KeyServer® Administrator's Reference
KeyShadow
One of KeyServer's major benefits is that it provides centralized management of an entire library of programs over a network. This benefit is also a potential pitfall: If license service is not available at all times, users could be left without access to needed programs, and would therefore be locked out of getting their work done. If your network is not entirely robust, and some of your users cannot use programs critical to their work, the benefits of central management diminish.
To solve the problem of this single point of failure, KeyServer implements a network-redundancy strategy called shadowing. With shadowing, the network administrator sets up automatic backup servers called KeyShadows in critical locations around the network. KeyShadows maintain a network connection to the main KeyServer, and automatically take over service for the KeyServer whenever this connection is broken. When the connection is re-established, the KeyShadow passes service back to the central KeyServer. This process is transparent to the users of keyed programs running under any version of the Mac or Windows operating systems, regardless of which protocol they are using to connect to the KeyServer.
When the network connection to a file server is broken, programs run from the file server are shut down almost immediately, and work in progress can be lost without warning. In contrast, when the network connection to a KeyServer is broken but is re-established within about ten minutes, KeyServer users will not notice the break. If the connection is not re-established within ten minutes, users are asked to quit any KeyServer-controlled programs (unless the Controls have the "detachable" bit set, in which case users can continue running their current sessions of those applications without interruption). Even if a user ignores repeated dialogs requesting that KeyServer-controlled programs be quit, the client software never puts work in progress at risk.
The two main reasons for loss of service are: problems on the KeyServer machine; and failed network bridges, routers, or hubs. You can prepare for these eventualities by having backup KeyServers, called KeyShadows, ready at other computers on your network. First, you need to install KeyShadows at critical locations throughout your network. The sections Installing a KeyShadow and Where to place KeyShadows describe how and where to install shadows.
KeyShadows can be installed at any time, on any computer on the network (other than the KeyServer computer), and in as many locations as necessary, even when the network is down. Theoretically you can place a shadow on every computer on your network. However, in practice you should choose a few optimal locations, as every running shadow adds to the network traffic and requires some memory from the machine on which it runs. The section Where to Place KeyShadows in this chapter gives some hints for deciding which locations are optimal on your network.
A KeyShadow is simply a KeyServer installation that has a "shadow license" installed instead of a full "server license" (your server license must be installed on only one computer). The executable file needed to implement a KeyShadow is the same "KeyServer" (ks.exe) program file that implements the server process. Whether the KeyServer program file executes as a server or as a shadow is determined solely by the license that is installed.
In order to set up a shadow you first need to get a shadow license, which you can do in either of two ways. Each time your main KeyServer starts up, it creates a shadow license named "shadow.lic" in the KeyServer Data Folder, in a subfolder named "Other Licenses". This license can be copied to a floppy disk, sent via e-mail, or otherwise transported to the computer that will run the shadow. The second way to get a shadow license is to create it within KeyConfigure. With KeyConfigure connected to the server, choose "Create Shadow License" from the Shadows menu.
Every shadow license has an associated password that will be required the first time you launch the shadow process with the license in place. By default, this password is "Sassafras", but you should change this default before putting any shadow license to use: the password is what stops a copied shadow license from being brought into service on a machine of someone's choosing (see the copying limitation described later in this chapter). With KeyConfigure connected to the server, choose "Set Shadow Password" from the Shadows menu, and type the new password. This password will be used by KeyServer when it creates a shadow license in the Other Licenses folder (a new license is created immediately whenever you set a new password). It will also be used any time you create a shadow license with KeyConfigure, unless you explicitly enter a different password in the Create License dialog.
Shadow licenses created by KeyServer and by KeyConfigure are identical (except perhaps for the shadow password). There is no benefit to using one method of creating the shadow license over the other, so use whichever is most convenient. Shadow licenses can be duplicated and used on as many different computers as you need, wherever you decide to install a shadow. They can be sent via e-mail, or transferred using a floppy disk, a file server, or any other means available. However, the text contents of a shadow license cannot be modified; a modified license is invalidated and will not be recognized by KeyServer.
Once you have a shadow license, you need to install server software (the KeyServer program) on the computer that will run the shadow process. Use the appropriate server installer for the target platform and follow the instructions in the Getting Started chapter for a KeyServer install. If you want the KeyShadow program to run in background with no visible interface, use the installer's Custom option for creating a Service or Background-Only task.
When the server installer has finished, place a copy of the shadow.lic file into the KeyServer Data Folder. You must not use the server.lic file on any computer other than the KeyServer itself, but the shadow.lic file can be used on as many computers as you like. Note that if you mistakenly place a shadow.lic file into a KeyServer Data Folder that already has a server.lic file, the shadow.lic will take precedence (unless it is buried in a subfolder).
Finally, with the program and license installed, launch the KeyServer program file (which will run as a shadow because of the license). For the first launch, you will be prompted to enter the shadow password, and then the shadow process will be started. Subsequently, whenever the shadow computer is restarted, a startup item will automatically launch the KeyShadow process with no password required.
When you install a shadow as an NT service (the default install under Windows NT) you need to launch the program once as an application in order to enter the shadow password. After inserting the shadow.lic, double-click on the KeyServer shortcut or on ks.exe in Windows NT Explorer and enter the shadow password. The KeyShadow status window appears, confirming the successful launch. The shadow is at this point running as an application, but will run silently as an NT service after the next restart of that computer.
Once running, the shadow will download all pertinent information from the main KeyServer. The following files are mirrored on the shadow:
KeyShadows will periodically update these files so that they contain the latest settings. When you change something on the KeyServer, those changes should be reflected on all shadows within 30 minutes, providing the network connection is available.
There should be no need to configure individual shadows. All configuration is done on the KeyServer, and changes are propagated automatically to all shadows within 30 minutes. You can force a shadow to update its information immediately by using the Sync Shadow Now command in KeyConfigure.
The Shadows Window is available by selecting "Show Shadows" from the Shadows menu. It shows you the extent and current state of all the shadows on the network. Note that all KeyShadows found on your network are listed, regardless of which KeyServer they are shadowing. Thus, even if your KeyServer is not available (due to network failure or a crashed KeyServer machine), you can still locate your KeyShadow servers to determine what state they are in.
The Shadows window has three columns. The first column lists the location of each KeyShadow: the computer name and the zone name for AppleTalk shadows; the TCP/IP address of the shadow machine for TCP/IP shadows; and the name followed by "@IPX" for an IPX shadow. The second column indicates the current state of the KeyShadow (states are detailed in the next section). The final column gives the time at which the KeyShadow last synchronized its license data with the KeyServer.
Note that a given machine can appear up to three times beneath a given KeyServer. If for instance a shadow has been installed to serve clients across all three possible protocols, that shadow machine will appear three times in the Shadows window (once for each protocol).
You can tell which protocols a given machine is supporting by clicking on a line item you know belongs to that machine. A small arrow will appear to the left of that line item; if that shadow is supporting other protocols, arrows will simultaneously appear next to the appropriate line item in the earlier, or later, sections.
If for example you know the IP address of a shadow machine, and click on it, you'll see the arrow appear next to that IP address. If you scan up and see a second arrow next to a line item in the AppleTalk section, you know that that shadow is also supporting AppleTalk users. If you scan down and see an arrow next to "name@IPX" you know that that shadow has been enabled to support IPX users, as well.
When first displayed, the Shadows window lists the KeyShadow servers by location in alphabetic order. Click the Location, State, or Last Synchronized headings to change the order in which KeyShadows are listed. You can re-scan the network for KeyShadows at any time by using the "Start Searching" command in the Shadows menu.
If you are having difficulties with your network, this window might not list all of the KeyShadows that you have installed. This indicates either that a portion of your network is not reachable from the computer on which you are running KeyConfigure, or that the computer on which the KeyShadow is installed is currently turned off.
On large networks, waiting for KeyConfigure to search in all zones for installed shadows can take a long time. The Shadow Search Filter provides a way for you to tell KeyConfigure which zones to search, thus decreasing the time it takes to find all of your shadows. Optionally, KeyConfigure will search through the entire network after it has looked for shadows in the Shadow Search Filter.
To edit the Shadow Search Filter, choose the "Shadow Search Filter" command from the Shadows menu. A window appears containing all of the zones on your network that are visible (if you are having network difficulty, some or all of the zones may not be listed). Zones marked with a check will be searched (in alphabetical order) before unchecked zones. Place a check mark next to a zone by clicking on the zone name.
If you know that there are no shadows in the zones that are left unchecked in the Shadow Search Filter, KeyConfigure does not need to search those zones at all. To search only the checked zones, select the "Search checked zones only" button.
In order to help KeyAccess more quickly locate a shadow server in an emergency, you can select a set of AppleTalk Zones (for AppleTalk clients) and enter a list of IP addresses (for TCP/IP clients).
To specify where your shadows are, choose "Shadow Hint List" from the Shadows menu in KeyConfigure. The Shadow Hint List dialog appears:
The list on the left of this window contains all of the AppleTalk Zones on your network. Clicking on one of the Zones places a checkmark beside it, indicating that you have placed a KeyShadow in that Zone. If there turn out to be no shadows in a checked Zone, KeyAccess clients using AppleTalk will look for a shadow in another Zone. Furthermore, if a KeyAccess client using AppleTalk does not find any shadows in the checked Zones, it will search the entire network (including the Zones that are not checked).
The list on the right contains the IP addresses of your TCP/IP-enabled KeyShadows. When you run a newly installed KeyShadow that supports IP, that shadow will contact the server and add its address to the shadow hint list. To enter a new IP address, type it in the text box and click Add. Up to 100 IP addresses can be specified. As in the AppleTalk case, you do not have to have a KeyShadow installed at every address in the list; a KeyAccess client using TCP/IP will look for a KeyShadow at a different address. However, unlike AppleTalk, if no shadow is found at any of the IP addresses listed, users connected to the KeyServer via TCP/IP will not be able to get any service from KeyShadows.
Note that when entering the locations of your TCP/IP-enabled KeyShadows, you must use the IP address, and cannot specify the IP host name. When KeyShadows are needed, presumably you are experiencing network problems. At these times there is no guarantee that any Domain Name Servers (DNS) are reachable on your network (if any are installed in the first place), so mapping an IP host name to an address is unreliable.
Each KeyAccess will update its copy of the appropriate Shadow Hint List the next time it connects to the KeyServer.
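The two rules above (IP address literals only, at most 100 entries, and an IP client that walks the list and gets nothing if no entry answers) are easy to get wrong when the list is maintained by hand. The following is an added example, not code from the KeyServer manual or from Sassafras Software, that checks candidate hint list entries and walks a list the way the text describes. Beyond what the page states, it assumes the client tries entries in list order, uses a stand-in probe function in place of the real network check, and adds its own rejection of loopback, unspecified and multicast addresses.

```python
"""Checks for Shadow Hint List entries, and the client-side walk of that
list. Added example; not code from the KeyServer manual or from
Sassafras Software. Assumptions beyond the page: the client tries the
entries in list order, and the probe function is a stand-in for the
real network check."""
import ipaddress

MAX_HINT_ENTRIES = 100  # limit stated in the manual


def validate_hint_list(entries):
    """Return (accepted, rejected) for candidate hint list entries.

    Host names are rejected because DNS may be unreachable during the
    very outage in which the list is used. Duplicates are dropped and
    the list is capped at MAX_HINT_ENTRIES. Rejecting loopback,
    unspecified and multicast addresses is an extra check of this
    example, not a rule from the manual.
    """
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        text = raw.strip()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            rejected.append((text, "not an IP address literal; host names are not allowed"))
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            rejected.append((text, "not a usable unicast address"))
            continue
        key = str(addr)
        if key in seen:
            rejected.append((text, "duplicate"))
            continue
        if len(accepted) >= MAX_HINT_ENTRIES:
            rejected.append((text, "hint list is full"))
            continue
        seen.add(key)
        accepted.append(key)
    return accepted, rejected


def find_shadow(hint_list, probe):
    """Walk the hint list in order and return the first address for which
    probe(address) is True, or None when no listed shadow answers.

    None is the case the manual warns about: an IP client whose listed
    addresses all fail gets no shadow service at all.
    """
    for addr in hint_list:
        if probe(addr):
            return addr
    return None


if __name__ == "__main__":
    # Constructed sample input: two valid addresses, a host name, a repeat,
    # and loopback.
    candidates = ["10.1.2.3", "shadow.example.edu", "10.1.2.3", "127.0.0.1", " 10.2.0.9 "]
    ok, bad = validate_hint_list(candidates)
    print("accepted:", ok)
    for entry, why in bad:
        print("rejected:", entry, "-", why)
    # Simulated outage: only 10.2.0.9 answers.
    print("serving shadow:", find_shadow(ok, lambda a: a == "10.2.0.9"))
```

Running the script with the constructed sample rejects the host name, the duplicate and the loopback entry, keeps the two usable addresses, and reports 10.2.0.9 as the shadow a client would reach when that is the only one answering.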
KeyShadows can be placed on any computer on your network, even when the network is down. This is useful if your network fails unexpectedly and isolates users from the KeyServer and any previously installed KeyShadows. Once the network heals, you may wish to remove or disable certain temporarily placed shadows.
To permanently disable a KeyShadow, open KeyConfigure and show the Shadows window. When the desired shadow appears in the list, select it and then choose the "Disable KeyShadow" command from the Shadows menu. The KeyShadow is disabled immediately, and the shadow password will have to be entered again before that shadow can provide service. You might then go to the computer on which the shadow was running and drag the now-unusable shadow files to the trash, but this is not necessary. Note that you can only disable a shadow that is monitoring the KeyServer to which your current KeyConfigure session is connected; you cannot disable a shadow belonging to a KeyServer to which you are not connected.
At times you may wish to temporarily deactivate certain KeyShadows. For example, when you are analyzing your network, you might want to cut down on unnecessary network traffic. When a KeyShadow is inactive, it suspends all network polling until it is re-activated. To deactivate a shadow, select it in KeyConfigure's Shadows window and choose "Deactivate KeyShadow" from the Shadows menu. When you want the KeyShadow to resume shadowing, either choose "Activate KeyShadow" from the Shadows menu or restart the shadow program.
A KeyShadow can be in one of several states, depending on the integrity of your network and the locations of other KeyShadows. The Shadows window lists the state of any KeyShadow found on your network. If you double-click on any shadow in the Shadows Window, the following summary window appears:
The possible states and descriptions for Shadows are:
A KeyShadow will distribute licenses to users only when it is in the Serving state.
It is possible, and perhaps even common, for a shadow supplying service across more than one protocol to reflect one state for one protocol and a different state for the second and/or third protocol. For instance, if AppleTalk is functioning fine but your IP network is broken in some way, the AppleTalk (and perhaps IPX) shadow status might be Deferring, or Shadowing, while the IP state would be shown as Serving.
KeyShadows allow users to run keyed software without connecting to the main KeyServer. For this reason, you should make sure KeyShadows are not taken from the computers on which they were originally installed. Each KeyShadow performs a check every time it starts up, just to make sure it has not moved to another disk. Furthermore, as explained in the next section, KeyShadows cannot provide extended service without periodically contacting the main KeyServer.
You should be aware of the security exposure that KeyShadows introduce, and install KeyShadows accordingly. If possible, install your shadows on Macs that are already running other network services, such as local AppleShare file servers, mail servers, or print servers. These machines are often physically secure, or at least are not in personal use, so the KeyShadow files are less likely to be accidentally copied or removed.
The security of your main KeyServer is even more important. KeyServer does not employ the limited copy protection that KeyShadow does, so if someone copies your KeyServer (and the license information contained in the Active Controls file), they will be able to run keyed programs without the permission of the real KeyServer. Just as important, if two copies of the same KeyServer are running on the network, your shadows and users will get confused. For this reason, each KeyServer periodically searches the network for other copies with the same server ID, and posts a message if another copy is ever found. You can then look in KeyConfigure's Shadows window to determine the location of the duplicate KeyServer. Previous versions of KeyServer would shut down if a duplicate was found on the network. This is no longer the case; newer versions of KeyServer inform you that another copy of your KeyServer has been found. Use the Shadows window to help locate and shut down the conflicting KeyServer before it has a chance to confuse your users and the shadow service.
KeyShadows are emergency backup KeyServers, and hence should not be used for day-to-day license service. There are limitations built into each KeyShadow that serve to lessen a shadow's impact on the host computer and network, and discourage improper use. These limitations are reasonable, and you should never encounter them if KeyShadows are installed and used as intended.
An individual KeyShadow will honor the concurrent use maximums for each keyed program, but since there is no communication between shadows, there is no ongoing reconciliation of the in-use counters. When your network is fixed after a network failure, KeyServer will bring the entire network back into compliance with the concurrent use maximum, even if the failed network forced the in-use count to exceed the global network limit.
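The preceding paragraph describes a consistency gap that is worth seeing concretely: each shadow enforces the maximum it mirrored from the KeyServer, but only over the launches it sees. The following is an added example, not code from the KeyServer manual or from Sassafras Software, that models two isolated shadows serving a two-seat program and then the KeyServer absorbing their counts when the network heals. The reconciliation policy it uses (sessions already running are left alone; no new launch is granted until the count is back under the maximum) is an assumption of the model; the manual says only that the KeyServer brings the network back into compliance.

```python
"""Why two KeyShadows can, between them, exceed a concurrent-use maximum
during a network partition, and what reconciliation looks like once the
KeyServer is back in view. Added example; not code from the KeyServer
manual or from Sassafras Software. The reconciliation policy modelled
here (sessions already running are left alone, no new launches are
granted until the count is back under the maximum) is an assumption;
the manual only says the KeyServer brings the network back into
compliance."""


class LicenseCounter:
    """One license-counting process: the KeyServer, or a single KeyShadow
    that mirrored the server's maximums. It honours the maximum for the
    launches it sees, and sees nothing of other shadows' launches."""

    def __init__(self, maximums):
        self.maximums = dict(maximums)               # program -> concurrent-use maximum
        self.in_use = {p: set() for p in maximums}   # program -> clients running it

    def launch(self, program, client):
        """Grant or refuse a launch; returns True when granted."""
        users = self.in_use[program]
        if client in users:
            return True                              # already counted
        if len(users) >= self.maximums[program]:
            return False                             # this counter's view of the limit
        users.add(client)
        return True

    def quit(self, program, client):
        self.in_use[program].discard(client)


class KeyServerModel(LicenseCounter):
    def reconcile(self, shadows):
        """Absorb each shadow's in-use sets when the network heals and the
        shadows hand service back. Returns {program: (in_use, maximum)}
        so any excess caused by the partition is visible."""
        for shadow in shadows:
            for program, users in shadow.in_use.items():
                self.in_use[program] |= users
                users.clear()
        return {p: (len(u), self.maximums[p]) for p, u in self.in_use.items()}


def simulate_partition():
    """Constructed scenario: one program licensed for 2 concurrent users,
    two shadows isolated from the server and from each other."""
    maximums = {"CAD": 2}
    server = KeyServerModel(maximums)
    east = LicenseCounter(maximums)   # each shadow mirrors the server's limits
    west = LicenseCounter(maximums)

    # During the partition each shadow enforces the maximum on its own.
    east_results = [east.launch("CAD", c) for c in ("e1", "e2", "e3")]  # [True, True, False]
    west_results = [west.launch("CAD", c) for c in ("w1", "w2")]        # [True, True]

    # Network heals: 4 users are running a 2-seat program.
    report = server.reconcile([east, west])
    return server, east_results, west_results, report


if __name__ == "__main__":
    server, east_results, west_results, report = simulate_partition()
    print("east launches:", east_results, "west launches:", west_results)
    print("after reconciliation:", report)
    print("new launch granted while over the limit?", server.launch("CAD", "new"))
    for c in ("e1", "e2", "w1"):
        server.quit("CAD", c)
    print("new launch granted once back under the limit?", server.launch("CAD", "new"))
```

The third launch on each shadow is refused, so each shadow individually honours the maximum, yet after reconciliation the server sees four users of a two-seat program. Nothing running is interrupted; the excess drains as users quit, and new launches are refused until then.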
Limitations fall into three categories: copying limitations, time limitations, and feature limitations. There is one copying limitation: You can copy the KeyShadow installation to a different computer, but in this case you will have to re-enter the shadow password. This limitation prevents users from moving the powerful KeyShadow file and its license data to a personal machine, which would otherwise give them full access to keyed programs.
Time limitations act to enhance a KeyShadow's security, and include the following:
Continuous service time limit: In case of network or KeyServer failure, KeyShadows automatically begin serving users of keyed programs. The network technician or KeyServer administrator is thus given ample time to fix the problem, and users are not blocked from running keyed programs. However, KeyShadows will only provide continuous emergency service for up to seven days, after which they will become inactive. This does not mean that KeyShadows will be totally useless if the network is not fixed within seven days. KeyShadows can be re-activated in one of two ways. First, anyone can restart the KeyShadow program. Second, the KeyServer administrator can use KeyConfigure to activate the shadow. In either case, the shadow will again start serving emergency licenses (unless the KeyServer has come back into view).
Stand-alone service time limit: KeyShadows must periodically communicate with the main KeyServer in order to update old license information and learn about new keyed programs. If a shadow has not contacted the main KeyServer after two months, it will permanently disable itself. This limit is necessary only when a KeyServer is permanently removed from service, and also enhances the security of KeyShadows, should an unauthorized user obtain a working copy.
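The two time limits interact with the re-activation rules above in ways that are easiest to follow as a state machine. The following is an added example, not code from the KeyServer manual or from Sassafras Software, that models a shadow moving between the states the manual names (Shadowing, Serving, Inactive, Disabled) under a simulated clock. Its assumptions beyond the page: "two months" is taken as 60 days, time advances in coarse ticks, and re-activation restarts only the continuous-service clock, not the stand-alone clock.

```python
"""Model of the two time limits built into a KeyShadow: seven days of
continuous emergency service, and two months without contacting the
KeyServer. Added example; not code from the KeyServer manual or from
Sassafras Software. State names follow the manual (Shadowing, Serving,
Inactive, Disabled); reading "two months" as 60 days, the coarse tick
clock, and the rule that re-activation restarts only the
continuous-service clock are assumptions of this model."""
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
CONTINUOUS_SERVICE_LIMIT = 7 * DAY    # manual: up to seven days of continuous service
STANDALONE_LIMIT = 60 * DAY           # manual: "two months" without contact (assumed 60 days)


@dataclass
class KeyShadowModel:
    now: int = 0                      # simulated clock, seconds
    state: str = "Shadowing"          # connected to the KeyServer, not serving
    last_sync: int = 0                # last successful contact with the KeyServer
    serving_since: Optional[int] = None

    def tick(self, seconds: int, server_reachable: bool) -> str:
        """Advance the clock by `seconds` and return the resulting state."""
        self.now += seconds
        if self.state == "Disabled":
            return self.state                     # permanent; needs the shadow password again
        if server_reachable:
            self.last_sync = self.now
            self.state = "Shadowing"              # service handed back to the KeyServer
            self.serving_since = None
            return self.state
        if self.now - self.last_sync >= STANDALONE_LIMIT:
            self.state = "Disabled"               # stand-alone limit: disables itself
            self.serving_since = None
        elif self.state == "Shadowing":
            self.state = "Serving"                # KeyServer out of view: take over
            self.serving_since = self.now
        elif self.state == "Serving" and self.now - self.serving_since >= CONTINUOUS_SERVICE_LIMIT:
            self.state = "Inactive"               # seven days of continuous emergency service
            self.serving_since = None
        return self.state

    def reactivate(self, server_reachable: bool) -> str:
        """A restart of the shadow program, or "Activate KeyShadow" in
        KeyConfigure. Serves again unless the KeyServer is back in view."""
        if self.state == "Disabled":
            return self.state
        if server_reachable:
            return self.tick(0, True)
        if self.state == "Inactive":
            self.state = "Serving"
            self.serving_since = self.now
        return self.state


if __name__ == "__main__":
    shadow = KeyShadowModel()
    steps = [
        ("day 1, server up", shadow.tick(DAY, True)),
        ("10 minutes after the link breaks", shadow.tick(600, False)),
        ("3 days into the outage", shadow.tick(3 * DAY, False)),
        ("7 days into the outage", shadow.tick(4 * DAY, False)),
        ("administrator re-activates", shadow.reactivate(False)),
        ("link restored", shadow.tick(DAY, True)),
        ("60 days with no contact", shadow.tick(60 * DAY, False)),
        ("link restored, too late", shadow.tick(0, True)),
    ]
    for label, state in steps:
        print(f"{label:36} -> {state}")
```

The run shows the shadow taking over service when the KeyServer drops out of view, going Inactive after seven continuous days, coming back to Serving on re-activation, and finally disabling itself permanently once 60 days pass without a sync; a restored link after that point does not revive it.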
KeyShadows are intended to provide emergency service only, and certain features are not useful when the network is having trouble. There is only one main limitation in this category:
No (new) portable keys: Due to the complexity (and the probable infrequency) of checking out portable keys, KeyShadows will not issue portable keys. Of course, portable keys issued in the past from the main KeyServer will continue to work. In order to obtain a new portable key, users will have to wait until the network is fixed or the KeyServer comes back on-line.
It is important that you use KeyShadows the way they were intended: as emergency backup license servers. You should not rely on them for extended periods of time, because more than the licensed number of users could then run keyed programs. In any case, the KeyShadow time limitations make extended use infeasible.
The optimal locations for KeyShadows vary from one network to the next. Where you place shadows greatly depends on the size of your network, how it is configured (how your Zones and IP network are set up and where your routers and bridges are located), and what type of hardware you are using (LocalTalk, Ethernet, Token Ring, etc.) Consult with people at your site who are familiar with the details of network outages that have occurred in the past. This information will help you anticipate the kinds of failures that are likely to occur and how to shield against the consequences.
Some of the issues that you should consider when installing KeyShadows are listed below. You will probably have other concerns particular to your network, which will also affect where KeyShadows are placed.
Rules of thumb: Consider installing one KeyShadow for every thirty to forty computers on your network. If you place one shadow per AppleTalk Zone, IP subnet, or IPX network, you will probably be in good shape. If you place one shadow on each network wire (where there are multiple network wires per zone/subnet), you could gain protection against a few more failure modes, but it may not be worth the extra administrative effort. In the extreme, you could install a KeyShadow on every computer on your network. However, this might generate more traffic than it's worth to protect against a very rare occurrence.
DO place a shadow on a remote network site. If your network includes remote sites that are connected via leased-line or other "weak" links, install at least one KeyShadow at each remote site. Each remote site should have additional shadows as suggested.
DO place shadows on the portions of your network that are failure-prone, or that have failed repeatedly in the past. Often networks are made up of several different types of hardware wiring, and support routers and bridges from multiple vendors. This means that there may be parts of your network that are more robust than others, and parts of your network that are always under repair. You should install a shadow on these unstable portions of your network.
DO place shadows on all networks that are directly connected to a newly installed router or bridge. If you are testing a new router, or you have just connected two networks with a new router, your network is more prone to trouble than normal. Install a KeyShadow on each network wire that is directly connected to the new router. When you are confident that the new router is properly configured and working, you can scale back the installed KeyShadows.
DO NOT place your only shadow in the same zone/subnet as the KeyServer. Failure of the KeyServer machine is extremely rare, while loss of communication to the KeyServer zone/subnet is more frequent and would also prevent access to the shadow. If you decide to install a small number of KeyShadows on your network, you should distribute them over your network, and not concentrate them on one portion of the network.
DO NOT place a shadow on a portable computer. Use portable keys to guarantee portable computer access to keyed programs while away from the network.
DO NOT install a KeyShadow on a computer that has no network connection in place. The shadow will not be able to communicate with the server to gather initial settings and license details, so it will not be useful. Emergency support for a standalone computer can be provided using portable keys. See the KeyCheckout section for details on using portable keys.
Hardware specifics: Client computers must be able to access the network to communicate with the KeyShadow (unless the client itself had a KeyShadow installed at the time of the failure). Depending on how a network is built and how it has failed there may be cases when a client cannot communicate over the network at all, so only clients that are themselves running KeyShadows will be protected. For example, an Ethernet running on thick or thin coax cabling that has become shorted out or lost its termination resistor will not transmit any packets on the open or shorted segment. In the case of a 10BaseT Ethernet, power loss at a 10BaseT hub or concentrator will break all network communication to each of the nodes supported by the hub. In the case of LocalTalk network cabling, a short to ground or a short across the signal lines will have a similar effect on all computers on the shorted segment.
A more common failure mode, regardless of transport medium, is the failure of network routers or bridges. Traffic across the broken bridge is impossible, but communication is fine on each side of the break, so users are supported by KeyShadows.
All network failures are different, so there is a chance that your shadows might not protect some computer during a network problem. The best way to solve this problem is to install a KeyShadow on the part of your network that is not being served by the KeyServer or a shadow. To do this, locate any existing shadow, copy the entire KeyServer Data Folder from that shadow to the new shadow computer, run the KeyServer program, and type the shadow password when prompted. When your network is again whole, you can either leave the KeyShadow in place or disable it using KeyConfigure. Remember that the more shadows you have on your network, the more traffic you will have, so you should try to keep a basic set of shadows that are installed all the time, and then install other shadows in emergencies, removing them when the emergency has passed.