Web-based security proxy for computing system environment scanning

US 8,990,904 B2
Filed: 06/29/2012
Issued: 03/24/2015
Est. Priority Date: 06/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for collecting configuration data from components of a managed computing system, comprising:

obtaining, by the data processing system, a portion of code from a data collection system, wherein the data collection system does not have security credentials to allow the data collection system to directly access a managed computing system, distinct from the data processing system, and wherein the data collection system does not receive configuration data directly from the managed computing system;

executing the portion of code in the data processing system using security credentials maintained in the data processing system, where executing the portion of code causes the data processing system to automatically access the managed computing system using the security credentials, and collect configuration data from the managed computing system; and

providing, by the data processing system via the portion of code, the configuration data collected from the managed computing system to the data collection system which stores the collected configuration data in a data storage, wherein;

the portion of code is an applet and wherein the applet is executed in a browser environment on the data processing system without installing the portion of code on the data processing system,the managed computing system responds to requests in accordance with an established white list data structure specifying identities of devices to which the managed computing system may respond in response to requests for configuration information, andthe data collection system is not listed in the white list data structure but the data processing system is listed in the white list data structure.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided for collecting configuration data from components of a managed computing system environment. A portion of code is obtained, in a data processing system, from a data collection system that does not have security credentials to allow the data collection system to directly access to the managed computing system environment. The portion of code is executed by the data processing system using security credentials maintained in the data processing system. Executing the portion of code causes the data processing system to access the managed computing system environment and collect configuration data from the managed computing system environment. The data processing system, via the portion of code, provides the configuration data collected from the managed computing system to the data collection system which stores the collected configuration data in a data storage.

Citations

18 Claims

1. A method, in a data processing system, for collecting configuration data from components of a managed computing system, comprising:
- obtaining, by the data processing system, a portion of code from a data collection system, wherein the data collection system does not have security credentials to allow the data collection system to directly access a managed computing system, distinct from the data processing system, and wherein the data collection system does not receive configuration data directly from the managed computing system;
  
  executing the portion of code in the data processing system using security credentials maintained in the data processing system, where executing the portion of code causes the data processing system to automatically access the managed computing system using the security credentials, and collect configuration data from the managed computing system; and
  
  providing, by the data processing system via the portion of code, the configuration data collected from the managed computing system to the data collection system which stores the collected configuration data in a data storage, wherein;
  
  the portion of code is an applet and wherein the applet is executed in a browser environment on the data processing system without installing the portion of code on the data processing system,the managed computing system responds to requests in accordance with an established white list data structure specifying identities of devices to which the managed computing system may respond in response to requests for configuration information, andthe data collection system is not listed in the white list data structure but the data processing system is listed in the white list data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the applet is downloaded from the data collection system in response to either a user input initiating the download of the applet or an automated mechanism initiating the download of the applet.
  - 3. The method of claim 1, further comprising:
    - performing at least one management operation on the managed computing system environment based on the collected configuration data stored in the data storage of the data collection system.
  - 4. The method of claim 3, wherein the at least one management operation comprises one or more operations for facilitating a relocation of the data center to another computing system environment.
  - 5. The method of claim 1, wherein the portion of code is executed in a virtual machine executing on the data processing system without installing the portion of code on the data processing system.
  - 6. The method of claim 1, wherein the security credentials are not transmitted to any other computing device other than the managed computing system environment.
  - 7. The method of claim 1, further comprising:
    - identifying one or more target components of the managed computing system from which to obtain configuration data, wherein the portion of code is executed to collect configuration data from the identified one or more target components of the managed computing system.
  - 8. The method of claim 7, wherein the one or more target components are identified automatically using a check list data structure specifying an identity of one the one or more target components and corresponding security credential information for the one or more target components.
  - 9. The method of claim 8, further comprising:
    - dynamically updating the check list data structure to include an indicator, for each target component in the one or more target components listed in the check list data structure, that indicates either a successful access of configuration information for the target component or the occurrence of an error condition in response to an unsuccessful attempt to access configuration information for the target component.
  - 10. The method of claim 1, wherein the data processing system comprises a management console and wherein one or more target components of the managed computing system are configured to permit the management console to access the one or more target components via corresponding ports of the one or more target components.
  - 11. The method of claim 10, wherein the one or more target components are configured to permit the management console to access the one or more target components via corresponding ports by including an identification of at least one of the management console or the data processing system in a whitelist data structure associated with the one or more target components.
  - 12. The method of claim 10, wherein the one or more target components are configured to block access by the data collection system to the one or more target components.
  - 13. The method of claim 1, wherein providing the configuration data collected from the managed computing system to the data collection system comprises:
    - outputting the collected configuration data to a user of the data processing system; and
      
      receiving an input from the user specifying whether transmission of the collected configuration data to the data collection system is authorized or not, wherein the collected configuration data is provided to the data collection system only in response to the input from the user specifying that transmission of the collected configuration data to the data collection system is authorized.
  - 14. The method of claim 1, further comprising:
    - creating a connection, via one or more data networks, between a browser environment of the data processing system and a web server of the data collection system, wherein;
      
      obtaining the portion of code comprises downloading the portion of code as a signed applet from the web server of the data collection system;
      
      executing the portion of code in the data processing system using security credentials maintained in the data processing system comprises executing the signed applet in a virtual machine of the browser environment using security credentials stored in a data structure stored local to the data processing system; and
      
      providing the configuration data collected from the managed computing system to the data collection system comprises transmitting the configuration data over the secure connection between the browser environment and the web server.
  - 15. The method of claim 14, wherein the data collection system cannot establish a connection directly with the managed computing system to collect the configuration information.
  - 16. The method of claim 1, wherein executing the portion of code in the data processing system comprises executing the code to perform one or more operations to analyze and collect Simple Network Management Protocol (SNMP) management information.
  - 17. The method of claim 1, wherein the data processing system, executing the computer readable instructions of the computer program product, is not part of the managed computing system and is distinct from the managed computing system.
  - 18. The method of claim 1, wherein:
    - the security credentials are maintained in a storage device associated with the data processing system and are retrieved from the storage device when executing the portion of code, and the obtaining, executing, and providing operations are performed automatically without user intervention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Branch, Joel W., Nidd, Michael E., Rissmann, Ruediger
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/537,865
Publication Number

US 20140007204A1
Time in Patent Office

998 Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0843   based on generic templates

H04L 41/0853   by actively collecting conf...

H04L 41/28   Restricting access to netwo...

H04L 63/0884   by delegation of authentica...

H04L 63/101   Access control lists [ACL]

H04L 63/168   above the transport layer

Web-based security proxy for computing system environment scanning

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Web-based security proxy for computing system environment scanning

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links