Sentinel LDK - v.7.

4
Software Licensing and Protection Guide
2 Sentinel LDK Software Licensing and Protection Guide

Revision History

Part number 007-012168-001, Rev A

Copyrights and Trademarks

Copyright © 2015 SafeNet, Inc. All rights reserved.

HARDLOCK, HASP, SENTINEL, SUPERPRO and ULTRAPRO are registered trademarks of SafeNet, Inc.
and/or its subsidiaries and may not be used without written permission.
All other trademarks are property of their respective owners.

Disclaimer

We have attempted to make this document complete, accurate, and useful, but we cannot
guarantee it to be perfect. When we discover errors or omissions, or they are brought to our
attention, we endeavor to correct them in succeeding releases of the product. SafeNet, Inc. is not
responsible for any direct or indirect damages or loss of business resulting from inaccuracies or
omissions contained herein. The specifications contained in this document are subject to change
without notice.
September 2015 Revision 1509-2
 3

SAFENET SENTINEL LDK PRODUCT END USER LICENSE AGREEMENT

IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE
CONTENTS OF THE PACKAGE AND/OR BEFORE DOWNLOADING OR INSTALLING THE SOFTWARE
PRODUCT. ALL ORDERS FOR AND USE OF THE SENTINEL® LDK PRODUCTS (including without
limitation, the Developer's Kit, libraries, utilities, diskettes, CD_ROM, DVD, Sentinel keys, the
software component of SafeNet Sentinel LDK and the Sentinel LDK Software Protection and
Licensing Guide) (hereinafter “Product”) SUPPLIED BY SAFENET, INC., (or any of its affiliates - either
of them referred to as “SAFENET”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONS
SET FORTH IN THIS AGREEMENT.
BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR BY DOWNLOADING THE
SOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE SOFTWARE ON YOUR COMPUTER
AND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING THIS AGREEMENT AND AGREEING TO BE
BOUND BY ITS TERMS AND CONDITIONS.
IF YOU DO NOT AGREE TO THIS AGREEMENT OR ARE NOT WILLING TO BE BOUND BY IT, DO NOT
OPEN THE PACKAGE AND/OR DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (at least
within 7 days from the date you received this package) RETURN THE PRODUCTS TO SAFENET, ERASE
THE SOFTWARE, AND ANY PART THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN ANY
MANNER WHATSOEVER.

This Agreement has 3 sections:

Section I applies if you are downloading or using the Product free of charge for evaluation
purposes only.
Section II applies if you have purchased or have been otherwise granted by SafeNet a license to
use the Product.
Section III applies to all grants of license.

1. SECTION I - TERMS APPLICABLE TO GRANT OF EVALUATION LICENSE

License Grant. SafeNet hereby grants to you, and you accept, a nonexclusive license to use the Product in machine-
readable, object code form only, free of charge, for the purpose of evaluating whether to purchase an ongoing license
to the Product and only as authorized in this License Agreement. The evaluation period is limited to the maximum
amount of days specified in your applicable evaluation package. You may use the Product, during the evaluation period,
in the manner described in Section III below under “Extent of Grant.”.

DISCLAIMER OF WARRANTY. The Product is provided on an “AS IS” basis, without warranty of
any kind. IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTION AND
MERCHANTABILITY SHALL NOT APPLY. SOME JURISDICTIONS DO NOT ALLOW EXCLUSIONS OF AN
IMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHER
LEGAL RIGHTS THAT VARY BY JURISDICTION. The entire risk as to the quality and performance of
the Product is borne by you. This disclaimer of warranty constitutes an essential part of the
agreement.
If you initially acquired a copy of the Product without purchasing a license and you
wish to purchase a license, contact SafeNet or any SafeNet representative.

2. SECTION II - APPLICABLE TERMS WHEN GRANTED A LICENSE

4 Sentinel LDK Software Licensing and Protection Guide

License Grant. Subject to your payment of the license fees applicable to the type and amount of licenses purchased by you
and set forth in your applicable purchase order, SafeNet hereby grants to you, and you accept, a personal,
nonexclusive and fully revocable limited License to use the Software (as such term is defined in Section III hereunder, in
the Intellectual Property subsection), in executable form only, as described in the Software accompanying user
documentation and only according to the terms of this Agreement: (i) you may install the Software and use it on
computers located in your place of business, as described in SafeNet's related documentation; (ii) you may merge and
link the Software into your computer programs for the sole purpose described in the Sentinel LDK Software Protection
and Licensing Guide; however, any portion of the Software merged into another computer program shall be deemed
as derivative work and will continue to be subject to the terms of this Agreement; and (iii) you are permitted to make a
reasonable number of copies of the Software solely for backup purposes. The Software shall not be used for any other
purposes.

Sub-Licensing. After merging the Software in your computer program(s) according to the License
Grant section above, you may sub-license, pursuant to the terms of this Agreement, the merged
Software and resell the hardware components of the Product, which you purchased from SafeNet,
if applicable, to distributors and/or users. Preceding such a sale and sub-licensing, you shall make
sure that your contracts with any of your distributors and/or end users (and their contracts with
their customers) shall contain warranties, disclaimers, limitation of liability, and license terms
which are no less protective of SafeNet's rights than such equivalent provisions contained herein.
In addition, you shall make it abundantly clear to your distributors and/or end users, that SafeNet
is not and shall not, under any circumstances, be responsible or liable in any way for the software
and software licenses contained in your computer programs which you merge with the SafeNet
Software and distribute to your distributors and/or end users, including, without limitation, with
respect to extending license terms and providing maintenance for any software elements and/or
computer programs which are not the SafeNet Software. SafeNet expressly disclaims any
responsibility and liability with respect to any computer programs, software elements, and/or
hardware elements which are not and do not form part of the SafeNet product.
Limited Warranty. SafeNet warrants, for your benefit alone, that (i) the Software, when and as
delivered to you, and for a period of three (3) months after the date of delivery to you, will
perform in substantial compliance with the Sentinel LDK Software Protection and Licensing Guide,
provided that it is used on the computer hardware and with the operating system for which it was
designed; and (ii) that the Sentinel HL key and microSD card, for a period of twenty four (24)
months after the date of delivery to you, will be substantially free from significant defects in
materials and workmanship. You may enable or disable certain features when applying the
Sentinel LDK protection software by changing settings in the Sentinel LDK tools in accordance with
the Sentinel LDK Software Protection and Licensing Guide; HOWEVER, IT IS IMPORTANT TO NOTE
THAT WHEN ENABLING OR DISABLING SOME FEATURES YOU MIGHT REDUCE THE LEVEL OF
PROTECTION PROVIDED BY THE SOFTWARE.
Warranty Disclaimer. SAFENET DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEET
YOUR REQUIREMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TO
THE EXTENT ALLOWED BY LAW, SAFENET EXPRESSLY DISCLAIMS ALL EXPRESS WARRANTIES NOT
STATED HERE AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO SAFENET'S
DEALER, DISTRIBUTOR, RESELLER, AGENT OR EMPLOYEE IS AUTHORIZED TO MAKE ANY
MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. If any modifications are made
to the Software or to any other part of the Product by you; if the media, the Sentinel key or the
microSD card is subjected to accident, abuse, or improper use; or if you violate any of the terms
of this Agreement, then the warranty in Section 2.3 above, shall immediately be terminated. The
warranty shall not apply if the Software is used on or in conjunction with hardware or program
 5

other than the unmodified version of hardware and program with which the Software was
designed to be used as described in the Sentinel LDK Software Protection and Licensing Guide. The
limited warranty does not cover any damage to the microSD card that results from improper
installation, accident, abuse, misuse, natural disaster, insufficient or excessive electrical supply,
abnormal mechanical or environmental conditions, or any unauthorized disassembly, repair or
modification. This limited warranty shall not apply if: (i) the microSD card was not used in
accordance with any accompanying instructions, or (ii) the product was not used for its intended
function. This limited warranty also does not apply to any microSD card on which the original
identification information has been altered, obliterated or removed, that has not been handled or
packaged correctly, that has been sold as second-hand or that has been resold contrary to U.S.
and other applicable export regulations.
Limitation of Remedies. In the event of a breach of the warranty set forth above, SafeNet's sole
obligation, and your sole remedy shall be, at SafeNet's sole discretion: (i) to replace or repair the
Product, or component thereof, that does not meet the foregoing limited warranty, free of
charge; or (ii) to refund the price paid by you for the Product, or component thereof. Any
replacement or repaired component will be warranted for the remainder of the original warranty
period or 30 days, whichever is longer. Warranty claims must be made in writing during the
warranty period and within seven (7) days of the observation of the defect accompanied by
evidence satisfactory to SafeNet. All Products should be returned to the distributor from which
they were purchased (if not purchased directly from SafeNet) and shall be shipped by the
returning party with freight and insurance paid. The Product or component thereof must be
returned with a copy of your receipt. SafeNet is not liable for, and does not cover under warranty,
any damages or losses of any kind whatsoever resulting from loss of, damage to or corruption of,
content or data or any costs associated with determining the source of system problems or
removing, servicing or installing the microSD card. This warranty excludes third party software,
connected equipment or stored data. SafeNet is therefore not liable for any losses or damage
attributable to third party software, connected equipment or stored data. In the event of a claim,
SafeNet’s sole obligation shall be to issue a refund or replacement of the microSD card.

SECTION III - TERMS APPLICABLE TO ALL GRANTS OF LICENSE

Extent of Grant and Prohibited Uses. Except as specifically permitted in Sections 2.1 and 2.2 above, you agree not to (i)
use the Product in any manner beyond the scope of license purchased by you in accordance with your applicable
purchase order; (ii) use, modify, merge or sub-license the Software or any other of SafeNet's products except as
expressly authorized in this Agreement and in the Sentinel LDK Software Protection and Licensing Guide; and (iii) sell,
license (or sub-license), lease, assign, transfer, pledge, or share your rights under this License with/to anyone else; and
(iv) modify, disassemble, decompile, reverse engineer, revise or enhance the Software or attempt to discover the
Software's source code; and (v) place the Software onto a server so that it is accessible via a public network; and (vi) use
any back-up or archival copies of the Software (or allow someone else to use such copies) for any purpose other than to
replace an original copy if it is destroyed or becomes defective. If you are a member of the European Union, this
agreement does not affect your rights under any legislation implementing the EC Council Directive on the Legal Protection
of Computer Programs. If you seek any information within the meaning of that Directive you should initially approach
SafeNet.
Intellectual Property. THIS IS A LICENSE AGREEMENT AND NOT AN AGREEMENT FOR SALE. The software
component of the SafeNet Sentinel LDK Product, including any revisions, corrections, modifications, enhancements,
updates and/or upgrades thereto, (hereinafter in whole or any part thereof defined as: “Software”), and the related
documentation, ARE NOT FOR SALE and are and shall remain in SafeNet's sole property. All intellectual property rights
(including, without limitation, copyrights, patents, trade secrets, trademarks, etc.) evidenced by or embodied in and/or
attached/connected/related to the Product, (including, without limitation, the Software code and the work product
6 Sentinel LDK Software Licensing and Protection Guide

performed in accordance with Section II above) are and shall be owned solely by SafeNet. This License Agreement does
not convey to you an interest in or to the Software but only a limited right of use revocable in accordance with the terms of
this License Agreement. Nothing in this Agreement constitutes a waiver of SafeNet's intellectual property rights under any
law.
Audit. SafeNet shall have the right, at its own expense, upon reasonable prior notice, to periodically inspect and audit your
records to ensure your compliance with the terms and conditions of this license agreement.
Termination. Without prejudice to any other rights, SafeNet may terminate this license upon the breach by you of any term
hereof. Upon such termination by SafeNet, you agree to destroy, or return to SafeNet, the Product and the
Documentation and all copies and portions thereof.
Limitation of Liability. SafeNet's cumulative liability to you or any other party for any loss or damages resulting from any
claims, demands, or actions arising out of or relating to this Agreement and/or the sue of the Product shall not exceed the
license fee paid to SafeNet for the use of the Product/s that gave rise to the action or claim, and if no such Product/s is/are
so applicable then SafeNet's liability shall not exceed the amount of license fees paid by You to SafeNet hereunder during
the twelve (12) months period preceding the event. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
THEORY, TORT, CONTRACT, OR OTHERWISE, SHALL SAFENET OR ITS SUPPLIERS OR RESELLERS OR
AGENTS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY TYPE INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
GOODWILL, BUSINESS INTERRUPTION, COMPUTER FAILURE OR MALFUNCTION, LOSS OF BUSINESS
PROFITS, LOSS OF BUSINESS INFORMATION, DAMAGES FOR PERSONAL INJURY OR ANY AND ALL OTHER
COMMERCIAL DAMAGES OR LOSSES, EVEN IF SAFENET SHALL HAVE BEEN INFORMED OF THE
POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY. SOME JURISDICTIONS DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU.
No other Warranties. Except and to the extent specifically provided herein, SafeNet makes no warranty or representation,
either express or implied, with respect to its Products as, including their quality, performance, merchantability or fitness for
a particular purpose.
Export Controls. YOU ACKNOWLEDGE THAT THE SOFTWARE IS SUBJECT TO REGULATION BY UNITED STATES,
EUROPEAN UNION, AND/OR OTHER GOVERNMENT AGENCIES, WHICH PROHIBIT EXPORT OR DIVERSION
OF THE SOFTWARE TO CERTAIN COUNTRIES AND CERTAIN PERSONS. YOU AGREE TO COMPLY WITH
ALL EXPORT LAWS, REGULATIONS AND RESTRICTIONS OF THE UNITED STATES DEPARTMENT OF STATE,
DEPARTMENT OF COMMERCE OR OTHER LEGAL AUTHORITY WITHIN THE UNITED STATES OR ANY
FOREIGN ENTITY WHICH REGULATES THEIR SHIPMENT. YOU WILL NOT EXPORT IN ANY MANNER, EITHER
DIRECTLY OR INDIRECTLY, ANY SOFTWARE OR ANY PRODUCT THAT INCORPORATES ANY SOFTWARE
WITHOUT FIRST OBTAINING ALL NECESSARY APPROVAL FROM APPROPRIATE GOVERNMENT AGENCIES.
YOU AGREE TO INDEMNIFY SAFENET AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND
EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF
ANY BREACH OF THIS SECTION 3.7.
Governing Law & Jurisdiction.This License Agreement shall be construed, interpreted and governed by the laws of the
State of Delaware without regard to conflicts of laws and provisions thereof. The exclusive forum for any disputes arising
out of or relating to this License Agreement shall be an appropriate federal or state court sitting in Harford County, State
of Maryland, USA. The application of the United Nations Convention of Contracts for the International Sale of Goods is
expressly excluded. The failure of either party to enforce any rights granted hereunder or to take action against the other
party in the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of
rights or subsequent actions in the event of future breaches.
Third Party Software. The Product contains the Open SSL Toolkit which includes the OpenSSL software, as set forth in
Exhibit A, the Original SSLeay software, as set forth in Exhibit B, LLVM http://opensource.org/licenses/UoI-NCSA.php,
as set forth in Exhibit C, LLJVM subproject http://da.vidr.cc/projects/lljvm/, and BEA Engine
http://www.beaengine.org/licence. The Product uses Taggant Toolkit to sign binaries, which includes the OpenSSL
 7

software, as set forth in Exhibit A, the Original SSLeaysoftware, as set forth in Exhibit B, and IEEE software as set forth in
Exhibit D.Such third party's software is provided “As Is” and use of such software shall be governed by the terms and
conditions as set forth in Exhibit A, Exhibit B, and Exhibit C. If the Product contains any software provided by third
parties other than the software noted in Exhibit A, Exhibit B, and Exhibit C, such third party's software are provided
“As Is” and shall be subject to the terms of the provisions and condition set forth in the agreements contained/attached to
such software. In the event such agreements are not available, such third party's software are provided “As Is” without
any warranty of any kind and this Agreement shall apply to all such third party software providers and third party software
as if they were SafeNet and the Product respectively.
Miscellaneous. If the copy of the Product you received was accompanied by a printed or other form of “hard-copy” End User
License Agreement whose terms vary from this Agreement, then the hard-copy End User License Agreement governs
your use of the Product. This Agreement represents the complete agreement concerning this license and may be
amended only by a writing executed by both parties. THE ACCEPTANCE OF ANY PURCHASE ORDER PLACED BY
YOU, IS EXPRESSLY MADE CONDITIONAL ON YOUR ASSENT TO THE TERMS SET FORTH HEREIN,
COMBINED WITH THE APPLICABLE LICENSE SCOPE AND TERMS, IF ANY, SET FORTH IN YOUR PURCHASE
ORDER. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the
extent necessary to make it enforceable. The failure of either party to enforce any rights granted hereunder or to take
action against the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to
subsequent enforcement of rights or subsequent actions in the event of future breaches.
© 2015 SafeNet, Inc. All rights reserved.

Exhibit A - Open SSL License

A. Notices
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear
in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This
product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”

DISCLAIMER OF WARRANTY
8 Sentinel LDK Software Licensing and Protection Guide

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This
product includes software written by Tim * Hudson (tjh@cryptsoft.com).

Exhibit B - Original SSLeay License

A. Notices
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).

The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4,
RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this
distribution is covered by the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be
removed.
If this package is used in a product, Eric Young should be given attribution as the author of the
parts of the library used.
This can be in the form of a textual message at program startup or in documentation (online or
textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)”.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”
 9

DISCLAIMER OF WARRANTY.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code
cannot be changed. i.e. this code cannot simply be copied and put under another distribution
license [including the GNU Public License.]

Exhibit C - University of Illinois/NCSA Open Source License

Copyright (c) <Year> <Owner Organization Name> All rights reserved.

Developed by: <Name of Development Group>
<Name of Institution>
<URL for Development Group/Institution> Permission is hereby granted, free of charge, to any
person obtaining a copy of this software and associated documentation files (the "Software"), to
deal with the Software without restriction, including without limitation the rights to use, copy,
modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following conditions:
Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimers.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimers in the documentation and/or other materials provided with the
distribution.
Neither the names of <Name of Development Group, Name of Institution>, nor the names of its
contributors may be used to endorse or promote products derived from this Software without
specific prior written permission.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE CONTRIBUTORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH
THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE SOFTWARE.
10 Sentinel LDK Software Licensing and Protection Guide

Exhibit D - IEEE License

This software was developed by The Institute of Electrical and Electronics Engineers, Incorporated
(IEEE), through the Industry Connections Security Group (ICSG) of its Standards Association.
Portions of it include software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/), and those portions are governed by the OpenSSL Toolkit License.
IEEE License
Copyright (c) 2012 IEEE. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: "This product includes software developed by the IEEE Industry Connections
Security Group (ICSG".
4. The name "IEEE" must not be used to endorse or promote products derived from this software
without prior written permission from the IEEE Standards Association (stds.ipr@ieee.org).
5. Products derived from this software may not contain "IEEE" in their names without prior
written permission from the IEEE Standards Association (stds.ipr@ieee.org).
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This
product includes software developed by the IEEE Industry Connections Security Group (ICSG)".

DISCLAIMER OF WARRANTY
THIS SOFTWARE IS PROVIDED "AS IS" AND "WITH ALL FAULTS." IEEE AND ITS CONTRIBUTORS
EXPRESSLY DISCLAIM ALL WARRANTIES AND REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING,
WITHOUT LIMITATION: (A) THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE; (B) ANY WARRANTY OF NON-INFRINGEMENT; AND (C) ANY WARRANTY
WITH RESPECT TO THE QUALITY, ACCURACY, EFFECTIVENESS, CURRENCY OR COMPLETENESS OF
THE SOFTWARE.
IN NO EVENT SHALL IEEE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.
THIS SOFTWARE USES STRONG CRYPTOGRAPHY, WHICH MAY BE SUBJECT TO LAWS AND
REGULATIONS GOVERNING ITS USE, EXPORTATION OR IMPORTATION. YOU ARE SOLELY
RESPONSIBLE FOR COMPLYING WITH ALL APPLICABLE LAWS AND REGULATIONS, INCLUDING, BUT
NOT LIMITED TO, ANY THAT GOVERN YOUR USE, EXPORTATION OR IMPORTATION OF THIS
 11

SOFTWARE. IEEE AND ITS CONTRIBUTORS DISCLAIM ALL LIABILITY ARISING FROM YOUR USE OF
THE SOFTWARE IN VIOLATION OF ANY APPLICABLE LAWS OR REGULATIONS.

Exhibit E - Android Asset Packaging Tool License

Copyright (c) 2005-2008, The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in
compliance with the License.
Unless required by applicable law or agreed to in writing, software distributed under the License is
distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
express or implied. See the License for the specific language governing permissions and limitations
under the License.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and
distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright
owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that
control, are controlled by, or are under common control with that entity. For the
purposes of this definition, "control" means (i) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or otherwise, or (ii)
ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial
ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions
granted by this License.
"Source" form shall mean the preferred form for making modifications, including but
not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or
translation of a Source form, including but not limited to compiled object code,
generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made
available under the License, as indicated by a copyright notice that is included in or
attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is
based on (or derived from) the Work and for which the editorial revisions,
annotations, elaborations, or other modifications represent, as a whole, an original
12 Sentinel LDK Software Licensing and Protection Guide

work of authorship. For the purposes of this License, Derivative Works shall not
include works that remain separable from, or merely link (or bind by name) to the
interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of
the Work and any modifications or additions to that Work or Derivative Works
thereof, that is intentionally submitted to Licensor for inclusion in the Work by the
copyright owner or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted" means any
form of electronic, verbal, or written communication sent to the Licensor or its
representatives, including but not limited to communication on electronic mailing
lists, source code control systems, and issue tracking systems that are managed by,
or on behalf of, the Licensor for the purpose of discussing and improving the Work,
but excluding communication that is conspicuously marked or otherwise designated
in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of
whom a Contribution has been received by Licensor and subsequently incorporated
within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each
Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly
perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, use, offer to sell, sell, import,
and otherwise transfer the Work, where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their Contribution(s) alone or by
combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a
lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses granted to You under this License
for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works
thereof in any medium, with or without modifications, and in Source or Object form, provided
that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this
License; and
(b) You must cause any modified files to carry prominent notices stating that You
changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute,
all copyright, patent, trademark, and attribution notices from the Source form of the
Work, excluding those notices that do not pertain to any part of the Derivative
Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any
Derivative Works that You distribute must include a readable copy of the attribution
 13

notices contained within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one of the following places:
within a NOTICE text file distributed as part of the Derivative Works; within the
Source form or documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and wherever such third-party
notices normally appear. The contents of the NOTICE file are for informational
purposes only and do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside or as an addendum to
the NOTICE text from the Work, provided that such additional attribution notices
cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or
different license terms and conditions for use, reproduction, or distribution of Your modifications,
or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of
the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution
intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms
and conditions of this License, without any additional terms or conditions. Notwithstanding the
above, nothing herein shall supersede or modify the terms of any separate license agreement you
may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks,
service marks, or product names of the Licensor, except as required for reasonable and customary
use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor
provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including,
without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY,
or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any risks associated with Your
exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including
negligence), contract, or otherwise, unless required by applicable law (such as deliberate and
grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages,
including any direct, indirect, special, incidental, or consequential damages of any character arising
as a result of this License or out of the use or inability to use the Work (including but not limited
to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor has been advised of the possibility
of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works
thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty,
indemnity, or other liability obligations and/or rights consistent with this License. However, in
accepting such obligations, You may act only on Your own behalf and on Your sole responsibility,
not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each
Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by
reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
14 Sentinel LDK Software Licensing and Protection Guide

Exhibit F - Sentinel LDK Free Software Components for Sentinel EMS and
Sentinel Cloud Licensing

Sentinel® LDK™ contains certain free software components, as listed below. Any use of the free
software components is subject to the applicable license agreements, referenced below. If you
choose to distribute or otherwise use the free software components independent of Sentinel LDK,
you may only do so in accordance with the applicable licenses below, and any and all proprietary
notices of SafeNet, Inc. ("SafeNet"), must be removed from any resulting product. In no event
shall you state or imply that a derivative product you created with the free software components
is produced by SafeNet or otherwise endorsed or supported by SafeNet.
A. The following free software components, utilized within Sentinel LDK, are used and distributed
pursuant to the Apache License, Version 1.1, and are subject to the terms and conditions of said
License: (i) Avalon framework 4.1.3 and (ii) logkit-1.0.1.jar. The Apache License, Version 1.1, is
located at: http://www.apache.org/licenses/LICENSE-1.1.
B. The following free software components, utilized within Sentinel LDK, are used and distributed
pursuant to the Apache License, Version 2.0, and are subject to the terms and conditions of said
Li-cense: (i) Spring 3.0.5; (ii) IzPack; (iii) json-lib-2.2.3-jdk15; (iv) EHCache; (v) acegi-security-1.0.2; (vi)
derby 10.2.2.jar; (vii) ezmorph-1.0.6.jar; (viii) lucene-core-2.3.2.jar; (ix) xercesImpl-2.8.1; (x) xalan-
2.6.0; (xi) standalone-compiler.jar; (xii) commons-beanutils-1.7.0; (xiii) commons-collections-3.2;
(xiv) commons-lang-2.4; (xv) commons-logging-1.1; (xvi) Quartz 1.6.5; (xvii) Apache Tomcat 6; (xviii)
JCS; (xviv) Log4j; and (xvv) Log4net. Said free software components are subject to the following
copyright: Copyright © 2012 The Apache Software Foundation. All rights reserved. The Apache
License, Version 2.0, is located at: http://www.apache.org/licenses/LICENSE-2.0.
C. The following free software components, utilized within Sentinel LDK, are used and distributed
pursuant to the GNU Lesser GPL License 2.1, and are subject to the terms and conditions of said
Li-cense: (i) XLightWeb; (ii) Hibernate; and (iii) DynamicJasper 3.1.1. The GNU Lesser GPL License 2.1
is located at: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
D. The free software component, utilized within Sentinel LDK, known as "XStream" is used and
distributed pursuant to the BSD License for XStream, and is subject to the terms and conditions
of said License. The BSD License for XStream is located at:
http://xstream.codehaus.org/license.html.
E. The free software component, utilized within Sentinel LDK, known as "Bouncy Castle" is used
and distributed pursuant to the terms and conditions of the License located at:
http://www.bouncycastle.org/licence.html.
F. The free software component, utilized within Sentinel LDK, known as “Libcurl” is used and
distributed pursuant to the terms and conditions of the License located at:
http://curl.haxx.se/legal/licmix.html.
G. The free software component, utilized within Sentinel LDK, known as “Libconfig” is used and
distributed pursuant to the terms and conditions of the License located at:
hhttp://www.gnu.org/licenses/lgpl.html.
H. The free software component, utilized within Sentinel LDK, known as “Liblogger” is used and
distributed pursuant to the terms and conditions of the License located at:
http://www.gnu.org/licenses/lgpl-3.0.txt.
 15

I. The free software component, utilized within Sentinel LDK, known as “GenX” is used and
distributed pursuant to the terms and conditions of the License located at:
http://www.tbray.org/ongoing/genx/COPYING.
J. The free software component, utilized within Sentinel LDK, known as “Libexpat” is used and
distributed pursuant to the MIT License, and is subject to the terms and conditions of said License
located at: http://opensource.org/licenses/MIT
K. The free software component, utilized within Sentinel LDK, known as “uthash” is used pursuant
to the terms and conditions of the License located at: http://uthash.sourceforge.net/license.html.
L. The free software component, utilized within Sentinel LDK, known as “SpiderMonkey” is used
and distributed pursuant to the MPL/GPL/LGPL tri-license, and is subject to the terms and
conditions of said Licenses.
M. The free software component, utilized within Sentinel LDK, known as “OpenSSL” is used and
distributed pursuant to the terms and conditions of the License located at:
http://www.openssl.org/source/license.html.
N. The free software component, utilized within Sentinel LDK, known as "YUI" is used and
distributed pursuant to the BSD License, and is subject to the terms and conditions of said
License. The said software component is subject to the following copyright: Copyright © 2010,
Yahoo! Inc. All rights reserved. The BSD License for YUI is located at:
http://developer.yahoo.com/yui/license.html.
O. The free software components, utilized within Sentinel LDK, known as (i) JasperReports and (ii)
JasperBerry_002 are used and distributed pursuant to the LGPL License, and is subject to the
terms and conditions of said License. The LGPL license is available at:
http://www.gnu.org/copyleft/lesser.html.
P. The free software component, utilized within Sentinel LDK, known as "Javolution.jar" is used
and distributed pursuant to the BSD License for Javolution.jar, and is subject to the terms and
conditions of said License. The BSD License for Javolution.jar is located at:
http://javolution.org/LICENSE.txt.
Q. The free software component, utilized within Sentinel LDK, known as "jempbox-0.2.0.jar" is
used and distributed pursuant to the BSD License for jempbox-0.2.0.jar, and is subject to the
terms and conditions of said License. The BSD License for jempbox-0.2.0.jar is located at:
http://www.jempbox.org/license.html.
R. The free software component, utilized within Sentinel LDK, known as "JDOM" is used and
distributed pursuant to the JDOM License, and is subject to the terms and conditions of said
License. The JDOM License is located at: http://vmgump.apache.org/gump/public-
jars/jdom/jars/LICENSE.txt.
S. The free software component, utilized within Sentinel LDK, known as "icu4j-2.6.1.jar" is used
and distributed pursuant to ICU4J License, and is subject to the terms and conditions of said
License. The ICU4J License is located at: http://www.xom.nu/lib/normalizer_license.html.
T. The free software component, utilized within Sentinel LDK, known as "Dojo 1.3" is used and
distributed pursuant to the terms and conditions of the license located at:
http://o.dojotoolkit.org/license.
16 Sentinel LDK Software Licensing and Protection Guide

U. The free software component, utilized within Sentinel LDK, known as "7-zip 4.65" is used and
distributed pursuant to the terms and conditions of the license located at: http://www.7-
zip.org/license.txt.
V. The free software component, utilized within Sentinel LDK, known as "Curl 7.15.1" is used and
distributed pursuant to the terms and conditions of the license located at:
http://curl.haxx.se/docs/copyright.html.
W. The free software component, utilized within Sentinel LDK, known as "JRE 1.6" is used and
distributed pursuant to the terms and conditions of the license located at:
http://www.oracle.com/technetwork/java/javase/terms/license/index.html

Exhibit G - BSD 3-Clause License for smali/baksmali

The following is a BSD 3-Clause ("BSD New" or "BSD Simplified") license template. To
generate your own license, change the values of OWNER, ORGANIZATION and YEAR
from their original values as given here, and substitute your own.
Note: You may omit clause 3 and still be OSD-conformant. Despite its colloquial
name "BSD New", this is not the newest version of the BSD license; it was followed
by the even newer BSD-2-Clause version, sometimes known as the "Simplified BSD
License". On January 9th, 2008 the OSI Board approved BSD-2-Clause, which is used
by FreeBSD and others. It omits the final "no-endorsement" clause and is thus
roughly equivalent to the MIT License.
Historical Background: The original license used on BSD Unix had four clauses. The
advertising clause (the third of four clauses) required you to acknowledge use of U.C.
Berkeley code in your advertising of any product using that code. It was officially
rescinded by the Director of the Office of Technology Licensing of the University of
California on July 22nd, 1999. He states that clause 3 is "hereby deleted in its
entirety." The four clause license has not been approved by OSI. The license below
does not contain the advertising clause.
This prelude is not part of the license.
<OWNER> = Regents of the University of California
<ORGANIZATION> = University of California, Berkeley
<YEAR> = 1998
In the original BSD license, the occurrence of "copyright holder" in the 3rd clause read
"ORGANIZATION", placeholder for "University of California". In the original BSD license, both
occurrences of the phrase "COPYRIGHT HOLDERS AND CONTRIBUTORS" in the disclaimer read
"REGENTS AND CONTRIBUTORS".
Here is the license template:
Copyright (c) <YEAR>, <OWNER>
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
 17

1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
 Contents
Familiarizing Yourself with Sentinel Vendor Suite 29
Contents of the Sentinel License Development Kit 29
Sentinel LDK - Demo Kit 29
Sentinel LDK - Starter Kit 29
About This Book 30
Major Components of the Vendor Suite 31
Sentinel LDK Data Protection Utility 31
Contacting Us 34
Training 34
Obtaining Support 34

PART 1 - GETTING STARTED 35

Chapter 1: Understanding Sentinel LDK Software Protection and Licensing 37

Fundamentals of Protection 37
What is Protection? 37
Major Protection Solutions 38
Hardware-based Solutions 38
Software-based Solutions 38
Comparative Benefits of Hardware-based and Software-based Solutions 39
Advantages of a Combined Solution 39
Fundamentals of Licensing 40
Flexible and Secure Licensing Solutions 40
Licensing Planning and Models 40
Updating and Enforcing Usage Terms 41
Principles of Sentinel LDK 41
Protect Once—Deliver Many—Evolve Often 42
Cross-locking 42
Mixing and Matching Licenses and Sentinel Protection Keys 42
Customizing Your Unique Solution 43
Personalized Vendor and Batch Codes 43
Selecting the Best Key for Your Requirements 44
Sentinel Vendor Keys 44
End-User Keys 44
Protection Key Attributes 47
Sentinel LDK Protection Process 48
Obtaining Additional Information About Sentinel LDK 49
20 Sentinel LDK Software Licensing and Protection Guide

Chapter 2: Understanding Sentinel Cloud Licensing 51

Software as a Service 51
What is Sentinel Cloud Licensing? 52
How Does Sentinel Cloud Licensing Work? 53
Cloud License Types 54
For More Information 54

PART 2 - PROTECTION 55

Chapter 3: Protecting Software 57

Sentinel LDK Protection 57
Elements of Sentinel LDK Protection 57
Selecting a Protection Method 59

Chapter 4: Sentinel Licensing API Protection 61

Overview 61
Universal Sentinel Licensing API 62
Sentinel Licensing API Prerequisites 62
Vendor Code 62
Learning About the Sentinel Licensing API 63
Sentinel LDK ToolBox 63
Sentinel Licensing API Samples 64
Implementation 64
Planning Your Requirements 64
Sentinel Licensing API Workflow 65
Sentinel Licensing API Login Function 65
Sentinel Licensing API Functionality 67
Function Groups 67

Chapter 5: Sentinel LDK Envelope Protection 69

Functionality 69
Basic Protection Workflow 70
Required and Optional Protection Parameters 71
General Customizable Parameters 72
Sentinel LDK Envelope for Windows 73
Prerequisites for Windows 73
Running Sentinel LDK Envelope 73
Protecting Windows Programs 74
Enhancing Protection With "AppOnChip" 75
Accessing and Protecting Data Files 76
 21

Running Sentinel LDK Envelope from a Windows Command Line 77

Protecting .NET Assemblies 77
.NET Considerations 78
Global Features in .NET Assemblies 78
Method-level Protection 78
Code and Symbol Obfuscation in .NET Assemblies 81
Defining Sentinel LDK Envelope Protection Settings in Source Code 81
Sentinel LDK Envelope for Linux Applications 83
Sentinel LDK Envelope for Mac Binaries 83
Sentinel LDK Envelope Prerequisites for Mac 83
Running Sentinel LDK Envelope for Mac 83
Sentinel LDK Envelope for Mac Protection Parameters 84
Accessing and Protecting Data Files 84
Sentinel LDK Envelope for Java Executables 84
Java Considerations 85
Sentinel LDK Envelope Prerequisites for Java 85
Running Sentinel LDK Envelope for Java Engines 86
Sentinel LDK Envelope for Java Protection Parameters 86
Protecting Java Executables 86
Sentinel LDK Envelope for Android Applications 86
Sentinel LDK Envelope Prerequisites for Android 87
Android Considerations 87

Chapter 6: Protection Strategies 89

Overview 89
General Protection Guidelines 90
Types of Attack and Their Sentinel LDK Defense 91
Patching Executables and DLLs 91
Modifying Key Memory 91
Emulating Protection Keys 92
Using Remote Desktops and Remote Desktop Solutions 92
Cloning Hardware Keys 92
Clock Tampering 92
Additional Sentinel LDK-specific Strategies 93

Chapter 7: Protecting Data Files 95

Overview 95
When to Protect Data Files 98
Users of Sentinel LKD Data Protection Utility 98
Data Encryption for Mac 98
Data Protection Prerequisites 99
Launching Sentinel LDK Data Protection Utility 99
22 Sentinel LDK Software Licensing and Protection Guide

Data File Protection Plugin 99

Licensing Data Files—Getting Started 100
Licensing an FLV File to be Viewed Using Internet Explorer 101
Licensing data files to be accessed using a proprietary application 102
Working With the dfcrypt Command Line Utility 104

PART 3 - LICENSING 107

Chapter 8: Introduction to Sentinel EMS 109

Sentinel EMS Overview 109
Sentinel EMS Major Workflows 109
Sentinel EMS Users and User Roles 111
Getting Started With Sentinel EMS 112
Prerequisites for the Sentinel LDK Administrator 113
Using the Sentinel EMS Help 115
Sentinel License Generation API 115
Switching Between Sentinel License Generation API and Sentinel EMS 116

Chapter 9: Preparing Your Sentinel LDK Licensing Plan 117

Licensing Overview 117
Preparing Your Licensing Plan 118
Identifying Functional Components (Features) 119
Combining Features Into Products 119
Choosing the Protection Level for Your Products 120
Sentinel HL Key Protection and Activation 121
Sentinel SL Key Protection and Activation 121
Specifying the Protection Level for Individual Orders 122
Designating Products for Trial or Grace Period Use 122
Assigning License Terms to Features 123
Specifying License Values for Individual Orders 123
Utilizing Protection Key Memory 124
Using Your Licensing Plan With Sentinel EMS 125

Chapter 10: Implementing Your Sentinel LDK Licensing Plan 127

License Planning in Sentinel EMS 127
Managing Features 128
Defining Features 128
Deleting Features 129
Managing Products 129
Defining New Products 131
 23

Defining Unlocked Products 136

Product Status Values 137
Duplicating a Product 137
Withdrawing a Product 137
Maintaining Products and Licenses 137
Managing Product Versions 138
Canceling Product Licenses 140

Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks 143

Sentinel LDK Entitlement Processing and Production 143
Managing Entitlements 144
Defining Entitlements 145
Entitlement Status Values 149
Processing C2V Information 149
Order Processing and Production Examples 150
Producing Entitlements 152
Producing Sentinel HL Key Entitlements 153
Producing Entitlements for Product Keys 153
Producing Protection Key Update Entitlements 154
Withdrawing Entitlements 154
Customer Portal - Activating Entitlements 154
Viewing License Updates 155
Applying License Updates to SL AdminMode Keys 156
Performing Development-related Tasks 157
Generating Bundles of Unlocked Products 157
Generating the Sentinel LDK Run-time Environment Installer 158
Exporting Definition Data 158
Customizing and Branding the RUS utility 159
Enabling Trial Use and Grace Periods 159
Example 1: Issuing an Unlocked Trialware Product for Trial Use 159
Example 2: Issuing a Product for a Grace Period 160

Chapter 12: Sentinel LDK Administration and Customer Services 161

Administration Tasks 161
Maintaining User Details 162
Maintaining Sentinel Master Keys 163
Customer Services 164

Chapter 13: Sentinel Remote Update System 165

RUS Utility Overview 165
RUS Workflow 166
24 Sentinel LDK Software Licensing and Protection Guide

Example: Using RUS for License Updates 167

Using RUS utility 167
Instructions for Customers Using the RUS utility 167

Chapter 14: Generating Sentinel LDK Reports 171

Reports Facility Overview 171
Permissions for Working With Reports 172
Scheduling Reports 172
Presentation Formats 173
Export Formats 173
Available Reports 173
Custom Reports 173

PART 4 - DISTRIBUTING SOFTWARE 175

Chapter 15: Distributing Sentinel LDK With Your Software 177

Sentinel LDK Software for End Users 177
Protection-related Software 177
Network Environment Management 178
Software for Updating Licenses 178
Data File Protection Plugin 178
Distributing Sentinel LDK Run-time Environment 179
Protection Keys That Require Sentinel LDK Run-time Environment 179
Sentinel LDK Run-time Environment for Windows 180
Sentinel LDK Run-time Environment for Mac 184
Sentinel LDK Run-time Environment for Linux 184
Sentinel LDK Run-time Environment for Android 185

Chapter 16: Sentinel Admin Control Center 187

Introduction to Admin Control Center 187
Sentinel License Manager 188
Types of License Managers 188
Selection of License Manager Under Windows 190
Selection of License Manager for Protected Data Files Under Windows 192
Selection of License Manager Under Mac and Linux 192
License Manager Under Android 192
Loss of Connection with a Network License 192
Launching Admin Control Center 193
Admin Control Center Interface 193
Administrator’s Workflow 194
 25

Configuration Considerations 195

Applying Basic Configuration Changes Globally 198
Customizing Admin Control Center Look and Feel 198
Writing Templates 199
Configuring Admin Control Center to Use Your Custom Template 201
Working With Sentinel Admin API 202

PART 5 - LICENSING MODELS 203

Chapter 17: Sentinel LDK Licensing Models: Overview 205

Introduction 205
Sentinel LDK Licensing 206
Determining the Best Protection and Licensing Method 207
About This Section 207
How to Use the Licensing Models 208

Chapter 18: Sentinel LDK Licensing Models: Description of Models 209

Evaluation Licensing Models 210
Trialware 211
High-security Time-limited Evaluation 212
Execution-limited Evaluation 213
Demoware 214
Component-based Licensing Models 215
Module-based (Suites) 216
Feature-based 217
Metered Licensing Models 218
Time-limited Rental 219
Phased Rental 220
Micro-rental 221
Subscription 222
Pay-by-Peak Time (Peak Time) 224
Time-based Overdraft 226
Standard Counter 227
Phased Counter 228
Capacity (CPU/Memory/Disk) 229
Locked License Models 230
Machine-locked 231
User-locked 232
Mobile License Models 234
Portable 235
Commuter 235
26 Sentinel LDK Software Licensing and Protection Guide

Software on a Key 236

Network License Models 237
Limited Concurrent End Users in a Network 238
Time-limited Concurrent End Users in a Network 239
Execution-limited Concurrent End Users in a Network 241
Volume 243
Site 244
Sales Boosting Licensing Models 245
KickStart (Quick-delivery Grace) 246
Referral-based Sales 247
Automatic Sales Agent 249
Perpetual Licensing Models 251
Standard Perpetual Licensing model 252
Perpetual Unlocked Licensing Model 253

PART 6 - APPENDICES 255

Appendix A: Understanding the Sentinel LDK Master Key Licenses 257

Licensing Concepts 258
Product Activation Module 259
New SL Key Pool 259
Network Seats 260
How New Activations and Update of Your Software Affect the Pool 261
Unlimited Concurrency 262
Additional Information 263
Unlocked Trialware Module 263
Unlocked Unlimited Module 263
V-Clock Module 264
AppOnChip Module 264
Advanced Data File Protection Module 264
Reporting Module 265

Appendix B: Sentinel LDK Run-time Network Activity 267

Local Communications 268
Remote Communications 269

Appendix C: Maximum Number of Features in a Sentinel HL Key 271

Appendix D: How Sentinel LDK Detects Machine Cloning 273

 27

Overview 273
Clone Detection for Physical Machines 275
PMType1 Scheme 275
PMType2 Scheme 275
PMType3 Scheme 276
FQDN Scheme 276
Clone Detection for Virtual Machines 276
VMType1 Scheme 276
FQDN Scheme 278

Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock 279

Tampering with the System Clock 280
Re-enabling a Blocked Protected Application 280
Setting Fallback to V-Clock If the RTC Battery in a Sentinel HL key is Depleted 280

Appendix F: How to Bundle Unlocked Products Manually 283

Appendix G: How to Optimize Performance for Sentinel LDK Run-time

Environment 285
SL UserMode License 285
Run-time Environment 285
Testing for Presence of Features 285

Appendix H: Upgrading Sentinel HL Keys 287

Upgrading a Sentinel HL Key to Driverless Configuration 287
Upgrade Requirements 289
Upgrade Process 290
Converting a Sentinel HL Standalone Key to a Network Key 290

Appendix I: How to Make Product Names Visible on the End User's Machine 293

Appendix J: Troubleshooting 295

Checklist 295
Problems and Solutions 296

Glossary 299

Index 307
 Familiarizing Yourself with
Sentinel Vendor Suite
This topic provides an introduction to Sentinel Vendor Suite. SafeNet recommends that you review
this information to familiarize yourself with:
n The contents of the Sentinel License Development Kit – Starter or Demo kit
n The major components of Sentinel Vendor Suite
n The information provided in this book
n How to obtain additional technical support for these products

Contents of the Sentinel License Development Kit

Two Sentinel License Development Kits (Sentinel LDK) are available as part of the Sentinel Vendor
Suite—the Demo kit enables you to evaluate Sentinel LDK protection and licensing; the Starter kit
enables you to apply Sentinel LDK protection and licensing to your software. (The software
provided in the two kits is identical.)

Sentinel LDK - Demo Kit

The Sentinel License Development Kit - Demo kit contains the software and hardware you need to
evaluate Sentinel LDK protection and licensing. The following items are included:
n Sentinel LDK software on a single DVD
n Sentinel HL Demo keys to facilitate the evaluation process
n Sentinel LDK Software Protection and Licensing Quick Start card
n Sentinel LDK Software Protection and Licensing Tutorial
Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide
(this book) and the Sentinel LDK Installation Guide, can be found on the computer where Sentinel
LDK is installed and on the product DVD.

Sentinel LDK - Starter Kit

The Sentinel License Development Kit - Starter kit contains the software and hardware you need to
apply Sentinel LDK protection and licensing. The following items are included:
n Sentinel LDK software on a single DVD
n Sentinel Vendor keys:
o Sentinel Developer key for applying protection
30 Sentinel LDK Software Licensing and Protection Guide

o Sentinel Master key for generating license updates and activating software
keys
n Sentinel LDK Software Protection and Licensing Quick Start card
n Sentinel LDK Software Protection and Licensing Tutorial
Additional documentation, including the Sentinel LDK Software Licensing and Protection Guide
(this book) and the Sentinel LDK Installation Guide, can be found on the computer where Sentinel
LDK is installed and on the product DVD.
Sentinel HL keys for distribution to your customers must be ordered separately.

About This Book

This book is designed to help software publishers protect and license their software using
Sentinel LDK. The guide provides background information and details about how Sentinel LDK can
best serve your protection and licensing requirements.
The book is divided into the following parts:
n "PART 1 - GETTING STARTED" on page 35
Introduces Sentinel LDK, presents basic protection and licensing concepts, and leads you
through the process of configuring the system. You should read this part after opening
your kit.
n "PART 2 - PROTECTION" on page 55
Provides an in-depth presentation of Sentinel LDK protection methods. This part includes
strategies for maximizing the protection of your software using Sentinel LDK. This part is
specifically for software engineers who have the responsibility for using the Sentinel LDK
protection applications to protect software.
n "PART 3 - LICENSING" on page 107
Discusses the options that Sentinel LDK provides to enable you to apply flexible licensing
terms to your software and provides case studies for you to examine. This part is
particularly relevant to product and business managers who have to make decisions
about how their software is licensed. This part should also be read by operations staff and
others involved in production.
n "PART 4 - DISTRIBUTING SOFTWARE" on page 175
Details the Sentinel LDK software that can be delivered to end users to ensure easy and
trouble-free deployment of protected software. This part also describes the various ways
of effectively delivering the Sentinel LDK software components.
n "PART 5 - LICENSING MODELS" on page 203
Provides an overview and detailed description of the various Sentinel LDK Licensing
models that you can use to distribute your software.
 Major Components of the Vendor Suite 31

n "PART 6 - APPENDICES" on page 255

Provides supplementary information regarding Sentinel LDK.
n "Glossary" on page 299

Major Components of the Vendor Suite

Sentinel License Development Kit (Sentinel LDK) Vendor Suite contains many modules, tools, and
APIs that assist you to manage the protection and licensing of your application. This section
provides an overview of the most significant items in the Vendor Suite.

Sentinel LDK Envelope and Sentinel Licensing API

Sentinel LDK Envelope is a tool that wraps your application in a protective shield. This shield
ensures that:
n The application is protected against disassembly and reverse engineering. Your intellectual
property is protected.
n The protected application cannot run unless a suitable Sentinel protection key can be
accessed by the application.
An application that has been protected by Sentinel LDK Envelope can contain the Data Protection
module to automatically encrypt data files to disk and to read them back. You can use the
Sentinel LDK Data Protection utility to pre-encrypt data files for use with the protected
application.
You can use Sentinel Licensing API to provide enhanced protection for your application and to
enable the licensing of specific Features in the application.

Sentinel LDK Data Protection Utility

Sentinel LDK Data Protection utility is a tool that can do either of the following:
n Protect data files with encryption. A protected data file can only be accessed by an
application that has been protected with Sentinel LDK Envelope and that possesses the
required encryption key.
n Protect data files with encryption and licensing. A protected data file can be accessed:
o only by an application that has been protected with Sentinel LDK Envelope or by a
vendor-specific Web Browser plugin, AND
o only when the end user has the required license on a protection key.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive application that enables software developers to learn about
the following Sentinel APIs:
n Sentinel Licensing API
n Sentinel License Generation API
32 Sentinel LDK Software Licensing and Protection Guide

n Sentinel Admin API

In ToolBox, software developers can execute API functions, observe the behavior of the functions,
and then copy the relevant source code into their own applications.

Admin Control Center

Sentinel Admin Control Center is a customizable, web-based, end-user utility that enables
centralized administration of Sentinel License Managers and Sentinel protection keys.

Sentinel RUS (Remote Update System)

Sentinel RUS utility is an advanced tool that enables you to perform secure, remote updating of
the license and memory data of Sentinel protection keys after they have been deployed on the
end user’s computer.

Sentinel Cloud Licensing

Sentinel Cloud Licensing is an alternative to the LDK licensing solution that is used by Sentinel LDK
for protected applications. Sentinel Cloud Licensing provides a cloud-based licensing solution for
vendors who want ongoing control over customers' license terms and who want to track the
usage of features by the customers.
Sentinel Cloud Licensing is suitable both for SaaS (Software as a Service) applications that are
hosted in the cloud and for on-premise applications that are installed at the customer's site.
Using Sentinel Cloud Licensing, you can enable feature-level authorization of your applications and
leverage a wide range of feature and product packaging options—ranging from simple
subscription to complex usage-based models. In this way, you can maximize return on investment
through greater product versatility and simplified operations.
Sentinel Cloud Licensing simplifies your billing process management by providing automated
metering and export of usage data for billing.
Sentinel Cloud Run-time provides a common set of APIs that enable you to deploy your
applications on cloud without any change in application source code.

Sentinel EMS (Entitlement Management System)

Sentinel EMS is a web-based graphical application that is used to perform a range of functions
required to manage the licensing, distribution, and maintenance of protected applications and
data files.
You can use Sentinel EMS Web Services to perform the same functions programmatically. This
enables you to integrate the EMS functionality into your own back end infrastructure.

Sentinel License Generation API

For ISVs who prefer to use their own ERP back-ends, Sentinel License Generation API provides
access to the power and flexibility of Sentinel protection keys without the need to install the full
Sentinel EMS system. You can use Sentinel LDK ToolBox to examine the API functions, create
license templates, and to generate protection keys.
 Sentinel LDK Data Protection Utility 33

Sentinel HL Drive Partitioning Utility

Sentinel HL Drive is a device that includes Sentinel HL Max key functionality and a flash memory
that can be used as a mass storage device or as a CD ROM emulator (or both).
Using the Sentinel HL Drive Partitioning utility or the Sentinel HL Drive Partitioning API, you can
load your Sentinel LDK-protected applications and data files onto the CD ROM partition of a
Sentinel HL Drive, and deliver it to your customers. Your customers can save files to the Sentinel
HL Drive, or load additional software on it, thus utilizing the convenience of portable USB disk
functionality.
By default, the flash memory in Sentinel HL Drive is fully allocated as a mass storage device. Using
the Partitioning utility or API, you can create a CD ROM emulation partition on which you can
load your software data.

Sentinel EMS Customer Portal

Sentinel LDK provides a product activation mechanism. This mechanism enables a customer to
quickly and easily:
n convert a trialware version of your protected application or data file (an Unlocked
Trialware Product) to a fully-enabled version.
n directly activate a fully-enabled protected application or data file (a Locked Product).
The end users activate the relevant version using a unique Product Key that they receive from you
after completing the required commercial transaction to purchase a license for the application. In
either case, your investment against software piracy is protected.
Sentinel EMS contains a separate Customer Portal. This is a Web portal that your customers can
access in order to activate Unlocked Trialware Products or Locked Products. The customer logs in
to the Customer Portal by providing a Product Key. The customer completes a registration form (if
you require this) and then chooses the method to activate the Product. Online activation is
completely automatic and activates the license on the local machine. Offline activation enables the
customer to download a utility that can be used to activate the license manually on a different
machine.
The Sentinel LDK tutorials leads you through the complete process: define a Feature in Sentinel
EMS, define Products, enter an order, generate a product key, and finally activate the trialware
using the Customer Portal.

Master Wizard

You use the Sentinel LDK Master Wizard tool to introduce your unique Batch Code (from your
Sentinel Vendor keys) into Sentinel LDK, for use with the various Vendor Suite applications. This
tool also imports your vendor-specific files from SafeNet servers, including API libraries and the
vendor library used for software-based protection
The Master Wizard tool also generates your customized Data File Protection plugin. This plugin
enables your customers to view certain types of protected data files in the Internet Explorer Web
browser.
34 Sentinel LDK Software Licensing and Protection Guide

Contacting Us
SafeNet has both international offices and many local distributors providing support for
Sentinel LDK—virtually whenever and wherever required.

Training
For additional information and training about Sentinel LDK implementation issues, contact our
team of international consultants at the URL provided above. The consultants can provide you
with tailored training sessions on the following:
n Integration of Sentinel LDK into your product
n Analysis of the best protection strategy for your applications
n Assistance in implementation of your protection and licensing models

Obtaining Support
You can contact us using any of the following options:
n Business Contacts - To find the nearest office or distributor, use the following URL:
http://www.safenet-inc.com/contact-us/
n Technical Support - To obtain assistance in using SafeNet products, feel free to contact
our Technical Support team:
o Phone: 800-545-6608 (US toll free), +1-410-931-7520 (International)
o E-mail: support@safenet-inc.com
o URL: http://sentinelcustomer.safenet-inc.com/sentinelsupport/
n Downloads - You may want to check out updated installers and other components here:
www.sentinelcustomer.safenet-inc.com/sentineldownloads/
 PART 1 - GETTING STARTED
In this section:

n "Chapter 1: Understanding Sentinel LDK Software Protection and Licensing" on page 37

Provides an overview of the concepts of software and intellectual property protection and
licensing, discusses the primary protection solutions, and focuses on how Sentinel LDK
provides a comprehensive solution to all your protection requirements.
 1
Chapter 1:
Understanding Sentinel LDK
Software Protection and Licensing
This chapter provides an overview of the concepts of software and intellectual property protection
and licensing, discusses the primary protection solutions, and focuses on how Sentinel LDK
provides a comprehensive solution to all your protection needs.
SafeNet recommends that you familiarize yourself with the information in this chapter so that you
can maximize the benefits of using Sentinel LDK.
In this chapter:

n "Fundamentals of Protection" on page 37

n "Major Protection Solutions" on page 38
n "Fundamentals of Licensing" on page 40
n "Flexible and Secure Licensing Solutions" on page 40
n "Principles of Sentinel LDK" on page 41
n "Customizing Your Unique Solution" on page 43

Fundamentals of Protection
This section examines the nature of protection, and identifies the two types of protection that you
need to consider.

