KeyAccess

The Windows client OS must include the Windows Management Interface (WMI) in order to fully support K2's hardware audit functionality. WMI is not necessary for gathering some basic hardware information (e.g., ethernet hardware address and free disk space) or for auditing software. WMI is included as a standard part of Windows beginning with Windows 98. It can be added to Windows 95 with a component installer from Microsoft.

By default, KeyAccess settings are stored globally for all users in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyAccess

The KeyAccess installer provides an option to install settings individually for each user account. When present, these per-user settings will take precedence:

    HKEY_CURRENT_USER\Software\Sassafras\KeyAccess

A third option is to read all settings from the file "keyacc.ini" which is located in the WINDOWS (or WINNT) directory. Unless a site has a specific reason to store settings uniquely for each user or to avoid the registry altogether, the default should be used. Note: The file keyacc.ini is created in all cases and contains an entry specifying what registry entry, if any, to use.

The client installer (K2Client.exe or K2Mobile.exe) contains both an .exe and an .msi-based installer. The .msi is used unless the OS is older (Windows 9x or NT) and has not been retrofitted with MSI support. Sites using a GPO or other means of distribution may need to extract the MSI in order to facilitate deployment. In the Miscellaneous folder of the K2 image archive, there is a tool called "k2clientconfig.exe" that will do the extraction and also allow customization of the MSI-based installer. Type "k2clientconfig.exe" at the command prompt to see all the various available options including the ability to customize for a silent install with the correct server address. Note: k2clientconfig only customizes the MSI portion of the installer (regardless of whether it has been extracted), so when you run the customized installer on a system that does not have MSI support, the custom configuration will not be honored.

If you are upgrading to KeyAccess 6.1.3 (or higher) from an older version, the installer will preserve the previous settings. Typically this means KeyAccess will preserve the older behavior of running as a user program and not as a service. If you want KeyAccess to run as a service, uninstall the older KeyAccess version before installing the newer version. Alternatively, remove the startup item and then enter "keyacc32.exe -install" into the Run item in the Start menu.

On Windows 2000 and older, when the computer first boots up and starts KeyAccess as a service (before any user logs in), KeyConfigure will display the name, "SYSTEM" in its Users window. This will change to the login name when the first user logs in, and it will be updated with the next user name whenever a new user logs in (after the first user has logged out). Note: KeyConfigure will never revert the session name to "SYSTEM" until the computer is re-booted, even though the user has logged out and the computer has returned to its login screen.

If you have no need to control any 16-bit programs, you can remove the file named keyacc.exe (but not keyacc32.exe) from your WINDOWS (or WINNT) directory.

 KeyConfigure

The Windows Admin installer, K2Admin.exe, also installs the KeyServer ODBC driver and customizable example reports written in Crystal Reports and Microsoft Access. You don't have to install KeyConfigure to use these external reports (K2Admin.exe will let you install just the reports and driver), but these reporting examples are only available on Windows.

Note: KeyConfigure's internal reports can be used to query usage data exported through KeyServer's export feature. An appropriate Windows ODBC driver matching the external database server must be installed on the KeyConfigure computer.

 KeyServer

When hosting KeyServer on Windows (using K2Server.exe to install ks.exe and supporting components), the installer will configure KeyServer as a service set to start "automatically" whenever your system starts up. If you install the KeyServer as a service on any drive other than your system drive (typically C:), you may have to change the default privileges: the SYSTEM account (used by KeyServer) must have "Full Control" rights for all folders in the resulting path (e.g., D:\Program Files\Sassafras K2\Server). It's easiest to install the KeyServer in the default location of C:\Program Files\..., if that is possible.

KeyServer must be hosted on Windows in order to support:

• Data export through ODBC
• Windows NT authentication method
• SQL authentication method

 KeyReporter

When hosting KeyReporter on Windows (using K2Reporter.exe to install kr.exe and supporting components), the installer will configure KeyReporter as a service set to start "automatically" whenever your system starts up. If you install the KeyReporter as a service on any drive other than your system drive (typically C:), you may have to change the default privileges: the SYSTEM account (used by KeyReporter) must have "Full Control" rights for all folders in the resulting path (e.g., D:\Program Files\Sassafras K2\Reporter). It's easiest to install the KeyReporter in the default location of C:\Program Files\..., if that is possible.

