Method and system for managing security material and sevices in a distributed database system

US 20040078569A1
Filed: 10/21/2002
Published: 04/22/2004
Est. Priority Date: 10/21/2002
Status: Active Grant

First Claim

Patent Images

1. A method for managing security material in a database system comprising at least one first database, at least one second database, and at least one third database, which method comprises steps, wherein:

said first database stores security material to be used in the database system, said security material is distributed from said first database to said third database, and said third database uses said security material to do one of the following;

to authenticate at least one application program and to authorize said at least one application program to access said second database in the database system.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is introduced for managing security material and security services, and for securely distributing them in a distributed database system where one or multiple distributed applications operate on distributed data. One database hosted by database server 21 contains master version of the security data of databases hosted by database servers 22 and 23. The database hosted by database server 21 has a global view of the security material for managing security of databases 28, 29. A special database type, a Security Manager (SM), is responsible of providing security services to application database of a database server. This helps to control application programs to access data of a database in a database server. This also facilitates the security management issues of complex database topologies, such as multi-tier hierarchies or multi-master topologies.

125 Citations

67 Claims

1. A method for managing security material in a database system comprising at least one first database, at least one second database, and at least one third database, which method comprises steps, wherein:
- said first database stores security material to be used in the database system, said security material is distributed from said first database to said third database, and said third database uses said security material to do one of the following;
  
  to authenticate at least one application program and to authorize said at least one application program to access said second database in the database system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A method according to claim 1, wherein:
    - said third database uses said security material to authenticate at least one application program and authorize said at least one application program to access said second database in the database system.
  - 3. A method according to claim 1, wherein said first database provides a global view of at least some of said security material in the database system.
  - 4. A method according to claim 1, wherein said security material comprises at least some material that relates to managing access to the data of at least one said second database in the database system.
  - 5. A method according to claim 1, wherein said security material is frequently changeable.
  - 6. A method according to claim 1, wherein said first database is a master database.
  - 7. A method according to claim 1, wherein said second database is one of the following:
    - a master database or a replica database.
  - 8. A method according to claim 1, wherein said third database assigned to said second database is a replica database.
  - 9. A method according to claim 4, wherein said security material comprises at least some identity information embedded in an application program.
  - 10. A method according to claim 9, wherein said security material is encrypted.
  - 11. A method according to claim 1, comprising steps, wherein;
    - said security material is defined in a first database, said security material relating to said second database is exchanged between a first database and a third database, said third database uses said security material for authenticating at least one application program and authorizing said at least one application program to access data of a specified second database.
  - 12. A method according to claim 11, wherein said first database is a master database created for managing said security material.
  - 13. A method according to claim 11, wherein said third database is a replica database created for managing said security material.
  - 14. A method according to claim 1, wherein;
    - at least one application program of said second database, said application program comprising at least one security material, sends a request to access at least one said second database, at least one said third database assigned to said second database receives the request, at least one said third database sends at least one challenge relating to said security material to said application program of said second database, and an access to at least one said second database is granted or revoked by said third database on the basis of the response of said application program to said challenge, said challenge relating to said security material.
  - 15. A method according to claim 14, wherein said second database is one of the following:
    - a master database or a replica database.
  - 16. A method according to claim 1, wherein client application'"'"'s access to said second database of said second database server is authorized, comprises steps;
    - determining said security material for said second database in said first database, distributing said security material to said third database from said first database, logging in to said second database server, sending a request to access application data of said second database from said client application to said second database server, receiving said request from said client application in said third database and sending at least one challenge relating to said security material to said client application from said third database, responding to said challenge, said challenge relating to said security material, said challenge sent from said third database to said client application, approving the request from said client application by said third database and opening said second database by said third database, and allowing said client application to access said application data of said second database.
  - 17. A method according to claim 16, wherein a failure to respond said challenge, said challenge sent from said third database to said client application, results a security alert to be propagated to said first database.
  - 18. A method according to claim 1, wherein said second database is assigned to be in a role of said third database in a database system.
  - 19. A method according to claim 1, wherein the method is compliant with at least one of the following communication specifications:
    - TCP/IP, CDMA, GSM, HSCSD, GPRS, WCDMA, EDGE, Bluetooth, UMTS, Teldesic, Iridium, Inmarsat, WLAN, DIGI-TV, ISDN, xDSL, RPC, Home-PNA, and imode.
  - 20. A method according to claim 1, wherein at least one of the following operating systems is used in at least one terminal comprising at least one of the second databases of the database system:
    - UNIX, MS-Windows, Symbian, NT, MS Windows CE, Linux, PalmOS, and GEOS.
  - 21. A method according to claim 1, wherein at least one of the following operation systems is used in at least one server comprising at least one of the first databases of the database system:
    - UNIX, MS-Windows, Linux.