What is Protection?
Protection is the process of securing an application or intellectual property by incorporating
automated and customized security strategies.
Protection is achieved by implementing specific security strategies, such as wrapping your
application in a security envelope, and incorporating various security measures within the
application’s code during development. The greater the number of security measures
incorporated, and the higher the level of their complexity, the more secure your application
becomes.
It is not sufficient to protect only your software—you must also protect your intellectual property.
Your professional expertise and the secrets that you use in developing your software, for example
algorithms, must also be protected.
38 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Copy Protection

Copy protection is the process of encrypting your software and incorporating various security
measures throughout the code and binding it to a key so that it can only be accessed by
authorized users who are in possession of the key. The more complex the copy protection applied
to your software, the less likely it is to be compromised.
Similarly, important data files can be encrypted and protected with licensing so that only users
who possess the key are able to access the files.

Intellectual Property Protection

Your intellectual property is the foundation on which your products are developed. Intellectual
property theft is surprisingly easy. Every year, companies report the loss of proprietary
information and intellectual property valued at many billions of dollars.
The algorithms and other secret information that you use to make your products unique and
competitive must be protected against attempts to discover their secrets, or to apply reverse
engineering to the software code.

Major Protection Solutions

With Sentinel LDK, the ability to protect and license your software is facilitated by the use of
flexible protection and licensing tools, together with a Sentinel protection key to which your
software is subsequently bonded. This key may be either hardware-based or software-based.

In general, references in this section to protection and licensing of software are also
applicable to protection and licensing of data files.

Hardware-based Solutions
In hardware-based solutions, you supply an external hardware device together with your
software. The functioning of your software is dependent on the device being connected to the
end user’s computer. At run-time, your software communicates with the hardware device, and
only functions correctly if it receives an authentic response from the device.
Sentinel LDK provides a variety of hardware devices in the form of Sentinel HL keys. You can select
the type of Sentinel HL key that best suits your requirements. For more information about
Sentinel HL keys, see "Sentinel HL Keys" on page 45.

Software-based Solutions
In software-based solutions, following the installation of your software on an end user’s computer,
the protection and licensing is bonded to that specific machine. Your software will only function
after a Product Key has been entered by the user. At run-time, the Sentinel License Manager
checks that the software is on the machine on which it is licensed to run and that it is being used
in accordance with the user’s license terms.
 Major Protection Solutions 39

Sentinel LDK provides a robust software-based solution using Sentinel SL keys. A Sentinel SL key
resides in the secure storage of a specific computer and is patterned on the functionality of a
Sentinel HL key.
For more information about Sentinel SL keys, see "Sentinel SL Keys" on page 46.

Comparative Benefits of Hardware-based and Software-based Solutions

Strong protection and licensing security can be provided with either hardware- or software-based
solutions. While many protection and licensing features are common to both options, each also
offers specific strengths that might be comparatively limited in the other.
The following table highlights and compares some of the available benefits of hardware- and
software-based solutions, and the relative strengths of each option.

Feature Hardware-based Software-based

Software and Intellectual Property **** ***
protection
Secure Licensing **** **
Trialware ** ****
Portability **** *
Electronic Software Distribution ** ****
Multiple Feature/Module Licensing *** ****

Advantages of a Combined Solution

As shown in the preceding section, both solutions have their relative strengths in protecting and
licensing your software.
It is probable that you utilize various strategies for marketing, selling, and distributing your
software. For example, these strategies may include:
n Determining the level of protection according to the price of the software
n Determining the level of protection according to market segments, including vertical
markets
It is likely that your strategies will also require the following:
n The ability to turn trialware into a fully functional version using hardware-based or
software-based activation
n The ability to sell software over the Internet, protected with a hardware-based or
software-based key

Sentinel LDK Combined Solution

Sentinel LDK provides the industry’s first software DRM solution that combines hardware-based
and software-based protection and licensing.
40 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

This innovative, self-contained, flexible system enables you to:

n Implement multiple protection solutions
n Define multiple license models according to the requirements of your market, and apply
their usage terms independently of the protection process
n Select hardware-based (Sentinel HL) or software-based (Sentinel SL) protection keys
independently of the protection process

Fundamentals of Licensing
In addition to protecting your software and intellectual property, you need to protect the revenue
from sales of your product. You want to ensure that your software is only available to the
appropriate users, according to the terms that you define. This process is controlled by licensing.
Licensing provides you with the flexibility to implement your business strategies for your software
distribution. When you define the licensing terms on which your software is distributed or sold,
you select the terms that are commercially beneficial to your company.
For example, you may decide that you initially want to distribute your software free of charge, so
that users can try it before purchasing. You will want to ensure that users can use it for only a
limited time before it must be purchased.
Alternatively, you may publish very complex, expensive software. You may decide to make specific
components of that software available for a lower price, thus making parts of it accessible to users
who cannot afford the full-featured version. Such a decision creates an additional revenue source.
To obtain the maximum benefit from your company’s licensing strategy, you need a software
licensing system that provides you with the flexibility to tailor licensing terms to fit your business
strategies, and to adapt quickly to changes in the market and in your business needs. Your
licensing system must also be able to track your defined usage terms along with secure licensing
methods.

Flexible and Secure Licensing Solutions

Sentinel LDK gives you the flexibility to choose and apply licensing models and license terms for
your protected software on-the-fly. This enables your company to offer attractive software
packages and to adapt rapidly to changes in customer purchasing preferences.

Licensing Planning and Models

An important step in the development of a licensing strategy is the preparation of a licensing plan.
Business decision-makers in an organization, such as product or marketing managers, define
protection and business rules, and specify the licensing models required to meet the company’s
software distribution needs.
A licensing model is the logic behind a business transaction relating to licensing. For example, a
rental license model enables you to charge for the use of software for a specific period of time.
 Principles of Sentinel LDK 41

Sentinel LDK enables you to choose from a variety of built-in licensing models, and to customize
and build licensing models and software usage terms to meet your company’s individual
requirements.
Sentinel LDK supports numerous out-of-the-box license models, that can be used individually or in
combination, including:
n Trialware (try-before-you-buy)
n Rental/Subscription
n Module-/Feature-based
n Floating Usage
n Time-based
n Execution-based
You can easily define custom licensing models and usage terms using the functionality provided
by Sentinel LDK. For example, Sentinel LDK functionality enables you to utilize secure read-only
and read/write memory storage, flexible counters, and a real-time clock or virtual clock
incorporated in the Sentinel protection key.
The separation of the engineering and licensing processes embodied in Sentinel LDK makes it
possible to modify your company’s licensing strategy as necessary when circumstances change,
and to implement these changes quickly and efficiently.

Updating and Enforcing Usage Terms

When implementing a licensing plan, it is essential to ensure that the software usage terms
defined in the plan are securely applied and that licenses reach their legitimate owners. New
licenses, and changes and extensions to licenses that have already been deployed, can be subject
to tampering if not adequately protected.
Sentinel LDK applies optimal security to the enforcement of usage terms and license extensions.
License extensions sent to end users are highly protected, and require the return of a secure
receipt. In addition, state-of-the-art Sentinel LDK technology prevents tampering with usage terms.

Principles of Sentinel LDK
The strength, uniqueness, and flexibility of Sentinel LDK are based on two primary principles:
n Protect Once—Deliver Many—Evolve Often: The concept of separating the Sentinel LDK
engineering and business processes.
n Cross-Locking: The technology that supports the Protect Once—Deliver Many—Evolve
Often concept, enabling a protected application to work with either a Sentinel HL key or a
Sentinel SL key.

In general, references in this book to protected applications are also applicable to

protected data files.
42 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Protect Once—Deliver Many—Evolve Often

At the heart of Sentinel LDK lies the Protect Once—Deliver Many—Evolve Often concept. This
concept is the process of protecting your software completely independently of the process of
defining sales and licensing models.

Separation of Protection and Business Functions

The engineering process—that is, the protection of your software—is performed by your software
engineers using Sentinel LDK Envelope, Sentinel LDK ToolBox and the Sentinel Licensing API
protection tools.
The business processes—that is, software licensing and selection of the appropriate
Sentinel protection key—are performed by business management using Sentinel EMS.
As part of the business processes, the Evolve Often stage delivers the capability for you and your
end-users to:
n Actively track delivery and activation status of end-user entitlements.
n Track when, how, and by whom your software is being consumed.
n Easily manage terms of each entitlement using Sentinel EMS.
The protection processes and the licensing processes—including selection of the appropriate
Sentinel protection key type—are performed completely independently of each other.

Cross-locking
Cross-locking is the Sentinel LDK process that enables you to choose the device to which your
protected application and license will be locked—either to a Sentinel HL key or, via a Sentinel SL
key, to a specific computer.
The decision about the type of Sentinel protection key to which your software is locked is
determined after protection has been implemented—you choose the options that best suit your
current business strategies.

Mixing and Matching Licenses and Sentinel Protection Keys

Sentinel LDK gives you complete flexibility to choose the combination of license and
Sentinel protection key that best suits your business requirements. This means that you decide
how to bundle your protection, licensing and distribution requirements.
You may choose to release protected software as a downloadable product with a Trialware license
that, after purchase, is activated with a Sentinel SL key. Additionally, you may choose to ship the
same protected software with a network license that is locked to a Sentinel HL key, and allow
users unlimited access to all features.
Sentinel LDK offers you an unprecedented number of possible options to combine licenses and
Sentinel protection keys.
 Customizing Your Unique Solution 43

Customizing Your Unique Solution

Sentinel LDK provides you with a variety of applications and personalized devices that enable you
to customize a protection and licensing solution that is appropriate to your business needs:
n Sentinel LDK Envelope enables you to wrap your software in a protective shield at the
touch of a button—without having to adjust your source code. It establishes a link
between your protected software and a Sentinel protection key, even though the
selection of key is determined at a later time.
n Sentinel LDK Data Protection utility enables you to encrypt data files so that they can only
be accessed by specific protected application. You can additionally apply licensing
protection so that the data files can only be accessed when an appropriate
Sentinel protection key is present.
n Sentinel LDK ToolBox and the Sentinel Licensing API enable you to enhance the protection
offered by Sentinel LDK Envelope, by incorporating complex protection mechanisms into
your source code.
n Sentinel EMS enables you to create licenses and lock them to Sentinel protection keys, to
write specific data to the memory of a Sentinel protection key, and to update licenses
already deployed in the field. These processes are performed independently of the
protection process.
n Customized Sentinel Vendor keys are used in-house by your staff, together with
Sentinel LDK state-of-the-art security applications.
n A selection of Sentinel protection keys enable you to meet the specific requirements of
your business. Your unique Sentinel protection keys ensure that your applications will
only function when the correct key, supplied by you, is present.
n Additional applications and utilities provide advanced support for these key elements of
Sentinel Vendor Suite.

Personalized Vendor and Batch Codes

When you purchase a Sentinel License Development Kit – Starter from SafeNet, you are provided
with Sentinel Vendor keys that contain unique Vendor Codes that are specific to your company.
The codes are used by Sentinel LDK to communicate with your Sentinel protection keys, and to
differentiate your keys from those of other software vendors.
Vendor Code

The Vendor Code is a unique confidential code assigned to you by SafeNet when you place your
first order for Sentinel protection keys. It is integrated into your Sentinel Vendor keys. When you
are protecting your software and licenses to Sentinel protection keys for distribution, the Vendor
Code is extracted from your Sentinel Vendor keys.
Batch Code

A Batch Code consists of five characters that represent your company’s unique Vendor Code.
When you order Sentinel protection keys from SafeNet, you specify your Batch Code, which is
then written to the keys before dispatch. To easily identify the Batch Code to which a Sentinel HL
key belongs, the Batch Code is written on the outside of each key.
44 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Selecting the Best Key for Your Requirements

Sentinel LDK protection and licensing are key-based. Your software is distributed with unique
actual and/or virtual Sentinel protection keys that you code according to your requirements.
There is a strong inherent link between a protected application and its corresponding
Sentinel protection key. Protection is based on making access to the protected application
dependent on the presence of a correct Sentinel protection key.
Similarly, when licensing is implemented using Sentinel LDK, the operation of your software is
dependent on the presence of a valid license in a Sentinel protection key.
A variety of Sentinel protection keys are available to provide you with the flexibility to sell your
software in the ways that are most beneficial to your business goals.

Sentinel Vendor Keys

When you purchase Sentinel LDK, you are provided with two Sentinel Vendor keys—the
Sentinel Master key and the Sentinel Developer key. These keys enable you to apply protection to
your programs, program the Sentinel protection keys that you send to your end users, and to
specify the license terms under which your software can be used.
n Sentinel Developer key
The Sentinel Developer key is used by your programmers in conjunction with the
Sentinel LDK protection tools to protect your software and data files. This key is typically
connected to the machine on which Sentinel Envelope executes.
n Sentinel Master key
The Sentinel Master key is used by your production staff to create licenses and lock them
to Sentinel protection keys, to write specific data to the memory of a Sentinel protection
key, and to update licenses already deployed in the field. This key is typically connected
to the machine on which Sentinel EMS is installed or where the program that calls Sentinel
License Generation API is running.

The Sentinel Developer key and Sentinel Master key can be accessed using a remote
connection. For more information, see the Sentinel LDK Installation Guide.

End-User Keys
Two types of Sentinel protection keys are available:
n The Sentinel HL key is a physical USB or ExpressCard key that connects to a computer, or
a chip that is embedded in the computer.
n The Sentinel SL key is a software-based key that locks your software to a specific machine.
Your software and the user license are locked to the Sentinel protection key that you
select.
 Customizing Your Unique Solution 45

All Sentinel HL keys—with the exception of Sentinel HL Basic keys—contain internal read/write

memory. You can use the memory to do any of the following:
n Control access to specific software modules and/or packages
n Assign a unique code to each software user
n Store licenses from your own licensing schemes
n Save passwords, program code, program variables, and other data
Sentinel SL keys are patterned on the functionality of Sentinel HL keys. However, the data is
located in the secure storage of the computer on which the Sentinel SL key resides.

Sentinel HL Keys

Sentinel HL keys are distributed with your software to end users. The keys connect to the end
users’ computers. A variety of Sentinel HL keys are available to suit your requirements. Sentinel HL
keys are available in either of two configurations:
n Sentinel HL (HASP configuration) keys: These keys are fully compatible with software that
requires the older HASP HL keys.
Sentinel HL (HASP configuration) keys can be upgraded in the field to Sentinel HL
(Driverless configuration) keys. For more information, see "Appendix H: Upgrading
Sentinel HL Keys" on page 287.

n Sentinel HL (Driverless configuration) keys: These keys provide several advantages over
Sentinel HL (HASP configuration) keys:
o (On a Windows machine) Employ HID drivers instead of HASP key drivers. (HID
drivers are an integral part of the Windows operating system.) In many cases, it is
possible to use these keys without installing any additional support software.
o (On a Windows machine) Support the use of "AppOnChip" functionality. With
AppOnChip, selected functions in the protected application are actually executed by
the HL key. This provides significantly enhanced security for the application.
o Support a higher number of Features.
o Provide larger on-key memory space.
o All Driverless keys (except for Basic keys) support a virtual clock for time-based
licenses.
o All Driverless keys (except for Basic keys) support concurrency (network-based
licenses).
Sentinel HL keys offer the highest level of security. In order for a user to access your software, and
for it to function correctly, the key must be accessible by the application. Furthermore,
Sentinel LDK uses LicenseOnChip technology to protect Sentinel HL keys against license tampering.
Sentinel HL keys also have the advantage of portability. This means that the key can be moved
from one computer to another. Software may therefore be installed on multiple computers but
will only run if the key is connected and authenticated by the software.
46 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Sentinel LDK continues to support the older HASP HL keys. All references to Sentinel HL
keys in this document and other Sentinel LDK documents can be understood to include
HASP HL keys unless the context of the reference clearly states otherwise.

Sentinel SL Keys

Sentinel SL keys are virtual, software-based keys that reside in the secure storage of a specific
computer. Sentinel SL keys provide the same functionality as Sentinel HL keys, without requiring
physical distribution.
After your software is installed on a computer, the end user typically enters a Product Key that is
sent, via the Internet or by file transfer, to Sentinel EMS, together with the fingerprint of the
machine. Sentinel EMS confirms that the Product Key has not been used to activate the software
on more than the permitted number of machines—as determined by you—then sends back the
Sentinel SL key, which is installed on the end user’s machine. This process is also used for
updating license terms.
Several types of Sentinel SL keys exist:
n SL Legacy - SL keys that were generated with versions of Sentinel HASP prior to Sentinel
LDK v.6.0
n SL AdminMode - SL keys that provide the highest level of security and functionality
n SL UserMode - SL keys that provide a greater level of flexibility under certain
circumstances

Sentinel SL Unlocked Licenses

An unlocked license is one that is not locked to a specific machine. An application with an
unlocked license (referred to as an Unlocked Product) is protected against disassembly. However,
the protected application can be duplicated, installed , and used on any machine for as long as
the unlocked license allows. Unlocked licenses are used in the following situations:
Trialware products
The ability to create and distribute trialware products without exposing the protected software to
piracy provides a significant marketing advantage when selling software applications. Potential
customers can work with the actual application and experience what the application has to offer
and how it can benefit the individual or the organization. In addition, anybody that has access to
trialware can copy it and distribute it to other people; this multiplies the exposure of the
application within the marketplace. Each person who installs and works with the application must,
at the end of the grace period (typically 30 to 90 days), decide to purchase an HL or SK key for the
application or else be blocked from using the application.
 Protection Key Attributes 47

Unlocked products
Unlocked products are used when vendors want to protect their applications against reverse
engineering but either:
n Have no need to license the application (for example, software that is part of a larger
hardware package). The vendor may not need to protect against duplication of the
software. However, they want to protect the software against theft of intellectual
property.
n Are using a separate product or system to handle licensing of the software.
An unlocked product typically has no time restriction or has a long-term license.

Protection Key Attributes

The various types of Sentinel protection keys that are available provide different levels of security
and flexibility, as described below.

Supports
Supported Supports Concurrency
Type of Sentinel Level of
Operating Time-based and
Protection Key Security
Systems Licenses Detachable
Licenses
SL AdminMode key ++++ Windows Mac Uses V-Clock Yes1
Linux
SL UserMode key +++ Windows Uses V-Clock No
(Excluding Unlocked Android
Products)
SL UserMode (Unlocked + Windows Uses V-Clock No
Product)
SL Legacy key ++++ Windows Mac Uses V-Clock Yes1
Linux
HL Basic key +++++ Windows Mac No No
Linux Android
HL (HASP configuration) +++++ Windows Mac No No
Pro key Linux Android
HL (Driverless +++++ Windows Mac Uses V-Clock Yes 2 3
configuration) Pro key Linux Android (Requires V-Clock (Detach not
module on the supported)
Master key)
HL (HASP configuration) +++++ Windows Mac No No
key (Max, Drive) Linux
HL (Driverless +++++ Windows Mac Uses V-Clock Yes 2 3
configuration) key (Max, Linux Android (Detach not
Drive) supported)
48 Chapter 1: Understanding Sentinel LDK Software Protection and Licensing

Supports
Supported Supports Concurrency
Type of Sentinel Level of
Operating Time-based and
Protection Key Security
Systems Licenses Detachable
Licenses
HL (HASP configuration) +++++ Windows Mac Uses real-time clock No
Time key Linux on the key
HL (Driverless +++++ Windows Mac Yes 2 3
configuration) Time key Linux Android (Detach not
supported)
HL (HASP configuration) +++++ Windows Mac Yes
NetTime key Linux (Detach not
HL (Driverless +++++ Windows Mac supported)
configuration) NetTime key Linux
HL (HASP configuration) +++++ Windows Mac No
Net key Linux
HL (Driverless +++++ Windows Mac Uses V-Clock
configuration) Net key Linux
Legend:
1 - Requires network seats from the Master key.
2 - Requires network seats from the Master key. Requires License Manager v.7.3 or later on the
machine where the protected application executes. The required version of License Manager is
provided in Run-time Environment v.6.65 or later.
3 - Android does not support concurrency.
For information on V-Clock (the virtual clock available on most Sentinel protection keys), see
"Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page 279.
For full technical specifications of the available Sentinel HL keys, refer to the Sentinel HL Data
Sheet.
For additional information, see "Protection Keys That Require Sentinel LDK Run-time
Environment" on page 179.

Sentinel LDK Protection Process

When you are developing your software, your engineers integrate a variety of calls to data stored
in the memory of the Sentinel protection key.

Encryption and Decryption

Sentinel LDK encryption and decryption are based on the Advanced Encryption Standard (AES)
algorithm. The encryption secret of the algorithm is stored in the Sentinel protection key. To
enhance security, all communication between an application and a Sentinel protection key is
randomly encrypted. This inhibits emulation of a Sentinel protection key.
 Obtaining Additional Information About Sentinel LDK 49

Obtaining Additional Information About Sentinel LDK

This chapter has provided an overview of the major concepts and principles of Sentinel LDK, and
the comprehensive protection and licensing solution that Sentinel LDK provides.
The remainder of this book explains in detail how you can best use the many elements of
Sentinel LDK to meet your company’s software protection, licensing, and distribution
requirements.
Additional information is available in the help systems for the various Sentinel LDK tools, and in
additional Sentinel LDK documentation that you can download using the following URL:
www.sentinelcustomer.safenet-inc.com/sentineldownloads/
 2
Chapter 2:
Understanding Sentinel Cloud
Licensing
This chapter provides an overview of the concepts of software and intellectual property protection
and licensing, discusses the primary protection solutions, and focuses on how Sentinel Cloud
Licensing provides a comprehensive solution for your SaaS licensing requirements.
SafeNet recommends that you familiarize yourself with the information in this chapter so that you
can maximize the benefits of using Sentinel Cloud Licensing.
In this chapter:

n "Software as a Service" on page 51

n "What is Sentinel Cloud Licensing?" on page 52
n "How Does Sentinel Cloud Licensing Work?" on page 53
n "Cloud License Types" on page 54
n "For More Information" on page 54

Software as a Service
Software as a service (referred to as SaaS) is a software delivery model in which an application and
associated data are centrally hosted on the vendor's servers or some other public server. SaaS is
typically accessed by users using a thin client via a web browser. SaaS is becoming an increasingly
common model for many business applications. SaaS offers the potential to reduce IT support
costs for customers by outsourcing hardware and software maintenance and support to the SaaS
provider (you, the vendor).
Most of the licensing considerations described earlier (in "Fundamentals of Licensing" on page 40)
are application to SaaS. You need to protect the revenue from sales of your product. You want to
ensure that your software is only available to the appropriate users, according to the terms that
you define.
Using the SaaS model, you can select from a number of licensing options to achieve greater
product versatility and simplified operations.
52 Chapter 2: Understanding Sentinel Cloud Licensing

What is Sentinel Cloud Licensing?

To obtain the maximum benefit from your company’s licensing strategy, you need a software
licensing system that provides you with the flexibility to tailor licensing terms to fit your business
strategies, and to adapt quickly to changes in the market and in your business needs. Your
licensing system must also be able to track your defined usage terms along with secure licensing
methods.
Sentinel Cloud Licensing is a cloud-based license provisioning system that provides an alternative
to the on-site Sentinel SL licensing:
n Sentinel SL enables you to employ pre-paid licensing. For metered licensing, customers
can purchase the authorization to use an application for a specific period of time or for a
specific number of executions. When the license expires or the allowed executions are
consumed, the customer must extend the license in order to continue using the
application.
n Sentinel Cloud licensing enables you to employ either pre-paid or post-paid licensing. With
post-paid licensing, there is no predetermined limitation on the usage of the application.
Customers can be billed based on the number of hours that they use the application or
the number of times that the product is used.
Note that a given application can be licensed using either Sentinel SL or Sentinel Cloud Licensing.
You cannot apply both schemes to a single executable.
Sentinel Cloud Licensing provides you with the benefits described below.

Feature-based Authorization

Using Sentinel Cloud Licensing, you can enable feature-level authorization of your applications and
leverage a wide range of feature and product packaging options—ranging from simple
subscription to complex usage-based models. In this way, you can maximize return on investment
through greater product versatility and simplified operations.

Usage-based Licensing

Sentinel Cloud Licensing simplifies your billing process management by providing automated
metering and export of usage data for billing and analysis.

Segregated Design and Delivery

After you have carried out the simple, one-time process of integrating Sentinel Cloud Licensing
with your application, your product management and delivery tasks is totally separated from your
product design and development tasks. This empowers you to choose from a wide range of
license models without affecting the design and development of the product.

Remote Control of License Terms

You can use the Sentinel EMS user interface or Web Services to instantly change the license terms
for any customer who is using your licensed application.
 How Does Sentinel Cloud Licensing Work? 53

Cloud Support

Sentinel Cloud Run-time provides a common set of APIs that enable you to deploy your
applications in the cloud without any change in application source code.

How Does Sentinel Cloud Licensing Work?

Using Sentinel EMS, you define the products that you want to license. For each products, you
define the features to be licensed and the licensing scheme to be used.
You integrate your web application with Sentinel Cloud Licensing in one of two ways:
n Integrate with Cloud Run-time. You insert Cloud Run-time API calls into your web
application. These API calls perform the following functions:
User authorization: This function grants or blocks access to features in the application.
Specific users can be granted access to different sets of features in the application.

Sentinel Cloud Run-time does not handle user authentication (that is, the
determination that a given user should be granted access to the application). This
function is the responsibility of the vendor.

Usage data collection: This function collects data relating to the usage of the application
by each user, at the feature level. This data is later used for billing purposes. Sentinel
Cloud Licensing stores this data locally and periodically transfers it to Sentinel Cloud
Connect (described below) for metering and data aggregation
n Integrate with Sentinel Cloud Connect Web Services. This provides Sentinel Cloud
Licensing capabilities for direct use by the application. Web Services can be used for
applications on platforms that are not supported by Cloud Run-time.
Your application can be deployed in either of two configurations:
n Cloud: The application is hosted on a cloud server, from where the customer can access
the application. The server is managed either by the vendor or by an external provider
contracted by the vendor.
n On-premise: The application is installed on the customer's machine.
Sentinel Cloud Licensing does not incorporate protection of the licensed
application against disassembly and theft of intellectual property. If you intend to
use On-premise deployment, consider taking appropriate steps to protect your
application. One such protection scheme is the use of Sentinel LDK unlocked
licenses, described later in this book.

You use Sentinel EMS to create entitlements for your customers to access the features in your
application. The entitlements are registered in Sentinel Cloud Connect. This component is hosted
in the cloud, managed by SafeNet. When your customers attempt to use a feature in your
application, the licensed application sends queries to Sentinel Cloud Connect for license-serving
decisions.
54 Chapter 2: Understanding Sentinel Cloud Licensing

Sentinel Cloud Connect also accumulates usage data for the features in your application. This can
be used for billing and metering purposes. This data also provides you with valuable insight into
how your customers are working with your application. You can access this information using the
Sentinel EMS user interface or Sentinel EMS Web Services. Your customers can access their usage
data using the Cloud End User Portal in Sentinel EMS.

Cloud License Types

In Sentinel EMS, you can specify the licensing details for each feature in the product that you are
defining.
Licensing terms for a feature can be defined when the product is being created or at the time you
generate an entitlement for a customer.
You can choose from one of the following license types:
n Concurrent—This is a subscription-based license model in which there is a limit on the
concurrent use of a Feature. You can specify the number of concurrent instances allowed
for a feature, and select how concurrent instances are counted.
n Prepaid—Specifies a limit on the maximum number of times a license can be used, in
addition to license validity.
n Subscription—Specifies that the license to use the product is valid for a specified duration
(for example, 3 months, 6 months, 1 year). The product can be used unlimited number of
times within the specified duration.
n Postpaid—Specifies that the license to use the product is valid for a specified duration,
but the billing can be done based on the usage model, which can either be:
o Time Based—Billing can be done based on the duration for which the product is
used.
o Count Based—Billing can be done based on the number of times the product is
used within the specified period.
When you select the license type, you can also specify the values for the license terms. These
license values will apply to all orders for this Product. For maximum flexibility, you can choose to
leave the values to be specified at the time when each individual order is processed.

For More Information

The remainder of this book deals primarily with using Sentinel LDK to protect and license your
applications. For more information on Sentinel Cloud Licensing, see the Sentinel Cloud Run-time
Guide for Sentinel LDK.
 PART 2 - PROTECTION
In this section:

n "Chapter 3: Protecting Software" on page 57

Provides an overview of Sentinel LDK software protection, including its fundamental
elements, a summary of how it works, and an introduction to Sentinel LDK protection
methods.
n "Chapter 4: Sentinel Licensing API Protection" on page 61
Provides an overview of the Sentinel Licensing API, details the prerequisites for using the
API, introduces the Sentinel LDK ToolBox application and describes the functionality of the
API.
n "Chapter 5: Sentinel LDK Envelope Protection" on page 69
Provides an overview of software protection using Sentinel LDK Envelope, details the
prerequisites for using the application, and describes its functionality. In addition, it
describes the Sentinel LDK Envelope protection parameters and how to encrypt data files.
n "Chapter 6: Protection Strategies" on page 89
Outlines strategies for maximizing Sentinel LDK protection, including best practices and
optimizing the use of the Sentinel Licensing API and Sentinel LDK Envelope.
n "Chapter 7: Protecting Data Files" on page 95
Describes data file protection using the Sentinel LDK Data Protection utility. It includes
information about the types of protection that are available.
 3
Chapter 3:
Protecting Software
This chapter provides an overview of Sentinel LDK software protection, including its fundamental
elements, a summary of how it works, and an introduction to Sentinel LDK protection methods.

Sentinel LDK Protection
Sentinel LDK is an innovative, advanced solution for protecting software against illegal or
unauthorized use. The solution deters illegal access and execution of protected applications.
A deployed application that is protected with Sentinel LDK requires access to a specific
Sentinel protection key in order to run. The protected application queries the Sentinel protection
key for predefined information. If the Sentinel protection key is not present, or the information
returned is incorrect, the program does not execute, or stops functioning.
After you have selected a Sentinel LDK protection method, implementation is straightforward.
Regardless of the selected protection strategy, protected applications only work correctly if they
can access the information stored in a specific Sentinel protection key.

Elements of Sentinel LDK Protection

The Sentinel LDK protection system is based on the following:
n Protecting programs and data files
n Identifying the Sentinel protection key
n AES encryption
n Confidential protection parameters
n Utilizing Protection Key memory
n Anti-debugging and reverse engineering measures

Protecting Programs and Data Files

Sentinel LDK provides two primary protection methods:

n Sentinel LDK Envelope
n Sentinel Licensing API
58 Chapter 3: Protecting Software

When you protect your software using either of these methods, you are essentially forming an
inherent link between the protected application and a specific Sentinel protection key.
What can be Protected

Sentinel LDK enables you to protect a variety of applications and data files. You can apply
protection directly to:
n Compiled executables, DLLs and .NET assemblies
n Specific functions or entire programs. Sentinel LDK protects all levels of software from
function level to entire programs
n Sensitive data and intellectual property
All the above are protected against any attempt at reverse engineering.
For additional information about the available protection parameter options, see the following
chapters:
n "Chapter 4: Sentinel Licensing API Protection" on page 61
n "Chapter 7: Protecting Data Files" on page 95

Availability of the Sentinel protection key

The Sentinel protection key, or to be more precise—the intelligence contained within the

Sentinel protection key—is the primary component of the Sentinel LDK protection system.
The main factor governing Sentinel LDK protection is whether a deployed program can identify
and access the intelligence contained in a specific Sentinel protection key at run-time. This factor is
unambiguous—the Sentinel protection key is either available or is not available!
Regardless of the protection method adopted, protected applications only function when they can
access the required information contained in a specific Sentinel protection key.
Sentinel protection keys, and their ‘intelligence’ cannot be cloned to replicate the link between
them and the protected application.

AES Encryption

A protected application relies on the ‘intelligence’ in the memory of a specific Sentinel protection

key in order to function. In addition to the checks for the Sentinel protection key, data can be
encrypted and decrypted using the intelligence available in the Sentinel protection key.

AES Encryption and Decryption

The encryption engine in the Sentinel protection key is based on the AES algorithm. Sentinel LDK
encryption uses a set of confidential 128-bit encryption keys that remain in the Sentinel protection
key.
Your protection schemes should always involve greater sophistication than merely confirming the
presence of the required Sentinel protection key. However, verifying the required
Sentinel protection key through data encryption and decryption requires forward planning. First,
encrypted data must be available. This data must then be sent to the Sentinel protection key,
where it is decrypted.
 Sentinel LDK Protection 59

If the data is correct, the Sentinel protection key is considered to be “present.” For additional
information, see "Time Functions" on page 68.

Confidential Protection Parameters

The essence of software protection is confidentiality. Without confidential elements, any software
security system is vulnerable to attack.
Vendor Code

Each Sentinel LDK customer is assigned a unique Vendor Code that must be kept confidential. The
Vendor Code forms an integral part of the protection parameters that constitute the inherent link
between the protected applications and the Sentinel protection key. However, the Vendor Code is
only part of the link. The code on its own is insufficient to prevent illegal use of the software. It
merely provides the protected software with access to the Sentinel protection key and its
resources.
All Sentinel LDK protection applications require the Vendor Code. For information on how to
access the code, see "Extracting the Vendor Code from Sentinel Vendor Keys" on page 63.

Utilizing Protection Key Memory

The secure memory on Sentinel protection keys can be utilized (read and write) as a component of
the protection scheme for the software. Confidential data can be stored in the Protection Key
memory, including snippets of program code, customer name, or any other data.
Use the memory editors included in Sentinel LDK ToolBox to read or write data in the Protection
Key memory. (In your production environment, use Sentinel EMS or Sentinel License Generation
API to handle Protection Key memory.) For additional information, see "Memory Functions" on
page 68.

Anti-Debugging and Reverse Engineering Measures

Sentinel LDK protects intellectual property and provides the functionality to combat anti-
debugging and reverse engineering. Anti-debugging and reverse engineering usually try to unravel
the protection scheme of protected software by tracing a compiled application to its source code.
Sentinel LDK Envelope implements contingency measures to ward off such attacks and prevent
hackers from uncovering algorithms used inside protected software.

Selecting a Protection Method

Sentinel LDK offers two software protection methods; Sentinel Licensing API and Sentinel LDK
Envelope. Both methods establish an inherent link between the protected software and the
intelligence contained in a specific Sentinel protection key.
When selecting a protection method, the following issues must be considered:
n What the Sentinel protection key should protect
n How the Sentinel LDK protection parameters are best applied
n Whether the time required to implement the solution is a critical factor
n Whether flexibility in implementing the protection scheme is important
These issues are discussed in the following sections.
60 Chapter 3: Protecting Software

What to Protect

When protecting software with Sentinel LDK, there are various options for applying protection.
Sentinel Licensing API is used to protect the software before it is compiled. Protection can also be
applied after the software is compiled using Sentinel LDK Envelope. You can choose whether to
apply protection to an entire program, a subprogram, or simply to a Feature.
You may opt to use either the Sentinel Licensing API or the Sentinel LDK Envelope protection
method, or both, depending on your specific requirements. Use the following table to determine
which method best meets your specific requirements.

Sentinel LDK Envelope Sentinel Licensing API

Quick, automatic protection process that shields your software Manual implementation of
calls to Sentinel Licensing API
Define specific protection parameters for your programs Controlled process ensuring
maximum security. The
strength of protection is
proportional to the degree to
which the Sentinel Licensing
API functionality is invested in
implementation.
No source code required Source code must be available
Anti-debugging and reverse engineering measures provided Maximum flexibility

Importance of Control over the Protection Scheme

When applying protection using Sentinel Licensing API, you control the entire protection process.
You determine when the protected application queries the Sentinel protection key, and how it
should behave in different scenarios. With Sentinel LDK Envelope, compiled programs are wrapped
with random protection parameters. If you run Sentinel LDK Envelope twice to protect the same
program, two different output files are produced with different protective modules and shields.

Significance of the Time Factor

When a high protection level is specified in Sentinel LDK Envelope, file size increases and the
protected application takes longer to launch. Consider this factor when you are deciding on the
protection level settings that you choose. Aim for the optimal balance between protection level
and launch time.

How to Apply Protection

When using the Sentinel Licensing API, protection is integrated at the source code level in a
carefully considered manner. You determine where in the source code to place calls to the Sentinel
Licensing API.
Sentinel LDK Envelope offers an automated, speedier method of protecting software. You define
settings for protection parameters that are applied to protected applications.

When enabling or disabling some features you might reduce the level of protection
provided by the software.
 4
Chapter 4:
Sentinel Licensing API Protection
This chapter describes the Sentinel Licensing API protection method.
In this chapter:

n "Overview" on page 61
n "Sentinel Licensing API Prerequisites " on page 62
n "Learning About the Sentinel Licensing API" on page 63
n "Implementation" on page 64
n "Sentinel Licensing API Functionality" on page 67

The Sentinel Licensing API is not applicable for protecting data files.

Overview
The Sentinel Licensing API (application programming interface) is a robust method of software
protection, the strength of which is wholly dependent on its implementation.
The extent to which the functionality afforded by the Sentinel Licensing API is utilized, determines
the overall level of software security. To fully utilize the protection offered by the Sentinel Licensing
API, strive to maximize the complexity and sophistication of your implementation.
It is essential that, before protecting your application, you are familiar with the overall
functionality of the Sentinel Licensing API. For a description of the functions that make up the
Sentinel Licensing API, see the Sentinel LDK ToolBox help system.
To protect your software using the Sentinel Licensing API, you insert calls to a Sentinel protection
key throughout your application’s source code. You can add calls to your application that check
for the presence of a Sentinel protection key at any point during run-time, and you can designate
responses to these checks. For example, if the required Sentinel protection key is not found, you
might specify that the protected application suspend or terminate itself.
Your application can also check the memory of a Sentinel protection key for specific data. In
addition, you can use the Sentinel Licensing API to encrypt or decrypt data.
To facilitate a speedy learning curve, SafeNet recommends that you familiarize yourself with and
test specific Sentinel Licensing API functions using Sentinel LDK ToolBox. Sentinel LDK ToolBox is a
GUI-based application that interfaces with various Sentinel LDK APIs. For additional information,
see "Learning About the Sentinel Licensing API" on page 63.
62 Chapter 4: Sentinel Licensing API Protection

Sentinel LDK also includes Sentinel Licensing API sample folders for specific compilers. Each
Sentinel LDK interface includes a sample application demonstrating API usage and a specific header
file. The sample applications are located in the Samples folder in the Windows directories on the
Sentinel LDK installation DVD.

Universal Sentinel Licensing API

The Sentinel Licensing API is a universal API that works with all Sentinel protection keys. Sentinel
Licensing API implementation and usage is independent of the Sentinel protection key you use.
Utilization of the Sentinel Licensing API is independent of the access mode used to search for a
specific Sentinel protection key. The same Sentinel Licensing API functions are used to enable
programs’ access to remote Sentinel protection keys, or Sentinel protection keys that are present
locally.

Sentinel Licensing API Prerequisites

You may have to install the Sentinel Run-time Environment in order to enable the Licensing API.
For more information, see "Protection Keys That Require Sentinel LDK Run-time Environment" on
page 179. For additional information, see the Sentinel LDK Installation Guide.

Vendor Code
It is necessary to provide the Vendor Code in order to access a Sentinel protection key and its
resources, including memory. Vendor Codes are usually stored in the VendorCodes directory. The
location of the directory is described later in this topic.
In the Sentinel LDK Demo Kit, customers are provided with Sentinel HL Demo keys that work with
the DEMOMA Vendor Code. This Vendor Code can be used to apply protection with the Sentinel
Licensing API.

Do not distribute software protected with a Sentinel HL Demo key. This Sentinel protection

key is only for evaluation purposes.

The first time you order Sentinel protection keys, you also receive two Sentinel Vendor keys—a
Sentinel Developer key and a Sentinel Master key—that contain your company’s unique
confidential Vendor Code. The Sentinel Developer key is used by engineers for adding protection
to your software. The Sentinel Master key is used for producing licenses and orders.
Sentinel Vendor Suite applications (Sentinel LDK Envelope, Sentinel LDK ToolBox, and Sentinel EMS)
must recognize and have access to the unique Vendor Code that was assigned to you when your
first order was supplied by SafeNet. The Vendor Code is stored inside your Sentinel Vendor keys.
Sentinel Vendor keys are introduced using the Master Wizard, as described in the following
section.

If you have already introduced your Sentinel Developer key, it is usually not necessary to
re-introduce it.
 Learning About the Sentinel Licensing API 63

Extracting the Vendor Code from Sentinel Vendor Keys

You need to extract the Vendor Code from your Sentinel Vendor keys so that the Sentinel LDK
system will recognize it when you are working with any of the Vendor Suite applications. The
Master Wizard extracts the Vendor Code for you.
Depending on your Sentinel LDK configuration, if you launch a Sentinel Vendor Suite application,
and you have connected a new Sentinel Vendor key to your computer, the Master Wizard will
launch automatically. Alternatively, you can launch the Master Wizard manually.
For detailed information on using the Master Wizard, see the chapter on introducing Vendor keys
in the Sentinel LDK Installation Guide.
By default, your Vendor Code information is saved in the following directory:
n For Windows Vista or Windows 7:
%UserProfile%\Documents\SafeNet\Sentinel LDK 7.4\VendorCodes
n For Windows XP:
%UserProfile%\My Documents\SafeNet\Sentinel LDK 7.4\VendorCodes

Vendor-specific File Naming Conventions

The format of a Vendor Code file name is BatchCode.hvc. For example, if your Batch Code is
W3FLY, the file name will be W3FLY.hvc. (The Batch Code is a representation of your confidential
Vendor Code.) Your Sentinel Vendor keys and all your Sentinel HL keys are labeled with your Batch
Code.
By default, Sentinel Vendor Suite applications search the VendorCodes folder for your Vendor
Code/Batch Code information.
The format of API library names (for Windows) is hasp_windows_language_
vendorID.libraryExtension . For example, hasp_windows_demo.lib is a C-language API library
associated with a demo key.

Learning About the Sentinel Licensing API

There are two components of Sentinel LDK that enable you to study how the Sentinel Licensing
API works, and its range of capabilities.
n Sentinel LDK ToolBox: A utility with a graphical user interface that is part of
Sentinel Vendor Suite. For more information, see "Sentinel LDK ToolBox" on page 63.
n Sentinel Licensing API Samples: A set of examples for implementing the Sentinel Licensing
API. For more information, see "Sentinel Licensing API Samples" on page 64.

Sentinel LDK ToolBox

Sentinel LDK ToolBox is an interactive interface to work with various Sentinel LDK APIs. You can
execute calls to the Sentinel Licensing API using Sentinel LDK ToolBox. The calls are then relayed to
a Sentinel protection key.
64 Chapter 4: Sentinel Licensing API Protection

To use Sentinel Licensing API with Sentinel LDK ToolBox you must have a Sentinel Developer key
and a valid Vendor Code so that you can access Sentinel protection keys. Sentinel LDK ToolBox is
launched from Sentinel Vendor Suite. For more information, see the Sentinel LDK ToolBox help
system.

API-related Functionality

Sentinel LDK ToolBox serves as a training tool for the Sentinel APIs. Sentinel LDK ToolBox
functionality enables you to:
n Display the source code generated for each function call. This generated source code can
be copied and pasted into your application source code.
n Evaluate manual implementation of each API . Every API function included in Sentinel LDK
ToolBox is displayed on a separate screen. To execute a function call, you provide specific
information related to the selected function.
n Transfer memory buffers to the AES encryption engine in a Sentinel protection key. The
program can also be used to decrypt data buffers.
n Create multiple programming language interfaces for the various APIs.

Sentinel Licensing API Samples

Sample applications are provided to demonstrate how to implement Sentinel Licensing API
protection in your source code. The samples demonstrate how the API functions work.
Your Sentinel LDK installation contains folders for various interfaces and compilers. Each folder
includes the requisite API libraries, a header file and a sample application. The Sentinel HL Demo
key—marked DEMOMA—must be connected to your computer when using the sample
applications.

See the Sentinel Web site and the Sentinel LDK Installation DVD for information on
available samples for specific programming languages.

Implementation
This section describes the pre-implementation issues you should consider, and the workflow for
implementing the Sentinel Licensing API. It also provides an overview of how to log in to and out
of a session.

Planning Your Requirements

Before implementing the Sentinel Licensing API, the following preliminary issues should be
considered.
n What do you want to protect?
This may seem obvious, but it is crucial when you decide where to place the calls to the
Sentinel protection key. Typically, you would want to verify the presence of the
Sentinel protection key at startup. However, you can also identify certain aspects of the
software to protect, and apply your Sentinel Licensing API calls accordingly.
 Implementation 65

n Will encrypted data be included in your implementation scheme?

If you plan to use encrypted data at run-time, use Sentinel LDK ToolBox to encrypt the
data. Insert the encrypted data when implementing the Sentinel Licensing API. The data is
decrypted at run-time by the Sentinel protection key.
n Is data going to be stored in the Protection Key memory?
If the software is protected by a Sentinel protection key with memory functionality, sensitive
data can be stored in the Sentinel protection key. The Sentinel Licensing API enables access
to read from or write to Protection Key memory. Use Sentinel LDK ToolBox to write data
buffers to Protection Key memory.

Sentinel Licensing API Workflow

After planning what data is going to be protected and how that protection will be applied, you are
ready to protect your application with the Sentinel Licensing API.
The recommended workflow for implementing the Sentinel Licensing API is as follows:
1. Study the code of the sample application corresponding to your development
environment.
2. In your application source code, insert a login call to the Sentinel protection key. A
successful login establishes a login session. The login session has its own unique handle
identifier.

The session identifier is self-generated and applies to a single login session. For more
information, see the description of the LoginScope function in the Sentinel Licensing API
help system or in the Sentinel LDK ToolBox help system.

3. After a login session is established, you can use other Sentinel Licensing API functions to
communicate with the Sentinel protection key. For example, you can use the Decrypt
function to decrypt important data used by your application. You can also read data stored
in the Protection Key memory, set timestamps, and other actions.
4. Using the output generated in Step 3, check for potential mismatches and notify the user
accordingly.
5. Repeat steps 2–4 throughout the code.
6. Compile the source code.

After you have compiled the source code, use Sentinel LDK Envelope to add an extra layer
of protection to your software. This process also prevents reverse engineering of protected
code.

Sentinel Licensing API Login Function

The login function is the gateway to Sentinel Licensing API implementation. You must open a
successful login session to search for and communicate with a Sentinel protection key. To log into
a Sentinel protection key, you need to provide a Feature ID and a valid Vendor Code.
66 Chapter 4: Sentinel Licensing API Protection

If the Sentinel protection key is not accessible by the computer, an error message is displayed. An
error message is also displayed if the declared Vendor Code is not valid for a detected
Sentinel protection key.

Sentinel LDK Login Operation Summary

Login Options

When using the Sentinel Licensing API implementation, login calls are not dependent on specific
Sentinel protection keys. However, when performing login calls you must specify what it is that
you are actually logging into. When logging in you must declare:
n If you are logging into a default or a specific Feature
n How to search for the Sentinel protection key
n How the login counter should be handled
n Whether to enable or disable connection to the Sentinel protection key via a terminal
server

Declaring Feature IDs

You can either log into a specific Feature, or to the default Feature stored in the
Sentinel protection key. The default Feature is assigned Feature ID 0.
When logging into a licensed Feature, the protected application not only checks for the presence
of the Sentinel protection key, it also checks the terms of the license contained in that key. If the
license is valid, the Feature is enabled.

Controlling Login Calls

Additional aspects of a login call can be controlled when implementing the Sentinel Licensing API,
as follows:
n Search options
n Login counter
 Sentinel Licensing API Functionality 67

n Terminal server detection

n Enabling access to Sentinel HL v.1.x keys
Search Options

The default search setting enables a protected application to search both the local computer and
the network for the required Sentinel protection key. You can limit the Sentinel protection key
search option, as follows:
n Search only the local PC for a Sentinel protection key
n Search only the network for a connected Sentinel protection key
Login Counter

By default, when a Sentinel LDK license is accessed in a Sentinel HL network key key, license usage
is determined by counting the number of workstations that use the protected application. You
can change this condition so that license usage is based on the number of protected application
processes that are in use.
Access to Legacy Memory on Sentinel HL Key

By default, the Sentinel LDK system does not enable access to the legacy memory on Sentinel HL
keys. To override this restriction, select the Allow access to Sentinel HL v.1.x check box in the
Sentinel LDK ToolBox Settings window.

Every Sentinel protection key login session must be terminated with a corresponding

logout call.

Sentinel Licensing API Functionality

The extent of the protection afforded by the Sentinel Licensing API is dependent on the way that it
is implemented. Calls to a Sentinel protection key that are inserted in the source code control
access to the application at run-time.
This section describes the Sentinel Licensing API options that are available after a successful login
session is established. For a detailed discussion about how to optimize your Sentinel Licensing API
implementation, see "Chapter 6: Protection Strategies" on page 89. For a demonstration of how
the Sentinel Licensing API works, use Sentinel LDK ToolBox.

Function Groups
Sentinel Licensing API functions are categorized into five groups, based on common functionality
and linkage.
n Session functions
n Encryption/Decryption functions
n Memory functions
n Time functions
n Management functions
68 Chapter 4: Sentinel Licensing API Protection

Session Functions

A session is created by executing a successful login call to a license residing in a specific

Sentinel protection key. For more information about logging in, see "Login Options" on page 66.
At the end of a session, use the logout function to close the session.

Encryption Functions

You can encrypt or decrypt data buffers using the AES-based encryption engine in the
Sentinel protection key. The encryption engine uses symmetric encryption. This means that the
same encryption key is used later to decrypt the data buffer.

Memory Functions

Use the memory to store data to be used by the application at run-time, and information that can
be used later to verify and identify an end-user. Control of access to sensitive data forms an
integral part of your protection scheme.
The Sentinel Licensing API can be used to:
n Read data buffers stored in the Protection Key memory
n Write data buffers to the Protection Key memory
The size of the data buffers is restricted by the memory available in the specific Sentinel protection
key type. For information about the memory capacity of the available Sentinel protection keys,
refer to the Sentinel HL Data Sheet.

Time Functions

Sentinel Licensing API can be used to access:

n the real-time clock in a Sentinel HL Time key or Sentinel HL NetTime key
n the V-clock in a Sentinel HL (Driverless configuration) key. For more information, see
"Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page 279.
This functionality enables you to read the time. Two date and time conversion functions are
included in the Sentinel Licensing API.

Management Functions

The Sentinel Licensing API includes functions that enable you to retrieve information on the
system components, the current login session, the status of a deployed Sentinel protection key,
and license updates.
When using Sentinel SL keys, the Transfer function enables you to:
n detach a license from a pool of network seats
n rehost a protection key from one computer to another at the customer site.
You can also use the Update function to install updates. You do not need to be logged in to a
session in order to perform this function. For additional information, see the help system for the
Sentinel Licensing API or the Sentinel LDK ToolBox.
 5
Chapter 5:
Sentinel LDK Envelope Protection

This chapter describes software protection using Sentinel LDK Envelope.

In this chapter:

n "Functionality" on page 69
n "Sentinel LDK Envelope for Windows" on page 73
n "Accessing and Protecting Data Files" on page 76
n "Protecting .NET Assemblies" on page 77
n "Sentinel LDK Envelope for Linux Applications" on page 83
n "Sentinel LDK Envelope for Mac Binaries" on page 83
n "Sentinel LDK Envelope for Java Executables" on page 84
n "Sentinel LDK Envelope for Android Applications" on page 86

Functionality
Sentinel LDK Envelope is a wrapping application that protects your applications with a secure
shield. This application offers advanced protection features to enhance the overall level of security
of your software.
Sentinel LDK Envelope protects Win32, Windows x64, and .NET executables and DLLs, and Java
executables—providing a means to counteract reverse engineering and other anti-debugging
measures.
Sentinel LDK Envelope can also be used to protect Mac executables and dynamic shared libraries
(Mach-O) (see "Sentinel LDK Envelope for Mac Binaries" on page 83 for more information) , and
Linux executables and shared objects (see "Sentinel LDK Envelope for Linux Applications" on page
83 for more information).

The words program and application are used throughout this chapter as a generic
reference to the various types of programming code that can be protected using
Sentinel LDK Envelope, regardless of whether they are executables, binaries, assemblies,
libraries or shared objects.
70 Chapter 5: Sentinel LDK Envelope Protection

Sentinel LDK Envelope is not used directly to protect data files. However, it can enable a
protected application to access and write data to a protected data file.

By using Sentinel LDK Envelope to protect your application, you establish a link between the
protected application and a Sentinel protection key. This link is broken whenever the protected
application cannot access the required Sentinel protection key.
Implementing Sentinel LDK Envelope protection is the fastest way to secure your application without
requiring access to your software source code.
Sentinel LDK Envelope provides both graphical user interface (GUI) and command-line utility
options. The graphical interface enables you to:
n Protect Windows and .NET executables and DLL files, and Java executables
n Enhance the protection of .NET and Java executables by defining Method-level protection
n Protect Mac Mach-o binaries
n Protect 32-bit and 64-bit Linux executables and shared objects
n Define a variety of global protection parameters for your program
n Specify a Vendor Code to authenticate the presence of a specific Sentinel protection key
n Customize the run-time messages that will be displayed to end users running protected
applications
In addition to linking protected applications to a specific Sentinel protection key, Sentinel LDK
Envelope wraps the application file with numerous protection layers that are randomly assembled.

The random multi-layer wrapping of protected applications by Sentinel LDK Envelope

ensures that implemented protection strategies differ from one protected application to
another.

Command-line utilities enable you to protect:

n Win32, Windows x64, and .NET executables and DLL files
n Java executables
n 32-bit and 64-bit Linux executables and shared objects
n Mac binaries
The command-line utilities also enable you to easily apply protection parameters that were
defined using the Sentinel LDK Envelope GUI. This simplifies the process of reapplying protection
parameters to your application during the development process.

Basic Protection Workflow

This section provides a workflow that describes the elements of protecting applications using
Sentinel LDK Envelope. Additional information about specific procedures is provided in the
Sentinel LDK Envelope help system.
 Functionality 71

1. Launch the Sentinel LDK Envelope graphical interface from Sentinel Vendor Suite.

2. Add the executable, library, or .NET assembly you want to protect to the project.
3. Define protection parameters for the protected application.
4. Protect the program.
5. Distribute the protected software together with your encrypted Sentinel protection keys.

