System and method for implementing a distributed keystore within an enterprise network

US 7,823,190 B1
Filed: 06/02/2004
Issued: 10/26/2010
Est. Priority Date: 06/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request from a user and/or an application component to view keystore data;

implementing a first set of security restrictions associated with the request to view the keystore data, the keystore data comprising a full set of keys and/or certificates;

providing a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions, wherein the limited view of the keystore data comprises a subset of the full set of keys and/or certificates, and wherein the subset is specific to the user and/or application component;

detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view;

implementing a second set of security restrictions associated with the attempt to access the specified portions of the keystore data; and

providing limited access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A keystore is described which provides unique views of certificates and keys to particular application components and/or users. Upon receiving a request from a user and/or an application component to view keystore data, the keystore system implements a first set of security restrictions associated with the request and provides a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions. Then, upon detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view, the keystore system implements a second set of security restrictions associated with the attempt to access the specified portions of the keystore data, and provides access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.

38 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a request from a user and/or an application component to view keystore data;
  
  implementing a first set of security restrictions associated with the request to view the keystore data, the keystore data comprising a full set of keys and/or certificates;
  
  providing a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions, wherein the limited view of the keystore data comprises a subset of the full set of keys and/or certificates, and wherein the subset is specific to the user and/or application component;
  
  detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view;
  
  implementing a second set of security restrictions associated with the attempt to access the specified portions of the keystore data; and
  
  providing limited access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1 wherein the keystore data comprises a digital certificate and wherein implementing the first set of security restrictions comprises determining whether the user and/or application component is permitted to view the digital certificate.
  - 3. The method as in claim 2 wherein the digital certificate is an X.509 certificate.
  - 4. The method as in claim 2 wherein implementing the second set of security restrictions comprises determining whether the user and/or application component is permitted to access the digital certificate.
  - 5. The method as in claim 1 wherein implementing the first set of security restrictions and/or the second set of security restrictions includes authenticating the user and/or application component.
  - 6. The method as in claim 5 wherein authenticating the user and/or application component comprises requiring entry of a valid password from the user and/or application component.
  - 7. The method as in claim 1 further comprising:
    - distributing copies of the keystore data across a plurality of server nodes; and
      
      implementing a distributed keystore management policy to ensure that the distributed copies of the keystore data remain valid at each of the server nodes.

8. A system comprising:
- a plurality of server nodes communicatively coupled on an enterprise network, the plurality of server nodes to serve applications over the enterprise network to a plurality of clients;
  
  a keystore to store security data on one or more of the server nodes; and
  
  a keystore provider service executed on one or more of the server nodes, the keystore provider service to;
  
  implement a first set of security restrictions associated with a request from a user and/or an application component to view keystore data, the keystore data comprising a full set of keys and/or certificates;
  
  provide a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions, wherein the limited view of the keystore data comprises a subset of the full set of keys and/or certificates, and wherein the subset is specific to the requesting user and/or application component;
  
  detect an attempt by the user and/or application component to access specified portions of the keystore data provided in the view;
  
  implement a second set of security restrictions associated with the attempt to access the specified portions of the keystore data; and
  
  provide limited access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system as in claim 8 wherein the keystore data comprises a digital certificate and wherein implementing the first set of security restrictions comprises determining whether the user and/or application component is permitted to view the digital certificate.
  - 10. The system as in claim 9 wherein the digital certificate is an X.509 certificate.
  - 11. The system as in claim 9 wherein implementing the second set of security restrictions comprises determining whether the user and/or application component is permitted to access the digital certificate.
  - 12. The system as in claim 8 wherein implementing the first set of security restrictions and/or the second set of security restrictions includes authenticating the user and/or application component.
  - 13. The system as in claim 12 wherein authenticating the user and/or application component comprises requiring entry of a valid password from the user and/or application component.

14. An article of manufacture including a non-transitory machine-readable medium for storing program code which, when executed by a machine, causes the machine to perform the operations of:
- receiving a request from a user and/or an application component to view keystore data;
  
  implementing a first set of security restrictions associated with the request to view the keystore data, the keystore data comprising a full set of keys and/or certificates;
  
  providing a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions, wherein the limited view of the keystore data comprises a subset of the full set of keys and/or certificates, and wherein the subset is specific to the user and/or application component;
  
  detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view;
  
  implementing a second set of security restrictions associated with the attempt to access the specified portions of the keystore data; and
  
  providing limited access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The article of manufacture as in claim 14 wherein the keystore data comprises a digital certificate and wherein implementing the first set of security restrictions comprises determining whether the user and/or application component is permitted to view the digital certificate.
  - 16. The article of manufacture as in claim 15 wherein the digital certificate is an X.509 certificate.
  - 17. The article of manufacture as in claim 15 wherein implementing the second set of security restrictions comprises determining whether the user and/or application component is permitted to access the digital certificate.
  - 18. The article of manufacture as in claim 14 wherein implementing the first set of security restrictions and/or the second set of security restrictions includes authenticating the user and/or application component.
  - 19. The article of manufacture as in claim 18 wherein authenticating the user and/or application component comprises requiring entry of a valid password from the user and/or application component.
  - 20. The article of manufacture as in claim 14 comprising additional instructions to cause the machine to perform the operations of:
    - distributing copies of the keystore data across a plurality of server nodes; and
      
      implementing a distributed keystore management policy to ensure that the distributed copies of the keystore data remain valid at each of the server nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Jaeschke, Hiltrud, Zlatarev, Stephan, Kacarov, Ilia
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Zee; Edward

Application Number

US10/860,477
Time in Patent Office

2,337 Days
Field of Search

713/157, 713/155, 713/156, 713/165, 713/166, 380/278, 380/279, 380/286, 726/5, 726/6, 726/18
US Class Current

726/6
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/0836   using tree structure or hie...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

System and method for implementing a distributed keystore within an enterprise network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing a distributed keystore within an enterprise network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links