run and that it is being used
in accordance with the user’s license terms.
Sentinel LDK provides a robust software-based solution using Sentinel SL keys. A Sentinel SL key
resides in the secure storage of a specific computer and is patterned on the functionality of a
Sentinel HL key.
For more information about Sentinel SL keys, see "Sentinel SL Keys" on page 38.
Major Protection Solutions 32
Sentinel LDK provides the industry’s first software DRM solution that combines hardware-based
and software-based protection and licensing.
This innovative, self-contained, flexible system enables you to:
n Implement multiple protection solutions
n Define multiple license models according to the requirements of your market, and apply
their usage terms independently of the protection process
33 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing
Fundamentals of Licensing
In addition to protecting your software and intellectual property, you need to protect the revenue
from sales of your product. You want to ensure that your software is only available to the
appropriate users, according to the terms that you define. This process is controlled by licensing.
Licensing provides you with the flexibility to implement your business strategies for your software
distribution. When you define the licensing terms on which your software is distributed or sold,
you select the terms that are commercially beneficial to your company.
For example, you may decide that you initially want to distribute your software free of charge, so
that users can try it before purchasing. You will want to ensure that users can use it for only a
limited time before it must be purchased.
Alternatively, you may publish very complex, expensive software. You may decide to make specific
components of that software available for a lower price, thus making parts of it accessible to users
who cannot afford the full-featured version. Such a decision creates an additional revenue source.
To obtain the maximum benefit from your company’s licensing strategy, you need a software
licensing system that provides you with the flexibility to tailor licensing terms to fit your business
strategies, and to adapt quickly to changes in the market and in your business needs. Your
licensing system must also be able to enforce your defined usage terms with secure licensing
methods.
n Trialware (try-before-you-buy)
n Rental/Subscription
n Module-/Feature-based
n Floating Usage
n Time-based
n Execution-based
You can easily define custom licensing models and usage terms using the functionality provided
by Sentinel LDK. For example, Sentinel LDK functionality enables you to utilize secure read-only
and read/write memory storage, flexible counters, and a real-time clock incorporated in the
Sentinel protection key.
The separation of the engineering and licensing processes embodied in Sentinel LDK makes it
possible to modify your company’s licensing strategy as necessary when circumstances change,
and to implement these changes quickly and efficiently.
Principles of Sentinel LDK
The strength, uniqueness, and flexibility of Sentinel LDK are based on two primary principles:
n Protect Once—Deliver Many—Evolve Often: The concept of separating the Sentinel LDK
engineering and business processes.
n Cross-Locking: The technology that supports the Protect Once—Deliver Many—Evolve
Often concept, enabling a protected application to work with either a Sentinel HL key or a
Sentinel SL key.
The engineering process—that is, the protection of your software—is performed by your software
engineers using Sentinel LDK Envelope, Sentinel LDK ToolBox and the Sentinel Licensing API
protection tools.
The business processes—that is, software licensing and selection of the appropriate
Sentinel protection key—are performed by business management using Sentinel EMS.
As part of the business processes, the Evolve Often stage delivers the capability for you and your
end-users to:
n Actively track delivery and activation status of end-user entitlements.
n Track when, how, and by whom your software is being consumed.
n Easily manage terms of each entitlement using Sentinel EMS.
The protection processes and the licensing processes—including selection of the appropriate
Sentinel protection key type—are performed completely independently of each other.
Cross-locking
Cross-locking is the Sentinel LDK process that enables you to choose the device to which your
protected application and license will be locked—either to a Sentinel HL key or, via a Sentinel SL
key, to a specific computer.
The decision about the type of Sentinel protection key to which your software is locked is
determined after protection has been implemented—you choose the options that best suit your
current business strategies.
n Sentinel LDK Envelope enables you to wrap your software in a protective shield at the
touch of a button—without having to adjust your source code. It establishes a link
between your protected software and a Sentinel protection key, even though the
selection of key is determined at a later time.
n Sentinel LDK ToolBox and the Sentinel Licensing API enable you to enhance the protection
offered by Sentinel LDK Envelope, by incorporating complex protection mechanisms into
your source code.
n Sentinel EMS enables you to create licenses and lock them to Sentinel protection keys, to
write specific data to the memory of a Sentinel protection key, and to update licenses
already deployed in the field. These processes are performed independently of the
protection process.
n Customized Sentinel Vendor keys are used in-house by your staff, together with
Sentinel LDK state-of-the-art security applications.
n A selection of Sentinel protection keys enable you to meet the specific requirements of
your business. Your unique Sentinel protection keys ensure that your applications will
only function when the correct key, supplied by you, is present.
n Additional applications and utilities provide advanced support for these key elements of
Sentinel Vendor Suite.
The Vendor Code is a unique confidential code assigned to you by SafeNet when you place your
first order for Sentinel protection keys. It is integrated into your Sentinel Vendor keys. When you
are protecting your software and licenses to Sentinel protection keys for distribution, the Vendor
Code is extracted from your Sentinel Vendor keys.
Batch Code
A Batch Code consists of five characters that represent your company’s unique Vendor Code.
When you order Sentinel protection keys from SafeNet, you specify your Batch Code, which is
then written to the keys before dispatch. To easily identify the batch to which a Sentinel HL key
belongs, the Batch Code is written on the outside of each key.
Similarly, when licensing is implemented using Sentinel LDK, the operation of your software is
dependent on the presence of a valid license in a Sentinel protection key.
A variety of Sentinel protection keys are available to provide you with the flexibility to sell your
software in the ways that are most beneficial to your business goals.
The Sentinel Developer key is used by your programmers in conjunction with the Sentinel LDK
protection tools to protect your software and data files.
Sentinel Master key
The Sentinel Master key is used by your production staff to create licenses and lock them to
Sentinel protection keys, to write specific data to the memory of a Sentinel protection key, and to
update licenses already deployed in the field. To generate licenses, the Sentinel Master key must
be connected to the machine where Sentinel EMS is installed or where the program that calls
Sentinel License Generation API is running. License generation cannot be performed over RDP
(that is, over a remote connection to the system where the Master key is connected).
End-User Keys
Two types of Sentinel protection keys are available—Sentinel HL keys, which are physical USB or
ExpressCard keys that connect to a computer, and Sentinel SL keys, which are software-based keys
that lock your software to a specific machine. Your software and the user license are locked to the
Sentinel protection key that you select.
All Sentinel HL keys—with the exception of Sentinel HL Basic keys—contain internal read/write
memory. You can use the memory to do any of the following:
n Control access to specific software modules and/or packages
n Assign a unique code to each software user
n Store licenses from your own licensing schemes
n Save passwords, program code, program variables, and other data
Sentinel SL keys are patterned on the functionality of Sentinel HL keys. However, the data is
located in the secure storage of the computer on which the Sentinel SL key resides.
Sentinel HL Keys
Sentinel HL keys are distributed with your software to end users. The keys connect to the end
users’ computers. A variety of Sentinel HL keys are available to suit your requirements. Sentinel HL
keys are available in either of two configurations:
Customizing Your Unique Solution 38
n Sentinel HL (HASP configuration) keys: These keys are fully compatible with software that
requires the older HASP HL keys.
Sentinel HL (HASP configuration) keys can be upgraded in the field to Sentinel HL
(Driverless configuration) keys. For more information, see "Appendix H: How to
Upgrade a Sentinel HL Key to Driverless Configuration" on page 256.
n Sentinel HL (Driverless configuration) keys: These keys provide several advantages over
Sentinel HL (HASP configuration) keys:
o (On a Windows machine) Employ HID drivers instead of HASP key drivers. (HID
drivers are an integral part of the Windows operating system.) In many cases, it is
possible to use these keys without installing any additional support software.
o Support a higher number of Features.
o Provide larger on-key memory space.
Sentinel HL keys offer the highest level of security. In order for a user to access your software, and
for it to function correctly, the key must be accessible by the application. Furthermore,
Sentinel LDK uses LicenseOnChip technology to protect Sentinel HL keys against license tampering.
Sentinel HL keys also have the advantage of portability. This means that the key can be moved
from one computer to another. Software may therefore be installed on multiple computers but
will only run if the key is connected and authenticated by the software.
For full technical specifications of the available Sentinel protection keys, refer to the Sentinel HL
data sheet.
Sentinel LDK continues to support the older HASP HL keys. All references to Sentinel HL
keys in this document and other Sentinel LDK documents can be understood to include
HASP HL keys unless the context of the reference clearly states otherwise.
Sentinel SL Keys
Sentinel SL keys are virtual, software-based keys that reside in the secure storage of a specific
computer. Sentinel SL keys provide the same functionality as Sentinel HL keys, without requiring
physical distribution.
After your software is installed on a computer, the end user typically enters a Product Key that is
sent, via the Internet or by file transfer, to Sentinel EMS, together with the fingerprint of the
machine. Sentinel EMS confirms that the Product Key has not been used to activate the software
on more than the permitted number of machines—as determined by you—then sends back the
Sentinel SL key, which is installed on the end user’s machine. This process is also used for
updating license terms.
Several types of Sentinel SL keys exist:
n SL Legacy - SL keys that were generated with versions of Sentinel HASP prior to Sentinel
LDK v.6.0
n SL AdminMode - SL keys that provide the highest level of security and functionality
n SL UserMode - SL keys that provide a greater level of flexibility under certain
circumstances
39 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing
For information about the attributes of Sentinel SL keys, see "Protection Key Attributes" on page
39.
For information about how Sentinel LDK prevents tampering of time-based licenses locked to
Sentinel SL keys, see "Appendix E: How Sentinel LDK Protects Time-based Licenses Locked to
Sentinel SL Keys" on page 250.
For full technical specifications of the available Sentinel protection keys, refer to the relevant
product data sheet.
Network Key Supports
Supported Supports
Type of Level of Supports Remote
Operating Applications That
Protection Key Security Detachable Protected
Systems Use Overlays
Licenses Application
HL + + + + + Windows Yes No Yes (HL
Mac Network key)
Linux
SL AdminMode + + + + Windows Yes Yes Yes (SL key
Mac with
Linux concurrency)
SL UserMode (Except + + + Windows No No No
for Provisional)
SL UserMode + Windows No No No
(Provisional)
SL Legacy + + + + Windows Yes Yes Yes (SL key
Mac with
Linux concurrency)
For additional information, see "Protection Keys That Require Sentinel LDK Run-time
Environment" on page 158.
Sentinel LDK encryption and decryption are based on the Advanced Encryption Standard (AES)
algorithm. The encryption secret of the algorithm is stored in the Sentinel protection key. To
Obtaining Additional Information About Sentinel LDK 40
In this chapter:
Sentinel LDK Protection
Sentinel LDK is an innovative, advanced solution for protecting software against illegal or
unauthorized use. The solution deters illegal access and execution of protected applications.
A deployed Sentinel LDK-protected program requires access to a specific Sentinel protection key in
order to run. The protected program queries the Sentinel protection key for pre-defined
information. If the Sentinel protection key is not present, or the information returned is incorrect,
the program does not execute, or stops functioning.
After you have selected a Sentinel LDK protection method, implementation is straightforward.
Regardless of the selected protection strategy, protected programs only work correctly if they can
access the information stored in a specific Sentinel protection key.
n Sentinel LDK Envelope
When you protect your software using either of these methods, you are essentially forming an
inherent link between the protected application and a specific Sentinel protection key.
What can be Protected
Sentinel LDK enables you to protect a variety of applications and data files. You can apply
protection directly to:
n Compiled executables, DLLs and .NET assemblies
n Specific functions or entire programs. Sentinel LDK protects all levels of software from
function level to entire programs
n Sensitive data and intellectual property
All the above are protected against any attempt at reverse engineering.
For additional information about the available protection parameter options, see the following
chapters:
n "Chapter 3: Sentinel Licensing API Protection" on page 50
n "Chapter 6: Working with the Sentinel LDK Data Encryption Utility" on page 84
AES Encryption
A protected program relies on the ‘intelligence’ in the memory of a specific Sentinel protection key
in order to function. In addition to the checks for the Sentinel protection key, data can be
encrypted and decrypted using the intelligence available in the Sentinel protection key.
The encryption engine in the Sentinel protection key is based on the AES algorithm. Sentinel LDK
encryption uses a set of confidential 128-bit encryption keys that remain in the Sentinel protection
key.
Sentinel LDK Protection 46
Your protection schemes should always involve greater sophistication than merely confirming the
presence of the required Sentinel protection key. However, verifying the required
Sentinel protection key through data encryption and decryption requires forward planning. First,
encrypted data must be available. This data must then be sent to the Sentinel protection key,
where it is decrypted.
If the data is correct, the Sentinel protection key is considered to be “present.” For additional
information, see "Time Functions" on page 57.
The essence of software protection is confidentiality. Without confidential elements, any software
security system is vulnerable to attack.
Vendor Code
Each Sentinel LDK customer is assigned a unique Vendor Code that must be kept confidential. The
Vendor Code forms an integral part of the protection parameters that constitute the inherent link
between the protected programs and the Sentinel protection key. However, the Vendor Code is
only part of the link. The code on its own is insufficient to prevent illegal use of the software. It
merely provides the protected software with access to the Sentinel protection key and its
resources.
All Sentinel LDK protection applications require the Vendor Code. For information on how to
access the code, see "Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.
The secure memory on Sentinel protection keys can be utilized (read and write) as a component of
the protection scheme for the software. Confidential data can be stored in the Protection Key
memory, including snippets of program code, customer name, or any other data.
Use the memory editors included in Sentinel LDK ToolBox to read or write data in the Protection
Key memory. For additional information, see "Memory Functions" on page 57.
Sentinel LDK protects intellectual property and provides the functionality to combat anti-
debugging and reverse engineering. Anti-debugging and reverse engineering usually try to unravel
the protection scheme of protected software by tracing a compiled application to its source code.
Sentinel LDK Envelope implements contingency measures to ward off such attacks and prevent
hackers from uncovering algorithms used inside protected software.
What to Protect
When protecting software with Sentinel LDK, there are various options for applying protection.
Sentinel Licensing API is used to protect the software before it is compiled. Protection can also be
applied after the software is compiled using Sentinel LDK Envelope. You can choose whether to
apply protection to an entire program, a subprogram, or simply to a Feature.
You may opt to use either the Sentinel Licensing API or the Sentinel LDK Envelope protection
method, or both, depending on your specific requirements. Use the following table to determine
which method best meets your specific requirements.
When applying protection using Sentinel Licensing API, you control the entire protection process.
You determine when the protected program queries the Sentinel protection key, and how it
should behave in different scenarios. With Sentinel LDK Envelope, compiled programs are wrapped
with random protection parameters. If you run Sentinel LDK Envelope twice to protect the same
program, two different output files are produced with different protective modules and shields.
When a high protection level is specified in Sentinel LDK Envelope, file size increases and the
protected application takes longer to launch. Consider this factor when you are deciding on the
protection level settings that you choose. Aim for the optimal balance between protection level
and launch time.
When using the Sentinel Licensing API, protection is integrated at the source code level in a
carefully considered manner. You determine where in the source code to place calls to the Sentinel
Licensing API.
Sentinel LDK Protection 48
Sentinel LDK Envelope offers an automated, speedier method of protecting software. You define
settings for protection parameters that are applied to protected programs.
When enabling or disabling some features you might reduce the level of protection
provided by the software.
3
Chapter 3:
Sentinel Licensing API Protection
This chapter describes the Sentinel Licensing API protection method.
In this chapter:
n "Overview" on page 50
n "Sentinel Licensing API Prerequisites " on page 51
n "Learning About the Sentinel Licensing API" on page 52
n "Implementation" on page 53
n "Sentinel Licensing API Functionality" on page 56
Overview
The Sentinel Licensing API (application programming interface) is a robust method of software
protection, the strength of which is wholly dependent on its implementation.
The extent to which the functionality afforded by the Sentinel Licensing API is utilized, determines
the overall level of software security. To fully utilize the protection offered by the Sentinel Licensing
API, strive to maximize the complexity and sophistication of your implementation.
It is essential that, before protecting your application, you are familiar with the overall
functionality of the Sentinel Licensing API. For a description of the functions that make up the
Sentinel Licensing API, see the Sentinel LDK ToolBox help system.
To protect your software using the Sentinel Licensing API, you insert calls to a Sentinel protection
key throughout your application’s source code. You can add calls to your application that check
for the presence of a Sentinel protection key at any point during run-time, and you can designate
responses to these checks. For example, if the required Sentinel protection key is not found, you
might specify that the protected application suspend or terminate itself.
Your application can also check the memory of a Sentinel protection key for specific data. In
addition, you can use the Sentinel Licensing API to encrypt or decrypt data.
To facilitate a speedy learning curve, SafeNet recommends that you familiarize yourself with and
test specific Sentinel Licensing API functions using Sentinel LDK ToolBox. Sentinel LDK ToolBox is a
GUI-based application that interfaces with various Sentinel LDK APIs. For additional information,
see "Learning About the Sentinel Licensing API" on page 52.
Sentinel LDK also includes Sentinel Licensing API sample folders for specific compilers. Each
Sentinel LDK interface includes a sample application demonstrating API usage and a specific header
51 Chapter 3: Sentinel Licensing API Protection
file. The sample applications are located in the Samples folder in the Windows directories on the
Sentinel LDK installation DVD.
Vendor Code
It is necessary to provide the Vendor Code in order to access a Sentinel protection key and its
resources, including memory. Vendor Codes are usually stored in the VendorCodes folder. On most
Windows installations, the directory is located at:
…\Documents and Settings\[userName]\My Documents\
SafeNet\Sentinel LDK 7.0\VendorCodes
In the Sentinel LDK Demo Kit, customers are provided with Sentinel HL Demo keys that work with
the DEMOMA Vendor Code. This Vendor Code can be used to apply protection with the Sentinel
Licensing API.
The first time you order Sentinel protection keys, you also receive two Sentinel Vendor keys—a
Sentinel Developer key and a Sentinel Master key—that contain your company’s unique
confidential Vendor Code. The Sentinel Developer key is used by engineers for adding protection
to your software. The Sentinel Master key is used for producing licenses and orders.
Sentinel Vendor Suite applications (Sentinel LDK Envelope, Sentinel LDK ToolBox, and Sentinel EMS)
must recognize and have access to the unique Vendor Code that was assigned to you when your
first order was supplied by SafeNet. The Vendor Code is stored inside your Sentinel Vendor keys.
Sentinel Vendor keys are introduced using the Master Wizard, as described in the following
section.
If you have already introduced your Sentinel Developer key, it is usually not necessary to
re-introduce it.
Learning About the Sentinel Licensing API 52
You need to extract the Vendor Code from your Sentinel Vendor keys so that the Sentinel LDK
system will recognize it when you are working with any of the Vendor Suite applications.
Depending on your Sentinel LDK configuration, if you launch a Sentinel Vendor Suite application,
and you have connected a new Sentinel Vendor key to your computer, the Master Wizard will
launch automatically. Alternatively, you can launch the Master Wizard manually.
For detailed information on using the Master Wizard, see the chapter on introducing Vendor keys
in the Sentinel LDK Installation Guide.
By default, your Vendor Code information is saved in the following directory:
n For Windows XP: %UserProfile%\My Document\SafeNet\Sentinel LDK 7.0\VendorCodes
n For Windows Vista or Windows 7: %LocalAppData%\SafeNet\Sentinel LDK 7.0\VendorCodes
The format of a Vendor Code file name is BatchCode.hvc. For example, if your Batch Code is
W3FLY, the file name will be W3FLY.hvc. (The Batch Code is a representation of your confidential
Vendor Code.) Your Sentinel Vendor keys and all your Sentinel HL keys are labeled with your Batch
Code.
By default, Sentinel Vendor Suite applications search the VendorCodes folder for your Vendor
Code/Batch Code information.
The format of API library names (for Windows) is hasp_windows_language_
vendorID.libraryExtension . For example, hasp_windows_demo.lib is a C-language API library
associated with a demo key.
API-related Functionality
Sentinel LDK ToolBox serves as a training tool for the Sentinel APIs. Sentinel LDK ToolBox
functionality enables you to:
n Display the source code generated for each function call. This generated source code can
be copied and pasted into your application source code.
n Evaluate manual implementation of each API . Every API function included in Sentinel LDK
ToolBox is displayed on a separate screen. To execute a function call, you provide specific
information related to the selected function.
n Transfer memory buffers to the AES encryption engine in a Sentinel protection key. The
program can also be used to decrypt data buffers.
n Create multiple programming language interfaces for the various APIs.
See the Sentinel Web site and the Sentinel LDK Installation DVD for information on
available samples for specific programming languages.
Implementation
This section describes the pre-implementation issues you should consider, and the workflow for
implementing the Sentinel Licensing API. It also provides an overview of how to log in to and out
of a session.
The session identifier is self-generated and applies to a single login session. For more
information, see the description of the hasp_login_scope function in the Sentinel Licensing
API help system or in the Sentinel LDK ToolBox help system.
3. After a login session is established, you can use other Sentinel Licensing API functions to
communicate with the Sentinel protection key. For example, you can use the hasp_decrypt
function to decrypt important data used by your application. You can also read data stored
in the Sentinel protection key memory, set timestamps, and other actions.
4. Using the output generated in Step 3, check for potential mismatches and notify the user
accordingly.
5. Repeat steps 2–4 throughout the code.
6. Compile the source code.
After you have compiled the source code, use Sentinel LDK Envelope to add an extra layer
of protection to your software. This process also prevents reverse engineering of protected
code.
If the Sentinel protection key is not accessible by the computer, an error message is displayed. An
error message is also displayed if the declared Vendor Code is not valid for a detected
Sentinel protection key.
When using the Sentinel Licensing API implementation, login calls are not dependent on specific
Sentinel protection keys. However, when performing login calls you must specify what it is that
you are actually logging into. When logging in you must declare:
n If you are logging into a default or a specific Feature
n How to search for the Sentinel protection key
n How the login counter should be handled
n Whether to enable or disable connection to the Sentinel protection key via a terminal
server
You can either log into a specific Feature, or to the default Feature stored in the
Sentinel protection key. The default Feature is assigned Feature ID 0.
When logging into a licensed Feature, the protected application not only checks for the presence
of the Sentinel protection key, it also checks the terms of the license contained in that key. If the
license is valid, the Feature is enabled.
Additional aspects of a login call can be controlled when implementing the Sentinel Licensing API,
as follows:
n Search options
n Login counter
Sentinel Licensing API Functionality 56
The default search setting enables a protected application to search both the local computer and
the network for the required Sentinel protection key. You can limit the Sentinel protection key
search option, as follows:
n Search only the local PC for a Sentinel protection key
n Search only the network for a connected Sentinel protection key
Login Counter
By default, when a Sentinel LDK license is accessed in a Sentinel HL Net key, license usage is
determined by counting the number of workstations that use the protected application. You can
change this condition so that license usage is based on the number of protected application
processes that are in use.
Access to Legacy Memory on Sentinel HL Key
By default, the Sentinel LDK system does not enable access to the legacy memory on Sentinel HL
keys. To override this restriction, select the Allow access to Sentinel HL v.1.x check box in the
Sentinel LDK ToolBox Settings window.
Function Groups
Sentinel Licensing API functions are categorized into five groups, based on common functionality
and linkage.
n Session functions
n Encryption/Decryption functions
n Memory functions
57 Chapter 3: Sentinel Licensing API Protection
n Time functions
n Management functions
Session Functions
Encryption Functions
You can encrypt or decrypt data buffers using the AES-based encryption engine in the
Sentinel protection key. The encryption engine uses symmetric encryption. This means that the
same encryption key is used later to decrypt the data buffer.