Sentinel LDK Envelope does not affect the files being protected. However, it is highly
recommended that you designate a separate output folder for the protected application in
order to distinguish between source (unprotected) and output (protected) files.

Sentinel LDK Envelope protection involves the application of protection parameters that are
controlled by the engines running Sentinel LDK Envelope. You apply these parameters to an
unprotected source.
Sentinel LDK Envelope does not affect the original files or the way a protected application actually
works. The only modification is that user access is conditional on the presence of a required
Sentinel protection key. If the Sentinel protection key is present, the protected file runs.
The logic of Sentinel LDK Envelope protection is illustrated in the following diagram. Note that the
original file can be a Win32, or Windows x64 executable or DLL; a Windows .NET assembly
executable or dynamic library; a Java executable; a Linux executable or shared object; or a Mac
binary.

To ensure the highest level of security for your software, Sentinel LDK Envelope for Win32
removes debugging data from the programs that it is protecting.
It is recommended that Linux software engineers strip extraneous symbols from the executable
prior to protecting with Sentinel LDK Envelope.

Required and Optional Protection Parameters

This section outlines the mandatory and customizable parameters that can be specified for
protecting software with Sentinel LDK Envelope.

Mandatory Parameters

The following information must be provided in order to protect software using Sentinel LDK
Envelope:
72 Chapter 5: Sentinel LDK Envelope Protection

n Input file location: You must specify the location of the program that you want to
protect. By default, this is the directory from which you added the program to the
project.
n Output file location: You must specify the directory where the protected output will be
saved. By default, the directory is:
%LocalAppData%\SafeNet\Sentinel LDK 7.4\VendorTools\VendorSuite\Protected
n Vendor Code: You must provide a valid Vendor Code in order to access a
Sentinel protection key. On initial activation of Sentinel LDK Envelope, the default Vendor
Code is specified as DEMOMA. Select your Vendor Code in the Sentinel Vendor Code
screen.
This information is sufficient to protect a program.

General Customizable Parameters

The customizable parameters described in this section are identical for all supported applications,
assemblies and dynamic libraries.
n Feature ID: You can select a unique Feature to protect your program. For additional
information about Features, see "Using Features to Protect Programs" on page 72.
n Protection key search mode: You can determine where a protected application searches
for the Sentinel protection key. For additional information, see "Searching for a
Sentinel protection key" on page 72.

When enabling or disabling some features you might reduce the level of protection
provided by the software.

Searching for a Sentinel protection key

Sentinel LDK Envelope enables you to determine where a protected application searches for a
required Sentinel protection key.
The following options are available:
n Local and remote: The protected application first searches the local machine for a
required Sentinel protection key (default), and then the network.
n Local only: The protected application searches only the local computer for a required
Sentinel protection key.
n Remote only: The protected application searches only the network for a required
Sentinel protection key.

Using Features to Protect Programs

A Feature is an identifiable functionality of a software application. Features may used to identify

entire executables, software modules, .NET or Java methods, or a specific functionality such as
Print, Save or Draw. Each Feature is assigned unique identifier called a Feature ID. The default
Feature ID in Sentinel LDK Envelope is Feature ID 0.
 Sentinel LDK Envelope for Windows 73

For additional information on Features and licensing, see "Identifying Functional Components
(Features) " on page 119 and "Managing Features " on page 128.
When you protect a Win32, Windows x64, Mac or Linux application with Sentinel LDK Envelope,
you specify a single Feature ID for the entire executable. If you wish to apply unique Features to
separate components or functionalities, you must use the Sentinel Licensing API. For additional
information, see "Chapter 4: Sentinel Licensing API Protection" on page 61.
Protecting .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you have the flexibility to specify
Features at two levels:
n A global Feature that relates to the entire .NET assembly, with the exception of
individually-protected methods. For additional information, see "Global Features in .NET
Assemblies" on page 78.
n Method-specific Features. For additional information, see "Method-specific Features and
Parameters in .NET Assemblies" on page 79.
At run-time, a protected .NET assembly searches for all Features in the Sentinel protection key.

Sentinel LDK Envelope for Windows

This section describes how to use Sentinel LDK Envelope on Windows platforms.

Prerequisites for Windows

To use Sentinel LDK Envelope, all of the following components must be installed on your system:
n Sentinel LDK Run-time Environment
n Sentinel Vendor Suite
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 63.
n dfcrypt.exe (if you are planning to encrypt data files by means of a command line)
n The Win32, Windows x64, .NET or Java executables or DLLs that you want to protect
n .NET Framework 2.0 or later (if you are protecting .NET assemblies)

Running Sentinel LDK Envelope

In the Start menu, select Programs > SafeNet Sentinel > Sentinel LDK > Vendor Suite. From the
Sentinel Vendor Suite program selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope Protection Parameters

After your program has been included in a Sentinel LDK Envelope project, protection can be
performed effortlessly, based on the default Sentinel LDK Envelope settings. In addition, you can
define and calibrate a range of protection parameters that affect the attributes and behavior of
the protected application.
74 Chapter 5: Sentinel LDK Envelope Protection

Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen and
the Default Protection Settings screen. You can select a specific program in the Project pane and,
from the Protection Details screen, view and edit the application’s parameters using the following
three tabs:
n General tab
n Advanced tab
n Protection Settings tab
All parameters are detailed in the Sentinel LDK Envelope help system.
This section provides an overview of the Sentinel LDK Envelope protection settings that are
common to all program types. Mandatory parameters that are required in order to protect a
program are described in "Mandatory Parameters" on page 71. Other common parameters are
described in "General Customizable Parameters" on page 72.
Sentinel LDK Envelope also provides settings that are specific to the type of program protected.
n For additional information about settings for Win32 or Windows x64 programs, see
"Protecting Windows Programs" on page 74, and "Accessing and Protecting Data Files" on
page 76.
n For additional information about settings for .NET assemblies, see "Protecting .NET
Assemblies" on page 77, and "Code and Symbol Obfuscation in .NET Assemblies" on page
81.
n For additional information about settings for Java executables, see "Protecting Java
Executables" on page 86.

Protecting Windows Programs

When you protect a Windows program with Sentinel LDK Envelope, you can determine protection
attributes and aspects of the behavior of the protected application.

Protected Application Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Win32 and
Windows x64 programs:
n The frequency at which random queries are sent to a Sentinel protection key. These
queries include random encryption and decryption procedures.
n The time interval between checks for the presence of a required Sentinel protection key.
n Whether support for programs that require overlays to execute correctly should be
enabled.
n The length of time that the protected application waits for the Sentinel LDK Run-time
Environment to load.
 Sentinel LDK Envelope for Windows 75

Protection Attributes

You can define specific security attributes for protected Win32 and Windows x64 programs
including parameters for:
n Detection of both system and user-level debugging measures. You can activate measures
to be undertaken by the Sentinel LDK system to block potential attacks intended to
undermine the protection scheme.
n Specifying the frequency of Sentinel protection key access for encryption. The parameter
controls the compactness of the Sentinel protection key calls made by the protected
application.

Run-time User Support

You can customize run-time messages for end users who are using applications protected by
Sentinel LDK Envelope. Sentinel LDK Envelopeincludes a set of message codes. Each code is mapped
to a corresponding message that is displayed at run-time of the protected application.
In addition, you can choose to display a message for end users during startup of a protected
application that explains there may be delays due to required data decryption.

Enhancing Protection With "AppOnChip"

Sentinel LDK Envelope incorporates AppOnChip protection to significantly increase the security of
an application that is protected with a Sentinel HL (Driverless configuration) key.
Currently, the following limitations apply for the application to be protected using AppOnChip:
n 32-bit native binaries only (.NET assemblies are not supported.)
n You cannot use AppOnChip to protect the Licensing API DLL.
n AppOnChip protection cannot be applied to applications and DLLs that have already been
protected with tools from other vendors or sources.

An application that is protected using AppOnChip is not compatible with Sentinel SL keys
or with any HL keys other than Sentinel HL (Driverless configuration) keys.
If the protected application will be licensed using a Sentinel HL Basic key or Sentinel HL Pro
key, you must connect a Sentinel Developer key or Master key that contains the
AppOnChip module at the time that you protect the application. For more information,
see "AppOnChip Module" on page 264.

Once enabled, AppOnChip uses a code transformation engine to analyze the application code.
AppOnChip determines which functions are eligible to be executed by the Sentinel HL key. The
eligible functions are listed in a table on the AppOnChip tabbed page in the Sentinel Envelope
interface.
AppOnChip identifies the functions contained in the application as follows:
n AppOnChip looks for the map file in the application. If the application was compiled with
Microsoft Visual Studio compiler, AppOnChip uses the map file generated by the compiler
76 Chapter 5: Sentinel LDK Envelope Protection

to identify the eligible functions. (Map files from other compilers cannot be processed by
AppOnChip.)
n AppOnChip searches in the application code for exported functions and adds them to the
list of eligible functions.
You examine the list of eligible and selected functions, and modify the selections to include only
those functions that you want AppOnChip to protect.
AppOnChip also provides a Performance Profiling facility. This facility creates a specialized version
of your application that can be used to accumulate real-life statistics on the usage of selected
functions in the application. The accumulated information is then used by AppOnChip to help you
fine-tune the list of functions to be protected using AppOnChip.
When Envelope generates the protected application, AppOnChip automatically extracts the code
or code segments for selected functions from the protected binary of the application and replaces
the extracted code with a placeholder. The extracted code is encrypted and signed with a vendor-
specific sign key, and saved as part of the protected application.
Note that with the supported compiler (described above), the protection process is fully
automatic. It is not necessary for you to make any changes to your application code to
accommodate this process.
At run-time, when the application calls one of the protected functions, the encrypted function
code is uploaded to the Sentinel HL key. Within the key, the code is decrypted and loaded into a
virtual machine. Once loaded, the code is executed by the virtual machine. The output of the code
is passed back to the protected application through the placeholder that was inserted into the
function during the protection process.
As a result of this process, protected functions are never exposed in any manner that would
enable a cracker to analyze or disassemble the code.
For more information regarding the AppOnChip functionality, see the Sentinel LDK Envelope help
system.

Accessing and Protecting Data Files

When you use Sentinel LDK Envelope to protect a Windows application, you can add the
capability to access and write data to protected data files.
A given protected application can be equipped with either of two modes of data file protection:
n Version 1 - This is appropriate for general-purpose data files. In this mode, the contents
of the data files are encrypted. The data files can only be accessed by applications that
have been protected with the vendor's unique Vendor Code and that have been provided
with a specific encryption key.
n Version 2 - This is appropriate for important data files that you want to license separately,
such as training video files and courseware. In this mode, the data files are encrypted and
protected by assigning a Feature ID. Only users that purchase the specific license required
for the files are able to access the files.
For a complete description of the available data protection options, see "Chapter 7: Protecting
Data Files" on page 95.
 Protecting .NET Assemblies 77

Running Sentinel LDK Envelope from a Windows Command Line

Sentinel LDK Envelope can be initiated using a command-line prompt. This is useful when running
automated processes that do not require a graphical interface.

The command-line version of Sentinel LDK Envelope is primarily used for automated

processes. Before running the command-line utility, create and save protection projects
using envelope.exe.

To access the command-line version of Sentinel LDK Envelope, go to:

%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\VendorTools\VendorSuite\envelope.com

(For Windows x86, go to: %SystemDrive%/Program Files\)

To start the command-line version of Sentinel LDK Envelope, type ENVELOPE in the command line.

Command-line Options

The following parameters are available for use with the Sentinel LDK Envelope command-line
version:

Command Description
-h Displays the list of command-line parameters. Press Enter to return to
--help the command-line console.
-p <project> The command-line utility uses the specified project as input data for
--protect <project> the application-wrapping process—all the files included in the project
are protected.
<project> The command-line version starts the GUI version with the specified
project running as the current project.

Protecting .NET Assemblies
Sentinel LDK Envelope provides significant flexibility when protecting .NET assemblies. In addition
to global protection settings that you specify using the Protection Details and Protection
Template Settings functionalities, you can also specify Method-level protection, by defining
individual methods in the .NET assembly.
You can also define protection settings in your source code using custom attributes.
For details about the prerequisites for protecting a .NET assembly, and other considerations to
take into account, see ".NET Considerations" on page 78.
When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature that
protects the entire assembly. For additional information, see "Global Features in .NET Assemblies"
on page 78.
In addition to the global Feature, you can define Features for individual methods. You can also
define other method-specific parameters. For additional information, see "Method-specific
Features and Parameters in .NET Assemblies" on page 79.
78 Chapter 5: Sentinel LDK Envelope Protection

You can also apply different levels of obfuscation to your .NET assembly. For additional information,
see "Code and Symbol Obfuscation in .NET Assemblies" on page 81.

.NET Considerations
When protecting .NET assemblies, consider the following issues:
n You must protect your assemblies in a development environment. Sentinel LDK Envelope
requires libraries that are not part of the .NET framework, but are included in the
development environment.
n Sentinel LDK Envelope for .NET requires access to all assemblies and their dependencies.
n Sentinel LDK Envelope breaks the strong name signature of signed assemblies. You can
choose to re-sign the assembly in Sentinel LDK Envelope, as part of the protection
process.
n When you protect a .NET Framework 1.x assembly, the Sentinel LDK Envelope output is in
Framework 2.0, requiring Framework 2.0 to be installed on the end-user machine.
n For your protected .NET assembly to function at run-time, a Sentinel LDK DLL is required.
For more information, see "Protection-related Software" on page 177.

Global Features in .NET Assemblies

When you protect a .NET assembly with Sentinel LDK Envelope, you specify a global Feature that
protects any methods that have not had individual protection parameters applied. The global
Feature is also used when background checks are implemented.

Method-level Protection
When you select a .NET assembly for protection, Sentinel LDK Envelope automatically determines
the Protection type that will provide the best protection for your program, depending on whether
you are protecting an executable or a DLL. The Protection type determines the methods that are
available for individual protection.

It is recommended that you do not change the automatic Protection type settings.

This section describes how you select individual methods and the behavior of different method
types, in addition to the parameters you can select for the methods.

Selecting .NET Methods for Protection

The .NET assembly is displayed in the Protection Details screen, in the Methods selected for
protection list. The list displays class constructors and methods, in a tree layout that mimics the
structure of the .NET assembly.
Items in the list are identified by icons that indicate the method type, and by the class or method
name. Method signatures are displayed as a tool tips.
When the check box to the left of a method is selected, that method is selected for Sentinel LDK
Envelope protection.
 Protecting .NET Assemblies 79

n Selecting or clearing the check box of a higher-level item does not affect nested
items. For example, if you clear the check box of a class constructor, methods
nested under it remain selected.
n When a method name is grayed-out, it cannot be selected for protection.
n If the Protection type is Only Win32 shell or Only Windows x64 shell, you
cannot protect individual methods in that .NET assembly.
n An assembly cannot be protected when the check boxes for all items in the list
have been cleared.

Method-specific Features and Parameters in .NET Assemblies

You can use Sentinel LDK Envelope to define separate Feature IDs for individual methods in
your .NET assembly. This enables you to:
n Make use of the separate encryption key inherent in each Feature to provide enhanced
security for individual methods
n Determine how often the protected application logs into an individual method
At run-time, the protected application searches for all relevant Feature IDs in the
Sentinel protection key.
You can determine how often the protected application logs into each Feature ID in the
Sentinel protection key and performs decryption using that Feature ID by specifying the Frequency
for specific methods.

n You can only specify the Feature ID and Frequency for methods that have been
selected for protection.
n If the Protection type is Only Win32 shell or Only Windows x64 shell, you
cannot specify a Feature ID or Frequency for individual methods.
n You can select multiple methods and specify the same Feature ID and Frequency
for all selected items.

The available Frequency options are described in the following table:

Frequency
Description
Type
Once per A check is performed the first time a method using the Feature ID indicated for that
program method is called, regardless of the number of methods that share the same
(Default) Feature ID across the program.
80 Chapter 5: Sentinel LDK Envelope Protection

Frequency
Description
Type
Once per A check is performed when the method is run, once for each Feature ID within the
class same class.
instance If the same Feature ID is also assigned to the class constructor, the check is
performed the first time the .ctor method is run.
If the same Feature ID is used in other classes, the check is performed separately
for each class.
The Once per class instance frequency is available only for Instance
methods.

Every time A check is performed every time the method is called

Recommendations:

n Use the Once per Application default setting. The Once per Instance and Every time
settings may slow the performance of your program.
n If a counter-based license is being defined, use the Every time setting only for the method
that determines licensing, as the counter is decremented every time the method is called.
If you choose to assign separate Feature IDs for individual methods, you must ensure that your
application code can only call the Feature IDs for those methods for which a valid license has been
installed in a Sentinel protection key.
If methods that do not have a valid license in a Sentinel protection key are called, it will cause
Sentinel LDK Envelope to generate an error loop that can only be stopped by installing a valid
license.
An API is provided as part of the Sentinel LDK installation that enables you to ensure that the error
loop does not occur. The API is located in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\Samples\
Envelope\EnvelopeRuntime.NET
(For Windows x86, in: %SystemDrive%\Program Files\)

To use the API

To prevent an error loop occurring if a method for which a license has expired or does not exist,
register a NotificationDelegate handler, as follows:
1. Include the Aladdin.HASP.EnvelopeRuntime assembly in your source code.
2. Select one of the following handlers, depending on the behavior that you require when the
handler is invoked.

EnvelopeRuntimeStatus.StatusThrowException Discontinue execution path by throwing an

exception
EnvelopeRuntimeStatus.StatusReturnNothing Discontinue execution path by returning a null
reference (Nothing)
 Protecting .NET Assemblies 81

EnvelopeRuntimeStatus.StatusAlertAndRetry Default
Display message box that asks the user for the
license, then retry.
EnvelopeRuntimeStatus.StatusRetry Transparently retry
The NotificationDelegate handler will be invoked whenever the Sentinel LDK Envelope run-
time cannot decrypt a protected method. It will also receive the appropriate Sentinel LDK error
status code. You can use this information in your own “license required” error message,
instructing your user to abort or retry their action.

Code and Symbol Obfuscation in .NET Assemblies

Obfuscation is the process of turning meaningful strings into random strings of letters or
numbers. Using Sentinel LDK Envelope, you can apply obfuscation as an anti-reverse engineering
security measure.
By default, all symbol names in the protected .NET assembly are obfuscated as part of the
protection process. In addition, you can choose to obfuscate the entire code of a selected
method. Since code obfuscation may slow the performance of your program, it is not selected by
default.
You can apply Code obfuscation to a method regardless of whether it is selected for protection in
the Methods selected for protection list.

Defining Sentinel LDK Envelope Protection Settings in Source Code

Instead of specifying your protection settings using the Sentinel LDK Envelope GUI, you can use
the .NET framework custom attributes for the Aladdin.HASP.Envelope assembly to add
definitions directly to your source code.
The custom attributes can be applied to assemblies, classes, and methods. Protection settings in
your source code are processed according to hierarchy, in descending order of method, class, and
assembly.
Protection settings that are defined in your source code override settings already specified in the
Sentinel LDK Envelope GUI, and you cannot use the GUI to edit the settings once they have been
integrated in your code. However, you can use the GUI to view the protection settings that have
been specified in your code.
To use the custom attributes, you must include the Aladdin.HASP.Envelope assembly in your
project.

Aladdin.HASP.Envelope.dll is not required for protected assemblies and does not have
to be distributed to your customers.

Using the custom attributes, you can define the following protection settings:

Name Description Type Default Value

Protect Protect this method bool true
82 Chapter 5: Sentinel LDK Envelope Protection

Name Description Type Default Value

FeatureId Feature ID to be used for int -1 (global Feature)
protection
Encrypt Encrypt this method bool true
Code Obfuscate complete code for bool false
Obfuscation this method
Frequency When license for method is EnvelopeMethod CheckOncePerApplication
to be checked ProtectionFrequency

Sample

The following sample shows how protection settings can be applied in source code. The source
code comments are italicized.

using System;
using Aladdin.HASP.Envelope;

/// do not protect any methods in this assembly

[assembly: EnvelopeMethodProtectionAttributes(Protect=false)]
namespace MyProgram
{
/// methods in this class do not get protected, because protection
/// settings are inherited from assembly
class MyExample
{
/// this method does not get protected
static void Main(string[] args)
{
Console.WriteLine("{0} + {1} = {2}", 3, 4, MyClass.Add(3, 4));
Console.WriteLine("{0} * {1} = {2}", 3, 4, MyClass.Multiply(3, 4));
}
}

/// protect all methods in this class with Feature ID 0

[EnvelopeMethodProtectionAttributes(Protect=true, FeatureId=0)]
class MyClass
{
/// protect the Add method using Feature ID 1, obfuscate the code,
/// check the license everytime this method is invoked
[EnvelopeMethodProtectionAttributes(Protect=true, FeatureId=1, Encrypt=true,
CodeObfuscation=true, Frequency=EnvelopeMethodProtectionFrequency.
CheckEveryTime)]
public int Add(int a, int b)
{
return a + b;
}

/// protection settings for this method are inherited from the settings of the class
public int Multiply(int a, int b)
{
return a * b;
}
}
}
 Sentinel LDK Envelope for Linux Applications 83

Additional Sentinel LDK Envelope .NET API Information

n The protection definitions and defaults are based on those provided in the Sentinel LDK
Envelope GUI
n By default, static methods and methods that have a very small footprint are not
protected. To protect these methods, you must specify the protection settings at method
level in your source code.

Sentinel LDK Envelope for Linux Applications

Sentinel LDK Envelope protection can be implemented for Linux executables and shared objects
using a command-line utility.
For a complete description of the Sentinel LDK Envelope command-line utility for Linux application,
see the Sentinel LDK Envelope for Linux User Guide. This book can be found under
\Linux\Docs\Manuals & Tutorials\ in the Sentinel LDK for Linux installation and on the Sentinel
LDK installation DVD.

Sentinel LDK Envelope for Mac Binaries

Sentinel LDK Envelope for Mac enables you to protect Mach-O executables and dynamic libraries
(referred to as binaries). Both GUI and command-line versions of the application are available.
Before using Sentinel LDK Envelope for Mac, it is recommended that you familiarize yourself with
the general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is
provided at the beginning of this chapter.

Sentinel LDK Envelope Prerequisites for Mac

To use the Sentinel LDK Envelope utility, all of the following components must be installed on your
system:
n Sentinel LDK Run-time Environment
n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master Wizard
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 63.
n The Mac binaries that you want to protect

Running Sentinel LDK Envelope for Mac

Navigate to the location in which Sentinel LDK is stored. Select MacOS > VendorTools >
VendorSuite > Envelope. Sentinel LDK Envelope is launched.
To access the command-line version of Sentinel LDK Envelope, go to:
...\MacOS\VendorTools\VendorSuite\envelope_darwin
Type envelope_darwin -h in the command line to start the command-line version of Sentinel LDK
Envelope.
84 Chapter 5: Sentinel LDK Envelope Protection

Sentinel LDK Envelope for Mac Protection Parameters

After your Mac executable or dynamic library has been included in a Sentinel LDK Envelope
project, protection can be performed effortlessly, based on the default Sentinel LDK Envelope
settings. In addition, you can define and calibrate a range of protection parameters that affect the
attributes and behavior of the protected binary.
Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen and
the Default Protection Settings screen. You can select a specific binary in the Project pane and,
from the Protection Details screen, view and edit the binary’s parameters using the following
three tabs:
n General tab
n Advanced tab
n Protection Settings tab
All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Accessing and Protecting Data Files

When you use Sentinel LDK Envelope to protect a Mac application, you can add the capability to
access and write data to protected data files.
A given protected application can be equipped to create, access, and update protected data files.
The data files can only be accessed by applications that have been protected with the vendor's
unique Vendor Code and that have been provided with the encryption key that was used to
protect the files.
You can use Sentinel LDK Data Protection utility to pre-encrypt data files that you want to deliver
together with the protected application.
For a complete description of the available data protection options, see "Chapter 7: Protecting
Data Files" on page 95.

Sentinel LDK Envelope for Java Executables

Sentinel LDK Envelope for Java enables you to protect JAR and WAR executables. Before using
Sentinel LDK Envelope for Java, it is recommended that you familiarize yourself with the general
Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is provided at the
beginning of this chapter.
Protection of your software is performed on a Windows machine, after which you distribute the
protected software together with the appropriate Java run-time libraries for the end-user
operating system—Windows, Mac, or Linux.

Java applications that have been obfuscated, or protected using third-party tools, are not
supported by Sentinel LDK Envelope.
 Sentinel LDK Envelope for Java Executables 85

Java Considerations
When protecting Java executables, consider the following issues:
n The methods selected for protection by Sentinel LDK Envelope by default are not the
optimal choices for your application or library. You must review and modify the list of
selected methods to provide the best mix of security and performance. For more
information, see the description of optimizing protection settings in the Sentinel LDK
Envelope help system.
n Sentinel LDK Envelope does not support protection of Java paint methods, but it allows
you to select them in the user interface. As a result, the protected application may cause
a deadlock when it executes a protected paint method at runtime with no
Sentinel protection key connected. To prevent this issue from occurring, you can deselect
all paint methods. Note that paint methods do not usually contain application logic;
therefore, deselecting them typically has no impact on security. As an alternative, you can
select console output for messages by enabling stderr output instead of windows in the
Advanced settings panel.
n When you test Sentinel LDK Envelope for the first time with your application, it is
recommended that you clear the default selection and start with the protection of a single
method that you want to protect. After you protect the method, test your application. If
the application works as expected, continue to protect additional methods and test after
each addition until you have reached the desired protection selection for the application.
Do not try to apply this selection to different applications.
n Sentinel LDK Envelope does not support protection of methods that use the Hibernate
service.
n Sentinel LDK Envelope does not support protection of methods that, in turn, use
Synthetic methods that are created as bootstrap methods or as arguments of bootstrap
attributes.
n Tomcat does not support Java 8 applications. Therefore, Java 8 protected applications are
not supported on Tomcat.

Sentinel LDK Envelope Prerequisites for Java

To use the Sentinel LDK Envelope for Java engine, all of the following components must be
installed on your system:
n The Java JRE or JDK must be installed
n Sentinel LDK Run-time Environment
n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master Wizard
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 63.
n The JAR or WAR executables that you want to protect
Before your JAR/WAR archive is protected, include the following customized Sentinel Licensing API
dynamic libraries with the archive:
86 Chapter 5: Sentinel LDK Envelope Protection

Operating System Customized Sentinel Licensing API Dynamic Libraries

Windows (32/64-bit) hasp_windows_****_<vendorId>.dll
Mac OSX hasp_darwin_<vendorId>.dylib
Linux (32/64-bit) libhasp_linux_***_<vendorId>.so
During protection of the Java applications, Sentinel LDK Envelope copies these libraries
automatically to the output directory.
For your protected Java executables to function at run-time, one or more Sentinel LDK DLLs are
required. For more information, see "Protection-related Software" on page 177.

Running Sentinel LDK Envelope for Java Engines

In the Start menu, select SafeNet Sentinel > Vendor Suite. From the Sentinel Vendor Suite
program selection screen, launch Sentinel LDK Envelope.

Sentinel LDK Envelope for Java Protection Parameters

After your Java executable has been included in a Sentinel LDK Envelope project, protection can be
performed, starting from the default Sentinel LDK Envelope settings. In addition, you can define
and calibrate a range of protection parameters that affect the attributes and behavior of the
protected file.
Sentinel LDK Envelope customizable parameters are displayed in the Protection Details screen and
the Default Protection Settings screen. You can select a specific Java executable in the Project
pane and, from the Protection Details screen, view and edit its parameters using the available
tabbed pages.

Protecting Java Executables

When you protect a Java executable with Sentinel LDK Envelope, you can determine protection
attributes and aspects of the behavior of the protected application.

Protected Application Behavior

Sentinel LDK Envelope enables you to define the following additional properties for Java
executables:
n The compression level of protected classes.
n The time interval between checks for the presence of a required Sentinel protection key.
All parameters and procedures are detailed in the Sentinel LDK Envelope help system.

Sentinel LDK Envelope for Android Applications

Sentinel LDK Envelope for Android enables you to protect Android applications. Sentinel LDK
Envelope protects the Android application and encrypts the entire DEX file for the application.
 Sentinel LDK Envelope for Android Applications 87

Before using Sentinel LDK Envelope for Android, it is recommended that you familiarize yourself
with the general Sentinel LDK Envelope information about Sentinel LDK Envelope protection that is
provided at the beginning of this chapter.
Protection of your software is performed on a Windows machine, after which you distribute the
protected software together with the appropriate Java run-time libraries.

Java applications that have been obfuscated, or protected using third-party tools, are not
supported by Sentinel LDK Envelope.

Sentinel LDK Envelope Prerequisites for Android

To use the Sentinel LDK Envelope for Android applications, the following components must be
installed on your system:
n Android Developer Tools - ADT bundle
n Sentinel LDK Run-time Environment
n Sentinel Vendor Suite, containing the Sentinel LDK Envelope and the Master Wizard
n A valid Vendor Code stored in the VendorCodes folder. For additional information, see
"Extracting the Vendor Code from Sentinel Vendor Keys" on page 63.
n The Android applications that you want to protect
For more information, see the Getting Started Guide for Android Applications.

Android Considerations
Sentinel LDK Envelope does not protect following types of classes/methods for Android
applications:
n Static method
n Methods that refer to classes/methods that are not public or that are static
n Overridden “onCreate” methods
For additional considerations, see the Sentinel LDK Envelope help system.
 6
Chapter 6:
Protection Strategies

Sentinel LDK provides the best hardware and software tools available in the market today. The
contribution that Sentinel LDK can make to the protection of your software and intellectual
property has already been well documented in the previous chapters. However, it is the strength
and sophistication of the strategies that you employ in partnership with Sentinel LDK that will
truly maximize your software protection.
In this chapter:

n "Overview" on page 89
n "General Protection Guidelines" on page 90
n "Types of Attack and Their Sentinel LDK Defense" on page 91

Overview
Parallel with advances in software and software security development, software crackers are
developing more sophisticated means of deconstructing software protection measures—in order
to duplicate and distribute illegal copies of unlicensed software—and to reverse engineer code in
order to steal intellectual property.
To maintain the rights to your revenue stream, it is essential that you remain vigilant about the
strategies of your “enemies”, and that you continually and wisely implement the latest and
strongest techniques for protecting your software.
The degree of investment that you make in limiting the ability of software crackers to illegally
access your software will depend on a number of considerations, including:
n The value of your software
n The history of previous cracking attempts related to your software
n The geographical region in which your software will be distributed
n The target market for your software (for example, whether it is intended to be sold to
individual consumers, small office/home office users, or enterprise users)
There is no software protection that is absolutely uncrackable. However, if you constantly
implement up-to-date strategies using the strongest software protection methods, you
significantly decrease your vulnerability to such attacks.
90 Chapter 6: Protection Strategies

This chapter describes general protection strategies for software vendors. It then outlines some of
the methods that software crackers employ in order to identify and negate software protection
and security, and recommends Sentinel LDK measures that you can use to enhance your
software security.
In addition to the information described in this manual, our team of SafeNet Consultants provides
personalized assistance in strengthening software security and protection. They can provide help
on a wide range of issues, including additional protection strategies and implementation
techniques.
For information on consultation services offered by SafeNet, contact your local SafeNet
representative.

General Protection Guidelines

The following guidelines should be followed, regardless of the software protection strategies being
implemented.
SafeNet thoroughly and constantly investigates potential and actual threats to software security,
and Sentinel LDK is continuously being updated to counter such threats—before they can
compromise the security of your software.
Use the Most Up-to-date Protection Software

Protection software updates generally include enhancements to counter the most recent threats.
Always check for and use the most recent version of Sentinel LDK protection software that is
available. The latest software can be downloaded from the Sentinel Web site, at www.safenet-
inc.com/SentinelLDK/InstallationDVD.
Constantly Re-evaluate Protection Strategies

Frequently consider what protection strategies you can upgrade or enhance to provide stronger
security for your software.
Use Evolving Strategies to Prevent Predictability

Vary the strategies that you implement between your software releases. If a software cracker is
able to detect a pattern to your protection strategies, the strategies can more easily be negated
or evaded.
Vary Behavior when Cracking Attempt is Detected

When a cracking attempt is detected (for example, through using a checksum—described later in
the chapter), delay the reactive behavior of your software, thus breaking the logical connection
between “cause” and “effect.” Delayed reaction confuses a software cracker by obscuring the link
between the cracking attempt and the negative reaction of the software to that attempt.
Behavior such as impairing program functionality when a cracking attempt is detected can be very
effective. Additional behaviors could include causing the program to crash, overwriting data files,
or deliberately causing the program to become inaccurate, causing the program to become
undependable.
 Types of Attack and Their Sentinel LDK Defense 91

Types of Attack and Their Sentinel LDK Defense

It is important to “know your enemy.” When you are well informed about the types of attacks
that a software cracker may make, you will be best able to devise and implement strategies that
limit or prevent their success.
This section describes the elements of some of the more common attacks that software crackers
use, and refers you to specific Sentinel LDK strategies that you can implement to counter such
attacks.

Patching Executables and DLLs

A software cracker disassembles and/or debugs EXE or DLL files to find protected code. The actual
file is then patched in order to modify run-time flow, or to remove calls in the code.
Commonly, the software cracker sends a small, standalone patch executable that the end user
runs in order to patch your software.

Sentinel LDK Solution

The more files that are protected, the longer it takes a software cracker to remove protection. You
can protect multiple executable and DLL files using Sentinel LDK Envelope. You can also use the
Data Protection facility to encrypt and protect data files that are accessed by protected
applications.

Modifying Key Memory

Licensing data is normally stored in the memory of a software protection key. A software cracker
attempts to access the Protection Key memory in order to modify the licensing terms. For
example, a depleted execution-based license might be changed to a perpetual license, or a feature
that has not been paid for might be enabled.

Sentinel LDK Solution

In the context of Sentinel LDK, Read-only memory (ROM) is a segment of the memory that can
contain data that the protected application can access, but cannot overwrite. Sentinel protection
keys contain two ROM segments, one of which contains Sentinel LDK Feature-based licenses. The
second segment provides an area in which vendor-customized data can be stored. These
segments can only be updated using remote updates.
Sentinel LDK automatic Feature-based licenses utilize read-only memory of Sentinel protection
keys. The different types of available licenses are sufficient for almost any licensing model.
You can customize your own licenses and still use a ROM segment in a Sentinel protection key’s
memory. Note however that licenses that have been customized must remain static (for example,
such licenses cannot include a decremented number of executions).
For additional information about licensing models, see "PART 5 - LICENSING MODELS" on page
203.
92 Chapter 6: Protection Strategies

Emulating Protection Keys

To emulate the software of a protection key manufacturer, a software cracker creates an
application that replays previously recorded calls, as if an actual protection key is returning the
calls.
Limited functionality emulators only record and replay calls. Full-functionality emulators also
emulate the key, including its encryption. A software cracker requires access to the encryption key
to create a full-functionality emulator.
There are several places in which emulators can reside. Primarily, they are an attempt to replace
the driver.

Sentinel LDK Solution

Sentinel LDK provides a secure channel between an application and the Sentinel HL key. Data that
passes between the protected application and the key is encrypted. Taking advantage of the
secure channel functionality between your application and a Sentinel HL key provides you with the
strongest possible protection.
A different encryption key is used in every session. This means that someone recording data
passing through the secure channel cannot replay the data, since the encryption key used to
encrypt the data will differ from that used to decrypt the data.

Using Remote Desktops and Remote Desktop Solutions

When using the remote desktops of some operating systems, it might be possible for an end user
with a standalone protection key to enable software on multiple remote desktops simultaneously.

Sentinel LDK Solution

The Sentinel LDK protection includes mechanisms to determine if a protected application is

running on a remote desktop. If such a situation is detected, and a Feature in the license is not
specifically enabled for remote desktops, the program will not function.

Cloning Hardware Keys

The software cracker reverse-engineers a hardware protection key, then creates duplicates. Such
an attack is extremely costly to the cracker, both in terms of the reverse engineering tools and the
expertise required. It is also costly in terms of ongoing production of hardware keys.

Sentinel LDK Solution

Sentinel HL keys are each unique and have their own ID. Keys that are in the same Batch Code
and behave identically are each uniquely encrypted, the key’s customized controller and memory
forming a unique locked pair. This means that if the memory of one Sentinel HL key is copied to
another Sentinel HL key, the second key will not function.

Clock Tampering
Clock tampering relates to either the system clock of the machine on which the protected
software is running, or to a real-time clock contained in keys. The software cracker resets the time
to enable extended, unlicensed use of the software.
 Types of Attack and Their Sentinel LDK Defense 93

Sentinel LDK Solution

When implementing time-based licenses for your software, use one of the following keys:
n Sentinel HL Time or Sentinel HL NetTime keys. These keys provide a real-time clock.
n Sentinel HL (Driverless configuration) key. This key provides a virtual clock (V-Clock). For
more information, see "Appendix E: How Sentinel LDK Protects Time-based Licenses With
V-Clock" on page 279.
Both the clock itself, and the license which is stored in read-only memory, cannot be modified.

Additional Sentinel LDK-specific Strategies

This section describes additional general protection strategies that are available to users of
Sentinel LDK.

Use Both the Sentinel Licensing API and Sentinel LDK Envelope

Maximize security by using the Sentinel Licensing API to implement calls to a Sentinel protection
key, and protect the application with Sentinel LDK Envelope. Using one protection method does
not preclude the use of the other.

Insert Multiple Calls in your Code

Inserting many calls, throughout the code, to the Sentinel protection key in order to check the
presence of the key, and binding data from the key with the software functionality, frustrates
those attempting to crack your software. Multiple calls increase the difficulty in tracing a
protection scheme.
You can also add obstacles to a potential software cracker’s progress by encrypting data that has
no bearing on the application. Similarly, you can divert attention by generating “noise” through
random number generators, time values, intermediate results of calculations, and other
mechanisms that do not lead to meaningful results or actions.

Encrypt/Decrypt Data with a Sentinel protection key

Encryption and decryption processes are performed inside a Sentinel protection key, well beyond
the reach of any debugging utility.
Encrypting data with the Sentinel LDK AES-based encryption engine considerably enhances
software security. By encrypting data used by your application, the decryption process depends
on both the presence of a Sentinel protection key and its internal intelligence.
By implementing a Sentinel Licensing API scheme in which data is decrypted by a
Sentinel protection key, the association between the protected application and the
Sentinel protection key cannot easily be removed. Cracking the software also necessitates the
software cracker decrypting the data.

Use a Checksum to Verify Integrity of Executable Files

Compare the value in the executable file with a checksum stored in Sentinel protection key
memory. If the two values are not equal, you can assume that someone has attempted to modify
94 Chapter 6: Protection Strategies

the files. Repeat this check in various places in the code, varying it in each place to make it more
difficult for a software cracker to detect.

This strategy is not necessary if you protect your application with Sentinel LDK Envelope.
Envelope implements its own integrity checks and uses code encryption to prevent
modification of the protected application.
 7
Chapter 7:
Protecting Data Files
This chapter describes how you can use Sentinel LDK Data Protection utility to protect data files.
In this chapter:

n "Overview" on page 95
n "Data Protection Prerequisites " on page 99
n "Launching Sentinel LDK Data Protection Utility" on page 99
n "Data File Protection Plugin " on page 99
n "Licensing Data Files—Getting Started" on page 100
n "Working With the dfcrypt Command Line Utility" on page 104

Overview
The material contained in a data file can represent a significant investment in time, effort, and
money. For example, a data file may contain valuable text-based, audio, or video courseware for a
training program.
Sentinel LDK provides you with a Data Protection facility to encrypt and (optionally) add licensing
protection to the contents of data files, similar to the licensing protection that is available for
software applications.
96 Chapter 7: Protecting Data Files

The Data Protection facility consists of the following components:

n Sentinel LDK Data Protection utility
This utility is used to protect data files that will be delivered together with a protected
application or as separate files. The utility can be invoked from within Envelope or as a
standalone application. The utility does the following:
o The utility encrypts the data file. Once encrypted, the file can only be accessed by
one of the modules described below.
o The utility optionally assigns a Feature ID to the data file. If this is done, the data
file can only be accessed if an appropriate protection key is available.
n Data Protection module
This module is optionally inserted into the protected application by Sentinel LDK
Envelope. This enables the protected application to access the data in a protected data
file. If the data file has been protected using the Version 2 protection mode (described
below), the data file can only be accessed if an appropriate protection key is available.
A protected application with the Data Protection module can work with both protected
data files and regular data files.
n Customized Data File Protection Plugin for Internet Explorer (Windows)
Sentinel LDK Master wizard generates a customized Data File Protection plugin for your
Vendor Code. This module is optionally installed in a Web browser on the end user's
machine. The module enables the Web browser to display a protected FLV or SWF data
file if an appropriate protection key is available. The protected data files that you provide
to your customers can only be viewed with the Data File Protectin plugin that was
generated for your Vendor Code.
The Data File Protection plugin is only compatible with data files that were protected
using the Version 2 protection mode (described below).
 Overview 97

Both the Sentinel LDK Data Protection utility and the Data Protection module provide two distinct
modes of operation:
n Version 1 (previously DataHASP)
In this mode, data files that are created by or accessed by a protected application can be
encrypted and decrypted by the Data Protection module in the protected application.
However, there are no specific license requirements to access the data files.
If you want to deliver data files together with the protected application, you can use the
Sentinel LDK Data Protection utility to encrypt these files.
The protected data files that can be accessed by a protected application are managed by
setting up the following controls in Sentinel LDK Envelope:
o Data filters - File masks that set rules to determine the names and file types of
protected files that the protected application can access.
o Data encryption key - An eight-character key used to add an extra layer of
encryption for protected data files. The same key must be provided in Sentinel LDK
Envelope for each protected application that will access a given protected data file or
collection of protected data files. This key is also used by the Data Protection utility
to encrypt the data files.
Version 1 is supported for data files to be accessed under Windows, .NET (Windows shell),
or Mac.
n Version 2
In this mode, you can both encrypt and license data files with the Sentinel LDK Data
Protection utility. Each data file or group of data files is assigned a specific Feature ID. To
access the data file, the end user requires a protection key with a license for the relevant
Feature ID. By distributing the relevant Feature IDs among various Products, you can
easily manage the licensing of a large collection of data files.
This mode is especially suited for educational data and courseware. Data files protected in
this mode are protected against video capture software that runs on the machine where
the user is viewing the protected video file.
The data file can be accessed and modified by one of the following:
o A protected application with the Data Protection module (Version 2). The
application and the data file must be protected with the same Batch Code.
o A Web browser with the vendor's customized Data File Protection plugin.
In this mode, the protected application cannot create a new protected data file. However
you can manually create an empty data file, protect it with the Sentinel LDK Data
Protection utility, and deliver the file together with the protected application. The
protected application can add content to the protected data file.
For protected data files that are accessed using a protected application, the locking type
for the data files is identical to the locking type for the application. For protected data files
that are accessed using the Data File Protection plugin, the locking type allows all types of
HL and SL keys to be used for licensing.
98 Chapter 7: Protecting Data Files

Version 2 is supported for data files to be accessed under Windows, .NET (Windows
shell), or Android.

To use Version 2 data protection mode, you must have the Advanced Data
Protection module on your Sentinel Master key or Developer key.

When to Protect Data Files

Protect your data files if:
n You want to maximize your software’s security. When your software is being protected,
consider adding another layer of security by protecting those data files that are accessed
by your software.
n You want to protect your intellectual property. Your data files may represent a significant
investment, so it is worthwhile preventing your intellectual property from being exposed
without protection.
n You want to license your data files. You can assign a different Feature ID to each data file
or to a group of data files. By distributing the relevant Feature IDs among various
Products, you can easily manage the licensing of a large collection of data files.

Users of Sentinel LKD Data Protection Utility

Anyone involved in the production or maintenance of data files for your protected software
should use Sentinel LDK Data Protection utility. This could include people in roles such as graphic
artists, information developers, or accountants.

Data Encryption for Mac

Sentinel LDK Envelope for Mac provides the capability for a protected application under Mac OS X
to encrypt and decrypt data that is written to and read from an external file.
Data files that will be delivered together with the protected application must be pre-encrypted
using the Sentinel LDK Data Protection utility for Mac or for Windows.
When using Sentinel LDK Data Protection utility to encrypt files for Mac:
n The Data Protection utility ignores TYPE/CREATOR for files.
n The Data Protection utility does not work with document types stored in File Bundles (for
example: Keynote presentations) since these are directory structures and not typical files.
 Data Protection Prerequisites 99

Data Protection Prerequisites

To use the Sentinel LDK Data Protection utility, you must prepare the following items:
n Sentinel keys
To protect data files with Version 2 data protection mode, you must connect your
Sentinel Developer key or Sentinel Master key with the Advanced Data File Protection
module to your machine.
If you are using Version 1 data protection mode, you can use a Sentinel HL or SL
protection key with the appropriate Batch Code instead of the Developer key or Master
key.
n (For Version 1 mode) Before protecting data files, you must create a Sentinel LDK
Envelope project containing one or more programs for which data protection has been
enabled and data filters have been defined. The data filters must include the data files
that you want to protect.
If two or more protected applications will access a given protected data file, the same
data encryption key must be defined in all the relevant protected applications.

Launching Sentinel LDK Data Protection Utility

You can launch Sentinel LDK Data Protection utility as follows:
n Directly from Sentinel LDK Envelope.
n From the Start menu, select Sentinel LDK Vendor Suite. From the Vendor Suite program
selection screen, select Additional Tools > Sentinel LDK Data Protection Utility.
n You can click the datahasp.exe file, located in the following directory on your system:
%SystemDrive%\Program Files (x86)
\SafeNet Sentinel\Sentinel LDK\VendorTools\VendorSuite\
(For Windows x86, in: %SystemDrive%\Program Files\...)

Data File Protection Plugin

Given the following circumstances:
n You are distributing FLV or SWF data files that are protected with Version 2 data file
protection.
n You want your customers to view these files using the Internet Explorer Web browser.
Each end user must install your customized version of the Data File Protection plugin in Internet
Explorer in order to view these files.
100 Chapter 7: Protecting Data Files

A version of the plugin for the DEMOMA Batch Code is provided in the Sentinel LDK installation in
the following path:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\VendorTools\Utilities\Data File
Protection Plugin\Data File Protection Plugin.msi
(For Windows x86, in: %SystemDrive%\Program Files\...)
When you introduce your Sentinel Master key, the Sentinel Master Wizard generates the
customized version of this plugin for your Batch Code. The generated plugin can be found in the
following location:
n For Windows Vista or Windows 7:
%UserProfile%\Documents\SafeNet\Sentinel LDK 7.4\Utilities\Data File Protection Plugin
n For Windows XP:
%UserProfile%\My Documents\SafeNet\Sentinel LDK 7.4\Utilities\Data File Protection
Plugin
The name of the customized file is Data File Protection Plugin_BatchCode.msi.
To install the MSI plugin, the end user simply double-clicks the file and accepts all default values in
the installation wizard.
The requirement for generating and for installing the plugin are described in the Sentinel LDK
Release Notes:
n The requirements for using the Master Wizard to generate the Data File Protection plugin
can be found under: "Supported Platforms for Vendors" > "Sentinel LDK Vendor Tools"
n The requirements for installing the Data File Protection plugin can be found under:
"Supported Platforms for End Users" > "Data File Protection Plugin for Internet Explorer"

Licensing Data Files—Getting Started

This section demonstrates how to get started with licensing of data files.
The following procedures are described:
n Licensing an FLV file to be viewed using Internet Explorer.
n Licensing data files to be accessed using a proprietary application.
In each case, instructions are provided for working with the HL Demo key (DEMOMA Batch Code).

If you prefer to work with your own Batch Code (or if you do not have an HL Demo key),
prepare an HL or SL key that contains a license for Features 0 and 42. Use this key instead
of the Demo key where required. Where the Vendor Codes file is required, use your
unique Vendor Codes file instead of the DEMOMA Vendor Codes file. Connect your Master
key or Developer key (with the required module) to your machine.

It is assumed that you already have a basic familiarity with Sentinel LDK. If not, perform the
lessons provided in the Sentinel LDK Software Protection and Licensing Tutorial, described
elsewhere in this book.
 Licensing Data Files—Getting Started 101

Licensing an FLV File to be Viewed Using Internet Explorer

This procedure demonstrates how to protect and license an FLV data file to be viewed with
Microsoft Internet Explorer.
For this procedure, you will use Internet Explorer and a provided FLV file to represent the data file
that you want to protect. The FLV file will be licensed with Feature ID 42. (A license for this Feature
is already present on Demo key.)

How to Protect the Data File

1. Copy the following directory to your desktop from the machine where Sentinel LDK is
installed:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel
LDK\VendorTools\VendorSuite\samples\DataProtection\flv\
(For Windows x86, go to: %SystemDrive%\Program Files\...)
2. Create the following directories on your desktop: FLV_42 and FLV_99.
3. From the Start menu, select Sentinel LDK Vendor Suite. From the Vendor Suite program
selection screen, select Additional Tools > Sentinel LDK Data Protection Utility.
4. Do the following in Sentinel LDK Data File Protection utility:
a. From the menu bar, select File > New project.
b. In the resulting dialog box, browse to the DEMOMA Vendor Codes file. This can
usually be found in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\VendorCodes\
(For Windows x86, go to: %SystemDrive%\Program Files\...)
c. Select the DEMOMA.hvc file and click Open. The Batch Code field now displays
DEMOMA.
d. From the menu bar, select Actions > Add Files.
e. In the Files to Encrypt dialog box, click Add.
f. Browse to the test FLV file in the following path:
Desktop\flv\local\test.flv
g. Select the test.flv file. The file now appears in the Files to Encrypt dialog box.
h. Set the Feature ID field on the right side of the box to 42.
i. Set the output directory to Desktop\FLV_42.
j. Click OK. The dialog box closes, and the text file is listed in the main pane.
k. Repeat step d through step j above. However, this time set the Feature ID to 99 and
set the output directory to Desktop\FLV_99.
l. From the menu bar, select Actions > Encrypt All. The FLV files are protected.
5. Close Sentinel LDK Data File Protection utility.
102 Chapter 7: Protecting Data Files

How to Access the Protected FLV File

1. Install the Data File Protection plugin as follows:

a. Browse to the directory %SystemDrive%\Program Files (x86)\SafeNet
Sentinel\Sentinel LDK\VendorTools\Utilities\Data File Protection Plugin\.
(For Windows x86, go to: %SystemDrive%\Program Files\...)
b. Double-click Data File Protection Plugin.msi. The plugin installer is launched. Accept
all defaults to install the plugin.
c. If Internet Explorer was active, restart it.

If you are working with your own Batch Code, install your customized Data File
Protection plugin. For more information, see "Data File Protection Plugin " on page
99.

2. Connect the Demo (DEMOMA) key to your machine.

3. Copy test.flv from Desktop\FLV_42\ to Desktop\local\sample\flv\local\.
4. Open Desktop\local\sample\flv\local\sample.htm in Internet Explorer. The test.flv file can
be viewed successfully. (The Demo key contains a license for Feature 42. Therefore, the FLV
Player can operate in Internet Explorer and display the file that was protected with Feature
42.)
For the current release of Sentinel LDK, you must use the 32-bit version of Internet
Explorer to view a protected data file.

5. Copy test.flv from Desktop\FLV_99\ to Desktop\local\sample\flv\local\.

6. Open Desktop\local\sample\flv\local\sample.htm in Internet Explorer. The test.flv file
cannot be viewed in Internet Explorer (The Demo key contains a license for Feature 42 while
this test.flv file requires a license for Feature 99.)

Licensing data files to be accessed using a proprietary application

This procedure demonstrates how to prepare a data file to be licensed and accessed with your
own application.
For this procedure, you will use a text viewer application (TextViewer.exe), provided by SafeNet,
to represent your proprietary application, and a simple text file to represent the data file that you
want to protect. The text viewer will be licensed with Feature ID 0 and the data file will be licensed
with Feature ID 42. (Licenses for these Features are already present on the Demo key.)

How to Protect the Text Viewer Application and the Data File

1. Using the Windows notepad application, prepare and save two copies of a text file that
contains the name of your organization (or any other text string). Name the files test_42.txt
and test_99.txt.
 Licensing Data Files—Getting Started 103

2. Do the following in Sentinel LDK Envelope:

a. Add the TextViewer.exe application to a new Sentinel LDK Envelope project. This
application can be found in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel
LDK\VendorTools\VendorSuite\samples\DataProtection\
(For Windows x86, go to: %SystemDrive%\Program Files\...)
b. In the Project pane, select the TextViewer program.
c. On the General tabbed page, select the Enable data file protection check box.
d. In the version list box, select Version 2.
e. Click Protect to protect the application. The application is protected and licensed
with Feature ID 0. Be sure to note the location where the protected application is
saved.
f. Close the Protection Status box.
g. Save the Envelope project.
h. On the General tabbed page, click Encrypt Data. Sentinel LDK Data File Protection
utility is launched. The Batch Code field displays DEMOMA.
3. Do the following in Sentinel LDK Data File Protection utility:
a. From the menu bar, select Actions > Add Files.
b. In the Files to Encrypt dialog box, click Add.
c. Browse to the text files that you prepared in step 1 above. Select the test_42.txt file.
The file now appears in the Files to Encrypt dialog box.
d. Set the Feature ID field on the right side of the box to 42.
e. Set the output directory to the location where the protected text file should be
written.
f. Click OK. The dialog box closes, and the text file is listed in the main pane.
g. Repeat step a through step f above. However, this time select the test_99.txt file,
and assign it the Feature ID 99.
h. From the menu bar, select Actions > Encrypt All. The text files are protected.
4. Close Data File Protection utility and Envelope.

How to Access the Protected Data File

1. Open each protected text file with Microsoft Notepad or with the unprotected version of
the TextViewer application. Random characters are displayed.
2. Connect the Demo key to your machine.
3. Open the protected version of the test_42.txt file with the protected version of the
TextViewer application. The original text is successfully displayed. (The Demo key contains
104 Chapter 7: Protecting Data Files

licenses for Features 0 and 42. Therefore, the protected TextViewer application can operate
and the file that was protected with Feature 42 can be accessed.)
4. Open the protected version of the test_99.txt file with the protected version of the
TextViewer application. Random characters are displayed. (The Demo key does not contain
a license for Feature 99.)

Working With the dfcrypt Command Line Utility

The dfcrypt utility provides an alternative to the Sentinel LDK Data Protection utility. dfcrypt
enables you to encrypt data files by specifying the relevant information in a command line instead
of a graphical user interface.
The following limitations apply to dfcrypt:
n dfcrypt can only be executed on a Windows platform.
n dfcrypt only provides the Version 1 data protection mode.
The dfcrypt.exe utility is located in the following path:
SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\VendorTools\VendorSuite\
(For Windows x86, in: %SystemDrive%\Program Files\...)
To encrypt or decrypt data files using dfcrypt, enter the following command:

dfcrypt <options> <source> <destination>

The parameters used in the dfcrypt command line are described in the table that follows.

