Identity management certificate operations

US 9,225,525 B2
Filed: 02/26/2010
Issued: 12/29/2015
Est. Priority Date: 02/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a secure connection between a client computing system and an identity management system for the client computing system using a Kerberos authentication protocol that uses symmetric-key cryptography;

receiving, by a processing device in the identity management system, a request from the client computing system over the secure connection to perform a certificate operation associated with a certificate, wherein the certificate operation comprises at least one of requesting issuance of the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate from a certificate authority (CA) system, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate;

determining to approve the request from the client computing system;

sending, by a registration authority (RA) at the identity management system, a proxy of the request to the CA system to perform the certificate operation in response to determining to approve the request, wherein the RA is a trusted manager of the CA system and uses the authentication of the secure connection between the identity management system and the client computing system to send the proxy of the request to the CA system which performs the certificate operation without authenticating the request; and

receiving, by the RA, a reply from the CA system in response to sending the proxy of the request to perform the certificate operation to the CA system and sending the reply to the client computing system without user intervention at the client computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for identity management certificate operations is described.

Citations

18 Claims

1. A method comprising:
- establishing a secure connection between a client computing system and an identity management system for the client computing system using a Kerberos authentication protocol that uses symmetric-key cryptography;
  
  receiving, by a processing device in the identity management system, a request from the client computing system over the secure connection to perform a certificate operation associated with a certificate, wherein the certificate operation comprises at least one of requesting issuance of the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate from a certificate authority (CA) system, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate;
  
  determining to approve the request from the client computing system;
  
  sending, by a registration authority (RA) at the identity management system, a proxy of the request to the CA system to perform the certificate operation in response to determining to approve the request, wherein the RA is a trusted manager of the CA system and uses the authentication of the secure connection between the identity management system and the client computing system to send the proxy of the request to the CA system which performs the certificate operation without authenticating the request; and
  
  receiving, by the RA, a reply from the CA system in response to sending the proxy of the request to perform the certificate operation to the CA system and sending the reply to the client computing system without user intervention at the client computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the client computing system comprises a service provider that provides a service to one or more clients over a network.
  - 3. The method of claim 1, wherein the certificate operation comprises requesting issuance of the certificate, wherein receiving the request comprises receiving a certificate signing request (CSR) from the client computing system, wherein the CSR comprises information identifying an owner of the certificate and a public key, and wherein determining to approve the request comprises:
    - determining if the client computing system has permission to request issuance of certificates;
      
      determining if a hostname of the client computing system matches a subject name of the certificate;
      
      stopping the sending of the CSR to the CA system when the hostname and the subject name do not match or the client computing system does not have permission to request issuance of certificates; and
      
      allowing the sending of the CSR to the CA system to approve and issue the certificate when the hostname and the subject name match and the client computing system has permission to request issuance of certificates, wherein the CSR is not authenticated by the CA system.
  - 4. The method of claim 3, wherein determining if the client computing system has permission to request issuance of certificates comprises checking an access control instruction (ACI) that specifies whether the client computing system has permission to request issuance of certificates.
  - 5. The method of claim 1, wherein the certificate operation comprises requesting issuance of the certificate, wherein receiving the request comprises receiving a certificate signing request (CSR) from the client computing system, wherein the CSR comprises information identifying an owner of the certificate and a public key, and wherein determining to approve the request comprises:
    - retrieving a service principle record associated with the client computing system;
      
      determining if the service principle record already has a user certificate attribute;
      
      stopping the sending of the CSR to the CA system when the service record already has the user certificate attribute; and
      
      allowing the sending of the CSR to the CA system to approve and issue the certificate when the service principle record does not already have the user certificate attribute, wherein the CSR is not authenticated by the CA system.
  - 6. The method of claim 5, further comprising:
    - determining that the service principle record associated with the CSR does not exist;
      
      in response to determining that the service principle record does not exist, determining if an add argument is received in connection with the CSR, wherein the add argument requests permission to modify the user certificate attribute;
      
      determining if the client computing system has permission to modify the user certificate attribute, wherein the client computing system has permission to modify the user certificate attribute when the client computing system is listed in the service principal record;
      
      stopping the sending of the CSR to the CA system when the add argument is not received in connection with the CSR or when the client computing system does not have permissions to modify the user certificate attribute; and
      
      allowing the sending of the CSR to the CA system when the add argument is received in connection with the CSR and the client computing system has permission to modify the user certificate attribute, wherein the CSR is not authenticated by the CA system.
  - 7. The method of claim 1, wherein the certificate operation comprises retrieving the certificate from the CA system, wherein the request identifies the certificate to be retrieved, and wherein determining to approve the request comprises:
    - determining that a hostname of the client computing system matches a subject name of the certificate, andwherein sending the reply comprises delivering the certificate to the client computing system in response to determining that the hostname and the subject name match, wherein delivering the certificate comprises delivering the certificate to the client computing system without user intervention at the client computing system.
  - 8. The method of claim 1, wherein the certificate operation comprises retrieving the certificate from the CA system, wherein the request identifies the certificate to be retrieved, and wherein determining to approve the request comprises:
    - determining that the client computing system has permission to retrieve the certificate from the CA system; and
      
      determining that a hostname of the client computing system matches a subject name of the certificate, andwherein sending the reply comprises delivering the certificate to the client computing system in response to determining that the hostname and the subject name match and that the client computing system has permission to retrieve the certificate from the CA system, wherein delivering the certificate comprises delivering the certificate to the client computing system without user intervention at the client computing system.
  - 9. The method of claim 1, further comprising:
    - creating a host principal for the client computing system using a password;
      
      creating a Hypertext Transfer Protocol (HTTP) service principal for the host principal;
      
      allowing the host principal to manage a user certificate attribute of the HTTP service principal; and
      
      allowing the host principal to manage certificates, comprising allowing the host principal to request the certificate operation.
  - 10. The method of claim 9, further comprising:
    - configuring the host principal to use a Kerberos realm of the identity management system;
      
      allowing the host principal to join the Kerberos realm and retrieve a Kerberos keytab to allow the host principal to authenticate to the identity management system, wherein the Kerberos keytab comprises a file that comprises an unencrypted list of principals of the Kerberos realm and their corresponding keys; and
      
      sending a Kerberos ticket to the host principal for the client computing system to establish the secure connection for receiving the request to perform the certificate operation.

