Extending SSL to a multi-tier environment using delegation of authentication and authority
Abstract
A method, system, and computer-readable code for delegating authority and authentication from a client to a server in order that the server can establish a secure connection (using SSL or an analogous security protocol) to a back-end application on behalf of the client. This enables the true client's identity to be known to the application on the end-tier server. The proposed solution provides several alternative techniques, whereby the client establishes a secure session with a middle-tier server (MTS), and then delegates authority and authentication to the MTS in order that the MTS can establish a second SSL session to the end-tier server (ETS) on behalf of this client.
327 Citations
30 Claims
1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for delegating authority and authentication from a client to a middle-tier server (MTS), comprising:
a client application and a client security implementation operating at said client;
an MTS application and an MTS security implementation operating at said MTS;
an end-tier application and an end-tier security implementation operating at an end-tier server (ETS);
a first subprocess for establishing a first secure session between said client security implementation and said MTS security implementation; and
a second subprocess for establishing a second secure session between said MTS security implementation and said end-tier security implementation, wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
2. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate for said client; and
a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
3. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate and a certificate hierarchy for said client; and
a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded certificate hierarchy, wherein said extracted subject identity is said identity of said client application.
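The delegate-certificate variant of claims 2 and 3, worked through as an added example in Go using only the standard library (this is not code from the patent or its assignee): the client answers the MTS's request by issuing a short-lived X.509 certificate that names the client itself as subject and is signed with the client's own key; the MTS forwards it together with the client certificate (and, as in claim 3, the certificate hierarchy); the end-tier verifies the chain against its own trusted roots, insists that the chain runs through the forwarded client certificate, and extracts the subject identity. The names, lifetimes, the single-root hierarchy, the choice to put the MTS's public key in the delegate certificate, and the forged delegation used to show rejection are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Delegation is what the MTS forwards to the ETS: the client-created delegate
// certificate, the client's own certificate and (claim 3) the client's hierarchy.
type Delegation struct {
	Delegate   *x509.Certificate
	ClientCert *x509.Certificate
	Hierarchy  []*x509.Certificate
}

// newCert issues a certificate for pub with the given subject, signed by signer
// under parent; parent == nil makes it self-signed. Example helper only.
func newCert(subject string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate,
	signer *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func genKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// buildScenario plays the CA, client and MTS roles (all constructed). The
// delegate certificate carries the client's name as subject and the MTS's key
// (assumption) and is signed by the client, so only the client can mint one.
// It also returns a forged delegation in which the MTS signed the "delegate"
// itself under a self-signed certificate, which the ETS must reject.
func buildScenario() (good, forged Delegation, roots *x509.CertPool, err error) {
	caKey, err := genKey()
	if err != nil {
		return
	}
	caCert, err := newCert("Example Root CA (constructed)", true, &caKey.PublicKey, nil, caKey, 24*time.Hour)
	if err != nil {
		return
	}
	clientKey, err := genKey()
	if err != nil {
		return
	}
	clientCert, err := newCert("client-app@example.test", true, &clientKey.PublicKey, caCert, caKey, 24*time.Hour)
	if err != nil {
		return
	}
	mtsKey, err := genKey()
	if err != nil {
		return
	}
	delegate, err := newCert(clientCert.Subject.CommonName, false, &mtsKey.PublicKey, clientCert, clientKey, 5*time.Minute)
	if err != nil {
		return
	}
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	good = Delegation{Delegate: delegate, ClientCert: clientCert, Hierarchy: []*x509.Certificate{caCert}}

	mtsSelf, err := newCert("client-app@example.test", true, &mtsKey.PublicKey, nil, mtsKey, time.Hour)
	if err != nil {
		return
	}
	fake, err := newCert("client-app@example.test", false, &mtsKey.PublicKey, mtsSelf, mtsKey, 5*time.Minute)
	if err != nil {
		return
	}
	forged = Delegation{Delegate: fake, ClientCert: mtsSelf}
	return good, forged, roots, nil
}

// verifyDelegation is the end-tier side: chain validation against the ETS's own
// roots, a check that the issuer really is the forwarded client certificate, and
// extraction of the subject identity, which the claims define as the client's.
func verifyDelegation(d Delegation, roots *x509.CertPool) (string, error) {
	inter := x509.NewCertPool()
	inter.AddCert(d.ClientCert)
	for _, c := range d.Hierarchy {
		inter.AddCert(c)
	}
	chains, err := d.Delegate.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("delegate certificate rejected: %w", err)
	}
	if len(chains[0]) < 2 || !chains[0][1].Equal(d.ClientCert) {
		return "", fmt.Errorf("delegate certificate was not issued by the client")
	}
	id := d.Delegate.Subject.CommonName
	if id != d.ClientCert.Subject.CommonName {
		return "", fmt.Errorf("delegate subject %q differs from client %q", id, d.ClientCert.Subject.CommonName)
	}
	return id, nil
}

func main() {
	good, forged, roots, err := buildScenario()
	if err != nil {
		panic(err)
	}
	id, err := verifyDelegation(good, roots)
	fmt.Println("accepted delegate, client identity:", id, "err:", err)
	_, err = verifyDelegation(forged, roots)
	fmt.Println("forged delegate rejected:", err)
}
```

The check on `chains[0][1]` is the one the claim text implies but does not spell out: a delegate certificate must chain through the client, not merely through any certificate the ETS's roots happen to trust, or an MTS holding its own CA-issued certificate could present a delegate for any name it likes.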
4. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for requesting a signed delegate document from said client security implementation;
a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
5. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for requesting a signed delegate document from said client security implementation;
a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said delegate document sent from said client security implementation;
a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
a subprocess in said client security implementation, responsive to said further certificate request from said MTS security implementation, for creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
a subprocess in said end-tier security implementation for extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
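The signed-delegate-document variant of claims 4 and 5, as an added Go example (standard library only; not code from the patent or its assignee). The client signs a document that names its own identity and, in the claim 5 step, the identification of the end-tier application taken from the MTS's further certificate request; the MTS forwards the bytes unchanged; the ETS checks the signature and lifetime and then verifies that the identification in the document is its own before accepting the subject identity. The JSON layout, the short lifetime, the identifiers, and the assumption that the ETS already holds the client's public key (the claims only say the MTS forwards its own certificate) are all choices of this example, not of the patent.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// DelegateDocument is the client-signed statement the MTS forwards. The field
// layout is an assumption; the claims only require the client's identity and,
// for claim 5, the identification of the end-tier application it was issued for.
type DelegateDocument struct {
	Subject   string    `json:"subject"`   // identity of the client application
	Target    string    `json:"target"`    // identification of the end-tier application
	NotAfter  time.Time `json:"not_after"` // constructed: bounds how long the document is usable
	Signature []byte    `json:"signature"` // client's ECDSA signature over the other fields
}

// signedPayload is the canonical byte string the signature covers.
func (d DelegateDocument) signedPayload() ([]byte, error) {
	d.Signature = nil
	return json.Marshal(d)
}

// clientSign is the client security implementation's answer to the further
// certificate request: a document bound to the named ETS, signed by the client.
func clientSign(key *ecdsa.PrivateKey, subject, target string, ttl time.Duration) ([]byte, error) {
	doc := DelegateDocument{Subject: subject, Target: target,
		NotAfter: time.Now().Add(ttl).UTC().Truncate(time.Second)}
	payload, err := doc.signedPayload()
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	doc.Signature, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return json.Marshal(doc) // the bytes the MTS forwards unchanged
}

// etsVerify is the end-tier side. It assumes the ETS already holds the client's
// public key. Signature, lifetime, and the claim 5 check that the document was
// issued for this ETS all pass before the subject identity is returned.
func etsVerify(forwarded []byte, clientPub *ecdsa.PublicKey, myID string, now time.Time) (string, error) {
	var doc DelegateDocument
	if err := json.Unmarshal(forwarded, &doc); err != nil {
		return "", err
	}
	payload, err := doc.signedPayload()
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(clientPub, digest[:], doc.Signature) {
		return "", errors.New("delegate document: bad signature")
	}
	if now.After(doc.NotAfter) {
		return "", errors.New("delegate document: expired")
	}
	if doc.Target != myID {
		return "", fmt.Errorf("delegate document issued for %q, not for this ETS %q", doc.Target, myID)
	}
	return doc.Subject, nil
}

// scenario issues one document for one ETS and reports the three outcomes:
// accepted by that ETS, rejected by a different ETS, and rejected when the
// forwarded bytes are altered to name the other ETS (all values constructed).
func scenario() (id string, wrongETS, tampered error, err error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	forwarded, err := clientSign(clientKey, "client-app@example.test", "ets-orders.example.test", 5*time.Minute)
	if err != nil {
		return
	}
	now := time.Now()
	id, err = etsVerify(forwarded, &clientKey.PublicKey, "ets-orders.example.test", now)
	if err != nil {
		return
	}
	_, wrongETS = etsVerify(forwarded, &clientKey.PublicKey, "ets-billing.example.test", now)
	altered := bytes.Replace(forwarded, []byte("ets-orders"), []byte("ets-billing"), 1)
	_, tampered = etsVerify(altered, &clientKey.PublicKey, "ets-billing.example.test", now)
	return id, wrongETS, tampered, nil
}

func main() {
	id, wrongETS, tampered, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted by intended ETS, client identity:", id)
	fmt.Println("rejected by another ETS:", wrongETS)
	fmt.Println("rejected after alteration:", tampered)
}
```

The target check is what separates claim 5 from claim 4: without it, a document the client signed for one back-end could be presented by the MTS to every other back-end that trusts the client's key, which is exactly the over-broad delegation the identification is there to prevent.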
6. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
a subprocess in said MTS security implementation for receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
a subprocess in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, for creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
a subprocess in said MTS security implementation for receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
a subprocess in said end-tier security implementation for extracting said identity of said client application from said forwarded certificate for said client.
7. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
a subprocess in said MTS security implementation, responsive to receiving said certificate request, for extracting a name of said client application from a client certificate received during said first subprocess;
a subprocess in said MTS security implementation for creating a temporary public key, private key pair for representing said client application;
a subprocess in said MTS security implementation for creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
a subprocess in said MTS security implementation for forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
8. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 7, wherein said second subprocess further comprises a subprocess in said MTS security implementation for storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
9. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
10. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.
11. A system for delegating authority and authentication from a client to a middle-tier server (MTS) in a computing environment having a connection to a network, comprising:
a client application and a client security implementation operating at said client;
an MTS application and an MTS security implementation operating at said MTS;
an end-tier application and an end-tier security implementation operating at an end-tier server (ETS);
first means for establishing a first secure session between said client security implementation and said MTS security implementation; and
second means for establishing a second secure session between said MTS security implementation and said end-tier security implementation wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
12. The system for delegating authority and authentication from a client to an MTS according to claim 10, wherein said second means further comprises:
means in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
means in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
means in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate for said client; and
means in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
13. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
means in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
means in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
means in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate and a certificate hierarchy for said client; and
means in said end-tier security implementation for extracting a subject identity from said forwarded certificate hierarchy, wherein said extracted subject identity is said identity of said client application.
14. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
means in said MTS security implementation for requesting a signed delegate document from said client security implementation;
means in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
means in said MTS security implementation for receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
means in said end-tier security implementation for extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
15. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
means in said MTS security implementation for requesting a signed delegate document from said client security implementation;
means in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
means in said MTS security implementation for receiving said delegate document sent from said client security implementation;
means in said MTS security implementation for receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
means in said client security implementation, responsive to said further certificate request from said MTS security implementation, for creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
means in said MTS security implementation for receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
means in said end-tier security implementation for extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
16. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
means in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
means in said MTS security implementation for receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
means in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, for creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
means in said MTS security implementation for receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
means in said end-tier security implementation for extracting said identity of said client application from said forwarded certificate for said client.
17. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
means in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
means in said MTS security implementation, responsive to receiving said certificate request, for extracting a name of said client application from a client certificate received during said first subprocess;
means in said MTS security implementation for creating a temporary public key, private key pair for representing said client application;
means in said MTS security implementation for creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
means in said MTS security implementation for forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
means in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
18. The system for delegating authority and authentication from a client to an MTS according to claim 17, wherein said second means further comprises means in said MTS security implementation for storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
19. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
20. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.
21. A method for delegating authority and authentication from a client to a middle-tier server (MTS) in a computing environment having a connection to a network, comprising the steps of:
a first step of establishing a first secure session between a client security implementation operating at said client, said client also having a client application operating therein, and an MTS security implementation operating at said MTS, said MTS also having an MTS application operating therein; and
a second step of establishing a second secure session between said MTS security implementation and an end-tier security implementation operating at an end-tier server (ETS), said ETS also having an ETS application operating therein, wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
22. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, requesting an X.509 delegate certificate from said client security implementation;
in said client security implementation, responsive to said request from said MTS security implementation, creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
in said MTS security implementation, receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate for said client; and
in said end-tier security implementation, extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
23. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, requesting an X.509 delegate certificate from said client security implementation;
in said client security implementation, responsive to said request from said MTS security implementation, creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
in said MTS security implementation, receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate and a certificate hierarchy for said client; and
in said end-tier security implementation, extracting a subject identity from said forwarded certificate hierarchy, wherein said extracted subject identity is said identity of said client application.
24. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, requesting a signed delegate document from said client security implementation;
in said client security implementation, responsive to said request from said MTS security implementation, creating said signed delegate document and sending said created delegate document to said MTS security implementation;
in said MTS security implementation, receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
in said end-tier security implementation, extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
25. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, requesting a signed delegate document from said client security implementation;
in said client security implementation, responsive to said request from said MTS security implementation, creating said signed delegate document and sending said created delegate document to said MTS security implementation;
in said MTS security implementation, receiving said delegate document sent from said client security implementation;
in said MTS security implementation, receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
in said client security implementation, responsive to said further certificate request from said MTS security implementation, creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
in said MTS security implementation, receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
in said end-tier security implementation, extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
26. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, receiving a certificate request from said end-tier security implementation;
in said MTS security implementation, receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
in said MTS security implementation, receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
in said end-tier security implementation, extracting said identity of said client application from said forwarded certificate for said client.
27. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
in said MTS security implementation, receiving a certificate request from said end-tier security implementation;
in said MTS security implementation, responsive to receiving said certificate request, extracting a name of said client application from a client certificate received during said first subprocess;
in said MTS security implementation, creating a temporary public key, private key pair for representing said client application;
in said MTS security implementation, creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
in said MTS security implementation, forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
in said end-tier security implementation, extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
28. The method for delegating authority and authentication from a client to an MTS according to claim 27, wherein said second step further comprises the step of, in said MTS security implementation, storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
29. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
30. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.
Specification