Authentication and access control in a management console program for managing services in a computer network

US 6,157,953 A
Filed: 07/28/1998
Issued: 12/05/2000
Est. Priority Date: 07/28/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of securing access to the administration of a plurality of distinct services residing on one or more service host computers from an administration server computer connected to the one or more service host computers, there being a service manager residing on the administration server computer, the method comprising:

providing a selected user identifier and a corresponding private keyword, the user identifier being arranged to identify a user having administrative access to at least one of the distinct services;

authenticating the user by comparing the selected user identifier and the corresponding private keyword against a plurality of user identifiers and private keywords stored in a persistent storage area, the comparing performed under control of the service manager;

deriving a list of services to which the user associated with the user identifier has administrative access;

when a request is made to administer a selected one of the services in the derived list of services, verifying at the service host computer associated with the selected service that the user associated with the selected user identifier is permitted to access the selected service by examining access control data associated with the selected user identifier in the persistent storage area; and

transferring one or more management files on the service host computer to the administration server thereby facilitating manipulation of the management files utilizing the service manager.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus of securing access to a service manager for the administration of services residing on multiple service host computers from an administration server computer is described. A user identifier, such as a user name, and a corresponding password are provided to the service manager. The user identifier is associated with a system administrator having administrative access to the services. The service manager authenticates the user by comparing the user identifier and password against a list of user identifiers and corresponding passwords stored in a persistent memory. A list of services to which the system administrator has administrative access is derived from the data in persistent memory. When the system administrator makes a request to administer one or more services from the list of services, the administrator'"'"'s access control is verified at the service host computers on which the requested services reside by examining access control data in the persistent memory. Management files are transferred from the service host computers to the administration server computer thereby facilitating manipulation of the management files utilizing the service manager.

Citations

15 Claims

1. A method of securing access to the administration of a plurality of distinct services residing on one or more service host computers from an administration server computer connected to the one or more service host computers, there being a service manager residing on the administration server computer, the method comprising:
- providing a selected user identifier and a corresponding private keyword, the user identifier being arranged to identify a user having administrative access to at least one of the distinct services;
  
  authenticating the user by comparing the selected user identifier and the corresponding private keyword against a plurality of user identifiers and private keywords stored in a persistent storage area, the comparing performed under control of the service manager;
  
  deriving a list of services to which the user associated with the user identifier has administrative access;
  
  when a request is made to administer a selected one of the services in the derived list of services, verifying at the service host computer associated with the selected service that the user associated with the selected user identifier is permitted to access the selected service by examining access control data associated with the selected user identifier in the persistent storage area; and
  
  transferring one or more management files on the service host computer to the administration server thereby facilitating manipulation of the management files utilizing the service manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1 wherein the administration server computer is connected to an administration client computer suitable for running a browser program and wherein the selected user identifier and the corresponding private keyword are provided over a communications connection between the administration client computer and the administration server computer, the communications connections among the administration server computer, the administration client computer and the one or more service host computers utilizing an Internet protocol.
  - 3. A method as recited in claim 1 wherein providing a selected user identifier and a corresponding private keyword further comprises logging on to the service manager through the administration client computer.
  - 4. A method as recited in claim 1 wherein authenticating the user further comprises utilizing a lightweight directory access protocol to communicate the user identifier and corresponding private keyword to the persistent storage area.
  - 5. A method as recited in claim 1 wherein each user identifier has a corresponding user profile that represents a global user identity corresponding to a particular service manager user.
  - 6. A method as recited in claim 1 wherein deriving a list of services further comprises searching the persistent storage area, the persistent storage area containing a user profile database including, for each user, a user access level, a list of allowable services, and a password.
  - 7. A method as recited in claim 1 wherein verifying at the service host computer that the user associated with the selected user identifier is permitted to access the selected service from the list of services further comprises communicating the selected user identifier and the corresponding private keyword to the host server computer using a common gateway interface.
  - 8. A method as recited in claim 1 wherein the service host computer contains an authentication and access control segment.
  - 9. A method as recited in claim 1 wherein the selected user identifier and the corresponding private keyword are automatically passed to the one or more service host computers for use in.
  - 10. A method as recited in claim 1 further comprising displaying the list of services in a user interface displayed on the administration client computer.
  - 11. A method as recited in claim 1 further comprising constructing a service locator by the management console program for locating a service on a host server computer.
  - 12. A method as recited in claim 1 wherein transferring one or more management files on the host server to the administration server further comprises initiating a common gateway interface on the administration server computer thereby enabling the transfer of one or more management files and a plurality of operating system commands.

