Administrator's Reference
|
|
|
KeyServer ® Administrator's Reference |
| |||
| Home | Support | Legal | Contact Us |
|
KeyCheckout |
|
A user must create a portable key to use keyed programs away from the network. KeyCheckout can be used to create portable keys, and can move portable keys from one disk to another. Portable keys moved from one disk to another with the Finder, File Manager, or Windows Explorer will not work for security reasons. KeyCheckout also has the ability to extend the check-out time limit on portable keys.
In order to use KeyCheckout to create portable keys, the user must be connected to the KeyServer. KeyCheckout is a special KeyServer-controlled program, so to enable all functionality, KeyCheckout must get permission to run from the KeyServer. The KeyCheckout key is stored in the Active Controls file, just like any other Control. As with any other Control, the version number must match between the application and the Control itself. The Standard Controls file shipped with KeyServer always contains the appropriate standard Control for the version of KeyCheckout included on the disk.
When KeyCheckout gets permission to run, the user is able to:
If for some reason KeyCheckout cannot get permission to run, it can still be used to move portable keys from one disk to another. The KeyServer administrator can use the authentication method to control who is allowed to use all of KeyCheckout's functionality, and thus control who is allowed to create portable keys. The administrator can then give KeyCheckout to all users, and only the authorized users of KeyCheckout will be able to create portable keys. Since all users have a copy of KeyCheckout, they can still move a portable key from one disk to another. The "move options" of each portable key can be set up to limit the number of times a portable key can be moved, or to disallow movement altogether (see Move & Use Options below).
All keyed programs that the KeyServer supports will not necessarily be available for portable use. First, a keyed program must be enabled for portable use in the Control Details dialog within KeyConfigure. Second, the KeyServer must have an available license to grant to the user. Finally, the user must belong to a group that is allowed to create and use portable keys for that specific program.
The KeyServer administrator has complete control over which programs can be checked out for portable use and how long they may be used, can decide who is allowed to create portable keys, and can see which users have currently checked out portable keys.
Note that portable keys cannot be restored from backup onto a machine that has crashed or been reinitialized for any reason, because the portable key will interpret the restore as a non-KeyCheckout move and disable itself. If you have to restore from backup a machine with a portable key, you must reissue the portable key after restoring the machine. See also Reclaiming a Portable Key, below.
The Portable Keys window lists all of the portable keys that a given user has on the mounted disks. If the users happens to be connected to a KeyServer, the Portable Keys window also shows the portable keys which that KeyServer has available. Portable keys saved on unmounted disks are not shown in the list.
Portable Keys can be made for and used by any KeyServer user, regardless of hardware platform. Macintosh or Power Mac users who launch KeyCheckout will see the portable Mac and Power Mac keys available for checkout, and Windows users will see any Windows keys that have been made portable.
Note that if you have designated some of your programs as portable but no information displays in the upper half of the portable keys window even when you're connected to the KeyServer (the window should look like the one below), you should make sure that you are using correct KeyCheckout Control: Does the version number of KeyCheckout match the version number of the key in the Active Controls Window? If the versions don't match, cut the KeyCheckout Control from the Active Controls file and replace it with the correct (newer) one from the Standard Controls file on the most recent KeyServer disk you received.
The Portable Keys window displays the maximum amount of time that each portable key can be used. When you check out a portable key, you can specify any return date from the present up to this maximum. Also listed are the return dates for any portable keys that are currently installed on the mounted disks. Any portable keys that are set to time out during the current day display only the time.
To check out a portable key, simply drag it from the KeyServer's list to one of the mounted disks. KeyCheckout will then prompt you for a return time, which can be any time between the present and the maximum allowed time.
Users running KeyCheckout 4.2 or later have the ability to sign out entire suites of applications. Signing out a suite license automatically signs out all the components of that suite, whether or not all the associated programs will be used. Each user has the option of displaying the suite components in the KeyCheckout window, by toggling the "Show Suite Members" selection located in KeyCheckout's File menu. Note that signing out a suite will give the user access to all suite components, whether or not the members are displayed in KeyCheckout's window.