KeyReporter uses port 80 by default (the standard http port). If you have a web server running on the same computer you should change the port used by the web server or KeyReporter.

 KeyAccess

There is no point in using the mobile client installer, K2Mobile.exe, since thin clients are always connected - use K2Client.exe. When installing for thin client support on WTS (or Citrix Winframe), you should be sure to enter "install mode" and then use the "Add/Remove Programs" control panel to run the installer. If your server does not enter install mode automatically, follow these steps:

1. Login as the Administrator (or installation) account
2. Open a command prompt window and type: change user /install
3. Install KeyAccess via the K2Client.exe
4. Return to the command prompt and type: change user /execute

The essential KeyAccess client files will be placed in the WTS (or WINFRAME) directory and the KeyAccess service will be configured to start whenever the host computer starts.

If you are upgrading to KeyAccess 6.1.3 (or higher) from an older version, the installer will preserve the previous settings. On WTS this means KeyAccess will be configured to run as a user program and not as a service. We recommend that you first uninstall the older KeyAccess version before installing the newer version. This will guarantee that the newer version is installed to run as a service.

Thin clients with KeyAccess installed on a Terminal Server as described above will have K2's auditing feature turned off by default. If you want to include an audit of the server volume in your K2 audit database, you will have to pick one of the thin client computers listed in KeyConfigure's Computers window (computer ID begins with W) and turn its audit option back on. There is probably little point in turning auditing on for more than one thin client since they all share the same disk.

Running KeyAccess as a Service

Beginning with version 6.1.3, it is recommended that you run KeyAccess as a service. When KeyAccess runs as a service there will be only one keyacc32.exe process, which will manage the KeyServer connections for all users who are logged into Windows. Unlike with previous KeyAccess versions installed as a program, there is no special configuration needed in order to support Published Applications.

Running KeyAccess as a User Program

If for some reason you decide to run KeyAccess as a normal program there are some special considerations.

When WTS is serving out a complete Windows desktop to a thin client, no further configuration is required. KeyAccess will startup/shutdown when the thin client session is opened/closed and application usage within the session will be tracked as expected.

When serving "Published Apps" (e.g., without a surrounding Windows desktop), you must configure special options to ensure that KeyAccess is properly launched and quit so it can correctly report the Published Application activity to KeyServer.

KeyAccess has been optimized for minimal processor overhead so even on a Terminal Server running 20 instances of KeyAccess on a single cpu (ie, with 20 thin client sessions active) it will not tie up undue system resources.

 KeyConfigure

KeyConfigure is installed like any other application program. You may want to restrict access to specific users and make it available to only a few, if any, thin clients. KeyConfigure running from any Windows or Mac computer (including a thin client, if you wish) will be able to manage the KeyServer process - just enter the KeyServer IP address and password.

 KeyServer

KeyServer will function properly when hosted on a Terminal Server, providing license management to both thin and regular clients. However, it is recommended that you host the KeyServer process on a different computer in order to ensure the best performance from Terminal Server and KeyServer.

 KeyReporter

KeyReporter will function properly when hosted on a Terminal Server. However, it is recommended that you host the KeyReporter process on a different computer in order to ensure the best performance from Terminal Server and KeyReporter.

 KeyServer

The components for KeyServer on NetWare are installed from any Windows computer that is connected to the NetWare server with the SYS volume mounted, and with access privileges to write into the SYS:\SYSTEM directory.

From your Windows computer, run the K2srvNLM.exe program. When prompted for an install directory, be sure to specify the drive letter and path of your SYS:\SYSTEM directory (if you run server NLMs from a different directory, you can install KeyServer there instead). During the install process, you are asked whether your NetWare server is version 4.x or version 5.x or higher. It is important that you indicate the proper version.

