Providing end-to-end user authentication for host access using digital certificates
Abstract
A method, system, and computer program product for using a digital certificate to access legacy host applications and/or data which are protected by a host-based security system such as RACF (Resource Access Control Facility, a product offered by the IBM Corporation) and which typically require a separate user identification and password. Use of the present invention enables the client to access the host applications and/or data using a single system log on, without requiring modification to host programs.
26 Claims
1. A computer program product for providing end-to-end user authentication for legacy host application access, said computer program product embodied on a computer-readable medium readable by a computing device in a computing environment and comprising:
- computer-readable program code means for establishing a secure session from a client machine to a server machine using a digital certificate transmitted from said client machine to said server machine, wherein said digital certificate represents said client machine or a user thereof;
- computer-readable program code means for storing said transmitted digital certificate at said server machine;
- computer-readable program code means for establishing a session from said server machine to a host system on behalf of said client machine, responsive to establishment of said secure session, using a legacy host communication protocol;
- computer-readable program code means for automatically sending a log-on message from said client machine to said server machine, responsive to receiving, at said client machine, a request from said host system for log-on information of said user, wherein said log-on message uses placeholder syntax in place of a user identifier and a password of said user;
- computer-readable program code means for passing said stored digital certificate from said server machine to a host access security system, responsive to receiving, at said server machine, said log-on message from said client machine;
- computer-readable program code means, operable in said host access security system, for using said passed digital certificate to locate access credentials for said user;
- computer-readable program code means for returning, from said host access security system to said server machine, a user identifier associated with said located access credentials and either a stored password or a generated password substitute representing said located credentials;
- computer-readable program code means for modifying, by said server machine, said received log-on message by replacing said placeholder syntax with said returned user identifier and password or password substitute; and
- computer-readable program code means for forwarding said modified log-on message from said server to said host system as a response to said request for log-on information, such that said user identifier and password or password substitute from said forwarded log-on message can be used by said host system to transparently log said user on to a secure legacy host application executing at said host system, without requiring change to said host system.

2. A system for providing end-to-end user authentication for legacy host application access in a computing environment, comprising:
- means for establishing a secure session from a client machine to a server machine using a digital certificate transmitted from said client machine to said server machine, wherein said digital certificate represents said client machine or a user thereof;
- means for storing said transmitted digital certificate at said server machine;
- means for establishing a session from said server machine to a host system on behalf of said client machine, responsive to establishment of said secure session, using a legacy host communication protocol;
- means for automatically sending a log-on message from said client machine to said server machine, responsive to receiving, at said client machine, a request from said host system for log-on information of said user, wherein said log-on message uses placeholder syntax in place of a user identifier and a password of said user;
- means for passing said stored digital certificate from said server machine to a host access security system, responsive to receiving, at said server machine, said log-on message from said client machine;
- means, operable in said host access security system, for using said passed digital certificate to locate access credentials for said user;
- means for returning, from said host access security system to said server machine, a user identifier associated with said located access credentials and either a stored password or a generated password substitute representing said located credentials;
- means for modifying, by said server machine, said received log-on message by replacing said placeholder syntax with said returned user identifier and password or password substitute; and
- means for forwarding said modified log-on message from said server to said host system as a response to said request for log-on information, such that said user identifier and password or password substitute from said forwarded log-on message can be used by said host system to transparently log said user on to a secure legacy host application executing at said host system, without requiring change to said host system.

3. A method for providing end-to-end user authentication for legacy host application access in a computing environment, comprising steps of:
- establishing a secure session from a client machine to a server machine using a digital certificate transmitted from said client machine to said server machine, wherein said digital certificate represents said client machine or a user thereof;
- storing said transmitted digital certificate at said server machine;
- establishing a session from said server machine to a host system on behalf of said client machine, responsive to establishment of said secure session, using a legacy host communication protocol;
- automatically sending a log-on message from said client machine to said server machine, responsive to receiving, at said client machine, a request from said host system for log-on information of said user, wherein said log-on message uses placeholder syntax in place of a user identifier and a password of said user;
- passing said stored digital certificate from said server machine to a host access security system, responsive to receiving, at said server machine, said log-on message from said client machine;
- using, by said host access security system, said passed digital certificate to locate access credentials for said user;
- returning, from said host access security system to said server machine, a user identifier associated with said located access credentials and either a stored password or a generated password substitute representing said located credentials;
- modifying, by said server machine, said received log-on message by replacing said placeholder syntax with said returned user identifier and password or password substitute; and
- forwarding said modified log-on message from said server to said host system as a response to said request for log-on information, such that said user identifier and password or password substitute from said forwarded log-on message can be used by said host system to transparently log said user on to a secure legacy host application executing at said host system, without requiring change to said host system.
Dependent claims: 4, 5, 6, 7, 8.

9. A method of enabling a user at a client device to transparently log on to a legacy session with a legacy host application, without requiring change to said legacy host application, comprising steps of:
- caching a digital certificate associated with said client device, or a user thereof, at a server to which said digital certificate has been provided for authentication of said client device or said user;
- initiating, by said server on behalf of said client device, said legacy session with said legacy host application;
- automatically responding, by said client device, to a log-on request from said legacy host application, where said log-on request is sent by said legacy host application responsive to said initiating step, by sending a log-on message in which placeholder syntax is used in place of a user identifier and password expected by said legacy host application; and
- before forwarding said sent log-on message from said server to said legacy host application, performing steps of:
  - using said cached digital certificate to obtain, at said server from a host access security system, said expected user identifier and either said expected password or a password substitute therefor which is generated by said host access security system; and
  - replacing said placeholder syntax in said sent log-on message with said obtained user identifier and password or password substitute.
Dependent claims: 10, 11, 12, 13, 14.

15. A system for enabling a user at a client device to transparently log on to a legacy session with a legacy host application, without requiring change to said legacy host application, comprising:
- means for caching a digital certificate associated with said client device, or a user thereof, at a server to which said digital certificate has been provided for authentication of said client device or said user;
- means for initiating, by said server on behalf of said client device, said legacy session with said legacy host application;
- means for automatically responding, by said client device, to a log-on request from said legacy host application, where said log-on request is sent by said legacy host application responsive to said means for initiating, by sending a log-on message in which placeholder syntax is used in place of a user identifier and password expected by said legacy host application; and
- before forwarding said sent log-on message from said server to said legacy host application, means for performing steps of:
  - using said cached digital certificate to obtain, at said server from a host access security system, said expected user identifier and either said expected password or a password substitute therefor which is generated by said host access security system; and
  - replacing said placeholder syntax in said sent log-on message with said obtained user identifier and password or password substitute.
Dependent claims: 16, 17, 18, 19, 20.

21. A computer program product for enabling a user at a client device to transparently log on to a legacy session with a legacy host application, without requiring change to said legacy host application, said computer program product embodied on a computer-readable medium readable by a computing device in a computing environment and comprising:
- computer-readable program code means for caching a digital certificate associated with said client device, or a user thereof, at a server to which said digital certificate has been provided for authentication of said client device or said user;
- computer-readable program code means for initiating, by said server on behalf of said client device, said legacy session with said legacy host application;
- computer-readable program code means for automatically responding, by said client device, to a log-on request from said legacy host application, where said log-on request is sent by said legacy host application responsive to said computer-readable program code means for initiating, by sending a log-on message in which placeholder syntax is used in place of a user identifier and password expected by said legacy host application; and
- before forwarding said sent log-on message from said server to said legacy host application, computer-readable program code means for performing steps of:
  - using said cached digital certificate to obtain, at said server from a host access security system, said expected user identifier and either said expected password or a password substitute therefor which is generated by said host access security system; and
  - replacing said placeholder syntax in said sent log-on message with said obtained user identifier and password or password substitute.
Dependent claims: 22, 23, 24, 25, 26.

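The flow claimed in claims 1 through 3 and restated in claims 9, 15 and 21 (client presents a certificate on a secure session; the server caches it and opens the legacy session; the client answers the host's log-on prompt with placeholders; the server resolves the cached certificate to a user identifier and a password substitute through the host access security system, rewrites the message and forwards it), run end to end as an added example. This is not code from the patent or from any IBM product. Everything concrete in it is an assumption: the placeholder tokens $$USERID$$ and $$PASSWORD$$, the LOGON line format, the class and function names, the constructed certificate bytes and signon key, and the password substitute, which is an HMAC over user identifier, application and time slice standing in for RACF's PassTicket rather than an implementation of it.

```python
import hashlib
import hmac
import re
import secrets

# Placeholder tokens and the LOGON line format are constructed for this example;
# the claims only say "placeholder syntax" and "log-on message".
USERID_PH = "$$USERID$$"
PASSWORD_PH = "$$PASSWORD$$"
LOGON_RE = re.compile(r"^LOGON USERID\(([A-Z0-9]{1,8})\) PASSWORD\(([A-Z0-9]{1,8})\)$")


def cert_fingerprint(cert_der: bytes) -> str:
    """Key the credential lookup on a digest of the whole certificate, not on its
    subject name: two issuers can sign certificates with identical subjects."""
    return hashlib.sha256(cert_der).hexdigest()


class HostAccessSecuritySystem:
    """Stand-in for the host access security system (RACF in the abstract): maps a
    certificate to a host user ID and mints a time-bound, single-use password
    substitute.  The substitute is an HMAC over user ID, application and time
    slice; it is NOT RACF's PassTicket algorithm, only a stand-in of the same
    shape (8 characters, short validity window, one use)."""

    def __init__(self, signon_key: bytes, cert_map: dict, slice_seconds: int = 60):
        self._key = signon_key
        self._cert_map = cert_map      # certificate fingerprint -> host user ID
        self._slice = slice_seconds
        self._used = set()             # (user ID, substitute) pairs already accepted

    def credentials_for(self, cert_der: bytes, application: str, now: float):
        """Locate credentials for a passed certificate: (user ID, substitute) or None."""
        uid = self._cert_map.get(cert_fingerprint(cert_der))
        if uid is None:
            return None
        return uid, self._mint(uid, application, int(now // self._slice))

    def _mint(self, uid: str, application: str, tslice: int) -> str:
        msg = f"{uid}|{application}|{tslice}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()[:8].upper()  # 8-char field

    def verify(self, uid: str, application: str, ticket: str, now: float) -> bool:
        """Host-side check: current or previous time slice (clock skew between
        server and host) and never accepted before (replay)."""
        if (uid, ticket) in self._used:
            return False
        tslice = int(now // self._slice)
        for candidate in (tslice, tslice - 1):
            if hmac.compare_digest(self._mint(uid, application, candidate), ticket):
                self._used.add((uid, ticket))
                return True
        return False


class Server:
    """Middle tier: caches the certificate presented on the client's secure session
    and rewrites the client's placeholder log-on message before forwarding it."""

    def __init__(self, hass: HostAccessSecuritySystem, application: str):
        self._hass, self._app = hass, application
        self._sessions = {}            # session id -> cached client certificate (DER)

    def establish_secure_session(self, client_cert_der: bytes) -> str:
        # In a deployment the certificate comes from TLS client authentication, so the
        # TLS layer has already proved possession of the matching private key.
        sid = secrets.token_hex(8)
        self._sessions[sid] = client_cert_der
        return sid

    def relay_logon(self, sid: str, logon_message: str, now: float) -> str:
        cert = self._sessions[sid]    # identity comes from the cached certificate, never from the message
        if logon_message.count(USERID_PH) != 1 or logon_message.count(PASSWORD_PH) != 1:
            raise ValueError("log-on message must carry each placeholder exactly once")
        creds = self._hass.credentials_for(cert, self._app, now)
        if creds is None:
            raise PermissionError("certificate is not mapped to any host user")
        uid, ticket = creds
        return logon_message.replace(USERID_PH, uid).replace(PASSWORD_PH, ticket)


class LegacyHost:
    """Unmodified host application: parses an ordinary LOGON line and defers to its
    security system, unaware that the password is a substitute."""

    def __init__(self, hass: HostAccessSecuritySystem, application: str):
        self._hass, self._app = hass, application

    def logon(self, message: str, now: float) -> bool:
        m = LOGON_RE.match(message)
        return bool(m) and self._hass.verify(m.group(1), self._app, m.group(2), now)


def demo(now: float = 1_700_000_000.0):
    """One end-to-end run over constructed data; returns (forwarded message,
    first log-on result, result of replaying the same message)."""
    cert = b"constructed bytes standing in for the client's DER certificate"
    hass = HostAccessSecuritySystem(b"constructed secured signon key",
                                    {cert_fingerprint(cert): "USER01"})
    server, host = Server(hass, "TSO"), LegacyHost(hass, "TSO")
    sid = server.establish_secure_session(cert)           # client presents certificate
    client_msg = f"LOGON USERID({USERID_PH}) PASSWORD({PASSWORD_PH})"  # client's automatic reply
    forwarded = server.relay_logon(sid, client_msg, now)  # server substitutes real values
    return forwarded, host.logon(forwarded, now), host.logon(forwarded, now + 5)


if __name__ == "__main__":
    print(demo())
```

Three choices in the example are the ones a reviewer of such a gateway would look for. The lookup is keyed on a digest of the certificate rather than its subject name, so a second issuer cannot mint a certificate that maps to the same host user. The server takes the identity only from the certificate cached when the secure session was established and refuses a message that does not carry each placeholder exactly once, so nothing the client writes into the log-on message can steer which credentials are substituted. The substitute is time-bound and single-use, which is the practical reason to prefer the "generated password substitute" branch of the claims over the "stored password" branch: the rewritten message travels to the host over the legacy protocol, and a captured substitute is worthless after one use, while a captured stored password is not.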
Specification