Parameter Description
options List of options that indicate the function to be performed by the dfcrypt utility.
See the table of options that follows.
source The file to be read and processed by the utility. To process multiple files, place
the files in a directory and specify the name of the directory for this parameter.
destination The file to be generated by the utility. If you specified a directory as the source,
specify the name of directory to contain the generated output.
The options that determine the function to be performed by the dfcrypt utility are described in
the table that follows. Each option can be specified using either of two formats.

Options Action
-e dfcrypt reads the source file or directory and generates an encrypted file or a
--encrypt directory of encrypted files. (This is the default action.)
-d dfcrypt reads an encrypted source file or directory and generates an
--decrypt unencrypted file or a directory or unencrypted files.
-c:<file> Name of a Vendor Code file (mandatory).
--vcf:<file>
 Working With the dfcrypt Command Line Utility 105

Options Action
-k:<key> The encryption key to be used to encrypt or decrypt data files (mandatory). You
--key:<key> must also specify this encryption key in Sentinel LDK Envelope for each
protected application that will access the protected data files. The key must
contain 8 printable characters. If you include special characters, enclose the
entire command in quotation marks. For example: "-k:qe4<!r^B"
-o Overwrite destination files, if any.
--overwrite
-r Enables recursive handling of all files in all subdirectories contained in the
--recursive specified source directory.
-h Displays the help screen, listing dfcrypt commands
--help
-q Suppresses output by excluding copyright information and the progress
--quiet indicator. Only error messages are displayed. This is particularly useful in
Makefile integration.
For example:
dfcrypt -h

Displays the dfcrypt parameters.

dfcrypt -c:demoma.hvc -k:4873Asdb data.txt data_crypt.txt

Encrypts the file data.txt using the specified Vendor Codes file and encryption key. The
encrypted file is written to data_crypt.txt.
dfcrypt --decrypt --recursive --vcf:demomb.hvc --key:4873Asdb myInputs myOutputs

Decrypts all the files in the directory myInputs and in all contained subdirectories, using
the specified Vendor Codes file and encryption key. The decrypted files are written to the
directory myOutputs.
 PART 3 - LICENSING
In this section:

n "Chapter 8: Introduction to Sentinel EMS" on page 109

Provides an overview of Sentinel EMS and the major processes it facilitates, lists its
prerequisites, and explains how to use the application.
n "Chapter 9: Preparing Your Sentinel LDK Licensing Plan " on page 117
Outlines the importance of licensing your software products, describes the licensing options
provided by Sentinel LDK, and explains how to prepare a licensing plan for use with
Sentinel EMS.
n "Chapter 10: Implementing Your Sentinel LDK Licensing Plan" on page 127
Describes how to use Sentinel EMS to define and manage the Features and Products
included in your Sentinel LDK licensing plan, and how to maintain Products and licenses as
circumstances change.
n "Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page
143
Describes how to use Sentinel EMS to manage and produce entitlements, and to perform
additional development-related tasks.
n "Chapter 12: Sentinel LDK Administration and Customer Services" on page 161
Describes how to use Sentinel EMS to define Sentinel LDK user details, maintain Batch
Codes, configure system settings, perform manual Product activation and maintain
customer data.
n "Chapter 13: Sentinel Remote Update System" on page 165
Describes the Sentinel Remote Update System utility (RUS utility) and explains how to use
the RUS utility to remotely update license data in deployed Sentinel protection keys.
n "Chapter 14: Generating Sentinel LDK Reports" on page 171
Provides an overview of the Sentinel EMS Reporting facility and describes some of the main
features of the facility.
 8
Chapter 8:
Introduction to Sentinel EMS

This chapter provides an overview of Sentinel EMS and the major processes it facilitates. It also
describes the user roles and their functions in Sentinel EMS, lists its prerequisites, and explains
how to start using the application.
An alternative to Sentinel EMS, the Sentinel License Generation API, is also described.

In this chapter:

n "Sentinel EMS Overview" on page 109

n "Sentinel EMS Users and User Roles" on page 111
n "Getting Started With Sentinel EMS" on page 112
n "Sentinel License Generation API" on page 115

This chapter provides high-level information on Sentinel EMS processes. For detailed

practical instructions for using each function in Sentinel EMS, see the Sentinel EMS help
system.

Sentinel EMS Overview
Sentinel EMS is a powerful role-based application designed to manage the business activities
required to implement and maintain Sentinel LDK in your organization.
Sentinel EMS streamlines the major workflows in the licensing lifecycle of a protected software
application, from the moment it is developed, through its packaging, marketing, selling, and
order-taking, to its distribution and upgrading.
Sentinel LDK separates the software protection process (implemented with Sentinel Licensing API
or Sentinel LDK Envelope) from the licensing and production processes (implemented with
Sentinel EMS), enabling you to modify your company’s licensing strategy as necessary when
circumstances change, and to implement these changes quickly and efficiently.

Sentinel EMS Major Workflows

Sentinel EMS is installed as a service under Windows. The Sentinel EMS Service handles three
major workflows: license planning, order processing and production, and software activation.
110 Chapter 8: Introduction to Sentinel EMS

License Planning

Before starting to use Sentinel EMS, it is recommended that business decision-makers in your

organization, such as product or marketing managers, prepare a licensing plan based on the
company’s licensing strategy.
The licensing plan identifies each individual functional component in your software applications
that can be independently controlled by a license. In Sentinel LDK, these components are referred
to as Features. A Feature may be an entire application, a module, or a specific functionality such
as Print, Save or Draw. Over 64,000 Features can be defined using Sentinel EMS.
In addition, the licensing plan can include the Products that your company wants to sell and/or
distribute for evaluation. In Sentinel LDK, a Product is a collection of one or more licensed
Features that can be sold or distributed as an item.
After completing the licensing plan, the Features and Products can be defined in Sentinel EMS. The
output of this process is a repository of Products that are stored in the Sentinel EMS database—
ready for customer orders.

You can make changes to your licensing plan and license models at any time, adding
Features and Products as required.

For additional information on preparing a licensing plan for use with Sentinel LDK, see "Chapter 9:
Preparing Your Sentinel LDK Licensing Plan " on page 117.
For a description of the many types of model licenses you can implement using Sentinel LDK, see
"PART 5 - LICENSING MODELS" on page 203.
For additional information on defining Features and Products in Sentinel EMS, see "Chapter 10:
Implementing Your Sentinel LDK Licensing Plan" on page 127.

Order Processing and Production

Staff in your organization’s orders department receive and fulfil entitlements. An entitlement is an
order for Sentinel LDK items, and can be one of the following:
n An order for Products to be supplied with one or more Sentinel protection keys
n A Protection Key Update that specifies changes to be made to the license terms and/or
data stored in Sentinel protection keys that have already been deployed
Order processing personnel process the entitlement details using Sentinel EMS. The license terms
of each Feature in the ordered Products may be specified when the Product is defined, or when
the entitlement is processed.
When all the details of an entitlement have been defined, the entitlement can be produced. The
Product details, including the license terms and memory data, are stored in the specified
Sentinel protection keys at the production stage or when the Product is activated, and can be
updated after the keys have been deployed.
For additional information on processing and producing entitlements in Sentinel EMS, see
"Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page 143.
 Sentinel EMS Users and User Roles 111

Software Activation and Online Updates

Product activation and online updates are performed using Sentinel EMS when your software is at
the end user’s site.
Product Activation with Sentinel SL Keys

With Sentinel SL keys, the software is only activated and usable after the following steps are
completed:
1. A Product Key is produced in Sentinel EMS and supplied to the end user.
2. The end user sends the Product Key to Sentinel EMS for validation.
3. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.
Online Updates

Online updates can be implemented in the following ways:

n The Protection Key Update information is stored in Sentinel EMS for use in software that
you provide to your end users. The update is then implemented as part of the end users’
installation process.
n A file that contains the Protection Key Update information is generated and sent to the
end user. This file can then be used with the Sentinel Remote Update System (RUS utility)
utility to ensure secure, remote updating of the deployed Sentinel protection keys.
For additional information on RUS utility, see "Chapter 13: Sentinel Remote Update
System" on page 165.
A receipt can be generated when a Protection Key Update is processed, to verify that the update
has been applied.

Sentinel EMS Users and User Roles

Sentinel EMS is a role-based application. The functions and tasks that you can perform are
determined by the user roles assigned to you by the Sentinel LDK Administrator.
The table that follows describes the roles available. (Almost all of the tasks listed in the table relate
to functionality in Sentinel EMS.)

Role Authorized Tasks For more information

Product Manager Define and manage Features and Products "Chapter 9: Preparing Your
Sentinel LDK Licensing Plan " on
page 117
"Chapter 10: Implementing
Your Sentinel LDK
Licensing Plan" on page 127
Entitlement Manager Define and manage customers "Chapter 11: Sentinel LDK
Enter and manage entitlements Entitlements, Production,
and Development Tasks" on
page 143
112 Chapter 8: Introduction to Sentinel EMS

Role Authorized Tasks For more information

Production Produce entitlements "Chapter 11: Sentinel LDK
Entitlements, Production,
and Development Tasks" on
page 143
Customer Services Define and manage customers "Chapter 12: Sentinel LDK
Manage Product activations Administration and Customer
Services" on page 161
Report Generation Run and view reports "Chapter 14: Generating
Schedule generation of and arrange Sentinel LDK Reports" on page
distribution of reports. 171
Development Perform development-related tasks "Chapter 11: Sentinel LDK
Operate Sentinel LDK ToolBox and Entitlements, Production,
Sentinel LDK Envelope and Development Tasks" on
page 143
Batch Code Admin Can perform the following functions for "Chapter 12: Sentinel LDK
the assigned Batch Codes: Administration and Customer
n Manage Sentinel LDK users Services" on page 161
n Maintain Master keys

n Configure system settings

n Generate reports

n Manage scheduled reports

Super User Can perform the following functions for all "Chapter 12: Sentinel LDK
Batch Codes: Administration and Customer
n Manage Sentinel LDK users Services" on page 161
n Maintain Master keys

n Configure system settings

n Generate reports

n Manage scheduled reports

The “admin” user is authorized to perform all functions in Sentinel LDK. Only the admin user can
assign the Super User role to another user.

Getting Started With Sentinel EMS

Before you start to use Sentinel EMS, ensure that:
n You have a URL to access the installation of Sentinel EMS at your site.
n You have received a Sentinel LDK user name and password from your Sentinel LDK system
administrator.
After you have logged in to Sentinel EMS, you can change the Sentinel LDK password that you
received to a password of your own choice. For additional information on changing your
password, see the Sentinel EMS help system.
 Getting Started With Sentinel EMS 113

Sentinel LDK passwords are case-sensitive, so ensure that you use upper-case and lower-
case letters correctly when you type your password.

Prerequisites for the Sentinel LDK Administrator

If you are performing administration functions for Sentinel LDK in your organization, it is essential
that you check the following requirements before you (or other users) start to use Sentinel EMS:
n A valid connection to the Sentinel EMS Server machine must exist. For additional
information on installing Sentinel EMS, see the Sentinel LDK Installation Guide.
n You must have a Sentinel Master key that contains your license for Sentinel LDK and your
company’s specific Vendor Code. If not previously introduced, the Sentinel Master key is
introduced during the Sentinel EMS Service installation process.
n The Sentinel Master key must remain connected to the Sentinel EMS Server machine in
order to enable you to perform Sentinel EMS functions. If Sentinel EMS is installed on
more than one machine, each machine must have a separate Sentinel Master key
connected locally.

If you are evaluating Sentinel EMS, you can use the DEMOMA Batch Code provided, which
does not require a Sentinel Master key.

n You must define user names, passwords, roles, and Batch Code access for each
Sentinel EMS user, and also for yourself. For additional information, see "Maintaining User
Details " on page 162.
A default user name and password is provided with Sentinel LDK to enable you to log in to
Sentinel EMS as the Sentinel LDK Administrator. The default user name and password is
admin .

For additional information on the Sentinel LDK administration tasks and options in Sentinel EMS,
see "Administration Tasks" on page 161.

Sentinel EMS Home Screen

When you log in, the Sentinel EMS Home screen is displayed.

114 Chapter 8: Introduction to Sentinel EMS

The Sentinel EMS Home screen provides a snapshot of the current status of important
information in Sentinel EMS. The information relates to all the Batch Codes for which the current
user has authorizations.
To return to this screen at any later time, click the Home tab.
The functions that each user sees on the Function bars will vary based on the roles that are
assigned to the user.

Sentinel EMS Screen

When you select any of the Function bars, the Sentinel EMS screen is displayed.
 Sentinel License Generation API 115

Sentinel EMS top-level web screens typically includes the following:

n Function bars, in which you select the function to perform.
n Main pane, in which you view and select items.
n Filter tool, which you can use to filter the items that are listed in the main pane.
n Details pane, in which you view details of the item selected in the Main pane.
n Task buttons, which you use to perform actions for the selected item.
The functions that each user sees on the Function bars will vary based on the roles that are
assigned to the user.

Using the Sentinel EMS Help

Detailed instructions for using each function and task in Sentinel EMS are provided in the
Sentinel EMS help system.
To access help, click the Help link at the top right of the screen. Many individual screens also
contain a help button for information about the contents of the screen.

Sentinel License Generation API

For sites that already have a licensing infrastructure in place or that prefer to implement an
alternative to Sentinel EMS, Sentinel LDK offers a standalone licensing solution.
You can use Sentinel License Generation API together with your existing licensing server software
and ERP and CRM back office systems for maximum flexibility and control over your business
processes.
Sentinel License Generation API provides the functionality required to generate and maintain
Sentinel protection keys, but without any of the back office services that are provided by Sentinel
116 Chapter 8: Introduction to Sentinel EMS

EMS. All the required services are provided by the system that you choose to implement. You
would use Sentinel LDK only to handle the protection and Feature-control functions for your
applications.
Sentinel License Generation API is included in Sentinel LDK ToolBox. Documentation for the API is
included in the ToolBox help system.

To generate licenses, the Sentinel Master key must be connected to the machine where
the program that calls Sentinel License Generation API is running. To connect the Sentinel
Master key from a remote machine, refer to the Sentinel LDK Installation Guide.

Switching Between Sentinel License Generation API and

Sentinel EMS
Wa r ning:
Se nt ine l E M S a nd Se nt ine l L ic e nse Ge ne r a t ion API c a nnot be use d in pa r a lle l
t o upda t e lic e nse s for a give n c ust ome r .

Sentinel EMS retains an update counter for each protection key that was created or updated
using Sentinel EMS. This update counter must remain synchronized with the update counter that
is stored in each protection key. If a protection key that was updated with Sentinel EMS is then
updated with Sentinel License Generation API, the synchronization with Sentinel EMS is lost, and it
is no longer possible to update the key using Sentinel EMS.
You can, on a one-time basis, move from using Sentinel EMS to using Sentinel License Generation
API to maintain a protection key, or vice-versa.
n You can move from Sentinel EMS to Sentinel License Generation API because Sentinel
License Generation API does not store the update counter. Instead, it relies on receiving
the update counter each time in the C2V file sent by the customer.
n You can move from Sentinel License Generation API to Sentinel EMS once. When Sentinel
EMS receives a C2V file for a given protection key for the first time, Sentinel EMS initializes
the update counter for that key in its database. From that point, the update counters in
Sentinel EMS and in the protection key must remain synchronized.
New functionality in Sentinel LDK is often introduced first in Sentinel License
Generation API and then, in a following release, in Sentinel EMS. Before you move
from Sentinel License Generation API to Sentinel EMS, make sure that all the
functionality that you are using is supported in Sentinel EMS. Otherwise, the C2V
files sent by customers may contain parameters that Sentinel EMS does not
recognize.
 9
Chapter 9:
Preparing Your Sentinel LDK
Licensing Plan

Before you start to use Sentinel EMS in your organization, you may want to prepare a detailed
licensing plan for use with Sentinel LDK. Although it is recommended that you prepare a licensing
plan, it is not a prerequisite for using Sentinel EMS. Licensing decisions can be implemented or
modified at any point.
This chapter outlines the importance of licensing your software products, describes the licensing
options provided by Sentinel LDK, and suggests how you might prepare a detailed licensing plan
for use with Sentinel EMS.
In this chapter:

n "Licensing Overview" on page 117

n "Preparing Your Licensing Plan" on page 118
n "Choosing the Protection Level for Your Products" on page 120
n "Designating Products for Trial or Grace Period Use" on page 122
n "Assigning License Terms to Features" on page 123
n "Utilizing Protection Key Memory" on page 124
n "Using Your Licensing Plan With Sentinel EMS" on page 125

This chapter provides high-level information about Sentinel LDK licensing options. For
detailed practical instructions for implementing the licensing options in Sentinel EMS, see
the Sentinel EMS help system.

Licensing Overview
"PART 2 - PROTECTION" on page 55, in this book explained in detail how to protect your software
and intellectual property. In addition to protecting these valuable assets, it is essential that you
protect your company’s revenue by ensuring that your software is available only to the
appropriate users, according to the terms that you define. This process is controlled by licensing.
118 Chapter 9: Preparing Your Sentinel LDK Licensing Plan

Licensing provides you with the flexibility to implement your business strategies for the sale and
distribution of your software products. You define the licensing terms with which your software is
distributed or sold according to your decisions about what is commercially beneficial to your
company.
For example, you may decide that you initially want to distribute your software free of charge, so
that users can try it before purchasing. You will want to ensure that users can use it for only a
limited time before it must be purchased.
Alternatively, you may publish very complex, expensive software. You may decide to make specific
components of that software available for a lower price, thus making parts of it accessible to users
who cannot afford the full-featured version.
The versatility of Sentinel LDK enables you to implement a wide variety of licensing models. For
more information on the many models you can apply to your software offering, see "PART 5 -
LICENSING MODELS" on page 203.

Preparing Your Licensing Plan

A useful step in the development of a licensing strategy is the preparation of a licensing plan.
Business decision-makers in your organization, such as product managers or marketing managers,
define protection and business rules, and specify the licensing models required to meet your
company’s business needs.
A licensing model is the logic behind a business decision relating to the way a Product is licensed.
For example, a rental license model enables you to charge for the use of software for a specific
period of time.
Sentinel LDK enables you to choose from a variety of out-of-the-box licensing models, including:
n Trialware (try-before-you-buy)
n Rental/Subscription
n Module-based
n Feature-based
n Floating users
n Time-based
n Execution-based
n Perpetual
n Unlocked
You can define additional licensing models and software usage terms to meet your company’s
individual requirements.
It is recommended that you prepare a licensing plan before you start to use Sentinel LDK to
streamline the implementation of your company’s licensing strategy. Your Sentinel LDK licensing
plan should be based on the detailed licensing requirements that you define for all the protected
software applications to be sold by your company, and/or distributed for trial use.
 Preparing Your Licensing Plan 119

The process of preparing a Sentinel LDK licensing plan can include the following steps:
1. Analyzing all the relevant software applications and identifying each functional component
that can be licensed individually.
2. Combining these components into licensed entities that can be offered to customers.
3. Deciding which Sentinel protection keys you want to supply with your software
applications.
4. Specifying the detailed licensing terms to be applied, according to your licensing strategy.
The output of such a process is a comprehensive licensing plan that can be implemented using
Sentinel EMS.

You can make changes to your licensing plan and license models at any time.

Identifying Functional Components (Features)

The recommended first step in evaluating and planning your licensing requirements involves
analyzing your software applications and identifying their functional components. Most
applications can be segmented into a number of distinct functional components. In Sentinel LDK,
these components are referred to as Features.
Each individual Feature is an identifiable functionality of a software application that can be
independently controlled by a license. In Sentinel LDK, a Feature may be an entire application, a
module or a specific functionality such as Print, Save or Draw.

Example: Specifying Features

Scenario: The Product Manager of High Quality Software Ltd. (HQ Software), a company providing
design software for the construction industry, identifies the specific functional components that
the company wants to license, and assigns a Feature name to each component.
The following table lists the defined functional components and the Feature names assigned to
each component:

Functional Component Feature

Drawing design plans DRAW
Viewing design plans VIEW
Saving projects SAVE
Printing designs PRINT DESIGNS
Printing predefined reports PRINT REPORTS
Generating tailored reports REPORT GENERATOR

Combining Features Into Products

After you have identified and listed all the individual Features to license, you can define the
different combinations of licensed Features that your company wants to sell.
120 Chapter 9: Preparing Your Sentinel LDK Licensing Plan

In Sentinel LDK, a collection of one or more licensed Features that can be sold as an item is
referred to as a Product. Products can differ from each other, not just in the Features that they
contain, but also in the license terms specified for each Feature.
Your licensing plan can contain the names of all the Products that your company wants to sell
and/or distribute for evaluation, and the Features that each Product includes.
In Sentinel LDK, you have full control over the specific Products you define, the Features they
include, and the license terms assigned to each Feature in each Product.

Example: Defining Products

Scenario: The HQ Software Product Manager decides to define a trial Product intended for
distribution to customers who want to evaluate their software. This Product, HQ Design Demo,
includes only the VIEW and PRINT DESIGNS Features.
In addition, the company defines:
n A Product intended for small-office customers, HQ Design Lite, offering the Features
included in HQ Design Demo, with the addition of DRAW and SAVE
n A Product targeted towards larger customers, HQ Design Pro, that offers all available
Features
(The REPORT GENERATOR Feature has not yet been fully developed and is not currently included
in the HQ Design Pro Product. This Feature is planned for a future release.)

Choosing the Protection Level for Your Products

Your choice of the Sentinel protection keys to be distributed together with your licensed software
reflects the level of protection you wish to apply and the way you intend to control the use of or
access to each Product.
Two types of Sentinel protection keys are available:
n Sentinel HL keys: The hardware-based protection and licensing component of
Sentinel LDK that provides the safest and strongest level of protection.
n Sentinel SL keys: The software-based protection and licensing component of
Sentinel LDK—virtual Sentinel HL keys. Sentinel SL keys are further divided into
AdminMode and UserMode keys
For more information on the different types of keys and a comparison of the benefits for each
type, see "End-User Keys" on page 44.
Your software and the user license are both locked to the Sentinel protection key that you select.
When you define the Products to be included in your licensing plan, you also select which
Sentinel LDK locking type to assign to each Product. The locking type determines the level of
protection for each Product, as follows:
n HL hardware-based level of protection
n SL AdminMode or SL UserMode: software-based level of protection
 Choosing the Protection Level for Your Products 121

n HL or SL AdminMode or HL or SL AdminMode or SL UserMode: software-based level of

protection

Sentinel HL Key Protection and Activation

A Product that is protected with a Sentinel HL key can be activated only after the end user
receives a Sentinel HL key containing the license terms for the Product and connects the key to
the computer.

Benefits of Sentinel HL Key Protection

Sentinel HL key protection provides the strongest level of protection against piracy. The correct
functionality of the software depends on the internal logic of the Sentinel HL key, which is virtually
tamper-proof.
In addition, Sentinel HL key protection:
n Offers the strongest enforcement for license terms, which are stored and protected inside
the Sentinel HL key.
n Enables portability—the software can be used on any computer to which the Sentinel HL
key is connected.
n Does not require transaction with the software vendor to enable activation of the
Product.

Sentinel SL Key Protection and Activation

A Product that is protected with a Sentinel SL key can be activated only after the following steps
have been completed:
1. A Product Key, consisting of a string of characters, is generated in Sentinel EMS and
supplied to the end user.
2. The end user returns the Product Key as proof of purchase.
3. The Product Key is sent to Sentinel EMS for verification.
4. A Sentinel SL key with license terms is sent back and installed on the end user’s computer.
(The end user can perform steps 2, 3, and 4 automatically with the Sentinel EMS Customer Portal.)

Benefits of Sentinel SL Key Protection

With Sentinel SL key protection:

n Product activation is instantaneous. End users can immediately start using the software
with its fully licensed functionality.
n The activation process for end users is convenient and transparent.
n The online connection with end users can enable user registration data to be collected
and used for marketing purposes.
122 Chapter 9: Preparing Your Sentinel LDK Licensing Plan

n When using a network license that is locked to a Sentinel SL key, you can specify that a
license can be detached from the pool of network seats and attached to a remote
recipient machine.

Specifying the Protection Level for Individual Orders

Sentinel LDK gives you the flexibility to choose the Sentinel protection keys for a Product or
according to the requirements of each individual order.
If you prefer not to specify the protection level in advance, you can assign the HL or SL
AdminMode or SL UserMode locking type to a Product. With this locking type, the decision on
which type of Sentinel protection key is to be shipped with the Product is made when each order
is processed.

Although SL keys provide a high level of protection, HL key security is superior.

A Product that can be distributed with both HL and SL keys provides HL key-level
protection if the Product is only shipped with HL keys.
However if the Product is also shipped with SL keys, the overall level of security should be
considered to be that provided by SL keys. This is because there is always the possibility
that an attacker could have access to a deployed SL key.

Designating Products for Trial or Grace Period Use

Sentinel LDK enables you to create, protect, and distribute secure trialware versions of your
software. You can invite users to download your trial software from networks, to share it with
other users, and to give it away to their friends or colleagues. End users then have the option to
purchase your software and to turn their trial copy of into a fully-functional version by activating it
with a Sentinel protection key.
You can also use Sentinel LDK to define grace periods for your software. During the grace period,
and even after activation, end users can pass copies of their purchased software to as many
friends as they wish. When a friend installs the software, it automatically reverts to a limited trial
version for the entire grace period. After the grace period expires, the software can no longer run
until it is activated with a Sentinel protection key.
Sentinel LDK enables you to define trial and grace periods for software protected with any type of
Sentinel protection key.
For example, software protected with Sentinel HL keys can be purchased and delivered over the
Internet while the Sentinel HL keys are shipped, and end users can start using the software while
waiting for the arrival of their key.
Similarly, end users who purchase and install a software application can use it for a 30-day grace
period without activating it. During this grace period, they can activate the software remotely and
receive a Sentinel SL key, after which the software will run according to the purchased license
terms stored in the keys. If the grace period expires and the software has not been activated, it
will stop running until activated by the end user.
In Sentinel LDK, a Product that is intended for distribution as trialware or for use during a grace
period is referred to as an Unlocked Trialware Product. Sentinel LDK locking types are not
 Assigning License Terms to Features 123

applicable to Unlocked Trialware Products, since these Products are distributed without
Sentinel protection keys.
Your licensing plan can include all the Unlocked Trialware Products to be offered by your
organization.

Assigning License Terms to Features

Sentinel LDK enables you to assign individual license terms to each Feature in each Product that
you define. You can also define Products that include the same Features, but with different license
terms. Such decisions are based on the commercial requirements of your organization, and on the
license models that you choose to implement.
You can control Feature usage through the license by specifying the license type to be applied.
You can choose one of the following license types:
n Perpetual: Indicates that the license can be used an unlimited number of times for an
unlimited period of time.
n Expiration Date: Specifies the date on which the license expires.
n Executions: Specifies the maximum number of times that the Feature can be used.
n Time Period: Specifies the number of days until the license expires, from the date of first
use.
After you select the type of license to apply to each Feature in a Product, you can specify its
value, for example, the number of times that a Feature can be used.
If the Feature is intended to be used on a network or remote desktop, you can also specify the
number of concurrent instances (network seats) allowed, and you can specify how concurrent
instances are to be counted for the purpose of the license. In addition, if the Feature will be used
in Products that are locked to Sentinel SL keys, you can specify that the Feature and its license
may be temporarily detached from the network for attachment to a remote recipient machine.

Specifying License Values for Individual Orders

Sentinel LDK offers you maximum flexibility with regard to license terms, enabling you to supply
the same Product to different customers with different license term values.
You do not have to specify in advance the exact values for the license type or the number of
concurrent instances for each Feature in the Product. When each order for the Product is
processed, the person processing the order defines the values required for that specific order.

Example: Specifying License Terms and Protection Levels

Scenario: The HQ Software Product Manager decides to specify the following license terms for its
three Products:
n A trial period of 30 days for the PRINT and VIEW Features in its HQ Design Demo Product
n A low-cost annual rental license for the DRAW and SAVE Features in the HQ Design Lite
Product, with unlimited usage for the PRINT and VIEW Features
124 Chapter 9: Preparing Your Sentinel LDK Licensing Plan

n A more costly, full-featured license for the HQ Design Pro Product that specifies unlimited
usage for all Features
The following protection levels are defined for each of the Products:
n HQ Design Demo is defined as an Unlocked Trialware Product, to enable it to be
distributed freely for evaluation
n HQ Design Lite is supplied with Sentinel SL key protection, enabling electronic distribution
n HQ Design Pro is supplied with Sentinel HL key protection, for maximum security
The following table summarizes the three Products, their protection levels, and their licensed
Features:

Product: HQ Design Demo HQ Design Lite HQ Design Pro

Protection Level: Unlocked Trialware Sentinel SL keys Sentinel HL keys
License Model: Trial Rental Unlimited
Feature
DRAW – Expires after 1 year Unlimited
VIEW 30 days Unlimited Unlimited
SAVE – Expires after 1 year Unlimited
PRINT DESIGNS 30 days Unlimited Unlimited
PRINT REPORTS – – Unlimited
REPORT GENERATOR – – Not yet available

Utilizing Protection Key Memory

All Sentinel protection keys—with the exception of Sentinel HL Basic keys—contain secure internal
read-only and read/write memory. You can define specific segments for memory data and choose
whether the data is added when you create a Product or when an order is being processed.
You can use the memory, for example, to:
n Store licenses from your own licensing schemes
n Save passwords, program code, program variables, and other data
Memory data can be defined for each Product. The contents of the memory are transferred to the
secure memory of the selected Sentinel protection keys together with the Features, license terms
and other data defined for the Product.
You can add any specific data that is required to be stored in memory for each Product to your
licensing plan. For more information, see "Defining Protection KeyMemory Data" on page 134.
 Using Your Licensing Plan With Sentinel EMS 125

Using Your Licensing Plan With Sentinel EMS

Your licensing plan can be implemented using Sentinel EMS. As your licensing requirements
change, you can revise the licensing plan and ensure that the changes are implemented using
Sentinel EMS. Your licensed Products can be easily and securely updated as required, after they
have been deployed to customers.
For additional information on implementing and maintaining your licensing plan, see "Chapter 10:
Implementing Your Sentinel LDK Licensing Plan" on page 127.
Sentinel LDK offers you the flexibility to update your licensing strategy as necessary, and to adapt
rapidly to changes in the market, in your company’s business strategy, or in customer purchasing
preferences.
 10
Chapter 10:
Implementing Your Sentinel LDK
Licensing Plan

This chapter is intended for Sentinel EMS users who are assigned the Product Management role.
It describes how to use Sentinel EMS to define and manage Features and Products in Sentinel LDK,
and to maintain Products and licenses as circumstances change.
For information on preparing a licensing plan and on Sentinel LDK licensing options, see "Chapter
9: Preparing Your Sentinel LDK Licensing Plan " on page 117.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 8: Introduction to Sentinel EMS" on page 109.
In this chapter:

n "License Planning in Sentinel EMS" on page 127

n "Managing Features " on page 128
n "Managing Products" on page 129
n "Maintaining Products and Licenses" on page 137

This chapter provides high-level information on license planning and definition processes.
For detailed practical instructions for using each function in Sentinel EMS, see the
Sentinel EMS help system.

License Planning in Sentinel EMS

Before you start to use Sentinel EMS for license planning, it is suggested that you prepare a
licensing plan. For additional information, see "Chapter 9: Preparing Your Sentinel LDK Licensing
Plan " on page 117.
When you start Sentinel EMS, you have access to the Licensing Plan group of functions, including:
n Managing Features
n Managing Products
Each of these functions is described in this section.
128 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

All Sentinel LDK Features and Products are associated with a Sentinel LDK Batch Code. For
additional information on Batch Code, see "Personalized Vendor and Batch Codes" on
page 43.

Managing Features
When you display the Features screen in the Sentinel EMS window, you can view the details of all
defined Features associated with the selected Batch Code. You can perform the following tasks
using the Features screen in Sentinel EMS:
n Define Features
n Withdraw Features from use

Defining Features
If you have prepared a licensing plan, the first stage in its implementation is to use Sentinel EMS
to define all the Features that you listed in the plan.
Before you begin to define Features, ensure that you have the following information available for
each new Feature:
n The Batch Code associated with the Feature
n A Feature Name that is unique in the selected Batch Code (mandatory). The maximum
length for a Feature Name is 50 characters.
n A free-text description that provides additional information about the Feature (optional)
n The ID number that you want to assign to the Feature (optional). The ID must be unique
in the selected Batch Code. The same Feature ID may be used in more than one Batch
Code.
 Managing Products 129

After you have defined a Feature, and until the Feature is included in a Product, you can change
these properties in Sentinel EMS. After the Feature has been included in one or more Products,
you can open the Feature to view its details, but you cannot change them.

License terms are Feature-specific in Sentinel LDK. However, they are not defined as part of
the Feature properties. The license terms for a Feature are specified when the Feature is
added to a Product, or when the Product is added to an entitlement. This is because the
same Feature may be included in a number of Products, and the license terms for the
Feature may vary according to the requirements of the Product or of the entitlement.

Feature Identification

By default, Sentinel EMS generates a unique Feature ID for each new Feature. You can assign your
own numeric identifier to the Feature, for example, to maintain consistency with existing Feature
data. The Feature ID that you specify must be unique in the selected Batch Code.

Transferring Feature Definitions for Development Use

After you have defined the Features for a selected Batch Code, users authorized to perform
Development tasks can transfer the Feature data to a file that can be used for development and
protection purposes. For more information on transferring Feature definitions, see "Exporting
Definition Data" on page 158.

Feature Status Values

When a Feature is first defined, you can edit the Feature and modify any of its attributes,
including the Feature Name and Feature ID.
Once the Feature has been included in one or more Products, the Feature Name and Feature ID
can no longer be modified.

Deleting Features
If the Feature has not been included in any Product, you can delete it. A Feature cannot be
deleted once it has been deployed in at least one Product.

Managing Products
When you display the Products screen in the Sentinel EMS window, you can view the details of all
defined Products associated with the selected Batch Code.
130 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

You can perform the following tasks using the Products screen in Sentinel EMS:
n Define new Base Products
n Define new Unlocked Products
n Copy existing Products
n Define new Modification Products
n Define Cancellation Products
n Open a Product to view or modify details
n Withdraw Products from use
n Restore Products that have been made obsolete
n Delete a Product

You cannot modify license terms for a Product or delete a Product that has been fully
defined (with the Complete status).
 Managing Products 131

Defining New Products

Before you start to define the new Products in your licensing plan, ensure that you have the
following information available for each Product:
n The Batch Code associated with the Product
n A Product Name that identifies the Product and is unique in the selected Batch Code
(mandatory). The maximum length for a Product Name is 50 characters.
n A free-text description that provides additional information about the Product, for
example, the functionality it includes (optional)
n Product reference information that can identify the Product in a different system, for
example, a product code in your company's ERP system (optional)
n The level of protection (locking type) that you want to apply to the Product
n The Features to be included in the Product
n The license terms for each Feature to be included in the Product
n The data to be stored in the memory associated with the Product
After a Product has been defined, it can be included in orders. For additional information on
processing orders, see "Defining Entitlements" on page 145.
Until the Product is included in an order, you can change the Product properties, Features, and
memory contents in Sentinel EMS. After the Product has been included in at least one order, you
can open the Product to view its details. However, you cannot make any changes.
The only changes that can be made after a Product is included in an order are those related to
licensing terms and memory data that have been previously specified as definable at order time,
and these changes are made when the order is being processed.

Product Types

The basic unit on which all Products are built is the Base Product. A Base Product can contain all
the Product attributes such as Features, licensing data and memory—and can be used as a
Product that you offer for sale, and/or as a “shell” on which other Product types are built.
You can define Unlocked Products for use during a grace period or as trialware. A Unlocked
Product can also be defined for an extended period or with a perpetual license for distributing
Unlocked Products. The properties for Unlocked Products are not identical to those for standard
Products. For additional information, see "Defining Unlocked Products" on page 136.
You can copy an existing Product to create a new Product. For additional information, see
"Duplicating a Product" on page 137.
You can define Modification Products and Cancellation Products to modify or cancel Products
that have been deployed at customer sites. For additional information, see "Maintaining Products
and Licenses" on page 137.
132 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

Selecting the Locking Type for the Product

When you define a Product, you must select a locking type. The locking type determines:
n The level of protection for the Product
n The type of Sentinel protection keys that can be shipped with the Product
n The way that the Product can be activated
The locking type options are described in "Choosing the Protection Level for Your Products" on
page 120.

Protection Against Cloning

This section describes the protection of your protected application against attempts to clone the
physical or virtual machine on which the protected application is installed.
One of the methods sometimes employed to enable the illegitimate use of licensed software is
machine cloning. Machine cloning involves creating an image of one machine (including your
software and its legitimate license) and copying this image to one or more other machines. If
there is no way to detect that the new image is running on different hardware than that on which
it was originally installed, multiple instances of the software are available even though only a
single license was purchased.
Sentinel LDK can detect probable machine cloning and disable protected software that is locked to
Sentinel SL keys. Clone detection is effective whether the protected software is installed on a
physical machine or on a virtual machine.

When software is locked to a Sentinel HL key, the physical key must be present in order
for the software to run. Even if a machine image, including your software, is cloned, the
software cannot run without the Sentinel HL key to which the software license is locked.

Protection against cloning is applied automatically when a protection application is locked to a

Sentinel SL key
For each Feature, you specify whether you want to allow the Feature to be accessible on virtual
machines at the time you add the Feature to the Product or when preparing the order for the
Product. By default, each Feature is accessible on virtual machines.
The clone protection functionality is tuned to minimize the occurrence of potential false positives
(detection of a clone when no cloning exists), and reduce unnecessary calls to your technical
support. As a result, it is possible that the clone protection functionality may not detect a cloned
machine in every case. However, the possibility of this occurrence is low, especially when physical
machines are cloned. (For information on how Sentinel LDK detects cloned software and clone
protection schemes, see "Appendix D: How Sentinel LDK Detects Machine Cloning" on page 273.)
When the Sentinel LDK Run-time Environment detects cloning, it disables the licenses for which
clone protection was specified. The end user is unable to log in to the software for which cloned
licenses have been detected. The end user must activate the software before it can be used. Other
licenses for which clone protection was not specified are not affected and the user may continue
to log in and use the applications.
 Managing Products 133

Detection of cloned licenses is recorded in the Sentinel License Manager and displayed in the
Sentinel Admin Control Center. For additional information, see the Admin Control Center help
system.
The following workflows provides an overview of how to enable clone detection for licenses locked
to Sentinel SL keys, and how to manage licenses that have been disabled due to the detection of
machine cloning.
During software protection:

n During protection of your software, use the Sentinel Licensing API to define how your
application should behave when machine cloning is detected. For example, the application
might display a message telling the end user that the software is disabled due to clone
detection and that they should contact your customer services team.

If you use only Sentinel LDK Envelope for applying protection, (that is, without
incorporating any additional software engineering), software that is disabled due to
detection of cloning will return the following message to the end user: Unknown error.
H64

During Product definition:

n When defining Products in Sentinel EMS:

o For each Feature, decide whether the Feature should be accessible on virtual
machines (this can also be decided during order entry). By default, accessibility on
virtual machines is enabled.
During Product activation:

1. When Sentinel EMS detects cloning via the C2V file, it disables the protected application on
the end user's machine.
2. To enable the protected on the end user's machine, the end user must send a new
fingerprint for machine. This fingerprint can be generated with the RUS utility, or with the
GetInfo function in Sentinel Licensing API. Use the fingerprint to generate a new entitlement
for the end user.
Additional Information about Clone Protection

n If you attempt to check in a C2V file, and Sentinel EMS detects that the C2V is from a
cloned machine, you cannot check the file into the Sentinel EMS database. Similarly, you
cannot use a C2V file from a cloned machine to create a license update.
You can click View Details in the Check in Key screen to view details of the C2V if required.

Specifying the License Terms for Features in a Product

When you include a Feature in a Product, the following default license terms are assigned:
n License type: Perpetual
n Number of concurrent instances: Unlimited
134 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

To specify the required license terms for the Feature, you can:
n Select a different license type:
o Expiration Date
o Executions
o Time Period
n Assign a value for the selected license type:
o The expiration date
o The number of executions
o The number of days until the license expires, from the date of first use
If the Feature is intended to be used on a network, virtual machine, or remote desktop, you can
specify the number of concurrent instances allowed, and you can select how concurrent instances
are counted:
n Station: Each login request for a single machine is counted as an instance (default)
n Login: Each login request is counted as an instance
n Process: Each login request for a single process is counted as an instance
If the Feature is in a Product that will be locked to a Sentinel SL key, and is defined to be used on
a network, you can specify that the license is allowed to be temporarily detached from the
network pool. This means that the license can be attached to a remote recipient machine that is
not connected to the network, to enable a user to work offline.
If required, you can specify that a user working in Remote Desktop (terminal machine) mode can
access the license. Similarly, you can specify that the license for a Feature in a Product that will be
locked to a Sentinel SL key can be enabled to run on a virtual machine.
If you choose to make a Feature excludable, you enable the decision about whether the Feature is
to be included in a specific order to be made at the time the order is being produced.
You can leave the value for the license type undefined at this stage, and specify that the exact
value will be defined when each order for the Product is processed.
Similarly, you can specify that the number of concurrent instances will be defined when an order
for the Product is processed.
The above license term options do not apply to Unlocked Products. For additional
information, see "Defining Unlocked Products" on page 136.

Defining Protection KeyMemory Data

When you define a Product in Sentinel LDK, you can define the layout and contents of the
memory data associated with the Product. At the customer site, memory data is stored in the
protection key on the end user's computer or network.
 Managing Products 135

Sentinel LDK provides two types of Protection Key memory:

n Default memory
Default memory is available in all Sentinel HL and SL keys, except for Sentinel HL Basic
keys. The amount of memory available depends on the type of key.
Default memory is divided into two fixed partitions:
o Read/Write memory: Data that can be updated when the deployed protected
application is running, such as dynamic values for counters, or information
retrieved during interaction with the user.
o Read-Only memory: Data that can be read when the protected application is
running but cannot be changed. For example: the Product version number, text to
be used in a “Welcome” message, fixed threshold values for counters.
You can divide each partition into multiple segments and enter data into them as
required. Each segment is defined by an offset from the start of the partition and a
length. It is the developer's responsibility to keep track of the location and size of each
segment. You can redefine the data and the layout of each partition as required. In
Sentinel EMS, you can specify that data is entered in one or more of the memory
segments at order time.
n Dynamic memory
Dynamic memory is available in all Sentinel HL (Driverless configuration) keys except for
Sentinel HL Basic keys and Sentinel HL Pro keys. Dynamic memory is not available in
Sentinel (HASP configuration) keys or Sentinel SL keys.
Dynamic memory is significantly larger than Default memory. However, dynamic memory
space is shared between dynamic memory files (the space available to you for your
applications, similar to default memory files) and license data (Features and Product). All
space that is not utilized for license data can be used for dynamic memory files. For more
information, see "Appendix C: Maximum Number of Features in a Sentinel HL Key" on
page 271.
Dynamic memory can be divided into dynamic memory files. Each file is assigned an
identifier, which is used by your application to refer to that file. You can assign a size to
the file at the time you create it, or allow the file size to be assigned automatically based
on the amount of data that is written to the file. The following types of dynamic memory
files can be created:
o Read/Write file: Data that can be updated when the deployed protected
application is running, such as dynamic values for counters, or information
retrieved during interaction with the user.
o Read-Only file: Data that can be read when the protected application is running
but cannot be changed. For example: the Product version number, text to be used
in a “Welcome” message, fixed threshold values for counters.
o Read/Write-Once file: Data that can be updated once when the deployed
protected application is running. After a successful update, the memory becomes
read-only memory.
Protection Key memory is set up using either Sentinel EMS or Sentinel License Generation API.
136 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

In the current release of Sentinel LDK, dynamic memory files can only be created,
modified, or deleted using Sentinel License Generation API.

You can use any of the different types of memory to store and control licenses from your own
licensing schemes.
For information on the amount of memory available for each type of Sentinel HL key, see the
Sentinel HL Data Sheet. Sentinel SL keys contain 2,048 bytes of read-only Default memory and
4,032 bytes of read/write Default memory.

The memory in the protection key is shared by all Products in the key. When you allocate
memory for a Product: Make sure that the memory space does not conflict with memory
space for any other Product that may be protected with the same protection key.

The data defined in memory is written to the secure memory of the Sentinel protection keys
together with the Features, license terms and other data defined for the Product.

Defining Unlocked Products

An Unlocked Product can be created:
n to be distributed for use during a grace period or as trialware.
n to be distributed as an Unlocked Product, which is, in effect, a perpetual trialware
Product. The vendor can use Sentinel LDK to protect the application, but can use a
mechanism other than Sentinel LDK to license the application (or can impose no license
restrictions on the application). Note: To generate an Unlocked Product, the vendor must
purchase the Unlocked License Module for the Sentinel Master key.
The properties of an Unlocked Product are similar to those for a standard Product, with the
following exceptions:
n Locking Type: Unlocked Products do not require a locking type, since they can be
activated and used for a limited period without a Sentinel protection key.
n License Terms: Each Feature in an Unlocked Trialware Product is automatically assigned a
Time Period value of 30 days. This value can be changed to a value with the range of 1–90
days. For an Unlocked Product, each Feature can be assigned a license for any amount of
time or a Perpetual license.
For additional information on the purpose and use of Unlocked Products for trialware, see
"Designating Products for Trial or Grace Period Use" on page 122.
Unlocked Products are not available for inclusion in customer orders. Users authorized to perform
Development tasks can bundle Unlocked Products for distribution. For additional information, see
"Generating Bundles of Unlocked Products" on page 157.

When packaging a Run-time Environment installer with a V2C file for one or more Products
in Sentinel EMS, you cannot include a Product that only has the locking type SL
UserMode.
 Maintaining Products and Licenses 137

Product Status Values

A Product can be assigned one of the following statuses:
Draft - The Product is not ready for distribution. The Product can be modified or deleted.
Complete - The Product can be included in an entitlement. The Product can be modified.
However, it cannot be deleted. You can change its status to End of Life if you do not want the
Product to be distributed any longer. Once the Product has been included in an entitlement
("Deployed"), the license terms can no longer be modified.
End of Life - The Product cannot be included in an entitlement. The Product's license terms
cannot be modified. However, if you edit and save the Product, its status changes back to
Complete and the Product can again be included in an entitlement.

Duplicating a Product
After you have defined a Product, you can easily define additional Products with similar details,
using the Copy option in Sentinel EMS. This option creates a new Product using the defined
properties, Features, and memory contents of the original Product, and enables you to make any
changes you require, with the exception of changing the Base Product or the Product locking
type.

If you duplicate a Base Product, you can give it a new name.

Withdrawing a Product
At some stage, you may want to withdraw a selected Product from use and specify that it can no
longer be included in orders, for example, if it is being replaced by an updated version.
If the Product has the status Draft, you can delete it. A Product cannot be deleted once it has
been assigned the status Complete. You can, however, withdraw the Product from use by
marking it as End of Life.
A withdrawn Product cannot be added to entitlements, but its details are maintained in
Sentinel EMS for tracking purposes, and it continues to be functional when already at the end
user’s site.

Restoring a Product

A Product whose status is End of Life can be restored to the Complete status. A restored Product
can be used in the same way as any other Product.

Maintaining Products and Licenses

After you have defined the initial Features and Products, you can use the Licensing Plan options in
Sentinel EMS to cater for changing circumstances, such as the release of new software versions
and changes in customer requirements.
138 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

Sentinel EMS enables you to maintain your licensing plan by defining new Features and Products
as required. In addition, you can use Sentinel EMS to:
n Manage Product versions
n Cancel Product licenses

Managing Product Versions

After you have implemented your initial licensing plan, you need to continue to review and
update it to allow for changes in your company’s software applications, in customer demand, in
the market, and other considerations. For example:
n Your company develops an enhanced version of an existing Product and you want to
offer the new versions for sale instead of (or in addition to) the original Products.
n You want to offer your existing customers the opportunity to replace their current version
of a Product with an upgraded version that has additional Features.
n Feedback from your customers indicates that they want to purchase a specific Product
with different license terms than you are currently offering.
In circumstances such as these, since you cannot change the properties of an existing Product
after it has been ordered, you can define a Modification Product based on the Base Product.
A Modification Product is a modified version of an existing Product, containing changes such as:
n A software upgrade
n Extended license terms
n Added or removed Features
You can define several Modification Products for the same Base Product, with different Features,
memory and/or license terms.

You can also define Modification Products based on an existing Modification Product.

Defining a Modification Product

Before you start to define a Modification Product, ensure that you have the following information
available:
n The name of the Product that is being modified
n The Batch Code associated with the Product that is being modified
n A Product Name that identifies the Modification Product and is unique in the selected
Batch Code (mandatory). The maximum length for a Product Name is 50 characters.
n A description (free text) that provides additional information about the Modification
Product, for example, the changes it includes (optional)
n The details of the required changes, including Features to be added or removed, memory
and license term updates, or any combination of these.
 Maintaining Products and Licenses 139

Specifying License Terms and Memory for a Modification Product

To change the license terms for each Feature in the Modification Product, you can:
n Change the value for the license type by adding or subtracting days or number of
executions
n Change the settings for concurrent instances, if appropriate
n Overwrite the license terms including selecting a new license type
n Change memory segments or data
n Cancel the license
You can leave the license type value and the concurrent instances settings unchanged at this
stage, and specify that they will be changed when each individual order for the Modification
Product is processed.

Example: Defining a Modification Product

Scenario: When the Product Manager of HQ Software originally defined the HQ Design Pro
Product (in the example "Example: Specifying License Terms and Protection Levels " on page 123),
the REPORT GENERATOR Feature was not yet available.
This Feature has now been developed, tested, and protected, and has been included in an
enhanced version of HQ Design Pro (v.2.0). This version of the Product is ready for sale to new
customers, and can also be issued to customers who hold current licenses.
Accordingly, the Product Manager for HQ Software defines a Modification Product for the HQ Design
Pro Product, named HQ Design Pro v.2.0.
When the Modification Product is defined, the REPORT GENERATOR Feature is added to the
Product, with the same license terms as for the other Features.

Issuing Modification Products

Modification Products can be included in orders in the same way as the original Products.
For example, if the Modification Product is intended to replace the Product in Sentinel protection
keys that have already been deployed, it can be included in a Protection Key Update order. When
the Protection Key Update is applied, the data for the Modification Product is added to the data
for the original Product in the Sentinel protection keys.
For additional information on defining and producing orders, see "Chapter 11: Sentinel LDK
Entitlements, Production, and Development Tasks" on page 143.
140 Chapter 10: Implementing Your Sentinel LDK Licensing Plan

Canceling Product Licenses

In certain circumstances, it may be necessary to cancel the license terms for one or more Features
in a Product that has been delivered to a customer. For example:
n To revoke a deployed license
n To cancel the license for a Product that has been returned before its license terms have
expired
A Cancellation Product can be defined for the Product, with values that cancel previous license
terms. This Cancellation Product can be used whenever the license terms of the original Product
need to be cancelled.
The process of canceling the license terms of a specific instance of a Product can include the
following stages:
1. When the original Product needs to be cancelled, a Customer-to-Vendor (C2V file) is
requested from the customer, containing the required license information.
2. An order for the Cancellation Product is defined and produced.
3. If the Product license is being moved to another computer, a new order for the original
Product is produced with the appropriate details.
4. The changed license information is sent to the customer.
5. An acknowledgment receipt is returned by the customer when the change has been
implemented.
For additional information on C2V files and on defining and producing orders, see "Chapter 11:
Sentinel LDK Entitlements, Production, and Development Tasks" on page 143.

Defining a Cancellation Product

Before you start to define a Cancellation Product, ensure that you have the following information
available:
n The name of the Product to be cancelled
n The Batch Code associated with the Product to be cancelled
n A Product Name that identifies the Cancellation Product and is unique in the selected
Batch Code (mandatory). The maximum length for a Product Name is 50 characters.
n A description (free text) that provides additional information about the Cancellation
Product, for example, the reason it is required (optional)
n The Features to be cancelled

Specifying License Terms or Memory for a Cancellation Product

The options for defining the license terms for a Cancellation Product are exactly the same as for a
Modification Product. For additional information, see "Specifying License Terms and Memory for a
Modification Product" on page 139.
 Maintaining Products and Licenses 141

Example: Canceling a License

Scenario: A new customer, TOP Construction, purchased a one-year rental license for the
HQ Design Lite Product. After three months, the customer wants to cancel the license and receive
a refund.
HQ Software defines a Cancellation Product for the HQ Design Lite Product, with the license terms
cancelled for all the Features in the Product. This Cancellation Product is only defined once—it can
subsequently be used whenever required in similar circumstances.
TOP Construction is asked to send a Customer-to-Vendor (C2V) file. The file is received and
processed in Sentinel EMS.
A Protection Key Update order is defined and produced for the HQ Design Lite Cancellation
Product. The resulting Vendor-to-Customer (V2C) file containing the changed license details is sent
to TOP Construction. TOP Construction applies the V2C file, then generates and returns a C2V file,
confirming that the license cancellation has been applied. HQ Software then issues a refund.
For additional information on C2V and V2C files, and on defining and producing orders, see
"Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks" on page 143.
 11
Chapter 11:
Sentinel LDK Entitlements,
Production, and Development Tasks

The first part of this section is intended for users assigned the Entitlement Manager and
Production roles in Sentinel EMS. It describes how to use Sentinel EMS to manage and produce
entitlements (customer orders).
The final part of this section is intended for users assigned the Development role. It describes how
to use Sentinel EMS to perform development-related tasks, including generating bundles of
Unlocked Products and Sentinel LDK Run-time Environment installer files, and exporting definition
files.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 8: Introduction to Sentinel EMS" on page 109.
In this chapter:

n "Sentinel LDK Entitlement Processing and Production " on page 143

n "Managing Entitlements " on page 144
n "Producing Entitlements" on page 152
n "Performing Development-related Tasks" on page 157
n "Enabling Trial Use and Grace Periods" on page 159

This chapter provides high-level information on the entitlement management, production,

and development-related processes in Sentinel EMS. For detailed practical instructions for
using each function, see the Sentinel EMS help system.

Sentinel LDK Entitlement Processing and Production

An entitlement is the execution of a customer order for Sentinel LDK items, and can be one of the
following:
n An order for Products to be supplied with one or more Sentinel protection keys
n A Protection Key Update that specifies changes to be made to the license terms and/or
data stored in Sentinel protection keys that have already been deployed
144 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

For entitlements that generate Product Keys, the customer receives an email from Sentinel EMS
that contains the keys. The customer is able to log in to the EMS Customer Portal using the
Product Key in order to activate the Product.
After Features and Products have been defined in Sentinel EMS, entitlements can be processed
and produced using the Production group of functions, including:
n "Managing Entitlements " on page 144
n "Producing Entitlements" on page 152
n "Performing Development-related Tasks" on page 157

The specific Sentinel EMS functions you can access in the Production group of functions depend
on the role assigned to you, as follows:
n If you have been assigned the Entitlement Manager role, you have access to both the
Order Management and the Customer Services functions
n If you have been assigned the Production role, you have access only to entitlement
production functions
n If you have been assigned the Development role, you have access only to the
Development functions

Managing Entitlements
This section is intended for users assigned the Entitlement Manager role.
When you select the Entitlements > Entitlements tab in the Sentinel EMS window, you can view
the details of all entitlements associated with the selected Batch Code.
 Managing Entitlements 145

For additional information on Batch Codes, see "Personalized Vendor and Batch Codes" on
page 43.