Memory Functions
Use the memory to store data to be used by the application at run-time, and information that can
be used later to verify and identify an end-user. Control of access to sensitive data forms an
integral part of your protection scheme.
The Sentinel Licensing API can be used to:
n Read data buffers stored in the Sentinel protection key memory
n Write data buffers to the Sentinel protection key memory
The size of the data buffers is restricted by the memory available in the specific Sentinel protection
key type. For information about the memory capacity of the available Sentinel protection keys,
refer to the relevant product data sheet.
Time Functions
If you are using a Sentinel HL Time key or Sentinel HL NetTime key, the Sentinel Licensing API can
be used to access the real-time clock in the key. This functionality enables you to read the time.
Two date and time conversion functions are included in the Sentinel Licensing API.
Management Functions
The Sentinel Licensing API includes functions that enable you to retrieve information on the
system components, the current login session, the status of a deployed Sentinel protection key,
and license updates.
When using Sentinel SL keys, the transfer function enables you to:
n detach a license from a pool of network seats
n rehost a protection key from one computer to another at the customer site.
You can also use the hasp_update function to install updates. You do not need to be logged in to
a session in order to perform this function. For additional information, see the help system for the
Sentinel Licensing API or the Sentinel LDK ToolBox.
4
Chapter 4:
Sentinel LDK Envelope Protection
n "Functionality" on page 58
n "Sentinel LDK Envelope for Windows" on page 62
n "Accessing and Encrypting Data Files for Windows Programs" on page 65
n "Protecting .NET Assemblies" on page 67
n "Sentinel LDK Envelope for Linux Applications" on page 73
n "Sentinel LDK Envelope for Mac Binaries" on page 74
n "Sentinel LDK Envelope for Java Executables" on page 75
Functionality
Sentinel LDK Envelope is a wrapping application that protects your applications with a secure
shield. This application offers advanced protection features to enhance the overall level of security
of your software.
Sentinel LDK Envelope protects Win32, Windows x64, and .NET executables and DLLs, and Java
executables—providing a means to counteract reverse engineering and other anti-debugging
measures.
Sentinel LDK Envelope can also be used to protect Mac executables and dynamic shared libraries
(Mach-O), and Linux executables and shared objects. For more information, see "Sentinel LDK
Envelope for Mac Binaries" on page 74, and see "Sentinel LDK Envelope for Linux Applications" on
page 73.
The word program is used throughout this chapter as a generic reference to the various
file types that can be protected using Sentinel LDK Envelope, regardless of whether they
are executables, binaries, assemblies, libraries or shared objects.
By using Sentinel LDK Envelope to protect your software, you establish a link between the
protected software and a Sentinel protection key. This link is broken whenever the protected
software cannot access the required Sentinel protection key.
59 Chapter 4: Sentinel LDK Envelope Protection
Implementing Sentinel LDK Envelope protection is the fastest way to secure your software without
requiring access to your software source code.
Sentinel LDK Envelope provides both graphical user interface (GUI) and command-line utility
options. The graphical interface enables you to:
n Protect Windows and .NET executables and DLL files, and Java executables
n Enhance the protection of .NET and Java executables by defining Method-level protection
n Protect Mac Mach-o binaries
n Protect 32-bit and 64-bit Linux executables and shared objects
n Define a variety of global protection parameters for your program
n Specify a Vendor Code to authenticate the presence of a specific Sentinel protection key
n Customize the run-time messages that will be displayed to end users running protected
programs
In addition to linking protected programs to a specific Sentinel protection key, Sentinel LDK
Envelope wraps the application file with numerous protection layers that are randomly assembled.
The command-line utilities also enable you to easily apply protection parameters that were
defined using the Sentinel LDK Envelope GUI. This simplifies the process of reapplying protection
parameters to your program during the development process.
Sentinel LDK Envelope does not affect the files being protected. However, it is highly
recommended that you designate a separate output folder for the protected application in
order to distinguish between source (unprotected) and output (protected) files.
Sentinel LDK Envelope protection involves the application of protection parameters that are
controlled by the engines running Sentinel LDK Envelope. You apply these parameters to an
unprotected source.
Sentinel LDK Envelope does not affect the original files or the way a protected application actually
works. The only modification is that user access is conditional on the presence of a required
Sentinel protection key. If the Sentinel protection key is present, the protected file runs.
The logic of Sentinel LDK Envelope protection is illustrated in the following diagram. Note that the
original file can be a Win32, or Windows x64 executable or DLL; a Windows .NET assembly
executable or dynamic library; a Java executable; a Linux executable or shared object; or a Mac
binary.
To ensure the highest level of security for your software, Sentinel LDK Envelope for Win32
removes debugging data from the programs that it is protecting.
It is recommended that Linux software engineers strip extraneous symbols from the executable
prior to protecting with Sentinel LDK Envelope.
Mandatory Parameters
The following information must be provided in order to protect software using Sentinel LDK
Envelope:
n Input file location: You must specify the location of the program that you want to
protect. By default, this is the directory from which you added the program to the
project.
n Output file location: You must specify the directory where the protected output will be
saved. By default, the directory is
[user’s home directory]\SafeNet\Sentinel LDK 7.0\VendorTools\VendorSuite\Protected
61 Chapter 4: Sentinel LDK Envelope Protection
n Vendor Code: You must provide a valid Vendor Code in order to access a
Sentinel protection key. On initial activation of Sentinel LDK Envelope, the default Vendor
Code is specified as DEMOMA. Select your Vendor Code in the Sentinel Vendor Code
screen.
This information is sufficient to protect a program.
When enabling or disabling some features you might reduce the level of protection
provided by the software.
Sentinel LDK Envelope enables you to determine where a protected application searches for a
required Sentinel protection key.
The following options are available:
n Local and remote: The protected application first searches the local machine for a
required Sentinel protection key (default), and then the network.
n Local only: The protected application searches only the local computer for a required
Sentinel protection key.
n Remote only: The protected application searches only the network for a required
Sentinel protection key.
When you protect a .NET assembly with Sentinel LDK Envelope, you have the flexibility to specify
Features at two levels:
n A global Feature that relates to the entire .NET assembly, with the exception of
individually-protected methods. For additional information, see "Global Features in .NET
Assemblies" on page 68.
n Method-specific Features. For additional information, see "Method-specific Features and
Parameters in .NET Assemblies" on page 69.
At run-time, a protected .NET assembly searches for all Features in the Sentinel protection key.
n Sentinel Vendor Suite
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.
n dfcrypt.exe (if you are planning to encrypt data files by means of a command line)
n The Win32, Windows x64, .NET or Java executables or DLLs that you want to protect
n .NET Framework 2.0 or later (if you are protecting .NET assemblies)
After your program has been included in a Sentinel LDK Envelope project, protection can be
performed effortlessly, based on the default Sentinel LDK Envelope settings. In addition, you can
define and calibrate a range of protection parameters that affect the attributes and behavior of
the protected program.
Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen and
the Default Protection Settings screen. You can select a specific program in the Project pane and,
from the Protection Details screen, view and edit the application’s parameters using the following
three tabs:
63 Chapter 4: Sentinel LDK Envelope Protection
n General tab
n Advanced tab
n Protection Settings tab
Sentinel LDK Envelope enables you to define the following additional properties for Win32 and
Windows x64 programs:
n The frequency at which random queries are sent to a Sentinel protection key. These
queries include random encryption and decryption procedures.
n The time interval between checks for the presence of a required Sentinel protection key.
n Whether support for programs that require overlays to execute correctly should be
enabled.
n The length of time that the protected application waits for the Sentinel LDK Run-time
Environment to load.
Protection Attributes
You can define specific security attributes for protected Win32 and Windows x64 programs
including parameters for:
n Detection of both system and user-level debugging measures. You can activate measures
to be undertaken by the Sentinel LDK system to block potential attacks intended to
undermine the protection scheme.
Sentinel LDK Envelope for Windows 64
n Specifying the frequency of Sentinel protection key access for encryption. The parameter
controls the compactness of the Sentinel protection key calls made by the protected
application.
An application that is protected using AppOnChip is not compatible with Sentinel SL keys
or with any HL keys other than Sentinel HL (Driverless configuration) keys.
During the protection process, AppOnChip uses a code transformation engine to analyze the
application code. AppOnChip uses the map file provided with the application code to identify the
functions contained in the code. AppOnChip determines which functions are eligible to be
executed by the virtual machine in the Sentinel HL key. The eligible functions are listed in a table
on the AppOnChip tabbed page in the Sentinel Envelope interface.
(In addition to functions identified using the map file, if eligible exported functions are found in
the application code, they will be included in the list of eligible functions.)
You examine the list of eligible functions and select the functions that you want AppOnChip to
protect.
When Envelope generates the protected application, AppOnChip automatically extracts the code
or code segments for selected functions from the protected binary of the application and replaces
the extracted code with a placeholder. The extracted code is encrypted and signed with a vendor-
specific sign key, and saved in a separate binary.
Note that protection process is fully automatic. It is not necessary for you to make any changes to
your application code to accommodate this process.
At run-time, when the application calls one of the protected functions, the encrypted function
code is uploaded to the Sentinel HL key. Within the key, the code is decrypted and loaded into a
virtual machine. Once loaded, the code is executed by the virtual machine. The output of the code
is passed back to the protected application through the placeholder that was inserted into the
function during the protection process.
As a result of this process, protected functions are never exposed in any manner that would
enable a cracker to analyze or disassemble the code.
For more information regarding the AppOnChip functionality, see the Sentinel LDK Envelope help
system.
65 Chapter 4: Sentinel LDK Envelope Protection
Your protected Windows program may require access to data files during run-time. Sentinel LDK
Envelope enables you to control the access of data files by the protected software. Sentinel LDK
Envelope offers the following control mechanisms:
n Data filters: You can determine what file types can be accessed at run-time by the
protected software. You can also determine what files to exclude.
n Data encryption keys: Eight printable characters used to create an encryption key for
encrypting and decrypting data files.
Use the same encryption key when multiple applications access the same document set.
Sentinel LDK Envelope includes the data filters and encryption key information as part of the
protection scheme applied to the protected application. The encryption of data files is handled by
the Sentinel LDK Data Encryption utility. For additional information, see "Chapter 6: Working with
the Sentinel LDK Data Encryption Utility" on page 84. Alternatively, you can use a command-line
utility. For additional information, see "Using dfcrypt.exe" on page 66.
Setting Data File Filters
Sentinel LDK Envelope enables you to create file filters for protected Windows programs. File filters
determine which data files and data file types can work in conjunction with protected programs.
For more information, see the Sentinel LDK Envelope help system.
Run-time User Support
You can customize run-time messages for end users who are using applications protected by
Sentinel LDK Envelope. Sentinel LDK Envelope includes a set of message codes. Each code is mapped
to a corresponding message that is displayed at run-time of the protected application.
In addition, you can choose to display a message for end users during startup of a protected
application that explains there may be delays due to required data decryption.
Windows programs protected with Sentinel LDK Envelope can access encrypted data files that are
defined by data filters and use a specific encryption key. Sentinel LDK Envelope itself does not
encrypt data files. However, you can encrypt data files using the Data Encryption Utility interface,
or you can use the dfcrypt.exe command-line utility. For additional information about using the
Data Encryption Utility interface, see "Chapter 6: Working with the Sentinel LDK Data Encryption
Utility" on page 84.
Sentinel LDK Envelope for Windows 66
Using dfcrypt.exe
Instead of using the Data Encryption utility, you can use a command-line utility to encrypt data
files. The dfcrypt.exe utility generates data files that can be processed by executables protected
by Sentinel LDK Envelope.
The command-line utility requires a specific set of input parameters to function. After these
parameters have been applied to a defined set of data files, the encrypted files can be accessed by
Sentinel LDK Envelope.
To use dfcrypt.exe, specify the following:
n A command switch
n A list of source files and directories
n A destination for the encrypted output
When specifying multiple source files or a directory, the destination input specified must be an
existing directory.
The following format must be used to input parameters:
dfcrypt<option> source destination
For example:
dfcrypt -c:demoma.hvc -k:4873Asdb data.txt data_crypt.txt
Command Action
-e, --encrypt Encrypts data, available by default
-d, --decrypt Decrypts data
-c, --vcf:<file> Specifies a Vendor Code file (mandatory)
-k, --key:<key> Specifies an encryption key to be used to encrypt data files. Must contain 8
printable characters (mandatory)
-o, --overwrite Overwrites destination files
-r, --recursive Enables recursive handling of subdirectories
-h, --help Displays the help screen, listing dfcrypt.exe commands
-q, --quiet Suppresses output by excluding copyright information and the progress
indicator. Only error messages are displayed. This is particularly useful in
Makefile integration.
Command-line Options
The following parameters are available for use with the Sentinel LDK Envelope command-line
version:
Command Description
-h /--help Displays the list of command-line parameters. Press Enter to return to
the command-line console.
-p /--protect <project> The command-line utility uses the specified project as input data for
the application-wrapping process—all the files included in the project
are protected.
<project> The command-line version starts the GUI version with the specified
project running as the current project.
-a / --accesscode Specifies the access code for the connected Sentinel Vendor key. This
<code><project> switch is only required if an access code has been specified using the
Master wizard.
Protecting .NET Assemblies
Sentinel LDK Envelope provides significant flexibility when protecting .NET assemblies. In addition
to global protection settings that you specify using the Protection Details and Protection
Template Settings functionalities, you can also specify Method-level protection, by defining
individual methods in the .NET assembly.
You can also define protection settings in your source code using custom attributes.
For details about the prerequisites for protecting a .NET assembly, and other considerations to
take into account, see ".NET Considerations" on page 68.
When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature that
protects the entire assembly. For additional information, see "Global Features in .NET Assemblies"
on page 68.
In addition to the global Feature, you can define Features for individual methods. You can also
define other method-specific parameters. For additional information, see "Method-specific
Features and Parameters in .NET Assemblies" on page 69.
You can also apply different levels of obfuscation to your .NET assembly. For additional information,
see "Code and Symbol Obfuscation in .NET Assemblies" on page 71.
Protecting .NET Assemblies 68
.NET Considerations
When protecting .NET assemblies, consider the following issues:
n You must protect your assemblies in a development environment. Sentinel LDK Envelope
requires libraries that are not part of the .NET framework, but are included in the
development environment.
n Sentinel LDK Envelope for .NET requires access to all assemblies and their dependencies.
n Sentinel LDK Envelope breaks the strong name signature of signed assemblies. You can
choose to re-sign the assembly in Sentinel LDK Envelope, as part of the protection
process.
n When you protect a .NET Framework 1.x assembly, the Sentinel LDK Envelope output is in
Framework 2.0, requiring Framework 2.0 to be installed on the end-user machine.
n For your protected .NET assembly to function at run-time, a Sentinel LDK DLL is required.
For more information, see "Protection-related Software" on page 156.
Method-level Protection
When you select a .NET assembly for protection, Sentinel LDK Envelope automatically determines
the Protection type that will provide the best protection for your program, depending on whether
you are protecting an executable or a DLL. The Protection type determines the methods that are
available for individual protection.
It is recommended that you do not change the automatic Protection type settings.
This section describes how you select individual methods and the behavior of different method
types, in addition to the parameters you can select for the methods.
The .NET assembly is displayed in the Protection Details screen, in the Methods selected for
protection list. The list displays class constructors and methods, in a tree layout that mimics the
structure of the .NET assembly.
Items in the list are identified by icons that indicate the method type, and by the class or method
name. Method signatures are displayed as a tool tips.
When the check box to the left of a method is selected, that method is selected for Sentinel LDK
Envelope protection.
n Selecting or clearing the check box of a higher-level item does not affect nested
items. For example, if you clear the check box of a class constructor, methods
69 Chapter 4: Sentinel LDK Envelope Protection
You can use Sentinel LDK Envelope to define separate Feature IDs for individual methods in
your .NET assembly. This enables you to:
n Make use of the separate encryption key inherent in each Feature to provide enhanced
security for individual methods
n Determine how often the protected program logs into an individual method
At run-time, the protected program searches for all relevant Feature IDs in the Sentinel protection
key.
You can determine how often the protected program logs into each Feature ID in the
Sentinel protection key and performs decryption using that Feature ID by specifying the Frequency
for specific methods.
n You can only specify the Feature ID and Frequency for methods that have been
selected for protection.
n If the Protection type is Only Win32 shell or Only Windows x64 shell, you
cannot specify a Feature ID or Frequency for individual methods.
n You can select multiple methods and specify the same Feature ID and Frequency
for all selected items.
Frequency
Description
Type
Once per A check is performed the first time a method using the Feature ID indicated for that
program method is called, regardless of the number of methods that share the same
(Default) Feature ID across the program.
Once per A check is performed when the method is run, once for each Feature ID within the
class same class.
instance If the same Feature ID is also assigned to the class constructor, the check is
performed the first time the .ctor method is run.
If the same Feature ID is used in other classes, the check is performed separately
for each class.
The Once per class instance frequency is available only for Instance
methods.
Protecting .NET Assemblies 70
Frequency
Description
Type
Every time A check is performed every time the method is called
Recommendations:
n Use the Once per Application default setting. The Once per Instance and Every time
settings may slow the performance of your program.
n If a counter-based license is being defined, use the Every time setting only for the method
that determines licensing, as the counter is decremented every time the method is called.
If you choose to assign separate Feature IDs for individual methods, you must ensure that your
application code can only call the Feature IDs for those methods for which a valid license has been
installed in a Sentinel protection key.
If methods that do not have a valid license in a Sentinel protection key are called, it will cause
Sentinel LDK Envelope to generate an error loop that can only be stopped by installing a valid
license.
An API is provided as part of the Sentinel LDK installation that enables you to ensure that the error
loop does not occur. The API is located in …\Program Files\SafeNet
Sentinel\Sentinel LDK\Samples\Envelope\EnvelopeRuntime.NET. (For Windows x64, go to \Program
Files (x86)\...)
To prevent an error loop occurring if a method for which a license has expired or does not exist,
register a NotificationDelegate handler, as follows:
1. Include the Aladdin.HASP.EnvelopeRuntime assembly in your source code.
2. Select one of the following handlers, depending on the behavior that you require when the
handler is invoked.
Aladdin.HASP.Envelope.dll is not required for protected assemblies and does not have
to be distributed to your customers.
Using the custom attributes, you can define the following protection settings:
Sample
The following sample shows how protection settings can be applied in source code. The source
code comments are italicized.
using System;
using Aladdin.HASP.Envelope;
/// protection settings for this method are inherited from the settings of the class
public int Multiply(int a, int b)
{
return a * b;
}
}
}
n The protection definitions and defaults are based on those provided in the Sentinel LDK
Envelope GUI
n By default, static methods and methods that have a very small footprint are not
protected. To protect these methods, you must specify the protection settings at method
level in your source code.
73 Chapter 4: Sentinel LDK Envelope Protection
n Sentinel Vendor Suite, containing the Sentinel LDK Envelope command-line utility for Linux
and the Master wizard
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.
n The Linux executables and shared libraries that you want to protect. Both x86 and x86_64
ELF executables and shared libraries are supported.
Sentinel LDK Envelope can be used on a 32-bit or 64-bit platform to protect both 32-bit and
64-bit executables and shared objects.
Parameter Description
-c <config filename> Mandatory parameter for the name of the configuration file
-i <input filename> Optional parameter pointing to the input executable contained in
the application file bundle
-o <output filename> Optional parameter pointing to the output executable contained in
the application file bundle
-v <vendor code filename> Optional parameter for the Vendor Code used by the protected file
to access a required Sentinel protection key
-m <messages filename> Optional parameter for the file containing the definitions for
messages displayed to end users at run-time
Sentinel LDK Envelope configuration parameters are detailed in Envelope Project Settings for
Linux.pdf, available in the Docs folder in the Sentinel LDK for Linux installation and on the
Sentinel LDK installation DVD.
For Linux applications that were protected using Sentinel LDK Envelope: The installer for
the protected application should determine if libXaw libraries are present on the end user's
computer and, if not, install them.
Sentinel LDK Envelope for Mac Binaries 74
After protection parameters are defined and stored in the Sentinel LDK Envelope configuration file,
you activate Sentinel LDK Envelope using one of the following methods:
1. Using the command-line utility, specify the mandatory Sentinel LDK Envelope parameters,
then run Sentinel LDK Envelope using the default settings.
2. Open the Sentinel LDK Envelope configuration file and edit the settings as required. Using
the command-line utility, program the utility to parse the Sentinel LDK Envelope
configuration file, then run Sentinel LDK Envelope. The configuration file is called
envconfig.cfgx
When running the Sentinel LDK Envelope command-line utility, use either the command-
line switches, or the configuration file.
Several parameters defined in the configuration file can be overwritten by the optional arguments
listed in the following table.
Parameter Description
-v --vcf:<filename> Vendor Code file
-f --fid:<id> Feature ID. If no Feature ID is specified, default Feature ID will be used.
-b --bgchk:<time> Enables background checks. Time is in seconds. (0 = off, default = 300)
-e --enclevel:<level> Encryption level. (1–5, default = 4)
-c --cfg:<file> Sentinel Envelope configuration file for Linux
-m --msg:<file> Message file
-m --msg-out:<val> The message output mode at run-time.
n 0 = no message output
n 1 = GUI
n 4 = console
n 5 = GUI and console (default = 1)
-m --wchar Writes run-time errors as wide character strings. Required when you
specify that messages will be output to a console (values 4 or 5 in the
previous switch).
-h --help Displays help screen
-q --quiet Specifies that only error and warning messages are displayed
Before using Sentinel LDK Envelope for Mac, it is recommended that you familiarize yourself with
the general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is
provided at the beginning of this chapter.
n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master wizard
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 52.
n The Mac binaries that you want to protect
All parameters and procedures are detailed in the Sentinel LDK Envelope help system.
Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is provided at the
beginning of this chapter.
Protection of your software is performed on a Windows machine, after which you distribute the
protected software together with the appropriate Java run-time libraries for the end-user
operating system—Windows, Mac, or Linux.
Java applications that have been obfuscated, or protected using third-party tools, are not
supported by Sentinel LDK Envelope.
Java Considerations
When protecting Java executables, consider the following issues:
n The methods selected for protection by Sentinel LDK Envelope by default are not the
optimal choices for your application or library. You must review and modify the list of
selected methods to provide the best mix of security and performance. For more
information, see the description of optimizing protection settings in the Sentinel LDK
Envelope help system.
n Sentinel LDK Envelope does not support protection of Java paint methods, but it allows
you to select them in the user interface. As a result, the protected program may cause a
deadlock when it executes a protected paint method at runtime with no
Sentinel protection key connected. To prevent this issue from occurring, you can deselect
all paint methods. Note that paint methods do not usually contain application logic;
therefore, deselecting them typically has no impact on security. As an alternative, you can
select console output for messages by enabling stderr output instead of windows in the
Advanced settings panel.
n When you test Sentinel LDK Envelope for the first time with your application, it is
recommended that you clear the default selection and start with the protection of a single
method that you want to protect. After you protect the method, test your application. If
the application works as expected, continue to protect additional methods and test after
each addition until you have reached the desired protection selection for the application.
Do not try to apply this selection to different applications.
Before your JAR/WAR archive is protected, include the following customized Sentinel Licensing API
dynamic libraries with the archive:
Sentinel LDK Envelope enables you to define the following additional properties for Java
executables:
n The compression level of protected classes.
n The time interval between checks for the presence of a required Sentinel protection key.
All parameters and procedures are detailed in the Sentinel LDK Envelope help system.
