Public-key infrastructure in network management

US 8,019,989 B2
Filed: 06/06/2003
Issued: 09/13/2011
Est. Priority Date: 06/06/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of selectively granting a public-key certificate to a managed node in an IT network having certification capability, the managed node having an initialization time associated with the installation time of a software agent in the managed node, the method comprising:

detecting, by a computer system, the initialization time;

after the initialization time, receiving, by the computer system, a request to grant the certificate from the managed node;

detecting, by the computer system, the time of the request by the managed node;

responding, by the computer system, to the detected times by ascertaining whether an initialization-to request time interval between the detected initialization time and the detected request time is within a maximum time interval for automatic certificate grant;

automatically granting, by the computer system, the requested certificate to the requesting managed node only if the ascertained initialization-to-request time interval is within the maximum time interval, and if the ascertained initialization-to-request time interval is outside the maximum time interval, preventing the automatic granting of the requested certificate to the requesting managed node.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of granting a public-key certificate to a managed node in an IT network is provided. A request from the managed node to grant the certificate is received at a certification server. It is ascertained whether an initialization-to-request time interval between an initialization time of the managed node and a request time assigned to the request is within a maximum time interval for automatic certificate grant. The requested certificate is automatically granted if the initialization-to-request time interval is within the maximum time interval.

46 Citations

View as Search Results

34 Claims

1. A method of selectively granting a public-key certificate to a managed node in an IT network having certification capability, the managed node having an initialization time associated with the installation time of a software agent in the managed node, the method comprising:
- detecting, by a computer system, the initialization time;
  
  after the initialization time, receiving, by the computer system, a request to grant the certificate from the managed node;
  
  detecting, by the computer system, the time of the request by the managed node;
  
  responding, by the computer system, to the detected times by ascertaining whether an initialization-to request time interval between the detected initialization time and the detected request time is within a maximum time interval for automatic certificate grant;
  
  automatically granting, by the computer system, the requested certificate to the requesting managed node only if the ascertained initialization-to-request time interval is within the maximum time interval, and if the ascertained initialization-to-request time interval is outside the maximum time interval, preventing the automatic granting of the requested certificate to the requesting managed node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the maximum time interval for automatic certificate grant is set by an administrator or operator of the IT network.
  - 3. The method of claim 1, wherein the initialization time is the time a management agent is sent to the managed node, the management agent, during its installation at the managed node, installing public and private keys in the managed node.
  - 4. The method of claim 1, wherein the initialization time is the time when a management server or a combined management and certification server initiates the installation of the management agent at the managed node.
  - 5. The method of claim 1, further including storing the initialization time as a property of the managed node.
  - 6. The method of claim 5, wherein the ascertaining step includes using the stored initialization time to determine the initialization-to-request time interval.
  - 7. The method of claim 1, wherein the detected request time is the time of receipt, by a management server or a combined management and certification server, of the managed node'"'"'s request to grant a certificate.
  - 8. The method of claim 1, further including authenticating the managed node after the certificate has been granted to the managed node, the managed node being authenticated in management communications with a management server or combined management and certification server using the managed node'"'"'s public key and public-key certificate and a private key of the managed node associated with its public key.
  - 9. The method of claim 8, further including authenticating the management server or the combined server or the other managed node by using a public key of the management server or the combined server or the other managed node.
  - 10. The method of claim 1 further including the following steps after the initialization time and before the managed node transmits the request:
    - loading, at the managed node, an agent including the capability of generating public and private keys at the managed node;
      
      then causing the agent to generate the public and private keys at the managed node;
      
      then transmitting the request for the certificate from the managed node.
  - 11. The method of claim 1, wherein the initialization time is any of the following:
    - actual installation time of the software agent on the managed node;
      
      the time when a management node deploys the software agent to the managed node;
      
      the time when a management node sends a request to the managed node to start installation of the software agent;
      
      the time the managed node sends a confirmation indicating it has started installation of the software agent;
      
      the time the managed node sends a confirmation indicating it has completed installation of the software agent;
      
      the time a management node receives a confirmation of the managed node sending a confirmation indicating the managed node has started installation of the software agent;
      
      the time a management node receives a confirmation of the managed node sending a confirmation indicating the managed node has completed installation of the software agent.

