From: Mark Buda [buda@tabasco.zko.dec.no.spam.com]
Sent: Monday, December 09, 2002 7:27 PM
To: Info-VAX@Mvb.Saic.Com
Subject: Re: Alternatives to "DEC LMF PAK GEN V1.3" ?

Here is an ASCII copy of the PAKGEN documentation.


--

Sincerely,
Mark Buda
Hewlett-Packard Company
VMS Engineering
110 Spitbrook Road
MS: ZK3-4/X57
Nashua, NH 03062
Voice: (603) 884-1969
FAX: (603) 884-3451

VMS Home Page http://www.openvms.compaq.com
OpenVMS Portal http://www.openvms.compaq.com/portal/index.html



------------------------------------------------------------------------
----------

Mark Schafer
January 18, 2002, updated November 9, 2002.

DSPP program. If you meet a partner, please ask them to contact the hp
developer & solution partner program.
800 249 3294
www.hp.com/dspp


Introduction

PAKGEN produces LMF PAKs for software.  Digital Equipment Corporation
developed LMF licensing technology for its OpenVMS operating system and
layered products in the late 1980s.  Later, LMF was extended to Digital
UNIX (now Tru64 UNIX).  A central tenet of LMF is the security of the
generator, PAKGEN.  PAKGEN was offered as a product, but Digital was
restrictive and not many companies purchased the software.  Some ISVs
asked for it, but it never was the mainstream.  Still, it's used to
license the OpenVMS operating system and planned to be in the Itanium
port of OpenVMS.  For this reason, I proposed to offer PAKGEN to ISVs as
a service of the CSA program.
Responsible Organizations & People

Leo Demers, OpenVMS product manager
Responsible for the PAKGEN technology and documentation

Mark Buda, OpenVMS engineer
Maintains LMF and PAKGEN software in the OpenVMS operating system

Mark Schafer, CSA TechSupport
Provides technical support to ISVs through the CSA program.

Susan Mill, License Key manager High Performance Server business unit
Issues and tracks LMF keys, including the PAKGEN key
CSA Service Offering PAKGEN for ISVs

Members of Compaq's CSA program may request PAKGEN.  They make their
request by logging into the Members Only website and filling out a form,
"Request for Technical Support" by following the links, "Request Porting
or Technical Support" for AlphaServer systems, "Development or Porting
Question."  In their request, the partner should put PAKGEN in the
Subject field and the requested TOKEN string in the textbox area "Your
request or concern."  CSA TechSupport will open a case for the request
and forward it to the License Key manager.  The manager issues a PAKGEN
key with the requested TOKEN string, and emails the key file to the ISV.
Scope

Worldwide.  CSA members must use the Members Only website to make a
request and to download documentation.  The PAKGEN key file will be sent
to them by email.
Cost

There is no cost to the member.
Prerequisite Software

Support for PAKGEN is integrated into OpenVMS Version 7.2 and later.  No
additional product installation is required.
Support

PAKGEN software is not warranted.  CSA TechSupport will provide "best
effort" support for ISVs that requested and received a PAKGEN key.
Backup support will come from OpenVMS engineering for questions that
cannot be answered or for bugs that are entered in the PTR system.
Documentation

General LMF documentation is provided in the OpenVMS product
documentation.
http://www.openvms.compaq.com/
OpenVMS License Management Utility Manual
Order Number: AA--PVXUF--TK

An API for software programs that use LMF is documented in "DEC VMS/LMF
System Services Reference Manual", available as a PDF file on the CSA
Members Only website.

PAKGEN user documentation is provided on the CSA Members Only website
for members to download and is here below:
Generating License PAKs

The License Management Facility (LMF) is an OpenVMS component that
provides system managers and product developers with a means to manage
and track software PAKs that have been issued to customers. Users of LMF
use the LMF Product Authorization Keys (PAKs) and the LMF database to
register and manage license PAKs.  Product developers use LMF to check
for valid product licenses.  Product developers and product vendors must
use LMF to generate new keys.

Each PAK includes a variety of fields that supply specific information
about a product.  The most relevant fields for generating and tracking
license keys are the product name, product issuer, product producer,
product authorization, and product token. The product name is the
designation for the particular product; that is, the specific product or
product group that is authorized by the key.  The producer is the name
of the organization that produced or created the product.  Together, the
producer and the product name uniquely identify a product license.  The
issuer identifies the organization that generated the license; this
organization may or may not be the same as the producer.  The
authorization field is an arbitrary alphanumeric string that the issuer
can use as a key serial number or a customer-order tracking number.

The product token is an alphanumeric string.  It cannot be more than 31
characters.  Don't associate the string with a specific product name.
The convention has historically been to refer to your Company name so
that the licenses are "identifiable" in an audit situation.  Please note
that you cannot change it.

Each product producer can have multiple product issuers; however, each
issuer is individually authorized to generate license keys for a
particular producer.  The ability to generate keys is specific to
individual producer/issuer pairs; the producer/issuer pair can generate
keys for only that pair. An issuer who needs to generate licenses for
multiple producers requires individual and separate authorizations for
each producer.

The run-time product license check is based on the product name and the
product producer.  The ability to generate product licenses is enabled
by a license key -- the product authorization key generation key.  The
key generator key name is PAKGEN, and the producer and issuer are both
DEC.  The PAKGEN key uses the product token to declare the
producer/issuer pair that is authorized by the particular PAKGEN key.