5
Chapter 5:
Protection Strategies
Sentinel LDK provides the best hardware and software tools available in the market today. The
contribution that Sentinel LDK can make to the protection of your software and intellectual
property has already been well documented in the previous chapters. However, it is the strength
and sophistication of the strategies that you employ in partnership with Sentinel LDK that will
truly maximize your software protection.
In this chapter:
n "Overview" on page 78
n "General Protection Guidelines" on page 79
n "Types of Attack and Their Sentinel LDK Defense" on page 80
Overview
Parallel with advances in software and software security development, software crackers are
developing more sophisticated means of deconstructing software protection measures—in order
to duplicate and distribute illegal copies of unlicensed software—and to reverse engineer code in
order to steal intellectual property.
To maintain the rights to your revenue stream, it is essential that you remain vigilant about the
strategies of your “enemies”, and that you continually and wisely implement the latest and
strongest techniques for protecting your software.
The degree of investment that you make in limiting the ability of software crackers to illegally
access your software will depend on a number of considerations, including:
n The value of your software
n The history of previous cracking attempts related to your software
n The geographical region in which your software will be distributed
n The target market for your software (for example, whether it is intended to be sold to
individual consumers, small office/home office users, or enterprise users)
There is no software protection that is absolutely uncrackable. However, if you constantly
implement up-to-date strategies using the strongest software protection methods, you
significantly decrease your vulnerability to such attacks.
79 Chapter 5: Protection Strategies
This chapter describes general protection strategies for software vendors. It then outlines some of
the methods that software crackers employ in order to identify and negate software protection
and security, and recommends Sentinel LDK measures that you can use to enhance your software
security.
In addition to the information described in this manual, our team of SafeNet Consultants provides
personalized assistance in strengthening software security and protection. They can provide help
on a wide range of issues, including additional protection strategies and implementation
techniques.
For information on consultation services offered by SafeNet, contact your local SafeNet
representative.
Protection software updates generally include enhancements to counter the most recent threats.
Always check for and use the most recent version of Sentinel LDK protection software that is
available. The latest software can be downloaded from the Sentinel Web site, at www.safenet-
inc.com/SentinelLDK/InstallationDVD.
Constantly Re-evaluate Protection Strategies
Frequently consider what protection strategies you can upgrade or enhance to provide stronger
security for your software.
Use Evolving Strategies to Prevent Predictability
Vary the strategies that you implement between your software releases. If a software cracker is
able to detect a pattern to your protection strategies, the strategies can more easily be negated
or evaded.
Vary Behavior when Cracking Attempt is Detected
When a cracking attempt is detected (for example, through using a checksum—described later in
the chapter), delay the reactive behavior of your software, thus breaking the logical connection
between “cause” and “effect.” Delayed reaction confuses a software cracker by obscuring the link
between the cracking attempt and the negative reaction of the software to that attempt.
Behavior such as impairing program functionality when a cracking attempt is detected can be very
effective. Additional behaviors could include causing the program to crash, overwriting data files,
or deliberately causing the program to become inaccurate, causing the program to become
undependable.
Types of Attack and Their Sentinel LDK Defense 80
Sentinel LDK Solution
The more files that are protected, the longer it takes a software cracker to remove protection. You
can protect multiple executable and DLL files using Sentinel LDK Envelope. You can also use the
Data Encryption facility of Sentinel LDK Envelope to encrypt and protect data files.
Sentinel LDK Solution
In the context of Sentinel LDK, Read-only memory (ROM) is a segment of the memory that can
contain data that the protected application can access, but cannot overwrite. Sentinel protection
keys contain two ROM segments, one of which contains Sentinel LDK Feature-based licenses. The
second segment provides an area in which vendor-customized data can be stored. These
segments can only be updated using remote updates.
Sentinel LDK automatic Feature-based licenses utilize read-only memory of Sentinel protection
keys. The different types of available licenses are sufficient for almost any licensing model.
You can customize your own licenses and still use a ROM segment in a Sentinel protection key’s
memory. Note however that licenses that have been customized must remain static (for example,
such licenses cannot include a decremented number of executions).
For additional information about licensing models, see "PART 5 - LICENSING MODELS" on page
178.
81 Chapter 5: Protection Strategies
Sentinel LDK Solution
Sentinel LDK provides a secure channel between an application and the Sentinel HL key. Data that
passes between the protected application and the key is encrypted. Taking advantage of the
secure channel functionality between your application and a Sentinel HL key provides you with the
strongest possible protection.
A different encryption key is used in every session. This means that someone recording data
passing through the secure channel cannot replay the data, since the encryption key used to
encrypt the data will differ from that used to decrypt the data.
Sentinel LDK Solution
Sentinel LDK Solution
Sentinel HL keys are each unique and have their own ID. Keys that are in the same batch and
behave identically are each uniquely encrypted, the key’s customized controller and memory
forming a unique locked pair. This means that if the memory of one Sentinel HL key is copied to
another Sentinel HL key, the second key will not function.
Clock Tampering
Clock tampering relates to either the system clock of the machine on which the protected
software is running, or to a real-time clock contained in keys. The software cracker resets the time
Types of Attack and Their Sentinel LDK Defense 82
Sentinel LDK Solution
Maximize security by using the Sentinel Licensing API to implement calls to a Sentinel protection
key, and protect the application with Sentinel LDK Envelope. Using one protection method does
not preclude the use of the other.
Inserting many calls, throughout the code, to the Sentinel protection key in order to check the
presence of the key, and binding data from the key with the software functionality, frustrates
those attempting to crack your software. Multiple calls increase the difficulty in tracing a
protection scheme.
You can also add obstacles to a potential software cracker’s progress by encrypting data that has
no bearing on the application. Similarly, you can divert attention by generating “noise” through
random number generators, time values, intermediate results of calculations, and other
mechanisms that do not lead to meaningful results or actions.
Encryption and decryption processes are performed inside a Sentinel protection key, well beyond
the reach of any debugging utility.
Encrypting data with the Sentinel LDK AES-based encryption engine considerably enhances
software security. By encrypting data used by your application, the decryption process depends
on both the presence of a Sentinel protection key and its internal intelligence.
By implementing a Sentinel Licensing API scheme in which data is decrypted by a
Sentinel protection key, the association between the protected application and the
Sentinel protection key cannot easily be removed. Cracking the software also necessitates the
software cracker decrypting the data.
Compare the value in the executable file with a checksum stored in Sentinel protection key
memory. If the two values are not equal, you can assume that someone has attempted to modify
the files. Repeat this check in various places in the code, varying it in each place to make it more
difficult for a software cracker to detect.
6
Chapter 6:
Working with the Sentinel LDK Data
Encryption Utility
This chapter describes data file protection using the Sentinel LDK Data Encryption utility.
In this chapter:
n "Introduction" on page 84
n "Data Encryption Prerequisites " on page 86
Introduction
The Sentinel LDK Data Encryption facility enhances the default Sentinel LDK Envelope protection by
injecting a protected program with the ability to encrypt and decrypt specified data files. The
protected application can write encrypted data to external files and read the encrypted data back.
In addition, you can also use the standalone Data Encryption utility to encrypt data files that you
want to secure and distribute with your protected application. These files can be read later by the
protected application. Decryption occurs when a data file is opened and encryption occurs when a
data file is saved.
The ability to implement Sentinel LDK Data Encryption functionality is enabled at the time your
application is protected using Sentinel LDK Envelope. The types of files that are to be encrypted
and decrypted are specified at that time.
Sentinel LDK Data Encryption utility generates data files that can be processed by programs
protected by Sentinel LDK Envelope. After a specific set of data files has been encrypted, those
files can be accessed by Sentinel LDK Envelope.
An application that has been protected using Sentinel LDK Envelope contains the Data Encryption
facility. This facility enables the protected application to read and write encrypted data to an
external file. You can use the Data Encryption utility to provide an initial encrypted application
data file that is installed together with the protected application.
The following diagram illustrates how application data is initially encrypted, and then used by the
protected application.
Supported Functionality
The Sentinel LDK Data Encryption utility has a conveniently designed interface that manages all
aspects of data encryption projects. The interface enables you to:
n Open Sentinel LDK Envelope projects and list the programs they contain
n Edit existing Data Encryption projects
n Add files or directories for data encryption
n Encrypt data files and directories for specific programs protected by Sentinel LDK Envelope
n View and save encryption process logs
n Access all Sentinel Vendor Suite applications and the Sentinel Web site
87 Chapter 6: Working with the Sentinel LDK Data Encryption Utility
Modifying Input
Data files are subject to regular modification. The design of the Data Encryption utility anticipates
the requirement to regularly update data file content. After you have encrypted modified data
files, they can only be accessed if a specific Sentinel protection key is detected.
PART 3 - LICENSING
In this section:
This chapter provides an overview of Sentinel EMS and the major processes it facilitates. It also
describes the user roles and their functions in Sentinel EMS, lists its prerequisites, and explains
how to start using the application.
An alternative to Sentinel EMS, the Sentinel License Generation API, is also described.
In this chapter:
Sentinel EMS Overview
Sentinel EMS is a powerful role-based application designed to manage the business activities
required to implement and maintain Sentinel LDK in your organization.
Sentinel EMS streamlines the major workflows in the licensing lifecycle of a protected software
application, from the moment it is developed, through its packaging, marketing, selling, and
order-taking, to its distribution and upgrading.
Sentinel LDK separates the software protection process (implemented with Sentinel Licensing API
or Sentinel LDK Envelope) from the licensing and production processes (implemented with
Sentinel EMS), enabling you to modify your company’s licensing strategy as necessary when
circumstances change, and to implement these changes quickly and efficiently.
License Planning
You can make changes to your licensing plan and license models at any time, adding
Features and Products as required.
For additional information on preparing a licensing plan for use with Sentinel LDK, see "Chapter 8:
Preparing Your Sentinel LDK Licensing Plan " on page 98.
For a description of the many types of model licenses you can implement using Sentinel LDK, see
"PART 5 - LICENSING MODELS" on page 178.
For additional information on defining Features and Products in Sentinel EMS, see "Chapter 9:
Implementing Your Sentinel LDK Licensing Plan" on page 108.
Staff in your organization’s orders department receive and fulfil entitlements. An entitlement is an
order for Sentinel LDK items, and can be one of the following:
n An order for Products to be supplied with one or more Sentinel protection keys
n A Protection Key Update that specifies changes to be made to the license terms and/or
data stored in Sentinel protection keys that have already been deployed
Order processing personnel process the entitlement details using Sentinel EMS. The license terms
of each Feature in the ordered Products may be specified when the Product is defined, or when
the entitlement is processed.
When all the details of an entitlement have been defined, the entitlement can be produced. The
Product details, including the license terms and memory data, are stored in the specified
Sentinel protection keys at the production stage or when the Product is activated, and can be
updated after the keys have been deployed.
For additional information on processing and producing entitlements in Sentinel EMS, see
"Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.
Sentinel EMS Users and User Roles 92
Product activation and online updates are performed using Sentinel EMS when your software is at
the end user’s site.
Product Activation with Sentinel SL Keys
With Sentinel SL keys, the software is only activated and usable after the following steps are
completed:
1. A Product Key is produced in Sentinel EMS and supplied to the end user.
2. The end user sends the Product Key to Sentinel EMS for validation.
3. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.
Online Updates
Sentinel LDK passwords are case-sensitive, so ensure that you use upper-case and lower-
case letters correctly when you type your password.
If you are evaluating Sentinel EMS, you can use the DEMOMA Batch Code provided, which
does not require a Sentinel Master key.
n You must define user names, passwords, roles, and batch access for each Sentinel EMS
user, and also for yourself. For additional information, see "Maintaining User Details " on
page 141.
A default user name and password is provided with Sentinel LDK to enable you to log in to
Sentinel EMS as the Sentinel LDK Administrator. The default user name and password is
admin .
For additional information on the Sentinel LDK administration tasks and options in Sentinel EMS,
see "Administration Tasks" on page 140.
The Sentinel EMS Home screen provides a snapshot of the current status of important
information in Sentinel EMS. The information relates to all the Batch Codes for which the current
user has authorizations.
To return to this screen at any later time, click the Home tab.
The functions that each user sees on the Function bars will vary based on the roles that are
assigned to the user.
Sentinel EMS Screen
When you select any of the Function bars, the Sentinel EMS screen is displayed.
Sentinel License Generation API 96
The functions that each user sees on the Function bars will vary based on the roles that are
assigned to the user.
EMS. All the required services are provided by the system that you choose to implement. You
would use Sentinel LDK only to handle the protection and Feature-control functions for your
applications.
Sentinel License Generation API is included in Sentinel LDK ToolBox. Documentation for the API is
included in the ToolBox help system.
To generate licenses, the Sentinel Master key must be connected to the machine where
the program that calls Sentinel License Generation API is running. License generation
cannot be performed over RDP (that is, over a remote connection to the system where the
Master key is connected).
8
Chapter 8:
Preparing Your Sentinel LDK
Licensing Plan
Before you start to use Sentinel EMS in your organization, you may want to prepare a detailed
licensing plan for use with Sentinel LDK. Although it is recommended that you prepare a licensing
plan, it is not a prerequisite for using Sentinel EMS. Licensing decisions can be implemented or
modified at any point.
This chapter outlines the importance of licensing your software products, describes the licensing
options provided by Sentinel LDK, and suggests how you might prepare a detailed licensing plan
for use with Sentinel EMS.
In this chapter:
This chapter provides high-level information about Sentinel LDK licensing options. For
detailed practical instructions for implementing the licensing options in Sentinel EMS, see
the Sentinel EMS help system.
Licensing Overview
"PART 2 - PROTECTION" on page 42, in this Guide explained in detail how to protect your
software and intellectual property. In addition to protecting these valuable assets, it is essential
that you protect your company’s revenue by ensuring that your software is available only to the
appropriate users, according to the terms that you define. This process is controlled by licensing.
99 Chapter 8: Preparing Your Sentinel LDK Licensing Plan
Licensing provides you with the flexibility to implement your business strategies for the sale and
distribution of your software products. You define the licensing terms with which your software is
distributed or sold according to your decisions about what is commercially beneficial to your
company.
For example, you may decide that you initially want to distribute your software free of charge, so
that users can try it before purchasing. You will want to ensure that users can use it for only a
limited time before it must be purchased.
Alternatively, you may publish very complex, expensive software. You may decide to make specific
components of that software available for a lower price, thus making parts of it accessible to users
who cannot afford the full-featured version.
The versatility of Sentinel LDK enables you to implement a wide variety of licensing models. For
more information on the many models you can apply to your software offering, see "PART 5 -
LICENSING MODELS" on page 178.
You can define additional licensing models and software usage terms to meet your company’s
individual requirements.
It is recommended that you prepare a licensing plan before you start to use Sentinel LDK to
streamline the implementation of your company’s licensing strategy. Your Sentinel LDK licensing
plan should be based on the detailed licensing requirements that you define for all the protected
software applications to be sold by your company, and/or distributed for trial use.
Preparing Your Licensing Plan 100
The process of preparing a Sentinel LDK licensing plan can include the following steps:
1. Analyzing all the relevant software applications and identifying each functional component
that can be licensed individually.
2. Combining these components into licensed entities that can be offered to customers.
3. Deciding which Sentinel protection keys you want to supply with your software
applications.
4. Specifying the detailed licensing terms to be applied, according to your licensing strategy.
The output of such a process is a comprehensive licensing plan that can be implemented using
Sentinel EMS.
You can make changes to your licensing plan and license models at any time.
Scenario: The Product Manager of High Quality Software Ltd. (HQ Software), a company providing
design software for the construction industry, identifies the specific functional components that
the company wants to license, and assigns a Feature name to each component.
The following table lists the defined functional components and the Feature names assigned to
each component:
In Sentinel LDK, a collection of one or more licensed Features that can be sold as an item is
referred to as a Product. Products can differ from each other, not just in the Features that they
contain, but also in the license terms specified for each Feature.
Your licensing plan can contain the names of all the Products that your company wants to sell
and/or distribute for evaluation, and the Features that each Product includes.
In Sentinel LDK, you have full control over the specific Products you define, the Features they
include, and the license terms assigned to each Feature in each Product.
Scenario: The HQ Software Product Manager decides to define a trial Product intended for
distribution to customers who want to evaluate their software. This Product, HQ Design Demo,
includes only the VIEW and PRINT DESIGNS Features.
In addition, the company defines:
n A Product intended for small-office customers, HQ Design Lite, offering the Features
included in HQ Design Demo, with the addition of DRAW and SAVE
n A Product targeted towards larger customers, HQ Design Pro, that offers all available
Features
(The REPORT GENERATOR Feature has not yet been fully developed and is not currently included
in the HQ Design Pro Product. This Feature is planned for a future release.)
Sentinel HL key protection provides the strongest level of protection against piracy. The correct
functionality of the software depends on the internal logic of the Sentinel HL key, which is virtually
tamper-proof.
In addition, Sentinel HL key protection:
n Offers the strongest enforcement for license terms, which are stored and protected inside
the Sentinel HL key.
n Enables portability—the software can be used on any computer to which the Sentinel HL
key is connected.
n Does not require transaction with the software vendor to enable activation of the
Product.
n When using a network license that is locked to a Sentinel SL key, you can specify that a
license can be detached from the pool of network seats and attached to a remote
recipient machine.
W ARN I N G
A P r oduc t that c an be distr ibute d w ith both HL and SL ke ys is alw ays supplie d
w ith the SL ke y-le ve l of pr ote c tion, e ve n w he n it is shippe d w ith HL ke ys.
Scenario: The HQ Software Product Manager decides to specify the following license terms for its
three Products:
n A trial period of 30 days for the PRINT and VIEW Features in its HQ Design Demo Product
n A low-cost annual rental license for the DRAW and SAVE Features in the HQ Design Lite
Product, with unlimited usage for the PRINT and VIEW Features
n A more costly, full-featured license for the HQ Design Pro Product that specifies unlimited
usage for all Features
The following protection levels are defined for each of the Products:
105 Chapter 8: Preparing Your Sentinel LDK Licensing Plan
The following table summarizes the three Products, their protection levels, and their licensed
Features:
Memory data can be defined for each Product. The contents of the memory are transferred to the
secure memory of the selected Sentinel protection keys together with the Features, license terms
and other data defined for the Product.
You can add any specific data that is required to be stored in memory for each Product to your
licensing plan.
For additional information on implementing and maintaining your licensing plan, see "Chapter 9:
Implementing Your Sentinel LDK Licensing Plan" on page 108.
Sentinel LDK offers you the flexibility to update your licensing strategy as necessary, and to adapt
rapidly to changes in the market, in your company’s business strategy, or in customer purchasing
preferences.
9
Chapter 9:
Implementing Your Sentinel LDK
Licensing Plan
This chapter is intended for Sentinel EMS users who are assigned the Product Management role.
It describes how to use Sentinel EMS to define and manage Features and Products in Sentinel LDK,
and to maintain Products and licenses as circumstances change.
For information on preparing a licensing plan and on Sentinel LDK licensing options, see "Chapter
8: Preparing Your Sentinel LDK Licensing Plan " on page 98.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 7: Introduction to Sentinel EMS" on page 90.
In this chapter:
This chapter provides high-level information on license planning and definition processes.
For detailed practical instructions for using each function in Sentinel EMS, see the
Sentinel EMS help system.
All Sentinel LDK Features and Products are associated with a Sentinel LDK Batch Code. For
additional information on Batch Code, see "Personalized Vendor and Batch Codes" on
page 36.
Managing Features
When you display the Features screen in the Sentinel EMS window, you can view the details of all
defined Features associated with the selected Batch Code. You can perform the following tasks
using the Features screen in Sentinel EMS:
n Define Features
n Withdraw Features from use
Defining Features
If you have prepared a licensing plan, the first stage in its implementation is to use Sentinel EMS
to define all the Features that you listed in the plan.
Before you begin to define Features, ensure that you have the following information available for
each new Feature:
n The Batch Code associated with the Feature
n A Feature Name that is unique in the selected batch (mandatory). The maximum length
for a Feature Name is 50 characters.
n A free-text description that provides additional information about the Feature (optional)
n The ID number that you want to assign to the Feature (optional). The ID must be unique
in the selected batch. The same Feature ID may be used in more than one batch.
Managing Products 110
After you have defined a Feature, and until the Feature is included in a Product, you can change
these properties in Sentinel EMS. After the Feature has been included in one or more Products,
you can open the Feature to view its details, but you cannot change them.
License terms are Feature-specific in Sentinel LDK. However, they are not defined as part of
the Feature properties. The license terms for a Feature are specified when the Feature is
added to a Product, or when the Product is added to an entitlement. This is because the
same Feature may be included in a number of Products, and the license terms for the
Feature may vary according to the requirements of the Product or of the entitlement.
Feature Identification
By default, Sentinel EMS generates a unique Feature ID for each new Feature. You can assign your
own numeric identifier to the Feature, for example, to maintain consistency with existing Feature
data. The Feature ID that you specify must be unique in the selected batch.
After you have defined the Features for a selected batch, users authorized to perform
Development tasks can transfer the Feature data to a file that can be used for development and
protection purposes. For more information on transferring Feature definitions, see "Exporting
Definition Data" on page 137.
When a Feature is first defined, you can edit the Feature and modify any of its attributes,
including the Feature Name and Feature ID.
Once the Feature has been included in one or more Products, the Feature Name and Feature ID
can no longer be modified.
Deleting Features
If the Feature has not been included in any Product, you can delete it. A Feature cannot be
deleted once it has been deployed in at least one Product.
Managing Products
When you display the Products screen in the Sentinel EMS window, you can view the details of all
defined Products associated with the selected Batch Code.
111 Chapter 9: Implementing Your Sentinel LDK Licensing Plan
You can perform the following tasks using the Products screen in Sentinel EMS:
n Define new Base Products
n Define new Provisional Products
n Copy existing Products
n Define new Modification Products
n Define Cancellation Products
n Open a Product to view or modify details
n Withdraw Products from use
n Restore Products that have been made obsolete
n Delete a Product
You cannot modify license terms for a Product or delete a Product that has been fully
defined (with the Complete status).
After a Product has been defined, it can be included in orders. For additional information on
processing orders, see "Defining Entitlements" on page 124.
Until the Product is included in an order, you can change the Product properties, Features, and
memory contents in Sentinel EMS. After the Product has been included in at least one order, you
can open the Product to view its details. However, you cannot make any changes.
The only changes that can be made after a Product is included in an order are those related to
licensing terms and memory data that have been previously specified as definable at order time,
and these changes are made when the order is being processed.
Product Types
The basic unit on which all Products are built is the Base Product. A Base Product can contain all
the Product attributes such as Features, licensing data and memory—and can be used as a
Product that you offer for sale, and/or as a “shell” on which other Product types are built.
You can define Provisional Products for use during a grace period or as trialware. A Provisional
Product can also be defined with a perpetual license for distributing Unlocked Products. The
properties for Provisional Products are not identical to those for standard Products. For additional
information, see "Defining Provisional Products" on page 116.
You can copy an existing Product to create a new Product. For additional information, see
"Duplicating a Product" on page 117.
You can define Modification Products and Cancellation Products to modify or cancel Products
that have been deployed at customer sites. For additional information, see "Maintaining Products
and Licenses" on page 117.
When you define a Product, you must select a locking type. The locking type determines:
n The level of protection for the Product
n The type of Sentinel protection keys that can be shipped with the Product
n The way that the Product can be activated
113 Chapter 9: Implementing Your Sentinel LDK Licensing Plan
The locking type options are described in "Choosing the Protection Level for Your Products" on
page 101
This section describes the protection of your protected application against attempts to clone the
physical or virtual machine on which the protected application is installed.
