System and method for controlling user access to a service processor
First Claim
1. A service processor, comprising:
- a processor, and a memory storing firmware which, when executed by the processor, is configured to perform management functions for a target computer, wherein the service processor is provided within the target computer, and the firmware includes:
(a) a registration module configured to perform functions including:
receiving a device identifier associated with a personal computing device over a communications link;
associating the device identifier with user access data of a user at the service processor, wherein a first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
obtaining a cryptographic key for the device identifier; and
transmitting the cryptographic key to the personal computing device over the communications link;
(b) a management access module configured to perform functions including:
performing a first authentication operation, wherein the first authentication operation includes:
(i) receiving a first set of login data from a management computer, wherein the management computer is communicatively coupled to the service processor via the communications link, and is separate from the personal computing device and the target computer;
(ii) verifying whether the received first set of login data corresponds to the first set of the user access data; and
when the first set of login data corresponds to the first set of the user access data, performing a second authentication operation, wherein the second authentication operation includes:
(iii) retrieving the device identifier associated with the user access data;
(iv) retrieving the cryptographic key corresponding to the device identifier;
(v) encrypting the second set of the user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer for displaying at the management computer, wherein the second set of user access data are dynamically generated at the management access module;
(vi) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
(vii) verifying whether the received second set of login data corresponds to the second set of the user access data; and
(viii) when the second set of login data corresponds to the second set of the user access data, granting remote access of the service processor to the management computer.
Abstract
According to one aspect, a system for managing user access to a service processor is disclosed. In one embodiment, the system includes a computer-executable management access module for performing functions to authenticate a user. A management computer that is communicatively coupled to the service processor is operative to perform management functions for at least one target computer. User authentication functions include receiving a first set of login data from a user of the management computer and verifying whether the received login data corresponds to an approved user. If the first set of login data corresponds to an approved user, a code is generated and then displayed on the management computer. When recognized by the personal computing device, data from the code is used for providing a second set of login information to the user, for permitting the user to access the service processor via the management computer.
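The exchange the abstract and claims describe, as an added worked example that is not the patent's own code: the service processor first checks the user's IPMI credentials, then generates a fresh one-time code, encrypts it under the key issued to the user's registered device together with the current time, hands the management console a payload to display (a QR image in the patent; a base64 string here, since the Python standard library has no QR renderer), and finally checks the code the user reads off the phone and types back. The HMAC-based stream cipher with a separate MAC is a stand-in so the example runs with the standard library alone; AES-GCM would be the production choice. The class and function names, the 8-digit code, the 60-second window and the PBKDF2 storage of the IPMI password are all assumptions of this example, not details taken from the patent.

```python
"""Model of the two-step service-processor login: IPMI credentials, then a
time-bound one-time code sealed under the phone's registered key.
Added example; names, code length and window are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

CODE_WINDOW_SECONDS = 60  # assumed validity window of a displayed code
CODE_DIGITS = 8           # assumed length of the dynamic second credential


def _subkeys(device_key):
    """Separate encryption and MAC keys derived from the registered device key."""
    return (hmac.new(device_key, b"bmc-qr-enc", hashlib.sha256).digest(),
            hmac.new(device_key, b"bmc-qr-mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, n):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(device_key, plaintext, now):
    """BMC side: encrypt-then-MAC under the device key.  The nonce carries the
    BMC's current time so the phone can refuse stale payloads.  The base64
    text stands in for the QR image the console would display."""
    enc_key, mac_key = _subkeys(device_key)
    nonce = now.to_bytes(8, "big") + secrets.token_bytes(8)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def unseal(device_key, payload, now):
    """Phone side: verify the MAC first, then freshness, then decrypt."""
    enc_key, mac_key = _subkeys(device_key)
    raw = base64.b64decode(payload)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("payload tampered or sealed under another key")
    if abs(now - int.from_bytes(nonce[:8], "big")) > CODE_WINDOW_SECONDS:
        raise ValueError("payload too old")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServiceProcessor:
    """Registration module and management access module of the claims."""

    def __init__(self):
        self.ipmi_users = {}  # user -> (salt, password hash): first set of access data
        self.devices = {}     # user -> (device_id, device_key)
        self.pending = {}     # session -> (user, code, issued_at)
        self.granted = set()  # sessions holding remote access

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_ipmi_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.ipmi_users[user] = (salt, self._hash(password, salt))

    def register_device(self, user, device_id):
        """Registration: bind the device id to the user and return the key that
        goes to the phone.  The link carrying it must already be authenticated."""
        key = secrets.token_bytes(32)
        self.devices[user] = (device_id, key)
        return key

    def login_step1(self, session, user, password, now):
        """First authentication (IPMI credentials).  On success generate the
        dynamic code and return the sealed payload for the console to display."""
        if user not in self.ipmi_users or user not in self.devices:
            return None
        salt, digest = self.ipmi_users[user]
        if not hmac.compare_digest(digest, self._hash(password, salt)):
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[session] = (user, code, now)
        device_id, key = self.devices[user]
        body = json.dumps({"session": session, "device": device_id, "code": code}).encode()
        return seal(key, body, now)

    def login_step2(self, session, entered_code, now):
        """Second authentication: the typed code must match and be unexpired;
        it is consumed whether or not it matches (no replay, no second guess)."""
        rec = self.pending.pop(session, None)
        if rec is None or now - rec[2] > CODE_WINDOW_SECONDS:
            return False
        if not hmac.compare_digest(rec[1].encode(), entered_code.encode()):
            return False
        self.granted.add(session)
        return True


class PersonalDevice:
    """User module on the phone: keeps the registration key, decodes the
    scanned payload and shows the code for the user to type at the console."""

    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def scan(self, payload, now):
        fields = json.loads(unseal(self.key, payload, now))
        if fields["device"] != self.device_id:
            raise ValueError("payload was sealed for a different device")
        return fields["code"]


def demo(now=1_700_000_000):
    """Whole exchange; returns (wrong password rejected, access granted, replay rejected)."""
    bmc = ServiceProcessor()
    bmc.add_ipmi_user("admin", "correct horse")
    phone = PersonalDevice("phone-01", bmc.register_device("admin", "phone-01"))
    bad = bmc.login_step1("s1", "admin", "wrong", now) is None
    payload = bmc.login_step1("s1", "admin", "correct horse", now)
    code = phone.scan(payload, now + 5)          # user reads this off the phone
    granted = bmc.login_step2("s1", code, now + 10)
    replayed = bmc.login_step2("s1", code, now + 11)
    return bad, granted, not replayed
```

Two properties of the scheme are worth noticing in the code. The phone is offline during authentication, so the only thing protecting a scanned payload from being reused later is the time embedded in it and the phone's clock; the service processor side must therefore enforce its own expiry and consume the pending code on first use, as `login_step2` does. And everything rests on the key handed out at registration: the claims say it is transmitted "over the communications link", so that link must be authenticated, or an attacker who intercepts registration can decode every later code.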
24 Claims
1. A service processor, comprising: (as set out above under First Claim; dependent claims 2, 3, 4, 5, 6, 7, 8, 9)
10. A system, comprising:
- a service processor provided within a target computer; and a management computer communicatively coupled to the service processor via a communications link;
wherein the service processor comprises a processor, and a memory storing firmware which, when executed by the processor, is configured to perform management functions for the target computer, wherein the firmware includes:
(a) a registration module configured to perform functions including:
receiving a device identifier associated with a personal computing device over the communications link;
associating the device identifier with a first set of user access data of a user at the service processor, wherein the first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
obtaining a cryptographic key based on the device identifier; and
transmitting the cryptographic key to the personal computing device over the communications link;
(b) a management access module configured to perform functions including:
performing a first authentication operation, wherein the first authentication operation includes:
(i) receiving a first set of login data from the management computer;
(ii) verifying whether the received first set of login data corresponds to the first set of the user access data; and
when the first set of login data corresponds to the first set of the user access data, performing a second authentication operation, wherein the second authentication operation includes:
(iii) retrieving the device identifier associated with the user access data;
(iv) retrieving the cryptographic key corresponding to the device identifier;
(v) encrypting the second set of the user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer for displaying at the management computer, wherein the second set of user access data are dynamically generated at the management access module;
(vi) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
(vii) verifying whether the received second set of login data corresponds to a second set of the user access data; and
(viii) when the second set of login data corresponds to the second set of the user access data, granting remote access of the BMC to the management computer; and
wherein the management computer comprises a web-based application configured to, when executed by one or more processors, perform functions including:
receiving the first set of login data, and transmitting the first set of login data to the service processor over the communications link;
receiving the visual representation of the encrypted code from the service processor, and displaying the visual representation of the encrypted code; and
receiving the second set of login data, and transmitting the second set of login data to the service processor over the communications link;
wherein the personal computing device comprises a user module configured to, when executed by one or more processors, capture the image of the visual representation of the encrypted code displayed on the management computer, process and decrypt the captured image of the visual representation of the encrypted code based on the cryptographic key received by the personal computing device, generate the second set of login data, and display the second set of login data on the personal computing device.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A method for managing user access to a service processor, comprising the steps of:
- (a) executing, at a processor of the service processor, a registration module to perform functions including:
(i) receiving a device identifier from a personal computing device over a communications link;
(ii) associating the device identifier with user access data of a user at the service processor, wherein a first set of the user access data is an Intelligent Platform Management Interface (IPMI) industry standard access data of the service processor, and a second set of the user access data is different from the first set of the user access data;
(iii) obtaining a cryptographic key based on the device identifier; and
(iv) transmitting the cryptographic key to the personal computing device over the communications link;
(b) executing, at the processor of the service processor, a management access module to perform a first authentication operation, wherein the first authentication operation includes:
(v) receiving a first set of login data from a management computer over the communications link, wherein the management computer is communicatively coupled to the service processor via the communications link, and is separate from the personal computing device and a target computer, wherein the service processor is provided within the target computer to perform management functions for the target computer, and wherein the first set of login data is entered by the user at the management computer; and
(vi) verifying whether the received first set of login data corresponds to the first set of the user access data;
(c) when the first set of login data corresponds to the first set of the user access data, performing, by the management access module executed at the processor of the service processor, a second authentication operation, wherein the second authentication operation includes:
(vii) retrieving the device identifier associated with the user access data;
(viii) retrieving the cryptographic key corresponding to the device identifier; and
(viii) encrypting the second set of user access data to generate an encrypted code based on the cryptographic key and a current time of day, and transmitting a visual representation of the encrypted code to the management computer such that the management computer displays the visual representation of the encrypted code, wherein the second set of user access data is dynamically generated at the management access module; and
(ix) receiving a second set of login data from the management computer, wherein the second set of login data is displayed on the personal computing device to be viewable by the user such that the user is capable of entering the second set of login data at the management computer, and wherein the second set of login data is generated by the personal computing device by capturing an image of the visual presentation of the encrypted code and processing and decrypting the captured image of the visual representation of the encrypted code based on the cryptographic key;
(x) verifying whether the received second set of login data corresponds to a second set of the user access data; and
(xi) when the second set of login data corresponds to the second set of the user access data, granting remote access of the service processor to the management computer.
Dependent claims: 18, 19, 20, 21, 22, 23, 24