AUTHENTICATED IDENTITY PROPAGATION AND TRANSLATION WITHIN A MULTIPLE COMPUTING UNIT ENVIRONMENT

US 20060288228A1
Filed: 08/29/2006
Published: 12/21/2006
Est. Priority Date: 03/15/2002
Status: Active Grant

First Claim

Patent Images

1. An authenticated identity propagation and translation method implemented via one or more computer programs executing at one or more computing components of a multi-component transaction processing environment, the method comprising:

establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function;

responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component;

validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and

further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authenticated identity propagation and translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing components of a multi-component transaction processing computing environment including distributed and mainframe computing components. The technique includes, in one embodiment, forwarding, in association with transaction requests, identified and authenticated user identification and authentication information from a distributed component to a mainframe component, facilitating the selection of the appropriate mainframe user identity with which to execute the mainframe portion of the transaction, and creating the appropriate run-time security context.

90 Citations

View as Search Results

20 Claims

1. An authenticated identity propagation and translation method implemented via one or more computer programs executing at one or more computing components of a multi-component transaction processing environment, the method comprising:
- establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function;
  
  responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component;
  
  validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and
  
  further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising responsive to receiving the further transaction request and associated distributed security information message at the at least one mainframe component, determining whether a local authenticated runtime security context already exists for the client-user initiating the transaction request at the distributed component, and if so, employing the existing local authenticated runtime security context in executing the further transaction request at the at least one mainframe component.
  - 3. The method of claim 2, wherein constructing the distributed security information message further comprises establishing a cryptographic hash of a payload of the distributed security information message using a secret key shared between security services of the distributed component and the at least one mainframe component, and forwarding the cryptographic hash with the distributed security information message to the at least one mainframe component, and wherein the determining comprises employing the cryptographic hash at the at least one mainframe component to determine whether the local authenticated runtime security context already exists at the at least one mainframe component for the client-user of the distributed component.
  - 4. The method of claim 1, wherein the constructing further comprises affixing a time-stamp to the distributed security information message, and wherein the further employing includes employing the time-stamp associated with the distributed security information message when creating the audit record representative of execution of the further transaction request at the at least one mainframe component, wherein tracking of the initiated transaction request and further transaction request is accomplished employing the authenticated client-user identity and the time-stamp associated with the distributed security information message constructed at the distributed component.
  - 5. The method of claim 4, wherein constructing the distributed security information message further comprises establishing a cryptographic hash of a payload of the distributed security information message using a secret key shared between security services of the distributed component and the at least one mainframe component, and the constructing including affixing as a prefix the cryptographic hash and the time-stamp to the payload of the distributed security information message at the distributed component for forwarding to the at least one mainframe component.
  - 6. The method of claim 1, further comprising transmitting the further transaction request and distributed security information message from the distributed component to the at least one mainframe component employing the security trust relationship therebetween, and wherein the validating at the at least one mainframe component occurs transparent to the client-user.
  - 7. The method of claim 1, wherein the distributed security information message further comprises a mainframe security realm within which the distributed component is defined, a security realm of the client-user at the distributed component, and an indication of a method by which the client-user was authenticated at the distributed component.
  - 8. The method of claim 7, wherein the further employing comprises employing the distributed security message information when creating the audit record so that the audit record describes the authenticated client-user identity initiating the transaction request at the distributed component, a security domain of the distributed component where the client-user was identified and authenticated, and the time-stamp indicating an approximate time that the transaction request was initiated.
  - 9. The method of claim 1, wherein the multi-component transaction processing environment further comprises a shared memory or storage securely accessible by the distributed component and by the at least one mainframe component, and wherein the method further comprises determining whether there is insufficient data bandwidth in existing communication protocol in use between the distributed component and the at least one mainframe component to include the distributed security information message with the further transaction request, and if so:
    - temporarily writing the distributed security information message to the shared memory or storage, generating a token representative thereof, passing the token from the distributed component to the at least one mainframe component through the existing communication protocol in use between the distributed component and the at least one mainframe component, and employing the token at the at least one mainframe component to retrieve the distributed security information message from the shared memory or storage.
  - 10. The method of claim 1, wherein the initiated transaction request at the distributed component results in multiple further transaction requests being forwarded to multiple mainframe components of the multi-component transaction processing environment, and wherein at least some mainframe components of the multiple mainframe components map the authenticated client-user identity of the client user at the distributed component to a different local mainframe identity employing the same distributed security information message, the at least some mainframe components of the multiple mainframe components employing different security services with disparate user registries and different user identities for the client-user.