Management of entitlements includes the following tasks:

n Define new customers
n Define entitlements
n Delete entitlements
n Process Customer-to-Vendor (C2V) information

Defining Entitlements
Before you start to define an entitlement for a customer in Sentinel EMS, ensure that you have
the following information available:
n Details of the customer who placed the order (optional)
n The Products to be included in the entitlement
n The required values to specify in the entitlement for any license terms that were not
specified in the Products
n The production requirements, according to the type of entitlement:
o Entitlement for Sentinel HL keys
o Entitlement for Product Keys
o Entitlement for Protection Key Update
n Additional entitlement information (optional)

Sentinel EMS generates a unique entitlement ID (EID) for each new entitlement.

Defining the Customer for the Entitlement

When you define the entitlement in Sentinel EMS, you can specify the customer who placed the
order. You can search for an existing customer, using the customer name or other identifying
details, or you can define a new customer.

You can also define a new customer using the Customers page.

Including Products in the Entitlement

An entitlement can contain one or more Products. All Sentinel LDK Products are associated with a
Sentinel LDK Batch Code. You select the Batch Code before you create a new entitlement.

Unlocked Products are not available for inclusion in entitlements. The process of

generating files containing Unlocked Products is a Development task. For additional
information, see "Generating Bundles of Unlocked Products" on page 157.
146 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

Each Product is assigned a locking type when it is defined. The locking type determines the level
of Sentinel LDK protection and the type of Sentinel protection key that can be supplied with the
Product.
The locking type assigned to a Product may determine the type of entitlement that can be
produced:
n Products defined only with the HL locking type can be included in entitlements for
Sentinel HL keys, Product Keys, or for Protection Key Updates.
n Products defined only with the SL AdminMode or SL UserMode locking type can be
included only in entitlements for Product Keys or for Protection Key Updates.
n Products defined with the HL or SL AdminMode or HL or SL AdminMode or SL
UserMode locking type can be included in entitlements for Sentinel HL keys, Product
Keys, or for Protection Key Updates
You cannot add a Product defined only with the HL locking type and another Product defined only
with the SL locking type (whether AdminMode or UserMode) to the same entitlement.
For additional information on locking types, see "Choosing the Protection Level for Your Products"
on page 120.

Specifying License Term Values

When a Product is initially defined in Sentinel EMS, the exact license term values for each Feature
can be left unspecified. This enables you to include the same Product in different entitlements
with different license term values.
In this case, the license values must be specified when each entitlement for the Product is
processed.
You may be required to specify one or more of the following license term values for Features
when processing an entitlement:
n The date on which the license expires
n The maximum number of times that the Feature can be used
n The number of days until the license expires
You may also be required to specify the number of concurrent instances for one or more
Features. This value specifies the number of instances of simultaneous usage that the license
allows on the customer’s network. Concurrent instances may relate to the network, processes, or
machines.
An entitlement can be produced only after the license term values have been specified for all the
Features in every Product included in the entitlement.

Specifying Protection Key Memory Data

When a Product is initially defined in Sentinel EMS, memory data can be left unspecified. This
enables you to customize memory data for each Product when defining the entitlement. For
example, customer-specific memory data can be added to the Product when an entitlement is
being processed.
 Managing Entitlements 147

Specifying an Entitlement for Sentinel HL Keys

When an entitlement for Sentinel HL keys is produced, the ordered Products are programmed
(burned) on one or more Sentinel HL keys to be shipped to the customer. For additional
information on Sentinel HL keys, see "Sentinel HL Keys" on page 45.
When you define the entitlement, you must specify the total number of Sentinel HL keys to be
produced for the entitlement.

Specifying an Entitlement for Product Keys

An entitlement for Product Keys enables you to produce activation strings for Sentinel protection
keys.
The Products in the entitlement are associated with one or more Sentinel LDK Product Keys. A
Product Key is a string of characters generated by Sentinel EMS and stored in a file for delivery to
the customer.
After the end user receives the Product Key and returns it as proof of purchase, Sentinel EMS
validates the Product Key and produces a Sentinel protection key. The Sentinel protection key is
then sent back with the license terms and installed on the end user’s computer, enabling the
Product to be activated.
When you define an entitlement for Product Keys, you must specify the following information:
n The number of Product Keys to be produced for the entitlement
n The number of activations allowed for each Product Key. This is the number of machines
on which each Product Key can be used.
While it is mandatory to used Product Keys for activation of software locked to Sentinel SL keys,
Product Keys can also optionally be used for activating software that is locked to Sentinel HL keys.

Before a Sentinel SL key can be used on an end user’s computer, an Unlocked Trialware

Product is typically installed on the computer. When the Unlocked Trialware Product is
installed, it initializes the Sentinel LDK Run-time Environment, which is required for
communication between the Sentinel SL key and the software.

The process of generating files containing Unlocked Trialware Products is a Development

task. For additional information, see "Generating Bundles of Unlocked Products" on page
157.

Specifying a Protection Key Update Entitlement

A Protection Key Update entitlement specifies changes to be made to the license terms, Products,
and/or data stored in Sentinel protection keys that have already been deployed to end users. A
Protection Key Update can be applied remotely to Sentinel HL keys or Sentinel SL keys as follows:
n Using the Sentinel Licensing API by calling the Update function
n By using the Sentinel Remote Update System utility
n (For SL AdminMode keys) By placing the file that contains the update information in the
appropriate directory on the end user's computer.
148 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

When the Protection Key Update entitlement is produced, a file containing the details of the
changes is generated for each Sentinel protection key to be updated.
This file can be one of the following:
n An executable file (EXE) that can be delivered to end users for use as instructed by your
company
n A Vendor-to-Customer (V2C) file that end users can process using the Sentinel Remote
Update System utility (RUS utility)
For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"
on page 165. For additional information on updating SL AdminMode keys, see "Applying License
Updates to SL AdminMode Keys" on page 156.
When you define a Protection Key Update entitlement, you must specify the total number of
Sentinel protection keys to be updated as a result of this entitlement. You may also need to select
the specific Sentinel protection keys to be updated.
Locating the Sentinel protection keys to Update

When you define an entitlement for Protection Key Update, you may need to select the specific
Sentinel protection keys to be updated. For example, the entitlement may be for an organization
with 100 Sentinel protection keys, and this entitlement is required to update the keys for only 10
specific users.
In Sentinel EMS, you can:
n Display a list of the customer’s Sentinel protection keys
n View the contents of each key
n Select the keys to be updated

You cannot select more Sentinel protection keys than the total number of product keys
specified in the Product Details area in the New Entitlement screen.

Optional Entitlement Information

You can add the following optional information to the entitlement:

n Order reference information that can identify the order in a different system, for example,
an order number in your company's ERP system.
n A comment that provides additional information about the order.

Adding the Entitlement to the Production Queue

After you have specified all the necessary information for an entitlement, you can produce it
immediately or "queue" it to add it to the production queue. The queue is a list of all entitlements
that are awaiting production.
Entitlements in the production queue can be selected for production according to the criteria
determined by your organization.
 Managing Entitlements 149

Sentinel EMS enables you to save as "draft" any entitlement that have not been completely
defined, without losing the information that you may have already specified. You can open the
entitlement and continue to define the entitlement details when convenient.

Entitlement Status Values

During the course of its life cycle, an entitlement is assigned statuses as follows:

Resulting
User Action Entitlement Description of Status
Status
Create a new entitlement, Draft This status indicates that the entitlement is
click Save OR Re-open an not yet ready for production. The entitlement
entitlement. details can be modified, or the entitlement
can be deleted.
Create a new entitlement or Queued This status indicates that the entitlement is in
edit an existing entitlement, the production queue, awaiting production.
click Queue. The details of a Queued entitlement cannot
be changed. However, it can be deleted.
In an entitlement for Product Product Keys Indicates that Product Keys for one or more
Keys, select one or more Generated Products in the entitlement have been
Products and click Produce. generated. If the entitlement contains
customer information, the customer receives
an email. The email contains the Product
Keys and information on how to log in the
Sentinel EMS Customer Portal and activate
the protection key.
Produced In an entitlement that includes multiple
Product Keys, at least one Product Key has
been used to activate the protected software.
The entitlement contains additional Product
Keys that have not yet been used.
Completed In an entitlement for protection key updates
or for HL keys, the entire entitlement has
been produced. In an entitlement for Product
Keys, all the Product Keys have been used to
activate the protected applications.
Acknowledged The end user has verified that the entitlement
was applied at the customer site.

Processing C2V Information

C2V files contain protected information about the license terms and data stored in deployed
Sentinel protection keys. They do not contain private customer information.
150 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

C2V files can be generated using the Sentinel Remote Update System utility (RUS utility). For
additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System" on
page 165.
C2V information stored in Sentinel HL keys and in C2V files can be retrieved for use in connection
with Protection Key Update orders.
When a C2V file or Sentinel HL key is received from a customer, you must check in the
information, in order to make the data in the file or key available to Sentinel EMS. The process of
checking in the C2V information stores the data securely in Sentinel EMS, and enables you to view
some of the information.
When you check in a C2V file, you can view the identifying information for the Sentinel protection
key associated with the file, including the Batch Code, ID and key type. You can also view the
Product details contained in the file. When you check in a Sentinel HL key, you can view similar
information.

If you attempt to check in a C2V file for a Sentinel SL key, and Sentinel EMS detects that it
has come from a cloned machine, you will not be able to check the C2V file into the
database. For additional information about dealing with cloned Sentinel SL keys, see
"Protection Against Cloning" on page 132.

Formatting a Sentinel HL Key

You can format a Sentinel HL key to make it available for reuse. The process of formatting a
Sentinel HL key deletes any orders that have been defined for the key but not yet produced. It
also produces a V2C file that contains Protection Key Update information to be applied to the key
using the RUS utility. Applying the Protection Key Update erases all license and memory data
stored in the key.

Order Processing and Production Examples

In the examples in this section, HQ Software defines the following orders for its customers:
1. Order for Sentinel HL keys
2. Order for Product Keys (Sentinel SL keys)
3. Protection Key Update order

Order Example 1: Order for Sentinel HL Keys

Scenario: A new customer, ABC Design, orders the SafeNetCAD Office Product from HQ Software
with a license for 20 users.
Since the SafeNetCAD Office Product is defined with Sentinel HL key protection, the details for
this order are defined as follows:
n Customer: ABC Design
n Product: SafeNetCAD Office
n Order type: Sentinel HL keys
n Number of keys: 20
 Managing Entitlements 151

When this order is produced, the SafeNetCAD Office Product license is programmed on
20 Sentinel HL keys, which are then shipped to the customer.

Order Example 2: Order for Product Keys (Sentinel SL Keys)

Scenario: On March 15, 2007, another customer, JL Optics, orders the SafeNetCAD Home
Product, with a license for use on two computers.
The SafeNetCAD Home Product is defined with Sentinel SL key protection and an annual rental
license. To ensure that the customer enjoys a full year’s licensed use, the expiration date needs to
be specified when the order is placed.
The details for this order are defined as follows:
n Customer: JL Optics
n Product: SafeNetCAD Home
n Expiration date for DRAW and SAVE: March 15, 2008
n Order type: Product Key-based
n Number of Product Keys: 1
n Number of Activations per Product Key: 2

This example assumes that JL Optics has installed and used the SafeNetCAD Home[Trial]
Unlocked Trialware Product on the two computers before ordering the SafeNetCAD Home
Product. As a result, the Sentinel LDK Run-time Environment for Sentinel SL has already
been initialized on those computers.

When this order is produced, a file is generated containing a Product Key. HQ Software sends this
file to JL Optics by e-mail.
Two end users at JL Optics open the file and enter the Product Key as required on the
HQ Software Web site. The HQ Software customer interface application sends the Product Key to
Sentinel EMS, which validates the Product Key and returns a Sentinel SL key to the customer.
The Sentinel SL key is installed on the two computers at JL Optics with the license information, and
the SafeNetCAD Home Product can be activated under the terms of the license.

Order Example 3: Order for Protection Key Update

Scenario: HQ Software informs ABC Design that a new version of SafeNetCAD Office has been
released, containing the REPORT GENERATOR Feature, and that an upgrade is available for
purchase. ABC Design orders the enhanced Product for five of its 20 users.
HQ Software has defined a Modification Product for the new version, SafeNetCAD Office v.2.0.
This Product is ready for inclusion in customer orders.
Before defining the Protection Key Update order, HQ Software needs to receive C2V files for the
five Sentinel HL keys to be updated. ABC Design uses the RUS utility to generate the required C2V
files and sends them to HQ Software.
After the C2V files have been received and checked in, HQ Software defines a Protection Key
Update order for the Modification Product.
152 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

The details for this order are defined as follows:

n Customer: ABC Design
n Product: SafeNetCAD Office v2.0
n Order type: Protection Key Update
n Number of Sentinel protection keys to be updated: 5.
During the order definition process, the five Sentinel HL keys to be updated are selected from all
the keys issued to ABC Design, according to the C2V files received.
When this order is produced, a V2C file is generated for each selected Sentinel HL key and sent to
the customer.
The selected five end users install the update on their Sentinel HL keys, using the RUS utility. They
are then able to activate the upgraded version of SafeNetCAD Office and to generate tailored
reports.

Producing Entitlements
This section is intended for Sentinel EMS users assigned the Entitlement Manager or Production
role.
On the Entitlements page in Sentinel EMS, you can view the details of all entitlements awaiting
production.

You can perform the following production tasks using the Entitlements page:
n Produce Entitlements
n View Entitlements
 Producing Entitlements 153

If you have been assigned both the Entitlement Manager and the Production roles, you
can choose to produce an entitlement immediately after you finish defining it.

The process of producing an entitlement is determined by the type of entitlement:

n Order for Sentinel HL keys
n Order for Product Keys
n Order for Protection Key Update
While producing any entitlement, you can open the entitlement and view its details.

Producing Sentinel HL Key Entitlements

Before you start to produce an entitlement for Sentinel HL keys, Sentinel EMS enables you to
prepare the appropriate Sentinel HL keys to use for the entitlement, by displaying:
n The Sentinel HL key types that are valid for the entitlement
n The number of Sentinel HL keys to be produced, as specified in the entitlement
Sentinel EMS determines which Sentinel HL keys are valid for the entitlement according to a
number of factors, including:
n The license terms defined for the Features in the Products included in the entitlement
n The data defined in memory for each Product
n The space required on the key to accommodate the entitlement
For example, if the license terms for a Product in the entitlement are based on one (or both) of
these factors:
n A number of days or an expiration date
n A number of concurrent instances in a network environment
The entitlement can be produced only on Sentinel HL keys that support time-based licenses or
support concurrency licenses. Most Sentinel HL (Driverless configuration) keys support these types
of license terms.
For additional information about Sentinel HL key types and their capabilities, see "End-User Keys"
on page 44.

Producing Entitlements for Product Keys

When you produce an entitlement for Product Keys, a TXT file is generated containing the Product
Keys.
Before you generate the file, you must specify its required location, or accept the default location.
The file is saved in the format Product_Keys_[order ID].txt.
After the file has been generated, the Product Keys are available for use. If customer information
was provided in the entitlement, an email containing the Product Keys is generated automatically
and sent to the customer. You could also print the Product Keys on the cover of a CD.
154 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

Producing Protection Key Update Entitlements

The entitlement production process generates a file containing the Protection Key Update
information for each Sentinel protection key to be updated. After the files have been generated,
they can be sent to the customer.
Before you generate the file, you must select the required location and the type of files to be
generated for delivery to end users:
n Vendor-to-Customer (V2C) files that can be processed using the Sentinel Remote Update
System utility (RUS utility)
n Executable files (EXE) that contain V2C data and can be used as instructed by your
company
For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"
on page 165.

A default file location for V2C files may have been specified by the Sentinel LDK
Administrator.

Withdrawing Entitlements
Under certain circumstances, you may need to withdraw an entitlement before it has been
produced, or if it has been only partly produced. For example: If the customer cancels the order
or significantly changes the order requirements.
If the entitlement is not yet in the production queue (Queued status), you can delete it. An
entitlement cannot be deleted after it has been added to the production queue. You can,
however, remove the entitlement from the production queue by reopening it. This changes the
status of the entitlement to Draft.
A Draft entitlement is no longer available for production, but its content are available to view for
reference.

Customer Portal - Activating Entitlements

If an entitlement includes customer information, then at the time Product Keys are generated, an
email is automatically sent to the customer. The email contains the Product Keys and a link to the
Sentinel EMS Customer Portal in Sentinel EMS.
To log in to the Customer Portal, the customer clicks the provided link. At the login screen, the
customer enters a Product Key.
If you specified in the entitlement that user registration is desired (or mandatory), the customer is
requested (or required) to fill out a registration form.
 Viewing License Updates 155

Next, a screen similar to the following is displayed:

This screen displays the status of the Product Key, including the number of activations remaining.
The customer uses this screen to activate the entitlement as follows:
n If the customer logged in to the Customer Portal from the machine where the license
should be installed, the customer can click Online Activation. Activation of the
entitlement proceeds automatically.
n If the customer did not log in to the Customer Portal from the machine where the license
should be installed, the customer can click Offline Activation. The customer can then
download the RUS utility. The customer uses this utility in order to generate a C2V file and
perform the activation process manually.

Viewing License Updates

With certificate-based Sentinel SL keys, you can examine the sequence of updates that were
applied to a Protection Key at a customer site. The V2C files that were applied to a protection key
reside in a directory on the computer where the protection key is located.
(For protection keys that were rehosted from a different computer, you can also examine the H2H
files that contain rehost information.)
The licensing information in each V2C file is specified using XML tags. You can open any of these
files using a simple text editor and read the contents. If you examine the files for a specific
Protection Key ID in sequence, you can follow the history of updates that were applied to the key.

Information regarding SL legacy protection keys is not available in these files.

156 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

The V2C files on a given computer can be found in the following locations:
n For SL AdminMode keys:

Windows %SystemDrive%\Program Files (x86)\Common Files\SafeNet Sentinel\

Sentinel LDK\installed\[vendorID]\
(For Windows x86, in: %SystemDrive%\Program Files\...)
Linux, Mac /var/hasplm/installed/[vendorID]/

n For SL UserMode keys:

Windows XP %SystemDrive\Documents and Settings\All Users\Application Data\SafeNet

Sentinel\Sentinel LDK\Installed\[vendorID]\
Windows 7 %SystemDrive%ProgramData\SafeNet Sentinel\Sentinel LDK\installed\
and later [vendorID]\

The naming convention for the files is as follows:

keyID_provisional.v2c Unlocked Product

keyID_base.v2c Base Product
keyID_updateX.v2c Update to a Base Product. Updates are numbered sequentially.
keyID_rehost.h2h Rehost of a protection key
keyID is the Protection Key ID.

Do not remove or modify these files. If any of these files are removed or modified, the
protection key may become invalid.

Applying License Updates to SL AdminMode Keys

Several methods exist to apply updates to a Sentinel protection key. However, for SL AdminMode
keys, an additional simplified method to apply updates exists.
You can do either of the following:
n Programatically place the V2C file containing the license update directly into the installed
directory described above (see "Viewing License Updates" on page 155).
n Instruct the end user to place the file into the installed directory. The Sentinel License
Manager detects the V2C file in the installed directory and automatically applies the
license update.
If the license update is applied successfully, the Sentinel License Manager then moves the V2C file
from the installed directory to the appropriate installed\vendorID\ subdirectory.
If the license update installation fails, the Sentinel License Manager moves the V2C file to a
separate directory called invalid. The failure is recorded in the Admin Control Center access log.
The log can be viewed from the Access Log option in Admin Control Center.
 Performing Development-related Tasks 157

Performing Development-related Tasks

This section is intended for users assigned the Development role.
From the Developer tab in the Sentinel EMS screen, you can select one of the following
development-related activities:
n Generate bundles of Unlocked Products
n Export catalog data definitions to a file
n Customize the Sentinel Remote Update System utility (RUS utility)
n Generate a customized Sentinel LDK Run-time Environment (RTE) installer file

Generating Bundles of Unlocked Products

When a Product is defined in Sentinel EMS, it can be specified as an Unlocked Product that is not
locked to a single machine. The Product can be further defined as an Unlocked Trialware Product
for distribution as trialware or for use during a grace period.
Unlocked Products are distributed as bundles. Each bundle can contain one or more Unlocked
Products.
Bundles of Unlocked Trialware Products can be distributed for use for a restricted period of time,
up to 90 days.

Software that has been supplied with a trial license or for a grace period can be activated
after a valid license is purchased, with either a Sentinel HL key or a Sentinel SL key.

For additional information on the purpose and use of Unlocked Trialware Products, see
"Designating Products for Trial or Grace Period Use" on page 122.
The process of generating a bundle of Unlocked Products involves:
n Selecting the Unlocked Products to be included in the bundle
n Producing a file containing the Unlocked Product license and Vendor library. This file can
be:
o An EXE file containing V2C data
o A V2C file that can be used with the RUS utility. For additional information on the
RUS utility, see "Chapter 13: Sentinel Remote Update System" on page 165.
The output file from this process must be installed on each end user’s computer in order to:
n Create an initial Sentinel LDK Run-time Environment that enables your protected software
to communicate with Sentinel SL keys.
n Enable a trialware or grace period license.

When a bundle of Unlocked Products is installed on an end user’s computer, a provisional

Key ID is generated for the SL key. If a fully licensed Product is installed on the computer
where the bundled Unlocked Product exists, a new key ID is created in addition to the
original provisional key ID.
158 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

To simplify the installation process at end users’ sites, it is recommended that you generate a
Sentinel LDK Run-time Environment installer executable. You can embed the Run-time
Environment installer in your software setup to create a ready-to-run Sentinel LDK-protected and
licensed application.
To generate a Sentinel LDK Run-time Environment installer executable, you need to specify the
V2C file generated when an Unlocked Product bundle is produced. An EXE file containing V2C data
cannot be used to generate a Sentinel LDK Run-time Environment installer.

Generating the Sentinel LDK Run-time Environment Installer

You can generate a Sentinel LDK Run-time Environment installer that simplifies the installation
process at end users' sites, for Unlocked Products or Locked Products.
The input to this process is a V2C file that contains your vendor-specific data. For Unlocked
Products, the V2C file also contains the Unlocked Product bundle data.

When packaging a Run-time Environment installer with a V2C file for one or more Products
in Sentinel EMS, you cannot include a Product that only has the locking type
SL-UserMode.

The output can be one of the following:

n An executable file that creates a Run-time Environment command-line installer
n A DLL that can be used with the Sentinel LDK Run-time Environment installer API
n A Mac PKG Sentinel LDK Run-time Environment installer
You can embed the Sentinel LDK Run-time Environment installer in your software setup to create a
ready-to-run application that is protected and licensed by Sentinel LDK.

Generating a Sentinel LDK Run-time Environment Installer for a Locked Product or Detached

Product

You have the option of installing a Locked Product or Detached Product license on the end user
computer. In this case, the Product is never installed as an Unlocked Trialware Product.
To install Sentinel LDK Run-time Environment on the computer, you generate the Sentinel LDK
Run-time Environment Installer without providing a V2C file. In this case, the installer contains
only the Run-time Environment and the vendor libraries.

Exporting Definition Data

You can export data about Features, Products, vendors, and other information in various file
formats. This information can then be used for development, protection backup, and other
purposes. You can also export metadata for use in Admin Control Center.
You can use the Export Definitions function to produce the following output file types:
n Metadata in Admin Control Center format
n Features and Products in a C-style header file
n Features and Products in a CPP-style header file
 Enabling Trial Use and Grace Periods 159

n Features and Products in XML format

n Features in CSV format
For examples of the output file contents, see the Sentinel EMS help system.
Before you export the Features, you must select the required Batch Code, specify the required file
type, and define the name and location for the file.
As your software develops and additional Features are defined, you can use the Export
Definitions function whenever you want to retrieve the data definitions from Sentinel EMS.

Customizing and Branding the RUS utility

The RUS utility is a tool that can be distributed to end users to enable secure, remote updating of
the license and memory data of Sentinel protection keys after they have been deployed.
End users can invoke the RUS utility directly in order to generate a C2V file, or they can launch the
utility by double-clicking an EXE file containing a license update.
Before you distribute the RUS utility, you must customize it with the Batch Code associated with
the Sentinel protection keys that you have deployed to your end users, in order to enable them
to generate C2V files, or to process files containing V2C information.
In addition, you can brand the text that is displayed to an end user when the RUS utility is
opened. For example, you may want to display your company name and information about your
software.
The RUS Branding option in Sentinel EMS enables you to associate the RUS utility with the
selected Batch Code. You can also use the simple HTML editor provided to enter, format, and
preview the text to be displayed in the RUS utility.
It is recommended that you distribute your protected software with a customized and branded
version of the RUS utility.
For additional information on the RUS utility, see "Chapter 13: Sentinel Remote Update System"
on page 165.

Enabling Trial Use and Grace Periods

This section provides examples that demonstrate the use of Unlocked Trialware Products:
n To distribute a Product for use on a trial basis for a limited period
n To enable use of a licensed Product during a grace period

Example 1: Issuing an Unlocked Trialware Product for Trial Use

Scenario: HQ Software decides to offer visitors to their Web site the option of downloading and
using their HQ Design Demo Product for 30 days.
When the original licensing plan definitions were implemented, the HQ Design Demo Product was
defined as an Unlocked Product.
The license terms for the two Features were set to Time Period with a value of 30 days.
160 Chapter 11: Sentinel LDK Entitlements, Production, and Development Tasks

The software developer at HQ Software defines a bundle of Unlocked Trialware Products that
contains the HQ Design Demo Product, and generates the bundle as a V2C file.
A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C file
as input.
The HQ Software Web master adds the EXE to the Web site, with download instructions for
potential trial users.

Example 2: Issuing a Product for a Grace Period

Scenario: A new customer, XYZ Construction, has purchased a 50-user license for the HQ Design
Pro Product, which is available only with Sentinel HL key protection. The Sentinel HL keys are
being prepared and shipped, but meanwhile the customer wants to start using the HQ Design Pro
Product immediately.
HQ Software needs to enable XYZ Construction to activate and use the HQ Design Pro Product
during a grace period, until the Sentinel HL keys arrive and are distributed to the end users.
For this purpose, a version of the HQ Design Pro Product is defined as an Unlocked Product, with
the Product name HQ Design Pro Grace. The PRINT REPORTS Feature is removed from this
version. The license terms for the remaining four Features are set to Time Period with a value of
30 days.
A bundle of Unlocked Products is defined containing the HQ Design Pro Grace Product, and
generated as a V2C file.
A Sentinel LDK Run-time Environment installer is then generated as an EXE file, using this V2C file
as input.
The EXE file is sent to the customer, for distribution to the end users. End users can run the EXE,
which installs the Sentinel LDK Run-time Environment and the HQ Design Pro Grace Product on
their computers. They can then use the program for 30 days until they receive their Sentinel HL
keys and can activate the full Product.
 12
Chapter 12:
Sentinel LDK Administration and
Customer Services

The first part of this chapter is intended for users authorized to perform Sentinel LDK
Administration tasks. It describes how to use Sentinel EMS to define user details, manage
Sentinel LDK licenses and Sentinel Master keys, and configure system settings.
The second part of this chapter is intended for users authorized to perform Sentinel EMS
Customer Services tasks. It describes how to use Sentinel EMS to view and edit customer details,
and to perform manual Product activation for customers.
For an overview of Sentinel EMS and for information on starting to use the application, see
"Chapter 8: Introduction to Sentinel EMS" on page 109.
In this chapter:

n "Administration Tasks" on page 161

n "Customer Services" on page 164

This chapter provides high-level information on the Administration and Customer Services
processes in Sentinel EMS. For detailed practical instructions for using each function in
Sentinel EMS, see the Sentinel EMS help system.

Administration Tasks
After you first install Sentinel LDK in your organization, you can log in to Sentinel EMS using the
default user name and password (admin) provided for your use by SafeNet. By default, this user is
authorized to perform all tasks in Sentinel EMS, including Administration tasks.

The ‘admin’ administrator details cannot be viewed or modified. Only the password can be
changed.

After logging in to Sentinel EMS the first time, it is recommended that you select the Change
Password function at the top of the screen and change your user password as soon as possible.
To be able to use Sentinel LDK with your company-specific Batch Codes and license, you must first
introduce the Sentinel Master keys provided for your use by SafeNet.
162 Chapter 12: Sentinel LDK Administration and Customer Services

For additional information on Sentinel Vendor keys, see "Personalized Vendor and Batch Codes"
on page 43.
For additional information on introducing Sentinel Master keys, see "Maintaining Sentinel Master
Keys" on page 163.
From time to time, you will need to renew your Sentinel LDK license, or to replenish your pools of
SL keys or network seat licenses. You can schedule email notifications to be sent when it is time to
renew or reorder, ensuring you uninterrupted use of Sentinel LDK.
For additional information about the various modules on your Sentinel Master Key, see "Appendix
A: Understanding the Sentinel LDK Master Key Licenses" on page 257.
For additional information about configuring and scheduling email notifications, refer to the
Sentinel EMS help system.

If you are evaluating Sentinel EMS, you can use the provided DEMOMA Batch Code, which
does not require a Sentinel Master key.

You can now define additional Sentinel LDK users in your organization, including assigning the
users the appropriate roles and authorizing access to Batch Codes. For additional information, see
"Maintaining User Details " on page 162.

Maintaining User Details

When you select the Users function in Sentinel EMS, you can view the Sentinel LDK details of all
currently defined Sentinel LDK users.
You can perform the following tasks using the Users function in Sentinel EMS:
n Define Sentinel LDK users
n Change user details and passwords
n Control user access

Defining Sentinel LDK Users

Before you start to define Sentinel LDK users, ensure that you have the following information
available for each new user:
n The user name to be assigned to the user for the purpose of logging in to Sentinel LDK
n The password to be assigned to the user

Users can change their own passwords after logging in to Sentinel EMS.

n The user's email address

n The Batch Codes that the user is authorized to access
n The roles to assign to the user. For additional information on the functions authorized for
each role, see "Sentinel EMS Users and User Roles" on page 111.
 Administration Tasks 163

Changing User Details and Passwords

After you have defined a user, you can change any of the user’s details.
Users can change their own passwords. However, if necessary, you can change the password for a
user without knowing the current password. This is useful in the event that the user has lost or
forgotten his/her password.

Controlling User Access

In certain circumstances, you may want to prevent a user from logging in to Sentinel LDK. If the
user has left the company, for example, or will no longer be using Sentinel LDK, you can delete the
user details.
You can prevent or allow a user to access Sentinel LDK by clearing or selecting the Login Allowed
check box.

Maintaining Sentinel Master Keys

When you select the Administration > Master function in Sentinel EMS, you can view the details,
for the selected Batch Code, of all available Sentinel Master keys that are currently connected to
the EMS Server.
You can perform the following tasks using the Master page in Sentinel EMS:
n Generate a C2V file for a selected Sentinel Master key. You send this file to your SafeNet
representative when you want to:
o update your Sentinel Master key license modules
o replenish your pool of SL keys
o replenish your pool of HL or SL network seat licenses
n Apply the V2C file returned to you by your SafeNet representative to the Sentinel Master
key. This updates the Master key with the contents of your order.
n Specify Mail Notification properties
For more information on the Sentinel Master key, see "Appendix A: Understanding the
Sentinel LDK Master Key Licenses" on page 257.

Introducing Sentinel Vendor Keys

Before you can work effectively, you must introduce your Sentinel Master key(s) on the Sentinel
EMS Server machine. The Sentinel Master Wizard is available from the Sentinel Vendor Suite. You
must have a separate Sentinel Master key connected to each machine on which Sentinel EMS is
installed.
You can introduce additional Sentinel Vendor keys—Sentinel Master keys or Sentinel Developer
keys—in order to enable Batch Codes for use with Sentinel LDK applications.
When you introduce a Sentinel Vendor key, you can select the libraries for which you want to
generate APIs.
164 Chapter 12: Sentinel LDK Administration and Customer Services

Generating a C2V File

When you submit an order for an update to your Sentinel LDK Master Key licenses, regardless of
whether it is to renew a license or to replenish your pools of SL keys or Network Seat licenses, you
need to generate a C2V file for the Sentinel Master key that is to be updated. You then send the
C2V to your Sentinel LDK supplier, together with your order. The C2V file contains encrypted
information about the current status of your Sentinel Master key, including its unique ID.

Defining Mail Notification Properties

You can specify who is to receive notifications that your Sentinel LDK Master Key licenses and
pools of SL keys or Network Seat licenses are about to expire. In addition, you can define the
thresholds after which the notifications are sent.

Customer Services
If you have been assigned the Customer Services role, you can manage the list of customers —
you can define customers, change customer details, and mark customers as obsolete.
You can enable or disable a Product key for a customer, or increase the number of activations
available for a Product key.
If a customer is unable for any reason to activate a Product remotely, you can activate the
Product manually for the customer, using the Product Key and a Customer-to-Vendor (C2V) file for
the customer’s Sentinel protection key.
The output of the manual activation process is a Vendor-to-Customer (V2C) file that can be sent to
the customer. You can request that the customer returns a C2V file to confirm that the Product
has been activated.
For additional information on C2V files, see "Processing C2V Information" on page 149.
 13
Chapter 13:
Sentinel Remote Update System

This chapter describes the Sentinel Remote Update System utility (RUS utility) and explains how to
use this utility to update license data remotely for deployed Sentinel protection keys.

You can also apply updates to a deployed Sentinel protection key using the Sentinel
Licensing API, by calling the Update function. For additional information, see the Sentinel
Licensing API help system. For SL AdminMode keys, also see "Applying License Updates to SL
AdminMode Keys" on page 156.

In this chapter:

n "RUS Utility Overview" on page 165

n "RUS Workflow " on page 166
n "Using RUS utility" on page 167

RUS Utility Overview

The RUS utility is an advanced utility that enables secure, remote updating of the license and
memory data of Sentinel protection keys after they have been deployed. As part of the basic
concept underlying Sentinel LDK, the RUS utility facilitates ongoing licensing well after protection
has been implemented. For additional information on Sentinel LDK concepts, see "Protect Once—
Deliver Many—Evolve Often" on page 42.
The RUS utility is used for the following;
n The RUS utility provides a simple and secure method of updating your licenses remotely,
after you have delivered your protected software together with the Sentinel protection
keys. You simply need to update the license and deliver update files to your customers.
n The RUS utility enables you to receive information on the current status of Sentinel LDK
licenses at your customers’ sites, and to securely extend or reduce the functionality of
these licenses, without recalling the Sentinel protection keys.
n The RUS utility can be used by an end user to generate the fingerprint of a computer at
your customer's site. You can use this fingerprint to generate a V2C file for the customer.
The customer can then use the RUS utility to apply the V2C file and generate an SL key for
the protected application.
166 Chapter 13: Sentinel Remote Update System

n The RUS utility can be used to transfer (rehost) an SL key from one computer to another
at your customer's site, without any intervention on your part. (An SL key can only be
rehosted if this function was enabled by the vendor when the SL key was generated.)

All Sentinel protection keys except the Sentinel HL Basic key can be updated using RUS
utility.

The RUS utility is an executable utility (rus.exe) that can be distributed to end users with your
software.
It is important that you customize the RUS utility with the Batch Code associated with the
Sentinel protection keys that you produce for your customers, before you distribute the
executable to them. For additional information on Batch Codes, see "Personalized Vendor and
Batch Codes" on page 43.
You can use Sentinel EMS to customize the RUS utility with the required Batch Code, and also to
brand the GUI to display your vendor-specific information to end users. For additional
information, see "Customizing and Branding the RUS utility" on page 159.

RUS Workflow
When you deliver your Products to a customer, you can include a customized version of the RUS
utility with the installation package. You can also include the instructions for using RUS.
(To perform rehost, your customer will require a customized version of the RUS utility.)
When a license update is required, you have the option of either retrieving customer licensing
information from Sentinel EMS, or of requesting that a customer produces and sends you a
Customer-to-Vendor (C2V) file for the Sentinel protection keys to be updated. C2V files have a
.c2v extension and contain information on the licensing and memory content of the
Sentinel protection keys.
When you receive C2V files from a customer, you check them in using Sentinel EMS. For additional
information, see "Processing C2V Information" on page 149.
Regardless of whether you obtain the data from Sentinel EMS or in the form of a C2V file from
your customer, the collected data enables you to produce an update most suited to the
customer’s needs. At no point in this workflow is it necessary to reconfigure security or protection
at the customer’s site.
You define the requested license updates in Sentinel EMS as Protection Key Update orders for
delivery to the customer. For more information on defining Protection Key Update orders, see
"Defining Entitlements" on page 145.
The process of producing a Protection Key Update order generates a file for each
Sentinel protection key to be updated. This can be either a Vendor-to-Customer (V2C) file or an
executable that contains the license update data. For more information on the Protection Key
Update order production process, see "Producing Protection Key Update Entitlements" on page
154.
The output file is then delivered to the end user, who either runs the executable as instructed by
you, or uses the RUS utility to apply the license update data contained in the V2C file.
 Using RUS utility 167

Example: Using RUS for License Updates

Scenario: One of HQ Software’s customers, ABC Design, has ordered the upgraded version of HQ
Design Pro that contains the new REPORT GENERATOR Feature, for five of its 20 HQ Design Pro
users. The customer is asked to send C2V files containing details of the five deployed Sentinel HL
keys to be updated.
ABC Design uses the RUS utility to generate the C2V files and sends them to HQ Software. These
files contain the current status of the license on the specific Sentinel HL keys.
HQ Software checks in the C2V files, defines a Protection Key Update order for the HQ Design Pro
v.2.0 Modification Product, and produces a license update contained in five V2C files. For
additional information on this example order, see "Order Example 3: Order for Protection Key
Update" on page 151.
The V2C files are sent by email to ABC Design. Each of the five end users applies the update to
their Sentinel HL key using the RUS utility, and returns a C2V file containing a confirmation receipt.

Using RUS utility

The RUS utility window consists of the following tabs:
n Collect Status Information: The parameters in this tab are used to collect information on
the current status of the licenses in the Sentinel protection key or collecting fingerprint
information. The end user specifies a name and location for the generated C2V file. If
more than one Sentinel protection key is installed, the user selects the required key.
No private customer data is included in the C2V file.
n Apply License Update: The parameters in this tab are used to apply a V2C file and update
licenses in a Sentinel protection key.
n Transfer License: The parameters in this tab are used on the source computer and
recipient computer to rehost an SL key from the source computer to the recipient
computer.

Instructions for Customers Using the RUS utility

The following sections contain information and instructions that you can customize and send to
your customers.

Instructions for Using the RUS utility

If you are using the RUS utility with a Sentinel HL key, (hardware-based key) you must connect the
key before performing either of the following procedures. The RUS utility automatically locates any
Sentinel SL keys (software-based keys) installed on your computer.

Collecting Sentinel protection key License Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information on
the current status of the licenses in your Sentinel protection keys. You can then send this file in
order to receive a license update.
168 Chapter 13: Sentinel Remote Update System

To retrieve the current license information from a Sentinel protection key:

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.
3. Ensure that Update of Existing Protection Key is select at the bottom of the screen.
4. Click Collect Information. The Save key status as window is displayed.
5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.
6. If more than one Sentinel protection key is located, a list of the keys is displayed. Select the
required key, or disconnect the keys that are not required, and click Refresh.
7. The C2V file for the Sentinel protection key is generated and saved in the required location.
The file can now be sent for processing to produce an update.

Collecting Computer Data

You can use the RUS utility to produce a Customer-to-Vendor (C2V) file containing information on
the computer where you want to install a Sentinel protection key for a protected application. You
can then send this file in order to receive a license update. This procedure would be used if a
Sentinel protection key does not currently exist on the computer.

To retrieve the current computer information :

1. Launch the RUS utility (rus.exe).

2. Click the Collect Status Information tab.
3. Ensure that Installation of New Protection Key is select at the bottom of the screen.
4. Click Collect Information. The Save key status as window is displayed.
5. Specify the directory where you want to store the C2V file. Enter a file name and click Save.
6. The C2V file for the Sentinel protection key is generated and saved in the required location.
The file can now be sent for processing to produce a Sentinel protection key.

Applying an Update

You can use the RUS utility to apply an update to the licenses stored in your Sentinel protection
keys.

To update the licenses in Sentinel protection keys:

1. Launch the RUS utility (rus.exe) or double-click the Vendor-to-Customer (V2C) file that you
have received containing the update data.

If you have received an update as an executable, double-click the file and it will
automatically launch RUS utility.

2. Click the Apply License File tab. (This might be the only tab displayed.)
 Using RUS utility 169

Rehosting a Sentinel protection key

You can use the RUS utility to transfer a Sentinel protection key from one computer (the source
computer) to another (the recipient computer). This is a three-step procedure that uses the RUS
utility on both computers.
Step 1: Collect Information About the Recipient Computer

1. On the recipient computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.
3. Follow the instructions labeled "Step 1" to collect information about the computer and save
it to a file. Make sure that the file (or a copy of the file) is accessible on the source
computer.
Step 2: Generate the License Transfer File

1. On the source computer, launch the RUS utility (rus.exe).

2. Click the Transfer License tab.
3. Follow the instructions labeled "Step 2" to select the SL key to transfer, read the recipient
information file, and generate a license transfer (h2h) file. Make sure that the license
transfer file (or a copy of the file) is accessible on the recipient computer.

After you perform this step, the SL key is no longer available on the source computer. Be
sure to keep a copy of the transfer file until you have completed the transfer procedure.

Step 3: Apply the License Transfer File

1. On the recipient computer, in the RUS utility, click the Apply License File tab
2. In the Update File field, click the browse button and locate the license transfer (h2h) file.
3. Click Apply Update. The SL key is installed on the recipient computer.

To ensure the success of the transfer procedure, all the steps in the procedure should be
completed within no more than a few days of the time you first start the process.
 14
Chapter 14:
Generating Sentinel LDK Reports

This chapter describes the Reporting facility in Sentinel EMS.

In this chapter:

n "Reports Facility Overview" on page 171

n "Permissions for Working With Reports" on page 172
n "Scheduling Reports" on page 172
n "Presentation Formats" on page 173
n "Export Formats" on page 173
n "Available Reports" on page 173
n "Custom Reports" on page 173

Reports Facility Overview

The Sentinel EMS Reports facility provides you with the ability to produce reports with valuable
business information, based on data in the Sentinel EMS database. With this tool, managers can
obtain data for analyzing how their software is used and the purchasing preferences of their
customers. The information can also be leveraged to maximize revenues from license renewals, to
up-sell existing customers, and turn trial users into buyers.
172 Chapter 14: Generating Sentinel LDK Reports

The Sentinel EMS Reports facility connects directly to the Sentinel EMS database, and generates
reports based on SQL queries. Both predefined and custom (user-defined) reports are available.
The Sentinel EMS Reports facility can present information both in tabular and (where appropriate)
graphical formats, and can export report data in a variety of formats for further processing and
analysis.
The remainder of this chapter provides an overview of features and options available in the
Reports facility.
For detailed information on operating the facility, see the Sentinel EMS help system.

Permissions for Working With Reports

Access to the Reports facility is limited to Sentinel EMS users who have been granted the role
Report Generation or Batch Code Admin. Only these users can view reports directly in
Sentinel EMS. (The role Report Generation provides access only to the Reports facility, and only
for the specific Batch Codes selected.)
However, using the scheduling option in the Reports facility, an authorized user can define a
distribution list for each report. Each member of the distribution list receives the report by e-mail.
The list can include Sentinel EMS users (for whom an e-mail address has been specified in
Sentinel EMS) or any valid e-mail address.
No special authorization is required to receive reports by e-mail.

Scheduling Reports
An authorized Sentinel EMS user can generate and view reports on demand. In addition, the user
can define a schedule for generation of each report and a distribution list of people to receive the
report automatically by e-mail each time the report is generated. Both predefined and custom
reports can be scheduled.
 Presentation Formats 173

Reports can be scheduled for generation and distribution based on a daily, weekly, or monthly
scheduling definitions. A scheduled report can also be generated and distributed on-demand.

Presentation Formats
All reports are generated in tabular (text-based) format. In addition, where relevant, each report
includes a graphical presentation of the data, in either pie chart or bar chart format.

Export Formats
Each report can be exported from Sentinel EMS or sent to the recipients in the distribution list in
any of the following formats:
n Adobe Acrobat (PDF file)
n Microsoft Word (RTF file)
n Microsoft Excel (XLS file)
n HTML file
n Comma-separated values (CSV file)

Available Reports
The reports listed below are available in the Sentinel EMS Reports facility.

Report Name Report Description

Entitlements
Customer Entitlement Lists all entitlements for customers and channel partners.
Customer Activation Lists activations by customer
Total Entitlement Utilization Summarizes total and activated entitlements by Product
Licenses
License Expiration Lists all licenses due to expire within a specific period.
Most Popular Products Indicates orders for Products during a given period by channel
Ordered partner

Custom Reports
The Sentinel EMS Reports facility provides you with the capability of defining custom reports. This
enables you to design reports that satisfy the specific business requirements for your
organization.
Custom Reports are defined by creating an SQL query that extracts the specific information you
require from the Sentinel EMS database. For more information, select the Administration >
Custom Reports tab in the Sentinel EMS window.
174 Chapter 14: Generating Sentinel LDK Reports

The Custom Reports facility is licensed separately from Sentinel EMS. To obtain a license to use
the Custom Reports facility, contact your SafeNet representative.
 PART 4 - DISTRIBUTING SOFTWARE
In this section:

n "Chapter 15: Distributing Sentinel LDK With Your Software" on page 177

Describes options for distributing required software to your end users.
n "Chapter 16: Sentinel Admin Control Center" on page 187
Describes the configuration and management functionality of Sentinel Admin Control
Center, an end-user utility that enables centralized administration of Sentinel License
Managers and Sentinel protection keys.
 15
Chapter 15:
Distributing Sentinel LDK With Your
Software

This chapter introduces options for distributing required software to your end users.

In this chapter:

n "Sentinel LDK Software for End Users" on page 177

n "Distributing Sentinel LDK Run-time Environment" on page 179

Sentinel LDK Software for End Users

Every Sentinel LDK installation includes software that you need to distribute to your end users.
This software must be installed at your customer’s site to ensure that your protected and licensed
software functions correctly.

Protection-related Software
In many instances, the Sentinel LDK Run-time Environment must be installed on the computer of
each end user who will use the protected application so that the application can communicate
with the Sentinel protection key. For information on when the Run-time Environment is required,
see "Protection Keys That Require Sentinel LDK Run-time Environment" on page 179.
There are a number of ways in which the Run-time Environment can be installed. For more
information, see "Distributing Sentinel LDK Run-time Environment" on page 179.
For protected .NET assemblies or Java applications, the following additional files must be
distributed with your protected application:

Type of End User

Protected Operating Additional File Required
Application System
.NET assembly 32-bit Windows haspdnert.dll
64-bit Windows haspdnert_x64.dll
178 Chapter 15: Distributing Sentinel LDK With Your Software

Type of End User

Protected Operating Additional File Required
Application System
Java application 32-bit Windows HASPJava.dll
64-bit Windows HASPJava_x64.dll
Mac OSX libHASPJava.dyliblibHASPJava.jnilib
32-bit Linux libHASPJava.so
64-bit Linux libHASPJava_x86_64.so
All Customized Sentinel Licensing API dynamic libraries (copied
automatically to the output directory by Sentinel Envelope)
These native library files enable the protected application to communicate with the
Sentinel protection key.

For Linux applications that were protected using Sentinel LDK Envelope and that run under
Red Hat EL 6.4: The installer for the protected application should determine if libXaw
libraries are present on the end user's computer and, if not, install them.

Network Environment Management

Your end users can manage their network licenses online using Sentinel Admin Control Center.
Ensure that you send them the URL for accessing this application. For additional information, see
"Chapter 16: Sentinel Admin Control Center" on page 187.

Software for Updating Licenses

Sentinel Remote Update System is distributed when remotely updating licenses in deployed
Sentinel protection keys. For additional information on this utility, see "Chapter 13:
Sentinel Remote Update System" on page 165.

Data File Protection Plugin

Given the following circumstances:
n You are distributing FLV or SWF data files that are protected with Version 2 data file
protection.
n You want your customers to view these files using the Internet Explorer Web browser.
You must provide your customized version of the Data File Protection plugin to end users. For
more information, see "Data File Protection Plugin " on page 99.
For more information on data file protection, see "Chapter 7: Protecting Data Files" on page 95.
 Distributing Sentinel LDK Run-time Environment 179

Distributing Sentinel LDK Run-time Environment

Depending on the type of Sentinel protection key, Sentinel LDK Run-time Environment may be
required on the end user's computer to enable your protected software to run by communicating
with Sentinel protection keys. For more information, see "Protection Key Attributes" on page 47.
(For Mac and Linux, Sentinel LDK Run-time Environment is always required.
The following sections describe when the Run-time Environment is required and the various
options available for distributing the Run-time Environment to your end users.
n "Protection Keys That Require Sentinel LDK Run-time Environment" on page 179
n "Sentinel LDK Run-time Environment for Windows" on page 180
n "Sentinel LDK Run-time Environment for Mac" on page 184
n "Sentinel LDK Run-time Environment for Linux" on page 184
n "Sentinel LDK Run-time Environment for Android" on page 185

Protection Keys That Require Sentinel LDK Run-time Environment

Sentinel LDK Run-time Environment is a system component that enables communication between
a protected application and a Sentinel protection key. Sentinel LDK Run-time Environment also
contains Sentinel Admin Control Center, used to manage licenses.
Installation of Sentinel LDK Run-time Environment requires administrator privileges on the target
computer. However, on a Windows computer, Sentinel LDK Run-time Environment is not required
for all protected applications.
The tables that follow indicate when a protected application requires the presence of Sentinel LDK
Run-time Environment in order to execute.

Sentinel LDK Run-time Environment is always required under the following circumstances:
n When the protected application executes under Mac or Linux.
n When the protected application uses the Data Protection module to encrypt and
decrypt data in an external file AND the application was protected using Sentinel
LDK v.7.0 or earlier.

Standalone Licenses

A Standalone license is for a single protected application that executes on the computer where the
protection key is located (no concurrency).

Run-time Environment required on the computer

Type of protection key
where the protected application executes?
SL AdminMode key Yes
SL UserMode key No
SL Legacy key Yes
180 Chapter 15: Distributing Sentinel LDK With Your Software

Run-time Environment required on the computer

Type of protection key
where the protected application executes?
Sentinel HL (Driverless No
configuration) key
Sentinel HL (HASP Yes
configuration) key
HASP HL key Yes

Detachable Licenses

To attach a Detached license to a protected application installed on a remote computer, the Run-
time Environment must be installed on the remote computer.

Network Seat Licenses

A Network Seat license is installed on a single computer with a Run-time Environment.

The protected applications can run on remote computers in the same network. The Run-time
Environment is not required on the remote computer where the protected application executes.
The following Sentinel protection keys support Network Seat licenses:
n SL AdminMode keys (with concurrency)
n SL Legacy keys (with concurrency)
n Sentinel HL (HASP configuration) Net and NetTime keys
n Sentinel HL (Driverless configuration) keys (with concurrency) – all types except for Basic

Sentinel LDK Run-time Environment for Windows

The following options are available for distributing Sentinel LDK Run-time Environment for
Windows operating systems:
n Use Windows Update to download the Sentinel LDK Run-time Environment. An Internet
connection is required for this process.
n Integrate installation of the Sentinel LDK Run-time Environment into your application’s
installer using either of the two options below:
o Sentinel LDK Run-time Environment Merge module
o Sentinel LDK Run-time Environment Installation API
n Deliver either of the following Sentinel LDK Run-time Environment installation utilities to
your end users:
o HASPUserSetup.exe : A GUI-based installer
o haspdinst.exe : A command-line utility
Each of these methods is described in greater detail in this section.
 Distributing Sentinel LDK Run-time Environment 181

Windows Update

If your end users are running the protected software on Windows XP or later platforms, and can
access the Internet, they simply need to connect a Sentinel protection key on their machines. The
Sentinel LDK Run-time Environment is certified by Microsoft, and is therefore automatically
downloaded from the Microsoft Update site.
When your end users connect a Sentinel protection key:
1. The system informs them that a new component has been detected.
2. The Sentinel LDK Run-time Environment is automatically installed.
3. The LED on the Sentinel protection key lights up, indicating that the installation process is
complete.

Sentinel LDK Run-time Environment Merge Module

The Sentinel LDK Run-time Environment installation is available as a merge module, in the file
haspds.msm . You can use the merge module to seamlessly integrate the Sentinel LDK Run-time
Environment installation in your MSI installation. Merge modules deliver shared Windows Installer
components, code, files, resources, registry entries and setup logic in a single, composite file.

The haspds.msm merge module cannot be run as a standalone application.

When integrated with your MSI installer, the haspds.msm merge module copies the haspds_
windows.dll into the Win32 system directory of the end user’s computer. The haspds_
windows.dll is called by the MSI module to install or uninstall the Sentinel LDK Run-time
Environment.
The benefits of using the Sentinel LDK installation merge modules in a single unified MSI installer
include:
n Providing end users with a single, compound file for your application that includes the
Sentinel LDK Run-time Environment installation
n Installation self-repair provided by reusing the MSI installer
A demonstration of the use of the haspds.msm merge module is provided. For more information,
see "Sample Merge Module Installer" on page 182.
Implementation Requirements

Before including the Sentinel LDK merge module in your installer, review the following
requirements:
n The Sentinel LDK merge module require Windows Installer version 2.0 or later.
n To successfully execute the Run-time Environment installation, end users require
administrator rights. Ensure that this is accounted for in your installation scripts.
n Processes that require the Sentinel LDK Run-time Environment should not be active in the
background when installing the Run-time Environment.
182 Chapter 15: Distributing Sentinel LDK With Your Software

n Before validating the WSM module, change the project properties to relate to your
specific development environment.
n If you intend to apply a digital signature to your installer, ensure that you first adjust the
properties in your development environment.
n Before compiling the MSI project, change the path to external files to match your
development environment
Implementation

Implementation of Sentinel LDK merge modules is a straightforward process that simply requires

you to add the .msm file containing the Run-time Environment installation to your MSI-compliant
installer setup. After you have created your MSI installer, the wrapped file automatically includes
the Sentinel LDK installation merge module.
The haspds.msm merge module can be found in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\API\RuntimeInstall\MSI
(For Windows x86, in: %SystemDrive%\Program Files\...)

n Do not alter the versioning data in the default merge module, or the MSI DLL
sample.
n Do not alter any entity in the default merge module.
n When the Run-time Environment is already installed on a target machine:
o If you install a version of haspds_windows.dll that is newer than the
already-installed haspds_windows.dll, the installed DLL will be replaced with
the new one.
o If a new version of haspds_windows.dll is the same as the previous
version, the file timestamp will be compared. If the version of the DLL that
is being installed is equal to or older than the existing haspds_windows.dll,
the DLL will not be replaced.
In any case the haspds_windows.dll will be executed.

