System and method for providing least privilege access in a microservices architecture

US 10,484,379 B2
Filed: 03/16/2017
Issued: 11/19/2019
Est. Priority Date: 03/16/2017
Status: Active Grant

First Claim

Patent Images

1. A method of providing administrative access to an endpoint server, the method comprising:

responsive to receiving a key update request at a bootstrap server,generating an admin key at the bootstrap server,partitioning, at the bootstrap server, the admin key into a first portion and a second portion,transmitting, from the bootstrap server, the admin key to the endpoint server,deleting the admin key from the bootstrap server after transmitting the admin key to the endpoint server, andstoring, at the bootstrap server, the first portion and the second portion of the admin key in a secret management server;

receiving, at an admin server, a request for performing an admin operation on the endpoint server and the first portion of the admin key from a microservice server;

receiving, at the admin server, the second portion of the admin key;

generating, at the admin server, a copy of the admin key based at least in part on the first portion and the second portion of the admin key;

performing, via the admin server, the admin operation on the endpoint server using the copy of the admin key;

deleting the copy of the admin key on the admin server after performing the admin operation on the endpoint server;

transmitting, from the admin server, a first key update request to the bootstrap server; and

transmitting, from the microservice server, a second key update request to the bootstrap server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method of providing administrative access to an endpoint server. In one example, the method includes receiving, at an admin server, a request for performing an admin operation on the endpoint server and a first portion of an admin key from a microservice server. The method also includes receiving, at the admin server, a second portion of the admin key. The method further includes generating, at the admin server, a copy of the admin key based at least in part on the first portion and the second portion of the admin key. The method also includes performing, via the admin server, the admin operation on the endpoint server using the copy of the admin key. The method further includes deleting the copy of the admin key on the admin server after performing the admin operation on the endpoint server.

37 Citations

16 Claims

1. A method of providing administrative access to an endpoint server, the method comprising:
- responsive to receiving a key update request at a bootstrap server,generating an admin key at the bootstrap server,partitioning, at the bootstrap server, the admin key into a first portion and a second portion,transmitting, from the bootstrap server, the admin key to the endpoint server,deleting the admin key from the bootstrap server after transmitting the admin key to the endpoint server, andstoring, at the bootstrap server, the first portion and the second portion of the admin key in a secret management server;
  
  receiving, at an admin server, a request for performing an admin operation on the endpoint server and the first portion of the admin key from a microservice server;
  
  receiving, at the admin server, the second portion of the admin key;
  
  generating, at the admin server, a copy of the admin key based at least in part on the first portion and the second portion of the admin key;
  
  performing, via the admin server, the admin operation on the endpoint server using the copy of the admin key;
  
  deleting the copy of the admin key on the admin server after performing the admin operation on the endpoint server;
  
  transmitting, from the admin server, a first key update request to the bootstrap server; and
  
  transmitting, from the microservice server, a second key update request to the bootstrap server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the admin server receives the second portion of the admin key from the secret management server.
  - 3. The method of claim 2, further comprising authenticating the admin server to the secret management server prior to receiving the second portion of the admin key.
  - 4. The method of claim 2, further comprisingreceiving, at the microservice server, the first portion of the admin key from the secret management server, wherein the microservice server is unable to obtain the second portion of the admin key;
    - transmitting, from the microservice server, the request for performing the admin operation on the endpoint server to the admin server; and
      
      transmitting, from the microservice server, the first portion of the admin key to the admin server.
  - 5. The method of claim 4, further comprising authenticating the microservice server to the secret management server prior to receiving the first portion of the admin key.
  - 6. The method of claim 1, wherein the admin key is a first admin key, the method further comprisingresponsive to receiving the first and second key update requests at the bootstrap server generating a second admin key at the bootstrap server,partitioning, at the bootstrap server, the second admin key into a third portion and a fourth portion,transmitting, from the bootstrap server, the second admin key to the endpoint server,deleting the second admin key from the bootstrap server after transmitting the second admin key to the endpoint server, andstoring, at the bootstrap server, the third portion and the fourth portion of the second admin key in the secret management server.
  - 7. The method of claim 1, further comprisingreceiving, at the admin server, an operation result from the endpoint server after performing the admin operation on the endpoint server;
    - andtransmitting, from the admin server, the operation result to the microservice server.
  - 8. The method of claim 1, wherein the microservice server is a first microservice server, wherein the endpoint server includes at least one selected from a group consisting of an application server, a second microservice server, and a database.

