Methods, systems and computer program products for transferring security processing between processors in a cluster computing environment
Abstract
Methods, systems and computer program products provide for transferring network security based communications from a first distribution processor, which provides secure communications over a network in a distributed workload environment having target hosts which are accessed through the first distribution processor by a common network address, to a second distribution processor. Information sufficient to restart the transferred network security based communications at the second distribution processor is provided. Takeover of the common address by the second distribution processor is detected and existing network security based communications to the first distribution processor are terminated. The transferred communications are restarted at the second distribution processor utilizing the provided information. Both inbound and outbound network security based communications with target hosts utilizing the common network address are routed through the second distribution processor. Network security processing for both the inbound and the outbound network security based communications utilizing the common network address is performed at the second distribution processor.
23 Claims
1. A method of transferring network security based communications from a first distribution processor, which provides secure communications over a network in a distributed workload environment having target hosts which are accessed through the first distribution processor by a common network address, to a second distribution processor, the method comprising:
providing information sufficient to restart the transferred network security based communications at the second distribution processor;
detecting takeover of the common address by the second distribution processor;
terminating existing network security based communications to the first distribution processor;
restarting the transferred network security based communications at the second distribution processor utilizing the provided information;
routing both inbound and outbound network security based communications with target hosts utilizing the common network address through the second distribution processor; and
network security processing both the inbound and the outbound network security based communications utilizing the common network address at the second distribution processor.
[Dependent claims 2-10 not reproduced.]
11. A method of transferring Internet Protocol Security (IPSec) communications from a first routing communication protocol stack to a second routing communication protocol stack, wherein the first routing communication protocol stack routes the IPSec communications from a network to a plurality of application instances executing on a cluster of data processing systems utilizing a virtual Internet Protocol Address (VIPA) Distributor and which distributes the IPSec communications for connections to at least one dynamically routable VIPA (DVIPA) to a plurality of target communication protocol stacks, the method comprising the steps of:
detecting takeover of the at least one DVIPA by the second routing communication protocol stack;
reading IPSec information for IPSec security associations (SAs) associated with the at least one DVIPA from a coupling facility of the cluster of data processing systems;
deleting the IPSec SAs associated with the at least one DVIPA at the first routing communication protocol stack;
renegotiating the IPSec SAs between the second routing communication protocol stack and remote IPSec peers utilizing the at least one DVIPA based on the IPSec information read from the coupling facility;
re-routing the connections to the at least one DVIPA through the second routing communication protocol stack; and
performing IPSec processing for the re-routed connections to the at least one DVIPA at the second routing communication protocol stack utilizing the renegotiated IPSec SAs.
[Dependent claims 12-19 not reproduced.]
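As an added illustration that is not part of the patent, the following Python models the takeover sequence of claim 11 on constructed data: a shared dictionary stands in for the coupling facility, the SPI counter stands in for a real IKE exchange, and the DVIPA, peer addresses and proposal labels are assumptions.

```python
import itertools
from dataclasses import dataclass, field
_spi = itertools.count(0x1000)  # constructed SPI source; stands in for a real IKE exchange

@dataclass
class SA:
    dvipa: str
    peer: str
    spi: int
    proposal: str  # constructed label for the negotiated transform set

@dataclass
class RoutingStack:
    dvipas: set = field(default_factory=set)
    sas: list = field(default_factory=list)
    connections: dict = field(default_factory=dict)  # connection id -> DVIPA

# The coupling facility is modelled as a shared dict: DVIPA -> [(peer, proposal), ...].
# It carries only what renegotiation needs, never the SA keys themselves.
def negotiate(stack, cf, dvipa, peer, proposal):
    # normal operation: the owning stack negotiates an SA and records it in the CF
    sa = SA(dvipa, peer, next(_spi), proposal)
    stack.sas.append(sa)
    cf.setdefault(dvipa, []).append((peer, proposal))
    return sa

def takeover(dvipa, old, new, cf):
    """The steps of claim 11 in order; returns the SAs renegotiated on `new`."""
    old.dvipas.discard(dvipa); new.dvipas.add(dvipa)               # takeover of the DVIPA detected
    info = cf.get(dvipa, [])                                         # read SA information from the CF
    old.sas = [sa for sa in old.sas if sa.dvipa != dvipa]            # delete SAs at the first stack
    renewed = [SA(dvipa, p, next(_spi), prop) for p, prop in info]   # renegotiate with each peer
    new.sas.extend(renewed)
    new.connections.update({c: d for c, d in old.connections.items() if d == dvipa})  # re-route
    old.connections = {c: d for c, d in old.connections.items() if d != dvipa}
    return renewed

def ipsec_ready(stack, dvipa, peer):
    # IPSec processing for a connection is possible only where the stack holds the SA
    return any(sa.dvipa == dvipa and sa.peer == peer for sa in stack.sas)

def demo():
    """Constructed scenario: stack A owns DVIPA 10.0.0.5 with two peers, then B takes it over."""
    cf = {}
    a, b = RoutingStack({"10.0.0.5", "10.0.0.6"}), RoutingStack()
    negotiate(a, cf, "10.0.0.5", "198.51.100.7", "ESP-AES-SHA")
    negotiate(a, cf, "10.0.0.5", "198.51.100.9", "ESP-AES-SHA")
    a.connections = {"c1": "10.0.0.5", "c2": "10.0.0.5", "c3": "10.0.0.6"}
    old_spis = {sa.spi for sa in a.sas}
    return a, b, takeover("10.0.0.5", a, b, cf), old_spis
```

Note that the SAs are renegotiated, not copied: the new stack ends up with fresh SPIs, and traffic for a DVIPA the second stack did not take over stays where it was.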
20. A system for transferring network security based communications from a first distribution processor, which provides secure communications over a network in a distributed workload environment having target hosts which are accessed through the first distribution processor by a common network address, to a second distribution processor, comprising:
means for providing information sufficient to restart the transferred network security based communications at the second distribution processor;
means for detecting takeover of the common address by the second distribution processor;
means for terminating existing network security based communications to the first distribution processor;
means for restarting the transferred network security based communications at the second distribution processor utilizing the provided information;
means for routing both inbound and outbound network security based communications with target hosts utilizing the common network address through the second distribution processor; and
means for network security processing both the inbound and the outbound network security based communications utilizing the common network address at the second distribution processor.
21. A system for transferring Internet Protocol Security (IPSec) communications from a first routing communication protocol stack to a second routing communication protocol stack, wherein the first routing communication protocol stack routes the IPSec communications from a network to a plurality of application instances executing on a cluster of data processing systems utilizing a virtual Internet Protocol Address (VIPA) Distributor and which distributes the IPSec communications for connections to at least one dynamically routable VIPA (DVIPA) to a plurality of target communication protocol stacks, comprising:
means for detecting takeover of the at least one DVIPA by the second routing communication protocol stack;
means for reading IPSec information for IPSec security associations (SAs) associated with the at least one DVIPA from a coupling facility of the cluster of data processing systems;
means for deleting the IPSec SAs associated with the at least one DVIPA at the first routing communication protocol stack;
means for renegotiating the IPSec SAs between the second routing communication protocol stack and remote IPSec peers utilizing the at least one DVIPA based on the IPSec information read from the coupling facility;
means for re-routing the connections to the at least one DVIPA through the second routing communication protocol stack; and
means for performing IPSec processing for the rerouted connections to the at least one DVIPA at the second routing communication protocol stack utilizing the renegotiated IPSec SAs.
22. A computer program product for transferring network security based communications from a first distribution processor, which provides secure communications over a network in a distributed workload environment having target hosts which are accessed through the first distribution processor by a common network address, to a second distribution processor, comprising:
a computer readable medium having computer readable program code embodied therein, the computer readable program code comprising:
computer readable program code which provides information sufficient to restart the transferred network security based communications at the second distribution processor;
computer readable program code which detects takeover of the common address by the second distribution processor;
computer readable program code which terminates existing network security based communications to the first distribution processor;
computer readable program code which restarts the transferred network security based communications at the second distribution processor utilizing the provided information;
computer readable program code which routes both inbound and outbound network security based communications with target hosts utilizing the common network address through the second distribution processor; and
computer readable program code which network security processes both the inbound and the outbound network security based communications utilizing the common network address at the second distribution processor.
23. A computer program product for transferring Internet Protocol Security (IPSec) communications from a first routing communication protocol stack to a second routing communication protocol stack, wherein the first routing communication protocol stack routes the IPSec communications from a network to a plurality of application instances executing on a cluster of data processing systems utilizing a virtual Internet Protocol Address (VIPA) Distributor and which distributes the IPSec communications for connections to at least one dynamically routable VIPA (DVIPA) to a plurality of target communication protocol stacks, comprising:
a computer readable medium having computer readable program code embodied therein, the computer readable program code comprising:
computer readable program code which detects takeover of the at least one DVIPA by the second routing communication protocol stack;
computer readable program code which reads IPSec information for IPSec security associations (SAs) associated with the at least one DVIPA from a coupling facility of the cluster of data processing systems;
computer readable program code which deletes the IPSec SAs associated with the at least one DVIPA at the first routing communication protocol stack;
computer readable program code which renegotiates the IPSec SAs between the second routing communication protocol stack and remote IPSec peers utilizing the at least one DVIPA based on the IPSec information read from the coupling facility;
computer readable program code which reroutes the connections to the at least one DVIPA through the second routing communication protocol stack; and
computer readable program code which performs IPSec processing for the re-routed connections to the at least one DVIPA at the second routing communication protocol stack utilizing the renegotiated IPSec SAs.