Sample Merge Module Installer

A sample MSI installer containing the Sentinel LDK merge module is provided and should be
reviewed before implementing the haspds.msm merge module into your own installer.
The sample installer is a full MSI-installer containing the Sentinel LDK Run-time Environment
installation merge module and the required shared libraries for installing the Run-time
Environment.
The sample installer does the following:
n Verifies that the user has the requisite administrator rights to install the Run-time
Environment
n Stops a running Sentinel License Manager service before the Run-time Environment is
 Distributing Sentinel LDK Run-time Environment 183

installed, and re-starts the service after the installation is complete.

n Installs or removes Run-time Environment
The sample installer can be found in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\API\RuntimeInstall\MSI
(For Windows x86, in: %SystemDrive%\Program Files\...)
Before attempting to try the sample installer, review the following requirements:
n Administrator rights are generally required in order to install the Driver sample. However,
it is possible for a restricted user to install the Driver. For more information, see Microsoft
Support Knowledge Base article # 259459 (http://support.microsoft.com/kb/259459/en-
us).
n You must change the resource path to your own environment in the project files (*.wsi,
*.wsm) in order to successfully compile the samples.

You can incorporate a branded DLL into the sample by replacing the name of the demo
DLL with the name of the branded DLL.

Sentinel LDK Run-time Environment Installer API

Use the Sentinel LDK Run-time Environment installer API to integrate the installation process into
your custom setup application. For additional information, see the separate help file in the
RuntimeInstall directory described above.

haspdinst.exe

haspdinst.exe is a command-line utility that installs the Sentinel LDK Run-time Environment.

Following installation of Sentinel Vendor Suite , the file is located in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\Redistribute\Runtime
Environment\cmd Install
(For Windows x86, in: %SystemDrive%\Program Files\...)
You can distribute this standalone application to your end users.
To install the Sentinel LDK Run-time Environment using haspdinst.exe:

n At the command-line prompt, type haspdinst -i.

For a full list of the available switches for the haspdinst.exe utility, see the Sentinel LDK
Installation Guide.

HASPUserSetup.exe

HASPUserSetup.exe is a GUI-based installation program to independently install the Sentinel LDK

Run-time Environment. Following installation of Sentinel Vendor Suite, the file is located in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\Redistribute\Runtime
Environment\Setup
(For Windows x86, in: %SystemDrive%\Program Files\...)
184 Chapter 15: Distributing Sentinel LDK With Your Software

This easy-to-use program has an intuitive GUI-based wizard. After your end users run the file, they
should follow the on-screen instructions to complete the Run-time Environment installation.

Sentinel LDK Run-time Environment for Mac

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protected
and licensed applications on Mac OS X platforms.
All the Sentinel LDK software for Mac that is required for distribution to end users is provided in
the MacOS/Redistribute/ directory on your Sentinel LDK installation DVD.

Options for Distributing the Sentinel LDK Daemons

The software required to distribute the daemons is provided in the MacOS/Redistribute/ directory
on the Sentinel LDK installation DVD.
Multiple options are available for distributing the Mac daemons to end users. The following two
options are described:
n Installer Distribution Using a Multi-packager
n Installer Scripts
Installation Using a Multi-packager

The installation package can be integrated into any multi-package installer that includes the
installation for your own application. Include the Sentinel Runtime Installer.pkg in the mpkg.
To locate the Sentinel Runtime Installer.pkg:

1. In the MacOS/Redistribute/ directory, double-click Sentinel Runtime.dmg. The file opens.

2. Click the Install Sentinel Runtime Environment icon and select Show Original. The
.Packages window opens and Sentinel Runtime Installer.pkg is displayed.
For additional information, see the welcome.rtf file provided in the MacOS/Redistribute/
directory.
Installer Scripts

Installation scripts are provided in MacOS/Redistribute/ on the Sentinel LDK installation DVD.

Open the directory and click Sentinel Runtime Installer Scripts.dmg. A new volume named
Sentinel Runtime Installer Scripts is mounted on your desktop. The volume contains dinst and
dunst files and the payload/ directory.
You can copy the files in the volume and integrate them in your customized installer. The scripts
are not configurable.
For additional information on using the scripts, see the ReadMe.html file provided in the
Sentinel Runtime Installer Scripts volume.

Sentinel LDK Run-time Environment for Linux

Distribute the Sentinel LDK daemons—aksusbd and hasplmd—to end users running protected
and licensed applications on Linux platforms. Without the daemons, the end user’s system will
not recognize the connected Sentinel protection keys, and the protected applications will not run.
 Distributing Sentinel LDK Run-time Environment 185

All the Sentinel LDK software for Linux that is required for distribution to end users is provided in
the Linux/Redistribute/ directory on your Sentinel LDK installation DVD.

Using the Installer Scripts to Distribute the Sentinel LDK Daemons

Open the Linux/Redistribute/Runtime/script directory. The directory contains dinst (install) and
dunst (uninstall) scripts and the Sentinel LDK Run-time Environment.
You can integrate the scripts in your installer. The scripts are not configurable.

Using the DEB or RPM File to Distribute the Sentinel LDK Daemons

This option is available for Ubuntu, Debian, SUSE, CentOS, and RedHat Linux.
Open the Linux/Redistribute/Runtime directory. The directory contains the Sentinel LDK Run-time
Environment and the following files:
n For Ubuntu or Debian: aksusbd_version_i386.deb
n For RedHat, SUSE or CentOS: aksusbd-version.i386.rpm

Sentinel LDK Run-time Environment for Android

The protected Android application contains all required distribution files, including the Integrated
License Manager. No Run-time Environment is required.
 16
Chapter 16:
Sentinel Admin Control Center

Sentinel Admin Control Center is a customizable, Web-based, end-user utility that enables

centralized administration of Sentinel License Managers and Sentinel protection keys. This chapter
describes the configuration and Sentinel LDK management functionality.
In this chapter:

n "Introduction to Admin Control Center" on page 187

n "Sentinel License Manager" on page 188
n "Loss of Connection with a Network License" on page 192
n "Launching Admin Control Center" on page 193
n "Admin Control Center Interface" on page 193
n "Administrator’s Workflow" on page 194
n "Applying Basic Configuration Changes Globally" on page 198
n "Customizing Admin Control Center Look and Feel" on page 198
n "Working With Sentinel Admin API" on page 202

Introduction to Admin Control Center

Admin Control Center is designed to provide your end-user’s system administrator with the
means of managing the use of your licensed software by members of the organization. Admin
Control Center has been engineered in a way that makes it both flexible and customizable. This
makes Admin Control Center a useful add-on to your protected application.
Following are some of the benefits of Admin Control Center:
n Web-based, meaning that it can be easily accessed from any Web browser. The
administrator does not have to be physically present at your end user’s site in order to
manage the software licenses.
n Cross-platform capable, enabling it to be used on any platform on which a browser is
available.
n Fully customizable, enabling you to change the displayed information, appearance and
behavior so that it will, for example, integrate seamlessly into other applications or match
188 Chapter 16: Sentinel Admin Control Center

corporate styles. In addition, Admin Control Center can be displayed in a variety of

languages.
n Easy to use, meaning that it can be used with minimal configuration. In addition, the GUI
is intuitive, enabling the administrator to manage licenses without the need for a steep
learning curve.
n Enables configuration and control of licenses in a network.
All of the functionality that is available in Admin Control Center can also be accessed from any
program by calls to the Admin API. For more information, see "Working With Sentinel Admin API"
on page 202.

Sentinel License Manager

The Sentinel License Manager is a component of Sentinel LDK that is located on the machines
where the protected application executes and where the protection key is located.
The License Manager provides the protected application with information about the availability of
licenses (both local and remote) and manages access to the licenses.

Types of License Managers

Several types of License Managers exist, depending on the platform used.
n Integrated License Manager (Windows, Android)
The Integrated License Manager (Integrated LM) is included in the Sentinel LDK Licensing
API and in applications that were protected using Sentinel LDK Envelope.
The Integrated LM is able to directly handle local SL UserMode keys, local Sentinel HL
(Driverless configuration) keys, without the need for admin rights.
The Integrated LM has no user interface. Sessions for protection keys that are handled
directly by the Integrated LM are not visible in Admin Control Center. However, the
Integrated LM can be configured. For more information, see the Sentinel Admin API
Reference help file.
The Integrated LM can be upgraded by upgrading the Licensing API or by re-protecting
the application with the latest version of Sentinel LDK Envelope.

The Integrated License Manager for Windows is deprecated and will be

discontinued in one of the upcoming Sentinel LDK releases.

n External License Manager (Windows)

The External License Manager (External LM) is contained in a standalone file: hasp_rt.exe.
The hasp_rt.exe file must be placed in the same directory as the protected application.
The External LM is able to directly handle local SL UserMode keys, local Sentinel HL
(Driverless configuration) keys, without the need for admin rights. To handle SL UserMode
 Sentinel License Manager 189

protection keys, you must place your customized Vendor library in the same directory as
the protected application.
The External LM has no user interface. Sessions for protection keys that are handled
directly by the External LM are not visible in Admin Control Center. However, the External
LM can be configured. For more information, see the Sentinel Admin API Referencee help
file.
The External LM can be upgraded by simply replacing the hasp_rt.exe file with a later
version of the file.

n Admin License Manager (Windows, Mac, Linux)

The Admin License Manager (Admin LM) is included as part of the Run-time Environment.
The Run-time Environment also includes device drivers, data file encryption drivers, and
Sentinel Admin Control Center, which is the user interface for the Admin LM.
The Admin LM can manage all Sentinel HL and SL keys, with the exception of SL UserMode
keys. Sessions for protection keys that are handled by the Admin LM are visible in Admin
Control Center.
The Admin License Manager must be present on machines where remote protection keys
are located.
Installation of the Run-time Environment on a computer requires admin rights. No special
rights are required after the installation.
The table that follows summarizes the differences between the various types of License Managers.

Admin External Integrated

Attribute License License License
Manager Manager Manager
Supported platforms Windows, Windows Windows,
Mac, Linux Android
Requires admin rights for installation Yes No No
Easily upgradable Yes Yes No
Requires additional files Yes Yes No
Supports Sentinel HL (Driverless configuration) key Yes Yes Yes
Supports Sentinel HL (HASP configuration) key and Yes No No
HASP HL key
Supports SL AdminMode key Yes No No
Supports SL UserMode key No Yes Yes
Supports SL Legacy key Yes No No
Supports remote network key Yes No No
190 Chapter 16: Sentinel Admin Control Center

Selection of License Manager Under Windows

On a Windows platform, two or more types of License Manager may be available to a protected
application. The application selects the License Manager based on the type and location of the
protection key that contains the required license. This section describes the process by which the
License Manager that will directly access the protection key is selected.
The Integrated LM is always present in a protected application. The External LM is optionally
present also. One of the two is always selected to directly access a local protection key or to hand
off access requests to a local or remote Admin License Manager.
The License Managers to directly and indirectly access the protection key are selected as follows:
1. The Integrated LM is selected if the External LM is missing or is an older version. Otherwise,
the External LM is selected.
2. A local SL UserMode key is always directly accessed by the selected Integrated/External LM.
3. A local Sentinel HL (Driverless configuration) key is directly accessed by the selected
Integrated/External LM if a local Admin LM is absent or is an older version than the
Integrated/External LM. Otherwise, access requests are forwarded to the local Admin LM.
When a protection key is accessed directly by the Integrated/External LM, the
session created for the protection key is not displayed in Sentinel Admin Control
Center.

4. Access requests for other types of local protection keys are always forwarded to the local
Admin LM.
5. When the protection key (of a type that supports network operation) is on a remote
machine, the selected Integrated/External LM handles communication directly with the
Admin LM on the remote machine, even if a local Admin LM exists. However, if a local
Admin LM exists and is active, the Integrated/External LM retrieves the list of servers (if
such a list exists) from the local Admin LM.
The following diagram shows a graphical representation of the process by which the License
Manager to directly access the protection key is selected.
 Sentinel License Manager 191

Legend:

The External LM is selected unless the Integrated LM is a more recent version than the
External LM or unless the External LM is not present.
For the Sentinel HL (Driverless configuration) key: The key is directly accessed by the Admin
LM unless the selected Integrated/External LM is a more recent version than the Admin LM,
or unless the Admin LM is not present.
The following table provides a summary of which License Manager is selected to directly access
each type of protection key. Note that the Admin LM and External LM are not necessarily present
in all cases.
192 Chapter 16: Sentinel Admin Control Center

Type of protection key Location

License Manager selection priority (from
that contains the required of the
highest to lowest)
license key
Sentinel HL (Driverless Local 1. Admin LM (if the Admin LM is the same or a
configuration) key more recent version than the External LM and
the Integrated LM)
2. External LM (if the External LM is the same or
a more recent version than the Integrated
LM)
3. Integrated LM
Sentinel HL (HASP Local Admin LM
configuration) or HASP HL key
SL Legacy key or SL Local Admin LM
AdminMode key
SL UserMode key Local 1. External LM (if the External LM is the same or
a more recent version than the Integrated
LM)
2. Integrated LM
A protection key that supports Remote (Remote) Admin LM
concurrency

Selection of License Manager for Protected Data Files Under Windows

Selection of the License Manager for data files with licensing protection is determined by the
location of the protected application or the Web browser that is used to access the data files, and
not by the location of the data files. Therefore, the process for selection of the License Manager is
the same as for any other protected application on a Windows platform.

Selection of License Manager Under Mac and Linux

On Mac and Linux platforms, only the Admin LM is supported. For a local protection key, all
access requests are handled by the local Admin LM. For a remote protection key, the local Admin
LM passes the access request to the Admin LM on the remote machine where the protection key
is located.

License Manager Under Android

On Android platforms, only the Integrated LM is supported. The Integrated LM handles all access
requests for a local protection key. Remote protection keys are not supported.

Loss of Connection with a Network License

A network-type protection key (HL or SL) that contains Features with concurrency typically does
not reside on the same computer as the protected application.
 Launching Admin Control Center 193

Under certain circumstances, the communication between the protected application and the
protection key may be lost. For example, the protected application may fail or the computer that
hosts the protected application may crash. As a result, the protection key has an open session for
a non-existent instance of the protected application, reducing the number of available network
seats for the application in the license.
Sentinel License Manager contains an automatic function that identifies instances where a
network protection key and the relevant protected application (on separate computers) have
become disconnected. License Manager handles this situation as follows:
n If both computers contain active instances of License Manager, but the protected
application fails, License Manager on the computer that hosts the network protection key
immediately closes the session and frees the network seat for re-use.
n If only the computer that hosts the network protection key contains an active instance of
License Manager, the session times out after three minutes. At that point, License
Manager frees the network seat for re-use.
This functionality is completely automatic and requires no setup or configuration activities by the
software vendor or the end user.

Launching Admin Control Center

Admin Control Center is installed as part of the Sentinel LDK Run-time Environment driver
installation process.
Admin Control Center is launched by typing http://<machine_name or ip_address>:1947 in the
address field of the browser. If you are accessing the Sentinel License Manager residing on your
own machine, type http://localhost:1947.

If Admin Control Center Web pages do not display, see "Appendix J: Troubleshooting" on
page 295.

Admin Control Center Interface

When you launch Sentinel Admin Control Center, the Web interface displays a number of
Administration Options on the left of the page. The Sentinel Admin Control Center help system
provides information about the fields for each option. Note that the options relate to
Sentinel License Manager on the machine whose name or IP address appears in the title bar of
Admin Control Center. The following options are available:
n Sentinel Keys enables you to identify which Sentinel protection keys are currently present
on the network, including locally connected keys.
n Products enables you to view a list of all the Base Products available on all
Sentinel License Managers (local and network). In addition, when a Product contains
Features with detachable licenses you can see the number of licenses for the Product that
are currently available to be detached from the network and the maximum duration for
which they may be detached. This option also enables you to access the Detach/Extend
194 Chapter 16: Sentinel Admin Control Center

functions.
The Product name for Products that are licensed with Sentinel HL keys are not
necessarily displayed in Admin Control Center. For more information, see
"Appendix I: How to Make Product Names Visible on the End User's Machine" on
page 293.

n Features enables you to view a list of the Features that are licensed in each of the
Sentinel protection keys that are currently present on the network, including locally
connected keys. In addition, you can see the conditions of the license, and the current
activity related to each Feature.
n Sessions lists all the sessions of clients on the local machine, and those remotely logged in
to Sentinel License Manager on the local machine. You can view session data and
terminate sessions.
n Update/Attach enables you to update existing licenses on a Sentinel protection key in the
field and, in the case of Sentinel SL keys, to attach a detachable license to a recipient
machine. It also enables you to apply identification details of an offline recipient machine
to a host machine in order to create a file for a detachable license.
n Access Log enables you to view a history of log entries for the server on which
Sentinel License Manager is running.
n Configuration enables you to specify certain operating settings for Sentinel Admin Control
Center running on the connected machine. You can set parameters relating to user
access, access to remote Sentinel License Managers, and access from remote clients. In
addition, you can customize log template files in terms of the data they return.
n Diagnostics enables you to view operating information for the Sentinel License Manager
to which you are currently logged in, to assist in diagnosing problems. You can generate
reports in HTML format. This option also enables you to view miscellaneous data relating
to the use of the server on which Sentinel License Manager is running.
n Help displays the Sentinel Admin Control Center help system. Context-sensitive help is
available within each of the functions described above, by clicking the Help link at the
bottom of the page.
n About provides information about the version of Sentinel License Manager, and a link to
the SafeNet, Inc. Web site.
n Country Flags enables you to change the language of the user interface by clicking on the
flag of the country appropriate to the language you require. Languages other than English
can be downloaded from the Sentinel Web site.

Administrator’s Workflow
When you first launch Admin Control Center, the utility is preconfigured to run automatically.
However, you may want to customize it to your requirements and to specify users and their
access permissions, and access permissions between remote machines and local servers. Changes
to the configuration of Admin Control Center are made in the Configuration tab of the application.
 Administrator’s Workflow 195

The basic configuration changes that you can make include:

n Specifying a name for the local machine
n Enabling access from remote machines to the Admin Control Center on this machine
n Setting the display refresh time
n Defining how many rows of data will be displayed on a page
n Specifying the logs that are to be created and their content, and customizing information
that will be displayed in the log
n Setting an Admin password
Following the configuration set up, you can define:
n Users and their access privileges
n Access parameters to remote Sentinel License Managers
n Access privileges from remote client machines to a Sentinel License Manager on the
current machine

Configuration Considerations
Before you make certain configuration changes to Admin Control Center, it is recommended that
you consider their implications. This section provides a guide to assist you in this process.

Customizing Log Parameters

You can specify whether Admin Control Center should create an access log and the data that
should be included in the log file.
Access the Edit Log Parameters page by clicking Edit Log Parameters in the Basic Settings tab of
the Configuration page.
Additional information about log file parameters is provided in the Admin Control Center help
system.

Managing Access to Sentinel License Managers

Managing Access to Sentinel License Managers is performed in the Users and Access from Remote
Clients tabs in the Configuration page. The following paragraphs discuss the issues that you need
to consider when setting these parameters.
Users

The user restrictions that you define are evaluated in the order in which they are specified, and
the evaluation process stops when the first match is found. You therefore need to take care that
the restrictions are listed in an order that satisfies this logic.
The value allow=all@all is implicitly added to the end of the list. According to the logic just
described, if this value was at the beginning of the list, all subsequent restriction values would be
ignored.
Additional information about defining restriction values is provided in the Admin Control Center
help system.
196 Chapter 16: Sentinel Admin Control Center

Access from Remote Clients

When you define criteria relating to the remote machines that can access Sentinel License
Manager on the current machine, you need to define access restrictions. The remote client access
restrictions that you define are evaluated in the order in which they are specified, and the
evaluation process stops when the first match is found. You therefore need to take care that the
restrictions are listed in an order that satisfies this logic.
The value allow=all is implicitly added to the end of the list. According to the logic just described,
if this value was at the beginning of the list, all subsequent restriction values would be ignored.
Additional information about defining remote client access restriction values is provided in the
Admin Control Center help system.
Accessing Sentinel License Manager Located on a Different Subnet

When a Windows application that is protected with Sentinel LDK v.6.0 or later is located on a
different subnet than Sentinel License Manager and the Sentinel protection key, you must create a
separate configuration file to enable the application to find the License Manager. Create a file
called hasp_vendorID.ini, where vendorID is the Vendor ID associated with your Batch Code (for
the DEMOMA Batch Code, use hasp_demo.ini). Place the file on the same machine as the
protected application, in the directory described below.

Type of application Directory

Desktop %LocalAppData%/SafeNet Sentinel/Sentinel LDK/
(Windows Vista/7 or
later)
Desktop %UserProfile%/Local Settings/Application Data/SafeNet
(Windows XP) Sentinel/Sentinel LDK/
Service (LocalSystem) %windir%\SysWOW64\config\systemprofile\AppData\Local\SafeNet
x64 operating system Sentinel\Sentinel LDK\
Service (LocalSystem) %windir%\System32\config\systemprofile\AppData\Local\SafeNet
x86 operating system Sentinel\Sentinel LDK\
Service (Network) %windir%\ServiceProfiles\NetworkService\AppData\Local\SafeNet
Sentinel\Sentinel LDK\
Example
For a desktop application, for Vendor ID 37517 and a user named test1, create the following file:
n For Windows Vista or Windows 7:
%SystemDrive%\Users\test1\AppData\Local\SafeNet Sentinel\Sentinel LDK\hasp_
37517.ini
n For Windows XP:
%SystemDrive%\Documents and Settings\test1\Local Settings\Application Data\SafeNet
Sentinel\Sentinel LDK\hasp_37517.ini

A separate .ini file must be created on the machine for each user of the protected
application.
 Administrator’s Workflow 197

The hasp_vendorID.ini file should contain the following line:

SERVERADDR = remoteServerAddress
where remoteServerAddress is the IP address or computer name of the remote machine that
contains Sentinel License Manager and the protection key.

Searching for Sentinel License Managers

The Access to Remote License Manager tab in the Configuration page is used determine which
locations to include when the local Sentinel License Manager searches for remote Sentinel License
Managers.
When you define criteria relating to the machines that may be searched for Sentinel License
Manager, you can choose to:
n Enable a “broadcast” that searches all machines on the local network
n Search the default local group in an IPv6 subnet
n Restrict the search to specific machines. In this case, it is necessary to specify each
machine that may be searched—by specifying either its name or its IP address.

Configuring Detachable License Definitions

In Sentinel EMS, it is possible to flag network-based licenses for Features in Products that will be
locked to Sentinel SL keys as being detachable. This means that the Product license can be
temporarily detached from a pool of network seats and attached to a remote recipient machine
for a specific period of time. At the end of the detachment period, the license is automatically
restored to the network pool. Prior to the expiration of the license, it is possible to extend its
detachment period, or to cancel the detachment and to return the license to the network pool
early.

Licenses cannot be detached unless this functionality is enabled as described in this

section.

You enable or disable the ability to detach licenses in the Detachable License tab of the
Configuration page. You can also specify criteria relating to the number of licenses that can be
detached from the pool of network seats and the maximum period for which the licenses can be
detached. You can specify global settings for all Products, or click the Per-Product Settings button
to customize settings for individual Products. Global settings will also affect any Products for
which individual settings have not been specified.

Diagnostics

The Diagnostics page enables you to view and extract operating information for the
Sentinel License Manager to which you are currently logged in, to assist in diagnosing problems.
You can generate diagnostics reports in HTML format.
Occasionally, it is necessary to create a file containing the machine identity details of a remote
recipient machine. This information is required in order for a host machine to identify which
machine a detachable license will be attached to. The Diagnostics page enables you to create this
198 Chapter 16: Sentinel Admin Control Center

file for the local machine on which Admin Control Center is running by using the Create ID File
button.
Additional information about the data provided in the Diagnostics page is available in the Admin
Control Center help system.

Applying Basic Configuration Changes Globally

You can make configuration changes to Admin Control Center, and deploy them to multiple
machines on the network, as follows:
1. Make the required changes on one machine, using the Configuration page of Admin
Control Center. The changes are saved in the hasplm.ini file.
2. Read the full path name of hasplm.ini, which is located at the bottom of the Configuration
page. The Sentinel LDK base directory is the directory in which the hasplm.ini file resides.
By default, the Sentinel LDK base directory is:
o For Windows x64: %CommonProgramFiles(x86)%\Aladdin Shared\HASP\hasplm.ini
o For Windows x86: %CommonProgramFiles%\Aladdin Shared\HASP\hasplm.ini
o For Linux/Mac: /etc/hasplm/hasplm.ini (The file is created the first time that the
Run-time Environment starts and you submit configuration changes.)

If you are using Windows in a language other than English, locate the directory in
which the common files are stored. (In English Windows, the Common Files folder).

3. Copy hasplm.ini and use it to overwrite hasplm.ini on all the other machines on the
network.

Customizing Admin Control Center Look and Feel

You can change the language, displayed information, appearance, and behavior of Admin Control
Center so that, for example, it will integrate into other applications or match your organization’s
corporate styles.
The Admin Control Center user interface consists of HTML, GIF, and other files, which are located
inside the executable (EXE) file hasplms.exe. When you implement additional template sets, you
must add them to a fixed directory structure under the Sentinel LDK base directory.

As an alternative to customizing Admin Control Center, you can develop your own
interface to Admin Control Center functionality by using the Sentinel Admin API. For more
information, see "Working With Sentinel Admin API" on page 202.
 Customizing Admin Control Center Look and Feel 199

To create a directory for a custom template:

1. Locate the templates directory inside the Sentinel LDK base directory. The location of the
Sentinel LDK base directory is described in "Applying Basic Configuration Changes Globally"
on page 198.
2. Add \SafeNet Sentinel\Sentinel LDK\templates\<your_template_folder_name> to the directory. For
example, using an English version of Windows 7, the full path is:
%SystemDrive%\Program Files (x86)\Common Files\Aladdin
Shared\HASP\templates\myTemplates

You can create multiple templates inside your templates directory

Each time Sentinel License Manager is launched, the application reads the files in all
the directories (except .bak files). To expedite the launch time, it is recommended
that you keep the directories free of unnecessary files.

3. Restart the Sentinel License Manager,

OR
Call http://127.0.0.1:1947/action.html?reload_templates to reload the new template.
To verify your customized template, from a browser on your local machine, open:
http://127.0.0.1:1947/<yourTemplateDirectory>.

Writing Templates
A template is an ASCII text file (typically HTML, but also XML, CSV, or other possibilities) that
contains place holders (tags) for variables that are inserted by the Sentinel License Manager when
a request is made via HTTP.
In addition, the file may contain block tags that surround a block of text and tags, and generally
iterate a list (of Sentinel protection keys, Features, sessions, or other entities). For example,
{tagname}repeatingblock{/tagname}

The place holders are written as {placeholdername}. For a complete list of available place holder
names, their description and usage, see tagxref.txt in:
%SystemDrive%\Program Files (x86)\SafeNet Sentinel\Sentinel LDK\Docs\Manuals &
Tutorials\Admin Control Center Customization\templates
(For Windows x86, in: %SystemDrive%\Program Files\...)
Not all tags work in every context, and some will have different values depending on how they are
used. For example, when {logincount} is used in a global context, it returns the total login count
for the server. When logincount is used inside {devicelist} {/devicelist}, it returns the login
count for the currently selected Sentinel protection key. If logincount is used inside
{featurelist} {/featurelist}, it returns the login count for the currently selected Feature.
A special include tag is available—{#include "filename.ext"}—that will return the contents of a
specific file instead of a value. Includes (included files) must not be nested, and must not include a
path (meaning that included files must reside in the same directory as the template).
If a table displayed in a browser page returns *** illegal tag: xxx ***, the tag is either
unrecognized, or is illegal in the current context.
200 Chapter 16: Sentinel Admin Control Center

In JavaScript, {placeholders} are replaced. To use an opening curly bracket {, without it being
replaced or generating an illegal tag error, ensure that a white space (space, CR, LF, or tab)
follows the curly bracket. In this case, it will be passed without modification.
To output something such as {this} without it being parsed, use the HTML notation for a curly
bracket—&#123;this}.
For additional assistance, refer to the sample templates in the templates directory described
above.
Default Templates and Samples

Three sets of template source code are provided:

n sample provides a very simple example of how to use templates and tags.
n csv provides an example for generating a comma-separated (.csv) file for importing to a
spreadsheet or database, or for processing by your own program. It produces a CSV list
of all available Features.
n en is the complete English-language version of Admin Control Center, as included in the
Sentinel License Manager application (hasplms.exe). The template uses AJAX technologies
to increase ease of use. For translations, or creating a specific corporate identity, use this
template set as a starting point.
You can also incorporate some or all of the Sentinel Admin Control Center functionality into your
own Web application, possibly with the use of (i)frames or other methods.

Sample CSV Output

This section provides a sample CSV output. Such output is useful for tasks such as importing the
data into spreadsheets or databases.
Using a template such as:

c:\>type templates\csv\features.txt{featurelist}{index}, {hhlid}, {featureid}, "

{local}", "{concurrtext}", {priority}, {fileid},
{filetag}, {logincount}, {loginlimit}, {sessioncount}{/featurelist}

The following output is produced:

c:\&gt;wget http://10.24.2.23:1947/csv/features.txt -Of.txt &amp; type f.txt

--17:23:44-- http://10.24.2.23:1947/csv/features.txt
=&gt; `f.txt'
Connecting to 10.24.2.23:1947... connected!
HTTP request sent, awaiting response... 200 OK
Length: 1,411 [text/plain]
1, 0x335918F1, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 0
2, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1234, 0x0C, 0, 7, 0
3, 0x335918F1, 0x00001357, "local", "L", 0, 0xABCD, 0x0B, 0, 0, 0
4, 0x335918F1, 0x000CAFF1, "local", "L", 0, 0xCAF1, 0x0B, 0, 0, 0
5, 0x335918F1, 0x000CAFF2, "local", "L", 0, 0xCAF2, 0x0B, 0, 0, 0
6, 0x335918F1, 0x000000A1, "local", "LNS", 0, 0xCAF3, 0x0C, 1, 7, 4
7, 0x335918F1, 0x000000A2, "local", "LNS", 0, 0xCAF4, 0x0C, 0, 7, 0
8, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1235, 0x0C, 0, 7, 0
9, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1236, 0x0C, 0, 7, 0
 Customizing Admin Control Center Look and Feel 201

10, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1237, 0x0C, 0, 7, 0

11, 0x335918F1, 0x0000BEEF, "local", "LNS", 0, 0x1238, 0x0C, 0, 7, 0
12, 0x389C1FAB, 0x00000000, "local", "L", 0, 0xFFCB, 0x0B, 0, 0, 0
13, 0x389C1FAB, 0x00012345, "local", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 0
14, 0x389C1FAB, 0x00055779, "local", "L", 0, 0xBEEF, 0x0B, 0, 0, 0
15, 0x33C90F7A, 0x00011223, "10.24.2.17", "LNS", 0, 0xAFFE, 0x0C, 0, 7, 0
16, 0x33C90F7A, 0x00097531, "10.24.2.17", "LNS", 0, 0x1234, 0x0C, 0, 7, 0
17, 0x33C90F7A, 0x00002FAC, "10.24.2.17", "LNS", 0, 0xCAF2, 0x0C, 0, 7, 0
18, 0x33C90F7A, 0x000AFFEE, "10.24.2.17", "LNS", 0, 0xCAF5, 0x0C, 0, 7, 0
19, 0x33C90F7A, 0x000DFEED, "10.24.2.17", "LNS", 0, 0xCAF9, 0x0C, 0, 7, 0
20, 0x33C90F7A, 0x000FFE01, "10.24.2.17", "LNS", 0, 0x00A1, 0x0C, 0, 7, 0

Configuring Admin Control Center to Use Your Custom Template

After you have created your template, you want to be sure that Admin Control Center loads your
customized settings whenever it launches.
By default, when you enter http://[servername]:1947 in your browser, the internal factory default
templates are used. The URL is redirected to http://[servername]:1947/_int_/index.html. _int_ denotes the
internal directory. If you replace _int_ with sample, the templates from the sample directory are
used.

To direct Admin Control Center to use your Custom Template:

1. Open Admin Control Center in your browser. By default, the application opens at this URL:
http://[servername]:1947/_int_/index.html

2. In the URL, replace _int_ with the name of the custom template you wish to use.
3. Create a shortcut to the address of Admin Control Center with your template.
Using this process, multiple browser windows can use multiple templates simultaneously.
URL Redirections Using HTTP 302

Following is a list of sample URLs to which the browser is redirected when a specific URL is
entered.
Note that you do not require this information for translation or simple layout changes in your
template. However, it is required if you are changing the logic of Admin Control Center (for
example, by adding or removing pages, or merging Admin Control Center functions into another
application).

URL Entered URL Displayed

[server name]:1947 [server name]:1947/_int_
Provides a shortcut to the main Admin Control Center page /index.html
[server name]:1947/corporate.html [server name]:1947/_int_
Automatically switches to the internal template. (_ini_) is set /corporate.html
when no template has been specified
[server name]:1947/csv/devices.txt [server
Does not change because the template (csv) and file name are name]:1947/csv/devices.txt
specified
202 Chapter 16: Sentinel Admin Control Center

URL Entered URL Displayed

[server name]:1947/sample [server
Automatically redirects to the index.html file when no file name name]:1947/sample/index.html
has been specified
It is sufficient to type only the URL of Sentinel Admin Control Center— it automatically
redirects to the index page.

Working With Sentinel Admin API

Sentinel Admin API provides the functionality available in Admin Control Center and Sentinel
License Manager in the form of callable API functions. You can call functions to retrieve
information from local or remote License Managers and to perform actions in these License
Managers. For example, you can call functions to:
n Examine the configuration of a License Manager installation and make modifications to
the configuration
n Examine a list of accessible protection keys; retrieve all Feature data for a specific
protection key
n Detach a protection key from one computer and attach it to a different computer
n Apply a V2C file
Sentinel Admin API is incorporated into Sentinel LDK ToolBox. The ToolBox help system includes
descriptions of the API functions and the XML templates required to work with the API.
Sentinel Admin API is only available under the Windows operating system.
 PART 5 - LICENSING MODELS
In this section:

n "Chapter 17: Sentinel LDK Licensing Models: Overview" on page 205

Provides an overview of Sentinel LDK Licensing models.
n "Chapter 18: Sentinel LDK Licensing Models: Description of Models" on page 209
Provides a detailed description of the various Sentinel LDK Licensing models that you can
use to distribute your software.
 17
Chapter 17:
Sentinel LDK Licensing Models:
Overview
In this chapter:

n "Introduction" on page 205

n "Sentinel LDK Licensing" on page 206
n "Determining the Best Protection and Licensing Method" on page 207
n "About This Section" on page 207
n "How to Use the Licensing Models" on page 208

Introduction
Today’s software industry is more competitive than ever. As with many other industries that once
enjoyed exceptionally high margins, software products are increasingly regarded as commodities,
with resulting deterioration in both revenues and bottom line profits. To counteract these trends,
software publishers and vendors now see the need to change the way they market their products,
to increase the value they offer their customers and to better differentiate their offerings from the
competition.
Licensing is among the most promising approaches for achieving more-competitive, value-based
offerings. Today, software publishers and vendors are seeking ways of moving away from the
traditional model—based on perpetual licenses and printed End User License Agreements—toward
more flexible licensing models. New licensing tactics such as trialware, demoware, module- and
feature-based licensing, rental, subscription, network licensing—and combinations of these—
enable software publishers and vendors to adapt to dynamic markets by offering compelling
products that target broader, more segmented markets.
Sentinel LDK is designed specifically to assist software publishers and vendors in pursuit of more
competitive product offerings. It not only offers the highest possible level of protection—both
against illegal copying and in securing critical intellectual property (IP)—it also enables rapid
implementation of novel licensing and distribution models, without the need for extensive
engineering of product source code. This enables software publishers and vendors to aggressively
extend their market reach and penetration, without negatively impacting their operating margins,
to protect the bottom line.
This section describes a wide range of licensing strategies and models designed to provide end
users with greater value and additional options for purchasing software products. Using
206 Chapter 17: Sentinel LDK Licensing Models: Overview

Sentinel LDK’s versatile abilities, these strategies and models can be implemented immediately,
and can serve as the basis for elaboration and for creating new, tailor-made licensing models.

Sentinel LDK Licensing
Sentinel LDK offers a wide range of options and unprecedented flexibility for making and revising
both licensing and protection strategies. Virtually any licensing model can be created—supported
by the following fundamental Sentinel LDK concepts, technologies and applications:
n Protect Once—Deliver Many—Evolve Often™
The process of protecting software is completely autonomous of marketing and licensing
processes, so that after protection has been implemented, diverse licensed products can be
created without necessitating changes in the code.
n Cross-Locking™
Using Sentinel LDK, the software vendor can choose the device to which the protected
software and license are locked—either to one of the many hardware-based Sentinel HL
keys, or to a specific computer by means of a versatile software-based Sentinel SL key. The
required level of protection, the licensing model, and the manner in which the software will
be accessed and used collectively determine the most appropriate type of
Sentinel protection key. Locking the license to a hardware-based Sentinel HL key provides
the strongest security.
n Sentinel Remote Update System utility (RUS utility)
The RUS utility provides a simple and secure method of remotely updating the licenses on
deployed Sentinel protection keys. Using the RUS utility, software vendors can renew,
extend, revise or revoke a license.
n LicenseOnChip® and UpdateOnChip
When a license is supplied on a hardware-locked Sentinel HL key, the licensing logic is
embedded in the key’s chip, employing Sentinel LDK’s patented LicenseOnChip technology.
This practice ensures that licenses are hardware-secured and effectively tamper-proof.
Likewise, license updates are authenticated in the key’s chip.
n Role-based licensing application
Sentinel EMS is a role-based application in which access to each type of task is restricted to
authorized personnel. Restricted access provides separation of business activities from order
creation, license manufacture and customer follow-up.
n Versatile Implementation
Software protection can be implemented using the GUI-driven Sentinel LDK Envelope, the
Sentinel Licensing API, or a combination of both. The considerations for choosing a
protection method are provided in "Determining the Best Protection and Licensing
Method" on page 207.
n Detachable Licenses
A detachable license is available for Products that are locked to Sentinel SL keys in a
 Determining the Best Protection and Licensing Method 207

network environment. Such a license can be temporarily detached from the network pool
for use on a remote recipient machine for a defined period.

Determining the Best Protection and Licensing Method

Sentinel LDK offers two software protection methods that establish an inherent link between the
protected software, the license, and the intelligence contained in a specific Sentinel protection key.
n Envelope-based protection (automatic)
Sentinel LDK Envelope automatically wraps software in a protective shield and validates the
licensing terms. Sentinel LDK Envelope protection offers ease of use, short time-to-delivery,
and anti reverse-engineering features such as file encryption and anti-debugging. It is
suitable for protecting compiled executables and DLLs.
n API-based protection (automatic or customized)
Executables or specific functions are protected using Sentinel Licensing API calls that are
embedded in the software code. This protection method offers maximum flexibility, and
compatibility with a wide variety of development tools and operating systems. API-based
protection can be based on predefined Sentinel LDK functions and calls so that licensing
terms are validated automatically, or can apply a customized license validation mechanism
in order to implement specialized licensing models.
Most licensing models discussed in this book can be applied using either Envelope-based
protection or API-based protection. However, some specialized models require customized
implementation using the Sentinel Licensing API. Each licensing model notes the appropriate
method or methods.

To enhance the security of your application, when you choose an API-based protection
method, it is recommended that you also protect your application with Sentinel LDK
Envelope. You can do this using a dedicated Feature ID or with Feature ID 0, which is not
linked to a specific license.

For additional information, see "Chapter 9: Preparing Your Sentinel LDK Licensing Plan " on page
117.
For information on which important licensing functionality is supported by the various types of
protection keys, see "Protection Key Attributes" on page 47. This will assist you in determining
which types of protection keys can be used for the various licensing models described in this
section.

About This Section

This section describes a wide variety of licensing models, and provides guidelines for implementing
them using Sentinel LDK. The licensing models include:
n Evaluation licenses (trialware or demoware)
n Component-based licenses
n Metered licenses
208 Chapter 17: Sentinel LDK Licensing Models: Overview

n Locked licenses
n Mobile licenses
n Network licenses
n Sales-assisting licenses
n Perpetual licensing

This section provides an outline of how to use Sentinel LDK to implement the described
licensing models. For detailed instructions on how to protect and license your software,
refer to earlier sections in this book and to the integral help system included in each of the
Sentinel LDK applications.

How to Use the Licensing Models

Each licensing model in this section is introduced with a legend that describes the following:
n Sentinel LDK functionality—the Sentinel LDK functionality that enables creation of the
described licensing model
n Software distribution method—the available methods for software distribution when
using the described licensing model (physical package or electronic distribution)
n Applicable key types—the Sentinel protection keys that can be used to implement the
licensing model
n Protection method—the Sentinel LDK protection methods (Sentinel LDK Envelope or the
Sentinel Licensing API) that can be used to implement the licensing model
For example:

Sentinel LDK Manages the maximum number of software executions

Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
The legend is followed by:
n A short description of the licensing model
n Guidelines for implementation using Sentinel LDK
 18
Chapter 18:
Sentinel LDK Licensing Models:
Description of Models
This chapter provides a detailed description of the many types of licensing models that you can
define using Sentinel LDK.
In this chapter:

n "Evaluation Licensing Models" on page 210

n "Component-based Licensing Models" on page 215
n "Metered Licensing Models" on page 218
n "Locked License Models" on page 230
n "Mobile License Models" on page 234
n "Network License Models" on page 237
n "Sales Boosting Licensing Models" on page 245
n "Perpetual Licensing Models" on page 251
210 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Evaluation Licensing Models

Evaluation licensing models are marketing tools for the software publisher, providing potential
end users with the opportunity to test software without making a financial commitment. An
evaluation license can be based on fully-functional trialware or on semi-functional demoware. The
license can be limited by time or by executions.
When a potential end user subsequently decides to purchase the software, the software vendor
can offer any of the paid licensing models described in this book, with the appropriate key type
and locking type. The software vendor uses Sentinel EMS to create and produce the new license.
The evaluation license is then seamlessly converted to a purchased license at the end-user site,
using the RUS utility.
The evaluation licensing models described below are:
n "Trialware" on page 211
n "High-security Time-limited Evaluation" on page 212
n "Execution-limited Evaluation" on page 213
n "Demoware" on page 214
 Evaluation Licensing Models 211

Trialware
Sentinel LDK Creates a time-limited, software-based trialware license
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Trialware is fully functional software that is made available for a limited time period (between 1
and 90 days) as a marketing tool. The software is protected with a software-based license, so that
it can be distributed both electronically—for example, via a Web site, and on media such as a CD.
The time-limited trialware license does not use a dedicated Sentinel protection key and does not
require activation during the trial period. The license is linked to the machine on which the
trialware is installed. After the time period expires, the software can no longer run on that
machine. However, it can be installed on other machines, creating a super-distribution mechanism
when the trialware is referred to others.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create an Unlimited Trialware Product in Sentinel EMS, including the Feature IDs you
defined.
n Distribute your trialware with Sentinel LDK Run-time Environment.
n When a fully licensed product is purchased, provide the end user with the appropriate
Sentinel protection key programmed with the license.
212 Chapter 18: Sentinel LDK Licensing Models: Description of Models

High-security Time-limited Evaluation

Sentinel LDK Manages the period over which your software can be activated
Functionality
Software Distribution Physical package
Method
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except Sentinel
HL Basic
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The time-limited evaluation software is distributed, protected with a Sentinel HL key for maximum
security. Due to the extra cost of providing software with a hardware-based Sentinel HL key, this
evaluation method is suitable for high-end software or for software with a high evaluation-to-
purchase conversion rate.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create the evaluation Product in Sentinel EMS and define the expiration date for each
Feature ID included in the Product.
n Distribute the evaluation software with a Sentinel HL key programmed with the license.
n Create the licensed Product in Sentinel EMS and define the required licensing terms for
each Feature ID included in the Product.
n When a fully licensed product is purchased, update the Sentinel HL key using the RUS
utility.
 Evaluation Licensing Models 213

Execution-limited Evaluation
Sentinel LDK Manages the maximum number of software executions
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Evaluation software that is restricted to a predetermined number of executions. The evaluation

software can be distributed with a Sentinel SL key—for example, via a Web site or on a demo CD.
Alternatively, it can be distributed with a Sentinel HL key, providing maximum security.
Using a Sentinel HL key for evaluation purposes is usually applicable for high-end software or for
software with a high evaluation-to-purchase conversion rate.
When distributing the evaluation software with a Sentinel HL key, the type of key provided must
be compatible with the licensing model that will subsequently be applied to the paid license. For
example, if the paid license is a rental license, the key used must be a Sentinel HL Time or Sentinel
HL NetTime key or must be a Sentinel HL key that supports V-Clock.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create the evaluation Product in Sentinel EMS and define the permitted number of
executions for each Feature ID included in the Product.
n Distribute the evaluation software with a Sentinel protection key programmed with the
license.
n Create the licensed Product in Sentinel EMS, defining the licensing terms for each
Feature ID included in the Product.
n When the end user purchases a fully licensed product, update the Sentinel protection key
using the RUS utility.
214 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Demoware
Sentinel LDK Functionality Manages active and inactive software functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

The demo version of the software is limited to a subset of the functions provided in the fully
licensed product. Demoware can be distributed either with a Sentinel SL key (for example via a
Web site or on a demo CD), or with the superior protection of a Sentinel HL key.
Demoware provides prospective end users with limited software functionality, at no charge. Even
if the end user does not subsequently purchase the software, the demoware is not discarded,
serving as a constant reminder that more powerful functionality can be purchased, with your
brand name at the forefront.

When distributing the demoware with a Sentinel HL key, the type of key provided must be
compatible with the licensing model that will subsequently be applied to the paid license.
For example, if the paid license is a rental license, a Sentinel HL Time or Sentinel HL
NetTime key must be used or the key must support V-Clock.

Implementation

n Select the software functions that you want to license separately, and determine by which
Feature ID they will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Create two Products in Sentinel EMS:
o The demoware Product, including only those Feature IDs that are designated for
the demoware. Define a Permanent license for these Features.
o The fully licensed Product, including the full set of Feature IDs. Define the required
license terms for these Features.
n Envelope your software for additional security (optional).
n Distribute the demoware.
n When the end user purchases the software, send a Sentinel protection key programmed
with the full license.
 Component-based Licensing Models 215

Component-based Licensing Models

Often, software vendors do not want to sell all the software functionality as a single package,
preferring to mix and match components in order to create different offerings. Using Sentinel LDK,
software vendors have complete freedom to determine the granularity of licensed items, at the
level of a specific functionality or component, or at the level of an executable file.
The component-based licensing models described below are:
n "Module-based (Suites)" on page 216
n "Feature-based" on page 217
216 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Module-based (Suites)
Sentinel LDK Functionality Manages licensing of individual executables
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Each module (executable file) is licensed separately. Assorted software can be bundled into a suite,
including software from other software vendors. The license for the entire suite is supplied on a
single Sentinel protection key.

Implementation

n Select the executable files that you want to license separately, and determine by which
Feature ID they will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create one or more Products.
b. Include the required Feature IDs in each Product.
c. Define the appropriate license terms for each Feature—for example, the number of
executions, expiration date or concurrency.
n Distribute your software suite with the appropriate Sentinel protection key programmed
with the license.
 Component-based Licensing Models 217

Feature-based
Sentinel LDK Manages licensing of separate functional components
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

Software components or functionality are licensed separately, without necessitating changes in

the code. Feature-based licensing can be useful in many different scenarios.
n Example 1: Basic Software with Add-ons
Your basic software is provided with a perpetual license. Additional features are licensed
separately, and are available at a charge.
n Example 2: Software Levels
Different levels of your software are offered—for example, Student, Light, Standard, and
Professional versions. The protection method determines which components are active in
each version.
n Example 3: Customized Software
Your software is customized to display or hide functionality depending on the
requirements of different end users.
n Example 4: Skins or Themes
The end user is able to choose from a selection of skins or themes, or a user-specific
design is created and applied.

Implementation

n Select the software functions that you want to license separately, and determine by which
Feature ID they will be identified.
n In your code, insert a Sentinel Licensing API Login call to each Feature ID.
n In Sentinel EMS:
a. Create one or more Products.
b. Include the required Feature IDs in each Product.
c. Define the appropriate license terms for each Feature—for example, number of
executions, expiration date or concurrency.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
218 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Metered Licensing Models

In recent years, licensing models that are based on usage, rather than providing an end user with
ownership of the software, have become more prevalent. These models all apply some form of
metering, the most common of which are rental (time-based) and execution (counter-based)
metering. Some models require a prepaid fee, while others enable payment for each use. The
models in this section include:
n Rental packages—Time-limited rental, phased rental, micro-rental, subscription.
In this group of license models, the license is prepaid or paid on a monthly basis. When it
expires, the end user can only continue using your software by extending the license.
n Pre-paid execution-based packages—Standard counter and phased counter.
The license provides a prepaid number of executions. When these have been consumed,
the end user must purchase a new package of executions.
n Specialized packages—Capacity, pay-by-peak time, time-based overdraft, counter-based
overdraft.
The metered licensing models described below are:
n "Time-limited Rental" on page 219
n "Phased Rental" on page 220
n "Micro-rental" on page 221
n "Subscription" on page 222
n "Pay-by-Peak Time (Peak Time)" on page 224
n "Time-based Overdraft" on page 226
n "Standard Counter" on page 227
n "Phased Counter" on page 228
n "Capacity (CPU/Memory/Disk)" on page 229
 Metered Licensing Models 219

Time-limited Rental
Sentinel LDK Functionality Manages the time period over which your software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except
Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The end user pre-pays a fee for a specific period of time, either for a predetermined number of
days or terminating on a predetermined expiration date.
End users can monitor the remaining time using Sentinel Admin Control Center, and can order a
license renewal before the license expires. License renewal is implemented using the RUS utility.

You can also specify a licensing period that is shorter than one day, as described in "Micro-
rental" on page 221.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define either an
expiration date or the number of days until expiration.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Renew the license remotely using the RUS utility.
220 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Phased Rental
Sentinel LDK Functionality Manages the time period over which your software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except
Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The end user pays a monthly fee, with a phased pricing structure, which can be associated with an
entire product or a specific functionality. The transition from one phase to another is
implemented using the RUS utility.
n Phase 1: A fraction of the regular usage price is charged (micro-payment) for a limited
period of time. This provides an incentive for the end user to enter into a rental
agreement for use of the software. If payment is not received for Phase 2, the license
expires at the end of the defined time period.
n Phase 2: The full monthly rental price is charged, for an indefinite time period.

Implementation

n Select the executable file or software functions that you want to license, and determine by
which Feature ID each file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set the time limit for a specific functionality, apply API-based automatic
implementation. To set the time limit for an executable file, apply either Sentinel LDK
Envelope-based or Sentinel Licensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define an expiration
date or the number of days until expiration of Phase 1.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Subject to receiving payment for Phase 2 from the user, extend the license remotely using
the RUS utility.
 Metered Licensing Models 221

Micro-rental
Sentinel LDK Manages the time period over which your software can be used
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except Sentinel HL
Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

The end user purchases a predefined number of “usage hours.” When the hours are consumed, a
new package of hours is purchased.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine what constitutes “active” for the purpose of counting usage and define this in
your code, for example:
o Your software window is focused and activity is detected.
o Your software is active, performing calculations, even if the window is not focused.
n In Sentinel EMS, in the Protection Key memory, define the total number of software
activity hours that has been purchased.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
a. Calculate the accumulated active time.
b. Write the result to the Protection Key memory.
c. Verify that the accumulated time has not exceeded the number of purchased
hours.
d. When the number of purchased hours is about to expire, display a warning
message.
n When payment is received for additional usage, renew the license remotely using the RUS
utility.
222 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Subscription
Sentinel LDK Functionality Creates an unconditional license that can be updated remotely
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except Sentinel
HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The end user pays a monthly subscription fee that covers the initial software package plus
periodical updates. If the end user does not renew the subscription, the basic package and all paid
updates remain the property of the end user. New updates are not provided.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select the protection method for your software:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID for your initial software and
define a perpetual license for the Feature.
n Create a component in your software that manages the installation of software updates,
and assign it a Feature ID. Select and implement your protection method for that
component (Sentinel LDK Envelope or Sentinel Licensing API-based).
n In Sentinel EMS, create a Product that includes the Feature ID for the update-installation
component and define an expiration date for that Feature.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n During the subscription period, use the RUS utility to send updates to the subscriber. The
updates are handled by the update-installation component in your software. Optionally,
use Sentinel LDK to encrypt the update files so that the Sentinel protection key is required
to decrypt them.
 Metered Licensing Models 223

n Continue sending updates as long as the end user’s subscription is valid.

n When the end user renews the subscription, use the RUS utility to update the expiration
date for the update-installation component’s license.
224 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Pay-by-Peak Time (Peak Time)

Sentinel LDK Functionality Compares a value in the Protection Key memory with a value
collected during run-time
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except Sentinel
HL Basic
n Sentinel SL
Protection Method API-based automatic implementation
Description

The end user purchases a predefined number of “usage units”. Differential charging is calculated
according to the hour of the day or the day of the week in which your software is used. When
your software is used at peak demand time, more “usage units” are consumed than at low
demand time. This type of license might be applicable in an environment such as a learning
facility, in order to encourage students to use resources at low demand time.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine what constitutes “active” for the purpose of calculating usage and define this
in your code, for example:
o Your software window is focused and activity is detected.
o Your software is active, performing calculations, even if the window is not focused.
n In Sentinel EMS, in the Protection Key memory, define the total number of “usage units”
that has been purchased and the pricing structure (number of “usage units” for each time
unit and each rate).
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
a. Calculate the accumulated active time for each separate rate.
b. Calculate the total number of “usage units” consumed.
c. Write the result to the Protection Key memory.
 Metered Licensing Models 225

d. Verify that the accumulated consumption has not exceeded the total number of
“usage units” defined in the Protection Key memory.
e. When the “usage units” are about to expire, display a warning message.
n Using the RUS utility, replenish the pool of “usage units” when the license is renewed.
226 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Time-based Overdraft
Sentinel LDK Functionality Manages the time period over which software can be used
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Time
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except
Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

A differential pricing structure is implemented, in which a nominal price is charged for use of your
software until a defined expiration date. Following expiration, a higher price may be charged for a
limited period, to enable the end user to continue using your software until the license is
renewed.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define either an
expiration date or the number of days until expiration. Include both the regular usage
period and the overdraft period in the time that you define.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API and the key’s built-in clock:
o Calculate the time period.
o When the regular usage period terminates, display a message informing the end
user that the usage is now subject to overdraft terms and state the expiration date
of the overdraft period.
o When the end user renews the license, billing includes payment for the overdraft
usage in addition to the license renewal.
o After payment has been received, renew the license remotely using the RUS utility.
 Metered Licensing Models 227

Standard Counter
Sentinel LDK Functionality Manages the maximum number of software executions
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The end user purchases a predefined number of software executions, which can be defined for
your software or for specific functionality. A counter-based license might appeal to end users who
use your software or a software functionality sporadically, and prefer to pay only when they
actually run your software or use the functionality.
End users can monitor the remaining executions using Sentinel Admin Control Center, and can
order a license renewal before the license expires. The license renewal is implemented using the
RUS utility.

