Administrator's Online Documentation
|
|
|
KeyServer ® Administrator's Online Documentation |
| |||
| Home | Support | Legal | Contact Us |
|
This chapter provides essential instructions on how to upgrade to KeyServer 5.0 from an older version. If you are installing KeyServer for the first time, or if you are already running KeyServer 5.0 and are simply upgrading to a newer 5.0 release, these instructions do not apply and there is no reason to read this chapter.
The upgrade procedure described here should take no more than 20 minutes. The steps are designed to let you quickly revert back to your old KeyServer in case of any unforeseen difficulties, so you should first read over the instructions and then follow them carefully.
The new KeyServer 5.0 program can be installed on either a Macintosh or Windows computer, unlike prior versions which only ran on Macintosh. When upgrading to KeyServer 5.0, your users will have little, if any, awareness of the upgrade, regardless of whether you switch your KeyServer to Windows or leave it on Macintosh. All of your existing keyed applications on both Windows and Macintosh clients will continue to operate just as they do under your current KeyServer.
KeyServer 5.0 introduces many new features that help you manage your software library. However, some of these features will only be available to users running the new client software, KeyAccess version 5.0. Earlier versions of KeyAccess will continue to support the services available in previous versions of KeyServer, but you will not be able to take full advantage of the 5.0 enhancements until both the server and clients are up-to-date.
The steps outlined here are designed to get your KeyServer 5.0 upgrade configured and running on your existing KeyServer Macintosh with exactly the same behavior as your old KeyServer. From this starting point, you will typically make configuration changes that take advantage of new KeyServer 5.0 functionality. One such change might be the migration of the KeyServer process to Windows 95, 98 or Windows NT.
The upgrade to 5.0 must be performed on a Macintosh even if you will ultimately be moving KeyServer 5.0 to a Windows computer. The steps described below are performed entirely on the running KeyServer computer, but this is not an absolute requirement as long as you remember one thing: your KeyServer 5.0 upgrade is licensed with the same serial number as your active KeyServer, and this serial number is used by clients and shadows to find and identify KeyServer.
 | If you want to perform the upgrade steps and test KeyServer 5.0 on a separate computer, make sure that it is "off-line". Running more than one KeyServer using the same serial number on your network could cause unpredictable behavior in the client and administrator programs, not to mention that your KeyServer license allows only one KeyServer per serial number. |
There are several configuration settings that you will need to re-enter once KeyServer 5.0 is running, so first you need to record the existing settings. Launch your old KeyConfigure and connect to your running KeyServer. Under KeyConfigure's Admin menu, select each of the following six menu items so you can jot down the settings or take a screen snapshot of the dialog window:
If you are using the File Server authentication method, you will also need to make a note of the file server name and AppleTalk zone where it is located. If you are using the Zone Filter authentication method, jot down or take a screen snapshot of the zones that are check-marked for AppleTalk client access.
Before making any changes to the computer running your old KeyServer, you should first back up the System volume so you can easily recover from any catastrophe. At the very least, copy the running KeyServer file itself and the Active Keys file onto a diskette or remote network volume. The Active Keys file is contained in the folder named KeyServer Data f within the System Folder.
| If you have several folders named KeyServer Data f scattered throughout your mounted volumes, you must be particularly careful to find the one that is actually being used by your active KeyServer system extension. It is in the active System Folder. |
After backing up, insert the Macintosh Installer diskette and run the Macintosh installer program on the running KeyServer machine. This installer doesn't touch your running KeyServer or active System Folder. It simply creates a new folder with the default name KeyServer Package 5.0 and then extracts all of the Macintosh components from the compressed archive and places them in various subfolders.
In version 5.0, the server process is implemented as an application file rather than as a system extension. The installer places the KeyServer program in a folder called KeyServer along with its data folder which is now called KeyServer Data Folder rather than the old name, KeyServer Data f. In version 5.0, neither the file KeyServer nor the KeyServer Data Folder needs to be in the System Folder. They can be moved anywhere on your hard disk, as long as they are always kept together in the same enclosing folder.
At the end of the install process you will be asked to insert the "License & Documentation" diskette so the installer can copy the file named SERVER.LIC into its required location inside the KeyServer Data Folder. Also in the KeyServer Data Folder, the installer creates a file named Active Controls which plays the role of the old Active Keys file from previous versions. As installed, it contains only four keys for the special programs KeyAudit, KeyCheckout, KeySentry, and KeyVerify.
