OEM licenses: protection against unauthorized use of software functions
With the help of TwinCAT 3 license technology a PLC application can be protected against unauthorized use/cloning through binding to hardware (Beckhoff IPC or TwinCAT dongle). With the same licensing technology, additional functionalities of the PLC application can also be activated for end customers.
Prerequisite for using this function: Issue of a TwinCAT OEM certificate
System requirements
- TwinCAT 3 OEM certificate
(only for the creation of a license type and the signing of license files, not for the use of an OEM license) - Operating system: at least Windows 10
(Windows CE / Windows Embedded Compact is not supported!) - Beckhoff IPC or TwinCAT 3 license dongle
- TwinCAT version: at least TwinCAT 3.1 Build 4024
- TC3 PLC Lib Tc2_Utilities v3.3.24 (or higher)
Note: a User DB is not required for the use of OEM licenses.
 | Reliable protection can only be guaranteed when a Beckhoff IPC or TwinCAT license dongle is used For safe protection, always use a Beckhoff IPC or a TwinCAT 3 license dongle. The use of OEM licenses on non-Beckhoff computers without TwinCAT 3 license dongle is insecure and is not supported! |
| Reliable protection only when using the latest TwinCAT 3 version For reliable protection (e.g. secure encryption), always use the latest TwinCAT 3 version. This provides the maximum security. Use at least TwinCAT 3.1 Build 4024.x. |
General notes
| If you use OEM licenses make sure you encrypt your boot project! Remember that the license ID queried via FB_CheckLicense in the binary code can easily be found and (with a little effort) manipulated with a hex editor. Therefore, be sure to encrypt your boot project (safest), or at least disguise the queried license ID in the source code as best as possible. |
- A user database is not required for the application licensing.
- The license is validated by the TwinCAT 3 runtime (XAR). The TwinCAT 3 runtime must therefore be installed on the IPC.
- The validity of the application license is independent of the validity period of the OEM certificate. The application license thus remains valid even after the validity of the OEM certificate has expired.
- The use of OEM application licenses always requires a TwinCAT 3 dongle or a Beckhoff IPC.
- For IPCs with a platform level >= 90 (non-Beckhoff IPCs) a TwinCAT-3 dongle must always be used as a "License Device" for security reasons!
Typical applications
- The application is to be protected against cloning by binding it to hardware (TwinCAT 3 dongle or Beckhoff IPC).
- Additional functions in the application are to be enabled by an associated license.
Procedure
First of all, the TwinCAT 3 Engineering must be configured for the generation of application licenses. Among other things you need a small tool for this that is not part of the standard scope of delivery of the TwinCAT 3 Engineering.
The preparation of the TwinCAT 3 Engineering for application licenses is described in the section Preparation of the TwinCAT 3 Engineering.
The principle of the licensing process is illustrated in the following graphic:
Request OEM certificate
The basis for the licensing is an OEM certificate signed by Beckhoff with which the license is issued (by signing the License Request File).
How to apply for and install this certificate is described in the section Creating the "OEM Certificate Request File".
Be sure to use a strong password for your OEM certificate!
Create OEM license type
With the aid of data (OEM GUID) from the OEM certificate, a description file is generated for a license type. This license description file is the basis for the creation of a “License Request File” (see next step).
The process for generating a license description file is described in the section Creating a license description file for an OEM application license.
With an OEM certificate any number of license description files can be generated:
Create license request file
Now you can generate a “license request file” for a specific “license device” (TwinCAT 3 dongle or Beckhoff IPC).
The process for generating the file is described in the section Creating License Request Files for an OEM application license.
Application licenses for a non-Beckhoff IPC (platform level 90 or higher) always require a TwinCAT-3 dongle for security reasons!
Sign license request file
The "license request file" generated must be signed with the OEM certificate and thus becomes a "license response file". This is the actual license file that is bound to the specific device that was specified when creating the "license request file".
The procedure to sign the “license request file” with the OEM certificate is described in the section Manual creation via the TwinCAT Engineering.
Subsequently, the license generated must be made available on the “license device” (TwinCAT 3 dongle or Beckhoff IPC) (see Importing License Response Files for an OEM application license).
Version 3.3.24 of the TwinCAT 3 PLC Library Tc2_Utilities, which provides various function blocks for license handling, is available from TwinCAT 3 Build 4022.16. Among other things, it includes function blocks with whose help license files can be stored directly in a PLC application on a TwinCAT 3 dongle or downloaded from the latter. (See documentation on TwinCAT 3 PLC Library Tc2 Utilities)
You can download the required TwinCAT 3 PLC Library Tc2_Utilities: Tc2_Utilities.zip
Check for valid OEM license
At the start (and during the runtime), the TwinCAT 3 runtime checks whether the application license is valid. You can query the result of this check with the PLC function block FB_CheckLicense (see Querying the OEM application license in a PLC application).
In your PLC application you can then react as required to the result of the license validation check and can thus control the reaction to the presence or absence of your application license.