11. A system comprising:
- one or more processing devices, in an identity management system for a client computing system, to;
  
  establish a secure connection between the client computing system and the identity management system using a Kerberos authentication protocol that uses symmetric-key cryptography;
  
  receive a request from the client computing system over the secure connection to perform a certificate operation associated with a certificate, wherein the certificate operation comprises at least one of requesting issuance of the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate from a certificate authority (CA) system, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate;
  
  determine to approve the request from the client computing system;
  
  send, by a registration authority (RA) at the identity management system, a proxy of the request to the CA system to perform the certificate operation in response to the determination to approve the request, wherein the RA is a trusted manager of the CA system and uses the authentication of the secure connection between the identity management system and the client computing system to send the proxy of the request to the CA system which is to perform the certificate operation without authentication of the request; and
  
  receive, by the RA, a reply from the CA system in response to the delivery of the proxy of the request to perform the certificate operation to the CA system and send the reply to the client computing system without user intervention at the client computing system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the certificate operation comprises requesting issuance of the certificate, wherein to receive the request the one or more processing devices are to receive a certificate signing request (CSR) from the client computing system, wherein the CSR comprises information identifying an owner of the certificate and a public key, and wherein the CSR is digitally signed by a private key.
  - 13. The system of claim 12, further comprising a directory server coupled to a data storage device, wherein the data storage device is to store a service principal record associated with the client computing system, and wherein the one or more processing devices are to retrieve the service principal record via the directory server to determine to approve the request.
  - 14. The system of claim 11, further comprising a certificate services manager to receive a certificate signing request (CSR) from the client computing system, wherein the CSR comprises information identifying an owner of the certificate and a public key, and wherein the certificate services manager comprises:
    - a user authorization module to determine that the client computing system has permission to request issuance of certificates; and
      
      a certificate request authorization module to determine that a hostname of the client computing system matches a subject name of the certificate, and wherein the certificate services manager is to send the CSR to the CA system to approve and issue the certificate in response to the determination that the hostname and the subject name match and that the client computing system has permission to request issuance of certificates, wherein the CSR is not authenticated by the CA system.
  - 15. The system of claim 11, further comprising:
    - a network time protocol (NTP) server to synchronize clocks of the identity management system and the client computing system; and
      
      a domain name system (DNS) server to resolve a machine name of the client computing system or to inversely resolve a network address of the client computing system.

16. A non-transitory machine-readable storage medium having instructions that, when executed by a processing device, cause the processing device to:
- establish a secure connection between a client computing system and an identity management system for the client computing system using a Kerberos authentication protocol that uses symmetric-key cryptography;
  
  receive, by the processing device in the identity management system, a request from the client computing system over the secure connection to perform a certificate operation associated with a certificate, wherein the certificate operation comprises at least one of requesting issuance of the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate from a certificate authority (CA) system, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate;
  
  determine to approve the request from the client computing system;
  
  send, by a registration authority (RA) at the identity management system, a proxy of the request to the CA system to perform the certificate operation in response to the determination to approve the request, wherein the RA is a trusted manager of the CA system and uses the authentication of the secure connection between the identity management system and the client computing system to send the proxy of the request to the CA system which is to perform the certificate operation without authentication of the request; and
  
  receive, by the RA, a reply from the CA system in response to the delivery of the proxy of the request to perform the certificate operation to the CA system and send the reply to the client computing system without user intervention at the client computing system.
- View Dependent Claims (17, 18)
- - 17. The non-transitory machine-readable storage medium of claim 16, wherein the certificate operation comprises requesting issuance of the certificate, wherein to receive the request the processing device is to receive a certificate signing request (CSR) from the client computing system, wherein the CSR comprises information identifying an owner of the certificate and a public key, and wherein to determine to approve the request the processing device is to:
    - determine that the client computing system has permission to request issuance of certificates;
      
      determine that a hostname of the client computing system matches a subject name of the certificate, and wherein to send the request the processing device is to send the CSR to the CA system to approve and issue the certificate in response to the determination that the hostname and the subject name match and that the client computing system has permission to request issuance of certificates, wherein the CSR is not authenticated by the CA system.
  - 18. The non-transitory machine-readable storage medium of claim 16, wherein the processing device is further to:
    - configure a host principal for the client computing system to use a Kerberos realm of the identity management system;
      
      allow the host principal to join the Kerberos realm and retrieve a Kerberos keytab to allow the host principal to authenticate to the identity management system, wherein the Kerberos keytab comprises a file that comprises an unencrypted list of principals of the Kerberos realm and their corresponding keys; and
      
      send a Kerberos ticket to the host principal for the client computing system to establish the secure connection to receive the request to perform the certificate operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Wnuk, Andrew
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US12/714,108
Publication Number

US 20110213965A1
Time in Patent Office

2,132 Days
Field of Search

380/279, 380/30, 380/282, 709/248, 713156-158, 713/168, 713/175, 726/10, 726/18, 726/2
US Class Current

1/1
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 61/4505   using standardised director...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3268   using certificate validatio...

Identity management certificate operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Identity management certificate operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links