SYSTEM AND METHOD FOR AUTHORIZING A NETWORK USER AS ENTITLED TO ACCESS A COMPUTING NODE WHEREIN AUTHENTICATED CERTIFICATE RECEIVED FROM THE USER IS MAPPED INTO THE USER IDENTIFICATION AND THE USER IS PRESENTED WITH THE OPPRTUNITY TO LOGON TO THE COMPUTING NODE ONLY AFTER THE VERIFICATION IS SUCCESSFUL

US 6,785,729 B1
Filed: 08/25/2000
Issued: 08/31/2004
Est. Priority Date: 08/25/2000
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing a network user as entitled to access a computing node of the network, comprisingperforming an initial exchange of protocol messages between the network user and the computing node to establish initial communications without presenting to the user any screen that might be used to access the computing node, presenting an authenticated user certificate from the user to the computing node, mapping the authenticated user certificate into a user identification associated with the user, verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the computing node, denying further access to the computing node if the user is not entitled to access the computing node, and presenting the user with an opportunity to logon to the computing node if the user is verified to access the computing node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authenticated network user is verified as entitled to access a network node or server on the network node, before the user is presented with any opportunity to access the system. An initial exchange of conventional protocol messages occurs between the user and the node to establish initial communications. This is done without presenting to the user any opportunity to logon or to access an application. The network node requests the transmission of an authenticated user certificate from the user and the network node verifies from the user certificate that the user represented by the user certificate is entitled to access the node. If the user as identified by the certificate is not entitled to access, the initial connection is dropped and the user is denied any further access opportunity.

Citations

9 Claims

1. A method of authorizing a network user as entitled to access a computing node of the network, comprisingperforming an initial exchange of protocol messages between the network user and the computing node to establish initial communications without presenting to the user any screen that might be used to access the computing node, presenting an authenticated user certificate from the user to the computing node, mapping the authenticated user certificate into a user identification associated with the user, verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the computing node, denying further access to the computing node if the user is not entitled to access the computing node, and presenting the user with an opportunity to logon to the computing node if the user is verified to access the computing node.
- View Dependent Claims (9)
- - 9. The apparatus of claim 1, wherein the computing node is a server and wherein the authenticated certificate is passed from the server to a Resource Access Control Facility (RACF) where the mapping is performed, wherein the RACF accesses an access list that contains user identifications associated with resource names to verify that the user is entitled to access the computing node, and wherein the user is entitled to access the computing node if the user identification is associated with the resource name on the access list.

2. A method of authorizing a network user as entitled to access the network, comprisingreceiving at a node of the network one or more initial protocol messages from a user station to establish initial communications with the user station without presenting to the user station a logon screen, receiving an authenticated user certificate from the user station, mapping the authenticated user certificate into a user identification associated with the user, verifying from the user certificate that the user represented by the user certificate is entitled to access a computing node based on the user identification and a resource name assigned to the node, denying further access to the computing node if the user is not entitled to access the computing node, and displaying an access screen to the user if the user is verified to access the computing node.

3. Apparatus for authorizing a network user as entitled to access a computing node of the network, comprisingmeans for performing an initial exchange of protocol messages between the user and the computing node to establish initial communications without presenting to the user an access screen, means for presenting an authenticated user certificate from the user to the computing node, means for mapping the authenticated user certificate into a user identification associated with the user, means for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the computing node, means for denying further access to the computing node if the user is not entitled to access the computing node, and means for presenting the user with an opportunity to logon to the computing node if the network user is verified to access the computing node.

4. Apparatus for authorizing a network user as entitled to access a network, comprisingmeans for receiving at a node of the network one or more initial protocol messages from a user station to establish initial communications with the user without presenting to the user an access screen, means for receiving an authenticated user certificate from the user station, means for mapping the authenticated user certificate into a user identification associated with the user, means for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the node, means for denying further access to the computing node if the user is not entitled to access the computing node, and means for transmitting an access screen to the user node if the user is verified to access the computing node.

5. A program product embodied in a storage media and containing program instructions readable by a computer for authorizing a network user as entitled to access a computing node of the network, comprisinga first program segment for performing an initial exchange of protocol messages between the user and the computing node to establish initial communications without presenting to the user an access screen, a second program segment for presenting an authenticated user certificate from the user to the computing node, a third program segment for mapping the authenticated user certificate into a user identification associated with the user, a fourth program segment for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the computing node, a fifth program segment for denying further access to the computing node if the user is not entitled to access the computing node, and a sixth program segment for presenting the user with an opportunity to logon to the computing node if the user is verified to access the computing node.

6. A program product embodied in a storage media and containing program instructions readable by a computer for authorizing a network user as entitled to access the network, comprisinga first program segment for receiving at a node of the network one or more initial protocol messages from a user to establish initial communications with the user station without presenting to the user station an access screen, a second program segment for receiving an authenticated user certificate from the user station, a third program segment for mapping the authenticated user certificate into a user identification associated with the user, a fourth program segment for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the node, a fifth program segment for denying further access to the computing node if the user is not entitled to access the computing node, and a sixth program segment for transmitting an access screen to the user if the user is verified to access the computing node.

7. A carrier wave embodying program instructions readable by a computer for authorizing a network user as entitled to access a computing node of the network, the computer instructions comprisinga first program segment for performing an initial exchange of protocol messages between the user and the computing node to establish initial communications without presenting to the user an access screen, a second program segment for presenting an authenticated user certificate from the user to the computing node, a third program segment for mapping the authenticated user certificate into a user identification, a fourth program segment for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the computing node, a fifth program segment for denying further access to the computing node if the user is not entitled to access the computing node, and a sixth program segment for presenting the user with an opportunity to access the computing node if the user is verified to access the computing node.

8. A carrier wave embodying program instructions readable by a computer for authorizing a network user as entitled to access the network, the computer instructions comprisinga first program segment for receiving at a node of the network one or more initial protocol messages from a user to establish initial communications with the user without presenting to the user an access screen, a second program segment for receiving an authenticated user certificate from the user, a third program segment for mapping the authenticated user certificate into a user identification associated with the user, a fourth program segment for verifying from the user certificate that the user represented by the user certificate is entitled to access the computing node based on the user identification and a resource name assigned to the node, a fifth program segment for denying further access to the computing node if the user is not entitled to access the computing node, and a sixth program segment for transmitting an access screen to the computing node if the user is verified to access the computing node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marshman Research LLC
Original Assignee
International Business Machines Corporation
Inventors
Jakubik, Patricia, Overby, Linwood Hugh Jr.
Primary Examiner(s)
Winder, Patrice
Assistant Examiner(s)
Tran, Philip B.

Application Number

US09/648,653
Time in Patent Office

1,467 Days
Field of Search

709/229, 709/201, 709/203, 709/217-219, 709/223-224, 709/225, 709/227, 713/201
US Class Current

709/229
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/102 Entity profiles

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links