In order to prepare for the upgrade of your active KeyServer, it is safest and easiest to begin by duplicating the license control data on your running KeyServer. Select the KeyServer Data f folder in the Finder and then use the "Duplicate" command from the File menu (Command-D). Move the duplicate folder, KeyServer Data f copy, out of the System Folder onto the Desktop.
Drag the following files from KeyServer Data f copy into the new KeyServer Package 5.0/KeyServer Data Folder that was created by the 5.0 installer:
| Do not copy the old Authentication modules into the new KeyServer Data Folder since the installer has already placed the 5.0 versions in a subfolder. However, if you are using the Text File authentication method, you must drag the "Text File Users" data file into the Authentication Methods subfolder. |
The next step is to convert your existing keys and license management data from the old running KeyServer.
The format of the Active Keys file (and in fact any "keys" file) has been changed in order to support new functionality in KeyServer 5.0.
| There are some significant terminology changes in KeyServer 5.0. Most notable, the term "Controls" is now used in place of "Keys" to refer to the collection of usage limits and license options for a program. Where Keys used to be stored in a Keys file, now Controls are stored in a Controls file. The central file where all limits and options are stored has accordingly been renamed from "Active Keys" to "Active Controls". The term "key" is now used only in reference to the actual data removed from a program during the keying process. There are other related changes in terminology, which are explained in the "Getting Started" document. |
The first step is to rename the file Active Keys in the folder KeyServer Data f copy to Active Controls in preparation for converting the format. Then drag it into KeyServer Data Folder to replace the default file Active Controls that was created by the installer.
Next drag and drop this file, now named Active Controls, onto KeyConfigure 5.0 or open it from KeyConfigure's file menu. When KeyConfigure launches, you may be asked for a password. Just cancel, and then when KeyConfigure offers to convert the file, click the OK button. KeyConfigure will first make a backup duplicate named Active Controls (old) and then the file Active Controls will be converted to the new format and displayed in a window. The window will list a control item for each of your existing keyed programs.
KeyServer 5.0 ships with the latest versions of four pre-keyed programs: KeyAudit, KeyCheckout, KeySentry, and KeyVerify. The corresponding Controls are available in the file Standard Controls, which was used by the installer to make the default file Active Controls. But this default file was just deleted and replaced by the Active Controls file just converted from your old KeyServer. Thus the Controls from the file Standard Controls must be added back in to the file Active Controls in order to support the latest versions of the four pre-keyed utilities.
Use the "Open" item in KeyConfigure's File menu to open the file Standard Controls, which you will find in the same folder as KeyConfigure 5.0 itself: the Administrator subfolder inside the folder KeyServer Package 5.0. In the Edit menu, use "Select All" and then "Copy" to copy the four controls to the clipboard. Now, assuming your converted file Active Controls is still open from the step above, bring its window forward so you see the controls for all your old keyed programs. Select "Paste" from the Edit menu to add the four standard Controls.
At the bottom of the "name" column in the Active Controls window you will see a new total for the number of Controls in the merged file. You should double check that it is equal to your original number of keys plus four.
| It is more typical to open and modify the file Active Controls in KeyConfigure by connecting to a KeyServer. In the above case, however, KeyServer 5.0 is not yet running, so you must edit the Active Controls file "off-line" using Open from the File menu. You can tell that the window is actually opened off-line because it does not have a column in which to display software usage activity. |
Based on your familiarity with a previous version of KeyServer, it is probably obvious how to configure some of the parameters for the new standard Controls. At this point you may want to attach upgrade messages to the obsolete versions of KeyCheckout, KeySentry, and KeyAudit. Just like previous KeyServer versions, the steps for pasting in standard Controls must be performed every time you receive a new version of the pre-keyed utility programs.
If you don't already have KeyAccess installed on your old KeyServer computer, move a copy into the Extensions folder now. You don't need to restart at this point. Make sure KeyConfigure is not running and then launch KeyServer 5.0 on your active KeyServer computer. If you have a large KeyServer, you may be asked to launch a few times while KeyServer adjusts its memory requirements.
| Since this computer is already running your older KeyServer (as a system extension), your KeyServer serial number is already in use and the KeyServer 5.0 upgrade will not actually service clients. Nonetheless, watch the KeyServer launch for confirmation that the license certificate and Active Controls have been correctly loaded. |
With KeyServer 5.0 running, open the Chooser and select KeyAccess. You should see the name of your old KeyServer and also the new name "KeyServer 5.0". Select the new name "KeyServer 5.0" but don't bother to log on. Now quit the KeyServer 5.0 program.