13. A system for securing administration of services residing on one or more service host computers from an administration server computer, the administration server computer connected to an administration client having a browser-type program and to the one or more service host computers using an Internet protocol, the system comprising:
- a user profile data repository for storing data relating to user privileges, the data including, for each user, a user access level, a list of services, and a password;
  
  a service manager subcomponent of a communication interface residing on the administration server computer for accepting a user identifier and a corresponding keyword and passing the user identifier and the corresponding keyword to the user profile data repository;
  
  a component configuration directory suitable for residing on the one or more service hosts containing component configuration files for storing management modules associated with the plurality of services, the management modules containing management data utilized in administering the plurality of services;
  
  a service host subcomponent of the communication interface residing on the administration server computer for accepting the user identifier and the corresponding keyword and passing the user identifier and the corresponding keyword to the plurality of service host computers for verification by examining data relating to user privileges stored in the user profile data repository.

14. A system for securing access to the administration of a plurality of distinct services residing on one or more service host computers from an administration server computer connected to the one or more service host computers and to an administration client computer, there being a service manager residing on the administration server computer, the system comprising:
- a communication connection between the administration client computer and the administration server computer that can be used for providing a selected user identifier and a corresponding private keyword to the service manager, the user identifier being arranged to identify a user having administrative access to at least one of the services;
  
  an authenticator configured for authenticating the user by comparing the selected user identifier and the corresponding private keyword against a plurality of user identifiers and private keywords stored in a persistent storage area, the comparing performed under control of the service manager;
  
  an access control mechanism for deriving a list of services to which the user associated with the user identifier has administrative access;
  
  a service host verifier for verifying that the user associated with the selected user identifier is permitted to access a selected one of the services in the derived list of services, the verifier residing at the service host computer associated with the selected service and utilizing access control data associated with the selected user identifier in the persistent storage area; and
  
  a data transfer component for transferring one or more management files on the service host computer to the administration server computer thereby facilitating manipulation of the management files utilizing the service manager.

15. A computer readable medium configured to store computer programming instructions for securing access to the administration of a plurality of distinct services residing on one or more service host computers from an administration server computer connected to the one or more service host computers, there being a service manager residing on the administration server computer, the computer readable medium comprising:
- computer programming instructions for providing a selected user identifier and a corresponding private keyword, the user identifier being arranged to identify a user having administrative access to at least one of the distinct services;
  
  computer programming instructions for authenticating the user by comparing the selected user identifier and the corresponding private keyword against a plurality of user identifiers and private keywords stored in a persistent storage area, the comparing performed under control of the service manager;
  
  computer programming instructions for deriving a list of services to which the user associated with the user identifier has administrative access;
  
  when a request is made to administer a selected one of the services in the derived list of services, computer programming instructions for verifying at the service host computer associated with the selected service that the user associated with the selected user identifier is permitted to access the selected service by examining access control data associated with the selected user identifier in the persistent storage area; and
  
  computer programming instructions for transferring one or more management files on the service host computer to the administration server thereby facilitating manipulation of the management files utilizing the service manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Snyder, Alan, Large, Andrew R., Chang, April S.
Primary Examiner(s)
Harrell, Robert B.

Application Number

US09/124,181
Time in Patent Office

861 Days
Field of Search

709/223, 709/225, 707/103, 707/107
US Class Current

709/225
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 41/28   Restricting access to netwo...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 9/40   Network security protocols

Authentication and access control in a management console program for managing services in a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and access control in a management console program for managing services in a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links