One of the methods sometimes employed to enable the illegitimate use of licensed software is
machine cloning. Machine cloning involves creating an image of one machine (including your
software and its legitimate license) and copying this image to one or more other machines. If
there is no way to detect that the new image is running on different hardware than that on which
it was originally installed, multiple instances of the software are available even though only a
single license was purchased.
Sentinel LDK can detect probable machine cloning and disable protected software that is locked to
Sentinel SL keys. Clone detection is effective whether the protected software is installed on a
physical machine or on a virtual machine.
When software is locked to a Sentinel HL key, the physical key must be present in order
for the software to run. Even if a machine image, including your software, is cloned, the
software cannot run without the Sentinel HL key to which the software license is locked.
n During protection of your software, use the Sentinel Licensing API to define how your
application should behave when machine cloning is detected. For example, the application
might display a message telling the end user that the software is disabled due to clone
detection and that they should contact your customer services team.
If you use only Sentinel LDK Envelope for applying protection, (that is, without
incorporating any additional software engineering), software that is disabled due to
detection of cloning will return the following message to the end user: Unknown error.
H64
1. When Sentinel EMS detects cloning via the C2V file, it disables the protected application on
the end user's machine.
2. To enable the protected on the end user's machine, the end user must send a new
fingerprint for machine. This fingerprint can be generated with the RUS utility, or with the
hasp_get_sessioninfo() function in Sentinel Licensing API. Use the fingerprint to generate a
new entitlement for the end user.
Additional Information about Clone Protection
n If you attempt to check in a C2V file, and Sentinel EMS detects that the C2V is from a
cloned machine, you cannot check the file into the Sentinel EMS database. Similarly, you
cannot use a C2V file from a cloned machine to create a license update.
You can click View Details in the Check in Key screen to view details of the C2V if required.
When you include a Feature in a Product, the following default license terms are assigned:
n License type: Perpetual
n Number of concurrent instances: Unlimited
To specify the required license terms for the Feature, you can:
n Select a different license type:
o Expiration Date
o Executions
o Time Period
115 Chapter 9: Implementing Your Sentinel LDK Licensing Plan
If the Feature is intended to be used on a network, virtual machine, or remote desktop, you can
specify the number of concurrent instances allowed, and you can select how concurrent instances
are counted:
n Station: Each login request for a single machine is counted as an instance (default)
n Login: Each login request is counted as an instance
n Process: Each login request for a single process is counted as an instance
If the Feature is in a Product that will be locked to a Sentinel SL key, and is defined to be used on
a network, you can specify that the license is allowed to be temporarily detached from the
network pool. This means that the license can be attached to a remote recipient machine that is
not connected to the network, to enable a user to work offline.
If required, you can specify that a user working in Remote Desktop (terminal machine) mode can
access the license. Similarly, you can specify that the license for a Feature in a Product that will be
locked to a Sentinel SL key can be enabled to run on a virtual machine.
If you choose to make a Feature excludable, you enable the decision about whether the Feature is
to be included in a specific order to be made at the time the order is being produced.
You can leave the value for the license type undefined at this stage, and specify that the exact
value will be defined when each order for the Product is processed.
Similarly, you can specify that the number of concurrent instances will be defined when an order
for the Product is processed.
The above license term options do not apply to Provisional Products. For additional
information, see "Defining Provisional Products" on page 116.
When you define a Product in Sentinel EMS, you can define the layout and contents of the
memory data associated with the Product.
You can define areas (segments) in Protection Key memory and enter data into them as required.
You can also specify that data is entered in one or more of the memory segments at order time.
You can select different colors for each segment to make it easy to identify them, and you can
redefine the data and the layout as required.
You can select the memory type for each segment that you define, according to the type and
purpose of the data you want to store:
n Read/Write Memory: Data that can be updated when the deployed, protected program is
running, such as dynamic values for counters, or information retrieved during interaction
Managing Products 116
The memory in the protection key is shared by all Products in the key. When you allocate
memory for a Product: Make sure that the memory space does not conflict with memory
space for any other Product that may be protected with the same protection key.
The data defined in memory is written to the secure memory of the Sentinel protection keys
together with the Features, license terms and other data defined for the Product.
Product to be distributed any longer. Once the Product has been included in an entitlement
("Deployed"), the license terms can no longer be modified.
End of Life - The Product cannot be included in an entitlement. The Product's license terms
cannot be modified. However, if you edit and save the Product, its status changes back to
Complete and the Product can again be included in an entitlement.
Duplicating a Product
After you have defined a Product, you can easily define additional Products with similar details,
using the Copy option in Sentinel EMS. This option creates a new Product using the defined
properties, Features, and memory contents of the original Product, and enables you to make any
changes you require, with the exception of changing the Base Product or the Product locking
type.
Withdrawing a Product
At some stage, you may want to withdraw a selected Product from use and specify that it can no
longer be included in orders, for example, if it is being replaced by an updated version.
If the Product has the status Draft, you can delete it. A Product cannot be deleted once it has
been assigned the status Complete. You can, however, withdraw the Product from use by
marking it as End of Life.
A withdrawn Product cannot be added to entitlements, but its details are maintained in
Sentinel EMS for tracking purposes, and it continues to be functional when already at the end
user’s site.
Restoring a Product
A Product whose status is End of Life can be restored to the Complete status. A restored Product
can be used in the same way as any other Product.
You can define several Modification Products for the same Base Product, with different Features,
memory and/or license terms.
You can also define Modification Products based on an existing Modification Product.
Before you start to define a Modification Product, ensure that you have the following information
available:
n The name of the Product that is being modified
n The Batch Code associated with the Product that is being modified
n A Product Name that identifies the Modification Product and is unique in the selected
batch (mandatory). The maximum length for a Product Name is 50 characters.
n A description (free text) that provides additional information about the Modification
Product, for example, the changes it includes (optional)
n The details of the required changes, including Features to be added or removed, memory
and license term updates, or any combination of these.
To change the license terms for each Feature in the Modification Product, you can:
n Change the value for the license type by adding or subtracting days or number of
executions
119 Chapter 9: Implementing Your Sentinel LDK Licensing Plan
You can leave the license type value and the concurrent instances settings unchanged at this
stage, and specify that they will be changed when each individual order for the Modification
Product is processed.
Scenario: When the Product Manager of HQ Software originally defined the HQ Design Pro
Product (in the example "Example: Specifying License Terms and Protection Levels " on page 104),
the REPORT GENERATOR Feature was not yet available.
This Feature has now been developed, tested, and protected, and has been included in an
enhanced version of HQ Design Pro (v.2.0). This version of the Product is ready for sale to new
customers, and can also be issued to customers who hold current licenses.
Accordingly, the Product Manager for HQ Software defines a Modification Product for the HQ Design
Pro Product, named HQ Design Pro v.2.0.
When the Modification Product is defined, the REPORT GENERATOR Feature is added to the
Product, with the same license terms as for the other Features.
Modification Products can be included in orders in the same way as the original Products.
For example, if the Modification Product is intended to replace the Product in Sentinel protection
keys that have already been deployed, it can be included in a Protection Key Update order. When
the Protection Key Update is applied, the data for the Modification Product is added to the data
for the original Product in the Sentinel protection keys.
For additional information on defining and producing orders, see "Chapter 10: Sentinel LDK
Entitlements, Production, and Development Tasks" on page 122.
The process of canceling the license terms of a specific instance of a Product can include the
following stages:
1. When the original Product needs to be cancelled, a Customer-to-Vendor (C2V file) is
requested from the customer, containing the required license information.
2. An order for the Cancellation Product is defined and produced.
3. If the Product license is being moved to another computer, a new order for the original
Product is produced with the appropriate details.
4. The changed license information is sent to the customer.
5. An acknowledgement receipt is returned by the customer when the change has been
implemented.
For additional information on C2V files and on defining and producing orders, see "Chapter 10:
Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.
Before you start to define a Cancellation Product, ensure that you have the following information
available:
n The name of the Product to be cancelled
n The Batch Code associated with the Product to be cancelled
n A Product Name that identifies the Cancellation Product and is unique in the selected
batch (mandatory). The maximum length for a Product Name is 50 characters.
n A description (free text) that provides additional information about the Cancellation
Product, for example, the reason it is required (optional)
n The Features to be cancelled
The options for defining the license terms for a Cancellation Product are exactly the same as for a
Modification Product. For additional information, see "Specifying License Terms and Memory for a
Modification Product" on page 118.
Scenario: A new customer, TOP Construction, purchased a one-year rental license for the
HQ Design Lite Product. After three months, the customer wants to cancel the license and receive
a refund.
HQ Software defines a Cancellation Product for the HQ Design Lite Product, with the license terms
cancelled for all the Features in the Product. This Cancellation Product is only defined once—it can
subsequently be used whenever required in similar circumstances.
TOP Construction is asked to send a Customer-to-Vendor (C2V) file. The file is received and
processed in Sentinel EMS.
A Protection Key Update order is defined and produced for the HQ Design Lite Cancellation
Product. The resulting Vendor-to-Customer (V2C) file containing the changed license details is sent
121 Chapter 9: Implementing Your Sentinel LDK Licensing Plan
to TOP Construction. TOP Construction applies the V2C file, then generates and returns a C2V file,
confirming that the license cancellation has been applied. HQ Software then issues a refund.
For additional information on C2V and V2C files, and on defining and producing orders, see
"Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks" on page 122.
10
Chapter 10:
Sentinel LDK Entitlements,
Production, and Development Tasks
The first part of this section is intended for users assigned the Entitlement Manager and
Production roles in Sentinel EMS. It describes how to use Sentinel EMS to manage and produce
entitlements (customer orders).
The final part of this section is intended for users assigned the Development role. It describes how
to use Sentinel EMS to perform development-related tasks, including generating bundles of
Provisional Products and Sentinel LDK Run-time Environment installer files, and exporting
definition files.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 7: Introduction to Sentinel EMS" on page 90.
In this chapter:
For entitlements that generate Product Keys, the customer receives an email from Sentinel EMS
that contains the keys. The customer is able to log in to the EMS Customer Portal using the
Product Key in order to activate the Product.
After Features and Products have been defined in Sentinel EMS, entitlements can be processed
and produced using the Production group of functions, including:
n "Managing Entitlements " on page 123
n "Producing Entitlements" on page 131
n "Performing Development-related Tasks" on page 135
The specific Sentinel EMS functions you can access in the Production group of functions depend
on the role assigned to you, as follows:
n If you have been assigned the Entitlement Manager role, you have access to both the
Order Management and the Customer Services functions
n If you have been assigned the Production role, you have access only to entitlement
production functions
n If you have been assigned the Development role, you have access only to the
Development functions
Managing Entitlements
This section is intended for users assigned the Entitlement Manager role.
When you select the Entitlements > Entitlements tab in the Sentinel EMS window, you can view
the details of all entitlements associated with the selected Batch Code.
Managing Entitlements 124
For additional information on Batch Codes, see "Personalized Vendor and Batch Codes" on
page 36.
Defining Entitlements
Before you start to define an entitlement for a customer in Sentinel EMS, ensure that you have
the following information available:
n Details of the customer who placed the order (optional)
n The Products to be included in the entitlement
n The required values to specify in the entitlement for any license terms that were not
specified in the Products
n The production requirements, according to the type of entitlement:
o Entitlement for Sentinel HL keys
o Entitlement for Product Keys
o Entitlement for Protection Key Update
n Additional entitlement information (optional)
When you define the entitlement in Sentinel EMS, you can specify the customer who placed the
order. You can search for an existing customer, using the customer name or other identifying
details, or you can define a new customer.
You can also define a new customer using the Customers page.
An entitlement can contain one or more Products. All Sentinel LDK Products are associated with a
Sentinel LDK Batch Code. You select the Batch Code before you create a new entitlement.
Provisional Products (Products defined for use during a grace period or as trialware, or
Unlocked Products) are not available for inclusion in entitlements. The process of
generating files containing Provisional Products is a Development task. For additional
information, see "Generating Bundles of Provisional Products" on page 136.
125 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks
Each Product is assigned a locking type when it is defined. The locking type determines the level
of Sentinel LDK protection and the type of Sentinel protection key that can be supplied with the
Product.
The locking type assigned to a Product may determine the type of entitlement that can be
produced:
n Products defined only with the HL locking type can be included in entitlements for
Sentinel HL keys, Product Keys, or for Protection Key Updates.
n Products defined only with the SL AdminMode or SL UserMode locking type can be
included only in entitlements for Product Keys or for Protection Key Updates.
n Products defined with the HL or SL AdminMode or HL or SL AdminMode or SL
UserMode locking type can be included in entitlements for Sentinel HL keys, Product
Keys, or for Protection Key Updates
You cannot add a Product defined only with the HL locking type and another Product defined only
with the SL locking type (whether AdminMode or UserMode) to the same entitlement.
For additional information on locking types, see "Choosing the Protection Level for Your Products"
on page 101.
When a Product is initially defined in Sentinel EMS, the exact license term values for each Feature
can be left unspecified. This enables you to include the same Product in different entitlements
with different license term values.
In this case, the license values must be specified when each entitlement for the Product is
processed.
You may be required to specify one or more of the following license term values for Features
when processing an entitlement:
n The date on which the license expires
n The maximum number of times that the Feature can be used
n The number of days until the license expires
You may also be required to specify the number of concurrent instances for one or more
Features. This value specifies the number of instances of simultaneous usage that the license
allows on the customer’s network. Concurrent instances may relate to the network, processes, or
machines.
An entitlement can be produced only after the license term values have been specified for all the
Features in every Product included in the entitlement.
When a Product is initially defined in Sentinel EMS, memory data can be left unspecified. This
enables you to customize memory data for each Product when defining the entitlement. For
example, customer-specific memory data can be added to the Product when an entitlement is
being processed.
Managing Entitlements 126
When an entitlement for Sentinel HL keys is produced, the ordered Products are programmed
(burned) on one or more Sentinel HL keys to be shipped to the customer. For additional
information on Sentinel HL keys, see "Sentinel HL Keys" on page 37.
When you define the entitlement, you must specify the total number of Sentinel HL keys to be
produced for the entitlement.
An entitlement for Product Keys enables you to produce activation strings for Sentinel protection
keys.
The Products in the entitlement are associated with one or more Sentinel LDK Product Keys. A
Product Key is a string of characters generated by Sentinel EMS and stored in a file for delivery to
the customer.
After the end user receives the Product Key and returns it as proof of purchase, Sentinel EMS
validates the Product Key and produces a Sentinel protection key. The Sentinel protection key is
then sent back with the license terms and installed on the end user’s computer, enabling the
Product to be activated.
When you define an entitlement for Product Keys, you must specify the following information:
n The number of Product Keys to be produced for the entitlement
n The number of activations allowed for each Product Key. This is the number of machines
on which each Product Key can be used.
While it is mandatory to used Product Keys for activation of software locked to Sentinel SL keys,
Product Keys can also optionally be used for activating software that is locked to Sentinel HL keys.
The process of generating files containing Provisional Products is a Development task. For
additional information, see "Generating Bundles of Provisional Products" on page 136.
A Protection Key Update entitlement specifies changes to be made to the license terms, Products,
and/or data stored in Sentinel protection keys that have already been deployed to end users. A
Protection Key Update can be applied remotely to Sentinel HL keys or Sentinel SL keys as follows:
n Using the Sentinel Licensing API by calling the hasp_update function
n By using the Sentinel Remote Update System utility
n (For SL AdminMode keys) By placing the file that contains the update information in the
appropriate directory on the end user's computer.
127 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks
When the Protection Key Update entitlement is produced, a file containing the details of the
changes is generated for each Sentinel protection key to be updated.
This file can be one of the following:
n An executable file (EXE) that can be delivered to end users for use as instructed by your
company
n A Vendor-to-Customer (V2C) file that end users can process using the Sentinel Remote
Update System utility (RUS utility)
For additional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System"
on page 144. For additional information on updating SL AdminMode keys, see "Applying License
Updates to SL AdminMode Keys" on page 135.
When you define a Protection Key Update entitlement, you must specify the total number of
Sentinel protection keys to be updated as a result of this entitlement. You may also need to select
the specific Sentinel protection keys to be updated.
Locating the Sentinel protection keys to Update
When you define an entitlement for Protection Key Update, you may need to select the specific
Sentinel protection keys to be updated. For example, the entitlement may be for an organization
with 100 Sentinel protection keys, and this entitlement is required to update the keys for only 10
specific users.
In Sentinel EMS, you can:
n Display a list of the customer’s Sentinel protection keys
n View the contents of each key
n Select the keys to be updated
You cannot select more Sentinel protection keys than the total number of product keys
specified in the Product Details area in the New Entitlement screen.
After you have specified all the necessary information for an entitlement, you can produce it
immediately or "queue" it to add it to the production queue. The queue is a list of all entitlements
that are awaiting production.
Entitlements in the production queue can be selected for production according to the criteria
determined by your organization.
Managing Entitlements 128
Sentinel EMS enables you to save as "draft" any entitlement that have not been completely
defined, without losing the information that you may have already specified. You can open the
entitlement and continue to define the entitlement details when convenient.
Resulting
User Action Entitlement Description of Status
Status
Create a new entitlement, Draft This status indicates that the entitlement is
click Save OR Re-open an not yet ready for production. The entitlement
entitlement. details can be modified, or the entitlement
can be deleted.
Create a new entitlement or Queued This status indicates that the entitlement is in
edit an existing entitlement, the production queue, awaiting production.
click Queue. The details of a Queued entitlement cannot
be changed. However, it can be deleted.
In an entitlement for Product Product Keys Indicates that Product Keys for one or more
Keys, select one or more Generated Products in the entitlement have been
Products and click Produce. generated. If the entitlement contains
customer information, the customer receives
an email. The email contains the Product
Keys and information on how to log in the
Sentinel EMS Customer Portal and activate
the protection key.
Produced In an entitlement that includes multiple
Product Keys, at least one Product Key has
been used to activate the protected software.
The entitlement contains additional Product
Keys that have not yet been used.
Completed In an entitlement for protection key updates
or for HL keys, the entire entitlement has
been produced. In an entitlement for Product
Keys, all the Product Keys have been used to
activate the protected applications.
Acknowledged The end user has verified that the entitlement
was applied at the customer site.
C2V files can be generated using the Sentinel Remote Update System utility (RUS utility). For
additional information on the RUS utility, see "Chapter 12: Sentinel Remote Update System" on
page 144.
C2V information stored in Sentinel HL keys and in C2V files can be retrieved for use in connection
with Protection Key Update orders.
When a C2V file or Sentinel HL key is received from a customer, you must check in the
information, in order to make the data in the file or key available to Sentinel EMS. The process of
checking in the C2V information stores the data securely in Sentinel EMS, and enables you to view
some of the information.
When you check in a C2V file, you can view the identifying information for the Sentinel protection
key associated with the file, including the Batch Code, ID and key type. You can also view the
Product details contained in the file. When you check in a Sentinel HL key, you can view similar
information.
If you attempt to check in a C2V file for a Sentinel SL key, and Sentinel EMS detects that it
has come from a cloned machine, you will not be able to check the C2V file into the
database. For additional information about dealing with cloned Sentinel SL keys, see
"Protection Against Cloning" on page 113.
You can format a Sentinel HL key to make it available for reuse. The process of formatting a
Sentinel HL key deletes any orders that have been defined for the key but not yet produced. It
also produces a V2C file that contains Protection Key Update information to be applied to the key
using the RUS utility. Applying the Protection Key Update erases all license and memory data
stored in the key.
Scenario: A new customer, ABC Design, orders the SafeNetCAD Office Product from HQ Software
with a license for 20 users.
Since the SafeNetCAD Office Product is defined with Sentinel HL key protection, the details for
this order are defined as follows:
n Customer: ABC Design
n Product: SafeNetCAD Office
n Order type: Sentinel HL keys
n Number of keys: 20
Managing Entitlements 130
When this order is produced, the SafeNetCAD Office Product license is programmed on
20 Sentinel HL keys, which are then shipped to the customer.
Scenario: On March 15, 2007, another customer, JL Optics, orders the SafeNetCAD Home
Product, with a license for use on two computers.
The SafeNetCAD Home Product is defined with Sentinel SL key protection and an annual rental
license. To ensure that the customer enjoys a full year’s licensed use, the expiration date needs to
be specified when the order is placed.
The details for this order are defined as follows:
n Customer: JL Optics
n Product: SafeNetCAD Home
n Expiration date for DRAW and SAVE: March 15, 2008
n Order type: Product Key-based
n Number of Product Keys: 1
n Number of Activations per Product Key: 2
This example assumes that JL Optics has installed and used the SafeNetCAD Home[Trial]
Provisional Product on the two computers before ordering the SafeNetCAD Home
Product. As a result, the Sentinel LDK Run-time Environment for Sentinel SL has already
been initialized on those computers.
When this order is produced, a file is generated containing a Product Key. HQ Software sends this
file to JL Optics by e-mail.
Two end users at JL Optics open the file and enter the Product Key as required on the
HQ Software Web site. The HQ Software customer interface application sends the Product Key to
Sentinel EMS, which validates the Product Key and returns a Sentinel SL key to the customer.
The Sentinel SL key is installed on the two computers at JL Optics with the license information, and
the SafeNetCAD Home Product can be activated under the terms of the license.
Scenario: HQ Software informs ABC Design that a new version of SafeNetCAD Office has been
released, containing the REPORT GENERATOR Feature, and that an upgrade is available for
purchase. ABC Design orders the enhanced Product for five of its 20 users.
HQ Software has defined a Modification Product for the new version, SafeNetCAD Office v.2.0.
This Product is ready for inclusion in customer orders.
Before defining the Protection Key Update order, HQ Software needs to receive C2V files for the
five Sentinel HL keys to be updated. ABC Design uses the RUS utility to generate the required C2V
files and sends them to HQ Software.
131 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks
After the C2V files have been received and checked in, HQ Software defines a Protection Key
Update order for the Modification Product.
The details for this order are defined as follows:
n Customer: ABC Design
n Product: SafenetCAD Office v2.0
n Order type: Protection Key Update
n Number of Sentinel protection keys to be updated: 5.
During the order definition process, the five Sentinel HL keys to be updated are selected from all
the keys issued to ABC Design, according to the C2V files received.
When this order is produced, a V2C file is generated for each selected Sentinel HL key and sent to
the customer.
The selected five end users install the update on their Sentinel HL keys, using the RUS utility. They
are then able to activate the upgraded version of SafeNetCAD Office and to generate tailored
reports.
Producing Entitlements
This section is intended for Sentinel EMS users assigned the Entitlement Manager or Production
role.
On the Entitlements page in Sentinel EMS, you can view the details of all entitlements awaiting
production.
You can perform the following production tasks using the Entitlements page:
Producing Entitlements 132
n Produce Entitlements
n View Entitlements
If you have been assigned both the Entitlement Manager and the Production roles, you
can choose to produce an entitlement immediately after you finish defining it.
While producing any entitlement, you can open the entitlement and view its details.
Sentinel EMS determines which Sentinel HL keys are valid for the entitlement according to a
number of factors, including:
n The license terms defined for the Features in the Products included in the entitlement
n The data defined in memory for each Product
n The space required on the key to accommodate the entitlement
For example, if the license terms for a Product in the entitlement are based on a number of days
or an expiration date, the entitlement can be produced only on Sentinel HL keys with date and
time monitoring capabilities, such as Sentinel HL Time.
