MANAGING SECURITY CERTIFICATES OF STORAGE DEVICES

US 20140013105A1
Filed: 07/03/2012
Published: 01/09/2014
Est. Priority Date: 07/03/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing security certificates in a data processing environment, the method comprising:

identifying, by a computer, a security certificate associated with a management interface of a device in the data processing environment;

determining, by the computer, whether the security certificate was issued by a certificate authority that is trusted;

responsive to determining that the security certificate was not issued by the certificate authority that is trusted, identifying, by the computer, the security certificate as invalid;

subsequent to identifying the security certificate as invalid based on the determination that the security certificate was not issued by the certificate authority that is trusted, determining, by the computer, if a service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment; and

responsive to determining that the service with the feature for sending information about critical events associated with the data processing environment exists in the data processing environment, generating, by the computer, a certificate-signing request for the management interface of the device and sending the certificate-signing request via the feature in the service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and data processing system for managing security certificates in a data processing environment is disclosed. A computer identifies a security certificate associated with a management interface of a device in the data processing environment. The computer determines whether the security certificate was issued by a certificate authority that is trusted. In response to determining that the security certificate was not issued by the certificate authority, the computer identifies the security certificate as invalid. Subsequent to identifying the security certificate as invalid, the computer determines if a service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment. Responsive to determining that the service with the feature exists in the data processing environment, the computer generates a certificate-signing request for the management interface of the device and sends the certificate-signing request via the feature in the service.

Citations

20 Claims

1. A method for managing security certificates in a data processing environment, the method comprising:
- identifying, by a computer, a security certificate associated with a management interface of a device in the data processing environment;
  
  determining, by the computer, whether the security certificate was issued by a certificate authority that is trusted;
  
  responsive to determining that the security certificate was not issued by the certificate authority that is trusted, identifying, by the computer, the security certificate as invalid;
  
  subsequent to identifying the security certificate as invalid based on the determination that the security certificate was not issued by the certificate authority that is trusted, determining, by the computer, if a service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment; and
  
  responsive to determining that the service with the feature for sending information about critical events associated with the data processing environment exists in the data processing environment, generating, by the computer, a certificate-signing request for the management interface of the device and sending the certificate-signing request via the feature in the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - subsequent to sending the request for certificate-signing, receiving, by the computer, a response to the request comprising a signed certificate from the certificate authority.
  - 3. The method of claim 2 wherein the security certificate associated with the management interface of the device is associated with the device by a configuration of the management interface of the device in the data processing environment, and further comprising:
    - responsive to receiving the certificate signed by the certificate authority, modifying, by the computer, the configuration of the management interface of the device to use the certificate signed by the certificate authority instead of the security certificate that was not issued by the certificate authority that is trusted.
  - 4. The method of claim 3 wherein modifying the configuration of the management interface of the device to use the certificate signed by the certificate authority is further responsive to receiving, by the computer, a notification that a user has selected a link provided in the received response, and wherein modifying, by the computer, the configuration of the management interface of the device to use the certificate signed by the certificate authority further comprises:
    - executing, by the computer, a sequence of program instructions which replace the security certificate of the device in the configuration of the management interface of the device with the certificate signed by the certificate authority.
  - 5. The method of claim 1, wherein sending, by the computer, the request for certificate-signing is further responsive to receiving, by the computer, a notification that a user has requested generation of a security certificate signed by the certificate authority that is trusted.
  - 6. The method of claim 1, wherein the security certificate includes a domain name of a network of the data processing environment and the generated certificate-signing request for the management interface of the device includes the domain name of the network in the data processing system.
  - 7. The method of claim 6, wherein the domain name of the network of the data processing environment is determined, by the computer, from one of an internet protocol address of the network and an identification of the domain name by the user.
  - 8. The method of claim 1, wherein the service in the data processing environment that includes the feature for sending, by the computer, information about critical events associated with the data processing environment is provided by a customer support program module that includes a pre-configured set of information about the data processing environment at least comprising a domain name of the data processing environment, a destination where requests are sent, a selection of a protocol to use when sending requests, a name identifying a legal entity that owns the data processing environment, a physical address of the location where the data processing environment is located, and contact information for an administrator of the data processing environment.
  - 9. The method of claim 8, wherein the generated certificate-signing request for the management interface of the device further includes, the name identifying the legal entity that owns the data processing environment, the physical address of the location where the data processing environment is located, and the contact information for the administrator of the data processing environment.
  - 10. The method of claim 1, wherein the security certificate is generated and signed by another service associated with installation of the management interface of the device in the data processing environment, wherein the another service is not the certificate authority that is trusted.
  - 11. The method of claim 1, wherein determining, by the computer, if the security certificate was issued by the certificate authority that is trusted further comprises:
    - parsing, by the computer, the security certificate to identify a signer of the security certificate; and
      
      comparing, by the computer, the signer of the security certificate to the certificate authority that is trusted.
  - 12. The method of claim 1, wherein the feature in the service for sending, by the computer, information about critical events associated with the data processing environment is further configured to send and receive information through a network firewall of the network of the data processing environment using a protocol configured to pass the information through the network firewall.
  - 13. The method of claim 1, wherein the device is a storage device.
  - 14. The method of claim 1, wherein the security certificate is a secure socks layer certificate.

