Method and system for providing certificates holding authentication and authorization information for users/machines
First Claim
1. In a distributed system having computer resources and a facility for checking credentials information to authenticate principals and provide with authorization data, a method for authenticating and authorizing principals comprising the computer implemented steps of:
- providing a principal with a secure package holding credentials information for a client;
receiving a principal request to connect to the distributed system at a location in the distributed system that lacks credentials information about the principal to gain access to at least some of the computing resources;
accessing the credentials information held in the secure package to enable the facility for checking credentials information to determine whether the principal is authorized and authenticated to be connected to the distributed system without obtaining credentials information about the principal from a source other than the secure package;
where the principal is not authorized or not authenticated to connect to the distributed system, denying the principal request to be connected to the distributed system; and
where the principal is authorized and authenticated to connect to the distributed system, granting the principal request to be connected to the distributed system.
2 Assignments
0 Petitions
Accused Products
Abstract
Logon certificates are provided to support disconnected operation within the distributed system. Each logon certificate is a secure package holding credentials information sufficient to establish the identity and rights and privileges for a user/machine in a domain that is not their home domain. When a user/machine attempts to connect to the system at a domain other than the home domain of the user/machine, the user/machine presents a logon certificate that evidences his credentials. The domain where the user/machine attempts to connect to the system, decrypts and unseals the secure package as required to obtain the credentials information contained therein. If the user/machine has sufficient credentials, the user/machine is permitted to connect to the system. If the user/machine lacks sufficient credentials, the user/machine is not permitted to connect to the system.
-
Citations
16 Claims
-
1. In a distributed system having computer resources and a facility for checking credentials information to authenticate principals and provide with authorization data, a method for authenticating and authorizing principals comprising the computer implemented steps of:
-
providing a principal with a secure package holding credentials information for a client; receiving a principal request to connect to the distributed system at a location in the distributed system that lacks credentials information about the principal to gain access to at least some of the computing resources; accessing the credentials information held in the secure package to enable the facility for checking credentials information to determine whether the principal is authorized and authenticated to be connected to the distributed system without obtaining credentials information about the principal from a source other than the secure package; where the principal is not authorized or not authenticated to connect to the distributed system, denying the principal request to be connected to the distributed system; and where the principal is authorized and authenticated to connect to the distributed system, granting the principal request to be connected to the distributed system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. In a distributed system logically partitioned into domains, wherein each user has an associated home domain, a method of maintaining secure access to the distributed system, comprising the computer implemented steps of:
-
providing a user with a secure package holding credentials information for the user; receiving a user request to logon to the distributed system in a domain other than the associated home domain of the user, said domain lacking credentials information about the user; accessing the secure package to examine the credentials information for the user; and without obtaining credentials information about the user from another source, based on the credentials information for the user provided in the secure package, deciding whether to allow the user to logon or not. - View Dependent Claims (11, 12, 13, 14)
-
-
15. In a distributed system having a facility for checking credentials information, a method of authorizing connections to the distributed system, comprising the computer implemented steps of:
-
providing a portable computer with a secure package holding credentials information for the portable computer; requiring the portable computer to present the secure package when the portable computer wishes to connect to the distributed system at a location lacking credentials information about the portable computer to become part of the distributed system; examining the credentials information contained within the secure package by the facility for checking credentials information to determine whether the portable computer is authorized to connect to the distributed system, wherein the portable computer is authorized to connect to the distributed system, allowing the portable computer to connect to the distributed system; and wherein the portable computer is not authorized to correct to the distributed system, not allowing the portable computer to connect to the distributed system.
-
-
16. In a distributed system that is logically partitioned into domains and having a plurality of computers, wherein each computer in the distributed system has an associated home domain, a method of authorizing access to the distributed system, comprising the computer implemented steps of:
-
providing a secure package at the home domain of a selected computer to the selected computer, said secure package holding credentials information for the selected computer; receiving a request from the selected computer, to connect to the distributed system at a target domain other than the home domain of the selected computer said target domain lacking credentials information about the selected computer; and examining the credentials information contained in the secure package to determine whether the selected computer is authorized to be connected to the distributed system at the target domain to become part of the distributed system without obtaining credentials information about the selected computer from a source other than the secure package.
-
Specification