11. An authenticated identity propagation and translation system for a multi-component transaction processing environment, the system comprising:
- means for establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function;
  
  means for constructing a distributed security information message at the distributed component responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and for appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component;
  
  means for validating the distributed security information message at the at least one mainframe component, and once validated, for mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and for creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and
  
  means for further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, further comprising means for determining, responsive to receiving the further transaction request and associated distributed security information message at the at least one mainframe component, whether a local authenticated runtime security context already exists for the client-user initiating the transaction request at the distributed component, and if so, for employing the existing local authenticated runtime security context in executing the further transaction request at the at least one mainframe component.
  - 13. The system of claim 12, wherein the means for constructing the distributed security information message further comprises means for establishing a cryptographic hash of a payload of the distributed security information message using a secret key shared between security services of the distributed component and the at least one mainframe component, and for forwarding the cryptographic hash with the distributed security information message to the at least one mainframe component, and wherein the means for determining comprises means for employing the cryptographic hash at the at least one mainframe component to determine whether the local authenticated runtime security context already exists at the at least one mainframe component for the client-user of the distributed component.
  - 14. The system of claim 11, wherein the means for constructing further comprises means for affixing a time-stamp to the distributed security information message, and wherein the means for further employing includes means for employing the time-stamp associated with the distributed security information message when creating the audit record representative of execution of the further transaction request at the at least one mainframe component, wherein tracking of the initiated transaction request and further transaction request is accomplished employing the authenticated client-user identity and the time-stamp associated with the distributed security information message constructed at the distributed component.
  - 15. The system of claim 14, wherein the means for constructing the distributed security information message further comprises means for establishing a cryptographic hash of a payload of the distributed security information message using a secret key shared between security services of the distributed component and the at least one mainframe component, and the means for constructing includes means for affixing as a prefix the cryptographic hash and the time-stamp to the payload of the distributed security information message at the distributed component for forwarding to the at least one mainframe component.
  - 16. The system of claim 11, wherein the distributed security information message further comprises a mainframe security realm within which the distributed component is defined, a security realm of the client-user at the distributed component, and an indication of a method by which the client-user was authenticated at the distributed component.
  - 17. The system of claim 16, wherein the means for further employing comprises means for employing the distributed security message information when creating the audit record so that the audit record describes the authenticated client-user identity initiating the transaction request at the distributed component, a security domain of the distributed component where the client-user was identified and authenticated, and the time-stamp indicating an approximate time that the transaction request was initiated.
  - 18. The system of claim 11, wherein the multi-component transaction processing environment further comprises a shared memory or storage securely accessible by the distributed component and by the at least one mainframe component, and wherein the system further comprises means for determining whether there is insufficient data bandwidth in existing communication protocol in use between the distributed component and the at least one mainframe component to include the distributed security information message with the further transaction request, and if so:
    - for temporarily writing the distributed security information message to the shared memory or storage, generating a token representative thereof, passing the token from the distributed component to the at least one mainframe component through the existing communication protocol in use between the distributed component and the at least one mainframe component, and employing the token at the at least one mainframe component to retrieve the distributed security information message from the shared memory or storage.
  - 19. The system of claim 11, wherein the initiated transaction request at the distributed component results in multiple further transaction requests being forwarded to multiple mainframe components of the multi-component transaction processing environment, and wherein at least some mainframe components of the multiple mainframe components map the authenticated client-user identity of the client user at the distributed component to a different local mainframe identity employing the same distributed security information message, the at least some mainframe components of the multiple mainframe components employing different security services with disparate user registries and different user identities for the client-user.

20. At least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform an authenticated identity propagation and translation method for a multi-component transaction processing environment, the method comprising:
- establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function;
  
  responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component;
  
  validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and
  
  further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dillenberger, Donna N., Dayka, John C., Guski, Richard H., Nelson, Mark A., Botz, Patrick S., Hahn, Timothy J., LaBelle, Margaret K.

Granted Patent

US 7,822,980 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2151   Time stamp

H04L 63/08   for authentication of entit...

AUTHENTICATED IDENTITY PROPAGATION AND TRANSLATION WITHIN A MULTIPLE COMPUTING UNIT ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

90 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

AUTHENTICATED IDENTITY PROPAGATION AND TRANSLATION WITHIN A MULTIPLE COMPUTING UNIT ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others