Similarly, if the license terms for a Product in the entitlement specify a number of concurrent
instances in a network environment, the entitlement can be produced only on Sentinel HL keys
with network monitoring capabilities, such as Sentinel HL Net.
For additional information about Sentinel HL key types and their capabilities, see "Available
Sentinel protection keys" on page 39.
After the file has been generated, the Product Keys are available for use. If customer information
was provided in the entitlement, an email containing the Product Keys is generated automatically
and sent to the customer. You could also print the Product Keys on the cover of a CD.
A default file location for V2C files may have been specified by the Sentinel LDK
Administrator.
Withdrawing Entitlements
Under certain circumstances, you may need to withdraw an entitlement before it has been
produced, or if it has been only partly produced. For example: If the customer cancels the order
or significantly changes the order requirements.
If the entitlement is not yet in the production queue (Queued status), you can delete it. An
entitlement cannot be deleted after it has been added to the production queue. You can,
however, remove the entitlement from the production queue by reopening it. This changes the
status of the entitlement to Draft.
A Draft entitlement is no longer available for production, but its content are available to view for
reference.
This screen displays the status of the Product Key, including the number of activations remaining.
The customer uses this screen to activate the entitlement as follows:
n If the customer logged in to the Customer Portal from the machine where the license
should be installed, the customer can click Online Activation. Activation of the
entitlement proceeds automatically.
n If the customer did not log in to the Customer Portal from the machine where the license
should be installed, the customer can click Offline Activation. The customer can then
download the RUS utility. The customer uses this utility in order to generate a C2V file and
perform the activation process manually.
The V2C files on a given computer can be found in the following locations:
135 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks
Do not remove or modify these files. If any of these files are removed or modified, the
protection key may become invalid.
Software that has been supplied with a trial license or for a grace period can be activated
after a valid license is purchased, with either a Sentinel HL key or a Sentinel SL key.
For additional information on the purpose and use of Provisional Products, see "Designating
Products for Trial or Grace Period Use" on page 103.
The process of generating a bundle of Provisional Products involves:
n Selecting the Provisional Products to be included in the bundle
n Producing a file containing the Provisional Product license and Vendor library. This file can
be:
o An EXE file containing V2C data
o A V2C file that can be used with the RUS utility. For additional information on the
RUS utility, see "Chapter 12: Sentinel Remote Update System" on page 144.
The output file from this process must be installed on each end user’s computer in order to:
n Create an initial Sentinel LDK Run-time Environment that enables your protected software
to communicate with Sentinel SL keys.
n Enable a trialware or grace period license.
To simplify the installation process at end users’ sites, it is recommended that you generate a
Sentinel LDK Run-time Environment installer executable. You can embed the Run-time
Environment installer in your software setup to create a ready-to-run Sentinel LDK-protected and
licensed application.
To generate a Sentinel LDK Run-time Environment installer executable, you need to specify the
V2C file generated when a Provisional Product bundle is produced. An EXE file containing V2C data
cannot be used to generate a Sentinel LDK Run-time Environment installer.
137 Chapter 10: Sentinel LDK Entitlements, Production, and Development Tasks
You can embed the Sentinel LDK Run-time Environment installer in your software setup to create a
ready-to-run application that is protected and licensed by Sentinel LDK.
You have the option of installing a Locked Product or Detached Product license on the end user
computer. In this case, the Product is never installed as a Provisional Product.
To install Sentinel LDK Run-time Environment on the computer, you generate the Sentinel LDK
Run-time Environment Installer without providing a V2C file. In this case, the installer contains
only the Run-time Environment and the vendor libraries.
For examples of the output file contents, see the Sentinel EMS help system.
Before you export the Features, you must select the required Batch Code, specify the required file
type, and define the name and location for the file.
As your software develops and additional Features are defined, you can use the Export
Definitions function whenever you want to retrieve the data definitions from Sentinel EMS.
Enabling Trial Use and Grace Periods 138
The first part of this chapter is intended for users authorized to perform Sentinel LDK
Administration tasks. It describes how to use Sentinel EMS to define user details, manage
Sentinel LDK licenses and Sentinel Master keys, and configure system settings.
The second part of this chapter is intended for users authorized to perform Sentinel EMS
Customer Services tasks. It describes how to use Sentinel EMS to view and edit customer details,
and to perform manual Product activation for customers.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 7: Introduction to Sentinel EMS" on page 90.
In this chapter:
This chapter provides high-level information on the Administration and Customer Services
processes in Sentinel EMS. For detailed practical instructions for using each function in
Sentinel EMS, see the Sentinel EMS help system.
Administration Tasks
After you first install Sentinel LDK in your organization, you can log in to Sentinel EMS using the
default user name and password (admin) provided for your use by SafeNet. By default, this user is
authorized to perform all tasks in Sentinel EMS, including Administration tasks.
The ‘admin’ administrator details cannot be viewed or modified. Only the password can be
changed.
After logging in to Sentinel EMS the first time, it is recommended that you select the Change
Password function at the top of the screen and change your user password as soon as possible.
To be able to use Sentinel LDK with your company-specific Batch Codes and license, you must first
introduce the Sentinel Master keys provided for your use by SafeNet.
141 Chapter 11: Sentinel LDK Administration and Customer Services
For additional information on Sentinel Vendor keys, see "Personalized Vendor and Batch Codes"
on page 36.
For additional information on introducing Sentinel Master keys, see "Maintaining Sentinel Master
Keys" on page 142.
From time to time, you will need to renew your Sentinel LDK license, or to replenish your pool of
Standalone licenses or Network Seat licenses. You can schedule email notifications to be sent
when it is time to renew or reorder, ensuring you uninterrupted use of Sentinel LDK.
For additional information about the Sentinel Master Key modules, Standalone licenses and
Network seats, see "Appendix A: Understanding the Sentinel LDK Master Key Licenses" on page
232.
For additional information about configuring and scheduling email notifications, refer to the
Sentinel EMS help system.
If you are evaluating Sentinel EMS, you can use the provided DEMOMA Batch Code, which
does not require a Sentinel Master key.
You can now define additional Sentinel LDK users in your organization, including assigning the
users the appropriate roles and authorizing access to Batch Codes. For additional information, see
"Maintaining User Details " on page 141.
Before you start to define Sentinel LDK users, ensure that you have the following information
available for each new user:
n The user name to be assigned to the user for the purpose of logging in to Sentinel LDK
n The password to be assigned to the user
After you have defined a user, you can change any of the user’s details.
Users can change their own passwords. However, if necessary, you can change the password for a
user without knowing the current password. This is useful in the event that the user has lost or
forgotten his/her password.
In certain circumstances, you may want to prevent a user from logging in to Sentinel LDK. If the
user has left the company, for example, or will no longer be using Sentinel LDK, you can delete the
user details.
You can prevent or allow a user to access Sentinel LDK by clearing or selecting the Login Allowed
check box.
n Apply the V2C file returned to you by your SafeNet representative to the Sentinel Master
key. This updates the Master key with the contents of your order.
n Specify Mail Notification properties
For more information on the Sentinel Master key, see "Appendix A: Understanding the
Sentinel LDK Master Key Licenses" on page 232.
Before you can work effectively, you must introduce your Sentinel Master key(s) on the Sentinel
EMS Server machine. The Sentinel Master Wizard is available from the Sentinel Vendor Suite. You
must have a separate Sentinel Master key connected to each machine on which Sentinel EMS is
installed.
You can introduce additional Sentinel Vendor keys—Sentinel Master keys or Sentinel Developer
keys—in order to enable Batch Codes for use with Sentinel LDK applications.
When you introduce a Sentinel Vendor key, you can select the libraries for which you want to
generate APIs.
143 Chapter 11: Sentinel LDK Administration and Customer Services
When you submit an order for an update to your Sentinel LDK Master Key licenses, regardless of
whether it is to renew a license or to replenish your pools of Standalone licenses or Network Seat
licenses, you need to generate a C2V file for the Sentinel Master key that is to be updated. You
then send the C2V to your Sentinel LDK supplier, together with your order. The C2V file contains
encrypted information about the current status of your Sentinel Master key, including its unique
ID.
You can specify who is to receive notifications that your Sentinel LDK Master Key licenses and
pools of Standalone licenses or Network Seat licenses are about to expire. In addition, you can
define the thresholds after which the notifications are sent.
Customer Services
If you have been assigned the Customer Services role, you can manage the list of customers —
you can define customers, change customer details, and mark customers as obsolete.
You can enable or disable a Product key for a customer, or increase the number of activations
available for a Product key.
If a customer is unable for any reason to activate a Product remotely, you can activate the
Product manually for the customer, using the Product Key and a Customer-to-Vendor (C2V) file for
the customer’s Sentinel protection key.
The output of the manual activation process is a Vendor-to-Customer (V2C) file that can be sent to
the customer. You can request that the customer returns a C2V file to confirm that the Product
has been activated.
For additional information on C2V files, see "Processing C2V Information" on page 128.
12
Chapter 12:
Sentinel Remote Update System
This chapter describes the Sentinel Remote Update System utility (RUS utility) and explains how to
use this utility to update license data remotely for deployed Sentinel protection keys.
You can also apply updates to a deployed Sentinel protection key using the Sentinel
Licensing API, by calling the hasp_update function. For additional information, see the
Sentinel Licensing API help system. For SL AdminMode keys, also see "Applying License
Updates to SL AdminMode Keys" on page 135.
In this chapter:
n The RUS utility can be used to transfer (rehost) an SL key from one computer to another
at your customer's site, without any intervention on your part. (An SL key can only be
rehosted if this function was enabled by the vendor when the SL key was generated.)
All Sentinel protection keys except the Sentinel HL Basic key can be updated using RUS
utility.
The RUS utility is an executable utility (rus.exe) that can be distributed to end users with your
software.
It is important that you customize the RUS utility with the Batch Code associated with the
Sentinel protection keys that you produce for your customers, before you distribute the
executable to them. For additional information on Batch Codes, see "Personalized Vendor and
Batch Codes" on page 36.
You can use Sentinel EMS to customize the RUS utility with the required Batch Code, and also to
brand the GUI to display your vendor-specific information to end users. For additional
information, see "Customizing and Branding the RUS utility" on page 138.
RUS Workflow
When you deliver your Products to a customer, you can include a customized version of the RUS
utility with the installation package. You can also include the instructions for using RUS.
(To perform rehost, your customer will require a customized version of the RUS utility.)
When a license update is required, you have the option of either retrieving customer licensing
information from Sentinel EMS, or of requesting that a customer produces and sends you a
Customer-to-Vendor (C2V) file for the Sentinel protection keys to be updated. C2V files have a
.c2v extension and contain information on the licensing and memory content of the
Sentinel protection keys.
When you receive C2V files from a customer, you check them in using Sentinel EMS. For additional
information, see "Processing C2V Information" on page 128.
Regardless of whether you obtain the data from Sentinel EMS or in the form of a C2V file from
your customer, the collected data enables you to produce an update most suited to the
customer’s needs. At no point in this workflow is it necessary to reconfigure security or protection
at the customer’s site.
You define the requested license updates in Sentinel EMS as Protection Key Update orders for
delivery to the customer. For more information on defining Protection Key Update orders, see
"Defining Entitlements" on page 124.
The process of producing a Protection Key Update order generates a file for each
Sentinel protection key to be updated. This can be either a Vendor-to-Customer (V2C) file or an
executable that contains the license update data. For more information on the Protection Key
Update order production process, see "Producing Protection Key Update Entitlements" on page
133.
The output file is then delivered to the end user, who either runs the executable as instructed by
you, or uses the RUS utility to apply the license update data contained in the V2C file.
Using RUS utility 146
If you are using the RUS utility with a Sentinel HL key, (hardware-based key) you must connect the
key before performing either of the following procedures. The RUS utility automatically locates any
Sentinel SL keys (software-based keys) installed on your computer.
You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information on
the current status of the licenses in your Sentinel protection keys. You can then send this file in
order to receive a license update.
147 Chapter 12: Sentinel Remote Update System
You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information on
the computer where you want to install a Sentinel protection key for a protected application. You
can then send this file in order to receive a license update. This procedure would be used if a
Sentinel protection key does not currently exist on the computer.
Applying an Update
You can use the RUS utility to apply an update to the licenses stored in your Sentinel protection
keys.
1. Launch the RUS utility (rus.exe) or double-click the Vendor-to-Customer (V2C) file that you
have received containing the update data.
If you have received an update as an executable, double-click the file and it will
automatically launch RUS utility.
2. Click the Apply License File tab. (This might be the only tab displayed.)
Using RUS utility 148
You can use the RUS utility to transfer a Sentinel protection key from one computer (the source
computer) to another (the recipient computer). This is a three-step procedure that uses the RUS
utility on both computers.
Step 1: Collect Information About the Recipient Computer
After you perform this step, the SL key is no longer available on the source computer. Be
sure to keep a copy of the transfer file until you have completed the transfer procedure.
1. On the recipient computer, in the RUS utility, click the Apply License File tab
2. In the Update File field, click the browse button and locate the license transfer (h2h) file.
3. Click Apply Update. The SL key is installed on the recipient computer.
To ensure the success of the transfer procedure, all the steps in the procedure should be
completed within no more than a few days of the time you first start the process.
13
Chapter 13:
Generating Sentinel LDK Reports
In this chapter:
The Sentinel EMS Reports facility provides you with the ability to produce reports with valuable
business information, based on data in the Sentinel EMS database. With this tool, managers can
obtain data for analyzing how their software is used and the purchasing preferences of their
customers. The information can also be leveraged to maximize revenues from license renewals, to
up-sell existing customers, and turn trial users into buyers.
151 Chapter 13: Generating Sentinel LDK Reports
The Sentinel EMS Reports facility connects directly to the Sentinel EMS database, and generates
reports based on SQL queries. Both predefined and custom (user-defined) reports are available.
The Sentinel EMS Reports facility can present information both in tabular and (where appropriate)
graphical formats, and can export report data in a variety of formats for further processing and
analysis.
The remainder of this chapter provides an overview of features and options available in the
Reports facility.
For detailed information on operating the facility, see the Sentinel EMS help system.
Scheduling Reports
An authorized Sentinel EMS user can generate and view reports on demand. In addition, the user
can define a schedule for generation of each report and a distribution list of people to receive the
report automatically by e-mail each time the report is generated. Both predefined and custom
reports can be scheduled.
Presentation Formats 152
Reports can be scheduled for generation and distribution based on a daily, weekly, or monthly
scheduling definitions. A scheduled report can also be generated and distributed on-demand.
Presentation Formats
All reports are generated in tabular (text-based) format. In addition, where relevant, each report
includes a graphical presentation of the data, in either pie chart or bar chart format.
Export Formats
Each report can be exported from Sentinel EMS or sent to the recipients in the distribution list in
any of the following formats:
n Adobe Acrobat (PDF file)
n Microsoft Word (RTF file)
n Microsoft Excel (XLS file)
n HTML file
n Comma-separated values (CSV file)
Available Reports
The reports listed below are available in the Sentinel EMS Reports facility.
Custom Reports
The Sentinel EMS Reports facility provides you with the capability of defining custom reports. This
enables you to design reports that satisfy the specific business requirements for your
organization.
Custom Reports are defined by creating an SQL query that extracts the specific information you
require from the Sentinel EMS database. For more information, select the Administration >
Custom Reports tab in the Sentinel EMS window.
153 Chapter 13: Generating Sentinel LDK Reports
The Custom Reports facility is licensed separately from Sentinel EMS. To obtain a license to use
the Custom Reports facility, contact your SafeNet representative.
PART 4 - DISTRIBUTING SOFTWARE
In this section:
This chapter introduces options for distributing required software to your end users.
In this chapter:
Protection-related Software
In many instances, the Sentinel LDK Run-time Environment must be installed on the computer of
each end user who will use the protected application so that the application can communicate
with the Sentinel protection key. For information on when the Run-time Environment is required,
see "Protection Keys That Require Sentinel LDK Run-time Environment" on page 158.
There are a number of ways in which the Run-time Environment can be installed. For more
information, see "Distributing Sentinel LDK Run-time Environment" on page 157.
For protected .NET assemblies or Java applications, the following additional files must be
distributed with your protected application:
For Linux applications that were protected using Sentinel LDK Envelope and that run under
Red Hat EL 6.4: The installer for the protected application should determine if libXaw
libraries are present on the end user's computer and, if not, install them.
Sentinel LDK Run-time Environment is always required under the following circumstances:
n When the protected application executes under Mac or Linux.
n When the protected application uses the Data Encryption facility to encrypt and
decrypt data in an external file.
Standalone Licenses
A Standalone license is for a single protected application that executes on the computer where the
protection key is located (no concurrency).
A Network Seat license (Sentinel SL key with concurrency or Sentinel HL Network key) is installed
on a single computer with a Run-time Environment. The protected applications can run on remote
computers in the same network. The table below describes the requirements for the remote
computers where the protected applications execute.
Windows Update
If your end users are running the protected software on Windows XP or later platforms, and can
access the Internet, they simply need to connect a Sentinel protection key on their machines. The
Sentinel LDK Run-time Environment is certified by Microsoft, and is therefore automatically
downloaded from the Microsoft Update site.
When your end users connect a Sentinel protection key:
1. The system informs them that a new component has been detected.
2. The Sentinel LDK Run-time Environment is automatically installed.
3. The LED on the Sentinel protection key lights up, indicating that the installation process is
complete.
The Sentinel LDK Run-time Environment installation is available as a merge module, in the file
haspds.msm . You can use the merge module to seamlessly integrate the Sentinel LDK Run-time
Distributing Sentinel LDK Run-time Environment 160
Environment installation in your MSI installation. Merge modules deliver shared Windows Installer
components, code, files, resources, registry entries and setup logic in a single, composite file.
When integrated with your MSI installer, the haspds.msm merge module copies the haspds_
windows.dll into the Win32 system directory of the end user’s computer. The haspds_
windows.dll is called by the MSI module to install or uninstall the Sentinel LDK Run-time
Environment.
The benefits of using the Sentinel LDK installation merge modules in a single unified MSI installer
include:
n Providing end users with a single, compound file for your application that includes the
Sentinel LDK Run-time Environment installation
n Installation self-repair provided by reusing the MSI installer
A demonstration of the use of the haspds.msm merge module is provided. For more information,
see "Sample Merge Module Installer" on page 161.
Implementation Requirements
Before including the Sentinel LDK merge module in your installer, review the following
requirements:
n The Sentinel LDK merge module require Windows Installer version 2.0 or later.
n To successfully execute the Run-time Environment installation, end users require
administrator rights. Ensure that this is accounted for in your installation scripts.
n Processes that require the Sentinel LDK Run-time Environment should not be active in the
background when installing the Run-time Environment.
n Before validating the WSM module, change the project properties to relate to your
specific development environment.
n If you intend to apply a digital signature to your installer, ensure that you first adjust the
properties in our development environment.
n Before compiling the MSI project, change the path to external files to match your
development environment
Implementation
n Do not alter the versioning data in the default merge module, or the MSI DLL
161 Chapter 14: Distributing Sentinel LDK With Your Software
sample.
n Do not alter any entity in the default merge module.
n When the Run-time Environment is already installed on a target machine:
o If you install a version of haspds_windows.dll that is newer than the
already-installed haspds_windows.dll, the installed DLL will be replaced with
the new one.
o If a new version of haspds_windows.dll is the same as the previous
version, the file timestamp will be compared. If the version of the DLL that
is being installed is equal to or older than the existing haspds_windows.dll,
the DLL will not be replaced.
In any case the haspds_windows.dll will be executed.
A sample MSI installer containing the Sentinel LDK merge module is provided and should be
reviewed before implementing the haspds.msm merge module into your own installer.
The sample installer is a full MSI-installer containing the Sentinel LDK Run-time Environment
installation merge module and the required shared libraries for installing the Run-time
Environment.
The sample installer does the following:
n Verifies that the user has the requisite administrator rights to install the Run-time
Environment
n Stops a running Sentinel License Manager service before the Run-time Environment is
installed, and re-starts the service after the installation is complete.
n Installs or removes Run-time Environment
Before attempting to try the sample installer, review the following requirements:
n Administrator rights are generally required in order to install the Driver sample. However,
it is possible for a restricted user to install the Driver. For more information, see Microsoft
Support Knowledge Base article # 259459 (http://support.microsoft.com/kb/259459/en-
us).
n You must change the resource path to your own environment in the project files (*.wsi,
*.wsm) in order to successfully compile the samples.
You can incorporate a branded DLL into the sample by replacing the name of the demo
DLL with the name of the branded DLL.
Use the Sentinel LDK Run-time Environment installer API to integrate the installation process into
your custom setup application. For additional information, see the separate help file in the
Distributing Sentinel LDK Run-time Environment 162
haspdinst.exe
For a full list of the available switches for the haspdinst.exe utility, see the Sentinel LDK
Installation Guide.
HASPUserSetup.exe
This easy-to-use program has an intuitive GUI-based wizard. After your end users run the file, they
should follow the on-screen instructions to complete the Run-time Environment installation.
The software required to distribute the daemons is provided in the MacOS/Redistribute/ directory
on the Sentinel LDK installation DVD.
Multiple options are available for distributing the Mac daemons to end users. The following two
options are described:
n Installer Distribution Using a Multi-packager
n Installer Scripts
Installation Using a Multi-packager
The installation package can be integrated into any multi-package installer that includes the
installation for your own application. Include the Sentinel Runtime Installer.pkg in the mpkg.
To locate the Sentinel Runtime Installer.pkg:
For additional information, see the welcome.rtf file provided in the MacOS/Redistribute/
directory.
Installer Scripts
Open the Linux/Redistribute/Runtime/script directory. The directory contains dinst (install) and
dunst (uninstall) scripts and the Sentinel LDK Run-time Environment.
You can integrate the scripts in your installer. The scripts are not configurable.
This option is available for Ubuntu, Debian, SUSE, CentOS, and RedHat Linux.
Open the Linux/Redistribute/Runtime directory. The directory contains the Sentinel LDK Run-time
Environment and the following files:
n For Ubuntu or Debian: aksusbd_version_i386.deb
n For RedHat, SUSE or CentOS: aksusbd-version.i386.rpm
15
Chapter 15:
Sentinel Admin Control Center
All of the functionality that is available in Admin Control Center can also be accessed from any
program by calls to the Admin API. For more information, see "Working With Sentinel Admin API"
on page 176.
The Admin License Manager is part of the Run-time Environment. The Run-time
Environment also includes device drivers, data file encryption drivers, and Sentinel Admin
Control Center, which is the user interface for the License Manager. (Installation of the
Run-time Environment on a computer requires admin rights.) The Admin License Manager
can manage all Sentinel HL and Sentinel SL keys, except for SL UserMode keys. (Addition
of management for SL UserMode keys is planned for a future release.)
(Windows only) The Admin License Manager is never used for access to remote keys.
However, when the Sentinel LDK License Manager service is active, the Integrated License
Manager or External License Manager uses the search parameters defined in the Admin
License Manager in order to locate protection keys. The search parameters are specified in
Admin Control Center (Configuration option > Access to Remote License Manager
tabbed page > Specify Search Parameters field).
n Integrated License Manager
(Windows only) The Integrated License Manager is included in all applications that are
protected with Sentinel LDK Envelope. Admin rights are not required. This License
Manager can only handle SL Usermode keys and Sentinel HL Driverless mode keys. The
Integrate License Manager has no user interface.
