Key Store Service

US 20180041336A1
Filed: 05/30/2017
Published: 02/08/2018
Est. Priority Date: 08/05/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide a key store microservice for a cloud based identity management system, the providing comprising:

receiving, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier;

determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and

when the key is determined to be present in the tenant-specific memory cache;

retrieving the key from the tenant-specific memory cache,retrieving a decryption key from a key wallet,decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet, andsending, over the network, the key to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key store microservice is provided for a cloud based identity management system. The key store microservice receives, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier, and determines whether the key is present in a tenant specific memory cache associated with the tenancy identifier. When the key is determined to be present in the tenant specific memory cache, the key store microservice retrieves the key from the tenant specific memory cache, retrieves a decryption key from a key wallet, decrypts the key retrieved from the tenant specific memory cache using the decryption key retrieved from the key wallet, and sends, over the network, the key to the client.

105 Citations

View as Search Results

20 Claims

1. A computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide a key store microservice for a cloud based identity management system, the providing comprising:
- receiving, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache,retrieving a decryption key from a key wallet,decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet, andsending, over the network, the key to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable medium of claim 1, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier.
  - 3. The computer-readable medium of claim 2, wherein:
    - determining whether the key is present includes searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on a unique key property.
  - 4. The computer-readable medium of claim 3, wherein the unique key property is a secure hash algorithm thumbprint or a unique alias.
  - 5. The computer-readable medium of claim 1, further comprising:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving the key from a tenant-specific database table associated with the tenancy identifier;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet;
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending, over the network, the key to the client.
  - 6. The computer-readable medium of claim 5, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier.
  - 7. The computer-readable medium of claim 6, wherein:
    - retrieving the key includes searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 8. The computer-readable medium of claim 7, wherein the tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.
  - 9. The computer-readable medium of claim 1, wherein the tenancy identifier is a customer tenancy type.
  - 10. The computer-readable medium of claim 1, wherein the key has a JavaScript Object Notation (JSON) web key format.

11. A method for providing a key store microservice for a cloud based identity management system, the method comprising:
- receiving, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache,retrieving a decryption key from a key wallet,decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet, andsending, over the network, the key to the client.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier, and searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on a unique key property including a secure hash algorithm thumbprint or a unique alias.
  - 13. The method of claim 12, further comprising:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving the key from a tenant-specific database table associated with the tenancy identifier;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet;
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending, over the network, the key to the client.
  - 14. The method of claim 13, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier, and searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 15. The method of claim 14, wherein the tenancy identifier is a customer tenancy type, and the tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.

16. A system comprising a server, coupled to a network, including a processor coupled to a memory storing instructions that, when executed by the processor, cause the processor to provide a key store microservice for a cloud based identity management system, the providing comprising:
- receiving, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache,retrieving a decryption key from a key wallet,decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet, andsending, over the network, the key to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier, and searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on a unique key property including a secure hash algorithm thumbprint or a unique alias.
  - 18. The system of claim 17, wherein the providing further comprises:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving the key from a tenant-specific database table associated with the tenancy identifier;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet;
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier; and
      
      sending, over the network, the key to the client.
  - 19. The system of claim 18, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier, and searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 20. The system of claim 19, wherein the tenancy identifier is a customer tenancy type, and the tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Keshava, Rakesh, Katti, Sreedhar, Vepa, Sirish, Sastry, Hari

Granted Patent

US 10,530,578 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1466   Key-lock mechanism

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

H04L 63/0281   Proxies

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3234   involving additional secure...

Key Store Service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

105 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key Store Service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links