Extending SSL to a multi-tier environment using delegation of authentication and authority

US 6,367,009 B1
Filed: 12/17/1998
Issued: 04/02/2002
Est. Priority Date: 12/17/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for delegating authority and authentication from a client to a middle-tier server (MTS), comprising:

a client application and a client security implementation operating at said client;

an MTS application and an MTS security implementation operating at said MTS;

an end-tier application and an end-tier security implementation operating at an end-tier server (ETS);

a first subprocess for establishing a first secure session between said client security implementation and said MTS security implementation; and

a second subprocess for establishing a second secure session between said MTS security implementation and said end-tier security implementation, wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer-readable code for delegating authority and authentication from a client to a server in order that the server can establish a secure connection (using SSL or an analogous security protocol) to a back-end application on behalf of the client. This enables the true client'"'"'s identity to be known to the application on the end-tier server. The proposed solution provides several alternative techniques, whereby the client establishes a secure session with a middle-tier server (MTS), and then delegates authority and authentication to the MTS in order that the MTS can establish a second SSL session to the ETS on behalf of this client.

327 Citations

30 Claims

1. In a computing environment having a connection to a network, computer readable code readable by a computer system in said environment, for delegating authority and authentication from a client to a middle-tier server (MTS), comprising:
- a client application and a client security implementation operating at said client;
  
  an MTS application and an MTS security implementation operating at said MTS;
  
  an end-tier application and an end-tier security implementation operating at an end-tier server (ETS);
  
  a first subprocess for establishing a first secure session between said client security implementation and said MTS security implementation; and
  
  a second subprocess for establishing a second secure session between said MTS security implementation and said end-tier security implementation, wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12)
- - 2. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
3. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
- a subprocess in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
  
  a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
  
  a subprocess in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate and a certificate hierarchy for said client; and
  
  a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded certificate hierarchy, wherein said extracted subject identity is said identity of said client application.
4. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
- a subprocess in said MTS security implementation for requesting a signed delegate document from said client security implementation;
  
  a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  a subprocess in said MTS security implementation for receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
5. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
- a subprocess in said MTS security implementation for requesting a signed delegate document from said client security implementation;
  
  a subprocess in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  a subprocess in said MTS security implementation for receiving said delegate document sent from said client security implementation;
  
  a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
  
  a subprocess in said client security implementation, responsive to said further certificate request from said MTS security implementation, for creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
  
  a subprocess in said MTS security implementation for receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  a subprocess in said end-tier security implementation for extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
6. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
- a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
  
  a subprocess in said MTS security implementation for receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
  
  a subprocess in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, for creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
  
  a subprocess in said MTS security implementation for receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
  
  a subprocess in said end-tier security implementation for extracting said identity of said client application from said forwarded certificate for said client.
7. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said second subprocess further comprises:
- a subprocess in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
  
  a subprocess in said MTS security implementation, responsive to receiving said certificate request, for extracting a name of said client application from a client certificate receiving during said first subprocess;
  
  a subprocess in said MTS security implementation for creating a temporary public key, private key pair for representing said client application;
  
  a subprocess in said MTS security implementation for creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
  
  a subprocess in said MTS security implementation for forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
  
  a subprocess in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
8. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 7, wherein said second subprocess further comprises a subprocess in said MTS security implementation for storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
9. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
10. Computer readable code for delegating authority and authentication from a client to an MTS according to claim 1, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.
12. The system for delegating authority and authentication from a client to an MTS according to claim 10, wherein said second means further comprises:
- means in said MTS security implementation for requesting an X.509 delegate certificate from said client security implementation;
  
  means in said client security implementation, responsive to said request from said MTS security implementation, for creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
  
  means in said MTS security implementation for receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate for said client; and
  
  means in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.

11. A system for delegating authority and authentication from a client to a middle-tier server (MTS) in a computing environment having a connection to a network, comprising:
- a client application and a client security implementation operating at said client;
  
  an MTS application and an MTS security implementation operating at said MTS;
  
  an end-tier application and an end-tier security implementation operating at an end-tier server (ETS);
  
  first means for establishing a first secure session between said client security implementation and said MTS security implementation; and
  
  second means for establishing a second secure session between said MTS security implementation and said end-tier security implementation wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
14. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
- means in said MTS security implementation for requesting a signed delegate document from said client security implementation;
  
  means in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  means in said MTS security implementation for receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  means in said end-tier security implementation for extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
15. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
- means in said MTS security implementation for requesting a signed delegate document from said client security implementation;
  
  means in said client security implementation, responsive to said request from said MTS security implementation, for creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  means in said MTS security implementation for receiving said delegate document sent from said client security implementation;
  
  means in said MTS security implementation for receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
  
  means in said client security implementation, responsive to said further certificate request from said MTS security implementation, for creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
  
  means in said MTS security implementation for receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  means in said end-tier security implementation for extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
16. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
- means in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
  
  means in said MTS security implementation for receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
  
  means in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, for creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
  
  means in said MTS security implementation for receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
  
  means in said end-tier security implementation for extracting said identity of said client application from said forwarded certificate for said client.
17. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said second means further comprises:
- means in said MTS security implementation for receiving a certificate request from said end-tier security implementation;
  
  means in said MTS security implementation, responsive to receiving said certificate request, for extracting a name of said client application from a client certificate receiving during said first subprocess;
  
  means in said MTS security implementation for creating a temporary public key, private key pair for representing said client application;
  
  means in said MTS security implementation for creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
  
  means in said MTS security implementation for forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
  
  means in said end-tier security implementation for extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
18. The system for delegating authority and authentication from a client to an MTS according to claim 17, wherein said second means further comprises means in said MTS security implementation for storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
19. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
20. The system for delegating authority and authentication from a client to an MTS according to claim 11, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.