The standard install of KeyServer for NetWare does not set KeyServer to run automatically when NetWare starts up. You should edit the AUTOEXEC.NCF file, adding the following line:

      LOAD KS.NLM

Command Line options:
The KeyServer NLM recognizes a few command line options that you can use to control how it runs. The most useful options are listed below.

d <dir>

By default, KeyServer looks for its data folder (KeyServer Data Folder or KSDATA) in the same directory as the KS.NLM. If you want to store the data folder in a different location, use this option to specify the directory in which the data folder is stored.

l

By default, KeyServer will try to use long file names when support for long file names is installed on the volume that contains KeyServer and its data folder (SYS by default). To force KeyServer to use short file names, even when long file name support is available, use this option.

s

By default, KeyServer displays its status in a simple text screen. Use this option if you want this status to be displayed on a formatted screen, with usage statistics and additional information.

x

KeyServer requires that the NETDB NLM be loaded in order to function as a shadow server, send status e-mail messages, and refer clients to other KeyServers. Normally, when KeyServer first starts up, it will attempt to automatically load this NLM. If you are not using the e-mail or referral features on this KeyServer, and if this KeyServer is not acting as a shadow, you can tell KeyServer not to load the NETDB NLM by using this option.

A Netware host can still support Macintosh clients using the AppleTalk protocol even though most sites will find IP to be better supported (both by your network and by Apple). If you need Appletalk support, make sure that the AppleTalk NLMs are configured for automatic load in the AUTOEXEC.NCF or some other startup script.

To use KS NDS authentication, KeyServer must run on Netware.

 KeyAccess

From the K2Client.dmg, run the installer named K2Client.mpkg to install KeyAccess on a Mac OS X computer. The installer must be run from a Login session that has Admin privileges, and will require re-entry of an admin password. It will prompt for the IP address (or DNS name) of the KeyServer during installation (Appletalk is no longer supported in version 6.1 and beyond). If you want to include the KeyCheckout utility in the client install, use the K2Mobile.dmg and run K2Mobile.mpkg. Note: the two installer packages are essentially the same. They can be transformed from one to the other using the k2clientconfig utility. See Customized client install:Mac for details.

Mac OS 9 & Classic - chooser extension

On a PowerPC Mac OS X computer that has a System Folder containing Mac OS 9, you can often "start the Classic environment" as a process within the running OS X operating system, or you can reboot the computer as a Mac OS 9 machine. Version 6.0.x of the KeyAccess Chooser extension (in the classic System Folder/Extensions) will work in either case: Under Classic (within OS X) or under Mac OS 9 (as the boot OS). KeyAccess 6.1 is not compiled for Mac OS Classic.

The K2Client.mpkg and K2Mobile.mpkg installers include the installation of the 6.0.2.6a KeyAccess chooser extension for the Classic environment. Management of Classic programs requires this final version of the KeyAccess chooser extension to be installed into the "blessed" System Folder. KeyAccess versions prior to 5.2.3 will not communicate correctly with Mac OS X. Do not install an older KeyAccess extension in the Mac OS 9 system folder!

If you do not need to control or log any Classic applications, the KeyAccess chooser extension is unnecessary. Note: the KeyAccess OS 9 system extension running in Classic within Mac OS X will do nothing without the required Mac OS X KeyAccess files properly installed (but if you boot in Mac OS 9, it is all that is required).

Note: if you have multiple OS 9 System Folders, each one should have the 6.0.2.6a KeyAccess extension installed. This comment applies regardless of whether you have Mac OS X installed. It is perhaps worth emphasizing in a Mac OS X context, however, since the Mac OS X System Preference for starting Classic makes shifting among various Classic environments so easy. It is all right to duplicate the KeyAccess extension from one Classic environment to another without running the client installer. You won't have to set up the KeyServer address in Classic since it is managed globally by OS X.

Uninstall

KeyAccess client software for Mac OS X uses a pkg based uninstaller. You will need admin permissions to run the uninstaller, just as you do for the installer. The uninstaller can be found in the full archive of K2 installers, in:

Installers/Macintosh Installers/Misc/KeyAccess Uninstaller.dmg

 KeyConfigure

The Macintosh Admin installer, K2Admin.mpkg (inside the K2Admin.dmg), also installs the KeyServer ODBC driver in order to support customized reports written in reporting tools such as FileMaker. The OS utility, ODBC Administrator, is used to configure the DSN, ”KeyServer Datasource“, with the correct KeyServer ip address, report account name, and password.

Note: KeyConfigure's "internal reports" can be used to query usage data exported through KeyServer's export feature. An appropriate ODBC driver matching the external database server must be installed on the KeyConfigure computer.

 KeyServer

To install KeyServer on Mac OS X, run the installer K2Server.app installer. It will install new components or update any previously installed components to the latest version while preserving your custom configuration information.