Having completed the steps above, KeyServer 5.0 is ready to support all your existing keyed programs from all your existing clients. The one further configuration step that you will need to make immediately when switching over to KeyServer 5.0, is to reset the KeyServer name for use by AppleTalk and IPX clients.
Prepare to execute the following steps quickly so there will be only a very short gap in KeyServer service during the switch over:
KeyServer 5.0 is now supporting client logons from anywhere on the network. If you watch the KeyServer 5.0 status screen or watch the Users window in KeyConfigure, you should see the user count go up as old user sessions, which were active before the restart, connect to the new KeyServer 5.0 process. You may want to go to another computer to test a few keyed programs.
| In case of trouble, you can quickly revert to your previous KeyServer version. In the Finder, select the old KeyServer system extension that was moved to the Desktop in step 1. Use "Put Away" from the File Menu or Command-Y to move it back to the Extension folder. Then restart the Macintosh. |
The only thing left to do is to reactivate any network access restrictions or authentication requirements and reset a few other preferences.
| The KeyServer 5.0 default is to accept all client logons over all network protocols enabled on the host computer. With TCP/IP enabled, this may include access from anywhere on the world-wide Internet. You will probably want to either disable the IP protocol entirely (using the KeyServer status screen), or impose Network Access restrictions as described below. |
When the old format Active Keys file was converted, several preferences contained in it were discarded. This means you must use KeyConfigure to manually set the preferences to match those of your old KeyServer. In particular, you will probably want to change the password immediately since the upgrade reverts it to default value, "Sassafras".
Select each menu item in the Admin menu to reset your preferences as described below:
Type the default password "Sassafras" into the "current Administrator's Password" box. Enter your desired password in the two other boxes (capitalization is important) and click OK. Then open this dialog a second time and click on the "Assistant's Password" radio button. Enter the "current Administrator's Password" that you just updated, enter the desired "Assistant's Password" twice, and then click OK.
Under each of the network protocol tabs, it is obvious how to disable the protocol, but you can't block the protocol currently in use by your KeyConfigure session. The new Network Access dialog also includes the functionality of the old Location Filter and Zone Filter authentication methods.
In order to restrict TCP/IP to a particular network, just click on the "New..." button under the TCP/IP tab. Enter the network range in a format like 204.167.90.*, click OK, and then uncheck the "All IP Addresses" line item.
In order to mimic the action of the old Zone Filter authentication method, click on the AppleTalk tab, click the "New..." button, enter each zone name that you want to allow, and then uncheck the "All Zones" line item.
If your old KeyServer used Location Filter, then click on the "Import..." button and point to your old "Location List" file in order to import the settings. Close and reopen to see the effect of the import.
| In the old Location Filter method, group membership for a particular address was determined completely by the first address range that included the address. Subsequent lines with a range that also included the address had no effect, but in 5.0, subsequent lines that include this same address can augment the membership list. Typically, an old Location List will not include overlapping ranges, so the import will be faithful to the original meaning. |
As in previous versions, the default authentication method for KeyServer 5.0 is "All Authent". Select the authentication method that you wish to use and set the "Allow Guests" preference as desired. The Single Password and File Server methods will require a few obvious parameters. Notice that the Location Filter and Zone Filter methods are no longer available since their functionality has been taken over by the new Network Access options.
Set the desired auto-swap settings and log file options. In previous versions of KeyServer, this dialog gave you the option to "Log unkeyed programs". This setting is now enabled or disabled from the new "Unkeyed Actions" window. The default behavior of KeyServer 5.0 is to ignore unkeyed programs. If you want to mimic the old "Log unkeyed programs" setting, open the "Unkeyed Actions" window (Command-J) and change the "Default Action" from the green setting (ignored) to the yellow setting (logged). Later you will probably want to take advantage of KeyServer's new ability to customize logging behavior for individual programs.
You can set up the assistant privileges to match your old KeyServer settings. In the terminology of version 5.0, note that the settings dialog often uses the word "Control" in place of the old word "Key".
Set the versions of KeyAccess that are too old to use, and/or that should be upgraded to a newer version. You might want to change the message that is displayed for users who are running old or obsolete versions of KeyAccess.