21. A method for delegating authority and authentication from a client to a middle-tier server (MTS) in a computing environment having a connection to a network, comprising the steps of:
- a first step of establishing a first secure session between a client security implementation operating at said client, said client also having a client application operating therein, and an MTS security implementation operating at said MTS, said MTS also having an MTS application operating therein; and
  
  a second step of establishing a second secure session between said MTS security implementation and an end-tier security implementation operating at an end-tier server (ETS), said ETS also having an ETS application operating therein, wherein said MTS security implementation establishes said second secure session on behalf of an identity of said client application.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
23. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
- in said MTS security implementation, requesting an X.509 delegate certificate from said client security implementation;
  
  in said client security implementation, responsive to said request from said MTS security implementation, creating said X.509 delegate certificate and sending said created delegate certificate to said MTS security implementation;
  
  in said MTS security implementation, receiving said delegate certificate sent from said client security implementation and forwarding said received delegate certificate to said end-tier security implementation along with a certificate and a certificate hierarchy for said client; and
  
  in said end-tier security implementation, extracting a subject identity from said forwarded certificate hierarchy, wherein said extracted subject identity is said identity of said client application.
24. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
- in said MTS security implementation, requesting a signed delegate document from said client security implementation;
  
  in said client security implementation, responsive to said request from said MTS security implementation, creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  in said MTS security implementation, receiving said delegate document sent from said client security implementation and forwarding said received delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  in said end-tier security implementation, extracting a subject identity from said forwarded delegate document, wherein said extracted subject identity is said identity of said client application.
25. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
- in said MTS security implementation, requesting a signed delegate document from said client security implementation;
  
  in said client security implementation, responsive to said request from said MTS security implementation, creating said signed delegate document and sending said created delegate document to said MTS security implementation;
  
  in said MTS security implementation, receiving said delegate document sent from said client security implementation;
  
  in said MTS security implementation, receiving a certificate request from said end-tier security implementation and forwarding a further certificate request to said client security implementation wherein said further certificate request contains an identification of said end-tier application;
  
  in said client security implementation, responsive to said further certificate request from said MTS security implementation, creating a further signed delegate document based on said identification of said end-tier application, and wherein said further signed delegate document specifies said identification, and sending said created further delegate document to said MTS security implementation;
  
  in said MTS security implementation, receiving said further delegate document sent from said client security implementation and forwarding said received further delegate document to said end-tier security implementation along with a certificate for said MTS; and
  
  in said end-tier security implementation, extracting a subject identity and said identification from said forwarded further delegate document, wherein said extracted subject identity is said identity of said client application, and verifying that said extracted identification is an identification of said extracting end-tier security implementation.
26. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
- in said MTS security implementation, receiving a certificate request from said end-tier security implementation;
  
  in said MTS security implementation, receiving said certificate request and forwarding a further certificate request to said client security implementation wherein said further certificate request comprises a collection of handshaking data received from said end-tier security implementation;
  
  in said client security implementation, responsive to said further certificate request from said MTS security implementation and based upon an identification of said end-tier application extracted from said handshaking data, creating a digital signature and sending said digital signature embedded in a message to said MTS security implementation;
  
  in said MTS security implementation, receiving said message sent from said client security implementation, extracting said digital signature, and forwarding said extracted digital signature to said end-tier security implementation along with a certificate for said client; and
  
  in said end-tier security implementation, extracting said identity of said client application from said forwarded certificate for said client.
27. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said second step further comprises the steps of:
- in said MTS security implementation, receiving a certificate request from said end-tier security implementation;
  
  in said MTS security implementation, responsive to receiving said certificate request, extracting a name of said client application from a client certificate receiving during said first subprocess;
  
  in said MTS security implementation, creating a temporary public key, private key pair for representing said client application;
  
  in said MTS security implementation, creating an X.509 delegate certificate, said created delegate certificate comprising said extracted name and said temporary public key;
  
  in said MTS security implementation, forwarding said created delegate certificate to said end-tier security implementation along with a digital signature created by said MTS security implementation using said temporary private key; and
  
  in said end-tier security implementation, extracting a subject identity from said forwarded delegate certificate, wherein said extracted identity is said identity of said client application.
28. The method for delegating authority and authentication from a client to an MTS according to claim 27, wherein said second step further comprises the step of, in said MTS security implementation, storing said created key pair and said created delegate certificate for use with any subsequent first secure sessions between said client security implementation and said MTS security implementation.
29. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Secure Sockets Layer protocol.
30. The method for delegating authority and authentication from a client to an MTS according to claim 21, wherein said client security implementation, said MTS security implementation, and said end-tier security implementation use a Transaction Layer Security protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kuehr-McLaren, David G., Shoriak, Timothy Glenn, Davis, Mark Charles
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/215,601
Time in Patent Office

1,202 Days
Field of Search

713/150, 713/152, 713/161, 713/164, 713/165, 713/166, 713/168
US Class Current

713/166
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

Extending SSL to a multi-tier environment using delegation of authentication and authority

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

327 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Extending SSL to a multi-tier environment using delegation of authentication and authority

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

327 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links