The BSA (Business Software alliance) organization runs a cool widget on their site – They call it the Global Software Piracy Study for 2011. It shows the globe divided to political territories. The user can select a country and see the rate of software piracy resident in that country. I admit I find it rather amusing to bet the piracy rate per territory, but apparently BSA officers don’t see the funny side in it. This is the drive for stepping up software license audits.
As software auditing is becoming ubiquitous, organizations around the world turn to Software Asset Management (SAM) tools to help them come through what some IT members would consider a nightmare.
Strict abiding to license agreements may not be sufficient when it comes to keeping track of software license compliance; As licensing options become increasingly complex, the average honest license administrator may inadvertently slip out of compliance.
Reasons for such a slip are numerous, and can be attributed to :
Structural changes in the organization:
- Unification and splitting of license pools.
- Shift of responsibility for license compliance and inventory keeping between IT personnel.
- Migration to other license servers.
Unclear restrictions imposed by the license agreement
- Change between different license versions.
- What was right for the previous version may not be OK for the current one.
- Restrictions that were signed upon in an antecedent licensing agreement.
The human factor
- Inexperienced IT personnel.
- Unclear notion of the license inventory.
- End users malcompliance with the organization’s software regulations.
These types of triggers for software compliance glitches are addressed by software license monitoring tools such as OpenLM:
OpenLM was designed to absorb drifts in license compliance caused by structural changes in the organization. It can interfaces multiple license managers over WAN or LAN, and assign license usage constraints according to licensing policies.
OpenLM provides clear accounts of license availability thus eliminating errors that stem from lack of “How many of these do we actually have” and
Lifting mundane tasks off the shoulders of license managers and system administrators, thus mitigating the effect of human error.
license server components
The vendor daemon and the license server manager jointly comprise the FlexLM (Flexnet) license server. The license server manager contacts a FlexEnabled application, and dispatches the handling of that application to the appropriate vendor daemon. It also serves as an interface between the Vendor daemon and the Application, for checking out licenses.
License server manager types
There are two versions of the license server manager:
• lmgrd – the original license server manager with a command-line interface.
• lmadmin – a newer web-based license server manager.
The following table summarizes the conceptual differences between the two license server manager types:
||Web-based license server manager
||Configuration information is acquired from the command-line options used when the program is started
||No configuration options are required upon program start.
|Persistence of change
||Changes need to be done in the license file
||Settings are maintained after relaunching the tool, and they override the license file.
|License file import
||A single license file set by the configuration options upon running lmgrd
||Import (multiple) license files.
|Number of running instances
||One instance of lmgrd is run for each vendor daemon.
||Supports multiple vendor daemons with one lmadmin process.
More changes between lmgrd & lmadmin
On top of these conceptual changes, there have been some changes in commands:
- Some commands are no longer supported or have been replaced in lmadmin (e.g. lmremove, lmdown)
- Some have changed in behavior (e.g. lmreread)
- Other commands have been added into the lmadmin to integrate the functionality previously provided by the LMTOOLS (Stop server)
OpenLM Utilizer Agent
The OpenLM Utilizer Agent is the end user tool of the OpenLM system. It completes the OpenLM license monitoring tool from the End user’s point of view. It provides end users the following capabilities:
- Query license availability.
- Check which users are holding required licenses.
- View a user’s full set of details as they appear on the LDAP, and communicate with users regarding license availability.
- Receive license availability notifications as soon as requested licenses become available.
- Report the session’s active project (mainly for billing purposes).
OpenLM Active Agent
The Active Agent incorporates all the characteristics of the Utilizer Agent. On top of that, it supports an extension that enables system administrators to shut down open applications either manually, or by defining a timeout policy. In this manner, system administrators can suspend or save and close idle applications, in order to make more efficient use of licenses. The Active Agent features a user-friendly interface that enables users to quickly reopen closed applications, or resume suspended ones.
Download and save the Openlm Utilizer or Active Agent MSI installation file from the Download section of OpenLM’s site. Double-click it, and follow the instructions of the installation wizard.
When installing the Active Agent, the Extensions “OpenLM Extensions” dialog window appears.
The user may either:
- Select to install the appropriate software extensions, thus ruling an idle application to be treated in the “Save and Close” method, or
- Select NOT to install the appropriate software extensions, thus ruling an idle application to be treated in the “Suspend and Resume” method, even though it is an “Extension Supported” application.
For more information on Extension-Enabled applications, please refer to “Application Note 1005: Configuring OpenLM to close idle Licenses”.