Implementation

n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set a counter for a specific functionality, apply API-based automatic implementation. To

set a counter for an executable file, apply either Sentinel LDK Envelope-based or Sentinel
Licensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number of
executions.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Renew the license remotely using the RUS utility.
228 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Phased Counter
Sentinel LDK Functionality Manages the maximum number of software executions
Software Distribution Method n Physical package
n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The end user purchases a predefined number of software executions, which can be associated
with all of your software or a specific functionality. The pricing structure is phased, and the
transition from one phase to another is implemented using the RUS utility.
n Phase 1: For a limited number of executions, the end user pays a fraction of the regular
usage price (micro-payment). This provides an incentive for the end user to start
purchasing executions. If payment is not received for Phase 2, the license expires when
these executions have been consumed.
n Phase 2: The end user pays the regular price for each software execution.

Implementation

n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.

To set a counter for a specific functionality, apply API-based automatic implementation. To

set a counter for an executable file, apply either Sentinel LDK Envelope-based or Sentinel
Licensing API-based automatic implementation.

n In Sentinel EMS, create a Product that includes the Feature ID and define the number of
executions included in Phase 1.
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Subject to receiving payment for Phase 2 from the end user, replenish the number of
executions remotely using the RUS utility.
 Metered Licensing Models 229

Capacity (CPU/Memory/Disk)
Sentinel LDK Functionality Manages resource usage
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

License consumption depends on utilization of resources—for example, CPU usage or disk space.
The more resources the end user consumes, the sooner the license runs out. This type of license
might be applicable in an environment such as a learning facility, in order to limit the resources
consumed by students.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n Determine the parameters for calculating software usage, and define them in your code,
for example:
o CPU activity related to your software.
o Disk space usage each time a file is saved from your software.
n In Sentinel EMS, create a Product that includes the Feature ID and define the license
terms—for instance, a perpetual license or a time-limited license.
n In Sentinel EMS, in the Protection Key memory, define the capacity that has been
purchased.
n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license.
n Using the Sentinel Licensing API:
a. Calculate the accumulated usage.
b. Write the result to the Protection Key memory.
c. Verify that the accumulated usage has not exceeded the purchased capacity.
d. When purchased capacity has almost expired, display a warning message.
n When payment is received for additional usage, renew the license remotely using the RUS
utility.
230 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Locked License Models

A locked license is limited to usage on a specific machine or by a specific end user.
The locked license models described below are:
n "Machine-locked" on page 231
n "User-locked" on page 232
 Locked License Models 231

Machine-locked
Sentinel LDK Creates an activation key that is locked to a specific machine
Functionality
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

The license can only be used on the machine on which it was installed. A machine-locked license
can be combined with any of the licensing models in this book.
Implementation 1—Locking to a Sentinel SL key

This model is applicable when a Sentinel SL key provides sufficient security for your needs.
n Select and implement the required licensing model.
n Distribute your software using a Sentinel SL key. Sentinel SL keys are always locked to a
specific machine.
Implementation 2—Combined locking to both a Sentinel SL key and a Sentinel HL key

This model is applicable when you want to lock your software to a Sentinel HL key for enhanced
security, and also wants to use a Sentinel SL key to lock your software to a specific machine. The
Sentinel SL key will require remote activation.
n Select the executable file that you want to license, and determine two Feature IDs by
which it will be identified. One Feature ID will be used to lock the license to the Sentinel HL
key, and the other to lock the license to the Sentinel SL key and the machine.
n Select your protection method:
o For combined Envelope-based and API-based automatic implementation
Protect the executable file using Sentinel LDK Envelope , specifying one of the
Feature IDs. In your code, insert a Sentinel Licensing API Login call to other
Feature ID.
o For API-based automatic implementation
In your code, insert Sentinel Licensing API Login calls to both Feature IDs.
n In Sentinel EMS, create two Products, one for each Feature ID. Define the license terms for
both Products—for example, a counter-based license or a time-limited license.
n Burn a Sentinel HL key for one of the Products and create a Sentinel SL Product Key for
the other Product.
n Distribute your software with both Sentinel protection keys.
232 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Implementation 3—Locking to a Sentinel HL key

This model is applicable when you want to lock the license to both a machine and a Sentinel HL
key—but for security reasons, the end user will not be able to activate a Sentinel SL key online.
This implementation requires a utility to be written that will collect the required identifiers from
the machine before or during installation of your software, and subsequently every time your
software is run. The initial identifiers are saved in the read-only memory of the protection key,
and the run-time identifiers are written to the read/write memory on the Sentinel HL key and
validated against the initial identifiers.

It is recommended that you contact SafeNet Sentinel Professional Services for a detailed
implementation plan.

User-locked
Sentinel LDK Compares end user data saved in the Protection Key memory with a
Functionality value collected during run-time
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

The license can only be run by a specific logged-in end user. A user-locked license ensures that
only an entitled end user can activate your software. This model can be particularly useful when
your software resides on a server, or is activated by a remote end user. A user-locked license can
be combined with any of the licensing models in this book.

Implementation

Select and implement the required licensing model, and distribute your software with the
appropriate Sentinel protection key programmed with the license.
There are two ways to lock the key to a specific end user:
n Option 1: Predefined locking
Identification is based on the login user name defined in the operating system. Predefined
locking enables a number of authorized end users to access your software residing on a
single machine.
o When a license is purchased, request the login user name of the end user for whom
the license is intended.
o Use Sentinel EMS to save the user name to the Read-Only memory of a
Sentinel protection key.
 Locked License Models 233

o During run-time, read the user name from the machine, and use the Sentinel
Licensing API to validate it against the user name saved on the Sentinel protection
key.
n Option 2: Password locking
During installation, the end user defines a user name and password, which are later
required in order to log in to your software. Password locking is less convenient for an end
user, but provides extra security. When a Sentinel HL key is used, your software can be
installed on more than one computer, but can only be accessed when the Sentinel HL key is
connected.
o During installation, request the end user to define a user name and password.
o Use the Sentinel Licensing API to save the data to the Read/Write memory on the
Sentinel HL key.
o During run-time, require the end user to log in, and validate the user name and
password against the data saved on the Sentinel protection key.
234 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Mobile License Models

Many software vendors are looking for ways in which they can accommodate the growing trend
towards a mobile workforce. The models in this section provide options for mobile licenses.
The mobile license models described below are:
n "Portable" on page 235
n "Commuter" on page 235
n "Software on a Key" on page 236
 Mobile License Models 235

Portable
Sentinel LDK Functionality Locks the license to a hardware-based Sentinel HL key
Software Distribution Physical package
Method
Applicable Key Types All Sentinel HL keys
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Your software can be installed on any number of machines, providing flexibility, but can only run
on the machine to which the Sentinel HL key is connected.

Implementation

n Select and implement the required licensing model.

n Distribute your software with the appropriate Sentinel HL key, programmed with the
license.

Commuter
Sentinel LDK Functionality Enables a network-based license to be detached to a separate
machine while locked to a Sentinel SL key
Software Distribution Electronic distribution
Method
Applicable Key Types Sentinel SL Net
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

A license can be temporarily detached from a network pool—using Sentinel Admin Control

Center—to enable off-line use of your software. For example, when employees leave the office to
work off site, they can take their laptops with them and continue using the protected software
locally.
Implementation

n Select and implement the network concurrency licensing model, ensuring that the license
can be locked to a Sentinel SL key and that detachable licenses are enabled.
n Distribute your software with a Sentinel SL key, ensuring that the system administrator at
your end-user site knows how to permit and manage detachable licenses.
n If the employee requires the detached license for less time than originally planned, the
license can be manually returned to the network pool before its expiration date.
236 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Software on a Key
Sentinel LDK Functionality Locks the license to a Sentinel HL Drive key that also contains your
software
Software Distribution Physical package
Method
Applicable Key Types Sentinel HL Drive
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Both your software and the license are stored on a Sentinel HL Drive key, providing maximal
mobility. The Sentinel HL Drive key contains 2 GB or 4 GB of flash memory in addition to the
license data memory, enabling all of your software to reside on the key. This method is applicable
for software that can be run from an external key without necessitating installation on a hard disk.
This method can be applied to all license models for which a hardware-based key is used. For
software that requires a time-based license or concurrency, the key must use the Driverless
configuration.

Implementation

n Select and implement the required licensing model.

n Distribute your software on a Sentinel HL Drive key, together with the software’s license.
 Network License Models 237

Network License Models

Network licenses are designed for a network environment, in which the vendor’s software is run
by multiple end users or on multiple workstations. In such an environment, a single
Sentinel protection key can be used to protect and monitor usage of the vendor’s software across
the network. Network licenses can be implemented in conjunction with other licensing models
such as component-based or metering. A network license can be concurrency-based, site-specific,
or both.
The network license models described below are:
n "Limited Concurrent End Users in a Network" on page 238
n "Time-limited Concurrent End Users in a Network" on page 239
n "Execution-limited Concurrent End Users in a Network" on page 241
n "Volume" on page 243
n "Site" on page 244
238 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Limited Concurrent End Users in a Network

Sentinel LDK Functionality Manages the number of concurrent software end users
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n Sentinel HL Net
n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except
Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

A concurrency-limited network license limits the number of end users concurrently accessing the
licensed application in a network environment, preventing additional activations and unintentional
piracy if the maximum number of allowed concurrent licenses has been reached. The same license
can be used by more than one end user or workstation, so long as the total number of users
remains within the concurrency limit.
Sentinel Admin Control Center provides the end users’ system administrator with the tools to
track license users, and to terminate an inactive session.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID the
file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the license type as
Perpetual.
b. Set the concurrency counter to the required maximum number of concurrent
licenses, and determine whether concurrent instances will be counted for each
station, each login or each process.

Tip:
You can specify the number and type of concurrent instances each time a
specific order is created. This enables you to use the same Product to produce
more than one license, each with a different number of seats.

n Distribute your software with a Sentinel protection key programmed with the license.
 Network License Models 239

Time-limited Concurrent End Users in a Network

Sentinel LDK Manages the number of concurrent software end users in a network and the
Functionality time period over which your software can be used
Software n Physical package
Distribution n Electronic distribution
Method
Applicable Key n Sentinel HL NetTime
Types n All Sentinel HL (Driverless configuration) keys except Sentinel HL Basic
n Sentinel SL
Protection n Envelope-based automatic implementation
Method n API-based automatic implementation

Description

A combined concurrency- and time-limited network license restricts both the number of end users
concurrently accessing the licensed application in a network environment and the period during
which the license is valid. The same license can be used by more than one end user or machine,
so long as the total number of users remains within the concurrency limit.
Sentinel Admin Control Center provides the end user’s system administrator with the tools to
track license users, and to terminate an unused session.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the expiration date or
number of days until expiration.
b. Set the concurrency counter to the required maximum number of concurrent
licenses, and determine whether concurrent instances will be counted for each
station, each login or each process.

Tip
You can specify the number and type of concurrent instances each time a
specific order is created. This enables you to use the same Product to produce
more than one license, each with a different number of seats.
240 Chapter 18: Sentinel LDK Licensing Models: Description of Models

n Distribute your software with the appropriate network-based Sentinel protection key

programmed with the license.
 Network License Models 241

Execution-limited Concurrent End Users in a Network

Sentinel LDK Manages the number of concurrent software end users in a network and
Functionality the maximum number of software executions
Software n Physical package
Distribution n Electronic distribution
Method
Applicable Key n Sentinel HL Net
Types n Sentinel HL NetTime
n All Sentinel HL (Driverless configuration) keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

A combined concurrency- and execution-limited network license restricts both the number of end
users concurrently accessing the licensed application in a network environment and the total
number of executions for each license. The same license can be used by more than one end user
or machine, so long as the total number of users remains within the concurrency limit. The
number of executions is calculated across the network, regardless of which end user runs your
software or on which machine it is run.
Sentinel Admin Control Center provides the end users’ system administrator with the tools to
track license users, and to terminate an unused session.

Implementation

n Select the executable file or software function that you want to license, and determine by
which Feature ID the file or function will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.

If your protection method is feature-based, apply API-based automatic

implementation; if your protection method is for each executable file, you can
apply either Sentinel LDK Envelope-based or Sentinel Licensing API-based
automatic implementation.
242 Chapter 18: Sentinel LDK Licensing Models: Description of Models

n In Sentinel EMS:
a. Create a Product that includes the Feature ID, and define the maximum number of
executions.
b. Set the concurrency counter to the required number of concurrent licenses, and
determine whether the concurrent instances will be counted for each station, each
login or each process.
n Distribute your software with the appropriate network-based Sentinel protection key
programmed with the license.
 Network License Models 243

Volume
Sentinel LDK Functionality Enables a network-based license to be detached to a separate
machine while locked to a Sentinel SL key
Software Distribution Electronic distribution
Method
Applicable Key Types Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

A volume license enables you to sell a pool of licenses to an organization, without requiring
product activation on every machine, while still enforcing the maximum number of installed
workstations.
A license can be temporarily detached from the network pool to enable off-line use of your
software. In this case, a client machine periodically detaches a time-limited license at predefined
intervals—transparently to the end user. The license is installed locally and remains usable even if
the network connectivity is lost, as long as the detachment is still valid.

Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that contains the Feature ID used in the protection
phase of the implementation. Ensure that the license terms enable network concurrency,
locking to a Sentinel SL key, and detachable licenses.
n Distribute your software with a Sentinel SL key for network use, ensuring that the system
administrator at your end-user site knows how to permit and manage detachable
licenses.
n Using the Sentinel Licensing API, implement the license’s detachment in the protected
application. You may wish to let the customer organization decide the detached license
period and renewal intervals.
244 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Site
Sentinel LDK Functionality Locks the license to a specific domain, network, or subnet
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

A site license is a license that is locked to a specific domain, network, or subnet. A site license can
be combined with any of the licensing models in this book.

Implementation

n Select and implement the required licensing model.

n Envelope your software for additional security (optional).
n Distribute your software using the appropriate Sentinel protection key.
n To lock the Sentinel protection key to the license, collect the site identifier (domain,
subnet or network) from the customer. An identification value is written to the
Sentinel protection key. The application then validates the identifier every time your
software runs.
n There are two ways in which you can collect site-specific data and save it on the
Sentinel protection key:
o Option 1: Site identifier collected prior to installation
Provides more security, but is less convenient for the customer.
When a license is purchased, send the customer a utility that collects the required
site identifier from the customer.
Use Sentinel EMS to save the identification value to the Read-Only memory of the
Sentinel protection key.
o Option 2: Site identifier collected during installation
Requires less interaction with the customer, but is less secure.
During installation, collect the site identifier from the machine on which your
software is installed.
Use the Sentinel Licensing API to verify that there is no existing site identifier saved
in the Read/Write memory on the Sentinel protection key.
If the memory does not contain an existing site identifier, save the value to the
Read/Write memory on the Sentinel protection key.
n During run-time, read the site identifier, and use Sentinel Licensing API to validate it
against the identification value saved on the Sentinel protection key.
 Sales Boosting Licensing Models 245

Sales Boosting Licensing Models

The sales boosting licensing models described below are:
n "KickStart (Quick-delivery Grace)" on page 246
n "Referral-based Sales" on page 247
n "Automatic Sales Agent" on page 249
246 Chapter 18: Sentinel LDK Licensing Models: Description of Models

KickStart (Quick-delivery Grace)

Sentinel LDK Functionality Grants a grace period to use software until key is delivered
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

Locking a license to a Sentinel HL key provides a higher level of security than locking to a
Sentinel SL key, but delivery of the Sentinel HL key to an end user can take time. This model
enables you to electronically supply your software with a quick-delivery license locked to a
Sentinel SL (software) key (“KickStart license”) as soon as an order is processed. For increased
protection, you may choose to limit some software functions in the KickStart license.
The KickStart license can be used as part of a two-phased sales model:
n Phase 1: The end user purchases your software, and a 30-day KickStart license with
limited functionality is supplied electronically.

The KickStart license can be defined for any period between 1 and 90 days.

n Phase 2: The Sentinel HL key, programmed with the full license (the “final” license), is
delivered within 30 days. The end user replaces the KickStart license with the full license,
using the RUS utility.
The KickStart license also serves as a super-distribution mechanism, since it will run for the grace
period on any computer on which it is installed.

Implementation

n Determine which global Feature ID you will use for the KickStart license.
n Select the software functions that you want to include only in the full license, and
determine by which Feature IDs each function will be identified.
n Select a protection method and do one of the following:
For Envelope-based automatic implementation:

n Determine which global Feature ID you will use for the full license.
n Create two executable files, one with limited functionality for the KickStart license, and the
other with full functionality for the full license.
n Envelope each executable file separately, using the global Feature IDs you defined for the
KickStart and full licenses respectively.
 Sales Boosting Licensing Models 247

For API-based automatic implementation:

n In your code, insert a Sentinel Licensing API Login call to the global Feature ID for the
KickStart license.
n In your code, for each software function you want to include only in the full license, insert
Sentinel Licensing API Login calls to the appropriate Feature IDs.
In Sentinel EMS:

n Create a Product that includes the global Feature ID for the KickStart license.
n Select the Trialware/Unlocked Product attribute.
n Distribute your software with Sentinel LDK Run-time Environment. Your software can run
for a grace period of 30 days and can be installed on any other computer, for a 30-day
period, as a super-distribution mechanism.
In Sentinel EMS:

n Create a Product that includes the full license Feature IDs.

n Define appropriate license terms for each Feature.

If the full license is based on a metered licensing model, metering will commence only
when the full license is activated and not during the grace period.

n Distribute your software with a Sentinel protection key programmed with the full license.

Referral-based Sales
Sentinel LDK Functionality Creates an Unlocked Trialware Product that allows for unrestricted
distribution of the protected software
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation

Description

A bonus mechanism that encourages end users to serve as “promoters” for software they find
useful. When an end user refers software to someone and a purchase is made based on that
referral, you give a bonus to the referrer.
This model requires the creation of two vendor mechanisms:
n User data collection mechanism—You maintain an end-user database in which registered
software owners (referrers) are linked to potential users to whom the software was
referred (referees). Data for the database can be sent to you by either the referrer or the
248 Chapter 18: Sentinel LDK Licensing Models: Description of Models

referee, using a variety of data collection mechanisms. For example, data can be collected
via a form displayed during software activation or on a Web site.
n Bonus-granting mechanism—When the software is purchased, your end-user database is
queried. If the purchase was made as the result of a referral, the referrer receives a bonus
from you.
The following implementation guidelines describe how to set up the referral-based sales model,
based on:
n Using trialware as the evaluation mechanism.
n Distributing the purchased software with a software-based Sentinel SL key.
n Collecting information from the referee during software activation.

Implementation

n Create a trialware version of your software.

n End users who have already purchased your software send the trialware to other
potential users.
n When a new user purchases your software—as part of your software activation process
using Sentinel LDK functionality—prompt the new user to provide you with the name and
contact information of the end user who referred your software to them.
n Reward the referrer.

This is a typical implementation, however, the referral-based sales model can also be
applied to other licensing models, including those models that use a hardware-based
Sentinel HL key.
 Sales Boosting Licensing Models 249

Automatic Sales Agent

Sentinel LDK Functionality Manages module usage
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys except Sentinel HL Basic
n Sentinel SL
Protection Method API-based automatic implementation

Description

When an end user purchases a subset of software modules, the sales staff is often requested to
follow up the purchase and to interest the user in additional modules. With Sentinel LDK, your
software can serve as its own automatic sales agent, providing the end user with the ability to
work with additional modules and encouraging purchase of any modules that are identified as
being of interest to the end user. This model consists of a number of phases:
n Phase 1: The end user purchases a subset of software modules. You supply a license that
includes the option to install additional bonus modules so that the user can experiment
with them.
n Phase 2: The end user uses your software, including the bonus modules. Behind the
scenes, your software monitors and evaluates usage of the bonus modules.
n Phase 3: Once the usage threshold of a monitored module has been reached, the module
is considered “of value” and Sentinel LDK progressively restricts usage of that module.
Concurrently, the Automatic Sales Agent comes into effect, issuing pop-up messages
encouraging the end user to purchase the module.
n Phase 4: When an end user purchases a license for an additional module, the license is
seamlessly upgraded at the end-user site, using the RUS utility, and the relevant bonus
modules are changed to fully paid modules.

Implementation

n Determine which Feature ID you will use for global protection of your software.
n Select the modules that you want to license separately, and determine by which
Feature ID each of the modules will be identified.
n In your code, insert Sentinel Licensing API Login calls to all Feature IDs.
n In Sentinel EMS, create a Product that includes only the global software Feature ID and
define the license terms.
n Determine the parameters for gauging module usage, and define them in your code, for
example:
o The number of times a monitored module has been activated during a time period
o The accumulated usage time of a monitored module
o The number of clicks on an item in the user interface
250 Chapter 18: Sentinel LDK Licensing Models: Description of Models

n In Sentinel EMS, in the Protection Key memory, define the usage threshold.

n Envelope your software for additional security (optional).
n Distribute your software with the appropriate Sentinel protection key programmed with
the license for the initial purchase, not including licenses for the bonus modules.
n Using the Sentinel Licensing API:
a. Calculate the accumulated usage of the gauging parameters.
b. Write the result to the Protection Key memory.
c. Compare the accumulated usage with the defined threshold.
When usage of a bonus module passes the threshold, begin to implement the restrictions,
for example:
o Progressively slow down the speed of the module as the time passes or as usage
increases
o Progressively increase the number of Automatic Sales Agent pop-up messages as the
time passes or as usage increases
o Prevent the module from saving a snapshot of work that has been done
n In Sentinel EMS, create a Product that includes both the global software Feature ID and
the Feature ID for the module identified as being sellable, and define the license terms.
n When the end user decides to purchase a license for a bonus module, update the license
on the Sentinel protection key to include the purchased module, using the RUS utility.
 Perpetual Licensing Models 251

Perpetual Licensing Models

The perpetual licensing models described below are:
n "Standard Perpetual Licensing model" on page 252
n "Perpetual Unlocked Licensing Model" on page 253
252 Chapter 18: Sentinel LDK Licensing Models: Description of Models

Standard Perpetual Licensing model

Sentinel LDK Functionality Creates an unconditional license
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n All Sentinel HL keys
n Sentinel SL
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description

The traditional perpetual, unlimited licensing model can serve as a basis for other, more creative
marketing strategies, for example:
n Your software is initially supplied with a perpetual license. The end user purchases
additional modules as required.
n The initial release is supplied with a perpetual license. More sophisticated licensing models
are implemented with future releases.
n A limited license (“bronze”) is converted to a perpetual license (“gold”) for additional
payment.
Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create a Product that includes the Feature ID and define a perpetual
license for the Feature.
n Use the RUS utility to update a license currently held by the end user with the new
license.
 Perpetual Licensing Models 253

Perpetual Unlocked Licensing Model

Sentinel LDK Functionality Creates an unconditional unlocked license
Software Distribution n Physical package
Method n Electronic distribution
Applicable Key Types n None
Protection Method n Envelope-based automatic implementation
n API-based automatic implementation
Description

An unlocked license is different from all other license types. Your application is protected against
disassembly and modification, but the license is not locked to a specific computer, and no
licensing restrictions are applied.
This type of license is applicable for any of the following situations:
n You want to distribute the software as an Unlocked Product with no time limit (or with an
extended time limit). For example, you may want to allow users to access basic
functionality as long as they want, with the option to buy an upgrade later to access
advanced functionality.
n You want to use a licensing system other than Sentinel LDK.
n Licensing is not an issue. For example, you are distributing medical equipment with
embedded software. Since the software is specific to your equipment, you are not
concerned about the possibility of duplication of the software.
Implementation

n Select the executable file that you want to license, and determine by which Feature ID it
will be identified.
n Select your protection method:
o Envelope-based automatic implementation
Protect the executable file using Sentinel LDK Envelope, specifying its Feature ID.
o API-based automatic implementation
In your code, insert a Sentinel Licensing API Login call to the Feature ID.
n In Sentinel EMS, create an Unlocked Product (Perpetual) that includes the Feature IDs that
you want to include in the unlocked license.
 PART 6 - APPENDICES
In this section:

n "Appendix A: Understanding the Sentinel LDK Master Key Licenses" on page 257

Describes the license modules that are available to software vendors on the Sentinel
Master key.
n "Appendix B: Sentinel LDK Run-time Network Activity" on page 267
Describes the type of network activity that occurs in the communication between the
Sentinel License Manager and a protected application, and between the local
Sentinel License Manager and remote Sentinel License Managers.
n "Appendix C: Maximum Number of Features in a Sentinel HL Key" on page 271
Describes considerations that determine the maximum number of Features that can be
contained in a Sentinel HL key.
n "Appendix D: How Sentinel LDK Detects Machine Cloning" on page 273
Describes the techniques employed by Sentinel LDK to prevent unauthorized use of
protected software when the virtual machine on which the software is installed is cloned.
n "Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock" on page
279
Describes the technology used in Sentinel LDK to prevent a user from extending the
duration of a software license that is locked to a Sentinel SL key.
n "Appendix F: How to Bundle Unlocked Products Manually" on page 283
Describes how you can bundle Unlocked Products for distribution without using Sentinel
EMS.
256 Sentinel LDK Software Licensing and Protection Guide

n "Appendix G: How to Optimize Performance for Sentinel LDK Run-time Environment"

on page 285
Describes how you can optimize the performance in the Sentinel LDKRun-time
Environment
n "Appendix H: Upgrading Sentinel HL Keys" on page 287
Describes how you can upgrade a Sentinel HL (HASP configuration) key to a Sentinel HL
(Driverless configuration) key or convert a Sentinel HL standalone key to a network key.
n "Appendix I: How to Make Product Names Visible on the End User's Machine" on
page 293
Describes how you can make Product names visible in Admin Control Center when a
Sentinel HL key is moved from one machine to another.
n "Appendix J: Troubleshooting" on page 295
Provides a checklist to help you solve some of the most common problems that your
customers might encounter when using the Sentinel HL keys. Also includes a list of
specific problems you or your customers may experience, together with the solutions.
 A
Appendix A:
Understanding the Sentinel LDK
Master Key Licenses
This appendix describes the SafeNet Sentinel LDK model for the Master Key licenses. Its purpose is
to assist you in understanding how your Master Key licenses from SafeNet are implemented, and
how to make decisions about your license update requirements. (For more information on the
Master key, see "Sentinel Vendor Keys" on page 44.)
The Sentinel LDK licensing model includes the following components:
n Product Activation module
n New SL Key Pool
n Network seats (SL Pool of Seats, HL Pool of Seats)
n Value of Unlimited Seats
n Unlocked Trialware module
n Unlocked Unlimited module
n V-Clock module
n AppOnChip module
n Advanced Data Protection module
n Reporting module
The components that you purchase depend on your specific requirements and whether you have
an in-house Sentinel EMS installation, or you utilize Sentinel Managed Services.

To view information regarding your Master key in Sentinel EMS, see "Maintaining Sentinel
Master Keys" on page 163.

In this appendix:

n "Licensing Concepts" on page 258

n "Product Activation Module" on page 259
n "New SL Key Pool" on page 259
258 Appendix A: Understanding the Sentinel LDK Master Key Licenses

n "Network Seats" on page 260

n "Unlocked Trialware Module" on page 263
n "Unlocked Unlimited Module" on page 263
n "V-Clock Module" on page 264
n "AppOnChip Module" on page 264
n "Advanced Data File Protection Module" on page 264
n "Reporting Module" on page 265

Licensing Concepts
In the descriptions of the Master Key licenses model, the following concepts are used:
n Unlocked Trialware Product: A Product that can be used as trialware, or during a grace
period. Unlocked Trialware Products do not require a locking type, since they can be
activated and used for a limited period without a Sentinel protection key. Unlocked
Trialware Products have a maximum duration of 90 days. This period can be set to begin
either from the date of first use of the application or from the date that the license was
generated. (The Unlocked Trialware Product was formerly referred to as a Provisional
Product.)
n Unlocked Unlimited Product: A Product that does not lock a protected application to a
specific machine and does not necessarily impose any licensing restrictions on the use of
the protected application. (The Product can be granted a perpetual license or can be
limited to any length of time that you choose.) With this license type, the vendor can use
Sentinel LDK to protect the application, but can use a different mechanism to license the
application (or can impose no license restrictions on the application).
n Activation: The process in which the license for an Sentinel LDK Unlocked Trialware
Product is converted to a locked, computer-specific license. Following Activation, the
protected software can be used on the end user's computer according to the license that
was installed during the Activation process.
n Concurrency: A licensing attribute that can be specified to allow a single protection key on
a computer in a network to be used by one or more instances of a protected application
running on different computers in the network.
Concurrency is defined separately for each Feature in a Product.
Each instance of the protected application that can be used simultaneously is referred to
as a network seat (or a floating license).
Network seats are not assigned to specific users. Instead, the concurrency attributes
specify how many instances (network seats) of the Feature in protected application can be
used simultaneously within the customer’s network. The customer purchases a specific
number (or an unlimited number) of network seats.
 Product Activation Module 259

For example: A customer purchases 10 network seats for the Basic Feature and 5 network
seats for the Advanced Tools Feature for a protected application. As a result, 10 end users
can run the application and use the Basic Feature simultaneously. 5 of these users can
also use the Advanced Tools Feature simultaneously. All the users must be part of the
network where the protection key is located.
Management of the license in the network is controlled using the Sentinel License
Manager.
For more information about concurrency, see "Specifying the License Terms for Features
in a Product" on page 133.

Product Activation Module

Sentinel LDK provides a mechanism to easily perform interactive update to licenses on an end
user’s machine. This is accomplished by generating a Product Key for an entitlement in Sentinel
EMS and providing this code to the end user. The end user accesses the Sentinel EMS Customer
Portal over the Internet and enters the Product Key. Sentinel EMS then retrieves the necessary
information about the end user’s machine or existing license and completes the process to update
the license on the user’s machine. (This process can also be accomplished in program code using
Sentinel EMS Web Services.)
This mechanism is typically used to activate an application on the end user’s machine (that is, to
lock an SL key for the application to the machine), although the mechanism can be used for other
types of license updates.
To use the Product Key mechanism to update an SL key, you must have the Product Activation
module on your Master key. The Product Activation module is either perpetual or issued for a
limited time period. This depends on your purchase plan or subscription plan for Sentinel LDK. For
more information, consult with your SafeNet sales representative.
The Product Activation module is not required if you only want to use the Product Key
mechanism to update HL keys.

New SL Key Pool

Each time a new SL key is created for a given machine at a customer site, an SL key is consumed
from the New SL Key Pool on the Master key.
A new SL key is created in these situations:
n A Product Key for your software is submitted by an end user for the first time for a given
machine. End users can submit a Product Key online, or they can request and receive an
activation file to apply manually.
n You use Sentinel License Generation API to generate a license code for the first time for a
given machine.
To create new SL keys, you may need to purchase a pool of SL keys. (This depends on the nature
of your purchase plan or subscription plan for Sentinel LDK.)
260 Appendix A: Understanding the Sentinel LDK Master Key Licenses

When the New SL Key Pool is low, you purchase additional SL keys (if required by your plan). You
can configure Sentinel EMS to send notifications when the pool reaches a predefined threshold, to
ensure that you never run out of SL keys licenses for your software. For additional information
about configuring notifications, refer to the Sentinel EMS help system.
Additional Information

n When you purchase SL keys, SafeNet adds an extra 10% to the number of keys provided,
to compensate for situations in which an SL key should not have been deducted from
your Master key. (For example, if a customer’s hard disk drive fails and the customer
must reinstall the software on a new disk drive or a different computer, you may choose
to provide an additional activation even though the customer did not purchase a second
license.)
n If there are no SL keys remaining in your Master key (and your purchase plan or
subscription plan requires that you purchase SL keys), you will not be able to perform an
activation that installs a new SL key on a machine.

Network Seats
Network seats are required to enable users to run your software concurrently in a network
environment when your Product is licensed with a Sentinel SL key or Sentinel HL concurrency-
enabled key. (Network seats from your Master key are not required when your Product is licensed
with a Sentinel HL Net or NetTime key.) When you enter an order for your customer: For each
Feature in the Product, you specify whether concurrency is enabled for that Feature, and the
number of instances (network seats) that are supported.
Your Sentinel Master key contains the pools of network seats described below. To enable
concurrency for Features, you may need to purchase network seats for the appropriate pool on
your Master key (if required by your purchase plan or subscription plan).
n SL Pool of Seats
Each time a customer activates your software, the number of concurrent instances that
you included in the Product is deducted from the SL Pool of Seats on your Master key.
n HL Pool of Seats
Each time you burn or update an HL key for a Product with concurrency, the number of
network seats that you add to the key is deducted from the HL Pool of Seats on your
Master key.
If a Product contains a number of Features that have different concurrency attributes, and the
number of network seats that are provided for the Features differs, the total number of seats
deducted from your Master key is that of the Feature with the highest number of seats.
When the number of network seats remaining in the relevant pool on your Master key is low, you
replenish it by purchasing additional network seats (if required by your plan). You can configure
Sentinel EMS to send you notification when the number of seats remaining reaches a predefined
threshold, to ensure that you never run out of network seats for your software.
You do not require network seats on your Master key if you do not intend to enable concurrency.
 Network Seats 261

How New Activations and Update of Your Software Affect the Pool
When your protected application is first activated at the customer site or when you burn an HL
key for a Product with concurrency, Sentinel LDK examines which Feature in the Product contains
the greatest number of concurrency instances. The number of concurrent instances defined in
that Feature is deducted from the SL or HL pool of seats. (The concurrency in all other Features is
ignored.)
For the Sample Product in the graph below, the customer purchased as follows:
n For the Print Feature: 12 network seats
n For the Save Feature: 5 network seats
n For the Export Feature: 6 network seats
The Print Feature has the greatest number of concurrent instances. Therefore, when the Product
is activated, 12 network seats are deducted from the pool.
Later, the customer decided to purchase additional network seats or additional Features in the
protected application. For the sample Product in the graph below, the customer purchased as
follows:
n For the Print Feature: 3 network seats
n For the Save Feature: 11 network seats
n For the Export Feature: 5 network seats
n For the Reports Feature: 13 network seats
Sample Product - Number of Network Seats for Each Feature
262 Appendix A: Understanding the Sentinel LDK Master Key Licenses

When you fulfill the order, Sentinel LDK calculates the number of seats to deduct from your pool
of seats as follows:
1. Sentinel LDK determines which Feature had the greatest number of seats until now—in this
case, the Print Feature with 12 seats.
2. The number of additional seats required for each Feature for the update order is added to
the original number of seats that the customer purchased. The chart above indicates the
total number of seats that the customer now has.
3. Sentinel LDK determines which Feature now has the greatest number of seats—in this case,
the Save Feature with 16 seats.
4. The number of seats for the Print Feature that the customer had already purchased is
deducted from the new total number of seats for the Save Feature (16 total seats - 12
already-purchased seats = 4).
5. The remainder (4) is the number of seats that is deducted from the pool of seats.
The customer purchased 13 seats for the Reports Feature in the update. However, the Save
Feature has the highest accumulated number of seats. Therefore, only the Save Feature is
considered when Sentinel LDK calculates the number of seats to deduct from the pool of seats.

A Feature with unlimited seats is regarded as having the value defined for the Unlimited
Concurrency license type as described below.

Unlimited Concurrency
Your Sentinel Master key contains a license type called Unlimited Concurrency (also referred to as
Value of Unlimited Seats). When you specify the concurrency value for a license as “unlimited”
(for example, to create a “site” license), Sentinel LDK deducts the number of seats specified for this
license type from the HL pool of seats or SL pool of seats. This is typically 100 seats.
Given the following scenario
n A customer purchases 75 network seats for a Feature in a Product.
n Later, the customer purchases unlimited network seats for the Feature.
n The Unlimited Concurrency license type is set to 100 network seats.
Sentinel LDK charges this as an addition of 25 network seats. The pool of seats is decremented
accordingly.

If you set or increase the number of network seats to a value greater than the Unlimited
Concurrency value, the network seats pool will be decremented according to the value you
specify. This charge may be greater than the value set for Unlimited Concurrency.
 Unlocked Trialware Module 263

Additional Information
n When you purchase seats, SafeNet adds an extra 10% to the number of seats provided, to
compensate for situations in which you reduce the number of seats at a customer site, or
cancel a license on a computer on which Sentinel License Manager is located in order to
activate on a different computer.
n If you reduce the number of seats in a Product license, the seats are not returned to the
pool of seats. However, if the number of seats in the same Product license is later
increased (to the same amount as before or higher), the earlier reduction is taken into
consideration, and only seats beyond that amount (if any) are consumed.
n The activation of a new license whose terms include concurrency will decrement both the
New SL Key pool and the SL pool of seats.
n If the terms of a new license include more seats than exist in your pool of seats, your
customer will not be able to activate the license (if seats are required by your plan).

Unlocked Trialware Module

An Unlocked Trialware Product is a Product with an unlocked license that can be used for a period
of up to 90 days before the license expires. To continue using the Product, the user must
purchase a production license. You can define the Unlocked Trialware Product so that the Product
can be used either up to an absolute expiration date or for the defined number of days starting
from the date of first use.
To define Unlocked Trialware Products, you must purchase the Unlocked Trialware module for the
Master key.
The ability to create and distribute Trialware Products is included in the Sentinel LDK – Demo and
Starter packs. Vendors who want to experiment with Sentinel LDK can learn first-hand about
Unlocked Trialware Products.

When packaging a Run-time Environment installer with a V2C file for one or more Unlocked
Products in Sentinel EMS, you cannot include a Product that only has the locking type
SL-UserMode.

Unlocked Unlimited Module

The Unlocked license is for vendors who want to use Sentinel LDK to protect their applications
against reverse engineering (by using Sentinel LDK Envelope) but do not require a traditional
locked license.
An Unlocked license is similar to an Unlocked Trialware license. A protected application with an
Unlocked license can be installed and operated on any computer. However, an Unlocked license
can grant a perpetual license or a license for any length of time (with no 90-day restriction).
To generate Unlocked licenses, you must purchase the Unlocked Unlimited License module for the
Master key.
264 Appendix A: Understanding the Sentinel LDK Master Key Licenses

If you purchase the Unlocked Unlimited module, you can also create and distribute
Unlocked Trialware Products without the need to purchase the Unlocked Trialware module.

V-Clock Module
V-Clock is a virtual clock that is available in Sentinel SL keys and in all Sentinel HL (Driverless
configuration) keys except for Sentinel HL Basic keys. V-Clock is for vendors who want to use time-
based licenses to protect their applications but do not want to provide a Sentinel HL Time key or
Sentinel HL NetTime key. (These keys contain a real-time clock.)
The use of V-Clock with Sentinel SL keys and most Sentinel HL keys does not require a special
license. However, to generate time-based licenses that depend on V-Clock in Sentinel HL Pro keys,
you must purchase the V-Clock module for the Master key.
For more information on V-Clock, see "Appendix E: How Sentinel LDK Protects Time-based Licenses
With V-Clock" on page 279.

AppOnChip Module
AppOnChip functionality provides significant protection for applications by moving important
functions from the application code to a Sentinel HL (Driverless configuration) key. This creates a
strong binding between the protected application and the presence of the protection key, making
reverse engineering of the protected code virtually impossible.
The AppOnChip Module is not required for applications that are licensed using Sentinel HL Max,
Time, NetTime, Net, and Drive keys. For applications that are licensed using Sentinel HL Basic keys
or Sentinel HL Pro keys, an annual or perpetual AppOnChip module must be obtained from
SafeNet.
The AppOnChip Module can be placed on your Sentinel Developer key or the Sentinel Master key.
The key that contains the AppOnChip license must be accessible to Sentinel LDK Envelope at the
time that you apply AppOnChip protection to your application.

The Sentinel Developer key and Sentinel Master key can be accessed using a remote
connection. For more information, see the Sentinel LDK Installation Guide.

In the current version of Sentinel LDK, the AppOnChip module is not displayed when you view
Master Key modules in Sentinel EMS (from Administration > Master). However, you can use
Sentinel EMS to apply the AppOnChip module to the Master key or Developer key. You can view
all the modules on your Master key or Developer key in Sentinel Admin Control Center.

Advanced Data File Protection Module

The Version 2 data protection mode in Sentinel LDK Envelope and in Sentinel LDK Data Protection
utility enables you want to apply licensing protection to data files. This capability enables you to
license data files in the same manner that you license application. For more information, see
"Chapter 7: Protecting Data Files" on page 95.
 Reporting Module 265

The Advanced Data File Protection module is required by Sentinel LDK Envelope and Sentinel LDK
Data Protection utility when you select the Version 2 data protection mode. This module can be
placed on the Master key or Developer key.
In the current version of Sentinel LDK, the Advanced Data File Protection module is not displayed
when you view Master Key modules in Sentinel EMS (from Administration > Master). However,
you can use Sentinel EMS to apply the Advanced Data File Protection module to the Master key
or Developer key. You can view all the modules on your Master key or Developer key in Sentinel
Admin Control Center.

Reporting Module
The Reporting facility provides software vendors with the ability to produce real-time reports with
valuable business information. The Custom Reports facility enables vendors to design their own
reports to extract valuable information from the Sentinel EMS database.
Using the Custom Reports feature, managers can design reports to obtain data for analyzing how
their software is used, the purchasing preferences of their customers, and information for profiling
prospects and existing customers. The information can also be leveraged to maximize revenues
from license renewals and to turn trial users into buyers.
The Reporting facility includes both predefined reports and the Custom Reports facility. Use of
predefined reports does not require a specific license. However, use of the Custom Reports facility
requires the Reporting Module. This module is typically issued for a specific amount of time.
The ability to define, generate and view custom reports is included in the Sentinel License
Development Kit – Demo and Starter. Vendors who are experimenting with Sentinel LDK can learn
first-hand about the Custom Reports facility.
For information on the Reporting facility, see "Chapter 14: Generating Sentinel LDK Reports" on
page 171.
 B
Appendix B:
Sentinel LDK Run-time Network
Activity

This appendix describes the type of network activity that occurs in the communication between:
n an application (protected using Sentinel LDK) and the local Sentinel License Manager
(referred to as “local communications”).
n the local Sentinel License Manager and one or more remote Sentinel License Managers
(referred to as “remote communications”).
Details regarding local communications and remote communications are provided on the pages
that follow.
This chapter is intended to assist IT managers who want to understand how run-time activity on
the network may impact the way they set up their network rules and policies.
Sentinel LDK communicates via TCP and UDP on socket 1947.This socket is IANA-registered
exclusively for this purpose.

In this appendix:

n "Local Communications" on page 268

n "Remote Communications" on page 269
268 Appendix B: Sentinel LDK Run-time Network Activity

Local Communications

This section describes communication between a protected application and the local
Sentinel License Manager service.
A protected application communicates only with Sentinel License Manager on the computer where
the application is running, regardless of whether the Sentinel HL or SL Key is located on the same
computer or on a remote computer.

Under Windows, Sentinel License Manager is a service that is launched automatically by

hasplms.exe. Under Mac OS and Linux, the Sentinel License Manager is a process launched
automatically by hasplmd.

Sentinel License Manager service opens socket 1947 for listening (both for UDP packets and TCP
packets).
n IPv4 sockets are always opened (Sentinel License Manager currently does not work
without IPv4 installed).
n IPv6 sockets are opened if IPv6 is available.
A protected application tries to connect to 127.0.0.1:1947 TCP to communicate with
Sentinel License Manager. If an application uses multiple sessions, multiple concurrent TCP
connections may exist. If a session is unused for a certain number of minutes (at least seven
minutes, but the exact number depends on several factors), the session may be closed and
automatically re-opened later in order to limit resources used by the application.
These local communications currently use IPv4 only.
The communication uses binary data blocks of varying size.
 Remote Communications 269

Remote Communications

This section describes communication between the local Sentinel License Manager service and a
remote Sentinel License Manager service.
This type of communication occurs when the protected application is running on a different
computer from the computer where the Sentinel protection key is installed.
The protected application communicates only with the local Sentinel License Manager on the
computer where the application is running, as described in "Local Communications" on page 268.
The local Sentinel License Manager discovers and communicates with the License Manager on the
computer containing the Sentinel protection key using one of the following methods:
n If the option Broadcast Search for Remote Licenses is selected in the Admin Control
Center (in the Access From Remote Clients tab of the Configuration page), the local
Sentinel License Manager issues a UDP broadcast to local subnets on port 1947 using:
o IPv4 (always)
o IPv6 (if available)
The option Broadcast Search for Remote Licenses is selected by default.
n For addresses specified in the Admin Control Center field Remote License Search
Parameters or Specify Search Parameters (in the Access From Remote Clients tab of the
Configuration page), the local License Manager does the following:
o For a local Admin License Manager: The License Manager issues a UDP “ping”
packet to port 1947 for all addresses specified. These addresses may be individual
machine addresses or broadcast addresses.
o For a local Integrated License Manager or External License Manager: The License
Manager sends a TCP request to all individual addresses. If the field contains a
broadcast address (xxx.xxx.xxx.255), the License Manager send a UDP broadcast to
discover a running server at that broadcast address.
All Sentinel License Managers found by the discovery process are then connected via TCP port
1947, using IPv4 or IPv6 as detected during discovery, and data regarding the remote
Sentinel protection keys are transferred.
270 Appendix B: Sentinel LDK Run-time Network Activity

This discovery process is repeated at certain intervals. (The interval size depending on a number of
factors, but it is generally not less than five minutes.)
UDP packets sent and received in the discovery process contain the Sentinel License Manager
GUID (40 bytes of payload data).
When starting or stopping a Sentinel License Manager, and when adding or removing a
Sentinel protection key, a UDP notification packet is sent, containing the Sentinel License Manager
GUID and a description of the changes encountered. This is done to allow other Sentinel License
Managers to update their data before the next scheduled discovery process.
TCP packets between two Sentinel License Managers on different computers use HTTP with base-
64 encoded data in the body section.
 C
Appendix C: Maximum Number of
Features in a Sentinel HL Key
Each Sentinel HL key can contain a certain maximum number of Features, depending on:
n the type of HL key
n the complexity of the license type defined in each Feature
n the number of Products among which the Features are distributed.
The diagram below illustrates that:
n As you increase the number of higher-complexity license types on the key, the maximum
number of Features that the key can contain decreases.
n As you increase the number of Products on the key, the maximum number of Features
that the key can contain decreases.
For information on the range of Features that each Sentinel HL key can contain, see the Sentinel
HL Data Sheet.
The complexity of the license types are as follows:
n Lowest complexity: Perpetual HL
n Medium complexity: Perpetual HL + SL, Expiration
n Highest Complexity: Executions, Time Period
For example, a Sentinel HL Max (Driverless configuration) key can contain as follows:

The number of Features that can be written to a Sentinel SL key is unlimited.

In Sentinel HL (Driverless configuration) keys, Features are stored in dynamic memory

space. This space is shared between application data (the space available to you for your
applications) and Features. All space that is not utilized for Features can be used for
272 Appendix C: Maximum Number of Features in a Sentinel HL Key

application data. For more information, see "Defining Protection KeyMemory Data" on
page 134.
 D
Appendix D:
How Sentinel LDK Detects Machine
Cloning

This appendix describes the techniques employed by Sentinel LDK to prevent unauthorized use of
protected software when the physical or virtual machine on which the software is installed is
cloned.
This topic is only relevant for software protected with a Sentinel SL key. Software that is protected
by a Sentinel HL key is not vulnerable to machine cloning.
For more information on protecting software against cloning, see "Protection Against Cloning" on
page 132.

Overview
One of the methods sometimes employed to enable the illegitimate use of licensed software is
machine cloning. Machine cloning involves copying the entire image of one machine (including
your software and its legitimate license) and duplicating it to one or more other machines. If there
is no way to detect that the new image is running on different hardware than that on which it was
originally installed, multiple instances of the software are available even though only a single
license was purchased.
As part of the Activation process for a licensed Product, the Sentinel LDK License Manager creates
a “fingerprint” of the computer on which the protected software is installed. This fingerprint
contains hash values of a number of characteristics of the computer. This fingerprint (referred to
as the reference fingerprint) is stored within the secure storage on the computer and is also
returned to the Vendor in the C2V file. At the Vendor site, the fingerprint is stored as part of the
license information in the Sentinel EMS database.
Each time the end user starts the protected software, the Sentinel LDK License Manager creates a
new fingerprint of the computer (referred to as the system fingerprint) and compares it to the
reference fingerprint.
If the system and reference fingerprints are identical or sufficiently close (as described in this
appendix), Sentinel LDK allows the protected software to operate.
When clone detection is enabled for a Product in Sentinel LDK, the License Manager checks for
cloning using the criteria described in this appendix. If cloning is detected, Sentinel LDK disables
274 Appendix D: How Sentinel LDK Detects Machine Cloning

the license. As a result, the end user is unable to operate the software for which a cloned license
has been detected.
Several schemes exist in Sentinel LDK to create fingerprints for physical and virtual machines.
These schemes provide different level of protection to satisfy the various sets of requirements
that may exist in your organization. The list below summarizes the various clone protection
schemes available. A more detailed description of each clone protection scheme is provided later
in this appendix.
Schemes for Physical Machines
n PMType1: This scheme exists in all versions of Sentinel LDK. This scheme uses two
components to verify fingerprints: hard drive serial number and motherboard ID.
n PMType2: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses various
components such as CPU, ethernet card, optical drive, and PCI card slot peripherals,
along with the hard drive serial number and motherboard ID to verify fingerprints. This
scheme provides enhanced reliability against false positive clone detection and maintains
the inherent security of the scheme.
n PMType3: This scheme exists in Sentinel LDK 7.3 and later for Android applications. This
scheme uses three components to verify fingerprints: CPU model, CPU serial number, and
internal storage serial number.
n FQDN: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses only the
machine’s FQDN (Fully Qualified Domain Name) to verify fingerprints.
On MAC machines, FQDN licenses are bound to LocalHostName, and the value of
LocalHostName should not be empty.

Schemes for Virtual Machines:

n VMType1: This scheme exists in all versions of Sentinel LDK. This scheme uses three
components to verify fingerprints: Virtual MAC address, CPU characteristics, and UUID.
n FQDN: This scheme exists in Sentinel LDK v.7.1 and later. This scheme uses the machine’s
FQDN (Fully Qualified Domain Name) to verify fingerprints. This scheme provides increased
reliability and provides flexibility of operation in a server virtualization environment.

The clone protection provided by the VMType1 and FQDN protection schemes are based
on the following assumption: The customer’s IT department follows best practices to avoid
the collisions that would result from cloned machines that have identical UUID, MAC
addresses or hostnames.
If you are concerned that your customers may be willing to accept collisions in order to
attempt to bypass clone protection, consider one of the other Sentinel LDK solutions that
provides a different tradeoff of security and convenience and is not affected by such
deployment. A remote license (SL AdminMode, Sentinel HL, or Sentinel Cloud Licensing) will
provide the higher level of security that you require.

The remainder of this appendix provides a more detailed description of each of the clone
protection schemes.
 Clone Detection for Physical Machines 275

Clone Detection for Physical Machines

This section provides a detailed description of the clone protection schemes that are available to
protect again the cloning of physical machines.

PMType1 Scheme
The PMType1 scheme uses two components to verify fingerprints: hard drive serial number and
motherboard ID.
If either the hard drive serial number or the motherboard ID does not match the characteristics in
the fingerprint in the secure storage, Sentinel LDK License Manager still allows the protected
software to operate. Sentinel LDK recognizes that situations occur where an end user has a
legitimate reason for replacing one of these components in the user’s computer. This policy
possibly enables a user to operate protected software on a cloned computer. However, this policy
also frees the Vendor from dealing with numerous support calls from users who have replaced a
component in their computer. Such calls would otherwise generate costly support cases for the
Vendor’s customer support organization.
If both the hard drive serial number and the motherboard ID do not match the characteristics in
the fingerprint of the license, Sentinel LDK regards computer as a clone and prevents the
protected software from operating. (See the table that follows.)

Comparison Results
Characteristics Hard drive serial Identical Different Identical Different
Compared number
Motherboard ID Identical Identical Different Different
Sentinel LDK Behavior: launched launched launched disabled
The software is...

PMType2 Scheme
The PMType2 scheme uses various components such as CPU, ethernet card, optical drive, PCI
card slot peripherals (for example: display, storage, network, multimedia) along with the hard
drive serial number and motherboard ID to verify fingerprints on a physical machine.
Each component that makes up the reference fingerprint is assigned a weighted value. Sentinel
LDK performs the following computations:
n A = total for the weighted values of all components in the reference fingerprint.
n B = total for the weighted values of all components in the system fingerprint that match
components in the reference fingerprint.
n matching percentage = (B/A) * 100
Sentinel LDK computes a required percentage based on the level of agreement that is found
between the hard drive serial number and motherboard ID in the reference fingerprint and in the
system fingerprint.
276 Appendix D: How Sentinel LDK Detects Machine Cloning

If the matching percentage reaches the required percentage, the protected application is allowed
to execute.

PMType3 Scheme
The PMType3 scheme is specifically for Android applications. This scheme uses three components
to verify fingerprints: CPU model, CPU serial number, and internal storage serial number.
The CPU model must match the characteristics in the fingerprint in secure storage to allow the
protected software to operate. In addition, either the CPU serial number or the internal storage
serial number (or both) must match the characteristics in the fingerprint. See the table that
follows.

Comparison Results
Characteristics CPU model Identical Identical Identical Different
Compared CPU serial number Identical Different Identical Identical
or
Different
Internal storage serial Identical Identical Different Identical
number or
Different
Sentinel LDK Behavior: launched launched launched disabled
The software is...

FQDN Scheme
The FQDN scheme uses only the machine’s FQDN (Fully Qualified Domain Name) to verify
fingerprints on a physical machine.
If the FQDN in the reference fingerprint matches the FQDN in the system fingerprint, the
protected Software is launched.

Clone Detection for Virtual Machines

This section provides a detailed description of the clone protection schemes that are available to
protect again the cloning of virtual machines.

