Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!apollo!molson
From: molson@apollo.COM (Margaret Olson)
Newsgroups: comp.sys.apollo
Subject: NLS servers
Message-ID: <4014e53a.1837d@apollo.COM>
Date: 5 Dec 88 23:13:00 GMT
Reply-To: molson@apollo.com
Organization: Apollo Computer, Chelmsford, MA
Lines: 44


    Folks,

    There have been some questions in the group about why application 
    licenses are locked to NLS servers.  I'll try to explain the 
    tradeoffs we faced and why we picked to do things the way we did.

    In designing the license server, we had the following concerns:
        -scalability
        -availability
        -response time
        -security

    If licenses could be freely moved from one server to another there
    would be no real security in the network licensing system: users could
    just move licenses from one server to another, and then restart the
    original server from the original database (or passwords).  This would
    allow the unscrupulous to increase the number of licenses at will.

    In order to provide adequate security AND moveable licenses, you need
    strongly consistent replicated databases.  Licenses would be locked to
    a *group* of replicated servers, rather than to one server.  Although
    this would provide continued service in the unlikely event that a server
    fails, it has serious problems.  First of all, no operation on the
    server could occur without the notification of all of the other servers.
    This would be quite expensive.  Secondly, in the event of a network
    partition, replicas in the minority partition would have to shut down.
    You could solve this problem by having several sets of replicated
    servers, but then you just have essentially the same arrangement that
    NLS has now - statically partitioned licenses.
                                                            
    In the end, we felt that replicated servers would solve a problem
    that occurs very rarely (failed disks) and was not worth the runtime 
    expense.  Replicated servers do nothing to solve the problems of network 
    partitions, which in a large network are quite frequent.

    By the way, in the unlikely event that a server node dies, I believe that 
    your service rep can move the nodeid prom to a new machine.  This will 
    allow you to move your license database to this new machine.  Since the 
    prom can only be in one place at a time, there is no security hole here.
    
    Margaret Olson
    Apollo R & D
    molson@apollo.com
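
The cloning scenario and the majority rule for replicated servers described in the post, as a small added model (not part of the original post and not Apollo's NLS code). The record layout, the server and product names, and the `enforce_lock` switch are constructed for illustration.

```python
import copy

class Server:
    def __init__(self, node_id, licenses=()):
        self.node_id = node_id      # stands in for the node ID PROM (assumption)
        self.db = list(licenses)    # hypothetical records: product, count, locked_to

    def available(self, product, enforce_lock):
        """Number of licenses this server will grant for a product."""
        return sum(r["count"] for r in self.db
                   if r["product"] == product
                   and (not enforce_lock or r["locked_to"] == self.node_id))

def move(src, dst, product):
    """Move every record for a product from one server's database to another's."""
    moved = [r for r in src.db if r["product"] == product]
    src.db = [r for r in src.db if r["product"] != product]
    dst.db.extend(moved)

def total_after_restore(enforce_lock):
    """Back up server A, move its licenses to B, then restart A from the old database."""
    a = Server("node-A", [{"product": "cc", "count": 5, "locked_to": "node-A"}])
    b = Server("node-B")
    backup = copy.deepcopy(a.db)    # snapshot taken before the move
    move(a, b, "cc")
    a.db = backup                   # original server restarted from the original database
    return a.available("cc", enforce_lock) + b.available("cc", enforce_lock)

def replica_may_serve(reachable, group_size):
    """Strongly consistent replica group: only a strict majority keeps serving."""
    return 2 * reachable > group_size

if __name__ == "__main__":
    # Freely movable records: the restored copy and the moved copy both count.
    print("movable, total after restore:    ", total_after_restore(False))
    # Records locked to a server: the copy on node-B is never honoured.
    print("node-locked, total after restore:", total_after_restore(True))
    # A 5-replica group split 3/2 by a network partition.
    print("majority side serves:", replica_may_serve(3, 5))
    print("minority side serves:", replica_may_serve(2, 5))
```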