This functionality controls user access to specific software programs, governed using a combination of iLab’s Scheduling and Calendars functionality, Equipment Kiosk interface, and Sassafras K2-KeyServer. 

• Sassafras K2-KeyServer
• On-site Requirements
• iLab Bridge

Once you have received the required devices, software and completed set up and implementation, refer to Setting Up Software Interlock.

Sassafras K2-KeyServer

K2-KeyServer is an IT software asset management product from Sassafras Software. Generally, Sassafras KeyServer can keep track of both hardware and software, discover what software you have, track who is using it and how often, and report on usage. Specifically, when used with iLab, K2 is able to enforce policies, which will either allow or disallow the use of software, after consulting with the iLab database. Therefore, software usage can be tied to trained usage or usage based on scheduling. 

1. A unique Sassafra K2-KeyServer needs to be installed within the Institution's network. This KeyServer's responsibility will be to govern any computers that will need to use the Software Interlock functionality.
   • If an institution already has an installation of Sassafras, we recommend configuring a separate, unique instance of KeyServer to avoid any potential software Deny/Control policy and/or version upgrades conflicts.
   • iLab recommends there be a central point of contact(s) at the institution to work with both iLab and Sassafras to configure and manage the Software Interlock KeyServer installation and configuration. It is recommended that this POC(s) be from the Institution's IT Department.
2. Install the Sassafras driver that supports Client Authentication via the iLab method. Agilent will provide you the appropriate binaries and instructions on where to place them. This is ideally done by the administrator of the Sassafras server.
3. Each computer that hosts controlled software will need to have a Sassafras Client (KeyAccess) installed on it. The KeyAccess client allows Sassafras's KeyServer to recognize the computer and identify all software programs installed on it.
   • Institutions and/or cores will need to purchase enough client licenses to accommodate the total number of computers that will host controlled software programs (not the total number of software programs).
4. Provide local administrative access to the Sassafras KeyConfigure interface.
   • KeyConfigure is the interface that allows a local administrator to view computers and installed software, and will be the access point for configuring software Control and Deny Policies[R(1]
5. Any computer on the Institution network that wants to use the Software Interlock solution will need to have network connectivity to this KetServer (but not necessarily internet access) and controlled applications will be governed by this new Sassafras server.

Additional information on how to set up Sassafras for use with iLab can be found in iLab/Sassafras set-up documentation

On-site Requirements

Personnel Requirements

Coordination will be required with the institution’s IT and networking teams. The IT professionals should be able to follow the instructions below and utilize the linked resources in this document to set up the bridge.

Network Requirements

An onsite IT team will need to create a secure local network in which the iLab Bridge will reside. The Bridge and Sassafras server do not have to be on the same subnet:

• The Bridge needs only to be able to connect to the internet. 
• When the Bridge is installed, the Sassafras server should be able to connect to the Bridge on port 3306 to send MySQL requests. 

iLab Bridge

Once an agreement is in place, the iLab engineering team will configure and send you an iLab bridge. Your interlock devices will be connected to this bridge, which will require a static IP. The bridge will establish a secure HTTPS (Port 443) connection to AWS (Amazon Web Services) IoT services from within your organization. The bridge and the subnet do not need to be exposed to the outside world; only the bridge needs to have internet connectivity.

There are two possible scenarios for how your devices will connect to the VLAN/subnet:

1. Multiple devices on one subnet
2. Multiple devices on multiple subnets

Diagram 1: Multiple devices on one subnet

Diagram 2: Multiple devices on multiple subnets