On the right side of the window are displayed the time-lines for each portable key, giving a visual indication of the keys' return dates. Using these time-lines, you can quickly determine which keys will need to be extended for later return dates. Drag the vertical date marker to pinpoint a critical date (the corresponding date and time appear to the right of the triangle handle). Portable keys with solid black lines extending beyond the vertical date marker (like FrameMaker 5.5 in the picture above) will still be valid after the critical date, while those with solid black lines that fall short of the date marker (like ClarisWorks Suite in the picture) will expire before the critical date. The grayed portion of a portable key's time-line indicates the maximum possible return time. Most portable keys will expire before that maximum, but you can always extend the return time.
Sometimes, you may have a portable key that is set to expire sooner than you desire. In some cases, you can extend the return time on such a portable key. To extend the return time, first you must be connected to the KeyServer from which you obtained the portable key. Drag the extend box in order to extend the time on a portable key (the extend box is the small box that separates the solid part from the grayed part of a portable key's time-line). You can estimate the new return time, and then fine-tune it in the dialog box that appears. If you are not connected to a KeyServer, or if the KeyServer you are connected to is different from the one that granted the original key, the extend box will not appear. Furthermore, you will not be able to extend a portable key if other people are waiting in line to use the keyed program, or if the administrator has recently disabled the Control for the program.
 | A floating calendar window provides handy reference to a full monthly calendar, and also provides a hot-link to various features of KeyCheckout. For example, when specifying a return time for a portable key, clicking in the calendar window automatically enters the appropriate date and time. The current date always appears in gray. Also, when you click on a portable key in the main Portable Keys window, the calendar reflects the period during which the key is valid (valid dates are shown white-on-black). |
In order to get a portable key for a keyed program, first launch KeyCheckout while connected to the KeyServer. KeyCheckout must be able to get its key (which might require that you type a name and password). Once KeyCheckout is connected to the KeyServer and has permission to run, it will display a list of all of the keyed programs for which portable keys can be made. Find the desired program in the upper list, and drag it onto one of the local disks. You will then be asked how long you wish to use the program.
You can enter the return time that you require in one of two ways. If you know that you need the portable key for three days, for instance, enter "3 days" in the top text box. The date in the lower box is automatically adjusted to reflect this return time. If, on the other hand, you know that you need the portable key until a specific date, enter the date and time in the lower text box. The time period in the upper box is changed to match your return date. Note that you will not be able to use a portable key for longer than the specified maximum time, or past the specified maximum date.
| You can also use the calendar window in order to adjust the return date and time. Move the Return time dialog aside so that you can see the calendar window, and find the date that you need on the calendar. When you click on the date, the return times are changed to that date. You can then adjust the time to your exact needs. |
Once you have set the return time, click OK. KeyCheckout will forward your request to the KeyServer, which will determine if you can use the keyed program away from the network. Note that, just because you can use the keyed program on the network, this does not mean that you can use it off the network with a portable key. The administrator can set restrictions on a program-by program basis.
If the KeyServer granted a portable key, this key will be stored on the specified disk in a "Portable Keys (don't move)" folder or, on a Windows machine, in the PORTABLE.DIR directory, and will appear in KeyCheckout's main window. You can then use KeyCheckout to move the portable key from one disk to another. Each portable key is created with default restrictions on use and portability. To change these options, double click on the portable key in KeyCheckout's main window. This will bring up the Move & Use Options dialog box, described below.
Occasionally you may want to reclaim a portable key, for example if you give someone a disk with an extended-length portable key and the disk gets lost or the key becomes otherwise useless.
To reclaim a portable key, open KeyConfigure on a Macintosh and find the portable key user in the Users. Double-clicking on the portable key user will display a dialog asking you if you want to return the key to KeyServer or make a copy on your local system.