The KeyServer process will start up automatically when you reboot. You can also use the applescript applet, “ks-StartStop”. To disable KeyServer's automatic startup, delete or change the name of the startup script: /Library/StartupItems/KeyServer/KeyServer. On OS 10.4 and higher, you will also need to disable a Launch Daemon, which you can do by: sudo launchctl unload -w /Library/LaunchDaemons/com.sassafras.KeyAccess.plist

Since ks is just a unix program, you can also start it by typing "sudo /Library/KeyServer/ks" in a terminal window. This is useful when you want to see diagnostic output (or when installing a shadow and starting it for the first time), but the ks process will quit when the terminal window is closed.

Command Line options:
The KeyServer program recognizes a few command line options that you can use to control how it runs. The most useful options are listed below. If you need to use any of these options for your KeyServer you should modify the StartService() routine in the startup script, /Library/StartupItems/KeyServer/KeyServer.

b <dir>

By default, KeyServer looks for its data folder (KeyServer Data Folder or KSDATA) in the current working directory. If you want to store the data folder in a different location, use this option to specify the directory in which the data folder is stored.

d

By default, KeyServer runs as a simple console program, and writes basic status information to the terminal in which it was started. If the terminal is closed, the KeyServer will stop running. To run KeyServer as a "daemon" process, use this option. When running as a daemon, KeyServer does not write status information to the terminal, and continues to run even after the originating terminal is closed.

e <log-file-path>

KeyServer can optionally write some status messages to a separate log file, other than the KeyServer log (where program usage information is stored) and the system log (where startup and shutdown information is written). If you want a simple log of KeyServer's startups and shutdowns, specify the log's location using this option.

n <hostname>

When KeyServer is running on a multi-homed host (a host with more than one IP address assigned to it as in the case of multiple NIC interfaces), it will open its service port on the default IP address. Use this option to force KeyServer to open its service port on a specific IP address. [e.g. change the final command in the StartService() routine to also have the -n option, something like: /Library/KeyServer/ks -d -n 123.456.78.9 ]

To use the Unix Authentication method, KeyServer must run on Mac OS X or Linux.

If the KeyServer is supporting third party add-in libraries and/or hardware dongles for custom secure management of pre-keyed third party programs, there will be support libraries with names like rf_xxx in the KeyServer Data Folder. These third party libraries may need to be upgraded when moving the KeyServer process to different hardware. In particular, older versions of the rf_xxx files may not be compiled in Universal Binary format in which case they cannot be used on a Macintosh Intel platform.

 KeyReporter

To install KeyReporter on Mac OS X, run the installer K2Reporter.app installer. It will install new components or update any previously installed components to the latest version while preserving your custom configuration information.

KeyReporter uses port 80 by default (the standard http port). If you have a web server running on the same computer you should change the port used by the web server or KeyReporter.

 KeyAccess

The Linux client implements most of the same functionality as the Windows and Mac clients. On Linux, “interesting programs” are defined by the client as those the make use of the X11 libraries in order to display a graphic user interface. In addition, the default configuration will only pay attention to executables within one of two directories:

     /opt
     /usr

However, more paths (or specific executables) can be added by editing the config file on each client computer:

     /usr/share/ka/ident.xml

The K2 client for Linux will report such “interesting programs” to KeyServer and they will appear in KeyConfigure's programs window. Usage events (launch and quit) will be reported whenever the action is set to logged or controlled. Note: since there is no KeyConfigure for Linux, there is no way to “key” a Linux program. Of course you can still Control (and report on) a Linux program on any computer that has the Linux K2 client installed, but without using the keyed option.

On some types of Linux, you can simply double-click the deb or rpm file, and it will be opened by an installer manager and installed. On some other types of Linux, you may instead have to use the command line, e.g. one of the following:

     sudo rpm -i KeyAccess-6.2.0.5-201004.i386.rpm
     sudo rpm -i KeyAccess-6.2.0.5-201004.x86_64.rpm
     sudo dpkg -i KeyAccess_6.2.0.5-201004_i386.deb
     sudo dpkg -i KeyAccess_6.2.0.5-201004_amd64.deb