12. A process of setting-up a management agent in a node of an IT network in which managed nodes are authenticated in management communications, the IT network having a certification capability, the authentication being based on public-key cryptography, comprising:
- starting, by a computer system, the process;
  
  at the start of the process installing, by the computer system, the agent at the node;
  
  requesting, by the agent, the server to grant a public-key certificate, at a request time;
  
  determining, by the processor, (a) the start time of the process, (b) the request time by the agent, (c) the time interval between the determined start and request times, and automatically granting the requested certificate only in response to the determined time interval between the determined start time of the process and the determined request time is within a maximum time interval for automatic certificate grant;
  
  or in the alternative, preventing the automatic granting of the requested certificate to the requesting managed node, in response to the determined time interval between the determined start time and the determined request time being outside the maximum time interval for automatic certificate grant.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The process of claim 12, wherein the maximum time interval for automatic certificate grant is set by an administrator or operator of the IT network.
  - 14. The process of claim 12, wherein the start time is the time of installation of the management agent at the managed node.
  - 15. The process of claim 12, wherein the time when a management server initiates the installation of the management agent at the managed node is the start time.
  - 16. The process of claim 12, further including storing the start time as a property of the managed node.
  - 17. The process of claim 16, further including using the stored start time to determine whether the time interval between the start time and the request time is within the maximum time interval for automatic certificate grant.
  - 18. The process of claim 12, wherein the request time is the time of receipt of the managed node'"'"'s request to grant a certificate at the certification server.
  - 19. The method of claim 12, further including, after the certificate has been granted to the managed node, authenticating the managed node in management communications with a management server or combined management and certification server by using the managed node'"'"'s public key and public-key certificate and a private key of the managed node associated with its public key.
  - 20. The method of claim 12, further including authenticating the management server or the other managed node by using a public key of the management server or combined management and certification server.
  - 21. The process of claim 12 further comprising a certification server or combined management and certification server.
  - 22. The process of claim 21 further including performing the following steps after the start of the process and before the managed node transmits the request:
    - loading, at the managed node, an agent including the capability of generating public and private keys at the managed node;
      
      then causing the agent to generate the public and private keys at the managed node;
      
      then transmitting the request for the certificate from the managed node to the certification server.

23. A certification server or combined management and certification server arranged to:
- determine (a) an initialization time associated with the installation of a software agent at a managed node and (b) a request time by a managed node in an IT network for a public-key certificate, andascertain whether the time interval between the determined initialization time and the determined request time is within a maximum time interval for automatic certificate grant; and
  
  automatically granting the requested certificate to the managed node only if the ascertained time interval is within the maximum time interval and preventing automatic granting of the requested certificate to the managed node if the ascertained time interval exceeds the maximum time interval.
- View Dependent Claims (24)
- - 24. The server of claim 23, wherein the initialization time is any of the following:
    - actual installation time of the software agent in the managed node;
      
      the time when the server deploys the software agent to the managed node;
      
      the time when the server sends a request to the managed node to start installation of the software agent;
      
      the time when the managed node sends to the server a confirmation indicating the managed node has started installation of the software agent;
      
      the time the managed node sends to the server a confirmation indicating the managed node has completed installation of the software agent;
      
      the time the server receives a confirmation of the managed node sending a confirmation indicating the managed node has started installation of the software agent;
      
      the time the server receives a confirmation of the managed node sending a confirmation indicating the managed node has completed installation of the software agent.

25. A managed IT network comprising:
- a management server, a certification server and a node, ora combined management/certification server and a node,wherein the management server or the management/certification server is arranged to initiate installation of a management agent at the node at an initialization time;
  
  wherein the agent is arranged to request the certification server or the management/certification server to grant a public-key certificate, at a request time; and
  
  wherein the certification server or the combined management/certification server is arranged to (a) determine the initialization time and the request time;
  
  (b) automatically grant the requested certificate to the managed node only if the time interval between the determined initialization time and the determined request time is within a maximum time interval for automatic certificate grant; and
  
  (c) prevent automatic granting of the requested certificate to the managed node if the time interval between the determined initialization time and determined request time exceeds the maximum time interval.
- View Dependent Claims (26)
- - 26. The network of claim 25 wherein the agent is arranged to generate public and private keys at the node after the initialization time and prior to the agent requesting the public key certificate.