Each PAKGEN PAK authorizes a code for a particular producer/issue pair
and for no others.  Although multiple PAKGEN PAKs can be registered in
parallel in the LMF database, a maximum of one PAKGEN PAK can be loaded
and active at a time.

Support for PAKGEN is integrated into OpenVMS (VAX & Alpha) Version 7.2
and later.  No additional product installation is required.

The following sections describe how to use PAKGEN. The descriptions
assume basic familiarity with PAKS and with the DCL commands commonly
used with LMF.
Step 1: Register the PAKGEN License

The first step involved in the use of PAKGEN is registration of the
PAKGEN key.  To enable the PAKGEN key, use either the VMSLICENSE
procedure or the DCL commands LICENSE REGISTER and LICENSE LOAD.  You
must fill in each field of the PAKGEN license exactly as listed on the
product license document.

The following example shows how to register and load the PAKGEN license:

$ LICENSE CREATE -
/DATABASE=device:[directory]localdatabase.ldb

$ LICENSE REGISTER PAKGEN -
/DATABASE=device:[directory]localdatabase.ldb -
/ISSUER=DEC -
/PRODUCER=DEC -
/AUTHORIZATION=authorization-string -
/UNITS=license-units -
/RELEASE=release-date  -
/ACTIVITY=activity-code -
/TOKEN=producer-name~issuer-name -
/CHECKSUM=checksum
$ LICENSE LOAD PAKGEN -
/DATABASE=device:[directory]localdatabase.ldb


If licenses for multiple producer/issuer pairs are required, you must
first register the individual PAKGEN keys and then unload and load keys
for the specific producer/issuer pair.

The following example shows how to display a currently loaded PAKGEN
license:

$ SHOW LICENSE PAKGEN/FULL

Active licenses on node XDELTA:

PAKGEN
        Producer: DEC
        Units: 100
        Version: 0.0
        Release Date: 21-JAN-2000
        Termination Date: (none)
        Availability: 100
        Activity: 0
        VAX_ALPHA
        Product Token: FOO~BAR

Only the PAKGEN key that is issued by Compaq is honored for license
generation.  The only producer string that is valid for PAKGEN is DEC.
Step 2: Generate the Product License

To generate a license PAK, you must first use the DCL command PRODUCT
REGISTER with the /GENERATE qualifier. Then, to generate the PAK, you
must input specific product information by using the REGISTER/GENERATE
command with additional qualifiers.

It is strongly suggested that you register PAKGEN paks into a separate
database than the OpenVMS standard one.  This keeps the system LMF
database separate and untouched by anyone registering PAKGEN paks and
creating PAK's. Use the /DATABASE=device:[directory]database.ldb
qualifier to accomplish this.

Once the particular license is registered in the LMF database, you use
the PRODUCT ISSUE command to produce the completed license key in the
desired format.

The /GENERATE qualifier is valid only when the producer and issuer
specified on the license PAK match a valid, loaded PAKGEN key.  If you
need to issue licenses for another producer/issuer pair, you must first
unload the PAKGEN license and then reload the license associated with
that producer/issuer pair.

The following example shows how to generate a license and to create a
DCL procedure that contains the newly generated license:

$ LICENSE REGISTER/GENERATE product-name -
/DATABASE=device:[directory]localdatabase.ldb -
/PRODUCER=producer -
/ISSUER=issuer -
/AUTHORIZATION=authorization-string -
/UNITS=0 -
/TERMINATION_DATE=termination-date  -
/ACTIVITY=activity-code -
/TOKEN=product-token-code
$ LICENSE ISSUE/PROCEDURE product-name -
/DATABASE=device:[directory]localdatabase.ldb -
/OUTPUT=SYS$SCRATCH:PAK_PROCEDURE.COM -
/AUTHORIZATION=authorization-string


The following example shows the contents of the PAK_PROCEDURE.COM
procedure that was created by the preceding command:

$! Software Product Authorization Key Replica
$! Issued by BUDA
$! Issued on  7-JAN-2002 06:49
$!-----------------------------------
$ LICENSE REGISTER product-name -
/PRODUCER=producer -
/ISSUER=issuer -
/AUTHORIZATION=authorization-string -
/UNITS=0 -
/TERMINATION_DATE=termination-date  -
/ACTIVITY=activity-code -
/TOKEN=product-token -
/CHECKSUM=2-xxxx-xxxx-xxxx-xxxx
Using the Product Authorization String

You can use the product authorization string to track licenses,
customers, the person or system that generated the license, as a serial
number, and so on.  You should use a string format that allows all of
this information to be parsed easily; in particular, you should use a
format that permits you to identify the format used as changes are made.

For example, you can include an application-specific authorization
format identifier, a customer code, a unique serial number, and
information about when and where this particular license key was
generated:

1-CUSTCODE-1234-2000021-SITE

If the authorization format needs to be changed or enhanced in the
future, you can alter the value that you stored in the first field to
identify the particular format.  For example, in the authorization
string of the preceding example, you could change the leading 1 to a 2
when the format of the authorization string changes.
Securing the Product Authorization Key

Be careful to avoid both the release of the PAKGEN authorization key and
unintentional access to the OpenVMS system enabled for key generation.
Failure to maintain the security of the PAKGEN key or failure to control
access to the generator can result in the creation of unauthorized
license keys.

In particular, do not register the PAKGEN key in an untrusted system
environment; register and load the PAKGEN key only during use, and do
not release the PAKGEN key itself.

End of PAKGEN documentation
Frequently Asked Questions

Q: Where are the system services for LMF documented?
A:  Contact DSPP for the LMF System Service documentation.