KeyServer® Administrator's Online Documentation
Introduction
Welcome to the KeyServer. The KeyServer Package has been carefully designed to facilitate management of the licenses for an entire software library distributed throughout a network of computers. The KeyServer Package can be used to:
In this Getting Started document, "you" refers to the KeyServer Administrator: the person who will be setting up the KeyServer. You will find that KeyServer greatly simplifies software management while promoting efficient utilization of the software assets that have been purchased for your networked site. It gives you the technology to enforce license agreements, while it gives users transparent access to licensed software.
The KeyServer Package ships on three diskettes:
The License & Documentation diskette contains a text file named SERVER.LIC that acts as an "Electronic License Certificate". This certificate provides a unique serial number and unique configuration parameters that enable your KeyServer to run on either a Windows or Macintosh computer while supporting clients on both platforms. The SERVER.LIC file must be installed on the KeyServer computer as part of the KeyServer installation process.
This License Certificate and the serial number are authorized for use on one single computer. You may not make copies except for backup purposes. It is the obligation of the licensee to protect this electronic license certificate from theft, from unauthorized use, and from use on more than one single computer. In addition to the legal prohibitions, usage of the same serial number by two or more computers at once could lead to unpredictable behavior for both the client and administrative software.
The License & Documentation diskette contains Online Documentation for KeyServer Package 5.0. Most of this is reference documentation that is shipped in electronic format only, but some pieces are formatted for printing as well as screen viewing. Files named with the HTML suffix can be read using the open command from any web browser, such as Netscape Navigator or Internet Explorer. Files named with the PDF suffix can be read and printed with Acrobat Reader, available on the web from www.adobe.com. Standard hypertext linking conventions are used within the documentation folders to link the various documents and to aid in navigation. Hence the documents are best kept without changes to their name or location in the folder hierarchy.
KeyServer Documentation is divided into the following main sections:
Whenever possible, KeyServer documentation will be generic so it applies to both the Windows and Macintosh platforms. While the KeyServer component is licensed for use on only one computer, Windows or Macintosh, other components of KeyServer Package 5.0 are licensed for simultaneous use on both platforms. Duplicate software is included for the two operating systems. Even though the exact set of component files and file names, and the exact details of the user interface differ between operating systems, often these differences can be ignored or covered with generic language.
When it is necessary to explicitly document operating system differences, the Windows and Macintosh icons will be used to tag the details that are operating system specific.
In electronic versions of the documentation, details can be hidden behind hypertext links. In printed versions, you may want to treat the operating system icons as a signal to skip over the text, depending on your platform focus.
Software components in the KeyServer Package fall into three main classes depending on their primary function:
The generic names KeyServer, KeyConfigure, and KeyAccess are used to refer to the software which implements server, administrator, and client functions respectively. On the Macintosh, the generic name matches the file name of the component implementing each function. For a complete list of component file names and functions, consult the Online Documentation.
The word "server" is used to refer to the KeyServer process running on a single Windows or Macintosh computer. When the KeyServer program is launched, the KeyServer process becomes active so license requests from client computers can be serviced. There is no "network operating system" or file server requirement. Run KeyServer on a single computer to turn it into a "license server" which supports both Macintosh and Windows clients.
The KeyServer computer may be an individual user's workstation, it may be a computer dedicated to running the KeyServer program, or it may be a general purpose network services computer that is simultaneously acting as a file server, print server, ftp server, web server, router, etc. The KeyServer process listens to the network wire much like a router process. It can respond to each client using the appropriate protocol: TCP/IP, IPX, or AppleTalk.
The "key" in the word KeyServer refers to approximately 1K of information that must be received by a client computer before it can proceed with the launch of a "keyed" program. A keyed program has had this 1K of code excised so it can't run without contacting KeyServer to get the missing information. Details of the KeyServer implementation have evolved over the past 10 years to include many variations on this simple idea, but the functional behavior remains the same.
The word "client" is used to refer to each end-user computer that has KeyServer's client software, KeyAccess, installed. Without KeyAccess, a keyed program cannot run. Usually client computers are connected to the KeyServer through some form of network connection. This could be a local ethernet LAN connection, a global WAN connection, an Internet connection, a dial-up link, etc.
A "mobile client" or portable laptop computer must "check out" software licenses for use offsite where there is no network connection. The KeyCheckout program lets the user specify a particular expiration time for "portable keys" used on the mobile client computer.
The word "network" refers to the physical system of wires, hubs, repeaters, bridges, routers, relays, and other hardware that conveys data packets from computer to computer. A "network connection" does not imply the existence of any file server or other network services. In particular, we are not implying the existence of a "network operating system" (NOS). A mixed network of Windows and Macintosh computers can communicate without any NOS and KeyServer does not require one. The common phrase "log onto the network" is actually a source of some confusion and should more accurately be "log onto the network file server" or "log onto the file server". Again, for us, the word network does not imply file server.
While the server, administrator, and client functions are often thought of as running on three separate computers, this is not a requirement. A single computer can have software installed to perform all three functions. Typically the KeyConfigure administrative software will be installed on several computers that are also functioning as clients. It may be convenient to install KeyConfigure on the computer functioning as the KeyServer as well, but this is not necessary.
In addition to the main components described above, the KeyServer Package includes several utility components including:
This section gives an overview of basic KeyServer functionality and its underlying implementation. It describes KeyServer features and a conceptual framework that you will need in order to plan your license management strategy and to effectively deploy KeyServer at your site.
KeyServer uses TCP/IP, IPX, and AppleTalk to stay in contact with the various computers connected to your network. On each networked computer, the KeyServer client software, KeyAccess, handles communication with the KeyServer. When a client computer first starts up, KeyAccess automatically contacts the KeyServer and opens a session. KeyServer makes an entry in its session table and uses this to track all current software usage on that client computer.
When a user launches a program, the operating system passes the launch request to KeyAccess, which then conveys the request over the network to the KeyServer. It doesn't matter whether the application file being launched is stored on a local disk or on a remote file server; the transaction with the KeyServer is the same. KeyServer consults its database of software licensing information and its current software usage table in order to determine how to respond to the launch request. Possible responses from the KeyServer back to the client include:
Unlike other license management systems, KeyServer clients do not access a file server in order to query and register program usage information. With KeyServer, transactions between clients and the license server process are conveyed via a secure point-to-point protocol that is highly optimized for network and processor efficiency.
You use the KeyConfigure program to configure usage limits and license options for each software application that you want to manage with KeyServer. In its simplest configuration, you set a usage limit for each particular program to the number of software licenses that you own. Clients can use the software on a first-come, first-served basis until the number of simultaneous users reaches the licensed maximum that you have set.
Beyond its most basic operation, KeyServer offers a great deal of flexibility that lets you customize the way individual programs are managed and the particular level of access granted to specific users or computers. In this manual, we focus on the basic configuration issues while leaving the details and advanced features to the Online Documentation.
All transactions between clients and KeyServer can be logged, so in addition to KeyServer's real time control of current software usage, you can run historical usage reports based on the logged data. Although some sites find that software usage reports alone suffice to document license compliance, most sites will want to also use KeyServer's ability to actually control usage.
There are two distinct methods that KeyServer uses to bring a program under control:
Since a keyed program will not run without getting its key from the KeyServer, it can be freely distributed and copied without risk of piracy. KeyServer cannot protect an unkeyed program from piracy even if KeyServer is set to control its usage. KeyServer makes no attempt to lock down files or to prevent copying. Users can copy keyed and unkeyed programs alike and transfer them to other computers or take them offsite. But the keyed programs will not run offsite without permission from KeyServer, while the unkeyed programs will.
Furthermore, KeyServer's ability to actually enforce the usage limit for an unkeyed program is dependent on KeyAccess being installed and active on the client computer. If a user removes KeyAccess, a keyed program simply can't run, but an unkeyed program will be free to launch regardless of any license limit set up in a Control.
Several Macintosh programs use a technique called "Network Copy Detection" to ensure that a single serial number for a program can be used on at most one networked computer. Most of these programs turn off this serial number checking whenever you key the program.
In previous versions of KeyServer, usage control was only available for keyed programs and logging was either enabled for all programs or for keyed programs only. With version 5.0, logging and other actions can be individually configured for each distinct unkeyed program, just as keyed programs are configured individually.
Whenever Unkeyed Actions is enabled, KeyServer begins accumulating the names and program signatures of all unkeyed software that is launched on client workstations. A sorted list is displayed in the Unkeyed Actions window where you can select each program name and individually specify an unkeyed action. There are three choices:
Ignored
Logged
Controlled
Since KeyServer's default action for unkeyed programs is set to "ignored" (or to "logged" if you have changed the default), usage is not limited or managed in any way.
You must be very careful when setting an unkeyed action to "controlled". By default, unkeyed programs are identified by program signature only, so a Control item applies to all versions of a program and to everyone! Consult the Online Documentation for details on how to customize the Control options for distinct program versions and so that individual users are given different access, depending on group membership or location.
When you distribute a keyed program to your users, it is easy to communicate the clear understanding that usage may be subject to a usage limit or to other control options that you have set. In contrast, a new Control for an unkeyed program immediately imposes its usage limit and other control options on all existing copies of the program on all client computers. It may be quite an unwelcome surprise for a user to suddenly have their access to a program become controlled, especially if they personally installed it years ago. Of course a frustrated user could disable KeyAccess in order to run an unkeyed program without control, but then keyed programs would be disabled as well.
Versions of KeyAccess prior to 5.0 do not support control of unkeyed software and will report the signature only, not the name, of an unkeyed program to the KeyServer log. In order to make sure everyone is using the new 5.0 client software, you can use KeyConfigure to set up the "KeyAccess Version Control" item in the Admin menu.
KeyServer ships with unkeyed actions enabled, so as clients launch programs, the names will accumulate in the Unkeyed Actions window. The default action for programs as they are added to this window is "ignored". You can change this default to "logged" if you want the Unkeyed report to summarize usage of all programs on your client computers, but the additional log size requirements may be prohibitive. It is usually more efficient to selectively change the ignored action to logged for specific programs you are interested in.
New program names appear in red when first added to the Unkeyed Actions window. You should periodically examine this window and for each red program name, explicitly confirm the default action or change it to the log or control action. As you set the action, the font will change to black so you can easily distinguish programs that have been explicitly configured from those that have not.
When an unkeyed program action is set to "logged", KeyServer makes a log entry every time it receives a launch or quit notification for the program. If a client computer crashes or the network connection fails, KeyServer may never receive these notifications. Missing log entries for launch or quit can make the Unkeyed program usage report somewhat inaccurate. In contrast, when a program is controlled (e.g. the unkeyed action is set to controlled or the program is keyed), KeyServer maintains a session table in RAM which tracks each user and all the controlled programs they are using. This gives you a real time view of current usage in the Active Controls window as opposed to a report based view. The session table also gives KeyServer a way to notice and compensate for inconsistent information such as missing launch or quit notifications, thus making usage reports for controlled programs more accurate.
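The difference between log-based counting and a session table can be shown with a small model. This is an added example, not KeyServer code: the class names, the event stream and the 10-minute session timeout are assumptions constructed for illustration (this documentation states only that session maintenance tickles occur approximately every 5 minutes).

```python
from dataclasses import dataclass, field

TICKLE_INTERVAL = 300                  # seconds; tickles occur about every 5 minutes
SESSION_TIMEOUT = 2 * TICKLE_INTERVAL  # assumption: drop a session after two silent intervals


class LogOnlyCounter:
    """Derives usage from launch/quit notifications alone, as a log report would."""

    def __init__(self):
        self.count = {}

    def notify(self, kind, program):
        delta = {"launch": 1, "quit": -1}[kind]
        self.count[program] = max(0, self.count.get(program, 0) + delta)

    def usage(self, program):
        return self.count.get(program, 0)


@dataclass
class Session:
    last_seen: float
    programs: set = field(default_factory=set)


class SessionTable:
    """In-memory table of client sessions with a usage limit per controlled program."""

    def __init__(self, limits):
        self.limits = limits      # program -> maximum simultaneous users
        self.sessions = {}        # client -> Session
        self.reclaimed = []       # (client, program) pairs freed after a silent session

    def _expire(self, now):
        stale = [c for c, s in self.sessions.items()
                 if now - s.last_seen > SESSION_TIMEOUT]
        for client in stale:
            session = self.sessions.pop(client)
            self.reclaimed.extend((client, p) for p in sorted(session.programs))

    def _touch(self, client, now):
        # Any traffic from a client proves it is alive; silent clients are expired first.
        self._expire(now)
        session = self.sessions.setdefault(client, Session(last_seen=now))
        session.last_seen = now
        return session

    def usage(self, program):
        return sum(program in s.programs for s in self.sessions.values())

    def tickle_reply(self, client, now):
        self._touch(client, now)

    def launch(self, client, program, now):
        session = self._touch(client, now)
        limit = self.limits.get(program)
        if program not in session.programs:
            if limit is not None and self.usage(program) >= limit:
                return False      # limit reached: launch denied
            session.programs.add(program)
        return True

    def quit(self, client, program, now):
        self._touch(client, now).programs.discard(program)


# Constructed event stream: (time in seconds, kind, client, program).
# Client A crashes after t=0, so its quit notification never arrives.
EVENTS = [
    (0, "launch", "A", "editor"),
    (10, "launch", "B", "editor"),
    (300, "tickle", "B", None),
    (400, "quit", "B", "editor"),
    (600, "tickle", "B", None),
    (900, "tickle", "B", None),
    (900, "launch", "C", "editor"),
    (910, "launch", "D", "editor"),
]
LIMITS = {"editor": 2}


def replay(events, limits):
    """Feed the same notifications to both models and record launch decisions."""
    counter, table, decisions = LogOnlyCounter(), SessionTable(limits), []
    for now, kind, client, program in events:
        if kind == "launch":
            counter.notify(kind, program)
            decisions.append((client, table.launch(client, program, now)))
        elif kind == "quit":
            counter.notify(kind, program)
            table.quit(client, program, now)
        elif kind == "tickle":
            table.tickle_reply(client, now)
    return counter, table, decisions


if __name__ == "__main__":
    counter, table, decisions = replay(EVENTS, LIMITS)
    print("log-only count:", counter.usage("editor"))
    print("session table count:", table.usage("editor"))
    print("reclaimed:", table.reclaimed)
```

In this run the log-derived count overstates usage because the crashed client never reports a quit, while the session table frees that client's license once it stops answering and still refuses a launch beyond the limit.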
KeyServer lets you pick a management strategy that is best suited to each program. It is perhaps easiest to decide which programs should be ignored (i.e. not logged and not controlled). A good example might be the system utility WordPad (TeachText on Mac), which is used to read simple text files. Other system utilities may be interesting to log, even though from a licensing standpoint, tracking is unnecessary. An example might be Microsoft Internet Explorer.
Having decided to log a particular application, there are three different management strategies to choose from:
Each strategy has its pros and cons, depending on your goals. The Log Only strategy lets you run the "Unkeyed" report to produce an approximate summary of the program's usage. But in order to use KeyConfigure's complete set of report modules, and for greater reporting accuracy, you will need to create a Control either by keying the program or by setting its unkeyed action to "controlled" in the Unkeyed Actions window. In either case, the Control can be configured to allow infinite usage or it can be configured to enforce a usage limit.
As soon as you create a Control for the program, not only are there better reporting options, but you have the ability to manage usage based on group membership, network location, time of day, name, password, etc. The Control can also be grouped with others in a "Suite" so that all the member programs are controlled by the single usage limit and license options for the Suite. A custom message can be configured in the Control so that users are informed of important information such as the existence of a new upgrade. Access to the program can be disabled entirely, or only allowed at certain scheduled times or from certain locations.
When the controlled program is in fact "keyed", all of the Control options are securely enforced, both on networked computers and on mobile computers. Users cannot bypass KeyServer control either intentionally or unintentionally. Some software publishers require this level of security in exchange for using "concurrent use" licensing rights.
The table below summarizes the features and requirements for each of the three management strategies:
Features compared for the three strategies (Log Only, Log & Control Unkeyed, Log & Control Keyed). The per-strategy check marks were images and are not preserved here:
- log based usage reports
- usage control
- detailed reports
- real time usage view
- optional message displayed at launch
- distinct versions logged separately
- distinct versions controlled separately
- existing program copies controlled
- serial # checking defers to KeyServer
- secure license control
- secure piracy prevention
- mobile client software check out
Requirements compared for the same three strategies (check marks likewise not preserved):
- client must be running KeyAccess
- client must use keyed programs
When you set up a Control for an unkeyed program, you get most of the advantages of KeyServer's real time control and metering accuracy but without the security of keyed software and without being able to distinguish between versions. Control of keyed programs gives you security and version control but does not give you immediate control over existing unkeyed copies of the program. Most sites will use a combination of both the unkeyed and keyed control strategies. By keying some essential programs, the security level for control of unkeyed software is enhanced. Users cannot afford to remove KeyAccess as a workaround for gaining uncontrolled access to unkeyed programs.
The gradual approach to bringing a site into license compliance focuses metering and enforcement on new software installs. You may find it easiest to start by setting up Controls for several of your existing unkeyed programs with the usage limits set to infinite. Monitor software usage in the Active Controls window and run Summary and Histogram reports in order to gather usage statistics for each program. Based on these statistics, you can purchase the appropriate number of upgrade licenses to the latest version and then introduce the upgrade to your site as a keyed program only.
To aid in the deployment of new programs or upgrades in the secure keyed format, KeyConfigure includes the ability to "deputize" third party installers. When a "deputized installer" finishes, the program it has just installed will already be keyed and hence under secure KeyServer control. The 5.0 version of KeyConfigure for Windows does not include the ability to deputize a third party installer.
When you have a mix of old unkeyed program versions and new keyed upgrades, you can manage all of these as part of a "suite" with a single usage limit, or you can manage the unkeyed programs separately so they can be disabled after a reasonable time.
Some sites introduce KeyServer as part of an overall license compliance project that includes both license management and auditing components. The KeyAudit utility is included in the KeyServer package in order to help you quickly transform an unmanaged site into a KeyServer managed site.
KeyAudit has the unique ability to distinguish between keyed program copies and unkeyed copies. Furthermore, KeyAudit contacts KeyServer for a list of all the keyed programs that KeyServer is managing. If an audit of a user volume turns up an unkeyed copy of one of these programs, KeyAudit can be instructed to transform this copy into a keyed program, thus bringing it under secure KeyServer control. After you have keyed the basic software library for your site, use KeyAudit on client computers to both document your license compliance efforts and to clean up user volumes.
The appropriate installer diskette, Windows or Macintosh, is designed to directly install the KeyServer onto a single computer. In addition to the server, there are three other types of installation:
These three functions are usually required on several computers, and perhaps thousands. Hence the setup diskettes (Windows and Macintosh) create separate installer folders for these functions rather than actually performing an install from the diskette. Typically you will copy the client installer folders onto a shared file server so that anyone can easily access the appropriate installer program to set up a computer as a KeyServer client. You may want to use your file server privileges to restrict access to the Administrator installer, or you can copy it to a diskette if you prefer.
Before proceeding to run the setup programs from the installer diskettes, it is important to check the software and hardware requirements for each type of install.
A single KeyServer will effectively manage software licenses at sites supporting from 10 to 10,000 or more computers. KeyServer's scalability is achieved by directly accessing the basic network protocols (TCP/IP, IPX, and AppleTalk). Communication between the license server and its clients does not use any higher level file server or Network Operating System (NOS) services. Hence standard network wiring and routing between machines is all that is required to support clients spread across the globe. You don't need a file server.
To run the KeyServer process, you should choose a single computer (either Windows or Macintosh) that is in a robust location on your network. Client computers must be able to exchange network packets reliably with the KeyServer machine at all times. This computer should be secure from unauthorized users. It should be on at all times and not subject to frequent restarts or reconfiguration. If you are already running a file server on a Windows or Macintosh computer, this may be the logical place to put the KeyServer so that one secure machine is supporting multiple network services.
KeyServer running on either Windows or Macintosh will support clients on both platforms but some protocols are not supported by various server and client combinations:
The Windows KeyServer and the Windows client do not support AppleTalk.
The Macintosh client does not support IPX, but the Macintosh KeyServer does.
You must run KeyServer on Macintosh in order to support AppleTalk clients. A Macintosh KeyServer will support Macintosh clients with AppleTalk and TCP/IP, while supporting Windows clients with TCP/IP and IPX.
If KeyServer is run on Windows, the Macintosh clients must connect using TCP/IP. A Windows KeyServer will support Windows clients with TCP/IP and IPX, while supporting Macintosh clients with TCP/IP. Of course these Macintosh clients can still use AppleTalk and IPX for other network services.
The processor demands of KeyServer are minimal. A slow computer will suffice and there will typically be power left over to run user programs or other services at the same time. Many sites find it convenient to run the KeyServer process on a general purpose, network services computer that is also set up as a mail server, print server, file server, fax server, web server, etc. In such an environment, KeyServer will typically be the least demanding of processor overhead. An alternate strategy is to put only a few services on several inexpensive computers both for redundancy and so that reconfigurations and restarts don't affect all processes at once.
The amount of disk space required for logs is highly dependent on exactly how logging is configured, especially logging of unkeyed programs. A KeyServer supporting several thousand clients may generate several megabytes of log information per day. A several hundred client KeyServer will require proportionally less space, perhaps a megabyte per week. Eventually you may want to customize the level of logging detail or configure KeyServer to store logs on a remote volume, but it will be most convenient to initially set KeyServer up with space for at least several weeks' worth of standard logs.
The RAM requirement for KeyServer depends both on the number of clients it is configured to support and on the number of Controls that have been set up to manage programs. Allow 1.5 MB memory for up to 1,000 clients plus at least 0.5 MB for each additional 1,000 clients.
Support for AppleTalk clients is the only consideration in choosing between Windows versus Macintosh for the one computer which will run KeyServer. If you want to support any of your Macintosh clients with AppleTalk instead of TCP/IP, you must run KeyServer on a Mac. Even if you have AppleTalk installed under Windows NT, neither the Windows server nor the Windows client can make use of it.
If KeyServer will be supporting clients over TCP/IP, its address should be static. It will be convenient to register a name for this IP address with your Domain Name Server so clients can locate KeyServer using the DNS name instead of the raw IP address.
You must use Windows 95, 98 or Windows NT, version 3.5 or better, in order to run KeyServer (but this is not a requirement for clients). Any computer with enough RAM and processor power to run these operating systems will be fine for KeyServer. Service to clients from a 66 MHz Intel 486 CPU will be indistinguishable from a 233 MHz Pentium CPU, even when supporting thousands of KeyServer clients with typical program usage. For a large KeyServer, the one reason to consider a faster processor is to speed up KeyConfigure's response when running reports.
If KeyServer will be using IPX to communicate with its clients, you must install Novell's IPX stack instead of Microsoft's stack, since KeyServer needs a complete implementation of the protocol. Client computers can use IPX from either Microsoft or Novell.
You must use System 7 or System 8 in order to run KeyServer, but this is not a requirement for clients. Any computer with enough RAM and processor power to run these operating systems will be fine for KeyServer. Service to clients from a 16 MHz Motorola 68030 CPU will be indistinguishable from a 300 MHz PowerPC CPU, even when supporting thousands of KeyServer clients with typical program usage. For a large KeyServer, the one reason to consider a faster processor is to speed up KeyConfigure's response when running reports.
If you are using Open Transport network software you must use version 1.1.1 or better (OT 1.2 or 1.3 is recommended). If you are using Classic networking software, the AppleTalk version must be at least 58 and MacTCP must be at least 2.0.6. If you are using the MacIPX control panel (from Novell) it should be at least version 1.2. The Macintosh KeyServer ships with the default memory request set to 1.5 MB, which will suffice for up to 1000 clients. If your KeyServer license supports more than 1,000 clients you should increase the memory request by 50 KB for each additional 100 clients.
Installation of the license server itself (that is, the KeyServer executable program) is unique in that you only do it once, and only on one computer. This one computer also requires a license certificate which includes a unique KeyServer serial number and other parameters. You can choose to install the administrative program, KeyConfigure, on this same computer, but it is not required since remote operation of KeyConfigure is just as effective.
It is important to emphasize that KeyServer runs on a single computer to support both Windows and Macintosh clients. Use of the same license certificate on two or more computers at once could lead to unpredictable behavior for both client and administrative software.
After installation, the KeyServer program must be launched in order to begin supporting client connections. For robust service, you should configure the operating system to automatically launch the KeyServer program whenever the computer is restarted.
If you want your KeyServer process to run on a Windows computer, insert the Windows installer diskette and launch KS50WIN.EXE. In the Setup dialog, choose whether or not to include KeyConfigure on your KeyServer machine. The Setup program also gives you the opportunity to make installer folders for administrator and client installs. You can extract these installer folders and then later copy them to a file server or diskette when convenient.
Near the end of the install, you will be asked for the License & Documentation diskette. The SERVER.LIC file will be copied into the KeyServer Data Folder. This configures the KeyServer with your serial number and configuration parameters. To automatically launch KeyServer at startup, add a shortcut to the Startup group or configure KeyServer as an NT service.
If you want your KeyServer process to run on a Macintosh computer, insert the Macintosh installer diskette and launch the self extracting archive. This will decompress all the KeyServer components and create folders for each type of functionality: KeyServer, Administrator, Basic Client, Mobile Client.
Near the end of the install, you will be asked for the License & Documentation diskette. The SERVER.LIC file will be copied into the KeyServer Data Folder (a sub-folder of the KeyServer folder) in order to enable the KeyServer with your serial number and configuration parameters. To automatically launch KeyServer at startup, put an alias to the KeyServer® program file into the Startup Items folder inside the active System Folder.
Although most of KeyConfigure's capabilities are identical on Windows and Macintosh, when "keying" a program for secure KeyServer control, you must run KeyConfigure on the same platform as the program to be "keyed". Hence, if your KeyServer is going to control keyed software on both platforms, you must install KeyConfigure on at least two computers: one Windows and one Macintosh.
KeyConfigure communicates with KeyServer using the network protocol and services of the KeyAccess client. Therefore you must install and configure the KeyAccess client software before using KeyConfigure. The hardware and software requirements are the same as for any client (see Client Requirements below).
Install KeyConfigure on any client computer where it will be convenient for you to manage KeyServer. You may also find it convenient to install KeyConfigure on the KeyServer machine itself, but this is not a requirement.
The Windows setup program gives you the option of installing KeyConfigure at the same time you install KeyServer. You can also create an Administrator folder that has its own SETUP.EXE for installing KeyConfigure on any Windows client.
The Macintosh installer diskette creates a folder called Administrator which includes KeyConfigure plus other tools and components. Copy KeyConfigure onto any Macintosh client or run it from a file server.
Every client computer must be connected to the network and properly configured with one of the protocols TCP/IP, IPX, or AppleTalk. The only exception is for mobile clients, i.e. portable or laptop computers, which can be set up to use controlled software offsite without a network connection.
The client software, KeyAccess, is designed to have negligible impact on performance regardless of the specific operating system and hardware environment. KeyAccess is active briefly at startup time while it establishes a session with KeyServer, and then again whenever a program launches or quits. In addition, KeyAccess responds to session maintenance tickles from the KeyServer approximately every 5 minutes. With a properly functioning network connection to KeyServer, these transactions are essentially instantaneous.
An Intel 286 or higher microprocessor running Windows 3.1, Windows for
Workgroups, Windows 95, 98, Windows NT, or OS/2 is required for clients.
Communication to the KeyServer requires either TCP/IP (WinSock 1.1 compliant) or IPX. When using IPX on Windows 3.1, you must have the NetWare Client for Windows installed; the NetWare Client for DOS is not sufficient. KeyAccess can use either Microsoft's or Novell's IPX drivers on Windows 95, 98 and Windows NT.
Any 68000 or PowerPC processor running any Macintosh OS version will run the
KeyAccess client software. This includes System 6, System 7, and System 8
running on Macintosh or clones. KeyAccess also runs under A/UX and MAE. The
system memory requirement is about 130 KB.
Communication to the KeyServer requires either TCP/IP or AppleTalk. If you are using Open Transport networking software you must use version 1.1.1 or better. If you are using Classic networking software, the AppleTalk version must be at least 58 and MacTCP must be at least 2.0.6.
Your KeyServer is licensed to support a fixed number of client computers which can be any mix of Windows and Macintosh. Each of these computers needs to have client software, KeyAccess, installed in order to communicate with KeyServer. The Basic Client install should be run on all of your networked computers.
For mobile computers (laptops or portables) that will use controlled software off the network, use the mobile client install. A mobile client needs an additional program, KeyCheckout, which is used to specify a fixed expiration time when checking out software for use offsite.
When first installed, the network name of your license server defaults to "KeyServer 5.0". IPX and AppleTalk clients will use this name to locate the KeyServer. If you want to change the name to something more descriptive, e.g. "Engineering Group KeyServer", you should do so before installing KeyAccess on a lot of clients (use the "Change Network Name" item in KeyConfigure's Admin menu). To avoid using a raw address for IP clients, make sure your DNS has a name registered for the KeyServer IP address.
When KeyAccess is installed on a client computer, it will have to be configured with the desired network protocol and address to access the KeyServer. If your clients will be using TCP/IP, you will have to know the IP address or the DNS name of the KeyServer machine. For AppleTalk communication (available for Mac only), you will need to know the KeyServer name and the AppleTalk zone where KeyServer is located. For IPX connections, you need to know only the KeyServer name.
Your KeyServer should be up and running when you install clients so you can immediately get a KeyServer connection and test the communication.
The KS50WIN.EXE file on the Windows installer diskette does not directly
set up a computer as a client. Instead, it will create folders named Basic
Client and Mobile Client which contain the corresponding SETUP.EXE
programs for installing on clients. These folders can be copied to a file
server for convenient use by administrators or end users. The folders can also
be copied and used from a diskette.
During the install you will be asked to supply the KeyServer name or address and a name for the client computer that will be used in KeyServer's log files.
The Macintosh installer diskette creates folders called Basic Client and Mobile
Client. To set up a Macintosh client, drop KeyAccess onto the System Folder
(Extensions) of any Macintosh. Then open KeyAccess with the Chooser. Either
select the KeyServer by name in the proper AppleTalk zone, or use the configure
button to set up the IP Host address (raw IP or DNS name). Restart the
Macintosh to get a KeyServer connection.
You may also want to copy the KeyVerify and KeyAudit utilities from the Client Folder, but these are not required. The Mobile Client folder has one additional program, KeyCheckout, which should be copied onto laptop or portable computers that need to use controlled programs offsite.
After you have installed the client software and configured it with the address of KeyServer, open KeyAccess and press the Logon button. If KeyServer is running and everything is set up correctly, a new session is established and you will get a message confirming your connection.
Launch the KeyVerify utility in order to verify KeyServer's license control functionality. This test program is "keyed" so the launch will only succeed if KeyServer responds to the launch request by granting permission to run and by sending the key. After getting its key, the KeyVerify utility displays status information about the connection.
In order to monitor KeyServer status and client connection integrity, you should install KeySentry on a few client machines that have a network connection to KeyServer. Do not install KeySentry on the KeyServer computer itself. KeySentry will inform you of the following problems:
KeySentry is installed when you run the Admin installer. You may want to create a shortcut named KeySentry in the Startup group and configure it to minimize at startup. Then monitoring will begin every time the computer is started up.
To install KeySentry on a Macintosh client, copy the KeySentry file into the Control Panels subfolder of the System Folder and restart.
As you start up your monitoring computer, KeySentry will automatically load and display a message confirming its connection to KeyServer. Double click on KeySentry to change its default alarm thresholds.
By default, KeySentry is set to poll the KeyServer every 1 minute in order to test the connection and request status information. KeyServer's status reply includes the current number of connected clients and the amount of free disk space. KeySentry is set to post a warning if KeyServer is supporting more than 90% of its maximum number of clients. The threshold for a low disk space warning is set to 1 MB by default.
KeySentry reports any problems with a dialog message displayed on the KeySentry computer. The OK button will dismiss the message but typically it will be posted again as soon as the next poll request is sent. Use the dialog's Snooze button to temporarily disable KeySentry polling for about an hour while you fix the problem.
KeyConfigure is the administrative interface to the KeyServer process. KeyConfigure communicates with KeyServer using the network protocol and KeyServer address from the KeyAccess client configuration. Operation of KeyConfigure on the KeyServer computer itself is identical to remote operation over the network and KeyAccess is still required. Several copies of KeyConfigure can simultaneously view and modify the configuration options for KeyServer. There are master and assistant passwords so you can maintain secure control of licensing configuration while allowing reports and other features to be managed by assistants.
On a client machine that has been set up correctly with a KeyAccess connection, launch KeyConfigure and enter the default password: "Sassafras".
In the Admin menu, select "Show Current Users".
This brings up a display of KeyServer's session table which is tracking usage of controlled programs in real time. It shows each connected client followed by program names and running times for all controlled programs in use. You can watch KeyServer's usage tables change in response to the launch or quit of a controlled program on a client computer.
In the Controls menu, select "Show Active Controls".
You will see the names and status of the four standard Controls that are installed by default in a new KeyServer. If one of your clients is running KeyVerify, this will be reflected in the In Use counter in the first column on the line labeled KeyVerify.
Quit KeyVerify and watch its In Use count go to zero in the Active Controls window. Notice that in the Users window, the program name is no longer shown on the user line. KeyConfigure updates its display every few seconds so you can basically view your experiments in real time.
The usage limit for KeyVerify has the value "2" by default. This is displayed in the Active Controls window in the Enabled column. Try launching three copies of KeyVerify to see how KeyServer controls usage. You can duplicate KeyVerify and run several copies on a single client or launch it from different clients. Two of your launches will succeed and the third attempt will be blocked with an invitation to be put in a waiting queue. When you quit one of the running copies of KeyVerify, the queued requestor will be notified.
Double click on the KeyVerify item in the Active Controls window.
In the dialog window named "Control Details for KeyVerify", the tabs labeled General, Licenses, Portable, etc. are used to group together various sets of configuration options.
Click on the Licenses tab to see how usage limits are configured.
The licensing configuration for the Control of KeyVerify is very simple. A single Global pool containing 2 licenses is available to all users at all times. There are no other groups. There are no other license pools. All licensing is Unscheduled, meaning there is no special behavior at scheduled times.
Select the line item labeled Global under Unscheduled Times. The box labeled Licenses: will become highlighted. Change the license count to zero and confirm your edit by hitting the OK button. Now try to launch KeyVerify again. The custom message will be displayed on the client.
Double click on the KeyVerify line in KeyConfigure's Active Controls window to get back to the Licenses configuration dialog. Under the General tab, you will see the configuration for the Custom Message. It is configured to display On Deny, that is, it will be displayed only if the license limit is set to zero. Typically, the custom deny message is used to inform clients that their program version is obsolete and it may give further instructions on where to get an update. In order to re-establish the usefulness of KeyVerify as a diagnostic tool, you should reset the license count (under the Licenses tab) to a nonzero value.
If you want to take a quick look at how your actions so far have been reflected in KeyServer's log file, use Control-R (Win) or Command-R (Mac) to bring up the choices for reports (also available from the Report Menu). The Summarize report will give you an overview of usage for programs that are controlled by KeyServer. Don't be alarmed if your most recent activity is not immediately reflected in a report. You may need to use "Flush Log to Disk" and then "Refresh Now" from the Admin menu in order to process the most recent log entries.
In the Controls menu, select "Show Unkeyed Actions".
The Unkeyed Actions window shows the names of unkeyed programs that have been launched on client computers. On a computer running KeyAccess, launch a few unkeyed programs and then click on the word Update at the bottom left of the window. The names of the programs that you just launched will appear in red with their action set to either ignored or logged, depending on the Default Action setting shown at the top right.
Every time KeyConfigure is launched this window is automatically updated, but unlike the Active Controls and Users windows, there is no scheduled refresh. You must initiate further updates explicitly. To completely rebuild the cached list of unkeyed programs, hold down the alt/option key while you click on Update.
Highlight a red program name in the list and then confirm the ignored action by clicking on the green Set Action button at the top right of the window. The red type will change to black to show that you have explicitly configured this unkeyed program action.
Now let's make a Control for an unkeyed program. In our example, we select FileMaker Pro and click on the blue Set Action button to create a Control.
Click OK. Then a new line labeled "FileMaker Pro Control" will appear in the Active Controls window. The blue square icon indicates that it is a Control for an unkeyed program.
Launch a copy of this newly controlled program on one of your client computers. You will see the default "post launch message" that confirms KeyServer control.
Now double click on the Control for this program in KeyConfigure's Active Controls window, or hold down the alt/option key while double clicking on the program name in the Unkeyed Actions window. You can customize or delete the post-launch message under the General tab. Customize the license limit under the Licenses tab.
If you want to change the action for an unkeyed program from controlled back to logged or ignored, you must first look in the Active Controls window to be sure that the In Use count is zero (blank). Then in the Unkeyed Actions window, select the program name and use the appropriate Set Action button. The obsolete Control item will be deleted from the Active Controls window.
In order to key a Windows program, use the Windows KeyConfigure. To key a Macintosh program, use the Macintosh KeyConfigure. Under the Controls menu, select "Install Key...". The standard file selection dialog comes up so you can select the program file that you want to key for secure KeyServer control. The selected program is duplicated and the keying process proceeds on the duplicate.
KeyConfigure extracts a small "key" from the program file and this is transferred to KeyServer for storage in the Active Controls file. The key is tagged internally with the complete program signature, version, and creation date so it is sure to match the exact keyed program version.
On Windows, the resulting keyed program retains the original name. The original unkeyed program is untouched except to rename it with the .BAK extension in place of .EXE.
On Macintosh, the resulting keyed program gets a new name formed by appending the § symbol to the original name. The original unkeyed program is untouched.
A new Control is automatically created as you key a program. When you launch the new keyed program copy you will see the default post-launch message which confirms that the program is under KeyServer control. Use Configure to customize or delete the message and to set up licensing options as above.
Unlike unkeyed programs, deleting the Control for a keyed program from the Active Controls window does not revert the program to its previous state. The only way to revert is to throw away the keyed program and use a backup copy (this is why the keying process begins by making a duplicate).
If for any reason the Active Controls file does not contain the Control for a keyed program, all copies become useless. To regain functionality for keyed program copies, you can either re-key an original unkeyed program (so your KeyServer once again has a key) or use a backup copy of the Active Controls file to restore the original key and Control. It is for this reason that you should always keep a backup of KeyServer's Active Controls file and a copy of each original unkeyed program.
A single Macintosh program may exist in three different executable file formats: 68000 only, PowerPC only, and "Fat" (which runs on either processor). The PowerPC only case usually includes a 68000 "stub" to gracefully inform a user that the program won't run when launched on a 68000 machine. KeyConfigure must extract a key from both the 68000 and PowerPC sides of a Fat application (unless the 68000 side is merely a stub). KeyConfigure automatically groups the corresponding Controls together under a single "Suite Control" (see below) so all program versions are managed by a shared usage limit.
Suites allow you to group several programs together under one license counter. Furthermore, if a user has opened one program within a suite, other programs in the suite may be launched by the same user without using up an additional license. The license is finally returned to KeyServer only after the user quits all programs from within the suite.
Members of a suite share more than the license counter. All control options with the exception of the Custom Message and Notes are inherited from the suite. Several common licensing scenarios are easily handled by grouping individual program Controls under a single Suite Control.
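The suite behavior described above, as an added toy model (not KeyServer code): one license counter shared by all programs in a suite, held per user until that user quits the last suite program. The class, user and program names are hypothetical; the waiting queue and the zero-license denial are carried over from the KeyVerify walkthrough as assumptions, as is the rule that each launch is matched by one quit.

```python
from collections import deque


class SuiteControl:
    """Toy model: one license counter shared by every program in a suite."""

    def __init__(self, licenses):
        self.licenses = licenses
        self.running = {}       # user -> list of suite programs that user has open
        self.waiting = deque()  # users queued for a license, oldest first

    def in_use(self):
        # One license per user, however many suite programs that user runs.
        return len(self.running)

    def launch(self, user, program):
        if self.licenses == 0:
            return "denied"      # the case where the custom deny message appears
        if user in self.running:
            self.running[user].append(program)
            return "granted"     # same user, same suite: no extra license
        if self.in_use() < self.licenses:
            self.running[user] = [program]
            return "granted"
        if user not in self.waiting:
            self.waiting.append(user)
        return "queued"

    def quit(self, user, program):
        """Record a quit; return the queued user to notify, or None."""
        programs = self.running.get(user, [])
        if program not in programs:
            return None
        programs.remove(program)
        if programs:
            return None          # user still runs another suite program
        del self.running[user]   # last program closed: license returns
        return self.waiting.popleft() if self.waiting else None
```
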
A Suite Control is created automatically when you key a "fat" Macintosh application, but more typically you use "New Suite Control" from the Controls menu. If some existing Controls are already selected when you create the new suite, they will automatically be moved into the suite. Otherwise, you just drag a program Control onto a Suite Control in order to add it to the suite, thus overriding its individual licensing options.
Make sure that the Controls window is properly set up to display suites and their members. Pull down the Controls menu, and verify that "Group Controls by Suite" is checked and "Hide Suite Members" is not checked.
When Controls are grouped by suite, each member Control is indented underneath the Suite Control. Icons in the Active Controls window are also used to distinguish between six different types of Control: suite, keyed Win program, keyed Mac 68000 program, keyed Mac PowerPC program, unkeyed program, and deputized installer.
While support for TCP/IP connections enables KeyServer to manage software licensing throughout the worldwide Internet, it also means that you must protect your KeyServer from unauthorized clients. Support for IPX and AppleTalk may give your KeyServer similar undesired exposure but on a smaller scale. The first step in filtering out unauthorized clients is to restrict the allowable network addresses from which KeyServer will accept a connection. Further Authentication requirements can be imposed on any client that first passes through the Location Filter.
Use the "Network Access..." item under the Admin menu to bring up the Location Filter dialog.
The TCP/IP example above has All IP Addresses unchecked so worldwide access is disabled. Access from the address range 204.167.90.* (i.e. 204.167.90.1 - 204.167.90.254) is permitted. To allow additional access, click on the New button and type in an additional address range using a format like 129.170.16.1 - 129.170.16.23. You can edit an existing entry by double clicking on it.
Filtering under the AppleTalk and IPX tabs is configured in a similar way. The New button under the AppleTalk tab lets you enter an AppleTalk zone name. The New button under the IPX tab lets you enter a range of network numbers in a format like 0x20426790 - 0x20426791.
The Groups: text box allows you to name each address range (or set of address ranges). Under the Licenses tab, you can use the named group as a way of restricting a pool of licenses to users from a certain set of addresses. KeyServer's Authentication modules let you further restrict group membership based on additional criteria beyond location.
For basic KeyServer configurations, there is no need to define groups when setting up the Location Filter. However, group definitions based on Location Filter and possibly Authentication, coupled with the ability to create multiple license pools for a single program, offer enormous flexibility in customizing access to KeyServer and to individual programs. Consult the Online Documentation for details.
The KeyServer 5.0 default is to accept all client logons over all network protocols enabled on the host computer. With TCP/IP enabled on KeyServer, this may include access from anywhere on the world-wide Internet. You will probably want to either disable a protocol entirely (using the KeyServer status screen), or impose Network Access restrictions and/or Authentication requirements to control KeyServer access.
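To check a planned Location Filter before relying on it, the added example below (not KeyServer code) parses the two TCP/IP entry formats quoted above and reports which probe addresses would be accepted, both with All IP Addresses checked (the default) and unchecked. The class and function names and the group names "Campus" and "Lab" are hypothetical; the wildcard is expanded to .1 - .254 as the page states.

```python
import ipaddress


def parse_ip_range(entry):
    """Parse '204.167.90.*' or '129.170.16.1 - 129.170.16.23' into (low, high)."""
    entry = entry.strip()
    if "-" in entry:
        low_text, high_text = (part.strip() for part in entry.split("-", 1))
    elif entry.endswith(".*"):
        # The page equates a.b.c.* with a.b.c.1 - a.b.c.254.
        low_text, high_text = entry[:-1] + "1", entry[:-1] + "254"
    else:
        low_text = high_text = entry  # a single address
    low = ipaddress.IPv4Address(low_text)
    high = ipaddress.IPv4Address(high_text)
    if low > high:
        raise ValueError(f"reversed range: {entry!r}")
    return low, high


class LocationFilter:
    """Hypothetical model of the Location Filter dialog's TCP/IP tab."""

    def __init__(self, all_ip_addresses=True):
        # True models the 5.0 default: every address may attempt a logon.
        self.all_ip_addresses = all_ip_addresses
        self.entries = []  # (low, high, group name or None)

    def add(self, entry, group=None):
        low, high = parse_ip_range(entry)
        self.entries.append((low, high, group))

    def check(self, client):
        """Return (accepted, sorted names of groups the address falls in)."""
        addr = ipaddress.IPv4Address(client)
        hits = [group for low, high, group in self.entries if low <= addr <= high]
        groups = sorted({g for g in hits if g})
        return (self.all_ip_addresses or bool(hits)), groups


def audit(filt, probes):
    """Return the probe addresses the filter accepts; outsiders should be absent."""
    return [p for p in probes if filt.check(p)[0]]


if __name__ == "__main__":
    restricted = LocationFilter(all_ip_addresses=False)
    restricted.add("204.167.90.*", group="Campus")
    restricted.add("129.170.16.1 - 129.170.16.23", group="Lab")
    probes = ["204.167.90.17", "129.170.16.24", "198.51.100.7"]  # constructed
    print("default   :", audit(LocationFilter(), probes))
    print("restricted:", audit(restricted, probes))
```
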
Consult the Online Documentation for further information on the basic topics discussed above, as well as documentation on every KeyConfigure menu item and configuration dialog. The online table of contents, CONTENTS.HTM, will give you an overview of the many advanced features of KeyServer that we have only hinted at above.
This Getting Started chapter has barely touched on a few important features that most sites will want to use sooner or later. Read the KeyShadow chapter to learn how you can set up a few Macintosh computers to provide alternate license services even when your network is broken. Read the KeyCheckout chapter to learn how to transfer a temporary program license to a mobile computer for use without a network connection. Read the KeyAudit chapter to learn how to perform a site-wide audit of installed software.