Technique for handling subsequent user identification and password requests with identity change within a certificate-based host session
First Claim
1. A computer program product for enabling an identity change during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:
computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:
computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;
computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;
computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
computer-readable program code means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
computer-readable program code means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
computer-readable program code means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
computer-readable program code means for requesting by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
computer-readable program code means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
computer-readable program code means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:
computer-readable program code means for receiving a second sign-on request, at said server machine from said client machine, wherein:
(1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested;
(2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity;
(3) said second secure legacy host application may be identical to said first secure legacy host application; and
(4) said second identity is for a second user, wherein said second user may be identical to said user;
computer-readable program code means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
computer-readable program code means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
computer-readable program code means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
computer-readable program code means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
computer-readable program code means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
computer-readable program code means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.
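The sign-on flow set out in claim 1, modelled end to end in Python as an added example; this is not code from the patent or from IBM. The host access security system (RACF in the abstract) and the legacy host application are stand-ins; the PassTicket-like password substitute is an HMAC under a secured sign-on key (the real RACF PassTicket algorithm is not reproduced); the certificate is a textbook-RSA toy on constructed Mersenne primes with no padding; and the placeholder syntax `$USERID$`/`$PASSWORD$`, the application names CICS and TSO, and the user IDs are all constructed. Two checks a practitioner would want are built in: an identity change inside an existing secure session is accepted only with proof of possession of the new certificate over a session-bound challenge (claim 26 places that check in the host access security component; here the server machine performs it before passing the certificate reference on), and the user ID written into the revised sign-on message always comes from the security system, never from the client.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

PLACEHOLDERS = ("$USERID$", "$PASSWORD$")  # hypothetical placeholder syntax

def _rep(msg: bytes) -> int:  # 128-bit message representative, below every toy modulus used here
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

@dataclass(frozen=True)
class Cert:  # X.509 stand-in: subject plus textbook-RSA public modulus, e=65537 (no padding, demo only)
    subject: str
    n: int
    @property
    def fingerprint(self) -> str:  # the 'reference' the server machine stores and passes along
        return hashlib.sha256(f"{self.subject}|{self.n}".encode()).hexdigest()

    def verify(self, msg: bytes, sig: int) -> bool:
        return pow(sig, 65537, self.n) == _rep(msg)

def make_identity(subject: str, p: int, q: int):  # -> (cert, private exponent)
    return Cert(subject, p * q), pow(65537, -1, (p - 1) * (q - 1))

def prove(cert: Cert, d: int, challenge: bytes):  # -> (challenge, signature): proof of possession
    return challenge, pow(_rep(challenge), d, cert.n)

class HostAccessSecuritySystem:
    """RACF stand-in: certificate reference -> host user ID per application, plus a PassTicket-like
    one-time password substitute (HMAC under a secured sign-on key, never the stored password)."""
    def __init__(self, signon_key: bytes, creds: dict):
        self._key, self._creds, self._used = signon_key, creds, set()

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def authenticate(self, cert_ref: str, app: str):  # -> (user ID, password substitute)
        creds = self._creds.get(cert_ref)
        if creds is None or app not in creds:
            raise PermissionError(f"no credentials for certificate {cert_ref[:8]} on {app}")
        userid, exp, nonce = creds[app], int(time.time()) + 60, secrets.token_hex(4)
        return userid, f"{exp}.{nonce}.{self._mac(f'{userid}|{app}|{exp}|{nonce}')}"

    def redeem(self, userid: str, app: str, ticket: str) -> bool:  # host-side validation
        exp, nonce, mac = (ticket.split(".") + ["", ""])[:3]
        genuine = hmac.compare_digest(self._mac(f"{userid}|{app}|{exp}|{nonce}"), mac)
        fresh = exp.isdigit() and time.time() < int(exp) and ticket not in self._used
        self._used.add(ticket)  # single use: a replayed substitute fails
        return genuine and fresh

def host_logon(hass: HostAccessSecuritySystem, app: str, msg: str) -> bool:
    parts = msg.split()  # legacy host application: expects 'LOGON <userid> <password>'
    return len(parts) == 3 and parts[0] == "LOGON" and hass.redeem(parts[1], app, parts[2])

class Gateway:
    """Server machine: keeps only the certificate reference proven per secure session and
    substitutes placeholders; it never sees a stored user password."""
    def __init__(self, hass: HostAccessSecuritySystem):
        self._hass, self._sessions, self._challenges = hass, {}, {}

    def challenge(self, sid=None) -> bytes:  # fresh nonce, bound to a session when sid is given
        c = secrets.token_bytes(16) + (sid or "").encode()
        self._challenges[c] = sid
        return c

    def _check_proof(self, cert: Cert, challenge: bytes, proof: int, sid):
        if self._challenges.pop(challenge, "?") != sid or not cert.verify(challenge, proof):
            raise PermissionError("certificate possession not proven for this session")

    def open_secure_session(self, cert: Cert, challenge: bytes, proof: int) -> str:
        self._check_proof(cert, challenge, proof, None)  # models TLS client-certificate auth
        sid = secrets.token_hex(8)
        self._sessions[sid] = cert.fingerprint
        return sid

    def sign_on(self, sid, app, logon_msg, new_cert=None, challenge=None, proof=None):
        if new_cert is not None:  # identity change inside the same secure session: a bare
            self._check_proof(new_cert, challenge, proof, sid)  # reference is not enough
            self._sessions[sid] = new_cert.fingerprint
        if not all(p in logon_msg for p in PLACEHOLDERS):
            raise ValueError("client-supplied credentials are not accepted on this path")
        userid, ticket = self._hass.authenticate(self._sessions[sid], app)
        revised = logon_msg.replace(PLACEHOLDERS[0], userid).replace(PLACEHOLDERS[1], ticket)
        return userid, revised, host_logon(self._hass, app, revised)  # forward revised message

def demo() -> dict:  # constructed scenario: two users, two applications, one secure session
    alice, alice_d = make_identity("CN=alice", 2**61 - 1, 2**89 - 1)  # Mersenne primes, toy keys
    bob, bob_d = make_identity("CN=bob", 2**107 - 1, 2**127 - 1)
    hass = HostAccessSecuritySystem(b"constructed secured sign-on key", {
        alice.fingerprint: {"CICS": "ALICE1", "TSO": "ALICEB"},  # one user, two host user IDs
        bob.fingerprint: {"CICS": "BOB"}})
    gw, msg = Gateway(hass), "LOGON $USERID$ $PASSWORD$"
    sid = gw.open_secure_session(alice, *prove(alice, alice_d, gw.challenge()))
    out = {"first": gw.sign_on(sid, "CICS", msg), "same_user": gw.sign_on(sid, "TSO", msg)}
    out["changed"] = gw.sign_on(sid, "CICS", msg, bob, *prove(bob, bob_d, gw.challenge(sid)))
    out["replay"] = host_logon(hass, "CICS", out["changed"][1])  # same revised message again
    try:  # alice's certificate presented with bob's key: possession not proven
        gw.sign_on(sid, "CICS", msg, alice, *prove(bob, bob_d, gw.challenge(sid)))
        out["forged"] = "accepted"
    except PermissionError:
        out["forged"] = "rejected"
    return out
```

The server machine is the trusted component in this design: whoever controls it can request a password substitute for any registered certificate reference, so the certificate-to-user mapping on the security system and the gateway's own host credentials deserve the same protection as a stored password. The single-use, application-bound, short-lived substitute limits what a captured revised sign-on message is worth, and the session-bound challenge is what stops a second sign-on request carrying only a certificate reference from switching identities.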
Abstract
The present invention provides a method, system, and computer program product which enables changing user credentials that are used to access legacy host applications and/or systems which provide legacy host data during a secure host access session which is authenticated using a digital certificate and is protected by a host-based security system, such as RACF (Resource Access Control Facility, a product offered by the IBM Corporation), where these changed credentials are used to authenticate a user after previously-provided credentials have been used for authentication earlier in the same session. The changed credentials may belong to the same user, where that user happens to have a different user ID and/or password for different legacy host applications and wishes to change from accessing one legacy host application to accessing another. Or, the changed credentials may be used to enable a different user to interact with the same legacy host application used by the previously-authenticated user. The disclosed technique may also be used advantageously to authenticate a user for accessing an application, when the user's credentials are not changing.
27 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 18, 19, 20, 21, 22, 23.
8. A system for enabling an identity change during a certificate-based host access session, comprising:
means for processing a first sign-on during a secure session using a digital certificate, further comprising:
means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
means for storing said digital certificate or a reference thereto at said server machine;
means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
means for passing said stored digital certificate or said reference from said server machine to a host access security system;
means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
means for requesting by said first secure legacy host application, responsive to said means for establishing said session, first sign-on information for said user; and
means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:
means for receiving a second sign-on request, at said server machine from said client machine, wherein:
(1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested;
(2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity;
(3) said second secure legacy host application may be identical to said first secure legacy host application; and
(4) said second identity is for a second user, wherein said second user may be identical to said user;
means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.
Dependent claims: 9, 10, 11, 12, 24.
13. A method for enabling an identity change during a certificate-based host access session, comprising the steps of:
processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:
establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
storing said digital certificate or a reference thereto at said server machine;
establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
passing said stored digital certificate or said reference from said server machine to a host access security system;
authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
using, by said host access security system, said passed or retrieved digital certificate to locate access credentials for said user;
accessing, by said host access security system, a stored password or generating a password substitute representing said located credentials;
returning, by said host access security system, said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
requesting by said first secure legacy host application, responsive to said step of establishing said session, first sign-on information for said user; and
responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
using, by said server machine, said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising the steps of:
receiving a second sign-on request, at said server machine from said client machine, wherein:
(1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested;
(2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity;
(3) said second secure legacy host application may be identical to said first secure legacy host application; and
(4) said second identity is for a second user, wherein said second user may be identical to said user;
passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
authenticating, by said host access security system, said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
using, by said host access security system, said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
accessing, by said host access security system, a second stored password or generating a second password substitute representing said second located credentials;
returning, by said host access security system, said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
using, by said server machine, said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.
Dependent claims: 14, 15, 16, 17, 25.
26. A computer-implemented method for enabling an identity change during a certificate-based host access session, comprising steps of:
establishing a secure session between a client and a server using a digital certificate owned by a user of said client;
remembering said digital certificate at said server;
completing a first sign-on to a host application, by said server on behalf of said user, responsive to receiving an asynchronous sign-on request from said client that identifies said host application, further comprising the steps of:
using said remembered digital certificate to authenticate said user to a host access security component;
if said user is authenticated, locating, by said host access security component, access credentials of said user;
creating, by said host access security component, a passticket that represents said located access credentials;
returning said passticket from said host access security component to said server, along with a user identifier associated with said located access credentials; and
inserting, by said server, said passticket and said user identifier into a log-on message in place of placeholders for a user password and said user identifier, when said log-on message is received at said server from said client, thereby creating a revised log-on message, in a form expected by said host application, that is then sent from said server to sign said user on to said host application; and
completing a second sign-on to a second host application, by said server on behalf of a second user, responsive to receiving a second asynchronous sign-on request from said client that identifies said second host application, wherein said second host application may be identical to said host application and said second user may be identical to said user, further comprising the steps of:
using a new digital certificate and proof therefor to authenticate said second user to said host access security component, wherein said new digital certificate and said proof therefor are included in said second asynchronous sign-on request;
if said second user is authenticated, locating, by said host access security component, access credentials of said second user;
creating, by said host access security component, a second passticket that represents said located access credentials of said second user;
returning said second passticket from said host access security component to said server, along with a second user identifier associated with said located access credentials of said second user; and
inserting, by said server, said returned second passticket and said returned second user identifier into a second log-on message in place of placeholders for a second user password and said second user identifier, when said second log-on message is received at said server from said client, thereby creating a revised second log-on message, in said form expected by said second host application, that is then sent from said server to sign said second user on to said second host application.
27. A method of providing identity change during a secure session, comprising steps of:
upon receiving a first log-on message containing placeholder syntax from a client during a secure session, substituting therefor a first user identifier and a first password substitute provided by a host access security system upon authentication of user credentials associated with the client and with a user thereof, thereby creating a revised first log-on message in a form expected by a first legacy host application, the first password substitute representing access privileges associated with the user credentials for the first legacy host application;
forwarding the revised first log-on message to the first legacy host application for completing a secure sign-on thereto;
upon receiving a second log-on message containing placeholder syntax from the client during the secure session, substituting therefor a second user identifier and a second password substitute provided by the host access security system upon authentication of second user credentials associated with the client and with the user thereof or a different user thereof, thereby creating a revised second log-on message in a form expected by a second legacy host application, the second password substitute representing access privileges associated with the second user credentials for the second legacy host application, wherein the second legacy host application may be identical to the first legacy host application; and
forwarding the revised second log-on message to the second legacy host application for completing a secure sign-on thereto.
Specification