22. A system for managing security material in a database system comprising at least one first database, at least one second database, and at least one third database, wherein;
- said first database is arranged to store security material to be used in the database system, said security material is arranged to be distributed from said first database to said third database, and said third database is arranged to use said security material to do one of the following;
  
  to authenticate and authorize applications that are attempting to access said second database in the database system.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 23. A system according to claim 22, wherein:
    - said third database is arranged to use said security material to authenticate and authorize applications that are attempting to access said second database in the database system.
  - 24. A system according to claim 22, comprising at least one first database server and at least one second database server, wherein;
    - a first database is arranged to be managed by at least one of said first database servers, and a second database and a third database is arranged to be managed by at least one of said second database servers.
  - 25. A system according to claim 22, wherein said first database comprises means for providing a global view of at least some of said security material in the database system.
  - 26. A system according to claim 22, wherein said security material is arranged to comprise at least some material that relates to managing access to the data of at least one said second database.
  - 27. A system according to claim 22, wherein said first database is arranged to be a master database.
  - 28. A system according to claim 22, wherein said second database is arranged to be one of the following:
    - a master database or a replica database.
  - 29. A system according to claim 22, wherein said third database assigned to said second database is arranged to be a replica database
  - 30. A system according to claim 26, wherein said security material is arranged to comprise at least some application identity information that is derived from data embedded in an application program.
  - 31. A system according to claim 30, wherein said security material is arranged to be encrypted.
  - 32. A system according to claim 24, wherein the system comprises means for defining said security material in a first database, means for exchanging said security material relating to said second database between a first database and a third database, and means for authenticating on the basis of said security material at least one application program and authorizing said application program to access data of a specified second database.
  - 33. A system according to claim 32, wherein said first database is arranged to be a master database created for managing said security material.
  - 34. A system according to claim 32, wherein said third database is arranged to be a replica database created for managing said security material.
  - 35. A system according to claim 24, wherein;
    - at least one application program of said second database, said application program comprising at least one security material, is arranged to send a request to access at least one said second database, at least one said third database assigned to manage the access to said second database is arranged to receive said request, at least one said third database is arranged to send at least one challenge relating to said security material to said application program of said second database, and said application'"'"'s access to at least one said second database is arranged to be granted or revoked by said third database on the basis of the response of said application program to said challenge, said challenge relating to said security material.
  - 36. A system according to claim 35, wherein said third database is arranged to be synchronized with said first database.
  - 37. A system according to claim 35, wherein said second database is arranged to be one of the following:
    - a master database or a replica database.
  - 38. A system according to claim 24, where an access to said second database is authorized, wherein the system comprises means for determining said security material for said second database in said first database, means for distributing said security material to said third database from said first database, means for logging in to said second database server, means for sending a request to access application data of said second database from said client application to said third database, means for receiving said request from said client application in said third database and sending at least one challenge relating to said security material to said client application from said third database, means for responding to said challenge, said challenge relating to said security material, said challenge sent from said third database to said client application, means for approving the request from said client application by said third database using said security material and opening said second database by said third database, and means for allowing said client application to access to said application data of said second database.
  - 39. A system according to claim 38, wherein a failure to respond said challenge, said challenge sent from said third database to said client application, is arranged to result a security alert to be propagated to said first database.
  - 40. A system according to claim 22, wherein said second database is arranged to be assigned in a role of said third database in a database system.
  - 41. A system according to claim 22, wherein the system is compliant with at least one of the following communication specifications:
    - TCP/IP, CDMA, GSM, HSCSD, GPRS, WCDMA, EDGE, Bluetooth, UMTS, Teledesic, Iridium, Inmarsat, WLAN, DIGI-TV, ISDN, xDSL, RPC, Home-PNA, and imode.
  - 42. A system according to claim 22, wherein at least one of the following operating systems is used in at least one terminal comprising at least one of the second databases of the database system:
    - UNIX, MS-Windows, Symbian, NT, MS Windows CE, Linux, PalmOS, and GEOS.
  - 43. A system according to claim 22, wherein at least one of the following operation systems is used in at least one server comprising at least one of the first databases of the database system:
    - UNIX, MS-Windows, Linux.