This will install some KeyAccess components in /usr/libexec and will also install kasetup, the program for configuring an address for KeyAccess, in /usr/bin . Once you have installed, you should restart your computer. After you login again, run kasetup from the terminal and enter the KeyServer address, then click Logon. Alternatively, you can set the KeyServer address during the install, if you use the command line to do the install. Use env to set a value for KA_SERVERHOST, e.g.:

     sudo env KA_SERVERHOST=keyserver.domain.com rpm -i KeyAccess-6.2.0.5-201004.i386.rpm
     sudo env KA_SERVERHOST=keyserver.domain.com rpm -i KeyAccess-6.2.0.5-201004.x86_64.rpm
     sudo env KA_SERVERHOST=keyserver.domain.com dpkg -i KeyAccess_6.2.0.5-201004_i386.deb
     sudo env KA_SERVERHOST=keyserver.domain.com dpkg -i KeyAccess_6.2.0.5-201004_amd64.deb

Upgrade

To upgrade using an rpm, you should use the -U command line switch instead of -i:

     sudo rpm -U KeyAccess-6.2.0.5-201004.i386.rpm
     sudo rpm -U KeyAccess-6.2.0.5-201004.x86_64.rpm

Uninstall

To uninstall Linux KeyAccess, use one of the following, depending on your OS:

     sudo rpm -e KeyAccess
     sudo dpkg -r KeyAccess

After a reboot, KeyAccess will no longer be active.

 KeyServer

The KeyServer process requires kernel version 2.2 or higher, version 2.3 or better of the glibc library, and OpenSSL 0.9.8.

The KeyServer components are packaged in an RPM or DEB file. To install the server, use one of the following command lines:

     sudo rpm -i KeyServer-6.2.0.5-201004.i386.rpm
     sudo rpm -i KeyServer-6.2.0.5-201004.x86_64.rpm
     sudo dpkg -i KeyServer_6.2.0.5-201004_i386.deb
     sudo dpkg -i KeyServer_6.2.0.5-201004_amd64.deb

This will install the files into /usr/local/k2 with a subdirectory called KeyServer Data Folder. It will also install a startup script in /etc/init.d and configure the computer to run the KeyServer process (ks) at system startup. All files will be installed with root as the owner.

Upgrade

To upgrade using an rpm, you should use the -U command line switch instead of -i:

     sudo rpm -U KeyServer-6.2.0.5-201004.i386.rpm
     sudo rpm -U KeyServer-6.2.0.5-201004.x86_64.rpm

If you are upgrading to K2 6.2 from version 6.1.x or lower, you must move data folder first, since the standard location is different for KeyServer 6.2: sudo cp -R /usr/local/KeyServer /usr/local/k2

Starting / Stopping

Once KeyServer is installed, you can start it either by rebooting the host computer or by using a manual command - one of the following, depending on OS:

     sudo /sbin/service KeyServer start
     sudo invoke-rc.d KeyServer start
     sudo /etc/init.d/KeyServer start

To stop a running KeyServer process, use one of the commands below:

     sudo /sbin/service KeyServer stop
     sudo invoke-rc.d KeyServer stop
     sudo /etc/init.d/KeyServer stop

Do not use kill -9 unless absolutely necessary, since this does not give KeyServer a chance to flush its file buffers.

Permissions

KeyServer files are installed with root as the owner, and the commands above assume the process will run as root. If you wish to run the KeyServer process in a different account you will need to change the ownership or permissions of the files in /usr/local/k2.

Command Line options:
The KeyServer program recognizes a few command line options that you can use to control how it runs. The most useful options are listed below. If you need to use any of these options for your KeyServer you should modify the startup script that was installed in /etc/init.d.

b <dir>

By default, KeyServer looks for its data folder (KeyServer Data Folder or KSDATA) in the current working directory. If you want to store the data folder in a different location, use this option to specify the directory in which the data folder is stored.

d

By default, the "sudo ks" command will run KeyServer as a simple console program and write basic status information to the terminal in which it was started. Running in a terminal window is often useful for diagnositc purposes but when the terminal is closed, the KeyServer will stop. Use the -d option to run KeyServer as a "daemon" process so it will continure to run even after the originating terminal is closed.

e <log-file-path>

KeyServer can optionally write some status messages to a separate log file, other than the KeyServer log (where program usage information is stored) and the system log (where startup and shutdown information is written). If you want a simple log of KeyServer's startups and shutdowns, specify the log's location using this option.

n <hostname>

When KeyServer is running on a multi-homed host (a host with more than one IP address assigned to it), it will open its service port on the default IP address. Use this option to force KeyServer to open its service port on a specific IP address.

z <zone>

When KeyServer is running on a multi-homed AppleTalk host (a host with more than one AppleTalk address assigned to it), it will open its service port in the default AppleTalk Zone. Use this option to force KeyServer to open its service port in a specific AppleTalk Zone.

