Provisioning new virtual machine with credentials

US 10,171,508 B2
Filed: 09/27/2016
Issued: 01/01/2019
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. A method of provisioning a virtual data processing instance in a virtualized environment, comprising:

provisioning, by a data processing apparatus configured for hosting virtual data processing instances, a new virtual data processing instance for retrieval of credential information from a credential management system;

connecting, by the new virtual data processing instance hosted in the data processing apparatus, to the credential management system;

authenticating the new virtual data processing instance to the credential management system; and

receiving, by the new virtual data processing instance, the credential information from the credential management system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

80 Citations

View as Search Results

22 Claims

1. A method of provisioning a virtual data processing instance in a virtualized environment, comprising:
- provisioning, by a data processing apparatus configured for hosting virtual data processing instances, a new virtual data processing instance for retrieval of credential information from a credential management system;
  
  connecting, by the new virtual data processing instance hosted in the data processing apparatus, to the credential management system;
  
  authenticating the new virtual data processing instance to the credential management system; and
  
  receiving, by the new virtual data processing instance, the credential information from the credential management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein the receiving comprises receiving at least one key from a key management system.
  - 3. The method according to claim 2, wherein the at least one key comprises a host key.
  - 4. The method according to claim 3, wherein the new virtual data processing instance comprises a virtual host and the host key is for another host.
  - 5. The method according to claim 2, wherein the at least one key comprises a private key that authorizes the new virtual data processing instance to log into at least one other data processing instance.
  - 6. The method according to claim 2, wherein the at least one key comprises a public key that authorizes an account on another data processing instance to log into the new virtual data processing instance.
  - 7. The method according to claim 1, further comprising:
    - receiving credential information from the credential management system allowing the new virtual data processing instance to authenticate itself to the credential management system; and
      
      using the received credential information by the new virtual data processing instance for authentication to the credential management system.
  - 8. The method according to claim 7, wherein the received credential information comprises one of:
    - a shared secret; and
      
      a public key for the credential management system and a private key for the new virtual data processing instance.
  - 9. The method according to claim 1, comprising using management system information that has been preconfigured into a virtual machine image for the connecting and authenticating to the credential management system.
  - 10. The method according to claim 1, further comprising installing credentials for the credential management system on the new virtual data processing instance before booting thereof or during a booting process.
  - 11. The method according to claim 10, wherein the credentials for the credential management system are inserted into a virtual machine image before the booting.
  - 12. The method according to claim 10, wherein the credentials for the credential management system are installed into the new virtual data processing instance by a provisioning system.
  - 13. The method according to claim 1, further comprising configuring the new virtual data processing instance based on the received credential information for at least one of:
    - authentication to the credential management system, use of a host key for at least one other host in the virtualized environment, enabling an account in another data processing instance to log into the new virtual data processing instance, and logging into at least one other data processing instance.
  - 14. The method according to claim 1, wherein the virtualized environment comprises a paravirtualized environment where parts of a kernel are shared by multiple instances.

15. A data processing apparatus for providing a virtual data processing instance in a virtualized environment, configured to:
- host virtual data processing instances;
  
  provision a new virtual data processing instance for retrieval of credential information from a credential management system;
  
  connect the new virtual data processing instance to the credential management system;
  
  authenticate the new virtual data processing instance to the credential management system; and
  
  configure the new virtual data processing instance based on credential information received from the credential management system.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The data processing apparatus according to claim 15, wherein the new virtual data processing instance is configured to receive at least one of:
    - at least one key from a key management system; and
      
      credential information from the credential management system allowing the new virtual data processing instance to authenticate itself to the credential management system.
  - 17. The data processing apparatus according to claim 15, configured to use credential management system information that has been preconfigured into a virtual machine image for connecting and authenticating to the credential management system.
  - 18. The data processing apparatus according to claim 15, comprising a provisioning system configured to install credentials for the credential management system on the new virtual data processing instance before booting thereof or during a booting process.
  - 19. The data processing apparatus according to claim 15, comprising a provisioning system configured to install credentials for the credential management system on the new virtual data processing instance before booting thereof or during a booting process.
  - 20. The data processing apparatus according to claim 15, further configured to configure the new virtual data processing instance based on the received credential information for at least one of:
    - authentication to the credential management system, use of a host key for at least one other host in the virtualized environment, enabling an account in another data processing instance to log into the new virtual data processing instance, and logging into at least one other data processing instance.
  - 21. The data processing apparatus according to claim 15, wherein the virtualized environment comprises a paravirtualized environment where parts of a kernel are shared by multiple instances.

22. A non-transitory computer readable media comprising program code for causing an apparatus, operable in a virtualized environment to host virtual data processing instances and comprising a processor, to perform instructions for:
- hosting a new virtual data processing instance by the apparatus in the virtualized environment, wherein the hosting comprises;
  
  provisioning the new virtual data processing instance for retrieval of credential information from a credential management system;
  
  connecting the new virtual data processing instance to the credential management system;
  
  authenticating the new virtual data processing instance to the credential management system; and
  
  configuring the new virtual data processing instance based on credential information received from the credential management system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu J.
Primary Examiner(s)
Bayou, Yonas A

Application Number

US15/277,491
Publication Number

US 20170019386A1
Time in Patent Office

826 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

H04L 61/4523   using lightweight directory...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

View All

Provisioning new virtual machine with credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning new virtual machine with credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links