This completes the upgrade of the KeyServer process to version 5.0 running on your existing KeyServer computer. With all the license control settings and options inherited from your previous version, support for both Windows and Macintosh clients should be identical to your previous version.
Unless you are about to move KeyServer to a new host computer, you should put an alias to the KeyServer program into the Startup Items folder (within the active System Folder) so that service will recover quickly after any restart.
Before moving KeyServer to a different computer, check the "Installation" section of the Getting Started chapter for hardware, network, and system requirements.
| If the new KeyServer host has a different TCP/IP address or if it will make use of different network protocols, you may have to reconfigure clients with the new address and reinstall KeyShadows. If you move KeyServer to a Windows 95, 98 or a Windows NT computer, the AppleTalk protocol is not supported and there is no support for the Macintosh based authentication methods (e.g. Users & Groups, Zone Filter, and File Server). |
 | In order to move KeyServer to a new Macintosh, it is just a matter of copying the folder KeyServer (which contains the KeyServer® program file and the KeyServer Data Folder) to the new computer. Remember to quit the KeyServer program on the old computer and remove its startup alias. |
 | In order to move KeyServer to a Windows 95 or a Windows NT computer, first install Windows KeyServer components using the Windows installer diskette. After installation, you will need to replace all of the default data files in the KeyServer Data Folder with the corresponding files from your Macintosh installation - replace only the files at the top level of the KeyServer Data Folder. Do not replace the sub-folders. |
|
If you are copying to a volume that only supports short file names (8.3
format), the KeyServer Data Folder will be called ksdata and you will have
to rename several files as follows:
Quit the KeyServer program on Macintosh and start up KeyServer on Windows. Remember to remove the startup alias from the Macintosh Startup Folder and place a shortcut to the KeyServer program, KS.EXE, into the Windows Startup group. If you are installing on Windows NT, you may want to consult the Administrator's Reference for details on how to setup KeyServer as an NT service. |
If clients accessing KeyServer via TCP/IP have been using a DNS name to reach your old KeyServer, reconfigure the address resolution in the DNS so that clients will now find the new KeyServer. Alternately, you may be able to configure the new server computer to use the old TCP/IP address.
If your old KeyServer was supporting Macintosh clients via AppleTalk, these clients will have to be reconfigured to use TCP/IP. Existing Windows clients using IPX will look for KeyServer by name, so be sure that you have set the KeyServer name to its old value.
| When KeyServer is running under Windows NT, the KeyServer name (used by IPX clients) is converted to all ALL CAPS, even if you specify the name in lower case letters using KeyConfigure. Hence, if your old KeyServer was supporting IPX clients and had a name with lower case letters, a move to NT requires that these clients will have to be reconfigured to use ALL CAPS. |
With KeyServer Package 5.0, KeyShadows still only run on Macintosh computers. Nonetheless, a KeyShadow running on a Macintosh can provide service to both Windows and Macintosh clients who have lost their connection to either a Windows or Macintosh-based KeyServer.
If installed KeyShadows are version 4.2.0.8 or higher, and your KeyServer 5.0 has the same IP address as the prior KeyServer, upgrading KeyShadows is not required. Of course if support for TCP/IP or IPX clients is newly enabled on your KeyServer 5.0, shadows will have to be re-installed anyway.
| Whenever the KeyServer IP address changes, any KeyShadows supporting TCP/IP must be reinstalled, regardless of whether there is a DNS name for KeyServer's IP address. |
The steps for installing shadows are unchanged from earlier versions. Remember to reconfigure the Shadow Hint List, if necessary, so clients will know where to look for TCP/IP and AppleTalk shadow service.
One of the paramount goals in designing KeyServer 5.0 has been to maintain backward compatibility with all of the older versions of KeyAccess as well as copies of programs that are already keyed. Once you have upgraded your KeyServer, you do not need to upgrade all of your clients immediately. KeyServer will tolerate any mix of client versions, so you can update your users' systems gradually when convenient. Of course, if you want to use some of the new KeyServer 5.0 functionality, your users will need to run the latest KeyAccess, and you should check the revision history for known bugs or incompatibilities that might effect specific old client versions.
The main new feature of KeyServer 5.0 that requires the upgrade to KeyAccess 5.0 is the support for unkeyed program control. Only the 5.0 version of KeyAccess is able to enforce launch limits for unkeyed programs, although unkeyed program usage on older clients will still be recorded in KeyServer's log files.
| |||
| Home | Support | Legal | Contact Us |
|