You're viewing documentation for release 6 (LTS). Looking for a different release?

Manage licensing in virtualized environments

A virtual machine (VM) is a software-based computer that runs inside a physical device. It behaves like an independent computer with its own operating system (called the “guest” operating system), operating on top of the physical machine’s primary system (called the “host”). Because multiple virtual machines can run on a single physical device at the same time, a single user or machine can host several separate environments.

When licensing your client applications, you must consider how virtual environments impact your ability to track and control license consumption. Because VMs can be easily duplicated, moved, or deleted, traditional hardware-bound licensing models may not accurately restrict how your customers access your software.

Challenges in licensing in virtualized environments

Trying to protect software in virtualized environments introduces challenges for traditional, hardware-bound licensing models:

  • Virtual machines are frequently reset, re-imaged, or assigned random hardware IDs upon reboot, which can cause conventional node-locking or concurrent session tracking to leak seats.

  • A VM can be easily cloned, making it easy for a user to copy an active virtual machine state, potentially allowing multiple concurrent instances to access your licensed software using a single license seat.

  • Some virtualized environments are completely isolated or air-gapped from the internet. When an application cannot communicate state changes back to a live licensing server, preventing unauthorized duplication of local license files becomes exceptionally difficult.

10Duke Enterprise licensing solutions for virtual machines

To minimize the risk of license misuse, 10Duke Enterprise provides deployment options tailored for both online and air-gapped virtual environments.

Use count-based licensing

The most secure and direct option for virtualized environments is to grant licenses based on a use count model where license consumption is tracked using the count requested by the client application.

When client applications run across multiple cloned machines presenting identical hardware IDs, they will all consume from the same limited pool of use counts. 10Duke Enterprise enforces the overall quantity independent of the node or machine count, and no overage is allowed unless explicitly configured in your license model.

To protect use count-based pools from exploitation across cloned instances, configure short lease times (leaseTimeCache) for your use count-based license models.

Seat-based licensing in online environments

If your business model requires seat-based licensing for internet-connected VMs, tracking static hardware IDs alone is not secure. See more information on how to select and maintain stable hardware IDs on a host device.

To resolve the security risks associated with identical hardware IDs, 10Duke Enterprise provides an enforcement mechanism known as lease chaining through the ConcurrentSessions constraint.

By setting leaseTrackingMode to REQUIRE_LEASE_ID in the license model, you shift trust from a static hardware ID to a cryptographic state machine managed between the client application and 10Duke Enterprise.

When lease chaining is enforced, 10Duke Enterprise mandates that any subsequent request to extend or renew an active session must explicitly prove it holds the unique cryptographic token ID—the jti claim in the license token—generated by the immediate previous request.

If an active virtual machine is cloned, the cloned instance may copy the active license token over. When the cloned machine triggers a renewal loop, 10Duke Enterprise accepts the old token ID (the jti claim value), completes the loop, and responds with an entirely new token ID (a new jti claim value). This causes the original virtual machine to fail its next consecutive token check because its stored token ID is now outdated. The original virtual machine is forced to start a brand-new lease, consuming an additional license seat from the pool and blocking unauthorized free duplication.

We recommend that you configure short lease times (leaseTimeCache) in your seat-based license model to prevent unauthorized clones from utilizing a copied, active token file for an extended period without triggering the API renewal check.

Virtual machines in air-gapped environment

For client applications running in virtualized environments that are completely offline and isolated from the internet, a live connection to 10Duke Enterprise is not possible. In this scenario, you can utilize offline license tokens.

You can download license tokens from 10Duke Enterprise and deliver them to users through secure manual transport.

Once a license token is distributed to the client application running on a VM in an offline environment, there is a risk that the license token can be copied and potentially a large number of cloned VMs could access the licensed software. Therefore, if your customers require running your client application in an isolated virtual machine, offsetting the risk of cloning becomes really difficult.

To minimize the risk of unauthorized concurrent use in air-gapped environments, issue offline license tokens with a short validity period.

License consumption workflow in virtualized environments

In your client application logic, implement the license consumption and renewal cycle as follows:

  1. Initial consumption (the first request)

    Make a standard authorization call to the 10Duke License Consumption API. Parse the returned license token, extract the jti claim, and store it as the active leaseId.

  2. Lease renewal (enforcing the chain)

    Before the current lease token expires, make a subsequent consumption call to renew the seat. You must include the leaseId query parameter mapping exactly to your stored jti. When the request is validated, a new token with a new jti is returned. Your application must immediately update its stored leaseId with this new value for the next cycle.

  3. Session clean-up

    When the user closes the application or terminates the session, send an explicit release request to the 10Duke License Consumption API using the active leaseId to instantly free up the concurrent seat for other virtual sessions.

Configure the license model in 10Duke SysAdmin

To configure a license model that enforces lease chaining for online virtual environments using 10Duke SysAdmin:

  1. Create a custom license model.

    Follow the standard steps to create a license model.

  2. Define the ConcurrentSessions constraint rule.

    • Define the limits for how many concurrent sessions are permitted per user or device.

    • Set leaseTrackingMode to REQUIRE_LEASE_ID.

    • Define what is counted as a license session in sessionAnchors.

The following JSON example shows a configuration that enforces lease chaining while utilizing Hardware as a session anchor:

{
   "ConcurrentSessions": {
      "maxCache": 1,
      "maxCheckOut": 1,
      "maxTotal": 1,
      "leaseTrackingMode": "REQUIRE_LEASE_ID",
      "sessionAnchors": {
         "__objType": "ArrayList",
         "Items": [{
            "__objType": "String",
            "value": "Hardware"
         }]
      }
   }
}

Best practices

We recommend that you follow these best practices related to virtual deployments.

Shorten lease validity

We recommend that you configure a short cache lease time (leaseTimeCache) in your license model. If a virtual container or VDI instance crashes abruptly without executing a clean license release request, the seat will automatically unlock as soon as the brief lease time expires.

Combine with process anchors

If multiple users share a single terminal server setup (such as Remote Desktop Services), a hardware session anchor alone will lock out the entire machine after the first user logs in. To prevent this, consider adding LicensedProcess to your sessionAnchors alongside Hardware. This tracks concurrency on a per-process level instead of locking the host machine.