Secure access to a virtual machine

US 10,552,189 B2
Filed: 08/02/2016
Issued: 02/04/2020
Est. Priority Date: 04/20/2010
Status: Active Grant

First Claim

Patent Images

1. A remote server comprising:

a hypervisor to support a number of virtual machines on the remote server; and

a number of virtual machines dispensed to the remote server by a separate management appliance that communicates with the remote server via a computer network, wherein, during instantiation, a first of the virtual machines is cryptographically associated with the management appliance that dispensed that first virtual machine to the remote server, the cryptographic association creating a trusted relationship between the first virtual machine and the management appliance from which the first virtual machine was dispensed;

wherein, because of this trusted relationship, a user who has access to the management appliance and is using the management appliance for remotely accessing the first virtual machine on the remote server is granted access to the first virtual machine based on the trusted relationship between the management appliance and the virtual machine; and

wherein any user with access to the management appliance will have access to the first virtual machine based on the trusted relationship between the management appliance and the virtual machine such that the user accessing the first virtual machine on the remote server via the management appliance can vary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing secure access to a virtual machine includes dispensing an image corresponding to a virtual machine from a management appliance to a distributed computing system such that the virtual machine is implemented by at least one of a plurality of interconnected physical computing devices in the distributed computing system; establishing a trusted relationship between the management appliance and the virtual machine; and providing a user with access to the virtual machine from the management appliance without further authentication credentials from the user.

60 Citations

18 Claims

1. A remote server comprising:
- a hypervisor to support a number of virtual machines on the remote server; and
  
  a number of virtual machines dispensed to the remote server by a separate management appliance that communicates with the remote server via a computer network, wherein, during instantiation, a first of the virtual machines is cryptographically associated with the management appliance that dispensed that first virtual machine to the remote server, the cryptographic association creating a trusted relationship between the first virtual machine and the management appliance from which the first virtual machine was dispensed;
  
  wherein, because of this trusted relationship, a user who has access to the management appliance and is using the management appliance for remotely accessing the first virtual machine on the remote server is granted access to the first virtual machine based on the trusted relationship between the management appliance and the virtual machine; and
  
  wherein any user with access to the management appliance will have access to the first virtual machine based on the trusted relationship between the management appliance and the virtual machine such that the user accessing the first virtual machine on the remote server via the management appliance can vary.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The remote server of claim 1, wherein the user accessing the first virtual machine based on the trusted relationship is not required to enter additional credentials for the virtual machine.
  - 3. The remote server of claim 1, wherein the first virtual machine to establishes the trusted relationship with the management appliance using private/public key cryptography.
  - 4. The remote server of claim 1, wherein the first virtual machine to establish the trusted relationship in response to the virtual machine having been dispensed from the management appliance.
  - 5. The remote server of claim 1, wherein the first virtual machine to accept the trusted relationship in response to a user attempted to access the first virtual machine.
  - 6. The remote server of claim 1, wherein the trusted relationship expires after a predetermined amount of time.

7. A management appliance, the management appliance comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprising executable code stored thereon such that the processor, upon executing the executable code;
  
  dispenses an image corresponding to a virtual machine to a remote server separate from the management appliance, the remote server having a hypervisor, the hypervisor to support the virtual machine on the remote server, wherein, during instantiation, the virtual machine is cryptographically associated with the management appliance that dispensed that virtual machine to the remote server, the cryptographic association creating a trusted relationship between the virtual machine and the management appliance from which the virtual machine was dispensed;
  
  establishes the trusted relationship with the virtual machine implemented on the remote server, the trusted relationship being based on the cryptographic association between the virtual machine and the management appliance as the source of the virtual machine; and
  
  ,using this trusted relationship, provides a user who has access to the management appliance and is using the management appliance for remotely accessing the virtual machine on the remote server with access to the virtual machine based on the trusted relationship without authentication credentials specifically for the virtual machine from the user, wherein any user with access to the management appliance will have access to the virtual machine based on the trusted relationship between the management appliance and the virtual machine such that the user accessing the virtual machine can vary.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The management appliance of claim 7, the processor, upon executing the executable code, further:
    - filters a request for access to the virtual machine based on access privileges of the user,wherein the filtering comprises, in response to a determination that the user has access to the management appliance and not the virtual machine, restricting the user'"'"'s access to the virtual machine based on credentials provided by the user upon accessing the management appliance.
  - 9. The management appliance of claim 7, wherein the processor, upon executing the executable code, further establishes the trusted relationship in response to successfully dispensing the image corresponding to the virtual machine to the remote server.
  - 10. The management appliance of claim 7, wherein the processor, upon executing the executable code, further establishes the trusted relationship in response to the user attempting to access the virtual machine.
  - 11. The management appliance of claim 7, wherein the trusted relationship is set to expire after a predetermined amount of time.
  - 12. The management appliance of claim 7, wherein the processor is to establish the trusted relationship through public-key cryptography.
  - 13. The management appliance of claim 12, wherein the processor is to:
    - associate a public key with the virtual machine image; and
      
      associate a private key with the management appliance.
  - 14. The management appliance of claim 13, wherein the processor is to maintain the private key in a secured storage location.
  - 15. The management appliance of claim 7, wherein the processor is to access the virtual machine through a protocol selected from:
    - a Secure Shell (SSH) protocol and a File Transfer Protocol (FTP).

16. A computer-implemented method (CIM) comprising:
- sending, from a management appliance, over a communication network and to a remote physical server computer, a first virtual machine image;
  
  instantiating a first virtual machine instantiation from the first virtual machine image on the remote physical server;
  
  creating a trusted relationship between the first virtual machine instantiation and the management appliance by cryptographic association between the first virtual machine instantiation and the management appliance;
  
  determining that a first user who is using the management appliance may be granted access to the first virtual machine instantiation through the management appliance and over the communication network based, at least in part, on the trusted relationship between the management appliance and the first virtual machine instantiation; and
  
  responsive to the determination that the first user may be granted access, granting access to the first user to use the first virtual machine instantiation.
- View Dependent Claims (17, 18)
- - 17. The CIM of claim 16 further comprising:
    - subsequent to the granting of access to the first user, using, by the first user, through the management appliance, and over the communication network, the first virtual machine instantiation running on the remote physical server computer.
  - 18. The CIM of claim 17 wherein the first virtual machine instantiation runs on a hypervisor that runs on the remote physical server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ashok, Rohith K., Shook, Aaron K., Jemiolo, Daniel E., Kaplinger, Todd E.
Primary Examiner(s)
Dada, Beemnet W

Application Number

US15/226,582
Publication Number

US 20160342440A1
Time in Patent Office

1,281 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/102   Entity profiles

Secure access to a virtual machine

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure access to a virtual machine

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links