Secure binding workflow

US 10,693,968 B2
Filed: 09/12/2018
Issued: 06/23/2020
Est. Priority Date: 09/12/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising one or more computers and one or more storage devices storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:

receiving a service bind request for an application in a cloud application platform system, wherein the service bind request comprises a request to bind a service provided by a service host in the cloud application platform system, wherein the service bind request specifies (i) an identifier for the service and (ii) a unique identifier for the application;

receiving, from the service host, credentials for the application to access the service;

providing the credentials to a secure credential hub installed on the cloud application platform system, wherein the secure credential hub stores the credentials in association with a credential location identifier;

granting, to the unique identifier for the application, read access to the credential location identifier; and

storing the credential location identifier as application metadata for the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer programs encoded on computer storage media, for binding service credentials to an application. One example system receives a service bind request for an application in a cloud application platform. The service bind request includes a request to bind a service provided by a service host in the cloud application platform. The service bind request specifies (i) an identifier for the service and (ii) a unique identifier for the application. The system receives, from the service host, credentials for the application to access the service. The system provides the credentials to a secure credential hub installed on the cloud application platform. The secure credential hub stores the credentials in association with a credential location identifier. The system grants, to the unique identifier for the application, read access to the credential location identifier. The system stores the credential location identifier as application metadata for the application.

14 Citations

27 Claims

1. A system comprising one or more computers and one or more storage devices storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
- receiving a service bind request for an application in a cloud application platform system, wherein the service bind request comprises a request to bind a service provided by a service host in the cloud application platform system, wherein the service bind request specifies (i) an identifier for the service and (ii) a unique identifier for the application;
  
  receiving, from the service host, credentials for the application to access the service;
  
  providing the credentials to a secure credential hub installed on the cloud application platform system, wherein the secure credential hub stores the credentials in association with a credential location identifier;
  
  granting, to the unique identifier for the application, read access to the credential location identifier; and
  
  storing the credential location identifier as application metadata for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the operations further comprise:
    - receiving a request to populate the credentials within an environment of the application;
      
      generating, by a computing resource host that hosts the application within the cloud application platform system, a certificate that encodes the unique identifier of the application;
      
      providing, by the computing resource host to the secure credential hub, the certificate that encodes the unique identifier of the application and the credential location identifier; and
      
      receiving, by the computing resource host from the secure credential hub, the credentials for the application to access the service.
  - 3. The system of claim 2, wherein the operations further comprise:
    - populating the credentials within a process environment of a running instance of the application on the computing resource host,wherein the application is configured to access the service by obtaining the credentials from the process environment.
  - 4. The system of claim 3, wherein populating the credentials within a process environment of a running instance of the application on the computing resource host occurs at application launch.
  - 5. The system of claim 2, wherein the secure credential hub verifies that the application has read access to the location identified by the credential location identifier.
  - 6. The system of claim 2, wherein generating the certificate includes generating a public and private key pair.
  - 7. The system of claim 2, wherein generating the certificate includes signing the certificate with an intermediate certificate.
  - 8. The system of claim 7, wherein the computing resource host is preconfigured with the intermediate certificate.
  - 9. The system of claim 1, wherein storing the credential location identifier as application metadata for the application comprises storing the credential location identifier in a centralized database on the cloud application platform, and wherein the operations further comprise:
    - retrieving, by a computing resource host that hosts the application within the cloud application platform, the credential location identifier from the centralized database.
  - 10. The system of claim 1, wherein providing the credentials to a secure credential hub comprises:
    - authenticating with a preconfigured client.
  - 11. The system of claim 1, wherein the unique identifier is for an application that has not yet launched.
  - 12. The system of claim 1, wherein the credential location identifier is a path.
  - 13. The system of claim 1, wherein multiple applications have read access to a same credential location identifier.

14. A method comprising:
- receiving a service bind request for an application in a cloud application platform system, wherein the service bind request comprises a request to bind a service provided by a service host in the cloud application platform system, wherein the service bind request specifies (i) an identifier for the service and (ii) a unique identifier for the application;
  
  receiving, from the service host, credentials for the application to access the service;
  
  providing the credentials to a secure credential hub installed on the cloud application platform system, wherein the secure credential hub stores the credentials in association with a credential location identifier;
  
  granting, to the unique identifier for the application, read access to the credential location identifier; and
  
  storing the credential location identifier as application metadata for the application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method of claim 14, further comprising:
    - receiving a request to populate the credentials within an environment of the application;
      
      generating, by a computing resource host that hosts the application within the cloud application platform system, a certificate that encodes the unique identifier of the application;
      
      providing, by the computing resource host to the secure credential hub, the certificate that encodes the unique identifier of the application and the credential location identifier; and
      
      receiving, by the computing resource host from the secure credential hub, the credentials for the application to access the service.
  - 16. The method of claim 15, further comprising:
    - populating the credentials within a process environment of a running instance of the application on the computing resource host,wherein the application is configured to access the service by obtaining the credentials from the process environment.
  - 17. The method of claim 16, wherein populating the credentials within a process environment of a running instance of the application on the computing resource host occurs at application launch.
  - 18. The method of claim 15, wherein the secure credential hub verifies that the application has read access to the location identified by the credential location identifier.
  - 19. The method of claim 15, wherein generating the certificate includes generating a public and private key pair.
  - 20. The method of claim 15, wherein generating the certificate includes signing the certificate with an intermediate certificate.
  - 21. The method of claim 20, wherein the computing resource host is preconfigured with the intermediate certificate.
  - 22. The method of claim 14, wherein storing the credential location identifier as application metadata for the application comprises storing the credential location identifier in a centralized database on the cloud application platform, further comprising:
    - retrieving, by a computing resource host that hosts the application within the cloud application platform, the credential location identifier from the centralized database.
  - 23. The method of claim 14, wherein providing the credentials to a secure credential hub comprises:
    - authenticating with a preconfigured client.
  - 24. The method of claim 14, wherein the unique identifier is for an application that has not yet launched.
  - 25. The method of claim 14, wherein the credential location identifier is a path.
  - 26. The method of claim 14, wherein multiple applications have read access to a same credential location identifier.

27. One or more non-transitory computer storage media storing instructions that are operable, when executed by one or more computers, to cause the one or more computers to perform operations comprising:
- receiving a service bind request for an application in a cloud application platform system, wherein the service bind request comprises a request to bind a service provided by a service host in the cloud application platform system, wherein the service bind request specifies (i) an identifier for the service and (ii) a unique identifier for the application;
  
  receiving, from the service host, credentials for the application to access the service;
  
  providing the credentials to a secure credential hub installed on the cloud application platform system, wherein the secure credential hub stores the credentials in association with a credential location identifier;
  
  granting, to the unique identifier for the application, read access to the credential location identifier; and
  
  storing the credential location identifier as application metadata for the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Original Assignee
Pivotal Software, Inc. (Broadcom, Inc.)
Inventors
Ley, Alexander David, Jackson, Colin, Malm, Eric James, Levine, Stephen C., Robinson, Zachary D.
Primary Examiner(s)
Keehn, Richard G

Application Number

US16/129,517
Publication Number

US 20200084281A1
Time in Patent Office

650 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 67/1097   for distributed storage of ...

H04L 67/141   Setup of application sessio...

H04L 67/51   Discovery or management the...

H04W 12/068   using credential vaults, e....

Secure binding workflow

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure binding workflow

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links