15. A data processing system for managing security certificates in a data processing environment, the data processing system comprising:
- a processor unit, a memory, and a computer readable storage device;
  
  first program code to identify a security certificate associated with a management interface of a device in the data processing environment;
  
  second program code to determine if the security certificate was issued by a certificate authority that is trusted;
  
  third program code to identify the security certificate as invalid responsive to determining that the security certificate was not issued by the certificate authority that is trusted;
  
  fourth program code to determine if a second service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment subsequent to the third program code identifying the security certificate as invalid based on the determination that the security certificate was not issued by the certificate authority that is trusted; and
  
  fifth program code to generate a certificate-signing request for the management interface of the device and send the certificate-signing request via the feature in the second service responsive to a determination that the second service with the feature for sending information about critical events associated with the data processing environment exists in the data processing environment, wherein the first program code, the second program code, the third program code, the fourth program code, and fifth program code are stored in the computer readable storage device for execution by the processor unit via the memory.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The data processing system of claim 15, further comprising:
    - sixth program code to receive a response to the request comprising a signed certificate from the certificate authority, wherein the sixth program code is stored in the computer readable storage device for execution by the processor unit via the memory.
  - 17. The data processing system of claim 16 wherein the security certificate associated with the management interface of the device is associated with the device by a configuration of the management interface of the device in the data processing environment, and further comprising:
    - seventh program code to modify the configuration of the management interface of the device to use the certificate signed by the certificate authority instead of the security certificate that was not issued by the certificate authority that is trusted in response to receiving the certificate signed by the certificate authority, wherein the seventh program code is stored in the computer readable storage device for execution by the processor unit via the memory.
  - 18. The data processing system of claim 17, wherein the seventh program code to modify the configuration of the management interface of the device to use the certificate signed by the certificate authority is further responsive to receiving a notification that a user has selected a link provided in the received response, and wherein the seventh program code to modify the configuration of the management interface of the device to use the certificate signed by the certificate authority further comprises:
    - program code to execute a sequence of program instructions which replace the security certificate of the device in the configuration of the management interface of the device with the certificate signed by the certificate authority.
  - 19. The data processing system of claim 15, wherein the device is a storage device, the security certificate is a secure socks layer certificate, the service in the data processing environment that includes the feature for sending information about critical events associated with the data processing environment is provided by a customer support program module that includes a pre-configured set of information about the data processing environment at least comprising a domain name of the data processing environment, a destination where requests are sent, a selection of a protocol to use when sending requests, a name identifying a legal entity that owns the data processing environment, a physical address of the location where the data processing environment is located, and contact information for an administrator of the data processing environment, and the generated certificate-signing request for the management interface of the device further includes, the name identifying the legal entity that owns the data processing environment, the physical address of the location where the data processing environment is located, and the contact information for the administrator of the data processing environment.

20. A computer program product for monitoring changes to a block of data, the computer program product comprising:
- a computer readable storage device;
  
  program code, stored on the computer readable storage device, for identifying a security certificate associated with a management interface of a device in the data processing environment;
  
  program code, stored on the computer readable storage device, for determining if the security certificate was issued by a certificate authority that is trusted;
  
  program code, stored on the computer readable storage device, responsive to determining that the security certificate was not issued by the certificate authority that is trusted, for identifying the security certificate as invalid;
  
  program code, stored on the computer readable storage device, for determining if a second service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment subsequent to identifying the security certificate as invalid based on the determination that the security certificate was not issued by the certificate authority that is trusted; and
  
  program code, stored on the computer readable storage device, responsive to a determination that the second service with the feature for sending information about critical events associated with the data processing environment exists in the data processing environment, for generating a certificate-signing request for the management interface of the device and sending the certificate-signing request via the feature in the second service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Niemeyer, Terry W.

Granted Patent

US 8,966,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/33   using certificates

G06F 21/44   Program or device authentic...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

H04L 9/3268   using certificate validatio...

MANAGING SECURITY CERTIFICATES OF STORAGE DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING SECURITY CERTIFICATES OF STORAGE DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links