SECURELY AND AUTOMATICALLY CONNECTING VIRTUAL MACHINES IN A PUBLIC CLOUD TO CORPORATE RESOURCE

US 20120233678A1
Filed: 03/10/2011
Published: 09/13/2012
Est. Priority Date: 03/10/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by an enterprise computing system programmed to perform the following, comprising:

starting, by a cloud engine of the enterprise computing system, an exchange with an authentication server that leads to a state in which both the cloud engine and the authentication server know a one-time password (OTP) and an identifier (ID) of a virtual machine (VM), the VM hosted by a cloud computing system coupled to the enterprise computing system via a network;

sending, by the enterprise computing system, the OTP and the ID to the VM; and

establishing, by the enterprise computing system, a secure connection to the VM upon authenticating credentials submitted by the VM against the OTP and the ID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for securely and automatically connecting a virtual machine in a public cloud to corporate resources. A cloud computing system is coupled to an enterprise computing system via a network. The enterprise computing system includes a management server, an authentication server and a virtual private network (VPN) server. A cloud engine runs on the management server. The cloud engine starts an exchange with the authentication server that leads to a state in which both parties know a one-time password (OTP) and an identifier (ID) of a virtual machine (VM) hosted by the cloud computing system. The cloud engine sends the OTP and the ID to the VM. The VPN server then receives credentials from the VM. If the credentials are successfully authenticated against the OTP and the ID, a secure connection is established between the enterprise computing system and the VM.

Citations

20 Claims

1. A method, implemented by an enterprise computing system programmed to perform the following, comprising:
- starting, by a cloud engine of the enterprise computing system, an exchange with an authentication server that leads to a state in which both the cloud engine and the authentication server know a one-time password (OTP) and an identifier (ID) of a virtual machine (VM), the VM hosted by a cloud computing system coupled to the enterprise computing system via a network;
  
  sending, by the enterprise computing system, the OTP and the ID to the VM; and
  
  establishing, by the enterprise computing system, a secure connection to the VM upon authenticating credentials submitted by the VM against the OTP and the ID.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - generating the OTP by each of the cloud engine and the authentication server based on information shared between the cloud engine and the authentication server.
  - 3. The method of claim 1, further comprising:
    - generating the OTP by one of the cloud engine and the authentication server; and
      
      passing the OTP to the other one of the cloud engine and the authentication server.
  - 4. The method of claim 1, further comprising:
    - generating the OTP using a software token or a seed shared between the cloud engine and the authentication server.
  - 5. The method of claim 1, further comprising:
    - creating an account for the VM in the authentication server, the account comprising the OTP and the ID.
  - 6. The method of claim 5, further comprising:
    - creating the account for the VM before receiving a request to start he VM; and
      
      enabling the account upon receiving the request to start the VM.
  - 7. The method of claim 1, wherein receiving credentials from the VM further comprises:
    - receiving, by a virtual private network (VPN) server, the credentials from the VM; and
      
      sending, by the VPN server, the credentials to the authentication server for authentication.

8. A system comprising:
- a management server, which includes a cloud engine that sends a one-time password (OTP) and an identifier (ID) to a virtual machine (VM), the VM hosted by a cloud computing system coupled to the management server via a network, wherein the cloud engine starts an exchange with an authentication server that leads to a state in which both the cloud engine and the authentication server know the OTP and the ID;
  
  a virtual private network (VPN) server to receive credentials from the VM; and
  
  the authentication server coupled to the management server and the VPN server to establish a secure connection to the VM upon authenticating the credentials against the OTP and the ID.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the OTP is generated by each of the cloud engine and the authentication server based on information shared between the cloud engine and the authentication server.
  - 10. The system of claim 8, wherein the OTP is generated by one of the cloud engine and the authentication server, and passed to the other one of the cloud engine and the authentication server.
  - 11. The system of claim 8, wherein the OTP is generated based on a software token or a seed shared between the cloud engine and the authentication server.
  - 12. The system of claim 8, wherein the authentication server stores an account for the VM, the account comprising the OTP and the ID.
  - 13. The system of claim 12, wherein the account is pre-created before a request is received to start the VM, and is enabled upon receipt of the request to start the VM.

14. A non-transitory computer readable storage medium including instructions that, when executed by a processing system, cause the processing system to perform a method comprising:
- starting, by a cloud engine of an enterprise computing system, an exchange with an authentication server that leads to a state in which both the cloud engine and the authentication server know a one-time password (OTP) and an identifier (ID) of a virtual machine (VM), the VM hosted by a cloud computing system coupled to the enterprise computing system via a network;
  
  sending, by the enterprise computing system, the OTP and the ID to the VM; and
  
  establishing, by the enterprise computing system, a secure connection to the VM upon authenticating credentials submitted by the VM against the OTP and the ID.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer readable storage medium of claim 14, further comprising:
    - generating the OTP by each of the cloud engine and the authentication server based on information shared between the cloud engine and the authentication server.
  - 16. The computer readable storage medium of claim 14, further comprising:
    - generating the OTP by one of the cloud engine and the authentication server; and
      
      passing the OTP to the other one of the cloud engine and the authentication server.
  - 17. The computer readable storage medium of claim 14, further comprising:
    - generating the OTP using a software token or a seed shared between the cloud engine and the authentication server.
  - 18. The computer readable storage medium of claim 14, further comprising:
    - creating an account for the VM in the authentication server, the account comprising the OTP and the ID.
  - 19. The computer readable storage medium of claim 18, further comprising:
    - creating the account for the VM before receiving a request to start the VM; and
      
      enabling the account upon receiving the request to start the VM.
  - 20. The computer readable storage medium of claim 14, wherein receiving credentials from the VM further comprises:
    - receiving, by a virtual private network (VPN) server, the credentials from the VM; and
      
      sending, by the VPN server, the credentials to the authentication server for authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Pal, Dmitri V.

Granted Patent

US 8,863,257 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/445   by mutual authentication, e...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/0838   using one-time-passwords

H04L 9/321   involving a third party or ...

H04L 9/3228   One-time or temporary data,...

SECURELY AND AUTOMATICALLY CONNECTING VIRTUAL MACHINES IN A PUBLIC CLOUD TO CORPORATE RESOURCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURELY AND AUTOMATICALLY CONNECTING VIRTUAL MACHINES IN A PUBLIC CLOUD TO CORPORATE RESOURCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links