Certificate based security in SNA data flows
1 Assignment
0 Petitions
Abstract
A method and system enabling a single client certificate to be used in SNA communications while ensuring that the certificate cannot be intercepted and reused, yet still allowing one certificate to serve multiple applications. This avoids the need for a connected trusted third party or a multiplicity of user id and password pairs.
111 Citations
5 Claims
1. A computer program for execution on a first computer system having a communications session established with one or more second computer systems, said computer program comprising the steps of:
- a first subprocess for identifying a token and a token signature for a computer user having a certificate;
- a second subprocess for identifying a certificate chain for said computer user;
- a third subprocess for creating a communications packet having at least said token, said token signature and said certificate chain;
- a fourth subprocess for sending said communications packet across said communications session from said first computer to said one or more second computer systems; and
- a fifth subprocess wherein said one or more second computer systems verify the authority of said user to access data on said one or more second computer systems using said communications packet, wherein said token comprises said computer user's certificate plus said session identifier for the session on which said packet will be transmitted.
2. A method for controlling access by a client to one or more host applications, said one or more host applications residing on one or more hosts, said method comprising the steps of:
- creating a token representing said client, said token comprising at least a client certificate and a session id;
- signing said token using a signer's private key;
- sending said token over a session with said one or more host applications, said session having a session id, wherein said one or more hosts receive said token, verify said signature on said token, and verify said session id within said token is the same as the session id for the session upon which the token was received, and rejecting the session if the session id was not for the session upon which the token was received.
Dependent claims: 3
4. In a computer system, an apparatus for controlling access by a client to one or more host applications, said one or more host applications residing on one or more hosts, said apparatus comprising:
- means for creating a token representing said client, said token comprising at least a client certificate and a session id;
- means for signing said token using a signer's private key;
- means for sending said token over a session with said one or more host applications, said session having a session id, wherein said one or more hosts receive said token, verify said signature on said token, and verify said session id within said token is the same as the session id for the session upon which the token was received, rejecting the session if the session id was not for the session upon which the token was received.
Dependent claims: 5
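The claims above describe a session-bound token: the client's certificate plus the session identifier, signed with the signer's private key, sent together with the certificate chain, and rejected by the host when the signature does not verify or the session id in the token is not the id of the session the packet arrived on. The Python below is an added illustration written for this page, not code from the patent or from any SNA product. It assumes a deliberately tiny textbook RSA key built from two fixed Mersenne primes (constructed and not secure), a constructed three-entry certificate chain of subject names standing in for real X.509 certificates, constructed session ids, and a hypothetical host-side function named `host_verify`.

```python
import copy
import hashlib
import json

# Constructed toy signing key: textbook RSA over two fixed Mersenne primes.
# Illustration only (tiny, structurally weak, no padding); a real deployment
# would use a proper key and signature scheme.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
SIGNER_N = _P * _Q                          # ~648-bit modulus, larger than a 256-bit digest
SIGNER_E = 65537
_SIGNER_D = pow(SIGNER_E, -1, (_P - 1) * (_Q - 1))
SIGNER_PUBLIC_KEY = (SIGNER_N, SIGNER_E)    # distributed to the hosts
SIGNER_PRIVATE_KEY = (SIGNER_N, _SIGNER_D)  # held only by the token signer

# Constructed certificate chain (subject names stand in for X.509 certs):
# leaf (the client), intermediate, trusted root.
TRUSTED_ROOT = "CN=Example Root CA"
SAMPLE_CHAIN = ["CN=alice,O=Example", "CN=Example Issuing CA", TRUSTED_ROOT]


def _digest(token: dict) -> int:
    """SHA-256 of the canonical JSON encoding of the token, as an integer."""
    canonical = json.dumps(token, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def sign_token(token: dict, private_key: tuple) -> int:
    """Signer side: RSA signature over the token digest."""
    n, d = private_key
    return pow(_digest(token), d, n)


def verify_signature(token: dict, signature: int, public_key: tuple) -> bool:
    """Host side: recover the digest from the signature and compare (digest < n)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(token)


def build_packet(client_cert: str, cert_chain: list, session_id: str, private_key: tuple) -> dict:
    """Client side: token = certificate + session id, sent with signature and chain."""
    token = {"cert": client_cert, "session_id": session_id}
    return {
        "token": token,
        "signature": sign_token(token, private_key),
        "cert_chain": list(cert_chain),
    }


def host_verify(packet: dict, receiving_session_id: str, public_key: tuple, trusted_roots: set) -> tuple:
    """Host side (hypothetical name): accept only a validly signed token whose
    session id equals the id of the session the packet actually arrived on."""
    token = packet.get("token", {})
    chain = packet.get("cert_chain", [])
    if not chain or chain[0] != token.get("cert"):
        return False, "chain does not start with the token's certificate"
    if chain[-1] not in trusted_roots:
        return False, "chain does not end in a trusted root"
    if not verify_signature(token, packet.get("signature", 0), public_key):
        return False, "token signature invalid"
    if token.get("session_id") != receiving_session_id:
        # Valid signature but wrong session: a captured packet presented elsewhere.
        return False, "session id in token does not match receiving session"
    return True, "access granted to " + token["cert"]


def demo() -> tuple:
    """Legitimate use, the same packet on another session, and a tampered token."""
    hosts_trust = {TRUSTED_ROOT}
    packet = build_packet(SAMPLE_CHAIN[0], SAMPLE_CHAIN, "SESSION-0001", SIGNER_PRIVATE_KEY)
    legit = host_verify(packet, "SESSION-0001", SIGNER_PUBLIC_KEY, hosts_trust)
    replay = host_verify(packet, "SESSION-0002", SIGNER_PUBLIC_KEY, hosts_trust)
    tampered = copy.deepcopy(packet)
    tampered["token"]["session_id"] = "SESSION-0002"   # changes the digest, signature no longer verifies
    forged = host_verify(tampered, "SESSION-0002", SIGNER_PUBLIC_KEY, hosts_trust)
    return legit[0], replay[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check order mirrors the claims: the host first verifies the signature, then compares the session id inside the token with the id of the session it was received on. Because the session id is covered by the signature, a packet captured on one session is useless on another, and altering the id to match the new session invalidates the signature; the single certificate stays reusable across applications without any of them needing to contact a third party at verification time.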