Once you have returned the portable key in this manner, go into the users window and you'll see that the original user is no longer listed as having that application either in the Users or the Active Controls window.
 | When KeyCheckout makes a portable key on Windows it places the key in a file called PORTABLE.PKY which is placed in the PORTABLE.DIR directory on the selected disk (or within the Windows directory). Moving either this file or directory via DOS, the File Manager, or Windows Explorer is a security violation and will disable the key. If you need to move the portable keys file (for instance from the hard drive to a floppy) you must use KeyCheckout to perform the move. |
| When KeyCheckout makes a portable key for a Macintosh, it places the key in a folder called "Portable Keys (don't move)". This folder is normally placed in the main window or "root directory" of the disk on which it is created. If the portable key is created on or moved to the System disk, it is placed in the Portable Keys (don't move) folder that is located in the Preferences folder. |
When a user double-clicks on a keyed program, KeyAccess always checks for the presence of a portable key for that application before asking the KeyServer for network license. On the Macintosh KeyAccess checks all local disks. On a Windows machine, KeyAccess checks the local disks and drives that have been selected in KeyCheckout's Scannable drives dialog. Each Windows user specifies the drives he or she wants both KeyAccess and KeyCheckout to scan for portable keys.
As a rule, Windows users who are launching portable keys from a floppy disk should set both their hard and floppy drives to be scanned. Windows users running a portable key off their hard drive, or who are not running portable keys at all, can exclude their floppy drives from the search.
On both Macintosh and Windows, if no portable keys for the keyed program are found, KeyAccess tries to get a license from the KeyServer (of course, the user might not be on the network, in which case the attempt will fail).
As mentioned before, portable keys copied or moved via the Finder, File Manager, or Windows Explorer will not be usable. For security reasons, KeyCheckout is the only program that knows how to properly move a portable key so that it is still usable by the keyed program.
When a portable key is made, the person who creates it may place restrictions on the number of times that the key may be moved, and may also specify that the portable key must be moved to a System disk before it can be used.
Once you create a portable key, double-click on it in the lower list in the KeyCheckout window. A dialog box will appear that details the location, time limit, and options settings for that portable key. To control the number of times a portable key can be moved, choose one of the three top buttons. The option Key can be moved as often as needed places no limits on the number of times a user can move a portable key (but the portable key will never exist on more than one disk). The option titled Key can be moved only one more time allows the user to move the key from its present disk to another disk. Once moved, the key cannot be moved again. The last option, Key cannot be moved again, effectively locks the portable key onto the disk. This last option is very useful if you wish to load a portable key onto a portable computer, and "dedicate" the portable key to that computer.
Four checkboxes allow you to customize the security of portable keys. The options Must be used from System volume, Can't be used with a floppy System disk, and Use strong calculation of current time make it more difficult for changes in the system clock to allow unauthorized use of a portable key beyond its expiration time. The option Can't be moved onto a floppy disk prevents users from employing a disk-copy program to duplicate portable keys.
The settings pictured in the dialog below provide the most security, but do not get in the way of proper use of the portable key. For this keyed program, the administrator has allowed the user to move the key one time after initial creation. This allows the user perhaps to bring the portable key home and transfer it to a personal hard drive, on which it will remain for the duration of its use.
In some situations, floppy disks are necessary to transport a portable key from one location to another. For example, a user might need to create a portable key at work, and then take it home to use the keyed program there as well. Because of the utility of floppy disks, KeyCheckout will create portable keys on a floppy. However, this presents a security risk, as there are programs that will "bit copy" floppy disks, and can therefore be used to make one portable key into many. For this reason, it is recommended that you place portable keys on floppy disks only when absolutely necessary.
Although file servers are useful for sharing files, KeyCheckout will never place a portable key on a remotely mounted file server. Furthermore, you cannot send portable keys via electronic mail or any other network file transport. Only KeyCheckout can move a portable key from one place to another.
| |||
| Home | Support | Legal | Contact Us |
|