At the end of the installation process, in the “Agent Configuration” dialog window, type in the OpenLM server with which the Agent is required to connect, and click the “Apply” button. The Installation is now complete, can be changed at any time (see below).
The OpenLM Agent icon appears on the “system tray”.
OpenLM Agent in a connected state:
OpenLM Agent in a disconnected state:
- Right click on the agent icon and select ‘OpenLM Agent Configuration’. The Agent configuration window opens.
- Select the Agent’s language.
- Type in the OpenLM server name or IP.
- Type in the OpenLM server port. This is by default 7012.
- Click the “Check connectivity to OpenLM server” button.
- Logger Configuration File: Type in the location of the Agent Log File.
- Logging Level: Adjust the Agent’s logging level.
- Skip Double Instances Alert: This option either enables or blocks alerts when trying to open two agent sessions simultaneously. This option is set active by default.
- Use Local Computer’s Proxy Settings: This setting may solve issues that originate using a proxy server. This option is set inactive by default.
- Shut Agent when products Are inactive… : These parameters are relevant for VM servers. When OpoenLM closes a licensed application, the VM (e.g: Citrix) is kept in use by the workstation, unnecessarily consuming a license. This configuration shuts down the OpenLM Agent after INACTIVITY_TIME, thus releasing the VM license.
The OpenLM Java Agent window
The OpenLM Agent window shows the Feature usage status, per License Server, Vendor and User name. Individual user data is also available through the Agent; Just click a chart line to get more information on the user who is currently occupying the license.
Revision 0.1, Apr29 2012.
OpenLM supports the monitoring of a wide, and ever growing variety of license servers. Among those are Flexera FlexLM (Flexnet) , Beta LM, IBM LUM, DSLS, Sentinel HASP, Sentinel RMS, RLM, and LM-X. This is an description of the basic procedure for configuring the Openlm server to interface a FlexLM license manager, to monitor Flexnet reporting.
Please first refer to this Application Note. It gives a general description of the OpenLM system; what should be installed where, and who needs to communicate with whom.
Install the latest version of the OpenLM server. It is found on the OpenLM site.
- Configure the OpenLM server so that it would communicate with the License server:
- Open the “OpenLM server configuration window, On the “License Servers” tab (see image below).
- Click the ‘Add’ button, and type in the license server parameters (Type, Host name (or IP), port & time zone). In order to find the Server name and port, please refer to this post.
- You can type in a descriptive name to make recognizing the sever easier
- In the image above, these parameters are: FLEXlm, olm-lm-arcgis10, 27000, UTC+08, “ArcGIS 10 Head Office”.
- Click the ‘Apply’ button. Select ‘Restart now’. That’s it: the OpenLM server is
- Check the connection of the OpenLM server to the license server; click the ‘Check’ button. A text would follow. This text is a query of the License server. It indicates whether a connection to that server is established.
- Now open the EasyAdmin web application. Click start -> Management -> License servers. The “License servers” window appears. Verify that the configured license managers appear on the list. Circle nodes indicate a connection to a license server. Square nodes indicate a connection to a Broker which is installed on the License server machine.
OpenLM employs the Flexnet / FlexLM reporting mechanism to monitor and optimize concurrent license usage, and obtain license statistics. The FlexLM license manager interfaces licensed applications via predefined ports. You can verify that a port number is set correctly by:
1. Using Flexera’s LMTOOL utility: Select the “Server Status” tab, and click the “Perform Status inquiry” button. the port number would appear on the line that begins with “License server status:” e.g.:
License server status: 27000@My_server
2. You can also find the server name and port number (If defined as static) directly in the license file, in the SERVER line e.g.:
SERVER <ServerName> <hostId> <PortNumber>
The path and name of the license file is set in the LMTOOLS, under the “Config Services” tab.
Zero Day has reported that a security vulnerability has been discovered in FlexNet License Server Manager installations. This vulnerability enables attackers to execute arbitrary code on remote FlexNet License Server managers. Authentication is not required to exploit this vulnerability. The flaw was reported by Luigi Auriemma and Alexander Gavrun.
The specific flaw exists within lmgrd license server manager. lmgrd listens by default on TCP port 27000. A specially crafted packet sent to the server will cause a stack overflow allowing for remote code execution under the context of the server.
Flexera Software has issued an update to correct this vulnerability and also provided license administrators best practices for mitigating risk exposure.
More details can be found at: