Network management using secure mesh command and control framework

US 9,313,105 B2
Filed: 02/27/2009
Issued: 04/12/2016
Est. Priority Date: 02/27/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processor of a first target client machine of a set of target client machines operatively coupled to a first host machine, first command data from the first host machine, wherein the first host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;

executing, by the processor of the first target client machine, the first command data;

receiving, by the processor of the first client machine, a request from a second target client machine of the set of target client machines, the request for the first client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;

authenticating, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;

establishing, in view of the authenticating, a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;

determining, by the processor of the first target client machine, that the second target client machine is listed on an access control list of the first target client machine as authorized to initiate execution of the second command data on the first target client machine; and

executing, by the processor of the first target client machine, the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to systems and methods for network management using a secure mesh command and control framework. A network management server can communicate with a set of supervisory hosts, which in turn communicate with an underlying set of targets. The set of targets can have associated digital certificates which can be authenticated by common certificate authorities. A controlled target can authenticate one or more other target requesting access to the controlled target via the trusted common certificate authority. One authenticated target can therefore mesh on a trusted basis with another target to perform installation, monitoring, testing, or other activities directly on the target of interest, without channeling commands through an intervening supervisory host.

64 Citations

17 Claims

1. A method comprising:
- receiving, by a processor of a first target client machine of a set of target client machines operatively coupled to a first host machine, first command data from the first host machine, wherein the first host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
  
  executing, by the processor of the first target client machine, the first command data;
  
  receiving, by the processor of the first client machine, a request from a second target client machine of the set of target client machines, the request for the first client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
  
  authenticating, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
  
  establishing, in view of the authenticating, a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
  
  determining, by the processor of the first target client machine, that the second target client machine is listed on an access control list of the first target client machine as authorized to initiate execution of the second command data on the first target client machine; and
  
  executing, by the processor of the first target client machine, the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the secure channel is established in view of the security credential of at least one of the first target client machine or the second target client machine, the security credential comprising a digital certificate.
  - 3. The method of claim 2, further comprising:
    - authenticating the digital certificate via the common certificate authority.
  - 4. The method of claim 1, wherein the secure channel comprises a secure socket layer.
  - 5. The method of claim 1, further comprising:
    - communicating the second command data from the first target client machine to a third target client machine.
  - 6. The method of claim 1, wherein the second command data comprises a network management command and the network management command comprises at least one of an inventory command, a test command, a setup command, a configuration command, a trend command, or a security command.

7. A system comprising:
- a first target client machine of a set of target client machines supported by a first host machine, the first target client machine comprising;
  
  a memory to store an access control list; and
  
  a processor operatively coupled to the memory, the processor to;
  
  receive, by the processor, first command data from the first host machine, wherein the host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
  
  execute the first command data;
  
  receive a request from a second target client machine of the set of target client machines, the request for the first target client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
  
  authenticate, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
  
  establish a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
  
  determine that the second target client machine is listed on the access control list as authorized to initiate execution of the second command data on the first target client machine; and
  
  execute the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the processor establishes the secure channel in view of a security credential of at least one of the first target client machine or the second target client machine, the security credential comprising a digital certificate.
  - 9. The system of claim 8, wherein the processor is to:
    - authenticate the digital certificate via a certificate authority.
  - 10. The system of claim 7, wherein the secure channel comprises a secure socket layer.
  - 11. The system of claim 7, wherein the processor is to:
    - communicate the second command data to a third target client machine.
  - 12. The system of claim 7, wherein the second command data comprises a network management command and the network management command comprises at least one of an inventory command, a test command, a setup command, a configuration command, a trend command, or a security command.

13. A non-transitory computer readable medium comprising instructions that, when executed by a processor, cause the processor to:
- receive, by the processor of a first target client machine of a set of target client machines supported by a first host machine, first command data from the first host machine, wherein the first host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
  
  execute, by the processor of the first target client machine, the first command data;
  
  receive, by the processor of the first client machine, a request from a second target client machine of the set of target client machines, the request for the first client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
  
  authenticate, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
  
  establish a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
  
  determine, by the processor of the first target client machine, that the second target client machine is listed on an access control list of the first target client machine as authorized to initiate execution of the second command data on the first target client machine; and
  
  execute, by the processor of the first target client machine, the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The memory of claim 13, wherein establishing the secure channel is based on a security credential of at least one of the first client machine or the second client machine, the security credential comprising a digital certificate.
  - 15. The non-transitory computer readable medium of claim 14,the processor to authenticate the digital certificate via a certificate authority.
  - 16. The non-transitory computer readable medium of claim 13, wherein the secure channel comprises a secure socket layer.
  - 17. The non-transitory computer readable medium of claim 13, wherein the second command data comprises a network management command and the network management command comprises at least one of an inventory command, a test command, a setup command, a configuration command, a trend command, or a security command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
DeHaan, Michael Paul, Likins, Adrian Karstan, Vidal, Seth Kelby
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US12/395,536
Publication Number

US 20100223473A1
Time in Patent Office

2,601 Days
Field of Search

726/10, 726/27, 713/156, 713/168, 713/176
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

H04L 41/02   Standardisation; Integration

H04L 41/28   Restricting access to netwo...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

Network management using secure mesh command and control framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Network management using secure mesh command and control framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others