Provision of secure access to external resources from a distributed computing environment
First Claim
1. In a distributed computing environment having a security server that includes an attribute registry containing data concerning client identities and attributes and client privileges in relation to resources within the distributed computing environment, the security server issuing a ticket on demand to a client within the distributed computing environment requiring service by an application server within the distributed computing environment, the ticket including a privilege attribute certificate containing encoded data which, on presentation to said application server, is decoded by said application server to provide information as to the client's identity and privilege attributes within the distributed computing environment, said distributed computing environment further comprising:
- a gateway server within the distributed computing environment for providing access for clients within the distributed computing environment to a resource external to the distributed computing environment, the external resource having security requirements incompatible with those of the distributed computing environment;
- an extended registry within the security server, the extended registry containing additional information as to client identities and privilege attributes with respect to said external resource, together with data as to the structure in which said external resource requires the additional information;
- said security server automatically including said additional information as further encoded data in a ticket requested by a client for the gateway server; and
- means within said gateway server for recognizing said further encoded data in said ticket, and for decoding said further encoded data and placing the additional information in a structure required for access to the external resource.
Abstract
In a distributed computing environment, in which a client needing to access a server is issued, by a security server, with a ticket including an encoded certificate identifying, when decoded, the identity and privilege attributes of the client in a format understood by a server within the environment, access to a resource external to the environment through such a server within the environment is provided, when a request involving such access is received by the security server, by issuing an extended certificate including additional data which can be decoded to provide information decoded as to the identity and privilege attributes of the client with respect to and in a format acceptable to the external server, the additional data being recognized and decodable and formatable by that server within the environment which provides access to the external server, but transmitted within the environment in a format compatible with the certificates in regular tickets. A security server issuing a ticket including such an extended privilege attribute certificate has a registry extended to include data as to a client's privilege attributes with respect to accessible external servers, together with data as to the structure in which such data is to be presented, and an application server required to handle such extended certificates has attribute handlers to structure the decoded data for presentation to the external server.
4 Claims
1. Independent claim 1 is reproduced in full above under First Claim; dependent claims 2 and 3, which depend from claim 1, are not reproduced on this page.
4. A programming extension to a distributed computing environment in which a security server issues tickets to clients wishing to access servers, the tickets including privilege attribute certificates containing encoded information as to a client's identity and privilege attributes, and in which a gateway server provides access to a resource external to the environment, the external resource having security requirements incompatible with those of the computing environment, the programming extension comprising:
- means for reconfiguring the security server to issue a ticket in which the privilege attribute certificate is automatically extended to include within its structure additional encoded data from a database within the security server whenever the ticket is for the gateway server, the additional encoded data providing an identity for the client requesting the ticket and that client's privilege attributes with respect to the external resource; and
- means for reconfiguring a security module of the gateway server to recognize such extended privilege attribute certificate, to decode therefrom the additional data, and to structure the additional data for presentation to the external resource.
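The flow described in the abstract and in claims 1 and 4, as an added illustration that is not code from the patent or from any product: the security server extends the privilege attribute certificate only for tickets addressed to the gateway server, an ordinary application server decodes the same ticket format and simply ignores the extension, and the gateway's attribute handler places the decoded extra data in the field order and separator the external resource requires. All names, the registry contents, the external resource "MAINFRAME" and the HMAC-tagged JSON ticket encoding are constructed assumptions.

```python
# Added toy model of the extended-PAC flow; all names and registry data are constructed.
import hashlib, hmac, json

KEY = b"constructed-shared-ticket-key"  # stands in for the DCE ticket key

# Attribute registry (DCE identity/privileges) and extended registry: per
# (client, external resource) the extra attributes plus the structure required.
REGISTRY = {"alice": {"groups": ["dce-users", "ops"]}}
EXT_REGISTRY = {("alice", "MAINFRAME"): {
    "attrs": {"userid": "ALICE01", "acct": "OPS"},
    "structure": {"fields": ["userid", "acct"], "sep": "/"}}}

class SecurityServer:
    def __init__(self, registry, extended, gateway_name):
        self.registry, self.extended, self.gateway = registry, extended, gateway_name

    def issue_ticket(self, client, target):
        pac = {"client": client, **self.registry[client]}
        if target == self.gateway:  # extension added automatically, gateway tickets only
            pac["ext"] = [{"resource": r, **e} for (c, r), e in self.extended.items() if c == client]
        body = json.dumps({"target": target, "pac": pac}, sort_keys=True).encode()
        tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag  # same encoding with or without 'ext'

def decode_ticket(ticket, server_name):
    """Check integrity and that the ticket targets this server; return the PAC."""
    body, tag = ticket.rsplit(b"|", 1)
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).hexdigest().encode(), tag):
        raise ValueError("ticket integrity check failed")
    t = json.loads(body)
    if t["target"] != server_name:
        raise ValueError("ticket was issued for another server")
    return t["pac"]

class ApplicationServer:
    """Ordinary server in the environment: uses identity/privileges, ignores 'ext'."""
    def __init__(self, name):
        self.name = name
    def authorize(self, ticket):
        pac = decode_ticket(ticket, self.name)
        return {"client": pac["client"], "groups": pac["groups"]}

class GatewayServer(ApplicationServer):
    """Gateway: attribute handler puts decoded 'ext' data in the structure the resource needs."""
    def external_credentials(self, ticket):
        creds = {}
        for ext in decode_ticket(ticket, self.name).get("ext", []):
            s = ext["structure"]
            creds[ext["resource"]] = s["sep"].join(ext["attrs"][f] for f in s["fields"])
        return creds
```

A ticket for a non-gateway server never carries the extension, and a ticket whose body has been altered or that was issued for a different server is rejected before any attribute handler runs.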
Specification