27. A managed IT network comprising at least first and second management systems, wherein a private-public key pair is assigned to at least the first management system and the second system has certification capabilities, wherein the IT network is arranged, by a processor, to authenticate, in management communications between the first and second management facilities, at least the first management system by using the private-public key pair of the first management system;
- wherein the second system is arranged, by a processor, to (a) detect initialization time associated with installation of a software agent at the first management element and a certificate request time by the first management element, (b) verify the authenticity of the first management element'"'"'s public key by automatically granting a public-key certificate to the first management element only in response to a time interval between the detected times being within a maximum time interval for automatic certificate grant, and (c) prevent automatic issuing a public-key certificate to the first management element in response to a time interval between the detected times exceeding the maximum time interval for certificate grant.
- View Dependent Claims (28, 29)
- - 28. The network of claim 27 wherein the first managed element is arranged to perform the following steps after the initialization time and prior to a request being made to verify the authenticity of the first management elements public key by a public key certificate loading an agent including the capability of generating public and private keys at the managed node;
    - then causing the agent to generate the public and private keys at the managed node;
      
      then transmitting the request for the certificate from the first management element.
  - 29. The network of claim 27, wherein the initialization time is any of the following:
    - actual installation time of the software agent in the first management element;
      
      the time when the second system deploys the software agent to the first management element;
      
      the time when the second facility sends a request to the first management element to start installation of the software agent;
      
      the time the first management element sends, to the second system, a confirmation indicating the first element has started installation of the software agent;
      
      the time the first management element sends a confirmation to the second system indicating the first element has completed installation of the software agent;
      
      the time the second system receives a confirmation of the first management element sending a confirmation indicating the first management element has started installation of the software agent;
      
      the time the second system receives a confirmation of the first management element sending a confirmation to the second facility indicating the second system has completed installation of the software agent.

30. A storage drive unit including program code for carrying out a method, when executed on a computer system, of granting a public key certificate to a managed node in an IT network, the managed node having an initialization time associated with the installation time of a software agent in the managed node, the program code being arranged to cause a certification server or a combined management and certification server of the computer system to:
- receive, after the initialization time, a request to grant a certificate from the managed node;
  
  detect the initialization time;
  
  detect the time of the request;
  
  ascertain whether the time interval between the detected initialization time and the detected request time is within a maximum time interval for automatic certificate grant;
  
  automatically grant the requested certificate to the requesting managed node only if the ascertained initialization-to-request time interval is within the maximum time interval, and prevent the automatic granting of the requested certificate to the requesting managed node if the ascertained initialization-to-request time interval exceeds the maximum time interval.
- View Dependent Claims (31, 32)
- - 31. The computer program product of claim 30 wherein the computer program product is arranged to cause the computer system to perform the following steps after the initialization time and before the managed node transmits the request:
    - loading, at the managed node, an agent including the capability of generating public and private keys at the managed node;
      
      then causing the agent to generate the public and private keys at the managed node;
      
      then transmitting the request for the certificate from the managed node to the server.
  - 32. The product of claim 30 wherein the initialization time is any of the following:
    - actual installation time of the software agent in the managed node;
      
      the time when the server deploys the software agent to the managed node;
      
      the time when the server sends a request to the managed node to start installation of the software agent;
      
      the time the managed node sends, to the second system a confirmation indicating the management node has started installation of the software agent;
      
      the time the managed node sends to the second system a confirmation indicating the management node has completed installation of the software agent;
      
      the time the second system receives a confirmation of the managed node sending a confirmation to the second system indicating the managed node has started installation of the software agent;
      
      the time a management node receives a confirmation of the managed node sending a confirmation indicating the managed node has completed installation of the software agent.

33. A storage drive unit including program code for carrying out a process, when executed in a managed IT network in which managed nodes are authenticated in management communications, the authentication being based on public-key cryptography, of setting-up a management agent in a node, the program code being arranged to cause the network to perform the following steps after the process has been started:
- the agent to be installed at the node at the start of the process;
  
  the agent to request a certification server or a combined management and certificate server to grant a public-key certificate, at a request time;
  
  the server to (a) detect the start time of the process, (b) detect the request time, (c) automatically grant the requested certificate only if the time interval between the detected start of the process and the detected request time is within a maximum time interval for automatic certificate grant, and (d) to prevent the automatic granting of the requested certificate if the time interval between the detected start of the process and the detected request time is outside the maximum time interval for certificate grant.
- View Dependent Claims (34)
- - 34. The computer program product of claim 33 wherein the computer program product is arranged to cause the network to perform the following steps after the start of the process and before the managed node transmits the request:
    - loading, at the managed node, an agent including the capability of generating public and private keys at the managed node;
      
      then causing the agent to generate the public and private keys at the managed node;
      
      then transmitting the request for the certificate from the managed node to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Bosler, Martin
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
HOANG, DANIEL L

Application Number

US10/455,691
Publication Number

US 20050010757A1
Time in Patent Office

3,021 Days
Field of Search

713/156, 713/175, 713/178, 717/11, 717/174
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

H04L 9/3297   involving time stamps, e.g....

Public-key infrastructure in network management

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Public-key infrastructure in network management

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links