Sentinel License Manager 166
(Windows only) The External License Manager is similar to the Integrated License
Manager. However, the External License Manager is contained in a standalone file (hasp_
rt.exe). This file is placed by Sentinel LDK Envelope in the same directory as the protected
application. (Your customized Vendor library must also be placed in this directory.) Unlike
the Integrated License Manager, the External License Manager can be upgraded by simply
replacing the haspr_rt.exe file with a later version of the file. Admin rights are not
required. This License Manager can only handle SL Usermode keys and Sentinel HL
Driverless mode keys.
ISVs who choose not to use the Admin-mode Sentinel LDK Run-time Environment
(for example, for reasons of limited end-user permissions) are advised to upgrade to
the External License Manager. The External License Manager, introduced with
Sentinel LDK 7.0, is supported in this release as an alternative to the less-flexible
Integrated License Manager. The Integrated License Manager will be discontinued in
the next Sentinel LDK release, leaving the External License Manager as the only
UserMode License Manager option to be supported in Sentinel LDK. To start using
the External License Manager, simply compile your software with LDK 7.0 Licensing
API libraries and include the file hasp_rt.exe in the same directory as the protected
application.
The table that follows summarizes which type of protection keys are supported by each type of
License Manager.
External Integrated
Type of Protection Key Admin License Manager License License
Manager Manager
Sentinel HL (Driverless Yes Yes Yes
configuration) key
Sentinel HL (HASP configuration) Yes No No
key and HASP HL key
SL AdminMode key Yes No No
SL UserMode key No Yes Yes
SL Legacy key Yes No No
Remote network key Yes Yes Yes
n Features enables you to view a list of the Features that are licensed in each of the
Sentinel protection keys that are currently present on the network, including locally
connected keys. In addition, you can see the conditions of the license, and the current
activity related to each Feature.
n Sessions lists all the sessions of clients on the local machine, and those remotely logged in
to Sentinel License Manager on the local machine. You can view session data and
terminate sessions.
n Update/Attach enables you to update existing licenses on a Sentinel protection key in the
field and, in the case of Sentinel SL keys, to attach a detachable license to a recipient
machine. It also enables you to apply identification details of an offline recipient machine
to a host machine in order to create a file for a detachable license.
n Access Log enables you to view a history of log entries for the server on which
Sentinel License Manager is running.
n Configuration enables you to specify certain operating settings for Sentinel Admin Control
Center running on the connected machine. You can set parameters relating to user
access, access to remote Sentinel License Managers, and access from remote clients. In
addition, you can customize log template files in terms of the data they return.
n Diagnostics enables you to view operating information for the Sentinel License Manager
to which you are currently logged in, to assist in diagnosing problems. You can generate
reports in HTML format. This option also enables you to view miscellaneous data relating
to the use of the server on which Sentinel License Manager is running.
169 Chapter 15: Sentinel Admin Control Center
n Help displays the Sentinel Admin Control Center help system. Context-sensitive help is
available within each of the functions described above, by clicking the Help link at the
bottom of the page.
n About provides information about the version of Sentinel License Manager, and a link to
the SafeNet, Inc. Web site.
n Country Flags enables you to change the language of the user interface by clicking on the
flag of the country appropriate to the language you require. Languages other than English
can be downloaded from the Sentinel Web site.
Administrator’s Workflow
When you first launch Admin Control Center, the utility is pre-configured to run automatically.
However, you may want to customize it to your requirements and to specify users and their
access permissions, and access permissions between remote machines and local servers. Changes
to the configuration of Admin Control Center are made in the Configuration tab of the application.
The basic configuration changes that you can make include:
n Specifying a name for the local machine
n Enabling access from remote machines to the Admin Control Center on this machine
n Setting the display refresh time
n Defining how many rows of data will be displayed on a page
n Specifying the logs that are to be created and their content, and customizing information
that will be displayed in the log
n Setting an Admin password
Configuration Considerations
Before you make certain configuration changes to Admin Control Center, it is recommended that
you consider their implications. This section provides a guide to assist you in this process.
You can specify whether Admin Control Center should create an access log and the data that
should be included in the log file.
Access the Edit Log Parameters page by clicking Edit Log Parameters in the Basic Settings tab of
the Configuration page.
Administrator’s Workflow 170
The Edit Log Parameters page contains two fields. The upper field displays the parameters of the
current template. The Available tags for log field lists all the tags and their descriptions. By
selecting a tag and clicking Add, the tag is appended to the text in the upper field.
The default log parameters are used the first time that Admin Control Center is launched and will
also be used if an empty template is submitted. The default template is:
You can reset your log parameters to the factory default by clicking Set Defaults in the Edit Log
Parameters page. The default log parameters will also be used if there is no data in the upper field
of the Edit Log Template page.
Managing Access to Sentinel License Managers is performed in the Users and Access from Remote
Clients tabs in the Configuration page. The following paragraphs discuss the issues that you need
to consider when setting these parameters.
Users
The user restrictions that you define are evaluated in the order in which they are specified, and
the evaluation process stops when the first match is found. You therefore need to take care that
the restrictions are listed in an order that satisfies this logic.
The value allow=all@all is implicitly added to the end of the list. According to the logic just
described, if this value was at the beginning of the list, all subsequent restriction values would be
ignored.
Additional information about defining restriction values is provided in the Admin Control Center
help system.
Access from Remote Clients
When you define criteria relating to the remote machines that can access Sentinel License
Manager on the current machine, you need to define access restrictions. The remote client access
restrictions that you define are evaluated in the order in which they are specified, and the
evaluation process stops when the first match is found. You therefore need to take care that the
restrictions are listed in an order that satisfies this logic.
The value allow=all is implicitly added to the end of the list. According to the logic just described,
if this value was at the beginning of the list, all subsequent restriction values would be ignored.
Additional information about defining remote client access restriction values is provided in the
Admin Control Center help system.
Accessing Sentinel License Manager Located on a Different Subnet
When a Windows application that is protected with Sentinel LDK v.6.0 or later is located on a
different subnet than Sentinel License Manager and the Sentinel protection key, you must create a
separate configuration file to enable the application to find the License Manager. Create a file
called hasp_vendorID.ini, where vendorID is the Vendor ID associated with your Batch Code (for
the DEMOMA Batch Code, use hasp_demo.ini). Place the file on the same machine as the
protected application, in the following directory:
171 Chapter 15: Sentinel Admin Control Center
For example, for Vendor ID 37517 and a user named test1, create the following file:
n For Windows XP:
C:\Documents and Settings\test1\Local Settings\Application Data\SafeNet
Sentinel\Sentinel LDK\hasp_37517.ini
n For Windows Vista or Windows 7:
C:\Users\test1\AppData\Local\SafeNet Sentinel\Sentinel LDK\hasp_37517.ini
A separate .ini file must be created on the machine for each user of the protected
application.
SERVERADDR = remoteServerAddress
where remoteServerAddress is the IP address or computer name of the remote machine that
contains Sentinel License Manager and the protection key.
The Access to Remote License Manager tab in the Configuration page is used determine which
locations to include when the local Sentinel License Manager searches for remote Sentinel License
Managers.
When you define criteria relating to the machines that may be searched for Sentinel License
Manager, you can choose to:
n Enable a “broadcast” that searches all machines on the local network
n Search the default local group in an IPv6 subnet
n Restrict the search to specific machines. In this case, it is necessary to specify each
machine that may be searched—by specifying either its name or its IP address.
In Sentinel EMS, it is possible to flag network-based licenses for Features in Products that will be
locked to Sentinel SL keys as being detachable. This means that the Product license can be
temporarily detached from a pool of network seats and attached to a remote recipient machine
for a specific period of time. At the end of the detachment period, the license is automatically
restored to the network pool. Prior to the expiration of the license, it is possible to extend its
detachment period, or to cancel the detachment and to return the license to the network pool
early.
You enable or disable the ability to detach licenses in the Detachable License tab of the
Configuration page. You can also specify criteria relating to the number of licenses that can be
detached from the pool of network seats and the maximum period for which the licenses can be
detached. You can specify global settings for all Products, or click the Per-Product Settings button
to customize settings for individual Products. Global settings will also affect any Products for
which individual settings have not been specified.
Diagnostics
The Diagnostics page enables you to view and extract operating information for the
Sentinel License Manager to which you are currently logged in, to assist in diagnosing problems.
You can generate diagnostics reports in HTML format.
Occasionally, it is necessary to create a file containing the machine identity details of a remote
recipient machine. This information is required in order for a host machine to identify which
machine a detachable license will be attached to. The Diagnostics page enables you to create this
file for the local machine on which Admin Control Center is running by using the Create ID File
button.
Additional information about the data provided in the Diagnostics page is available in the Admin
Control Center help system.
o If you are using Windows in a language other than English, locate the directory in
which the common files are stored. (In English Windows, the Common Files folder).
3. Copy hasplm.ini and use it to overwrite hasplm.ini on all the other machines on the
network.
As an alternative to customizing Admin Control Center, you can develop your own
interface to Admin Control Center functionality by using the Sentinel Admin API. For more
information, see "Working With Sentinel Admin API" on page 176.
1. Locate the templates directory inside the Sentinel LDK base directory. The Sentinel LDK
base directory is:
For Windows: ...\Program Files\Common Files\Aladdin Shared\HASP
For Mac: /var/hasplm
For Linux: /etc/hasplm
To determine the precise location of this directory on your system:
o Open Admin Control Center on your local machine (http://127.0.0.1:1947). Under
Administration Options, click Configuration. Read the full path name of hasplm.ini, which
is located at the bottom of the page. The Sentinel LDK base directory is the directory in
which the hasplm.ini file resides.
o If the folder is empty, click Submit. The base path of hasplm.ini is updated at the bottom
of the Configuration page.
Add \SafeNet Sentinel\Sentinel LDK\templates\<your_template_folder_name> to the directory.
For example, using an English version of Windows XP, the full path is
C:\Program Files\Common Files\Aladdin Shared\HASP\templates\<yourTemplateDirectory>
Writing Templates
A template is an ASCII text file (typically HTML, but also XML, CSV, or other possibilities) that
contains place holders (tags) for variables that are inserted by the Sentinel License Manager when
a request is made via HTTP.
In addition, the file may contain block tags that surround a block of text and tags, and generally
iterate a list (of Sentinel protection keys, Features, sessions, or other entities). For example,
{tagname}repeatingblock{/tagname}
The place holders are written as {placeholdername}. For a complete list of available place holder
names, their description and usage, see tagxref.txt in
…\Program Files\SafeNet Sentinel\Sentinel LDK\Docs\Manuals & Tutorials\Admin Control Center Customization\templates.
Customizing Admin Control Center Look and Feel 174
Not all tags work in every context, and some will have different values depending on how they are
used. For example, when {logincount} is used in a global context, it returns the total login count
for the server. When logincount is used inside {devicelist} {/devicelist}, it returns the login
count for the currently selected Sentinel protection key. If logincount is used inside
{featurelist} {/featurelist}, it returns the login count for the currently selected Feature.
A special include tag is available—{#include "filename.ext"}—that will return the contents of a
specific file instead of a value. Includes (included files) must not be nested, and must not include a
path (meaning that included files must reside in the same directory as the template).
If a table displayed in a browser page returns *** illegal tag: xxx ***, the tag is either
unrecognized, or is illegal in the current context.
In JavaScript, {placeholders} are replaced. To use an opening curly bracket {, without it being
replaced or generating an illegal tag error, ensure that a white space (space, CR, LF, or tab)
follows the curly bracket. In this case, it will be passed without modification.
To output something such as {this} without it being parsed, use the HTML notation for a curly
bracket—{this}.
For additional assistance, refer to the sample templates in
…\Program Files\SafeNet Sentinel\Sentinel LDK\Docs\Manuals & Tutorials\Admin Control Center Customization\templates.
This section provides a sample CSV output. Such output is useful for tasks such as importing the
data into spreadsheets or databases.
Using a template such as:
1. Open Admin Control Center in your browser. By default, the application opens at this URL:
http://[servername]:1947/_int_/index.html
2. In the URL, replace _int_ with the name of the custom template you wish to use.
3. Create a shortcut to the address of Admin Control Center with your template.
Using this process, multiple browser windows can use multiple templates simultaneously.
URL Redirections Using HTTP 302
Following is a list of sample URLs to which the browser is redirected when a specific URL is
entered.
Note that you do not require this information for translation or simple layout changes in your
template. However, it is required if you are changing the logic of Admin Control Center (for
example, by adding or removing pages, or merging Admin Control Center functions into another
application).
Working With Sentinel Admin API 176
Sentinel Admin API is incorporated into Sentinel LDK ToolBox. The ToolBox help system includes
descriptions of the API functions and the XML templates required to work with the API.
PART 5 - LICENSING MODELS
In this section:
Introduction
Today’s software industry is more competitive than ever. As with many other industries that once
enjoyed exceptionally high margins, software products are increasingly regarded as commodities,
with resulting deterioration in both revenues and bottom line profits. To counteract these trends,
software publishers and vendors now see the need to change the way they market their products,
to increase the value they offer their customers and to better differentiate their offerings from the
competition.
Licensing is among the most promising approaches for achieving more-competitive, value-based
offerings. Today, software publishers and vendors are seeking ways of moving away from the
traditional model—based on perpetual licenses and printed End User License Agreements—toward
more flexible licensing models. New licensing tactics such as trialware, demoware, module- and
feature-based licensing, rental, subscription, network licensing—and combinations of these—
enable software publishers and vendors to adapt to dynamic markets by offering compelling
products that target broader, more segmented markets.
Sentinel LDK is designed specifically to assist software publishers and vendors in pursuit of more
competitive product offerings. It not only offers the highest possible level of protection—both
against illegal copying and in securing critical intellectual property (IP)—it also enables rapid
implementation of novel licensing and distribution models, without the need for extensive
engineering of product source code. This enables software publishers and vendors to aggressively
extend their market reach and penetration, without negatively impacting their operating margins,
to protect the bottom line.
This section describes a wide range of licensing strategies and models designed to provide end
users with greater value and additional options for purchasing software products. Using
Sentinel LDK’s versatile abilities, these strategies and models can be implemented immediately,
and can serve as the basis for elaboration and for creating new, tailor-made licensing models.
181 Chapter 16: Sentinel LDK Licensing Models: Overview
Sentinel LDK Licensing
Sentinel LDK offers a wide range of options and unprecedented flexibility for making and revising
both licensing and protection strategies. Virtually any licensing model can be created—supported
by the following fundamental Sentinel LDK concepts, technologies and applications:
n Protect Once—Deliver Many—Evolve Often™
The process of protecting software is completely autonomous of marketing and licensing
processes, so that after protection has been implemented, diverse licensed products can be
created without necessitating changes in the code.
n Cross-Locking™
Using Sentinel LDK, the software vendor can choose the device to which the protected
software and license are locked—either to one of the many hardware-based Sentinel HL
keys, or to a specific computer by means of a versatile software-based Sentinel SL key. The
required level of protection, the licensing model, and the manner in which the software will
be accessed and used collectively determine the most appropriate type of
Sentinel protection key. Locking the license to a hardware-based Sentinel HL key provides
the strongest security.
n Sentinel Remote Update System utility (RUS utility)
The RUS utility provides a simple and secure method of remotely updating the licenses on
deployed Sentinel protection keys. Using the RUS utility, software vendors can renew,
extend, revise or revoke a license.
n LicenseOnChip® and UpdateOnChip
When a license is supplied on a hardware-locked Sentinel HL key, the licensing logic is
embedded in the key’s chip, employing Sentinel LDK’s patented LicenseOnChip technology.
This practice ensures that licenses are hardware-secured and effectively tamper-proof.
Likewise, license updates are authenticated in the key’s chip.
n Role-based licensing application
Sentinel EMS is a role-based application in which access to each type of task is restricted to
authorized personnel. Restricted access provides separation of business activities from order
creation, license manufacture and customer follow-up.
n Versatile Implementation
Software protection can be implemented using the GUI-driven Sentinel LDK Envelope, the
Sentinel Licensing API, or a combination of both. The considerations for choosing a
protection method are provided in "Determining the Best Protection and Licensing
Method" on page 182.
n Detachable Licenses
A detachable license is available for Products that are locked to Sentinel SL keys in a
network environment. Such a license can be temporarily detached from the network pool
for use on a remote recipient machine for a defined period.
Sentinel LDK Licensing 182
To enhance the security of your application, when you choose an API-based protection
method, it is recommended that you also protect your application with Sentinel LDK
Envelope. You can do this using a dedicated Feature ID or with Feature ID 0, which is not
linked to a specific license.
For additional information, see "Chapter 8: Preparing Your Sentinel LDK Licensing Plan " on page
98.
This section provides an outline of how to use Sentinel LDK to implement the described
licensing models. For detailed instructions on how to protect and license your software,
refer to earlier sections in this book and to the integral help system included in each of the
Sentinel LDK applications.
Trialware
Sentinel LDK Creates a time-limited, software-based trialware license
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
Trialware is fully functional software that is made available for a limited time period (currently for
any period between 1 and 90 days) as a marketing tool. The software is protected with a software-
based license, so that it can be distributed both electronically—for example, via a Web site, and
on media such as a CD.
The time-limited trialware license does not use a dedicated Sentinel protection key and does not
require activation during the trial period. The license is linked to the machine on which the
trialware is installed. After the time period expires, the software can no longer run on that
machine. However, it can be installed on other machines, creating a super-distribution mechanism
when the trialware is referred to others.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create a Provisional Product in Sentinel EMS, including the Feature IDs you defined.
n Distribute your trialware with Sentinel LDK Run-time Environment.
n When a fully licensed product is purchased, provide the end user with the appropriate
Sentinel protection key programmed with the license.
187 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Description
The time-limited evaluation software is distributed, protected with a Sentinel HL key for maximum
security. Due to the extra cost of providing software with a hardware-based Sentinel HL key, this
evaluation method is suitable for high-end software or for software with a high evaluation-to-
purchase conversion rate.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create the evaluation Product in Sentinel EMS and define the expiration date for each
Feature ID included in the Product.
n Distribute the evaluation software with a Sentinel HL key programmed with the license.
n Create the licensed Product in Sentinel EMS and define the required licensing terms for
each Feature ID included in the Product.
n When a fully licensed product is purchased, update the Sentinel HL key using the RUS
utility.
Evaluation Licensing Models 188
Execution-limited Evaluation
Sentinel LDK Manages the maximum number of software executions
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create the evaluation Product in Sentinel EMS and define the permitted number of
executions for each Feature ID included in the Product.
n Distribute the evaluation software with a Sentinel protection key programmed with the
license.
n Create the licensed Product in Sentinel EMS, defining the licensing terms for each
Feature ID included in the Product.
n When the end user purchases a fully licensed product, update the Sentinel protection key
using the RUS utility.
189 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Demoware
Sentinel LDK Functionality Manages active and inactive software functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description
The demo version of the software is limited to a subset of the functions provided in the fully
licensed product. Demoware can be distributed either with a Sentinel SL key (for example via a
Web site or on a demo CD), or with the superior protection of a Sentinel HL key.
Demoware provides prospective end users with limited software functionality, at no charge. Even
if the end user does not subsequently purchase the software, the demoware is not discarded,
serving as a constant reminder that more powerful functionality can be purchased, with your
brand name at the forefront.
When distributing the demoware with a Sentinel HL key, the type of key provided must be
compatible with the licensing model that will subsequently be applied to the paid license.
For example, if the paid license is a rental license, a Sentinel HL Time or Sentinel HLL
NetTime key must be used.
Implementation
n Select the software functions that you want to license separately, and determine by which
Feature ID they will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create two Products in Sentinel EMS:
o The demoware Product, including only those Feature IDs that are designated for
the demoware. Define a Permanent license for these Features.
o The fully licensed Product, including the full set of Feature IDs. Define the required
license terms for these Features.
n Envelope your software for additional security (optional).
n Distribute the demoware.
n When the end user purchases the software, send a Sentinel protection key programmed
with the full license.
Component-based Licensing Models 190
Module-based (Suites)
Sentinel LDK Functionality Manages licensing of individual executables
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
Each module (executable file) is licensed separately. Assorted software can be bundled into a suite,
including software from other software vendors. The license for the entire suite is supplied on a
single Sentinel protection key.
Implementation
n Select the executable files that you want to license separately, and determine by which
Feature ID they will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create one or more Products.
b. Include the required Feature IDs in each Product.
c. Define the appropriate license terms for each Feature—for example, the number of
executions, expiration date or concurrency.
n Distribute your software suite with the appropriate Sentinel protection key programmed
with the license.
Component-based Licensing Models 192
Feature-based
Sentinel LDK Manages licensing of separate functional components
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description
Implementation
n Select the software functions that you want to license separately, and determine by which
Feature ID they will be identified.
n In your code, insert a Sentinel Licensing API Login call to each Feature ID.
n In Sentinel EMS:
a. Create one or more Products.
b. Include the required Feature IDs in each Product.
c. Define the appropriate license terms for each Feature—for example, number of
executions, expiration date or concurrency.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
193 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Time-limited Rental
Sentinel LDK Functionality Manages the time period over which your software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The end user pre-pays a fee for a specific period of time, either for a predetermined number of
days or terminating on a pre-determined expiration date.
End users can monitor the remaining time using Sentinel Admin Control Center, and can order a
license renewal before the license expires. License renewal is implemented using the RUS utility.
You can also specify a licensing period that is shorter than one day, as described in "Micro-
rental" on page 196
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define either an
expiration date or the number of days until expiration.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Renew the license remotely using the RUS utility.
195 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Phased Rental
Sentinel LDK Functionality Manages the time period over which your software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The end user pays a monthly fee, with a phased pricing structure, which can be associated with an
entire product or a specific functionality. The transition from one phase to another is
implemented using the RUS utility.
n Phase 1: A fraction of the regular usage price is charged (micro-payment) for a limited
period of time. This provides an incentive for the end user to enter into a rental
agreement for use of the software. If payment is not received for Phase 2, the license
expires at the end of the defined time period.
n Phase 2: The full monthly rental price is charged, for an indefinite time period.
Implementation
n Select the executable file or software functions that you want to license, and determine by
which Feature ID each file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
To set the time limit for a specific functionality, apply API-based automatic
implementation. To set the time limit for an executable file, apply either Sentinel LDK
Envelope-based or Sentinel Licensing API-based automatic implementation.
n In Sentinel EMS, create a Product that includes the Feature ID and define an expiration
date or the number of days until expiration of Phase 1.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Subject to receiving payment for Phase 2 from the user, extend the license remotely using
the RUS utility.
Metered Licensing Models 196
Micro-rental
Sentinel LDK Manages the time period over which your software can be used
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n Sentinel SL
Protection Method API-based automatic implementation
Description
The end user purchases a predefined number of “usage hours.” When the hours are consumed, a
new package of hours is purchased.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine what constitutes “active” for the purpose of counting usage and define this in
your code, for example:
o Your software window is focused and activity is detected.
o Your software is active, performing calculations, even if the window is not focused.
n In Sentinel EMS, in the Protection Key memory, define the total number of software
activity hours that has been purchased.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
a. Calculate the accumulated active time.
b. Write the result to the Protection Key memory.
c. Verify that the accumulated time has not exceeded the number of purchased
hours.
d. When the number of purchased hours is about to expire, display a warning
message.
n When payment is received for additional usage, renew the license remotely using the RUS
utility.