In order for KeyServer to support clients over the AppleTalk protocol, you only need to have your Linux kernel configured to support AppleTalk. On most Linux distributions, this support is built in by default (although you must still set up things like the default zone, etc.) You do not need to be running netatalk daemons, although KeyServer will operate alongside these services.

To use the Unix Authentication method, KeyServer must run on Mac OS X or Linux.

 KeyReporter

The KeyReporter process requires kernel version 2.2 or higher, version 2.3 or better of the glibc library, and OpenSSL 0.9.8.

The KeyReporter components are packaged in an RPM or DEB file. To install the server, use one of the following command lines:

     sudo rpm -i KeyReporter-6.2.0.5-201004.i386.rpm
     sudo dpkg -i KeyReporter_6.2.0.5-201004_i386.deb

Upgrade

To upgrade, you should use the -U command line switch instead of -i:

     sudo rpm -U KeyReporter-6.2.0.5-201004.i386.rpm
     sudo rpm -U KeyReporter-6.2.0.5-201004.x86_64.rpm

Ports

KeyReporter uses port 80 by default (the standard http port). If you have a web server running on the same computer you should change the port used by the web server or KeyReporter.

 KeyAccess

The Solaris client is compiled from the same source as the Linux client with approprate adjustments for Solaris OS calls and linked libraries. It implements most of the same functionality as the Windows and Mac clients.

On Solaris, “interesting programs” are defined by the client as those the make use of the X11 libraries in order to display a graphic user interface. In addition, the default configuration will only pay attention to executables within one of two directories:

     /opt
     /usr

However, more paths (or specific executables) can be added by editing the config file on each client computer:

     /usr/share/ka/ident.xml

The K2 client for Solaris will report such “interesting programs” to KeyServer and they will appear in KeyConfigure's programs window. Usage events (launch and quit) will be reported whenever the action is set to logged or controlled. Note: since there is no KeyConfigure for Solaris, there is no way to “key” a Solaris program. Of course you can still Control (and report on) a Solaris program on any computer that has the Solaris K2 client installed, but without using the keyed option.

The client installer for Solaris is a Solaris package compressed for downloading:

     KeyAccess-<version>-<platform>.pkg.gz

where <version> is the KeyAccess version (e.g., 6.2.0) and <platform> is one of "i386" or "sparc". To install it, do this as root (assuming the KeyAccess-<version>-<platform>.pkg.gz file was downloaded to /tmp):

     cd /tmp
     gunzip KeyAccess-<version>-<platform>.pkg.gz
     pkgadd -d KeyAccess-<version>-<platform>.pkg

The pkgadd program will ask which package you want to install.  Select "KeyAccess", then answer "y" (yes) to the subsequent questions.  The first question just confirms that you want to install KeyAccess, and the second question asks permission to run the installer script.

This will install some KeyAccess components in /usr/libexec and will also install kasetup, the program for configuring an address for KeyAccess, in /usr/bin.

Once pkgadd has finished installing KeyAccess, you must log out of any desktop sessions (and then re-login) in order to get the KeyAccess user agent to run. After you login again, run kasetup from the terminal and enter the KeyServer address, then click Logon. Alternatively, you can set the KeyServer address during the install, by using env to set a value for KA_SERVERHOST, e.g.:

     sudo env KA_SERVERHOST=keyserver.domain.com pkgadd -d KeyAccess-<version>-<platform>.pkg

Uninstall

To uninstall Solaris KeyAccess, run the following command line as root:

     pkgrm KeyAccess

After a reboot, KeyAccess will no longer be active.

 KeyServer

The KeyServer process requires Solaris 9 or higher and OpenSSL. The sparc compile requires OpenSSL 0.9.8 while the i386 compile requires OpenSSL 0.9.7. The server installer for Solaris is a Solaris package compressed for downloading:

     KeyServer-<version>-<platform>.pkg.gz

where <version> is the KeyServer version (e.g., 6.2.0) and <platform> is one of "i386" or "sparc". To install it, do this as root (assuming the KeyServer-<version>-<platform>.pkg.gz file was downloaded to /tmp):

     cd /tmp
     gunzip KeyServer-<version>-<platform>.pkg.gz
     pkgadd -d KeyServer-<version>-<platform>.pkg

The pkgadd program will ask which package you want to install.  Select "KeyServer", then answer "y" (yes) to the subsequent question, which asks permission to run the installer script.