9. A system of providing administrative access to an endpoint server, the system comprising:
- a bootstrap server including a bootstrap transceiver, a bootstrap memory, and a bootstrap electronic processor electrically coupled to the bootstrap transceiver and the bootstrap memory, wherein responsive to receiving a key update request, the bootstrap electronic processor configured togenerate an admin key,divide the admin key into an first portion and an second portion,transmit, via the bootstrap transceiver, the admin key to the endpoint server;
  
  delete the admin key from the bootstrap memory after transmitting the admin key, andstore the first portion and the second portion of the admin key in a secret management server;
  
  a microservice server; and
  
  an admin server including an admin transceiver, an admin memory, and an admin electronic processor electrically coupled to the admin transceiver and to the admin memory, the admin electronic processor configured toreceive, via the admin transceiver, a request for performing an admin operation on the endpoint server and the first portion of the admin key from the microservice server,receive, via the admin transceiver, the second portion of the admin key,generate a copy of the admin key based at least in part on the first portion and the second portion of the admin key,perform the admin operation on the endpoint server using the copy of the admin key,delete the copy of the admin key stored in the admin memory after performing the admin operation on the endpoint server, andtransmit, via the admin transceiver, a first key update request to the bootstrap server,wherein the microservice server is configured to transmit, via a microservice transceiver, a second key update request to the bootstrap server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the admin electronic processor receives the second portion of the admin key from the secret management server.
  - 11. The system of claim 10, wherein the admin electronic processor is further configured to authenticate to the secret management server prior to receiving the second portion of the admin key.
  - 12. The system of claim 10, wherein the microservice server includes a microservice transceiver and a microservice electronic processor electrically coupled to the microservice transceiver, the microservice electronic processor configured toreceive, via the microservice transceiver, the first portion of the admin key from the secret management server, wherein the microservice server is unable to obtain the second portion of the admin key, andtransmit, via the microservice transceiver, the request for performing the admin operation on the endpoint server and the first portion of the admin key to the admin server.
  - 13. The system of claim 12, wherein the microservice electronic processor is further configured to authenticate to the secret management server prior to receiving the first portion of the admin key.
  - 14. The system of claim 9, wherein the admin key is a first admin key, wherein responsive to receiving the first and second key update requests, the bootstrap electronic processor is further configured togenerate a second admin key,divide the second admin key into a third portion and a fourth portion,transmit, via the bootstrap transceiver, the second admin key to the endpoint server,delete the second admin key from the bootstrap memory after transmitting the second admin key, andstore the third portion and the fourth portion of the second admin key in the secret management server.
  - 15. The system of claim 9, wherein the admin electronic processor is further configured toreceive, via the admin transceiver, an operation result from the endpoint server after performing the admin operation on the endpoint server;
    - andtransmit, via the admin transceiver, the operation result to the microservice server.
  - 16. The system of claim 9, wherein the microservice server is a first microservice server, wherein the endpoint server includes at least one selected from a group consisting of an application server, a second microservice server, and a database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola Solutions, Inc.
Inventors
Lewis, Adam C., Thomas, Shanthi E.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US15/461,299
Publication Number

US 20180270237A1
Time in Patent Office

978 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 15/16   Combinations of two or more...

H04L 63/04   for providing a confidentia...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/067   using one-time keys cryptog...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04W 12/041   Key generation or derivation

System and method for providing least privilege access in a microservices architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing least privilege access in a microservices architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links