Preparing for Software Interlock
Roles: Core Administrator
This functionality controls user access to specific software programs, governed using a combination of iLab’s Scheduling and Calendars functionality, Equipment Kiosk interface, and Sassafras K2-KeyServer.
Once you have received the required devices and software and completed setup and implementation, refer to Setting Up Software Interlock.
K2-KeyServer is an IT software asset management product from Sassafras Software. Generally, Sassafras KeyServer can keep track of both hardware and software, discover what software you have, track who is using it and how often, and report on usage. Specifically, when used with iLab, K2 is able to enforce policies, which will either allow or disallow the use of software, after consulting with the iLab database. Therefore, software usage can be tied to trained usage or usage based on scheduling.
- A unique Sassafras K2-KeyServer needs to be installed within the Institution's network. This KeyServer's responsibility will be to govern any computers that will need to use the Software Interlock functionality.
- If an institution already has an installation of Sassafras, we recommend configuring a separate, unique instance of KeyServer to avoid any potential conflicts between software Deny/Control policies and/or version upgrades.
- iLab recommends that the institution designate a central point of contact (POC), or several, to work with both iLab and Sassafras to configure and manage the Software Interlock KeyServer installation and configuration. It is recommended that the POC(s) be from the Institution's IT Department.
- Install the Sassafras driver that supports Client Authentication via the iLab method. Agilent will provide you the appropriate binaries and instructions on where to place them. This is ideally done by the administrator of the Sassafras server.
- Each computer that hosts controlled software will need to have a Sassafras Client (KeyAccess) installed on it. The KeyAccess client allows Sassafras's KeyServer to recognize the computer and identify all software programs installed on it.
- Institutions and/or cores will need to purchase enough client licenses to accommodate the total number of computers that will host controlled software programs (not the total number of software programs).
- Provide local administrative access to the Sassafras KeyConfigure interface.
- KeyConfigure is the interface that allows a local administrator to view computers and installed software, and will be the access point for configuring software Control and Deny Policies.
- Any computer on the Institution network that will use the Software Interlock solution needs network connectivity to this KeyServer (but not necessarily internet access), and controlled applications will be governed by this new Sassafras server.
Additional information on how to set up Sassafras for use with iLab can be found in iLab/Sassafras set-up documentation.
Coordination will be required with the institution’s IT and networking teams. The IT professionals should be able to follow the instructions below and utilize the linked resources in this document to set up the bridge.
An onsite IT team will need to create a secure local network in which the iLab Bridge will reside. The Bridge and Sassafras server do not have to be on the same subnet:
- The Bridge needs only to be able to initiate an outgoing SSH connection to the iLab server.
- When the Bridge is installed, the Sassafras server should be able to connect to the Bridge on port 3306 to send MySQL requests.
Once an agreement is in place, the iLab engineering team will configure and send you an iLab bridge. Your interlock devices will be connected to this bridge, and will require a static IP. The bridge will then initiate a secure local connection to our iLab servers from within your organization. The bridge and the subnet do not need to be visible to the outside - they only need to be able to SSH out to the iLab server.
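The two network requirements above translate into a short allow-list in front of a default deny. The following Python check is an added example, not iLab or Sassafras code: it audits a proposed rule set against those two flows and flags any rule touching the Bridge that is wider than needed, such as port 3306 open to every source. The addresses are constructed documentation-range placeholders, port 22 for SSH is an assumption, and the rule format is hypothetical.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real iLab hosts.
BRIDGE, SASSAFRAS, ILAB_SERVER = "192.0.2.10", "192.0.2.20", "203.0.113.5"
SSH_PORT = 22      # assumption: default SSH port; the page does not state one
MYSQL_PORT = 3306  # port named on the page

# The only two flows the page requires: (source, destination, TCP port).
REQUIRED = [
    (BRIDGE, ILAB_SERVER, SSH_PORT),   # Bridge initiates outgoing SSH
    (SASSAFRAS, BRIDGE, MYSQL_PORT),   # Sassafras server sends MySQL requests
]

def _net(addr):
    return ipaddress.ip_network(addr, strict=False)

def _covers(rule_addr, host):
    return ipaddress.ip_address(host) in _net(rule_addr)

def permits(rule, src, dst, port):
    return (_covers(rule["src"], src) and _covers(rule["dst"], dst)
            and rule["port"] in (port, "any"))

def is_exact(rule):
    return any(_net(rule["src"]) == _net(s) and _net(rule["dst"]) == _net(d)
               and rule["port"] == p for s, d, p in REQUIRED)

def audit(rules):
    """Return (missing required flows, names of rules wider than a required flow).
    Rules are allow entries in front of a default deny (hypothetical format)."""
    missing = [f for f in REQUIRED if not any(permits(r, *f) for r in rules)]
    too_broad = [r["name"] for r in rules
                 if (_covers(r["src"], BRIDGE) or _covers(r["dst"], BRIDGE))
                 and not is_exact(r)]
    return missing, too_broad

# Constructed sample rule sets.
PROPOSED = [
    {"name": "bridge-ssh-out", "src": BRIDGE, "dst": ILAB_SERVER, "port": 22},
    {"name": "mysql-in", "src": "0.0.0.0/0", "dst": BRIDGE, "port": 3306},
]
TIGHTENED = [PROPOSED[0],
             {"name": "mysql-in", "src": SASSAFRAS, "dst": BRIDGE, "port": 3306}]

if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("tightened", TIGHTENED)):
        print(label, audit(rules))
```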
There are two possible scenarios for how your devices will connect to the VLAN/subnet:
- Multiple devices on one subnet
- Multiple devices on multiple subnets
Diagram 1: All devices on one subnet/VLAN
Diagram 2: Multiple devices on multiple subnets