197 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Subscription
Sentinel LDK Functionality Creates an unconditional license that can be updated remotely
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The end user pays a monthly subscription fee that covers the initial software package plus
periodical updates. If the end user does not renew the subscription, the basic package and all paid
updates remain the property of the end user. New updates are not provided.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select the protection method for your software:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID for your initial software and
define a perpetual license for the Feature.
n Create a component in your software that manages the installation of software updates,
and assign it a Feature ID. Select and implement your protection method for that
component (Sentinel LDK Envelope or Sentinel Licensing API-based).
n In Sentinel EMS, create a Product that includes the Feature ID for the update-installation
component and define an expiration date for that Feature.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n During the subscription period, use the RUS utility to send updates to the subscriber. The
updates are handled by the update-installation component in your software. Optionally,
use Sentinel LDK to encrypt the update files so that the Sentinel protection key is required
to decrypt them.
n Continue sending updates as long as the end user’s subscription is valid.
Metered Licensing Models 198
n When the end user renews the subscription, use the RUS utility to update the expiration
date for the update-installation component’s license.
199 Chapter 17: Sentinel LDK Licensing Models: Description of Models
The end user purchases a predefined number of “usage units”. Differential charging is calculated
according to the hour of the day or the day of the week in which your software is used. When
your software is used at peak demand time, more “usage units” are consumed than at low
demand time. This type of license might be applicable in an environment such as a learning
facility, in order to encourage students to use resources at low demand time.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine what constitutes “active” for the purpose of calculating usage and define this
in your code, for example:
o Your software window is focused and activity is detected.
o Your software is active, performing calculations, even if the window is not focused.
n In Sentinel EMS, in the Protection Key memory, define the total number of “usage units”
that has been purchased and the pricing structure (number of “usage units” for each time
unit and each rate).
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
a. Calculate the accumulated active time for each separate rate.
b. Calculate the total number of “usage units” consumed.
c. Write the result to the Protection Key memory.
d. Verify that the accumulated consumption has not exceeded the total number of
“usage units” defined in the Protection Key memory.
e. When the “usage units” are about to expire, display a warning message.
Metered Licensing Models 200
n Using the RUS utility, replenish the pool of “usage units” when the license is renewed.
201 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Time-based Overdraft
Sentinel LDK Functionality Manages the time period over which software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n Sentinel SL
Protection Method API-based automatic implementation
Description
A differential pricing structure is implemented, in which a nominal price is charged for use of your
software until a defined expiration date. Following expiration, a higher price may be charged for a
limited period, to enable the end user to continue using your software until the license is
renewed.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define either an
expiration date or the number of days until expiration. Include both the regular usage
period and the overdraft period in the time that you define.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
o Calculate the time period.
o When the regular usage period terminates, display a message informing the end
user that the usage is now subject to overdraft terms and state the expiration date
of the overdraft period.
o When the end user renews the license, billing includes payment for the overdraft
usage in addition to the license renewal.
o After payment has been received, renew the license remotely using the RUS utility.
Metered Licensing Models 202
Standard Counter
Sentinel LDK Functionality Manages the maximum number of software executions
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The end user purchases a predefined number of software executions, which can be defined for
your software or for specific functionality. A counter-based license might appeal to end users who
use your software or a software functionality sporadically, and prefer to pay only when they
actually run your software or use the functionality.
End users can monitor the remaining executions using Sentinel Admin Control Center, and can
order a license renewal before the license expires. The license renewal is implemented using the
RUS utility.
Implementation
n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define the number of
executions.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Renew the license remotely using the RUS utility.
203 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Phased Counter
Sentinel LDK Functionality Manages the maximum number of software executions
Software Distribution Method n Physical package
n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The end user purchases a predefined number of software executions, which can be associated
with all of your software or a specific functionality. The pricing structure is phased, and the
transition from one phase to another is implemented using the RUS utility.
n Phase 1: For a limited number of executions, the end user pays a fraction of the regular
usage price (micro-payment). This provides an incentive for the end user to start
purchasing executions. If payment is not received for Phase 2, the license expires when
these executions have been consumed.
n Phase 2: The end user pays the regular price for each software execution.
Implementation
n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define the number of
executions included in Phase 1.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Subject to receiving payment for Phase 2 from the end user, replenish the number of
executions remotely using the RUS utility.
Metered Licensing Models 204
Capacity (CPU/Memory/Disk)
Sentinel LDK Functionality Manages resource usage
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description
License consumption depends on utilization of resources—for example, CPU usage or disk space.
The more resources the end user consumes, the sooner the license runs out. This type of license
might be applicable in an environment such as a learning facility, in order to limit the resources
consumed by students.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine the parameters for calculating software usage, and define them in your code,
for example:
o CPU activity related to your software.
o Disk space usage each time a file is saved from your software.
n In Sentinel EMS, create a Product that includes the Feature ID and define the license
terms—for instance, a perpetual license or a time-limited license.
n In Sentinel EMS, in the Protection Key memory, define the capacity that has been
purchased.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API:
a. Calculate the accumulated usage.
b. Write the result to the Protection Key memory.
c. Verify that the accumulated usage has not exceeded the purchased capacity.
d. When purchased capacity has almost expired, display a warning message.
n When payment is received for additional usage, renew the license remotely using the RUS
utility.
205 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Machine-locked
Sentinel LDK Creates an activation key that is locked to a specific machine
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
The license can only be used on the machine on which it was installed. A machine-locked license
can be combined with any of the licensing models in this guide.
Implementation 1—Locking to a Sentinel SL key
This model is applicable when a Sentinel SL key provides sufficient security for your needs.
n Select and implement the required licensing model.
n Distribute your software using a Sentinel SL key. Sentinel SL keys are always locked to a
specific machine.
Implementation 2—Combined locking to both a Sentinel SL key and a Sentinel HL key
This model is applicable when you want to lock your software to a Sentinel HL key for enhanced
security, and also wants to use a Sentinel SL key to lock your software to a specific machine. The
Sentinel SL key will require remote activation.
n Select the executable file that you want to license, and determine two Feature IDs by
which it will be identified. One Feature ID will be used to lock the license to the Sentinel HL
key, and the other to lock the license to the Sentinel SL key and the machine.
n Select your protection method:
o For combined Envelope-based and API-based automatic implementation
Protect the executable file using Sentinel LDK Envelope , specifying one of the
Feature IDs. In your code, insert a Sentinel Licensing API Login call to other
Feature ID.
o For API-based automatic implementation
In your code, insert Sentinel Licensing API Login calls to both Feature IDs.
n In Sentinel EMS, create two Products, one for each Feature ID. Define the license terms for
both Products—for example, a counter-based license or a time-limited license.
n Burn a Sentinel HL key for one of the Products and create a Sentinel SL Product Key for
the other Product.
n Distribute your software with both Sentinel protection keys.
207 Chapter 17: Sentinel LDK Licensing Models: Description of Models
This model is applicable when you want to lock the license to both a machine and a Sentinel HL
key—but for security reasons, the end user will not be able to activate a Sentinel SL key online.
This implementation requires a utility to be written that will collect the required identifiers from
the machine before or during installation of your software, and subsequently every time your
software is run. The initial identifiers are saved in the Read-only memory of the protection key,
and the run-time identifiers are written to the Read/Write memory on the Sentinel HL key and
validated against the initial identifiers.
It is recommended that you contact SafeNet Sentinel Professional Services for a detailed
implementation plan.
User-locked
Sentinel LDK Compares end user data saved in the Protection Key memory with a
Functionality value collected during run-time
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description
The license can only be run by a specific logged-in end user. A user-locked license ensures that
only an entitled end user can activate your software. This model can be particularly useful when
your software resides on a server, or is activated by a remote end user. A user-locked license can
be combined with any of the licensing models in this guide.
Implementation
Select and implement the required licensing model, and distribute your software with the
appropriate Sentinel protection key programmed with the license.
There are two ways to lock the key to a specific end user:
n Option 1: Predefined locking
Identification is based on the login user name defined in the operating system. Predefined
locking enables a number of authorized end users to access your software residing on a
single machine.
n When a license is purchased, request the login user name of the end user for whom
the license is intended.
n Use Sentinel EMS to save the user name to the Read-Only memory of a
Sentinel protection key.
Locked License Models 208
n During run-time, read the user name from the machine, and use the Sentinel Licensing
API to validate it against the user name saved on the Sentinel protection key.
n Option 2: Password locking
During installation, the end user defines a user name and password, which are later
required in order to log in to your software. Password locking is less convenient for an end
user, but provides extra security. When a Sentinel HL key is used, your software can be
installed on more than one computer, but can only be accessed when the Sentinel HL key is
connected.
n During installation, request the end user to define a user name and password.
n Use the Sentinel Licensing API to save the data to the Read/Write memory on the
Sentinel HL key.
n During run-time, require the end user to log in, and validate the user name and
password against the data saved on the Sentinel protection key.
209 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Portable
Sentinel LDK Functionality Locks the license to a hardware-based Sentinel HL key
Software Distribution Physical package
Method
Applicable Key Types All Sentinel HL keys
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
Your software can be installed on any number of machines, providing flexibility, but can only run
on the machine to which the Sentinel HL key is connected.
Implementation
Commuter
Sentinel LDK Enables a network-based license to be detached to a separate machine
Functionality while locked to a Sentinel SL key
Software Electronic distribution
Distribution Method
Applicable Key Types Sentinel SL Net
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
n Select and implement the network concurrency licensing model, ensuring that the license
can be locked to a Sentinel SL key and that detachable licenses are enabled.
n Distribute your software with a Sentinel SL key, ensuring that the system administrator at
your end-user site knows how to permit and manage detachable licenses.
n If the employee requires the detached license for less time than originally planned, the
license can be manually returned to the network pool before its expiration date.
Mobile License Models 212
Software on a Key
Sentinel LDK Functionality Locks the license to a Sentinel HL Drive key that also contains your
software
Software Distribution Physical package
Method
Applicable Key Types Sentinel HL Drive
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
Both your software and the license are stored on a Sentinel HL Drive key, providing maximal
mobility. The Sentinel HL Drive key contains 2 GB or 4 GB of flash memory in addition to the
license data memory, enabling all of your software to reside on the key. This method is applicable
for software that can be run from an external key without necessitating installation on a hard disk.
This method can be applied to all license models for which a hardware-based key is used, except
those requiring Sentinel HL Time, Sentinel HL NetTime or Sentinel HL Net keys.
Implementation
Description
A concurrency-limited network license limits the number of end users concurrently accessing the
licensed application in a network environment, preventing additional activations and unintentional
piracy if the maximum number of allowed concurrent licenses has been reached. The same license
can be used by more than one end user or workstation, so long as the total number of users
remains within the concurrency limit.
Sentinel Admin Control Center provides the end users’ system administrator with the tools to
track license users, and to terminate an inactive session.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID the
file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the license type as
Perpetual.
b. Set the concurrency counter to the required maximum number of concurrent
licenses, and determine whether concurrent instances will be counted for each
station, each login or each process.
Tip:
You can specify the number and type of concurrent instances each time a
specific order is created. This enables you to use the same Product to produce
more than one license, each with a different number of seats.
n Distribute your software with a Sentinel protection key programmed with the license.
215 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Description
A combined concurrency- and time-limited network license restricts both the number of end users
concurrently accessing the licensed application in a network environment and the period during
which the license is valid. The same license can be used by more than one end user or machine,
so long as the total number of users remains within the concurrency limit.
Sentinel Admin Control Center provides the end user’s system administrator with the tools to
track license users, and to terminate an unused session.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the expiration date or
number of days until expiration.
b. Set the concurrency counter to the required maximum number of concurrent
licenses, and determine whether concurrent instances will be counted for each
station, each login or each process.
Tip
You can specify the number and type of concurrent instances each time a
specific order is created. This enables you to use the same Product to produce
more than one license, each with a different number of seats.
Description
A combined concurrency- and execution-limited network license restricts both the number of end
users concurrently accessing the licensed application in a network environment and the total
number of executions for each license. The same license can be used by more than one end user
or machine, so long as the total number of users remains within the concurrency limit. The
number of executions is calculated across the network, regardless of which end user runs your
software or on which machine it is run.
Sentinel Admin Control Center provides the end users’ system administrator with the tools to
track license users, and to terminate an unused session.
Implementation
n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the maximum number of
executions.
b. Set the concurrency counter to the required number of concurrent licenses, and
determine whether the concurrent instances will be counted for each station, each
login or each process.
217 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Volume
Sentinel LDK Functionality Enables a network-based license to be detached to a separate
machine while locked to a Sentinel SL key
Software Distribution Electronic distribution
Method
Applicable Key Types Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
A volume license enables you to sell a pool of licenses to an organization, without requiring
product activation on every machine, while still enforcing the maximum number of installed
workstations.
A license can be temporarily detached from the network pool to enable off-line use of your
software. In this case, a client machine periodically detaches a time-limited license at predefined
intervals—transparently to the end user. The license is installed locally and remains usable even if
the network connectivity is lost, as long as the detachment is still valid.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that contains the Feature ID used in the protection
phase of the implementation. Ensure that the license terms enable network concurrency,
locking to a Sentinel SL key, and detachable licenses.
n Distribute your software with a Sentinel SL key for network use, ensuring that the system
administrator at your end-user site knows how to permit and manage detachable
licenses.
n Using the Sentinel Licensing API, implement the license’s detachment in the protected
application. You may wish to let the customer organization decide the detached license
period and renewal intervals.
219 Chapter 17: Sentinel LDK Licensing Models: Description of Models
Site
Sentinel LDK Functionality Locks the license to a specific domain, network, or subnet
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description
A site license is a license that is locked to a specific domain, network, or subnet. A site license can
be combined with any of the licensing models in this guide.
Implementation
Description
Locking a license to a Sentinel HL key provides a higher level of security than locking to a
Sentinel SL key, but delivery of the Sentinel HL key to an end user can take time. This model
enables you to electronically supply your software with a quick-delivery license locked to a
Sentinel SL (software) key (“KickStart license”) as soon as an order is processed. For increased
protection, you may choose to limit some software functions in the KickStart license.
The KickStart license can be used as part of a two-phased sales model:
n Phase 1: The end user purchases your software, and a 30-day KickStart license with
limited functionality is supplied electronically.
The KickStart license can be defined for any period between 1 and 90 days.
n Phase 2: The Sentinel HL key, programmed with the full license (the “final” license), is
delivered within 30 days. The end user replaces the KickStart license with the full license,
using the RUS utility.
The KickStart license also serves as a super-distribution mechanism, since it will run for the grace
period on any computer on which it is installed.
Implementation
n Determine which global Feature ID you will use for the KickStart license.
n Select the software functions that you want to include only in the full license, and
determine by which Feature IDs each function will be identified.
n Select a protection method and do one of the following:
For Envelope-based automatic implementation:
n Determine which global Feature ID you will use for the full license.
n Create two executable files, one with limited functionality for the KickStart license, and the
other with full functionality for the full license.
n Envelope each executable file separately, using the global Feature IDs you defined for the
KickStart and full licenses respectively.
Sales Boosting Licensing Models 222
n In your code, insert a Sentinel Licensing API Login call to the global Feature ID for the
KickStart license.
n In your code, for each software function you want to include only in the full license, insert
Sentinel Licensing API Login calls to the appropriate Feature IDs.
In Sentinel EMS:
n Create a Product that includes the global Feature ID for the KickStart license.
n Select the Provisional product attribute.
n Distribute your software with Sentinel LDK Run-time Environment. Your software can run
for a grace period of 30 days and can be installed on any other computer, for a 30-day
period, as a super-distribution mechanism.
In Sentinel EMS:
If the full license is based on a metered licensing model, metering will commence only
when the full license is activated and not during the grace period.
n Distribute your software with a Sentinel protection key programmed with the full license.
Referral-based Sales
Sentinel LDK Functionality Creates a provisional Product that allows for unrestricted
distribution of the protected software
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description
A bonus mechanism that encourages end users to serve as “promoters” for software they find
useful. When an end user refers software to someone and a purchase is made based on that
referral, you give a bonus to the referrer.
This model requires the creation of two vendor mechanisms:
n User data collection mechanism—You maintain an end-user database in which registered
software owners (referrers) are linked to potential users to whom the software was
referred (referees). Data for the database can be sent to you by either the referrer or the
223 Chapter 17: Sentinel LDK Licensing Models: Description of Models
referee, using a variety of data collection mechanisms. For example, data can be collected
via a form displayed during software activation or on a Web site.
n Bonus-granting mechanism—When the software is purchased, your end-user database is
queried. If the purchase was made as the result of a referral, the referrer receives a bonus
from you.
The following implementation guidelines describe how to set up the referral-based sales model,
based on:
n Using trialware as the evaluation mechanism.
n Distributing the purchased software with a software-based Sentinel SL key.
n Collecting information from the referee during software activation.
Implementation
This is a typical implementation, however, the referral-based sales model can also be
applied to other licensing models, including those models that use a hardware-based
Sentinel HL key.
Sales Boosting Licensing Models 224
Description
When an end user purchases a subset of software modules, the sales staff is often requested to
follow up the purchase and to interest the user in additional modules. With Sentinel LDK, your
software can serve as its own automatic sales agent, providing the end user with the ability to
work with additional modules and encouraging purchase of any modules that are identified as
being of interest to the end user. This model consists of a number of phases:
n Phase 1: The end user purchases a subset of software modules. You supply a license that
includes the option to install additional bonus modules so that the user can experiment
with them.
n Phase 2: The end user uses your software, including the bonus modules. Behind the
scenes, your software monitors and evaluates usage of the bonus modules.
n Phase 3: Once the usage threshold of a monitored module has been reached, the module
is considered “of value” and Sentinel LDK progressively restricts usage of that module.
Concurrently, the Automatic Sales Agent comes into effect, issuing pop-up messages
encouraging the end user to purchase the module.
n Phase 4: When an end user purchases a license for an additional module, the license is
seamlessly upgraded at the end-user site, using the RUS utility, and the relevant bonus
modules are changed to fully paid modules.
Implementation
n Determine which Feature ID you will use for global protection of your software.
n Select the modules that you want to license separately, and determine by which
Feature ID each of the modules will be identified.
n In your code, insert Sentinel Licensing API Login calls to all Feature IDs.
n In Sentinel EMS, create a Product that includes only the global software Feature ID and
define the license terms.
n Determine the parameters for gauging module usage, and define them in your code, for
example:
o The number of times a monitored module has been activated during a time period
o The accumulated usage time of a monitored module
o The number of clicks on an item in the user interface
225 Chapter 17: Sentinel LDK Licensing Models: Description of Models
The traditional perpetual, unlimited licensing model can serve as a basis for other, more creative
marketing strategies, for example:
n Your software is initially supplied with a perpetual license. The end user purchases
additional modules as required.
n The initial release is supplied with a perpetual license. More sophisticated licensing models
are implemented with future releases.
n A limited license (“bronze”) is converted to a perpetual license (“gold”) for additional
payment.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define a perpetual
license for the Feature.
n Use the RUS utility to update a license currently held by the end user with the new
license.
Perpetual Licensing Models 228
An unlocked license is different from all other license types. Your application is protected against
disassembly and modification, but the license is not locked to a specific computer, and no
licensing restrictions are applied.
This type of license is applicable for any of the following situations:
n Licensing is not an issue. For example, you are distributing medical equipment with
embedded software. Since the software is specific to your equipment, you are not
concerned about the possibility of duplication of the software.
n You want to use a licensing system other than Sentinel LDK.
n You want to distribute the software as a Provisional Product with no time limit. For
example, you may want to allow users to access basic functionality as long as they want,
with the option to buy an upgrade later to access advanced functionality.
Implementation
n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Provisional Product (Perpetual) that includes the Feature IDs
that you want to include in the unlocked license.
PART 6 - APPENDICES
In this section:
n Trialware module
n Unlocked Licenses module
The components that you purchase depend on your specific requirements and whether you have
an in-house Sentinel EMS installation, or you utilize Sentinel Managed Services.
To view information regarding your Master key in Sentinel EMS, see "Maintaining Sentinel
Master Keys" on page 142.
In this appendix:
Licensing Concepts
In the descriptions of the Master Key licenses model, the following concepts are used:
n Provisional Product: A Product that can be used as trialware, or during a grace period.
Provisional Products do not require a locking type, since they can be activated and used
for a limited period without a Sentinel protection key. Provisional Products have a
maximum time period of 90 days.
n Unlocked License: A license that does not lock a protected application to a specific
machine and does not impose any licensing restrictions on the use of the protected
application. With this license type, the vendor can use Sentinel LDK to protect the
application, but can use a different mechanism to license the application (or can impose
no license restrictions on the application).
n Activation: The process in which a Sentinel LDK Provisional SL key is converted to a
locked, computer-specific license. Following Activation, the protected software can be
used on the end user's computer according to the licenses that were installed during the
Activation process.
n Concurrency: A licensing attribute that can be specified to allow a single protection key on
a computer in a network to be used by one or more instances of a protected application
running on different computers in the network.
Concurrency is defined separately for each Feature in a Product.
Each instance of the protected application that can be used simultaneously is referred to
as a network seat (or a floating license).
Network seats are not assigned to specific users. Instead, the concurrency attributes
specify how many instances (network seats) of the Feature in protected application can be
used simultaneously within the customer’s network. The customer purchases a specific
number (or an unlimited number) of network seats.
For example: A customer purchases 10 network seats for the Basic Feature and 5 network
seats for the Advanced Tools Feature for a protected application. As a result, 10 end users
can run the application and use the Basic Feature simultaneously. 5 of these users can
also use the Advanced Tools Feature simultaneously. All the users must be part of the
network where the protection key is located.
For more information about concurrency, see "Specifying the License Terms for Features in
a Product" on page 114.
Activation Module License 234
Standalone Licenses
Each time a Product Key for your software is submitted by an end user, their Provisional license
for your software is converted to a locked, machine-specific license, and one Standalone License is
consumed. End users can submit a Product Key online, or they can request and receive an
activation file to apply manually.
To use this activation functionality, you may need to purchase a pool of Standalone Licenses. (This
depends on the nature of your purchase plan or subscription plan for Sentinel LDK.)
When the Standalone Licenses pool is low, you purchase additional Standalone Licenses (if
required by your plan). You can configure Sentinel EMS to send notifications when the pool
reaches a predefined threshold, to ensure that you never run out of Standalone Licenses for your
software. For additional information about configuring notifications, refer to the Sentinel EMS help
system.
You do not require a pool of Standalone Licenses if you do not intend to create activation files for
Sentinel SL keys.
How Activations and Updates Are Deducted from the Standalone Licenses Pool
The following actions cause Sentinel LDK to deduct Standalone Licenses from your Master key:
n A provisional SL protection key is activated on an end user's computer.
n An HL or SL protection key is updated (either online or offline) using a Product Key.
n The end user activates an SL protection key more than once using the same Product Key
(from an order that was already applied to the key). This would typically occur when end
users reformat their hard drive and reinstall the software.
n The end user activates an SL protection key more than once using another Product Key
that was created by the same order.
n The end user activates a base license that updates read-only or read-write memory in a
protection key.
235 Appendix A: Understanding the Sentinel LDK Master Key Licenses
The following actions do not cause Sentinel LDK to deduct Standalone Licenses from your Master
key:
n The Vendor issues a regular Protection Key update using a V2C file, without using the
Product Key option.
n Activation of a Product Key order that contains only Products that have concurrency
enabled. (Only the network seats pool will have seats deducted.)
Additional Information
n When you purchase Standalone Licenses, SafeNet adds an extra 10% to the number of
Standalone Licenses provided, to compensate for situations in which a Standalone License
should not have been deducted from your Master key. (For example, if a customer’s hard
disk drive fails and the customer must reinstall the software on a new disk drive or a
different computer, you may choose to provide an additional activation even though the
customer did not purchase a second license.)
n If there are no Standalone Licenses remaining in your Master key, you will not be able to
perform an activation (if your purchase plan or subscription plan requires that you
purchase Standalone Licenses).