VMType1 Scheme
Clone detection for software installed on a virtual machine must employ a different technique
than that used for physical machines.
The two most important fingerprint characteristics - the physical hard drive serial number and the
physical motherboard ID - are not accessible to software running on the virtual machine. Instead,
the virtual machine has a virtual hard drive and a virtual motherboard.
 Clone Detection for Virtual Machines 277

On a cloned virtual machine, the characteristics of these virtual components are identical to the
source virtual machine. As a result, these characteristics are not suitable for use when creating the
fingerprint at the time the protected software is activated or subsequently operated.
The VMType1 scheme relies on three different parameters for verifying fingerprints on a virtual
machine: the virtual MAC address, CPU characteristics, and UUID of the virtual image. Each of
these parameters is discussed below.
Virtual MAC Address

Each physical network adapter or network card has a unique identifier, but this identifier is not
accessible to a virtual machine running on the computer. Instead, each virtual machine is assigned
a unique virtual MAC address.
Within a network, each virtual machine must possess a unique MAC address. If a user clones a
virtual machine and installs it on a second computer within the same network, working on either
the original or the cloned virtual machine will be impractical as the two machines will constantly
cause network collisions.
CPU Characteristics

In desktop/workstation environments such as VMware workstation or VMware player, the

desktop virtualization software does not expose the ability to virtualize the CPU. This increases the
difficulty for a user to bypass the protection by attempting to create a virtual copy of the source
computer. A number of CPU characteristics are available for inclusion in the virtual machine
fingerprint, including: processor make, model and speed.
Due to the large number of different processors available in the market, the likelihood of two
different desktop computers having completely identical CPU characteristics is low.
In centrally managed virtual infrastructures (also called server based virtualization), hardware
clusters can be virtualized. In this environment, the virtual infrastructure does not always utilize a
single, fixed set of physical hardware resources. Instead, it utilizes a shared pool of resources. For
the most common types of clustered environments, where live migration capabilities are typically
required, a requirement usually exists for different hosts in the cluster to have identical CPU
characteristics. Solutions such as VMware vCenter Server provide the ability to enable CPU
masking to improve compatibility for the high availability and fault tolerance virtualization
features. CPU masking allows host machines with different CPU characteristics to be used in the
cluster, while providing common (masked) CPU characteristics across all hosts in the cluster.
Therefore the CPU characteristics do not change when virtual machine migrates across the hosts
in a cluster. This enables licensed applications to continue working when migrated from one host
to another within a cluster. However, this type of environment is restricted to a limited subset of
CPU types. In addition, the migration can only be performed when the target computer contains
physical CPU whose capabilities match or exceed the characteristics of the virtual CPU.
UUID of the Virtual Machine

This is used as a means of unique identification of the virtual machine with the majority of virtual
machines technologies. The UUID consists of a 16-byte (128-bit) number. Each virtual machine is
assigned a different UUID.
When a user makes a clone of a virtual image or copies a virtual machine from one location to
another, a new UUID value is generated for the new virtual image or virtual machine.
278 Appendix D: How Sentinel LDK Detects Machine Cloning

None of the three characteristics used by this scheme to create a virtual machine fingerprint is
absolutely tamper-proof.
The protection against cloning provided by Sentinel LDK for virtual machines is not as secure as
the protection provided for physical machines. You have the option of blocking the protected
software from running on most popular virtual machines by clearing the Virtual Machine check
box in the Define License Terms dialog box in Sentinel EMS.
However, when checking the fingerprint for cloning, Sentinel LDK examines all of these
characteristics. If one (or more) of these characteristics does not match the characteristics in the
fingerprint of the license, Sentinel LDK prevents the protected software from operating. Thus, the
combination of these parameters in the fingerprint provides protection against cloning. (See the
table that follows.)

Comparison Results
Characteristics Virtual MAC Identical Different Identical or Identical
Compared Address Different or
CPU Identical Identical or Different Different
Characteristics Different
UUID Identical Identical or Different
Different
Sentinel LDK Behavior: launched disabled disabled disabled
The software is...
In a typical business environment (where computers in a given location are on the same network),
the requirement for a unique virtual MAC address make cloning impractical.
For server virtualization, or virtualized cluster where the cluster is typically managed by the
virtualized management solution (such as VMware vCenter), UUID acts as additional deterrent to
running a cloned virtual image.
For computers on different networks or computers that are not networked, the likelihood of a
cloned virtual machine sharing identical CPU characteristics with the original virtual machine is low.
The method employed by this scheme to protect against cloning of virtual machines is effective
for all types of virtual machine software commonly used by organizations.

FQDN Scheme
The FQDN scheme uses only the machine’s FQDN (Fully Qualified Domain Name) to verify
fingerprints on a virtual machine.
If the FQDN in the reference fingerprint matches the FQDN in the system fingerprint, the
protected Software is launched.
The FQDN clone protection scheme provides a solution for virtual machine live migration. It allows
the guest virtual machine to freely migrate between different physical hosts, while allowing
accurate license enforcement to continue. Virtual machine live migration does not cause the
license to be incorrectly marked as cloned (and thus disabled).
 E
Appendix E:
How Sentinel LDK Protects Time-
based Licenses With V-Clock

This appendix describes the technology used in Sentinel LDK to prevent a user from extending the
duration of a software license that is locked to the V-Clock in a Sentinel protection key by
adjusting the computer’s system clock.
V-Clock is a virtual clock that is available in Sentinel SL keys and in all types of Sentinel HL
(Driverless configuration) keys except for Sentinel HL Basic keys. For Products that are licensed
with Sentinel SL keys, V-Clock is always available. For Products that are licensed with Sentinel HL
(Driverless configuration) keys, V-Clock must be specifically enabled for each Product.

The use of V-Clock in Sentinel HL Pro keys is only available if your Sentinel Master key
contains a valid V-Clock module.

V-Clock does not provide the same level of control as the real-time clock in Sentinel HL Time keys
and Sentinel HL NetTime keys. However, V-Clock prevents the end user from setting the system
time back to an earlier date and time, and thus tampering with time-based licenses.
The expiration period or date for a time-based license is initially calculated according to the system
clock of the end user's machine.
Sentinel License Manager reads the system time at Sentinel License Manager startup (by default,
part of the machine startup). Sentinel License Manager subsequently uses its internal running time
to calculate the time. When an application that is protected with V-Clock is executed for the first
time, Sentinel License Manager queries its internal clock to determine the start time of the
software’s license duration.
n If the license duration is a fixed period (for example, 30 days or 1 year), Sentinel License
Manager calculates the actual date on which the license must stop working and the
information is stored in the secure storage area of the protection key. The secure storage
for a Sentinel SL key is on the hard drive of the end user's computer. The secure storage
for a Sentinel HL key is in the HL key.
n If the license is to expire on a specific date, Sentinel License Manager records that date.
280 Appendix E: How Sentinel LDK Protects Time-based Licenses With V-Clock

Expiration time is determined using the formula:

[current Sentinel License Manager time] + number of seconds to expiration

The information is stored in the secure storage area of the protection key.

Tampering with the System Clock

If a user resets the system clock of the machine to which the software license is locked:
n As long as Sentinel License Manager remains active, the changed time does not affect the
expiration time of the license, since the calculations are all made within the License
Manager, which uses the time of its last startup.
n If Sentinel License Manager is stopped and restarted (for example: if the machine is
rebooted), the License Manager compares its last recorded internal time with the time of
the system clock. When Sentinel License Manager detects that the time on the system
clock is earlier than that of its internal clock, protected applications with time-based
licenses are deactivated. The applications are reactivated automatically when the system
clock is equal to or later than the time in the License Manager.
Sentinel License Manager allows the system clock to run up to 24 hours earlier
than its internal clock. This accommodates situations where the protected
application is used across different time zones.

Re-enabling a Blocked Protected Application

As indicated above, a blocked protected application is automatically re-enabled when the time on
the system clock is no longer earlier than the V-Clock time. The application will be accessible if the
license for the application has not yet expired.
Under certain circumstances, you may want to re-enable blocked applications by changing the V-
Clock time. This can be accomplished by receiving a C2V file for the protection key from the
customer and then returning a V2C file that provides an update to the V-Clock time.

Setting Fallback to V-Clock If the RTC Battery in a Sentinel

HL key is Depleted
If the battery for the real-time clock on a Sentinel HL (Driverless configuration) Time or NetTime
key is depleted, the key is no longer accepted for time-based licenses.
You can configure a Sentinel HL Time or NetTime key to switch automatically to the V-Clock in the
event that the battery becomes depleted. If the real-time clock on the Sentinel HL key stops
operating, protected applications, including those with time-based licenses, with continue to run.
In Sentinel License Generation API, you can implement fallback to V-Clock for a Sentinel HL key by
including the tag <fallback_to_vclock> in a license definition. In Sentinel EMS, you can
 Setting Fallback to V-Clock If the RTC Battery in a Sentinel HL key is Depleted 281

select the global configuration parameter Fallback to V-Clock in the Administration Console in
order to implement fallback to V-Clock in all generated licenses.

n Once you have enabled fallback to V-Clock for a Sentinel HL Time or NetTime key,
this functionality cannot be disabled in the key.
n After the real-time clock stops working, the Sentinel HL key must be disconnected
and reconnected in order to switch over to the V-Clock.
 F
Appendix F:
How to Bundle Unlocked Products
Manually

To prepare Unlocked Products for distribution, you must first create a "bundle" that will be
installed together with the protected applications. This bundle consists of:
n a V2C file containing the Unlocked Product licenses
n your Vendor libraries
n a customized Run-time Environment installer
The customized Run-time Environment installer installs the Sentinel LDK Run-time Environment
and your Vendor libraries, and applies the Unlocked Product licenses to the Sentinel protection
key .
You typically prepare a bundle using Sentinel EMS (see "Generating Bundles of Unlocked Products"
on page 157). However, you have the option to write an installer that performs the bundling
process.
To perform the bundling process manually, the program that installs the protected application
should also do the following:
1. Install the Sentinel LDK Run-time Environment. Several methods exist to accomplish this.
For more information, see "Distributing Sentinel LDK Run-time Environment" on page 179.
2. Install your customized Vendor library. The file haspvlib_vendorID.* can be found on the
computer where Sentinel Vendor Suite is installed, in the following path:
n For Windows x64: %CommonProgramFiles(x86)%\Aladdin Shared\HASP\
n For Windows x86: %CommonProgramFiles%\Aladdin Shared\HASP\
n For Mac: /var/hasplm (By default, the /var path is hidden. You may need to
modify the operating system View option to display all files and folders in order to
access this path.)
n For Linux: /var/hasplm
On the computer where the protected application is installed, your installation procedure
must place a copy of this file in the same path as above.
284 Appendix F: How to Bundle Unlocked Products Manually

3. Apply the V2C file that contains the unlocked licenses. To do this, call the Update function
in the Sentinel Licensing API.
 G
Appendix G: How to Optimize
Performance for Sentinel LDK
Run-time Environment

Certain configuration parameters or activities performed by a protected application can lead to

reduced performance in the Sentinel LDK Run-time Environment.
This section describes how you can optimize the environment and protected application to
achieve better performance.

SL UserMode License
The presence of an SL UserMode license in a protection key on the end user’s computer increases
the time required for the first login/get_info operation performed for a protected application,
even if the license is not required for that application. Therefore, do not place an SL UserMode
license on a computer unless that license type is required.

Run-time Environment
For best performance, ensure that when the Run-time Environment is required, the Run-time
Environment on the end user’s computer is the most current. In addition, the Run-time
Environment provides better performance after it has been active for at least three minutes.

Testing for Presence of Features

To determine whether certain Features exist in a protection key before using them, the protected
application can call the GetInfo function in the Licensing API. This function can retrieve a list of all
the Features that exist in the protection key. This is more efficient than attempting to log in and
then log out immediately to individual Features just to determine if they exist. In addition, use of
the GetInfo function does not consume a license. However, after using the GetInfo function, the
protected application should call the Login function to log in to Features to use.
 H
Appendix H:
Upgrading Sentinel HL Keys
The configuration of Sentinel HL keys can be upgraded before or after delivery to customers as
follows:
n Sentinel HL (HASP configuration) keys can be upgraded to Sentinel HL (Driverless
configuration) keys.
n Sentinel HL (Driverless configuration) standalone (non-Net) keys can be converted to
Sentinel HL (Driverless configuration) network keys.
Each of these upgrades is described below.

Upgrading a Sentinel HL Key to Driverless Configuration

A Sentinel HL (HASP configuration) key that was previously delivered to a customer can be
upgraded to a Sentinel HL (Driverless configuration) key in the field. In Driverless configuration,
this key will employ HID drivers instead of HASP key drivers. (HID drivers are an integral part of
the operating system.) As a result:
n The key is less subject to issues related to operating system upgrades.
n The key may no longer require the presence of Sentinel LDK Run-time Environment.
All of the licenses and key memory that existed in the Sentinel HL (HASP configuration) key will
continue to exist in the key after the upgrade.

Given the following situation:

n An application is protected with version 6.3 or 6.4 of Sentinel Licensing API libraries
and/or Envelope.
n The Sentinel HL (HASP configuration) key that licenses the application is upgraded
to the Driverless configuration.
The application will work correctly after the upgrade. However, the requirement for the
presence of the Run-time Environment does not change.

The tables that follow summarize the requirements for working with HL keys.
288 Appendix H: Upgrading Sentinel HL Keys

Standalone HL Keys

Version of Licensing API or

Envelope used to protect the HASP HL key or Sentinel HL Sentinel HL (Driverless
application (lower of the (HASP configuration) key configuration) key
two)
HASP SRM, Sentinel HASP, or Requires Run-time Not supported. See the
Sentinel LDK v.6.0 or v.6.1 Environment from same (or warning below.
later) version that was used to
protect the application
Sentinel LDK v.6.3 Requires Run-time Environment from Sentinel LDK v.6.3 or later
Sentinel LDK v.6.4 Requires Run-time Environment from Sentinel LDK v.6.4 or later
Sentinel LDK v.7.0 or later Requires Run-time Under Windows, use of
Environment from Sentinel LDK Run-time Environment (from
v.7.0 or later Sentinel LDK v.7.0 or later) is
optional.

Net and NetTime HL Keys

Version of Licensing API or

Envelope used to protect the HASP HL key or Sentinel HL Sentinel HL (Driverless
application (lower of the (HASP configuration) key configuration) key
two)
HASP SRM, Sentinel HASP, or On the machine where the HL Not supported. See the
Sentinel LDK v.6.0 or v.6.1 key is connected: Requires warning below.
Run-time Environment from
same (or later) version that
was used to protect the
application
Sentinel LDK v.6.3 On the machine where the HL key is connected: Requires Run-
time Environment from Sentinel LDK v.6.3 or later
Sentinel LDK v.6.4 On the machine where the HL key is connected: Requires Run-
time Environment from Sentinel LDK v.6.4 or later
Sentinel LDK v.7.0 or later On the machine where the HL key is connected: Requires Run-
time Environment from Sentinel LDK v.7.0 or later
The following limitations apply:
n The application must be protected using version 6.4 or later of Sentinel Licensing API
libraries and/or Envelope. (For Sentinel HL Net keys and Sentinel HL NetTime keys, use
version 7.0 or later.)
n You must be using version 6.4 or later of Sentinel EMS or License Generation API to
generate the Product that upgrades the HL key. (For Sentinel HL Net keys and Sentinel HL
NetTime keys, use version 7.0 or later.)
 Upgrading a Sentinel HL Key to Driverless Configuration 289

n The firmware on the Sentinel HL key will be automatically updated as part of the upgrade
process.
n After upgrade, Sentinel HL (Driverless configuration) keys will not be visible in Admin
Control Center if the Run-time Environment is earlier than:
o version 6.50 (Sentinel LDK v.6.3) — for standalone keys
o version 6.60 (Sentinel LDK v.7.0) — for Net and NetTime keys
An application that is protected with version 6.3 of Sentinel LDK, Licensing API libraries and/or
Envelope will work correctly after the Sentinel HL (HASP configuration) key that licenses the
application is upgraded to the Driverless configuration. However, the requirement for the
presence of the Run-time Environment does not change.

Wa r ning
A n applic ation that is pr ote c te d w ith ve r sion 6 .1 or e ar lie r of Se ntine l L DK
libr ar ie s, L ic e nsing A P I libr ar ie s and/or E nve lope w ill stop w or king if the
Se ntine l HL (HA SP c onfigur ation) ke y that lic e nse s the applic ation is upgr ade d
to the Dr ive r le ss c onfigur ation.

Th e u p gr ad e p r o c e ss fo r th e Se n tin e l HL ke y is n o t r e v e r sib le .

Upgrade Requirements
The machine that is used to upgrade a Sentinel HL (HASP configuration) key to a Sentinel HL
(Driverless configuration) key must contain a Sentinel LDK Run-time Environment that satisfies the
following requirements:

Required
Sentinel HL (HASP configuration) key to upgrade Run-time
Environment
Standalone key that contains license information (Features and Products) Version 6.56
or later
Net or NetTime key that contains license information (Features and Products) Version 6.60
or later
Any HL key that contains no license information (Features and Products) AND No special
the license update used to upgrade the key contains no license information version
(Features and Products). Both the key and the license update can contain requirements
memory data.
290 Appendix H: Upgrading Sentinel HL Keys

Upgrade Process
To upgrade a Sentinel HL (HASP configuration) key to Sentinel HL (Driverless configuration)
key:
n Create a Base Product or Modification Product that contains the Upgrade to Driverless
attribute. The Product can be created exclusively to upgrade the Sentinel key, or the
Upgrade to Driverless attribute can be included in a Product that licenses or modifies the
license for a protected application. Apply the Product to the Sentinel HL (HASP
configuration) key to be upgraded.
The Upgrade to Driverless attribute is ignored if it applied to Sentinel HASP keys or to
Sentinel HL (Driverless configuration) keys. Similarly, the attribute is ignored if is applied to
an SL AdminMode key, SL UserMode key, or SL Legacy key. No error message is
generated.
The Product that contains the Upgrade to Driverless attribute can be created using
Sentinel EMS, Sentinel EMS Web Services, or Sentinel License Generation API.
To upgrade a Sentinel HL Basic key from HASP configuration to Driverless configuration:
n On the machine where the Sentinel HL Basic key is connected, use RUS to collect
information regarding the key. Use the resulting C2V file with Sentinel License Generation
API to generate a V2C file that uses the Upgrade to Driverless attribute to upgrade the
key.
Apply the V2C file to the Sentinel HL Basic key to be upgraded.

Converting a Sentinel HL Standalone Key to a Network Key

This topic does not apply to Sentinel HL Basic keys.

The table below describes the terminology used in this section:

Term Description
Sentinel HL standalone key Any Sentinel HL (Driverless configuration) key other
than Net or NetTime keys.
Sentinel HL concurrency-enabled key A Sentinel HL standalone key that has been updated to
support concurrency licenses.
Sentinel HL network key Any Sentinel HL key that supports network seat
licenses. This can be a Net or NetTime key, or a Sentinel
HL concurrency-enabled key.
Sentinel HL standalone keys can be updated, before or after delivery to end users, to Sentinel HL
concurrency-enabled keys, and thus provide practically the same network functionality as Sentinel
HL Net or NetTime keys.
The only difference between a Sentinel HL concurrency-enabled key and a Sentinel HL Net or
NetTime key is the manner in which you are charged for network seat licenses. Each Net or
 Converting a Sentinel HL Standalone Key to a Network Key 291

NetTime key is provided with a number of network seat licenses, based on the type of key. For HL
concurrency-enabled keys, network seat licenses that you provide to your customers are
deducted from the HL Pool of Seats on your Master key. This is similar to the way network seats
are charged for Sentinel SL keys.
You update a Sentinel HL standalone key to a Sentinel HL concurrency-enabled key simply by
assigning concurrency to a Feature on the key. When this occurs, the License Manager checks the
Firmware version of the key. If the version is earlier than 4.27, the License Manager upgrades the
Firmware on the key to the latest version.
The conversion can only occur if License Manager v.7.3 or later is present on the machine where
the Sentinel HL key is connected.

When you update a Sentinel HL standalone key to a Sentinel HL concurrency-enabled key,

you must also ensure that the Sentinel LDK Run-time Environment is installed on the
machine where the key is connected. For more information, see "Protection Keys That
Require Sentinel LDK Run-time Environment" on page 179.

Note the following:

n Feature 0 for a Sentinel HL concurrency-enabled key shows the key as a NET key with
unlimited concurrency as long as any other Feature on the key requires concurrency. If
the requirement for concurrency are removed from the key, Feature 0 will show the key
as a standalone key.
n In Sentinel License Generation API, you can prevent the upgrade of the Firmware for a
Sentinel key when you update a license. However, if the existing Firmware on the key
does not support the functionality in the update you are attempting to perform, the
update will fail as a result.
n All Sentinel HL (Driverless configuration) key (except for HL Basic keys) will be shown as
capable devices for licenses that require concurrency.
Sentinel HL (HASP configuration) standalone keys can be upgraded and updated to Sentinel HL
(Driverless configuration) concurrency-enabled keys in a single update operation. Upgrade the key
to the Driverless configuration as described earlier in this appendix, and at the same time assign
concurrency to a Feature on the key.
 I
Appendix I:
How to Make Product Names Visible
on the End User's Machine

When you burn the entitlement for a Product to a Sentinel HL key, the Product name is not
necessarily visible in Sentinel Admin Control Center on the machine where the Sentinel HL is
connected by the end user. The Product name is visible if one of the following actions is
performed:
n You send a V2C file containing an update for the Product. After the user applies the V2C
file, the Product name will be visible in Sentinel Admin Control Center as long as the
Sentinel HL key is connected to the same machine. (If the user moves the key to a
different machine, the Product name will not be visible on the new machine.)
n You export Product names from Sentinel EMS to an XML file, and place the file on the end
user’s machine.
To export Product names from Sentinel EMS to the end user’s machine:
1. From the Developer menu in Sentinel EMS, click Export Catalog Definitions.
2. In the resulting screen, select the appropriate Batch Code. For Export File Type, select
Metadata in Admin Control Center format.
3. Click Export. The file vendorID.xml is saved.
4. On the end user’s machine, do the following:
a. Stop the Sentinel LDK License Manager service. (This must be completed before you
perform the next step.)
b. Place the vendorID.xml file in the directory:
%SystemDrive%\Program Files (x86)\Common Files\Aladdin Shared\HASP\vendors\
(For Windows x86, use: %SystemDrive%\Program Files\...)
c. Restart the Sentinel LDK License Manager service.
294 Appendix I: How to Make Product Names Visible on the End User's Machine

To move Product names from one end user's machine to another:

n Copy the vendorID.xml file from the source machine to the target machine using the
procedure in step 4 above.
 J
Appendix J:
Troubleshooting

The first part of this appendix provides a checklist to help you solve some of the most common
problems that your customers might encounter when using the Sentinel HL keys. The second part
lists specific problems you or your customers may experience, together with the solutions.
Sentinel HL keys conform to the highest standards of quality assurance. However, like any other
PC peripheral device, a Sentinel HL key might not operate on certain PC configurations because of
faulty equipment or improper installation. This appendix can help you in such a situation.
In addition to the information in this appendix, you can access the Sentinel Knowledge Base at:
www.safenet-inc.com/technicalsupport.aspx

The Knowledge Base contains a comprehensive listing of solutions to general and specific
problems.
To avoid potential difficulties, ensure you are using current Sentinel LDK software versions.
Contact your local SafeNet representative for the latest updates, or visit the SafeNet downloads
page at:
www.sentinelcustomer.safenet-inc.com/sentineldownloads/

Checklist
If a customer reports a problem, check the following:
n What the returned error code or message says. For additional information, see the status
codes in the Licensing API help system.
n Whether a Sentinel HL key is connected correctly to the USB port.
n Whether your customer’s hardware or the operating system indicates technical
malfunction, such as device manager collisions, system events, bootlog failures, or other
issues.
n Whether Sentinel Admin Control Center can access the Sentinel HL key.
n Whether the problem occurs when the protected application runs on another PC of the
same model.
296 Appendix J: Troubleshooting

Problems and Solutions

Problem Sentinel HL key drivers do not install.

Solution Are older Sentinel HL key drivers installed on the machine? Uninstall the older driver
using the installer corresponding to the older driver version. For additional
information, see the Sentinel HL key driver documentation. After the older drivers are
removed, install the Sentinel HL drivers. For additional information, see the Sentinel
LDK Installation Guide.

Problem You receive an error message when using haspdinst.exe to install the Sentinel HL key
driver under Windows 2000/XP/2003/Vista.
Solution Review the haspdinst.exe installation instructions. Alternatively, try to install the
drivers using the HASPUserSetup.exe. For additional information, see the Sentinel LDK
Installation Guide.

Problem The protected application cannot find a Sentinel HL key.

Solution Does the Sentinel HL key LED light up? If not, this could be for one of the following
reasons:
n The key is not connected properly to the USB port. Disconnect, then reconnect
after a few seconds. If the LED lights, the application should be able to access
the key.
n The required Sentinel HL key drivers are not installed. If you are running
Sentinel LDK on a Windows platform, check for an entry for Sentinel LDK in the
Device Manager utility. If there is no entry, you must install the drivers using
one of the methods in the Sentinel LDK Installation Guide.
n Check if the USB port is functioning correctly. Disconnect all other USB devices
from their respective ports. Connect the Sentinel HL key to a different USB port.
Try using a different USB device in the port from which the Sentinel HL key was
not accessible.
n Open the Windows Services window and check that Sentinel License Manager is
running.
n Check that the Batch Code on the Sentinel HL key matches the Batch Code of
the protected application.

Problem Web pages for Admin Control Center do not display in your Web browser on a
Windows machine.
 Problems and Solutions 297

Solution Check the following:

n Confirm that the Sentinel LM service is running.

n Some other program that you installed may have incorrectly installed special
TCP/IP drivers. As a result, WinSock configuration may be damaged. To resolve
this problem, run the command netsh winsock reset from an Administrator
shell, and then restart the machine.

Problem The application takes a long time to find the Sentinel protection key on a large
network.
Solution It is recommended that you customize the search mechanism. Use Admin Control
Center configuration to specify a search criteria, and to define the server addresses to
be searched. By doing so, the Admin Control Center searches for the Sentinel
protection key at a specific address, which is much faster.

Problem You receive an error message indicating that Sentinel License Manager was not found.
Solution The error message might be for one of the following reasons:
n Sentinel License Manager was not loaded. Try restarting Sentinel License
Manager in the Windows Services window.
n There is a communication error with the machine on which the Sentinel
protection key is located. If you repeatedly receive the error message, try using
a different search mechanism.

Problem You cannot add files when using the Sentinel LDK Data Protection utility.
Solution The problem may occur for one of the following reasons:
n You are attempting to add a list that includes problematic files. Remove all
problematic files marked in red in the File list.
n You are attempting to add a file that is outside the scope of the filters defined
in Sentinel Envelope. You must protect your software again using the new file
filter settings.
n For additional information, see "Chapter 7: Protecting Data Files" on page 95.

Problem When using Sentinel LDK Data Protection utility, you receive a message that no data
filters were defined for a program in a Sentinel Envelope project.
Solution The problem cannot be solved using the Data Protection utility. You need to use
Sentinel LDK Envelope to protect your software again, and to specify file filter settings.
 K
Glossary

Activation counter Licensing element indicating the number of times a Feature, licensed
using Sentinel LDK, can be run
AES Advanced Encryption Standard (AES) algorithm that is the basis for
the Sentinel LDK encryption and decryption
Anti-debugging Measures applied by the Sentinel LDK system to block potential
attacks intended to undermine the protection scheme
API samples Sample applications that utilize the Sentinel Licensing API. A learning
tool used for implementing the Sentinel Licensing API.
AppOnChip A protection functionality in Sentinel LDK Envelope that moves the
execution of selected functions from the protected application to the
Sentinel HL (Driverless configuration) key. This enhances the security
of the protected application.
Background checks Random checks executed by protected applications for a required
Sentinel protection key
Backward compatibility Ability to share data or commands with applications protected with
earlier versions. Sentinel LDK backward compatibility includes the
ability to read and write data, set real-time clocks, and process other
‘legacy' commands.
Base Product An original Product that has been created from scratch from which
other Products may be created. All Modification Products, Unlocked
Products and Cancellation Products are created from Base Products.
Batch Code Unique character string that represents a Vendor Code. Used in
defining Features, Products and orders. It is also used for ordering
Sentinel protection keys. With Sentinel HL keys, the code is printed
on the Sentinel HL key label.
C2V file Customer-to-Vendor file. A file sent by the customer to the vendor,
containing data about deployed Sentinel protection keys or data
about the customer's computer.
Cancellation Product A Product that cancels the licensing details of another Product. Can
be used to revoke a deployed license, or to remove a license from a
specified computer so that it can be transferred to another
computer.
300 Glossary

Customer Portal A Web portal in Sentinel EMS that can be accessed by customers
Cross-locking Indicates that protection can be applied to both Sentinel HL and
Sentinel SL keys
Data Protection utility Utility for encrypting and (optionally) licensing data files that are
accessed by programs protected by Sentinel LDK Envelope. (Formerly
DataHASP)
Decryption Process of decrypting data that has been encrypted
Default Feature Feature that is always available in a Sentinel protection key. It
requires no configuration.
Demo Vendor Code See DEMOMA
DEMOMA Batch Code used for evaluation purposes with any Sentinel LDK
application. Its corresponding Vendor Code is available in the
VendorCodes folder of your Sentinel LDK installation.
Detach Temporarily remove a license from a network pool on a host machine
for attachment to a remote recipient machine
Encryption Translation of data into a confidential code. To read an encrypted file,
you must have the correct encryption engine for decrypting the file.
Encryption engine Encryption engine in a Sentinel protection key—based on the AES
algorithm
Encryption key Key used for encrypting a data file used with Sentinel Envelope
Encryption level Number of iterations that the Sentinel Envelope executes with the
Sentinel protection key for each interaction
Envelope See Sentinel Envelope
Expiration date Date after which a protected application or Feature stops running
Feature For software applications: An identifiable functionality that can be
independently controlled by a license. In Sentinel LDK, a Feature may
be an entire application, a module or a specific functionality such as
Print, Save or Draw.
For data files: A specific Feature can be assigned to an individual data
file or to a collection of data files. This enables the vendor to easily
manage the licensing of data files.
Feature ID Unique identifier for a Sentinel LDK-protected Feature
File filter File mask that is defined in Sentinel LDK Envelope for a protected
application. The file filter is used by the protected application do
determine which data files should be handled as encrypted files.
Grace period An initial period of time during which a Product can be used without
a Sentinel protection key. See also Unlocked Trialware Product.
H2H file Host-to-Host file. A file used to rehost (transfer) a protection key from
one end user's machine to another end user's machine.
 301

H2R file Host-to-Recipient file. A file that contains one or more detached
Products and their licenses for temporary attachment to a recipient
machine
Handle Unique identifier for accessing the context of a Sentinel LDK login
session
HASP A legacy term used to refer to Sentinel protection keys in the HASP
and LDK family of products. It is used in the following contexts:
n HASP HL keys. Legacy hardware protection keys, now replaced
by Sentinel HL keys.
n HASP SL keys. Previous name for the software-based Sentinel
SL Legacy keys.
n HASP_ prefix / namespace. Used in the Sentinel LDK licensing
API.
n HASPUserSetup.exe. GUI-based Run-time installer that
supports multiple key types (Sentinel HL, HASP HL, HASP4, and
Hardlock).
n haspdinst.exe. Command-line based Run-time installer similar
to HASPUserSetup.exe.
HASP ID See Key ID
Key See Sentinel protection key
Key ID Unique identity number for a Sentinel protection key
License Digital permit stored in a Sentinel protection key
License Manager See Sentinel License Manager
License terms Detailed conditions contained in a license
Locked Product A Product that is protected using Sentinel LDK and is locked to a
specific machine. An Unlocked Trialware Product becomes a Locked
Product after the customer activates an entitlement for the Product.
Locking type Determines the level of protection for a Product, according to the
type of Sentinel protection key supplied with the Product
Memory data Vendor-defined data (for example: passwords, values used by the
software) that is specified in memory for a Product and transferred to
the Sentinel protection key
Modification Product A modified version of an existing Product
Order A request for Products or protection key updates to be shipped to a
customer
Product A licensing entity that represents one of a vendor’s marketable
software products or data files. The Product is coded into the
memory of a Sentinel key and contains one or more Features. License
terms are defined for each Feature in a Product.
302 Glossary

Product Key A string generated by Sentinel EMS and supplied to the end user for
use as proof of purchase for Product Activation or Update Activation
Production The implementation of an order for Products or protection key
updates
Protect Once—Deliver The concept of separation between engineering and business
Many—Evolve Often processes, on which Sentinel LDK is designed
Protection key See Sentinel protection key.
Protection Key Memory Secure memory that resides within a Sentinel protection key (HL or
SL), for use by the protected software. Protection Key memory can
be accessed or modified using the Sentinel Licensing API. The
memory can be initialized when the key is generated, using data
entered when defining the Product or when entering an order for a
Product.
Protection Key Update File containing update information for deployed Sentinel protection
keys. See also V2C file.
Provisional Product See Unlocked Trialware Product.
R2H file Recipient-to-Host file. A file used to re-attach a cancelled detachable
license to the host machine.
Real-time Clock (RTC) Clock available in the Sentinel HL Time key and Sentinel HL NetTime
key. See also V-Clock.
Recipient machine Remote machine to which a license that has been detached from a
network pool on a host machine is temporarily attached
Rehost Transfer a Sentinel SL key from one end user computer to another.
The rehost process is performed entirely by the end user, with no
interaction with the vendor.
Reverse Engineering Software attacks intended to unravel the algorithms and execution
flow of a target program by tracing the compiled program to its
source code. Sentinel Envelope protection implements contingency
measures to repel such attacks and prevent hackers from discovering
algorithms used inside protected software.
RUS utility See Sentinel Remote Update System
Secure Storage Area reserved by Sentinel LDK on a computer’s local hard drive when
one or more Sentinel SL protection keys are installed on the
computer. The keys are installed in the secure storage area. This area
can only be accessed or modified by Sentinel LDK components.
Secure Storage ID A globally unique identifier of Secure storage on every machine.
Sentinel Admin Control Customizable, Web-based, end-user utility that enables centralized
Center administration of Sentinel License Managers and Sentinel protection
keys
 303

Sentinel Developer key A vendor-specific Sentinel HL key containing the confidential codes
assigned by SafeNet. The key is used by the software engineers when
protecting applications or data files using Sentinel LDK.
Sentinel EMS Role-based application used to generate licenses and lock them to
Sentinel protection keys, write specific data to the memory of a
Sentinel protection key, and update licenses already deployed in the
field. Sentinel EMS is installed as a service (Sentinel EMS Service)
under Windows.
Sentinel EMS Server Computer on which Sentinel EMS is installed and the Sentinel
EMS Service is active.
Sentinel HL key The hardware-based protection and licensing component of Sentinel
LDK. One of the Sentinel protection key types.
Sentinel HL Basic key Standard Sentinel HL local key that is used to protect software, and:
has a perpetual license. This key:
n does not have any memory functionality.

n does not support concurrency.

n does not support V-Clock.

Sentinel HL network key Any Sentinel HL key that supports concurrency. This includes the
following keys:
n Sentinel HL Net key

n Sentinel HL NetTime key

n Any Sentinel HL (Driverless configuration) key except for

Sentinel HL Basic keys
Sentinel HL (Driverless Type of Sentinel HL key that does not require the Run-time
configuration) key Environment in order to protect an application or data file on a
Windows machine.
Sentinel HL (HASP Type of Sentinel HL key that is fully compatible with protected
configuration) key applications that require the older HASP HL keys.
Sentinel LDK - Demo Kit Kit containing software, hardware and documentation for evaluating
the Sentinel LDK system
Sentinel LDK Envelope Application that wraps an application in a protective shield, ensuring
that the protected application cannot run unless a specified Sentinel
protection key is accessible by the program
Sentinel LDK Run time System component that enables communication between a Sentinel
Environment (RTE) protection key and a protected application or data file . The Run-time
Environment also contains Sentinel Admin Control Center.
Sentinel LDK ToolBox GUI application designed to facilitate software engineers’ use of
various Sentinel LDK APIs and to generate source code
Sentinel License Acts as a server and monitors concurrent usage according to the
Manager licenses stored in a Sentinel HL Net key
Sentinel Licensing API Interface for inserting calls to a Sentinel protection key
304 Glossary

Sentinel Master key A vendor-specific Sentinel HL key containing the confidential codes
assigned by SafeNet. The key is connected to the Sentinel EMS
machine. The Master key also contains license modules that enable
you to use various types of Sentinel LDK functionality.
Sentinel protection keys Sentinel HL keys and Sentinel SL keys
Sentinel Remote Update Utility that enables licenses in deployed Sentinel protection keys to
System (RUS) be securely, remotely updated, or the contents of the keys to be
modified. See also C2V file and V2C file
Sentinel SL key The software-based protection and licensing component of Sentinel
LDK—a virtual Sentinel HL key
Sentinel Vendor keys The Sentinel Master key and Sentinel Developer key that contain
your confidential and unique Vendor Codes. These keys enable you
to apply protection to your programs, program the Sentinel
protection keys that you send to your end users, and to specify the
license terms under which your software can be used.
Status code Error or status message returned by the Sentinel LDK system
Trialware Software or data files that can be distributed without a Sentinel
protection key for end-user evaluation during a limited time period.
See also Unlocked Trialware Product.
Unlocked license A type of license that does not lock a protected entity (application or
data file) to a specific machine and does not necessarily impose any
licensing restrictions on the use of the protected entity. The
protected entity can be installed on any number of machines. With
this license type, the vendor can use Sentinel LDK to protect the
entity, but can use a different mechanism to license the entity (or can
impose no license restrictions on the entity).
Unlocked Product A Product that is distributed with an Unlocked license.
Unlocked Trialware An Unlocked Product that is distributed as trialware for a period of up
Product to 90 days.
UTC Coordinated Universal Time—the standard time common to every
place in the world
V-Clock (Virtual Clock) Virtual clock available in Sentinel SL keys and Sentinel HL (Driverless
configuration) keys. See also Real-time Clock.
V2C file Vendor-to-Customer file that contains data to update a Sentinel
protection key on the end user's computer. This data can include
detailed changes to the license terms or data to be stored in the end
users' Sentinel protection keys.
Vendor Code A confidential, vendor-unique string containing vendor-specific secrets
that enables access to the vendor-specific Sentinel protection keys.
Vendor ID A unique number that is associated with a given Vendor Code and
Batch Code.
 305

Vendor libraries (Vlib) Vendor-specific API libraries. These libraries are built and customized
on SafeNet servers. In this process, the libraries are customized
differently for every vendor. These libraries are downloaded when
you introduce your Vendor keys.
 Index
Index

Android applications
. clone protection scheme 276
considerations 87
.NET assemblies distributing Runtime Environment 185
considerations 78 License Manager 192
global Feature 78 protecting 86
Method-level protection 78 AppOnChip functionality 75
method-specific settings 79 AppOnChip module 75, 264
obfuscation 81 Attacks
protecting 77 clock tampering 92
required RTE libraries 177 cloning hardware keys 92
A defense against 91
emulating protection keys 92
Activating Products modifying key memory 91
about 111 patching executables 91
manually 164 using remote desktops 92
with HL keys 121
with SL keys 121 B
Admin API, about 202 Base directory, location of 198
Admin Control Center Base Product 131
about 187 Batch Code Admin
administrator’s workflow 194 role 112, 172
configuration 195 Batch Codes
how to make Product names about 43
visible 293 DEMOMA 113, 162
interface 193 for Features 128
launching 193 for orders 144
troubleshooting 296 for Products 131
Admin License Manager See also License for RUS 159, 166
Manager introducing in Sentinel LDK 161
about 189 Sentinel LDK user access 162
Administration Bootstrap methods or attributes 85
functions 113 Branding RUS 159, 166
tasks 161 Broadcast Search for Remote Licenses 269
AdminMode keys See SL AdminMode keys Bundles See also Unlocked Products
AES decryption See Decryption how to prepare manually 283
AES encryption See Encryption
amin user account 112
308 Index

C Customer Portal 154

Customer Services
C2V
function 144
checking in files 150
role 112, 164
data for cancellation 140
Customers
data in files 149
authorization to manage 164
data in keys 150
defining 145
from cloned machine 150
entitlements for 145
generating files 150, 159, 166
locating 145
storing data in Sentinel EMS 150
Customized Vendor libraries See Vendor
viewing data 150 library
Canceling licenses 140 Customizing RUS 159, 166
Cancellation Products
about 140 D
defining 140
Data File Advanced Protection module 264
example 141
Data File Protection plugin
Certificate-based SL keys, viewing contents
about 99
of 155
generating 33
Checking in C2V files 150
getting started 100
Clock, virtual See V-Clock
overview 96
Clone protection 132
Data files
for physical machines 273
Advanced Data File Protection
for virtual machines 276
module 264
Clone protection schemes
how to protect 95
about 273
License Manager for protected data
Cloned machines
files 192
checking in C2V 150
licensing, getting started 100
Cloud licensing 52
locking type for protected data files 97
Code Transformation Engine 75
when to protect 98
Communication
Data Protection facility 96
between License Managers 269
Data Protection module 96
between protected application and local
Data Protection utility
LM 268
for Mac 98
Comparing protection solutions 39
getting started 100
Concurrent instances
how to launch 99
changing settings 139
overview 95
counting 134
prerequisites 99
in entitlement 146
who should use 98
license terms 134
DataHASP See Data Protection utility
network environment 134
Decryption
per order 134
about 48, 58
Connection loss with a Network
Default
license 192
password 161
Cross-locking 42
user name 161
Custom reports 173
Default memory 135
Customer orders See Entitlements
Demo kit 29
 Index 309

DEMOMA for Protection Key updates 147

Batch Code 113, 162 for SL keys 147
Detachable license holding 149
requirement for RTE 180 in production queue 148
Detachable licenses including Products 145
configuring in Features 197 producing 153
preparing recipient machine 158 Product locking types 146
Details pane (in Sentinel EMS screen) 115 status values 149
Development withdrawing 154
functions 157 Envelope
role 112, 144, 157 .NET considerations 78
Distributing See also End user software Android considerations 87
RUS 159 Android prerequisites 87
Distribution list for reports 172 authorization to operate 112
DLL for Runtime Environment installer 158 customizable parameters 72
Driverless configuration functionality 69
described 45 Java considerations 85
how to upgrade to 287 Linux, how to use 83
requirement for RTE 180 Mac prerequisites 83, 85
Duplicating mandatory parameters 71
Products 137 prerequisites 73
Dynamic memory 135 protecting .NET assemblies 77
protecting Android applications 86
E
protecting Java executables 84, 86
EID (entitlement ID) 145 protecting Mac binaries 83
EMS See Sentinel EMS protecting Win32 programs 74
Encryption protecting Windows x64 programs 74
about 48, 58 running from commandline 77, 83
End-of-life Product 137 using Features 72
End user software workflow 70
about 177 Examples
haspdinst.exe 183 defining Features 119
HASPUserSetup.exe 183 defining Products 120
merge modules 181 license cancellation 141
Entitlement Manager license terms 123
functions 144 Modification Product 139
role 111, 144, 152 order for HL keys 150
Entitlements order for Product Keys 151
about 110 order using SL 151
activating 154 protection levels 123
customers 145 Provisional Products 159
defining 145 trial use 159
EID (entitlement ID) 145 EXE file
examples 150 protecting See Envelope
for HL keys 147, 153 Runtime Environment installer 158
for Product Keys 147, 153 with V2C data 157, 166
310 Index

Export FQDN clone protection scheme 276

Admin Control Center format 158 description 278
C-style header 158 limitation 274
CPP-style header 158 Function bars (in Sentinel EMS screen) 115
CSV format 159
G
Feature data 129
XML format 159 Getting started
Exported functions (for AppOnChip) 76 licensing data files 100
External License Manager See also License Grace periods
Manager about 122
about 188 Unlocked/Trialware Products 136
F H
Fallback to V-Clock 280 HASP configuration 45, 180
Features HASP HL keys See also HL keys
about 110 HASP HL keys in Sentinel LDK 46
Batch Codes 128 HASP search mode 72
defining 128 HASP SL keys See SL keys
deleting 129 hasp_rt.exe file 188
detachable licenses 134 haspdinst.exe 183
example 119 hasplm.ini file 198
exporting 129 hasplmd process 268
Feature ID 129 HASPUserSetup.exe 183
Feature name 128 Hibernate service (Java) 85
identifying 119 HL concurrency-enabled key 290
in Envelope 72 HL keys
in Products 119, 131 attributes 47
license terms 123 entitlements 147
maximum number of 271 formatting 150
status values 129 order example 150
testing for presence of 285 orders 153
transferring data 129 Product activation 121
Files protection 121
C2V 140, 149 requirement for RTE 180
EXE with V2C data 148, 154, 157 tamper protection for time-based
export 129 licenses 279
Product Keys 147, 153 update standalone key to network
Runtime Environment EXE 158 key 290
Runtime Environment installer DLL 158 updating licenses with RUS 167
Unlocked Products 157 upgrade to Driverless
V2C 148, 154, 157 configuration 287, 290
Vendor Code 63 HL network keys
Filter tool (in Sentinel EMS screen) 115 description 290
fingerprint 46, 273 HL Pool of Seats
Formatting HL keys 150 about 260
 Index 311

HL standalone key overview 188

upgrading to HL network key 290 protected data files 192
HTTP Run-time network activity 267
for TCP packets between two LM 270 selection process 190
License terms
I
about 123
IANA-registered socket 267 assigning values 134
ID canceling 140
entitlement 145 concurrent instances 134
Feature 129 example 123
Installing for different entitlements 146
Runtime Environment 157 Modification Products 139
Server 113 network access 134
Unlocked Products 157 remote desktop users 134
Integrated License Manager See remote updates 147
also License Manager revoking 140
about 188 selecting license type 134
Introducing Vendor keys 113, 163 specifying 134
IPv4 sockets 268 transferring 140
IPv6 sockets 268 updating 147
values per order 134
J virtual machines 134
Java License types
behavior of protected executables 86 about 123
protecting executables 84 assigning values 134
required RTE libraries 177 selecting 134
Java executables values per order 134
considerations 85 Licensing
about 117
K fundamentals 40
planning 40, 110, 118
Key See also Protection keys; Vendor keys
solutions 40
L Licensing API
about 61
Legacy keys See SL Legacy keys
functionality 67
License Generation API 115
login function 65
License Manager
planning requirements 64
attributes 189
prerequisites 62
for Android 192
samples 64
for Mac and Linux 192
ToolBox 63
how it handles lost connection 192
workflow 65
local and remote LMs
Licensing models
about 190 detailed description of 209
overview 205
local and remote LMs
communication 269 preparing licensing plan 118
on a different subnet 196 Licensing Plan functions 127
312 Index

Linux defining 138

distributing Runtime Environment 184 example 139
Envelope, how to use 83 license terms 139
linuxenv application 83
N
List of reports 173
Locating keys for update 148 Network
location of 198 access to license 134
Locked Product concurrent instances 134
installing RTE for 158 Network activity (Run-time) in Sentinel
Locking Sentinel LDK users 163 LDK 267
Locking types Network Seat licenses
about 120 released after loss of connection 192
for protected data files 97 requirement for RTE 180
HL only 121 New SL Key Pool
HL or SL 122 about 259
Products in entitlements 146
selecting 132 O
SL only 121 Obfuscation in .NET assemblies 81
M Obsolete Product 137
Offline activation 155
Mac Online activation 155
distributing Runtime Environment 184 Order reference data 148
encrypting data for 98 Orders See Entitlements
License Manager selection 192
protecting binaries 83 P
MAC address Passwords (Sentinel LDK)
clone prevention 277 assigning to users 163
Main pane (in Sentinel EMS screen) 115 changing 112
Map file default 161
used by AppOnChip to identify receiving 112
functions 75 Performance Profiling 76
Master key See also Vendor keys PMType1 clone protection scheme 275
about 44 PMType2 clone protection scheme 275
maintaining 163 PMType3 clone protection scheme 276
Master Wizard 96 Pool of Seats
about 33 HL or SL 260
generating Data File Protection Product activation 147
plugin 100 manual 164
Memory with HL keys 121
about 124 with SL keys 121
defining 134 Product Activation module, about 259
storing data 136 Product Keys
utilizing 59 about 147
Merge modules 181 authorization to manage 164
Modification Products entitlements for 147
about 138 files 147, 153
 Index 313

order example 151 against copying 38

orders 153 Android applications 86
Product activation 164 API See Licensing API
proof of purchase 147 attack types 91
server verification 147 data files 95
use with SL keys 147 defense against attacks 91
Product Management role 127 elements 57
Product Manager role 111 encryption and decryption 48, 93
Product name fundamentals 37, 90
how to make visible in ACC 293 inserting multiple calls 93
Production intellectual property 38
entitlements in queue 148 Java executables 84
functions 144 Mac binaries 83
orders for HL keys 153 Method-level 78
orders for Product Keys 153 options 60
role 112, 144, 152 programs and data files 58
Products selecting method 59
about 110 solutions 38
activation 111 solutions, combined 39
Base Product 131 solutions, comparison 39
Batch Codes 131 using checksum verification 93
Cancellation Products 140 using Run-time API and Envelope 93
defining 131 Protection Key memory See Memory
duplicating 137 Protection Key updates
End-of-life 137 about 147
example 120 applying remotely 147
grace period See Unlocked Trialware applying with RUS 166
Products entitlements for 147
in entitlements 145 for SL AdminMode keys 156
including Features 120, 131 implementing 111
locking types 120, 132 locating keys 148
memory 134 Protection keys
Modification Products 138 for entitlements 146
Product name 131 HL keys 45
reference data 131 locating for update 148
restoring 137 locking 120
status values 137 memory 136
trial See Unlocked Trialware Products searching for 72
types 131 selecting 44
Unlocked Products 136 SL keys 46
withdrawing 137 updating 147
Protect Once–Deliver Many-Evolve Protection levels
Often 42 example 123
Protected data files See Data files HL keys 121
Protection per order 122
against cloning 132 SL keys 121
314 Index

Provisional Products distributing to end users 179

example 159 EXE file 158
generating installer 158
R
generating installer 158
Read-only memory 124, 135 initializing 147
Read/write-once memory 135 installer API 158
Read/write memory 124, 135 installer DLL 158
Real-time clock installer PKG 158
when the battery is depleted 280 Mac PKG 158
Recycling HL keys 150 required libraries for .NET and Java 177
Rehosting to optimize performance of 285
using RUS 169 updating 181
Remote desktop when required 179
access to license 134 Run-time network activity 267
Remote License Manager 269 RUS
Remote Update System See RUS applying Protection Key updates 166
Report Generation role 172 Batch Code 159, 166
Reports branding 159, 166
about the Reports facility 171 customizing 159, 166
custom (user-defined) 173 description 159, 165
export formats 173 distributing 159, 166
granting permissions to work with 172 executable 166
license to generate custom reports 265 generating C2V files 159, 166
list of available 173 instructions for end users 167
presentation formats 173 processing V2C files 148, 154, 166
scheduling 172 with HL keys 167
Restoring obsolete Products 137 with SL keys 167
Roles 111
S
Batch Code Admin 112, 172
Customer Services 112, 164 SaaS 51
Development 112, 144, 157 Secure storage 302
Entitlement Manager 111, 144 Sentine LDK users See Users (Sentinel LDK)
for Sentinel LDK users 162 Sentinel Cloud Licensing 52
Product Manager 111 Sentinel EMS
Production 112, 144 about 109
Report Generation 172 description of screen 114
Super User 112 evaluating 113, 162
RTC Home screen 113
when the battery is depleted 280 roles 111
RTE See Run-time Environment Sentinel HL keys See HL keys
Run-time Environment Sentinel LDK base directory, location
Admin License Manager 189 of 198
command-line installer 158 Sentinel LDK Envelope See Envelope
distributing for Android 185 Sentinel LDK Run-time
distributing for Linux 184 Environment See Run-time
distributing for Mac 184 Environment
 Index 315

Sentinel LDK ToolBox See ToolBox Standalone licenses

Sentinel License Manager See License requirement for RTE 179
Manager Starter kit 29
Sentinel Licensing API See Licensing API Status values
Sentinel Master key See Vendor keys Features 129
Sentinel protection keys See Protection orders 149
keys Products 137
Sentinel Remote Update System See RUS Super User 112
Sentinel SL keys See SL keys role 112
Sentinel Vendor keys See Vendor keys Support
Server training 34
connecting Master key 113 Synthetic methods 85
installing 113
SL AdminMode keys T
about 46 Task buttons (in Sentinel EMS screen) 115
applying update to 156 Technical specifications 48
attributes 47 Toolbox
requirement for RTE 179 authorization to operate 112
SL keys ToolBox
entitlements for 147 about 63
order example 151 encrypting data 65
Product activation 121, 147 Transferring an SL key 169
protection 121 Trialware
Runtime Environment 147, 157 about 122
tamper protection for time-based example 159
licenses 279 license to create 263
updating licenses with RUS 167 Unlocked/Trialware Products 136
viewing contents of 155 Trialware Module license, about 263
SL Legacy keys
about 46 U
attributes 47
uDP notification packet 112
requirement for RTE 179
UDP packets 270
SL Pool of Seats 260
Unlimited Concurrency license type 262
SL UserMode keys
Unlocked Products
about 46
defining 136
attributes 47
generating bundles 157
effect on performance 285
generating V2C file 158
including in an RTE package 263
how to bundle manually 283
requirement for RTE 179
in entitlements 145
socket 1947 267
installing 157
Software as a service 51
key ID 157
Solutions
license terms 136, 157
combined protection 39
license to create 263
customizing 43
output files 157
protection 38
properties 136
protection, comparison 39
Vendor library 157
316 Index

Unlocked Trialware module 263 introducing 113, 163

Unlocked Trialware Products maintaining Master keys 163
description 122 Master key 44
installing 147 remote connection of 44
Unlocked Unlimited module 263 Vendor library 157, 305
Updates See Protection Key updates Version 1 (Data Protection)
Updating deployed keys 147 about 97
Upgrade Sentinel HL key to Driverless Version 2 (Data Protection)
configuration 287 about 97
Upgrade to Driverless attribute 289 Virtual clock See V-Clock
User roles See Roles Virtual MAC address
Users (Sentinel LDK) clone protection 277
access to Batch Codes 162 Virtual machines
default user name 161 access to license 134
defining 162 clone protection 276
described 111 live migration 278
locking 163 Vlib See Vendor library
passwords 112, 163 VMType1 clone protection scheme
preventing access 163 description 276
roles 162 limitation 274
user names 112, 162 Volume license 243
V W
V-Clock Win32 programs
fallback to if the RTC in an HL key is behavior of protected applications 74
depeted 280 data file protection 76
Master key module 264 Windows x64 programs
tamper protection for time-based behavior of protected applications 74
licenses 279 data file protection 76
V2C Withdrawing
data in EXE 148 Products 137
default file location 154
file for Unlocked Products 157
generating files 148, 154, 166
input to Runtime Environment 158
launching files 159
processing with RUS 148, 154
Vendor-to-Customer file See V2C
Vendor Code
about 43
extracting 63
Master Wizard 63
Vendor ID 304
Vendor keys
Developer key 44
extracting Vendor Code 63