Techniques for managing heterogeneous key stores

US 8,116,456 B2
Filed: 11/28/2006
Issued: 02/14/2012
Est. Priority Date: 11/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method implemented and residing in a non-transitory machine-readable medium and for processing on a machine, comprising:

receiving, by the machine, a key instruction in a first format, the key instruction is directed to a first key store and a second key store, and the first and second key stores use disparate interfaces from one another and use second and third formats, respectively to process instructions, the disparate interfaces are disparate Applicant Programming Interfaces (API'"'"'s) from one another and that are incompatible with one another, each API directed to a particular key store;

sending, by the machine, the key instruction in the first format to a first agent that is in communication with the first key store, the first agent translates the key instruction from the first format to the second format and processes the key instruction against the first key store using a first API of the first key store; and

forwarding, by the machine, the key instruction in the first format to a second agent that is in communication with the second key store, the second agent translates the key instruction from the first format to the third format and processes the key instruction against the second key store using a second API of the second key store.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing heterogeneous key stores are presented. A centralized key management service receives key instructions in a generic format. These key instructions are communicated to distributed key agents distributed over a network. The key agents translate the key instructions into native formats expected by distributed key stores. The key agents then process the key instructions in the native formats against the distributed key stores on behalf of the centralized key management service.

50 Citations

View as Search Results

20 Claims

1. A method implemented and residing in a non-transitory machine-readable medium and for processing on a machine, comprising:
- receiving, by the machine, a key instruction in a first format, the key instruction is directed to a first key store and a second key store, and the first and second key stores use disparate interfaces from one another and use second and third formats, respectively to process instructions, the disparate interfaces are disparate Applicant Programming Interfaces (API'"'"'s) from one another and that are incompatible with one another, each API directed to a particular key store;
  
  sending, by the machine, the key instruction in the first format to a first agent that is in communication with the first key store, the first agent translates the key instruction from the first format to the second format and processes the key instruction against the first key store using a first API of the first key store; and
  
  forwarding, by the machine, the key instruction in the first format to a second agent that is in communication with the second key store, the second agent translates the key instruction from the first format to the third format and processes the key instruction against the second key store using a second API of the second key store.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, presenting, by the machine, one or more graphical views of keys to an administrator that identifies one or more of the following:
    - where each key is within a network, what resources are using each key within the network, expiration information associated with each key, valid uses of each key, certificate authorities associated with each key, and signers associated with each key.
  - 3. The method of claim 1, wherein receiving further includes identifying the key instruction as one of the following:
    - an instruction to create a new key store, an instruction to create or add a new key, an instruction to renew an existing key, an instruction to expire or delete the existing key, an instruction to import the new key or the existing key, an instruction to export the existing key, an instruction to move the existing key, an instruction to copy the existing key, and an instruction to modify metadata associated with the existing key.
  - 4. The method of claim 1 further comprising, securely communicating, by the machine, with the first and second agents over a wide area network (WAN).
  - 5. The method of claim 1 further comprising, authenticating, by the machine, an administrator that supplies the key instruction before communicating the key instruction to the first and second agents, wherein the administrator is authenticated to access both the first and second key stores during authentication.
  - 6. The method of claim 1 further comprising, synchronizing, by the machine, a master key store with the first and second key stores via ongoing communications with the first and second agents.
  - 7. The method of claim 1, wherein identifying further includes recognizing that the first key store and first agent reside in a different and disparate environment from the second key store and the second agent.

8. A method implemented and residing in a non-transitory machine-readable medium and for executing on a machine, comprising:
- receiving, by the machine, a key instruction from a master key management service, the key instruction is in a first format;
  
  translating, by the machine, the key instruction from the first format to a native format associated with a first key store the native format expected by an Application Programming Interface of the first key store that is different from what is used with the master key management service and that is different from other key stores managed by the key management service, each of the Application programming interfaces are disparate from and incompatible with one another;
  
  processing, by the machine, the key instruction in the native format against the first key store; and
  
  reporting, by the machine, that the key instruction processed against the first key store to the master key management service.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising, establishing, by the machine, a trust relationship with the master key management service before receiving the key instruction.
  - 10. The method of claim 9 further comprising, parsing, by the machine, the key instruction in the first format to obtain a command identifier that identifies a command to process on the first key store and to obtain a corresponding parameter value or set of values to use with that command.
  - 11. The method of claim 10, wherein parsing further includes parsing the key instruction as an extensible markup language (XML) document represented as the first format.
  - 12. The method of claim 8 further comprising, logging, by the machine, history associated with accesses made to first key store by the key management service and by other services and reporting the history to the key management service upon request.
  - 13. The method of claim 8, wherein receiving further includes recognizing the key instruction as multiple chained instructions to perform against the first key store.
  - 14. The method of claim 8, wherein processing further includes performing in response to processing the key instruction on the first key store:
    - creating the first key store for a first time;
      
      changing an existing password for accessing the first key store;
      
      importing a private key certificate into the first key store;
      
      removing the private key certificate from the first key store;
      
      importing a trusted root into the first key store;
      
      removing the trusted root from the first key store;
      
      importing a signed certificate and associating it with a corresponding private key;
      
      retrieving a list of names or available private keys that are housed in the first key store;
      
      retrieving a particular private key from the first key store;
      
      retrieving each of the available private keys from the first key store; and
      
      generating and retrieving certificate signing requests (CSR'"'"'s) for a given private key after generating that private key.

15. A system, comprising:
- a server machine configured with a centralized key management service implemented in a non-transitory machine-readable medium and for executing on the server; and
  
  client machines, each client machine configured with a distributed key agent and each distributed key agent implemented in a non-transitory machine-readable medium and for executing on that distributed key agent'"'"'s client machine, the centralized key management service is to present a unified administrative interface to administrators to perform key instructions in a generic format, and the centralized key management service is to securely communicate the key instructions to the distributed key agents in the generic format, and each distributed key agent is to translate the key instructions into native formats recognized by distributed key stores and to further process the key instructions in those native formats on the distributed key stores on behalf of the centralized key management service, each native format associated with a particular distributed key store and that distributed key store'"'"'s Application Programming Interface (API), and each API is disparate from and incompatible with remaining API'"'"'s.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15 further comprising, a centralized key store, which is to be maintained and to be managed by the centralized key management service, to house keys and key information dispersed over a network in the distributed key stores, and wherein the keys and key information are housed in the centralized key store in the generic format.
  - 17. The system of claim 15, wherein the centralized key management service is to present custom views to the administrators to discern information regarding keys appearing in a network within each of the distributed key stores.
  - 18. The system of claim 15, wherein at least one of the distributed key agents is responsible for managing one or more of the distributed key stores.
  - 19. The system of claim 15, wherein the centralized key management service is to resolve instruction category types for the key instructions that a particular one of the administrators may request in response to identity and policy resolution.
  - 20. The system of claim 15, wherein the centralized key management service and the distributed key agents are to cooperate to synchronize the distribute key stores with a centralized key store maintained and managed by the centralized key management service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Thomas, James Gordon
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US11/605,067
Publication Number

US 20080123855A1
Time in Patent Office

1,904 Days
Field of Search

380/277, 380/286, 713/153, 713/160
US Class Current

380/277
CPC Class Codes

H04L 9/083 involving central third par...

H04L 9/0894 Escrow, recovery or storing...

Techniques for managing heterogeneous key stores

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for managing heterogeneous key stores

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links