Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters

US 20090190758A1
Filed: 01/25/2008
Published: 07/30/2009
Est. Priority Date: 01/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method for providing secure communications in a High Availability (HA) cluster, the method comprising the steps of:

detecting an unavailability of a first service application process;

switching a second service application process from a first state to a second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster;

generating a private key for the second service application process based on the second state of the second service application process; and

wherein the set of rights associated to the second state of the second service application process allows the second service application process to replace the first service application process for providing secure communications between the second service application and other service application processes in the HA cluster as provided prior the detection of the unavailability of the first service application process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and communication node for providing secure communications and services in a High Availability (HA) cluster. The communication node comprises an Operating System (OS) that detects an unavailability of a first service application process and switches a second service application process from the first state to the second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster. The OS generates a private key for the second service application process based on its second state. The set of rights associated to the second state allows the OS to replace the first service application process with the second service application process for providing secure communications between the second service application and other service application processes in the HA cluster.

Citations

20 Claims

1. A method for providing secure communications in a High Availability (HA) cluster, the method comprising the steps of:
- detecting an unavailability of a first service application process;
  
  switching a second service application process from a first state to a second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster;
  
  generating a private key for the second service application process based on the second state of the second service application process; and
  
  wherein the set of rights associated to the second state of the second service application process allows the second service application process to replace the first service application process for providing secure communications between the second service application and other service application processes in the HA cluster as provided prior the detection of the unavailability of the first service application process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the method further comprises the steps of:
    - sending messages from the second service application process to a third service application, the messages being signed using the private key corresponding to a public key of the second service application process; and
      
      determining whether the second service application process is from a same security domain and whether the second service application process is in an active state based on a public key of the second service application process, the public key encoding a component name, a state of the second service application process and a security domain of the second service application process.
  - 3. The method of claim 2, wherein the method further comprises the steps of:
    - rejecting a request message from the second service application process, if the second service application process is in a state that is different than an active state; and
      
      allowing the request message of the second service application process, if the second service application process is in an active state.
  - 4. The method of claim 2, wherein the at least third service application process is a service application process in a standby state.
  - 5. The method of claim 2, wherein the at least third service application process is a service application process in an active state.
  - 6. The method of claim 1, wherein the step of generating further comprises the step of:
    - determining whether the second state of the second service application is an active state;
      
      sending a request from the second service application process to an operating system (OS) of a communication node for obtaining a private key; and
      
      generating the private key using a private key generator for generating pairs of private and public keys for the second service application process, the private key corresponding to the public key of the second service application process.
  - 7. The method of claim 1, wherein secure communications between the second service application process and other service application process are provided with signed messages sent from the second service application process to other service application processes, the signed messages being signed with the private key of the second service application process.
  - 8. The method of claim 1, wherein the first service application process and the second service application process are located in the same security domain.
  - 9. The method of claim 1, wherein the first service application process and the second service application process are part of the same component name.

10. A communication node for providing services in a High Availability (HA) cluster of interconnected communication nodes, the communication node comprising:
- an Operating System (OS) for detecting an unavailability of a first service application process and switching a second service application process from a first state to a second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster;
  
  a private key generator located in the OS for generating a private key for the second service application process based on the second state of the second service application process; and
  
  wherein the set of rights associated to the second state of the second service application process allows the OS to replace the first service application process with the second service application process for providing secure communications between the second service application and other service application processes in the HA cluster as provided prior the detection of the unavailability of the first service application process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The communication node of claim 10, wherein the OS further comprises a table for listing a component name, a state and the security domain of the second service application process, component name, a state and the security domain of the second service application process being encoded in a public key of the second service application process.
  - 12. The communication node of claim 11, wherein the second service application process sends messages to a third service application, the messages being signed using the private key corresponding to the public key of the second service application process.
  - 13. The communication node of claim 12, wherein the OS determines following the reception of a message at the third service application process, whether the second service application process is from a same security domain and whether the second service application process is in an active state based on a public key of the second service application process based on the public key of the second service application process.
  - 14. The communication node of claim 13, wherein the OS rejects a sent message from the second service application process, if the second service application process is in a state that is different than an active state and allows the request message of the second service application process, if the second service application process is in an active state.
  - 15. The communication node of claim 12, wherein the third service application process is a service application process in a standby state.
  - 16. The communication node of claim 12, wherein the at least third service application process is a service application process in an active state.
  - 17. The communication node of claim 10, wherein the OS further determines whether the second state of the second service application is an active state, receives from the second service application process a request for obtaining a private key, the private key corresponding to the public key of the second service application process.
  - 18. The communication node of claim 10, wherein secure communications between the second service application process and other service application process are provided with signed messages sent from the second service application process to other service application processes, the signed messages being signed with the private key of the second service application process.
  - 19. The communication node of claim 10, wherein the first service application process and the second service application process are located in the same security domain.
  - 20. The communication node of claim 10, wherein the first service application process and the second service application process are part of the same component name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Rossi, Frederic, Pourzandi, Makan

Granted Patent

US 8,630,415 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/255
CPC Class Codes

G06F 11/1482   by means of middleware or O...

G06F 11/2025   using centralised failover ...

G06F 11/203   using migration

G06F 9/468   Specific access rights for ...

Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links