Network Seats
Network seats are required to enable users to run your software concurrently in a network
environment. When you enter an order for your customer: For each Feature in the Product, you
specify whether concurrency is enabled for that Feature, and the number of instances (network
seats) that are supported.
To enable concurrency for Features, you may need to purchase network seats for your Master
key (if required by your purchase plan or subscription plan). Each time a customer activates your
software, the number of concurrent instances that you included in the Product is deducted from
the network seats on your Master key. If a Product contains a number of Features that have
different concurrency attributes, and the number of network seats that are provided for the
Features differs, the total number of seats deducted from your Master key is that of the Feature
with the highest number of seats.
When the number of network seats remaining on your Master key is low, you replenish it by
purchasing additional network seats (if required by your plan). You can configure Sentinel EMS to
send notifications when the number of seats remaining reaches a predefined threshold, to ensure
that you never run out of network seats for your software.
You do not require network seats on your Master key if you do not intend to enable concurrency
for Sentinel SL keys.
Although performing an activation locks the license to the computer in the network on
which Sentinel License Manager is located, in the event that only ‘network” licenses (that
is, licenses that contain a concurrency value) are included in the order, only the seats pool
will be decremented. The activations pool will not be decremented.
Network Seats 236
How New Activations and Update of Your Software Affect the Pool
When your protected application is first activated at the customer site, Sentinel LDK examines
which Feature in the Product contains the greatest number of concurrency instances. The number
of concurrent instances defined in that Feature is deducted from network seats pool. (The
concurrency in all other Features is ignored.)
For the Sample Product in the graph below, the customer purchased as follows:
n For the Print Feature: 12 network seats
n For the Save Feature: 5 network seats
n For the Export Feature: 6 network seats
The Print Feature has the greatest number of concurrent instances. Therefore, when the Product
is activated, 12 network seats are deducted from the pool.
Later, the customer decided to purchase additional network seats or additional Features in the
protected application. For the sample Product in the graph below, the customer purchased as
follows:
n For the Print Feature: 3 network seats
n For the Save Feature: 11 network seats
n For the Export Feature: 5 network seats
n For the Reports Feature: 13 network seats
When you fulfil the order, Sentinel LDK calculates the number of seats to deduct from your
network seats pool as follows:
1. Sentinel LDK determines which Feature had the greatest number of seats until now—in this
case, the Print Feature with 12 seats.
2. The number of additional seats required for each Feature for the update order is added to
the original number of seats that the customer purchased. The chart above indicates the
total number of seats that the customer now has.
3. Sentinel LDK determines which Feature now has the greatest number of seats—in this case,
the Save Feature with 16 seats.
4. The number of seats for the Print Feature that the customer had already purchased is
deducted from the new total number of seats for the Save Feature (16 total seats - 12
already-purchased seats = 4).
5. The remainder (4) is the number of seats that is deducted from the network seats pool.
The customer purchased 13 seats for the Reports Feature in the update. However, the Save
Feature has the highest accumulated number of seats. Therefore, only the Save Feature is
considered when Sentinel LDK calculates the number of seats to deduct from the network seats
pool.
Additional Information
n When you purchase seats, SafeNet adds an extra 10% to the number of seats provided, to
compensate for situations in which you reduce the number of seats at a customer site, or
cancel a license on a computer on which Sentinel License Manager is located in order to
activate on a different computer.
n If you specify the concurrency value for a license as “unlimited” (for example, to create a
“site” license), Sentinel LDK deducts from your seat pool the number of seats specified in
the Unlimited Concurrency license type (also referred to as Value of Unlimited Seats) on
your Sentinel Master key. This is typically 100 seats.
n If the terms of a license include both an activation and concurrency, both the activations
pool and the seats pool are decremented.
n If there are not enough seats in your seats pool, your customer will not be able to
perform an activation (if seats are required by your plan).
the application must, at the end of the grace period (typically 30 to 90 days), decide to purchase a
license for the application or be blocked from using the application.
Creating Provisional Products is an optional part of the process of protecting software with
Sentinel SL protection keys.
A vendor who only distributes software protected by Sentinel HL keys can also take advantage of
the benefits provided by creating and distributing trialware.
Vendors must purchase the Trialware Module license separately from SafeNet in order to create
Provisional Products. The Trialware Module license is typically issued for a specific amount of time.
The ability to create and distribute Provisional Products is also included in the Sentinel LDK –
Demo and Starter packs. Vendors who want to experiment with Sentinel LDK can learn first-hand
about Provisional Products.
The ability to define, generate and view custom reports is included in the Sentinel License
Development Kit – Demo and Starter. Vendors who are experimenting with Sentinel LDK can learn
first-hand about the Custom Reports facility.
For information on the Reporting facility, see "Chapter 13: Generating Sentinel LDK Reports" on
page 150.
B
Appendix B:
Sentinel LDK Run-time Network
Activity
This appendix describes the type of network activity that occurs in the communication between:
n an application (protected using Sentinel LDK) and the local Sentinel License Manager
(referred to as “local communications”).
n the local Sentinel License Manager and one or more remote Sentinel License Managers
(referred to as “remote communications”).
Details regarding local communications and remote communications are provided on the pages
that follow.
This chapter is intended to assist IT managers who want to understand how run-time activity on
the network may impact the way they set up their network rules and policies.
Sentinel LDK communicates via TCP and UDP on socket 1947.This socket is IANA-registered
exclusively for this purpose.
In this appendix:
Local Communications
This section describes communication between a protected application and the local
Sentinel License Manager service.
A protected application communicates only with Sentinel License Manager on the computer where
the application is running, regardless of whether the Sentinel HL or SL Key is located on the same
computer or on a remote computer.
Sentinel License Manager service opens socket 1947 for listening (both for UDP packets and TCP
packets).
n IPv4 sockets are always opened (Sentinel License Manager currently does not work
without IPv4 installed).
n IPv6 sockets are opened if IPv6 is available.
Remote Communications
This section describes communication between the local Sentinel License Manager service and a
remote Sentinel License Manager service.
This type of communication occurs when the protected application is running on a different
computer from the computer where the Sentinel protection key is installed.
The protected application communicates only with the local Sentinel License Manager on the
computer where the application is running, as described in "Local Communications" on page 241.
The local Sentinel License Manager discovers and communicates with the License Manager on the
computer containing the Sentinel protection key using one of the following methods:
n The local Sentinel License Manager issues a UDP broadcast to local subnets on port 1947
using:
o IPv4 (always)
o IPv6 (if available)
You can disable this broadcast by clearing the Broadcast Search for Remote Licenses check
box in the Admin Control Center Configuration screen.
n The local Sentinel License Manager issues a UDP “ping” packet to port 1947 for all
addresses specified in the Admin Control Center field Specify Search Parameters. These
addresses may be individual machine addresses or broadcast addresses.
All Sentinel License Managers found by the discovery process are then connected via TCP port
1947, using IPv4 or IPv6 as detected during discovery, and data regarding the remote
Sentinel protection keys are transferred.
This discovery process is repeated at certain intervals. (The interval size depending on a number of
factors, but it is generally not less than five minutes.)
UDP packets sent and received in the discovery process contain the Sentinel License Manager
GUID (40 bytes of payload data).
When starting or stopping a Sentinel License Manager, and when adding or removing a
Sentinel protection key, a UDP notification packet is sent, containing the Sentinel License Manager
243 Appendix B: Sentinel LDK Run-time Network Activity
GUID and a description of the changes encountered. This is done to allow other Sentinel License
Managers to update their data before the next scheduled discovery process.
TCP packets between two Sentinel License Managers on different computers use HTTP with base-
64 encoded data in the body section.
C
Appendix C: Maximum Number of
Features in a Sentinel HL Key
Each Sentinel HL key can contain a certain maximum number of Features, depending on:
n the type of HL key
n the complexity of the license type defined in each Feature
n the number of Products among which the Features are distributed.
For example, a Sentinel HL Max (HASP configuration) key can contain as follows:
This appendix describes the techniques employed by Sentinel LDK to prevent unauthorized use of
protected software when the physical or virtual machine on which the software is installed is
cloned.
This topic is only relevant for software protected with a Sentinel SL key. Software that is protected
by a Sentinel HL key is not vulnerable to machine cloning.
For more information on protecting software against cloning, see "Protection Against Cloning" on
page 113.
Overview
One of the methods sometimes employed to enable the illegitimate use of licensed software is
machine cloning. Machine cloning involves copying the entire image of one machine (including
your software and its legitimate license) and duplicating it to one or more other machines. If there
is no way to detect that the new image is running on different hardware than that on which it was
originally installed, multiple instances of the software are available even though only a single
license was purchased.
When clone detection is enabled for a Product in Sentinel LDK, the Run-time Environment checks
for cloning using the criteria described in this appendix. If cloning is detected, Sentinel LDK disables
the license. As a result, the end user is unable to operate the software for which a cloned license
has been detected.
This appendix describes the criteria that are built in to Sentinel LDK for clone detection on physical
and virtual machines.
on the computer and is also returned to the Vendor in the C2V file. At the Vendor site, the
fingerprint is stored as part of the license information in the Sentinel EMS database.
Each time the end user starts the protected software, the Sentinel LDK Run-time Environment
creates a new fingerprint of the computer and compares it to the fingerprint stored in the secure
storage.
If the new and stored fingerprints are identical, Sentinel LDK Run-time Environment allows the
protected software to operate.
If either the hard drive serial number or the motherboard ID does not match the characteristics in
the fingerprint in the secure storage, Sentinel LDK Run-time Environment still allows the protected
software to operate. Sentinel LDK recognizes that situations occur where an end user has a
legitimate reason for replacing one of these components in the user’s computer. This policy
possibly enables a user to operate protected software on a cloned computer. However, this policy
also frees the Vendor from dealing with numerous support calls from users who have replaced a
component in their computer. Such calls would otherwise generate costly support cases for the
Vendor’s customer support organization.
If both the hard drive serial number and the motherboard ID do not match the characteristics in
the fingerprint of the license, Sentinel LDK regards computer as a clone and prevents the
protected software from operating.(See the table that follows.)
Comparison Results
Characteristics Hard drive serial Identical Different Identical Different
Compared number
Motherboard ID Identical Identical Different Different
Sentinel LDK Behavior: launched launched launched launched disabled
The software is...
CPU Characteristics
In desktop/workstation environments such as VMware workstation or VMware player, the
desktop virtualization software does not expose the ability to virtualize the CPU. This increases the
difficulty for a user to bypass the protection by attempting to create a virtual copy of the source
computer. A number of CPU characteristics are available for inclusion in the virtual machine
fingerprint, including: processor make, model and speed.
Due to the large number of different processors available in the market, the likelihood of two
different desktop computers having completely identical CPU characteristics is low.
In centrally managed virtual infrastructures (also called server based virtualization), hardware
clusters can be virtualized. In this environment, the virtual infrastructure does not always utilize a
single, fixed set of physical hardware resources. Instead, it utilizes a shared pool of resources. For
the most common types of clustered environments, where live migration capabilities are typically
required, a requirement usually exists for different hosts in the cluster to have identical CPU
characteristics. Solutions such as VMware vCenter Server provide the ability to enable CPU
masking to improve compatibility for the high availability and fault tolerance virtualization
features. CPU masking allows host machines with different CPU characteristics to be used in the
cluster, while providing common (masked) CPU characteristics across all hosts in the cluster.
Therefore the CPU characteristics do not change when virtual machine migrates across the hosts
in a cluster. This enables licensed applications to continue working when migrated from one host
to another within a cluster. However, this type of environment is restricted to a limited subset of
CPU types. In addition, the migration can only be performed when the target computer contains
physical CPU whose capabilities match or exceed the characteristics of the virtual CPU.
software from running on most popular virtual machines by clearing the Virtual Machine check
box in the Define License Terms dialog box in Sentinel EMS.
However, when checking the fingerprint for cloning, Sentinel LDK examines all of these
characteristics. If one (or more) of these characteristics does not match the characteristics in the
fingerprint of the license, Sentinel LDK prevents the protected software from operating. Thus, the
combination of these parameters in the fingerprint provides protection against cloning. (See the
table that follows.)
Comparison Results
Characteristics Virtual MAC Identical Different Identical or Identical
Compared Address Different or
CPU Identical Identical or Different Different
Characteristics Different
UUID Identical Identical or Different
Different
Sentinel LDK launched disabled disabled disabled
Behavior:
The software is...
In a typical business environment (where computers in a given location are on the same network),
the requirement for a unique virtual MAC address make cloning impractical.
For server virtualization, or virtualized cluster where the cluster is typically managed by the
virtualized management solution (such as VMware vCenter), UUID acts as additional deterrent to
running a cloned virtual image.
For computers on different networks or computers that are not networked, the likelihood of a
cloned virtual machine sharing identical CPU characteristics with the original virtual machine is low.
The method employed by Sentinel LDK to protect against cloning of virtual machines is effective
for all types of virtual machine software commonly used by organizations.
E
Appendix E:
How Sentinel LDK Protects Time-
based Licenses Locked to
Sentinel SL Keys
This appendix describes the technology used in Sentinel LDK to prevent a user from extending the
duration of a software license that is locked to a Sentinel SL key by adjusting the computer’s
system clock.
Software that is used in conjunction with Sentinel SL keys is locked to the machine on which it is
activated. The expiration period or date is initially calculated according to the system clock of the
machine.
Sentinel License Manager reads the system time at Sentinel License Manager startup (by default,
part of the machine startup). It subsequently uses its internal running time to calculate the time.
When new software that is protected with a Sentinel SL key is executed for the first time,
Sentinel License Manager queries its internal clock to determine the start time of the software’s
license duration.
n If the license duration is a fixed period (for example, 30 days or 1 year), Sentinel License
Manager calculates the actual date on which the license must stop working and the
information is stored in the secure storage area of the Sentinel SL key.
n If the license is to expire on a specific date, Sentinel License Manager records that date.
To prepare Provisional Products for distribution, you must first create a "bundle" that will be
installed together with the protected applications. This bundle consists of:
n a V2C file containing the Provisional Product licenses
n your Vendor libraries
n a customized Run-time Environment installer
The customized Run-time Environment installer installs the Sentinel Run-time Environment and
your Vendor libraries, and applies the Provisional Product licenses to the Sentinel protection key .
You typically prepare a bundle using Sentinel EMS (see "Generating Bundles of Provisional
Products" on page 136). However, you have the option to write an installer that performs the
bundling process.
To perform the bundling process manually, the program that installs the protected application
should also do the following:
1. Install the Sentinel LDK Run-time Environment. Several methods exist to accomplish this.
For more information, see Distributing Sentinel LDK Run-time Environment.
2. Install your customized Vendor library. The file haspvlib_vendorID.dll can be found on the
computer where Sentinel Vendor Suite is installed, in the path:
%CommonProgramFiles%\SafeNet Sentinel\Sentinel LDK\
Your installation procedure must place a copy of this DLL file in the identical path on the
computer where the protected application is installed.
3. Apply the V2C file that contains the provisional licenses. To do this, call the function hasp_
update. This function is part of the Sentinel Licensing API.
G
Appendix G: How to Optimize
Performance for Sentinel LDK Run-
time Environment
SL-UserMode License
The presence of an SL-UserMode license in a protection key on the end user’s computer increases
the time required for the first login/get_info operation performed for a protected application,
even if the license is not required for that application. Therefore, do not place an SL-UserMode
license on a computer unless that license type is required.
Run-time Environment
For best performance, ensure that when the Run-time Environment is required, the Run-time
Environment on the end user’s computer is the most current. In addition, the Run-time
Environment provides better performance after it has been active for at least three minutes.
Sentinel HL (HASP configuration) Net keys and NetTime keys that were previously delivered to
customers can be upgraded to Sentinel HL (Driverless configuration) keys in the field. In Driverless
configuration, these keys will employ HID drivers instead of HASP key drivers. (HID drivers are an
integral part of the operating system.) As a result, these keys are less subject to issues related to
operating system upgrades. All of the licenses and key memory that existed in the Sentinel HL
(HASP configuration) key will continue to exist in the key after the upgrade.
An application that is protected with version 6.3 or 6.4 of Sentinel LDK, Licensing API
libraries and/or Envelope will work correctly after the Sentinel HL (HASP configuration) key
that licenses the application is upgraded to the Driverless configuration. However, the
requirement for the Run-time Environment will not change.
The tables that follow summarize the requirements for working with HL keys.
Standalone HL Keys
Wa r ning
A n applic ation that is pr ote c te d w ith ve r sion 6 .1 or e ar lie r of Se ntine l L DK
libr ar ie s, L ic e nsing A P I libr ar ie s and/or E nve lope w ill stop w or king if the
Se ntine l HL (HA SP c onfigur ation) ke y that lic e nse s the applic ation is upgr ade d
to the Dr ive r le ss c onfigur ation.
Th e u p gr ad e p r o c e ss fo r th e Se n tin e l HL ke y is n o t r e v e r sib le .
258
When you burn the entitlement for a Product to a Sentinel HL key, the Product name is not
necessarily visible in Sentinel Admin Control Center on the machine where the Sentinel HL is
connected by the end user. The Product name is visible if one of the following actions is
performed:
n You send a V2C file containing an update for the Product. After the user applies the V2C
file, the Product name will be visible in Sentinel Admin Control Center as long as the
Sentinel HL key is connected to the same machine. (If the user moves the key to a
different machine, the Product name will not be visible on the new machine.)
n You export Product names from Sentinel EMS to an XML file, and place the file on the end
user’s machine.
To export Product names from Sentinel EMS to the end user’s machine:
1. From the Developer menu in Sentinel EMS, click Export Catalog Definitions.
2. In the resulting screen, select the appropriate Batch Code. For Export File Type, select XML
format.
3. Click Export. The file vendorID.xml is saved.
4. On the end user’s machine, do the following:
a. Stop the Sentinel LDK License Manager service. (This must be done before you
perform the next step.)
b. Place the vendorID.xml file in the directory:
n Copy the vendorID.xml file from the source machine to the target machine using the
procedure in step 4 above.
J
Appendix J:
Troubleshooting
The first part of this appendix provides a checklist to help you solve some of the most common
problems that your customers might encounter when using the Sentinel HL keys. The second part
lists specific problems you or your customers may experience, together with the solutions.
Sentinel HL keys conform to the highest standards of quality assurance. However, like any other
PC peripheral device, a Sentinel HL key might not operate on certain PC configurations because of
faulty equipment or improper installation. This appendix can help you in such a situation.
In addition to the information in this appendix, you can access the Sentinel Knowledge Base at:
www.safenet-inc.com/technicalsupport.aspx
The Knowledge Base contains a comprehensive listing of solutions to general and specific
problems.
To avoid potential difficulties, ensure you are using current Sentinel LDK software versions.
Contact your local SafeNet representative for the latest updates, or visit the SafeNet downloads
page at:
www.sentinelcustomer.safenet-inc.com/sentineldownloads/
Checklist
If a customer reports a problem, check the following:
n What the returned error code or message says. For additional information, see the status
codes in the Licensing API help system.
n Whether a Sentinel HL key is connected correctly to the USB port.
n Whether your customer’s hardware or the operating system indicates technical
malfunction, such as device manager collisions, system events, bootlog failures, or other
issues.
n Whether Sentinel Admin Control Center can access the Sentinel HL key.
n Whether the problem occurs when the protected application runs on another PC of the
same model.
263 Appendix J: Troubleshooting
Problem You receive an error message when using haspdinst.exe to install the Sentinel HL key
driver under Windows 2000/XP/2003/Vista.
Solution Review the haspdinst.exe installation instructions. Alternatively, try to install the
drivers using the HASPUserSetup.exe. For additional information, see the Sentinel LDK
Installation Guide.
after a few seconds. If the LED lights, the application should be able to access
the key.
n The required Sentinel HL key drivers are not installed. If you are running
Sentinel LDK on a Windows platform, check for an entry for Sentinel LDK in the
Device Manager utility. If there is no entry, you must install the drivers using
one of the methods in the Sentinel LDK Installation Guide.
n Check if the USB port is functioning correctly. Disconnect all other USB devices
from their respective ports. Connect the Sentinel HL key to a different USB port.
Try using a different USB device in the port from which the Sentinel HL key was
not accessible.
n Open the Windows Services window and check that Sentinel License Manager is
running.
n Check that the Batch Code on the Sentinel HL key matches the Batch Code of
Problem The application takes a long time to find the Sentinel protection key on a large
network.
Solution It is recommended that you customize the search mechanism. Use Admin Control
Center configuration to specify a search criteria, and to define the server addresses to
be searched. By doing so, the Admin Control Center searches for the Sentinel
Problems and Solutions 264
Problem You receive an error message indicating that Sentinel License Manager was not found.
Solution The error message might be for one of the following reasons:
n Sentinel License Manager was not loaded. Try restarting Sentinel License
protection key is located. If you repeatedly receive the error message, try using
a different search mechanism.
Problem You cannot add files when using the Sentinel LDK Data Encryption utility.
Solution The problem may occur for one of the following reasons:
n You are attempting to add a list that includes problematic files. Remove all
in Sentinel Envelope. You must protect your software again using the new file
filter settings.
n For additional information, see "Chapter 6: Working with the Sentinel LDK Data
Problem When using Sentinel LDK Data Encryption utility, you receive a message that no data
filters were defined for a program in a Sentinel Envelope project.
Solution The problem cannot be solved using the Data Encryption utility. You need to use
Sentinel LDK Envelope to protect your software again, and to specify file filter settings.
K
Glossary
Activation counter Licensing element indicating the number of times a Feature, licensed
using Sentinel LDK, can be run
AES Advanced Encryption Standard (AES) algorithm that is the basis for
the Sentinel LDK encryption and decryption
Anti-debugging Measures applied by the Sentinel LDK system to block potential
attacks intended to undermine the protection scheme
API samples Sample applications that utilize the Sentinel Licensing API. A learning
tool used for implementing the Sentinel Licensing API.
Background checks Random checks executed by protected applications for a required
Sentinel protection key
Backward compatibility Ability to share data or commands with applications protected with
earlier versions. Sentinel LDK backward compatibility includes the
ability to read and write data, set real-time clocks, and process other
‘legacy' commands.
Base Product An original Product that has been created from scratch from which
other Products may be created. All Modification Products, Provisional
Products and Cancellation Products are created from Base Products.
Batch Code Unique character string that represents a Vendor Code. Used in
defining Features, Products and orders. It is also used for ordering
Sentinel protection keys. With Sentinel HL keys, the code is printed
on the Sentinel HL key label.
C2V file Customer-to-Vendor file. A file sent by the customer to the vendor,
containing data about deployed Sentinel protection keys or data
about the customer's computer.
Cancellation Product A Product that cancels the licensing details of another Product. Can
be used to revoke a deployed license, or to remove a license from a
specified computer so that it can be transferred to another
computer.
Customer Portal A Web portal in Sentinel EMS that can be accessed by customers
Cross-locking Indicates that protection can be applied to both Sentinel HL and
Sentinel SL keys
Data Encryption utility Utility for protecting data files that are accessed by programs
protected by Sentinel LDK Envelope
267 Glossary
V
V2C
data in EXE 127
default file location 133
file for Provisional Products 136
generating files 127, 133, 145
input to Runtime Environment 137
launching files 138
processing with RUS 127, 133
Vendor-to-Customer file
See V2C 127
Vendor Code
about 36
extracting 52
Master Wizard 52
Vendor ID 270
Vendor keys
Developer key 37