US 6,574,612 B1

(10) Patent No.: US 6,574,612 B1
(12) Baratti et al.
(45) Date of Patent: Jun. 3, 2003

(54) LICENSE MANAGEMENT SYSTEM

(75) Inventors: Paolo Baratti, Rome (IT); Paolo Squartini, Rome (IT)

(73) Assignee: [name illegible in source] (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/342,555

(22) Filed: Jun. 29, 1999

(30) Foreign Application Priority Data
Feb. 19, 1999 (GB) [application number illegible in source]

(51) Int. Cl.7: G06F 17/60

(52) U.S. Cl.: 705/59; 713/167

(58) Field of Search: 705/59, 55; 702/35; 380/201; 713/165, 167 [remaining entries illegible in source]

(56) References Cited

U.S. PATENT DOCUMENTS
5,671,412 A * 9/1997 Christiano, 395/615
6,047,242 A * 4/2000 Benson, 702/35
6,343,280 B2 * 1/2002 Clark, 705/55

FOREIGN PATENT DOCUMENTS
GB 2 236 604 A * 10/1991, G06F/1/00

OTHER PUBLICATIONS
Software License Management in a Network Environment; French A. H. et al.; 1988.*
UNIX Review vol. 6, No. 9, Sep. 1988, M. Olson et al., “Concurrent access licensing”, pp. 67-72, and also DIALOG accession No. OL257918.

* cited by examiner

Primary Examiner: Pierre E. Elisca
(74) Attorney, Agent, or Firm: Edward H. Duttield

(57) ABSTRACT

A method and system for providing flexibility to a license management system. A license management system permits the concurrent use of n copies of a software program over a network comprising a plurality of client workstations, each client workstation having a copy of the software program installed thereon requiring an authorisation from one of a plurality of S license servers each time the software program is used. For security reasons, the license management system requires that at least the integer majority of the plurality of license servers is active at any time. The method and system allow to change the number of license servers, but impose the following limit: taken s1 and s2 respectively as the minimum and the maximum number of servers that may belong to the cluster, the sum of the integer majority of s1 and of the integer majority of s2 must be strictly greater than s2.

13 Claims, 7 Drawing Sheets

[Front-page drawing: LAN split (2 LANs instead of 1). Each server 101 holds a license database 401 listing cluster ID, members and license info. One cluster with 2 servers out of 3, 1 product, n licenses; one cluster with 3 servers out of 5, 1 product, n licenses. Total licenses = 2n.]

[Sheet 1 of 7: no drawing text survives.]

[Sheet 2 of 7: server flowchart. Legible boxes: START; READ LICENSE DATABASE IN MEMORY; WAIT FOR NEXT CLIENT REQUEST; IS CLIENT REQUEST A LICENSE ... (two decision boxes, text truncated). Legible reference numerals: 201, 203, 205, 207, 215.]

[Sheet 3 of 7, FIG. 3: client flowchart. Legible boxes: FIND AVAILABLE LICENSE SERVERS; SEND LICENSE REQUEST TO NEXT SERVER; WAIT FOR REPLY FROM SERVER; IS LICENSE GRANTED? (YES/NO); IS ANOTHER SERVER AVAILABLE?; RUN APPLICATION; SEND LICENSE RELEASE TO SERVER; WAIT FOR REPLY FROM SERVER. Legible reference numerals: 301, 317.]

[Sheet 4 of 7, FIG. 4: EXAMPLE OF LICENSE DATABASE 401. Cluster info: cluster ID; members = list of servers. License info: product 1, n licenses; product 2, m licenses; product 3, ...]

[Sheet 5 of 7 (rotated text): three servers 101, each with a database 401 listing cluster ID, members = server A, server B, server C, and license info. Caption: 1 cluster with 3 servers (majority = 2), 1 product, n licenses.]

[Sheet 6 of 7 (rotated text): five servers on LAN 501, each database listing members = server A to server E. Caption: 1 cluster with 5 servers (2 added) (majority = 3), 1 product, n licenses.]

[Sheet 7 of 7 (rotated text): LAN split (2 LANs instead of 1), sub-LANs 503 and 505. Caption: 1 cluster with 2 servers out of 3, 1 product, n licenses; 1 cluster with 3 servers out of 5, 1 product, n licenses; total licenses = 2n.]

LICENSE MANAGEMENT SYSTEM

FIELD OF THE INVENTION

The present invention relates to license management systems and particularly to a method and system for providing flexibility to a license management system.

BACKGROUND OF THE INVENTION

The licensing of computer software was traditionally accomplished by providing a copy of the software and a license for each computer which was authorized to use the software. The software could be generally used only on that computer, unless it was deleted from that computer and transferred to another one together with the license. With the advent of wide spread computer networks a more efficient solution was required. A license management system allows a user to install a copy of a software program on N nodes of a network, but acquire only a limited number n licenses, where at any time, only the maximum number n copies of that program can be simultaneously run on the network. When all the available licenses are allocated, additional users requesting the use of that software must wait for a license to become available. This kind of license management system has a number of advantages for both the software vendor and the user, because it allows the user to purchase all and only the licenses really needed and, on the other hand, allows the vendor to fight software piracy.

An example of a state of the art license management system available on the market, is the License Use Management product of International Business Machines Corporation.

In a typical network of interconnected computers with a license management system, as illustrated in FIG. 1, one or more of the nodes 101 act as license servers, while a plurality of nodes 103 act as clients of the license servers. The service provided by a license server 101 to its client 103 is that of granting or denying permission to run a given software program, according to the availability of a license record in the license server data base, and to the terms and conditions encoded in the license record itself. The license server usually creates and stores license records in the license data base upon processing license certificate files, which are provided by the software vendor and complement the software program to which they are related. This license data base must be locked in some way to the specific instance of the license server (hardware+software) to prevent malicious users from copying the license data base to another license server machine and multiplying by two the number of licenses for all the software products contained in the license data base. License certificate files may contain some encryption or checksum information that allow the license server to verify their authenticity and integrity.

The fact that a license management system is monitoring the use of a given software program should be as transparent as possible to the users of that software program whereas it should be evident and beneficial to the administrator of licenses for that and other software programs. This consideration places a strong requirement on the license management system in terms of reliability and performance. The ideal license management system should be one which never causes software program failures because of its outage nor becomes a bottleneck for the software programs that it monitors.

In a license management system, “availability” is a measure of the degree to which the system can process and satisfy incoming requests (either granting or denying permission to run) within the time limits set by the served environment. High availability systems attempt to provide a continuous service within a particular operational window by minimising causes of failure and minimising recovery time when failures occur. Usually this requires a large degree of redundancy in system components, so that the continued operation of the entire system is protected from failure of any single component. The ultimate objective is to eliminate all single points of failure in the system. This can be accomplished by having redundant components or systems, and “availability management technology” that can automate the transfer of services to those redundant components when a failure occurs. Availability is a crucial feature of license management systems, since an outage of one or more license servers of a license management system can prevent many users from running their critical applications, due to a failure to acquire a license. An obvious solution to ensure good availability would be to use well known clustering techniques. In the network data processing field, a cluster is a set of independent processors (nodes), connected over the network. A cluster constitutes a sort of “black box” which provides certain services to end users. Like any ideal black box system, the end users do not need to know which node in the cluster they are connecting to. However, common clustering techniques, aimed at increasing the overall availability of the system through server redundancy, cannot be applied in a straightforward way to license management systems because of the secure nature of the license serving environment. A redundant license server cannot simply take over the amount of licenses, served by another failing server; it must also ensure that, in no circumstances, the total number of licenses concurrently served can exceed the total number of available licenses, stored into the license authorization record.

Solutions to this problem, based on a method called “majority” or “quorum”, are known, in which a certain number of license servers are configured to work cooperatively. As long as the majority of those servers is up and running and communicating with each other, all licenses are available, whereas as soon as the number of active license servers becomes less than the majority, all of the servers stop serving licenses. All existing solutions do not allow flexibility in the number of license servers that participate in the cluster. This number is either fixed by the licensing system vendor or can be chosen upfront by the user when configuring the system, but it is not possible to increase or decrease the number of license servers in the cluster, during the life-cycle of the cluster itself. Having the possibility of adding and removing license servers to and from a cluster is an important feature to ensure the required flexibility for adapting the system capacity to the changing demands of the application environment.

In theory flexibility could be provided, for example, by binding the license authorization key to a software based, random generated, binary identifier that can be securely stored into the license server’s data base instead of binding them (the license key) to some specific license server hardware-based identifier. The same software-based binary identifier can be shared by all license servers participating in the cluster. However providing such a flexibility without any limitations on the way license servers can be added or removed from the cluster breaks the security of the license management system.

It is an object of the present invention to alleviate the above drawbacks of the prior art.

SUMMARY OF THE INVENTION

According to the present invention, we provide, in a network comprising a plurality of client workstations having a software program installed thereon, and a cluster comprising an initial plurality of S license servers, a license management system for allowing the concurrent use of a maximum number n of copies of the software program, each client workstation requiring an authorisation from one of the license servers for using the software program, the license management system requiring that at least the integer majority of the plurality of license servers in the cluster is active at any time, the license management system comprising:

  means for allowing an increase or decrease in the number of license servers;

  means for limiting the number of the plurality of license servers with respect to the initial number S so that the integer majority of the minimum number s1 of servers in the cluster plus the integer majority of the maximum number s2 of servers in the cluster is strictly greater than the maximum number s2 of servers in the cluster.

Furthermore, according to the present invention, we provide a method for providing flexibility to a license management system, the license management system permitting the concurrent use of n copies of a software program over a network comprising a plurality of client workstations, each client workstation having a copy of the software program installed thereon requiring an authorisation from one of a plurality of S license servers each time the software program is used, the license management system requiring that at least the integer majority of the plurality of license servers is active at any time, the method comprising the step of:

  allowing an increase or decrease in the number of license servers;

  limiting the number of the plurality of license servers with respect to the initial number S so that the integer majority of the minimum number s1 of servers plus the integer majority of the maximum number s2 of servers is strictly greater than the maximum number s2 of servers.

Also according to the present invention we provide a computer program product stored on a computer readable medium for allowing, in a network comprising a plurality of client workstations having a software program installed thereon, and an initial plurality of S license servers, the concurrent use of a maximum number n of copies of the software program, each client workstation requiring an authorisation from one of the license servers before using the software program, the computer program product requiring that at least the integer majority of the plurality of license servers is active at any time, the computer program product comprising:

  computer readable program code means for allowing an increase or decrease in the number of license servers;

  computer readable program code means for limiting the number of the plurality of license servers with respect to the initial number S so that the integer majority of the minimum number s1 of servers plus the integer majority of the maximum number s2 of servers is strictly greater than the maximum number s2 of servers.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention will now be described in detail by way of examples, with reference to accompanying figures, where:

FIG. 1 shows schematically an example of a license management system;

FIGS. 2 and 3 are diagrams showing the functioning of a license management system;

FIG. 4 is an example of a license data base according to a preferred embodiment of the present invention;

FIGS. 5A-5C are an example of malicious use of the possibility of increasing the number of servers in the cluster.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

As mentioned above, FIG. 1 represents a typical network (e.g. a Local Area Network) using a license management system which could implement the present invention. Servers 101 may be, for example IBM RISC System/6000 43P-140 produced by International Business Machines Corporation. Client nodes 103 could be any personal computer or workstation available on the market, e.g. IBM Personal Computer 300 GL produced by International Business Machines Corporation.

With reference to FIG. 2 and FIG. 3 the method of a license management system is described. FIG. 2 is a diagram of the method of functioning of a server according to a preferred embodiment of the present invention. The process starts at step 201 and goes straight to step 203 where the information about the software product to be licensed and the number of available licenses are read into the server memory. This information is usually provided by the software vendor and is usually protected against counterfeiting. When a request is received from a client (step 205) the server checks whether it is a request for a license (207). If this is the case and a license is available (209), the server creates a new license instance record (211) and decrements by one the number of available licenses. The server then sends a reply to the client (221) authorising the client to use the software product. Otherwise, if no more licenses are available the reply sent to the client (221) will be that the software product cannot be used. Going back to step 207, it may be the case that the client is requesting to release a license (215) after having used the software product. The server then deletes the correspondent license instance record (217) and increments the number of available licenses (219). With reference to FIG. 3 the functioning of a client wishing to use a software product is represented. When an available license server is found (303) a license request is issued to the server (305, 307). If the license is granted by the server then the client can use the software product (311), otherwise it is checked whether another server is available and control either goes back to step 305 or terminates the process. When the client finishes using the software application, a message is sent to the server which granted the license to release the license (313, 315).

Those skilled in the art will appreciate that a number of different methods implementing similar license management procedures can be used instead of the one described above.

FIG. 4 shows an example of license data base 401, which, according to a preferred embodiment of the present invention, should be stored on each server 101. The information contained in this data base is:

  the cluster ID;
  the total number of servers belonging to the cluster;
  the secure ID (possibly hardware-based) of each license server that has ever participated to the cluster;
  the software products managed by the system;
  the number of available licenses for each product.

Those skilled in the art will appreciate that a method to lock the above described data base to the server hardware and to ensure the security of the data base itself is needed. Furthermore those skilled in the art will appreciate that the above information could be organised in a number of different ways according to well known programming techniques.

The network represented in FIG. 5a has three servers 101 serving a number n of licenses for software product 1 to a plurality of N clients 103. Each server 101 has a data base file 401 containing all the information described above. From the client point of view it does not make any difference whether a license is granted by server A, B or C. Any server 101 of the cluster can provide a license to any client 103. With such a system the failure of one of the servers would not be a problem, because the other two can do the service for all the clients. One of the servers could be inactive and act just as a backup server in case of failure of one of the other two. The limitation with such a configuration is that the majority of the servers (in this case two over three) must be always active, otherwise the system interrupts its services. Without this strict limitation the security of the system cannot be granted, because a malicious user could detach a server from the cluster, create another cluster and make believe to both clusters that they are still working in a three server cluster with, respectively one and two servers non-active. In this way the number of the possible licenses would be doubled. This protection mechanism is the “majority” requirement, well known by those skilled in the art.

A non limiting example of the system represented in FIG. 5a may be the following: a cluster of three servers serving 20 licences to 50 clients: the majority of the servers is two in this case, so at least two servers must be always active. Each of the servers A and B manages 10 licenses, responding to the requests of the 50 clients, while server C stays non active. If one of the two active servers fails, then the server C takes over the licenses managed by that server and the service can continue without interruption and the majority rule is respected. Those skilled in the art will appreciate that a number of different implementations can be realised instead of the one described above, depending also from the requirements of the network.

As mentioned above, a desirable feature of a license management system is the flexibility of adding or deleting servers to the server cluster, in case circumstances change. In the system described in FIG. 5a the number of servers could be easily increased as shown in FIG. 5b. In this new configuration the data bases 401 in each server 101 have been updated to reflect the new situation. Each server “knows” that there are five servers belonging to the cluster and that at least three servers must always be contemporarily active to ensure the security of the system.

However a system which allowed a change of configuration as the one described with reference to FIGS. 5a and 5b would be unsafe, and would not guarantee the respect of the maximum number of licenses available with consequent damage for the software vendor who authorised the use of only n concurrent licenses. A malicious user could bypass the security check and act as illustrated in FIG. 5c. The malicious user could make a backup copy of the data base 401 of FIG. 5a when the cluster included three servers. Then the number of servers is increased to five to arrive in the configuration of FIG. 5b, already described. At this point the malicious user splits the LAN 501 in two smaller ones not communicating with each other: one sub-LAN 505 including the three servers C, D and E; and a second sub-LAN 503 including the other two servers A and B. The sub-LAN 505 would continue its service because the Majority requirement is respected; each server believes that two servers are not active for some reason but, since the majority of servers is still available the service can be continued regularly by serving the n available licenses in the sub-LAN 505. The sub-LAN 503 would be interrupted, because the expected minimum number of three active servers is not respected. However the malicious user restores the licensing environment, by substituting the data bases in sub-LAN 503 with the backup copies he made when the network was in the original configuration of FIG. 5a. At this point the two servers A and B erroneously believe they are in a cluster of three servers with two of them (the Majority) active and they serve all the n licenses in the sub-LAN 503. In this way the malicious user has duplicated the number of available licenses causing a loss to the software vendor.

According to a preferred embodiment of the present invention this unwanted security exposure is avoided, while still allowing flexibility, by imposing a limitation in the number of servers that can be added or removed by the original configuration.

If we take S as the initial number of licence servers, s1 and s2 respectively as the minimum and the maximum number of servers that may belong to the cluster, the limitation is the following: the sum of the integer majority of s1 and of the integer majority of s2 must be strictly greater than s2. In other words the following rule must be fulfilled:

    M(s1)+M(s2)>s2;

with s1<=S and s2>=S and where M(x) is the integer majority of x.

If the initial number S is odd the above rule is satisfied by limiting to 1 the number of servers that can be added or removed to the cluster.

If the initial number S is even the rule is satisfied if either maximum 2 servers are added to the cluster OR 2 servers are removed from the cluster. These two conditions are mutually exclusive: this means that the system administrator can choose either to increase the initial server number by one or two, or to decrease the initial number by one or two. Once the choice is done the initial number will be the minimum or the maximum limit respectively. As an example, once a server is removed from such a cluster, the initial number S becomes the maximum possible number of servers in the cluster and the only possible changes are to remove another server or to reintroduce the removed one. In a similar way if the first change to the number of servers in the cluster is an addition of another server, the initial number S becomes the minimum possible number of servers in the cluster and the only possible further changes are another addition or the removal of the initially added server.

EXAMPLE 1
Odd Initial Number S of Servers

In the case of the example described above, where the initial number S of servers in the cluster was 3, the maximum number of servers that can be added to or removed from the cluster respecting the rule above is 1. In other words s1, as defined above, would be equal to 2 and s2 would be equal to 4 and the above rule would be satisfied, since:

    M(2)+M(4)>4; → 2+3>4.

EXAMPLE 2
Even Initial Number S of Servers

If the initial number S of servers in the cluster was 8 there are two possible solutions satisfying the rule: s1=6, s2=8 or s1=8, s2=10, since:

    M(6)+M(8)>8 → 4+5>8

OR

    M(8)+M(10)>10 → 5+6>10.
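
The rule above and the FIG. 5c accounting as a runnable check. This is an added example, not code from the patent; the function names, the server letters and the two-group split model (one group on a restored backup of the old member list, the other on the current list) are assumptions of this example.

```python
from itertools import combinations, product
from string import ascii_uppercase


def integer_majority(x: int) -> int:
    """M(x): the smallest whole number of servers greater than half of x."""
    if x < 1:
        raise ValueError("a cluster has at least one server")
    return x // 2 + 1


def rule_holds(s1: int, s2: int) -> bool:
    """The limit from the text for minimum size s1 and maximum size s2."""
    if not 1 <= s1 <= s2:
        raise ValueError("need 1 <= s1 <= s2")
    return integer_majority(s1) + integer_majority(s2) > s2


def widest_bounds(S: int) -> list[tuple[int, int]]:
    """All (s1, s2) with s1 <= S <= s2 that satisfy the rule and cannot be widened."""
    valid = [(s1, s2)
             for s1, s2 in product(range(1, S + 1), range(S, 2 * S + 2))
             if rule_holds(s1, s2)]
    return sorted(p for p in valid
                  if not any(q != p and q[0] <= p[0] and p[1] <= q[1]
                             for q in valid))


def partition_serves(reachable: set[str], members: set[str]) -> bool:
    """A group serves licenses when the listed members it can reach
    make up the integer majority of the member list in its data base."""
    return len(reachable & members) >= integer_majority(len(members))


def worst_case_licenses(old_size: int, new_size: int, n: int) -> int:
    """Most licenses served over every two-way split of the grown cluster.

    Model (assumption of this example): the cluster grew from old_size to
    new_size by adding servers; one group uses a backup of the old member
    list, the other group uses the current member list.
    """
    if not 1 <= old_size <= new_size <= len(ascii_uppercase):
        raise ValueError("need 1 <= old_size <= new_size <= 26")
    old_members = set(ascii_uppercase[:old_size])
    new_members = set(ascii_uppercase[:new_size])
    worst = 0
    for k in range(new_size + 1):
        for group in combinations(sorted(new_members), k):
            on_backup = set(group)
            on_current = new_members - on_backup
            served = n * (partition_serves(on_backup, old_members)
                          + partition_serves(on_current, new_members))
            worst = max(worst, served)
    return worst


if __name__ == "__main__":
    # Constructed inputs: the 3-server cluster with 20 licenses from the text.
    for old, new in [(3, 5), (3, 4)]:
        print(f"{old} -> {new} servers: rule_holds={rule_holds(old, new)}, "
              f"worst case licenses served={worst_case_licenses(old, new, 20)}")
    for S in (3, 8):
        print(f"S={S}: widest allowed (s1, s2) = {widest_bounds(S)}")
```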

According to a preferred embodiment of the present invention, once a licence server has been added to the cluster, its unique identification is stored in the license data base of each server in the cluster and can never be deleted, unless the whole cluster and its identifier is deleted; this is to ensure that license servers cannot be replaced in the cluster. The license servers can only be added within the limits defined by the above rule and then deactivated to reduce the number of members of the cluster whose majority is to be up and running in order for the cluster to work. Once the limit specified above has been reached, no new server can be added to the cluster, but previously deactivated servers must be used. Allowing removal of license servers from the cluster or substitution would break the security of the cluster itself; for the same reason the unique ID of the license servers that initially form the cluster must be specified at cluster creation time. When a server is removed from the cluster (de-activated) this information is not lost, because the server is just marked as no longer active in the cluster. In this way, once the maximum number of servers is reached the whole set of servers that can ever be part of the cluster is definitely determined.

According to a preferred embodiment, to further increase the safety of the cluster, a minimum possible set must also be permanently determined. This minimum set is composed of the servers belonging to the cluster the first time the cluster reaches the minimum possible number of servers s1; thereafter, these core servers cannot be de-activated any longer. Further changes in the cluster configuration can be done only by operating on the previously de-activated servers. Thus, let us suppose an initial cluster of 5 servers A, B, C, D and E. Server E is then de-activated (i.e. removed from the cluster). A, B, C and D must permanently belong to the cluster and cannot be removed any more. Previously de-activated server E and new server F can be added to the cluster and all future changes can only relate to E and F without touching the core set A, B, C and D.

What is claimed is:

1. In a network comprising a plurality of license servers, a license management system for allowing a concurrent use of a maximum number n of copies of a software program, each client workstation requiring an authorisation from one of the license servers for using the software program, the license management system requiring that at least an integer majority of the plurality of license servers in the cluster is active at any time, the license management system comprising:

  means for allowing an increase or decrease in the number of license servers;

  means for limiting the number of the plurality of license servers with respect to an initial number S so that the integer majority of a minimum number s1 of servers in the cluster plus the integer majority of the maximum number s2 of servers in the cluster is strictly greater than the maximum number s2 of servers in the cluster

5. The license management system of claim 4 further comprising:

  means for identifying as core servers those servers belonging to the cluster, whenever the minimum number s1 is reached for the first time;

  means for preventing a deletion of any of the core servers from the cluster.

6. A method for providing flexibility to a license management system, the license management system permitting a concurrent use of n copies of a software program over a network comprising a plurality of client workstations, each client workstation having a copy of the software program installed thereon requiring an authorisation from one of a plurality of S license servers each time the software program is used, the license management system requiring that at least an integer majority of the plurality of license servers is active at any time, the method comprising the step of:

  allowing an increase or decrease in the number of license servers;

  limiting the number of the plurality of license servers with respect to an initial number S so that the integer majority of a minimum number s1 of servers plus the integer majority of a maximum number s2 of servers is strictly greater than the maximum number s2 of servers; and

  wherein n, s1, s2 are positive integers.

7. The method of claim 6 further comprising the steps of:

  allocating to each server a unique ID, the maximum number of the IDs the system can allocate being s2;

  locking the unique ID on each server;

  storing on each license server the ID of every other license server.

8. The method of claim 7 further comprising the steps of:

  tracking license servers which are removed;

  preventing an addition of new servers once the maximum number of IDs that can be allocated has been reached.

9. The method of claim 8 further comprising the steps of:

  identifying as core servers those servers belonging to the cluster, whenever the minimum number s1 is reached for the first time;

  preventing a deletion of any of the core servers from the cluster.

10. A computer program product stored on a computer readable medium for allowing, in a network comprising a plurality of client workstations having a software program installed thereon, and an initial plurality of S license servers, a concurrent use of a maximum number n of copies of the software program, each client workstation requiring an authorisation from one of the license servers before using the software program, the computer program product requiring that at least an integer majority of the plurality of lic