Techniques for managing heterogeneous key stores

US 20080123855A1
Filed: 11/28/2006
Published: 05/29/2008
Est. Priority Date: 11/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a key instruction in a first format, wherein the key instruction is directed to a first key store and a second key store, and wherein the first and second key stores use disparate interfaces from one another and use second and third formats, respectively to process instructions;

sending the key instruction in the first format to a first agent that is in communication with the first key store, wherein the first agent translates the key instruction from the first format to the second format and processes the key instruction against the first key store; and

forwarding the key instruction in the first format to a second agent that is in communication with the second key store, wherein the second agent translates the key instruction from the first format to the third format and processes the key instruction against the second key store.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing heterogeneous key stores are presented. A centralized key management service receives key instructions in a generic format. These key instructions are communicated to distributed key agents distributed over a network. The key agents translate the key instructions into native formats expected by distributed key stores. The key agents then process the key instructions in the native formats against the distributed key stores on behalf of the centralized key management service.

Citations

25 Claims

1. A method, comprising:
- receiving a key instruction in a first format, wherein the key instruction is directed to a first key store and a second key store, and wherein the first and second key stores use disparate interfaces from one another and use second and third formats, respectively to process instructions;
  
  sending the key instruction in the first format to a first agent that is in communication with the first key store, wherein the first agent translates the key instruction from the first format to the second format and processes the key instruction against the first key store; and
  
  forwarding the key instruction in the first format to a second agent that is in communication with the second key store, wherein the second agent translates the key instruction from the first format to the third format and processes the key instruction against the second key store.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, presenting one or more graphical views of keys to an administrator that identifies one or more of the following:
    - where each key is within a network, what resources are using each key within the network, expiration information associated with each key, valid uses of each key, certificate authorities associated with each key, and signers associated with each key.
  - 3. The method of claim 1, wherein receiving further includes identifying the key instruction as one of the following:
    - an instruction to create a new key store, an instruction to create or add a new key, an instruction to renew an existing key, an instruction to expire or delete the existing key, an instruction to import the new key or the existing key, an instruction to export the existing key, an instruction to move the existing key, an instruction to copy the existing key, and an instruction to modify metadata associated with the existing key.
  - 4. The method of claim 1 further comprising, securely communicating with the first and second agents over a wide area network (WAN).
  - 5. The method of claim 1 further comprising, authenticating an administrator that supplies the key instruction before communicating the key instruction to the first and second agents, wherein the administrator is authenticated to access both the first and second key stores during authentication.
  - 6. The method of claim 1 further comprising, synchronizing a master key store with the first and second key stores via ongoing communications with the first and second agents.
  - 7. The method of claim 1, wherein identifying further includes recognizing that the first key store and first agent reside in a different and disparate environment from the second key store and the second agent.

8. A method, comprising:
- receiving a key instruction from a master key management service, wherein the key instruction is in a first format;
  
  translating the key instruction from the first format to a native format associated with a first key store;
  
  processing the key instruction in the native format against the first key store; and
  
  reporting that the key instruction processed against the first key store to the master key management service.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising, establishing a trust relationship with the master key management service before receiving the key instruction.
  - 10. The method of claim 9 further comprising, parsing the key instruction in the first format to obtain a command identifier that identifies a command to process on the first key store and to obtain a corresponding parameter value or set of values to use with that command.
  - 11. The method of claim 10, wherein parsing further includes parsing the key instruction as an extensible markup language (XML) document represented as the first format.
  - 12. The method of claim 8 further comprising, logging history associated with accesses made to first key store by the key management service and by other services and reporting the history to the key management service upon request.
  - 13. The method of claim 8, wherein receiving further includes recognizing the key instruction as multiple chained instructions to perform against the first key store.
  - 14. The method of claim 8, wherein processing further includes performing one or more of the following actions in response to processing the key instruction on the first key store:
    - creating the first key store for a first time;
      
      changing an existing password for accessing the first key store;
      
      importing a private key certificate into the first key store;
      
      removing the private key certificate from the first key store;
      
      importing a trusted root into the first key store;
      
      removing the trusted root from the first key store;
      
      importing a signed certificate and associating it with a corresponding private key;
      
      retrieving a list of names or available private keys that are housed in the first key store;
      
      retrieving a particular private key from the first key store;
      
      retrieving each of the available private keys from the first key store; and
      
      generating and retrieving certificate signing requests (CSR'"'"'s) for a given private key after generating that private key.

15. A system, comprising:
- a centralized key management service; and
  
  distributed key agents, wherein the centralized key management service is to present a unified administrative interface to administrators to perform key instructions in a generic format, and wherein the centralized key management service is to securely communicate the key instructions to the distributed key agents in the generic format, and each distributed key agent is to translate the key instructions into native formats recognized by distributed key stores and to further process the key instructions in those native formats on the distributed key stores on behalf of the centralized key management service.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15 further comprising, a centralized key store, which is to be maintained and to be managed by the centralized key management service, to house keys and key information dispersed over a network in the distributed key stores, and wherein the keys and key information are housed in the centralized key store in the generic format.
  - 17. The system of claim 15, wherein the centralized key management service is to present custom views to the administrators to discern information regarding keys appearing in a network within each of the distributed key stores.
  - 18. The system of claim 15, wherein at least one of the distributed key agents is responsible for managing one or more of the distributed key stores.
  - 19. The system of claim 15, wherein the centralized key management service is to resolve instruction category types for the key instructions that a particular one of the administrators may request in response to identity and policy resolution.
  - 20. The system of claim 15, wherein the centralized key management service and the distributed key agents are to cooperate to synchronize the distribute key stores with a centralized key store maintained and managed by the centralized key management service.

21. A centralized key store implemented in a machine-accessible medium to dispense and maintain access information for resources of a network, the centralized key store including a plurality of records and each record comprising:
- a distributed key store identifier to identify a distributed key store;
  
  a category type that is to be associated with the distributed key store;
  
  a path, within an environment of the distributed key store, that is to be used to reach the distributed key store;
  
  an access secret that is to be used to access the distributed key store; and
  
  key store elements that is to define keys and other key information included within the distributed key store.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The centralized key store of claim 21, wherein each record is encoded in extensible markup language (XML) format or a database format.
  - 23. The centralized key store of claim 21, wherein each record further includes one or more of the following:
    - a flag to indicate whether the distributed key store includes just trusted roots;
      
      a resource identifier to identify a resource that requests a login to the distributed key store;
      
      a tree structure to represent a tree relationship for the key store elements;
      
      a server identifier to identify a key generation service used by the distributed key store;
      
      a trust container structure to represent a directory name of a trusted root container object;
      
      an Internet Protocol (IP) address to use to connect to the distributed key store;
      
      a port identifier to identify a predefined port of a machine used to connect to the distributed key store; and
      
      a post update command to identify a command to invoke after the distributed key store is updated.
  - 24. The centralized key store of claim 21, wherein an Application Programming Interface (API) is to provide access to each of the records, and wherein changes made via commands of the API are propagated to the distributed key store over a network and propagated in a native format expected by the distributed key store.
  - 25. The centralized key store of claim 24, wherein policy restricts which resources can access which of the commands associated with the API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Thomas, James Gordon

Granted Patent

US 8,116,456 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/0894 Escrow, recovery or storing...

Techniques for managing heterogeneous key stores

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for managing heterogeneous key stores

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links