44. A first database server for managing security material in a database system, the first database server comprising at least one first database, where said first database is in data connection with at least one second database server comprising at least one second database in a database system, wherein;
- said first database is arranged to store security material to be used in the database system, said security material is arranged to be synchronized between said first database server and said second database server, and said second database server is arranged to use said security material to do one of the following;
  
  to authenticate at least one application program and to authorize the said at least one application program to access said second database in the database system.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 45. A first database server according to claim 44, wherein said second database server is arranged to use said security material to authenticate at least one application program and to authorize the said at least one application program to access said second database in the database system.
  - 46. A first database server according to claim 44, wherein at least one second database server comprises at least one second database and at least one third database in a database system, and said third database is arranged to use said security material to control access authentication to said second database in the database system.
  - 47. A first database server according to claim 44, wherein said first database comprises means for providing a global view of at least some of said security material in the database system.
  - 48. A first database server according to claim 44, wherein said security material is arranged to comprise at least some material that relates to managing access to the data of at least one said second database.
  - 49. A first database server according to claim 44, wherein said first database is arranged to be a master database which is in data connection with said third database of said second database server.
  - 50. A first database server according to claim 44, wherein at least one first database comprises:
    - means for defining said security material in said first database, means for distributing said security material to said third database, and means for authenticating on the basis of said security material at least one application program wanting to access data of a said second database.
  - 51. A first database server according to claim 50, wherein a security alert is arranged to be received from said second database server in a failure to respond said challenge, said challenge sent from said third database to said client application.
  - 52. A first database server according to claim 50, wherein said first database is arranged to be a master database created for managing said security material.
  - 53. A first database server according to claim 44, wherein the first database server is compliant with at least one of the following communication specifications:
    - TCP/IP, CDMA, GSM, HSCSD, GPRS, WCDMA, EDGE, Bluetooth, UMTS, Teldesic, Iridium, Inmarsat, WLAN, DIGI-TV, ISDN, xDSL, RPC, Home-PNA, and imode.
  - 54. A first database server according to claim 44, wherein at least one of the following operation systems is used:
    - UNIX, MS-Windows, Linux.

55. A second database server for managing security material in a database system, the second database server comprising at least one second database and at least one third database, where at least one third database is in data connection with at least one first database server comprising at least one first database, wherein;
- said second database is arranged to use security material created by said first database, said security material relating to said second database is arranged to be synchronized between said first database and said third database, and said third database is arranged to do one of the following;
  
  to authenticate at least one application program and to authorize said at least one application program to access said second database in the database system, on the basis of the said security material.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67)
- - 56. A second database server according to claim 55, wherein:
    - said third database is arranged authenticate at least one application program and to authorize said at least one application program to access said second database in the database system, on the basis of the said security material.
  - 57. A second database server according to claim 55, wherein said security material is arranged to comprise at least some material that relates to managing access to the data of at least one said second database.
  - 58. A second database server according to claim 55, wherein said second database is arranged to be one of the following:
    - a master database or a replica database.
  - 59. A second database server according to claim 55, wherein said third database assigned to said second database is arranged to be a replica database which is in data connection with said first database.
  - 60. A second database server according to claim 55, wherein the second database server comprises means for distributing said security material relating to said second database from said first database to said third database, and means for authenticating on the basis of said security material at least one application program attempting to access data of a specified second database.
  - 61. A second database server according to claim 60, wherein said first database is arranged to be a master database for managing said security material in a database system.
  - 62. A second database server according to claim 60, wherein said third database is arranged to be a replica database for managing said security material.
  - 63. A second database server according to claim 60, wherein said security material is arranged to be related to at least some application identity information embedded in an application program.
  - 64. A second database server according to claim 60, wherein said security material is arranged to be encrypted.
  - 65. A second database server according to claim 55, wherein a security alert is arranged to be sent to said first database server in a failure to respond said challenge, said challenge sent from said third database to said client application.
  - 66. A second database server according to claim 55, wherein the second database server is compliant with at least one of the following communication specifications:
    - TCP/IP, CDMA, GSM, HSCSD, GPRS, WCDMA, EDGE, Bluetooth, UMTS, Telsedic, Iridium, Inmarsat, WLAN, DIGI-TV, ISDN, xDSL, RPC, Home-PNA, and imode.
  - 67. A second database server according to claim 55, wherein at least one of the following operation systems is used:
    - UNIX, MS-Windows, Linux.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Solid Information Technology Oy (International Business Machines Corporation)
Inventors
Hotti, Timo

Granted Patent

US 7,266,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/6227 where protection concerns t...

Y10S 707/99939 Privileged access

Method and system for managing security material and sevices in a distributed database system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

67 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security material and sevices in a distributed database system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

67 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links