This will install some KeyServer components in /opt/sfw/k2, and attempt to start the server. You can determine if the KeyServer has started by using ps with the option to include processes owned by all users, and looking for the 'ks' command. If it has not started, you can look at the services log file to determine what might be wrong. It is usually found in:

     /var/svc/log

In order to manually start KeyServer, use the svcadm command:

     sudo svcadm enable application/keyserver

In order to manually stop KeyServer, use the svcadm command:

     sudo svcadm disable application/keyserver

Do not use kill -9 unless absolutely necessary, since this does not give KeyServer a chance to flush its file buffers.

KeyServer files are installed with root as the owner, and the commands above assume the process will run as root. If you wish to run the KeyServer process in a different account you will need to change the ownership or permissions of the files in /usr/local/k2.

Command Line options:
The KeyServer program recognizes a few command line options that you can use to control how it runs. The most useful options are listed below. If you need to use any of these options for your KeyServer you should modify the service file that was installed at /var/svc/manifest/application/keyserver.xml.

b <dir>

By default, KeyServer looks for its data folder (KeyServer Data Folder or KSDATA) in the current working directory. If you want to store the data folder in a different location, use this option to specify the directory in which the data folder is stored.

d

By default, the "sudo ks" command will run KeyServer as a simple console program and write basic status information to the terminal in which it was started. Running in a terminal window is often useful for diagnositc purposes but when the terminal is closed, the KeyServer will stop. Use the -d option to run KeyServer as a "daemon" process so it will continure to run even after the originating terminal is closed.

e <log-file-path>

KeyServer can optionally write some status messages to a separate log file, other than the KeyServer log (where program usage information is stored) and the system log (where startup and shutdown information is written). If you want a simple log of KeyServer's startups and shutdowns, specify the log's location using this option.

n <hostname>

When KeyServer is running on a multi-homed host (a host with more than one IP address assigned to it), it will open its service port on the default IP address. Use this option to force KeyServer to open its service port on a specific IP address.

z <zone>

When KeyServer is running on a multi-homed AppleTalk host (a host with more than one AppleTalk address assigned to it), it will open its service port in the default AppleTalk Zone. Use this option to force KeyServer to open its service port in a specific AppleTalk Zone.

Uninstall

To uninstall Solaris KeyServer, run the following command line as root:

     pkgrm KeyServer

 KeyReporter

The KeyReporter process requires Solaris 9 or higher and OpenSSL. The sparc compile requires OpenSSL 0.9.8 while the i386 compile requires OpenSSL 0.9.7. The reporter installer for Solaris is a Solaris package compressed for downloading:

     KeyReporter-<version>-<platform>.pkg.gz

where <version> is the KeyReporter version (e.g., 6.2.0) and <platform> is one of "i386" or "sparc". To install it, do this as root (assuming the KeyReporter-<version>-<platform>.pkg.gz file was downloaded to /tmp):

     cd /tmp
     gunzip KeyReporter-<version>-<platform>.pkg.gz
     pkgadd -d KeyReporter-<version>-<platform>.pkg

The pkgadd program will ask which package you want to install.  Select "KeyReporter", then answer "y" (yes) to the subsequent question, which asks permission to run the installer script.

This will install some KeyReporter components in /opt/sfw/k2, and attempt to start KeyReporter. You can determine if the KeyReporter has started by using ps with the option to include processes owned by all users, and looking for the 'kr' command. If it has not started, you can look at the services log file to determine what might be wrong. It is usually found in:

     /var/svc/log

In order to manually start KeyReporter, use the svcadm command:

     sudo svcadm enable application/keyreporter

In order to manually stop KeyReporter, use the svcadm command:

     sudo svcadm disable application/keyreporter

KeyReporter uses port 80 by default (the standard http port). If you have a web server running on the same computer you should change the port used by the web server or KeyReporter.

Uninstall

To uninstall Solaris KeyReporter, run the following command line as root:

     pkgrm KeyReporter