Data Traffic Security
Datamine License Services supports the transfer of both unencrypted and encrypted (recommended) data traffic when communicating licensing information over a network.
TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over a network, ensuring that data transmitted between systems is protected from eavesdropping, tampering, and forgery. In the context of Windows network traffic, TLS is often used to secure data exchanged between clients and servers, such as in HTTPS connections, Remote Desktop Protocol (RDP), and other Windows services.
TLS helps mitigate several security threats, including:
- Man-in-the-Middle Attacks – Preventing attackers from intercepting or altering traffic.
- Data Breaches – Protecting sensitive information such as credentials, personal data, and financial details.
Digital Certificates
Ensuring secure communication between the Datamine License Server and client machines requires a valid SSL/TLS certificate. The responsibility for obtaining and managing this certificate depends on the hosting environment:
Self-Hosted License Servers
If you are hosting your own Datamine License Server, you are responsible for purchasing, installing, and renewing the SSL/TLS certificate. You must ensure that the certificate is correctly deployed to enable encrypted communication and prevent security vulnerabilities.
Datamine-Hosted License Servers
If Datamine is hosting the licensing server, Datamine will provide and manage the SSL/TLS certificate, including its renewal, to maintain a secure and seamless connection.
Where to Purchase an SSL/TLS Certificate
If you need to obtain a trusted certificate for your self-hosted license server, consider purchasing one from a reputable Certificate Authority (CA). Some well-known CAs include:
Commercial Certificate Authorities (Best for Production Use)
- DigiCert (digicert.com) – Enterprise-grade certificates with excellent support.
- GlobalSign (globalsign.com) – Trusted provider with extended validation options.
- Sectigo (formerly Comodo) (sectigo.com) – Affordable certificates with wide compatibility.
- Entrust (entrust.com) – Provides secure, high-assurance SSL/TLS solutions.
Note: Datamine is not affiliated with any of the certificate vendors above and can't provide certificate installation or post-installation certificate support.
Digital Certificate Friendly Name
By default, Datamine expects a certificate with a Friendly Name of "Datamine Licensing Certificate", although you can choose your own SSL Certificate Name by adjusting the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Datamine\License Services\SSL CertificateName
If no key exists, "Datamine Licensing Certificate" is assumed.
Note: The license server will not check the certificate chain; only clients will do this.
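A server-side check for the certificate described above, as an added example (not Datamine's own tooling). It assumes the certificate is installed in the LocalMachine\My store, which the page does not state, and uses the registry value name exactly as printed above; the 30-day renewal threshold is a constructed value.

```powershell
# Added example: find the licensing certificate by Friendly Name and report its validity.
# Assumptions: the certificate is in Cert:\LocalMachine\My (the page does not name a store)
# and the registry value name is exactly as printed on the page.
$KeyPath     = 'HKLM:\SOFTWARE\WOW6432Node\Datamine\License Services'
$ValueName   = 'SSL CertificateName'             # as printed on the page
$DefaultName = 'Datamine Licensing Certificate'  # assumed when no value exists
$WarnDays    = 30                                # constructed renewal threshold

function Get-LicensingCertName {
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$ValueName] -and $props.$ValueName) {
        return [string]$props.$ValueName
    }
    return $DefaultName
}

function Get-CertStatus {
    param($Cert, [datetime]$Now)
    if ($Cert.NotAfter  -lt $Now) { return 'EXPIRED' }
    if ($Cert.NotBefore -gt $Now) { return 'NOT YET VALID' }
    if ($Cert.NotAfter  -lt $Now.AddDays($WarnDays)) { return 'RENEW SOON' }
    return 'OK'
}

function Test-LicensingCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $name  = Get-LicensingCertName
    $certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq $name })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with Friendly Name '$name' found in $StorePath"
        return
    }
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) certificates share the Friendly Name '$name'"
    }
    $now = Get-Date
    foreach ($c in $certs) {
        [pscustomobject]@{
            FriendlyName  = $c.FriendlyName
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            Status        = Get-CertStatus -Cert $c -Now $now
        }
    }
}

Test-LicensingCert | Format-List
```

Run it in an elevated PowerShell session on the license server before enabling Use SSL/TLS, and again ahead of each renewal date.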
Client-Server Handshaking
Server
Once a suitable certificate is installed and configured on the server, Datamine License Manager can be opened by a local Administrator and set to SSL/TLS mode using the Options screen.
If Use SSL/TLS is checked, the server runs in enhanced security mode after the License Services Service is restarted.
Client
The traffic mode on a client is set automatically - no client configuration is required. The running License Service will initially attempt both encrypted and non-encrypted modes, storing the successful connection configuration.
- If a 7.0 or later server has been set to expect encrypted traffic, clients connecting to the server will transmit network information in the encrypted format.
- If any server has been set to expect non-encrypted traffic, clients are automatically set to use non-encrypted traffic.
In summary, there is no need to manually adjust 7.0 or later client machine settings to connect to licensing servers.
The client uses the following logic to achieve this:
- If the client has not attempted to connect to a secure-traffic server before, the client attempts to connect to the server first in non-encrypted mode (the default, legacy setting).
- As the server expects encrypted traffic, the connection is initially rejected.
- The client automatically adjusts to attempt to connect to the server in encrypted mode (that is, enabling the Use SSL/TLS setting).
- The connection is successful and license information is returned.
- The configuration of the client is saved so that subsequent connection attempts are made in encrypted mode.
Note: There is no need to manually configure client communication settings. This is done automatically. If the server protocol changes, restart the client licensing service to reconnect.
License Manager Enhancements
In addition to the Options >> Network License Service setting that activates SSL/TLS traffic, an encrypted and connected server is now represented by a new lock icon.
Log File Enhancements
To support the introduction of enhanced traffic security, additional logging information is provided, including:
Client Logs
The following events are recorded:
- If a connection attempt is made from an unencrypted client to an encrypted server, the attempt is logged, as is the automatic attempt to try encrypted mode.
- If the connection was successful, which mode was used.
- If the certificate chain was checked.
- If a server certificate was found to be expired.
Server Logs
- If a certificate was found.
- If the certificate was found, but is expired.
- If a non-SSL connection was attempted on an encrypted server and was refused.
Questions & Answers
Updating License Services
Will this update be applied to my client machine when I install a new version of a Studio product?
Yes. License Services is installed with Studio products, unless custom installation options are set.
Can I just upgrade my server and client as normal? Do I need to set something else?
If you plan to continue using the legacy traffic mode, you can upgrade your server or client (or both) as normal and things just carry on as before.
Do I have to upgrade my client versions of License Services?
A minimum version of License Services is expected by Studio products, and this changes with every product update. License Services 7.0 will be installed, and is the minimum required version for the following product versions:
Product | Version |
Studio EM | Studio EM 3.1 |
Studio Geo | Studio Geo 1.1 (arriving 2025) |
Studio Mapper | Studio Mapper 4.1 |
Studio NPVS | Studio NPVS 3.1 |
Studio NPVS+ | Studio NPVS+ 1.1 (arriving 2025) |
Studio OP | Studio OP 4.1 |
Studio RM | Studio RM 3.1 |
Studio Survey | Studio Survey 3.1 |
Studio UG | Studio UG 4.1 |
Later product versions may require higher License Services versions.
Client & Server Encryption Modes
If I set up my server to run in encrypted mode, do I have to adjust every client to speak the same 'language'?
No, this configuration is automatic.
If I set my server to encrypted mode and then decide to set it back to legacy mode, do I have to adjust client machines?
In this situation, if clients have previously connected to the server, they will be auto-configured to use encrypted traffic. To reset them, the License Services running service must be restarted (either through the Administrator's options, or by a PC restart). They will then automatically reconfigure to use the unencrypted mode.
If I upgrade my license server, do I have to reset the encryption mode?
No, all settings are preserved between product upgrades and reinstallations.
Client-Server Compatibility
If I set up my server to run in encrypted mode, what is the minimum client License Services version required?
If a server is running in encrypted mode, client machines must have License Services v7.0 or later installed. Encrypted client traffic is not possible in earlier versions.
Can I connect to a 7.0 server running in encrypted mode from an earlier client version of License Services?
No. Only client versions 7.0 and later can communicate with a server expecting encrypted network traffic.
Can I connect a client using License Services 7.0 or later to a legacy (pre-7.0) server?
Yes, no problem.
To be clear, if I don't enable encrypted traffic on the server, everything is just as it was before 7.0?
Yes, that's correct.
Digital Certificates
Who is responsible for providing and installing a certificate?
Unless Datamine hosts your licenses, you will need to organize your digital certification and renewal. See "Digital Certificates", above.
I don't plan to use encrypted traffic. Do I still need a digital certificate?
No, this is only required for server authentication if the Use SSL/TLS setting is checked.
Must the certificate be self-signed, or is a certificate chain checked? Can I use an End-Entity certificate?
By default, the Datamine License Server enforces certificate chain validation, ensuring that all certificates in the chain, up to a trusted root Certificate Authority (CA), are valid and properly issued. This process enhances security by preventing unauthorized or compromised certificates from being used.
Can a Self-Signed Certificate Be Used?
Yes, but this is not recommended for production environments.
- A self-signed certificate does not have a valid chain to a trusted CA, meaning it may trigger trust warnings on client machines.
- If using a self-signed certificate, it must be manually installed on all clients to establish trust.
Can an End-Entity Certificate Be Used?
- Yes, an End-Entity (leaf) certificate issued by a CA can be used, as long as it has a valid certificate chain.
- The certificate must match the server’s host name and be within its validity period to ensure proper authentication.
Is it possible to disable certificate chain checking?
By default, a certificate chain is checked, meaning all certificates up to the trusted root certificate must be valid. However, in some cases (such as internal deployments where strict validation is not required) certificate chain checking can be disabled on client machines by modifying the Windows Registry:
Steps to Disable Certificate Chain Checking:
- Open Registry Editor (regedit.exe).
- Navigate to:
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Datamine\License Services\SSLCheckChain
- Set the SSLCheckChain value to 0 to disable chain verification.
- Restart the Datamine License Service for the changes to take effect. You can do this using License Manager (Options >> License Service).
Warning: Disabling certificate chain validation can reduce security by allowing untrusted or expired certificates to be accepted. This setting should only be used if necessary and in a controlled environment.
Note: Registry editing and License Services management should only be performed by an IT System Administrator.
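An audit for the SSLCheckChain setting described above, as an added example (not Datamine's own tooling), so that clients with chain checking switched off can be found and reviewed. It assumes PowerShell remoting (WinRM) is enabled when remote machines are queried; the computer names in the comment are hypothetical.

```powershell
# Added example: report whether certificate chain checking is disabled on clients.
# Assumption: PowerShell remoting (WinRM) is enabled when -ComputerName is used.
$Check = {
    $key  = 'HKLM:\SOFTWARE\WOW6432Node\Datamine\License Services'
    $prop = Get-ItemProperty -Path $key -Name 'SSLCheckChain' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No value present: the page states that the chain is checked by default.
        $raw   = '(not set)'
        $state = 'default (chain checked)'
    } elseif ("$($prop.SSLCheckChain)" -eq '0') {
        # 0 is the value the page gives for disabling chain verification.
        $raw   = $prop.SSLCheckChain
        $state = 'DISABLED'
    } else {
        $raw   = $prop.SSLCheckChain
        $state = 'not disabled'
    }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        SSLCheckChain = $raw
        ChainChecking = $state
    }
}

function Get-ChainCheckState {
    param([string[]]$ComputerName)
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $Check |
            Select-Object Computer, SSLCheckChain, ChainChecking
    } else {
        & $Check
    }
}

# Local machine; pass -ComputerName client01, client02 (hypothetical names) for a fleet.
Get-ChainCheckState | Format-Table -AutoSize
```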
What happens if a certificate expires?
Servers, if running in encrypted mode, will check that a certificate is unexpired, as will all client connections. Where a certificate expires, a connection is refused and license data transmission is blocked.