Authentication of network nodes

US 9,800,567 B2
Filed: 03/31/2014
Issued: 10/24/2017
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-readable non-transitory medium storing instructions which, when executed by at least one processor, cause a computer system to perform activities comprising:

upon receiving an online service request, establish a connection to a server hosting an application configured to provide the requested service, wherein the online service request is routed to the application on the server by establishing the connection with the server from a plurality of servers based on an identification, wherein the identification is based on a current load in response to performing a load balancing on the plurality of servers, when the plurality of servers host the application configured to provide the requested service, and wherein before routing the online service request to the application on the server, authorizing the online service request based on information obtained via a security certificate assigned to the application hosted on the server;

extract a global unique identifier (GUID) of the application hosted on the server from the security certificate associated with the application, wherein the GUID is embedded in the security certificate, and wherein the GUID is uniquely associated with the application;

identify one or more of a network address and a host name corresponding to the GUID of the application, wherein identifying the one or more of the network address and the host name corresponding to the GUID of the application, comprises;

looking up the GUID of the application in a map table, wherein the map table defines correspondence between one or more GUIDs correspondingly associated with one or more applications and one or more of a plurality of network addresses and a plurality of host names; and

when an identified network address or a host name corresponding to the GUID of the application from the map table matches a network address or a host name associated with the server hosting the application, based on a comparison between the identified network address or the host name corresponding to the GUID of the application and the network address or the host name associated with the server hosting the application, allow access to the application for processing the service request or reject the service request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of systems and methods of network nodes authentication are described herein. In one aspect, a provisioning of an application in a specified computing environment is requested, where the application is operable of providing at least one kind of services to online clients. One or more servers are instantiated to deploy the application, where at least one of the servers may be a virtual machine. A globally unique identifier (GUID) for the application is generated and embedded in a security certificate associated with the deployed application. A correspondence between the GUID and the network address or the host name of the server is stored. In another aspect, a server request is forwarded for processing by the application or canceled based on a comparison between the network address or the host name of the server deploying the application, and the network address or the host name corresponding to the GUID.

Citations

14 Claims

1. A computer-readable non-transitory medium storing instructions which, when executed by at least one processor, cause a computer system to perform activities comprising:
- upon receiving an online service request, establish a connection to a server hosting an application configured to provide the requested service, wherein the online service request is routed to the application on the server by establishing the connection with the server from a plurality of servers based on an identification, wherein the identification is based on a current load in response to performing a load balancing on the plurality of servers, when the plurality of servers host the application configured to provide the requested service, and wherein before routing the online service request to the application on the server, authorizing the online service request based on information obtained via a security certificate assigned to the application hosted on the server;
  
  extract a global unique identifier (GUID) of the application hosted on the server from the security certificate associated with the application, wherein the GUID is embedded in the security certificate, and wherein the GUID is uniquely associated with the application;
  
  identify one or more of a network address and a host name corresponding to the GUID of the application, wherein identifying the one or more of the network address and the host name corresponding to the GUID of the application, comprises;
  
  looking up the GUID of the application in a map table, wherein the map table defines correspondence between one or more GUIDs correspondingly associated with one or more applications and one or more of a plurality of network addresses and a plurality of host names; and
  
  when an identified network address or a host name corresponding to the GUID of the application from the map table matches a network address or a host name associated with the server hosting the application, based on a comparison between the identified network address or the host name corresponding to the GUID of the application and the network address or the host name associated with the server hosting the application, allow access to the application for processing the service request or reject the service request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-readable non-transitory medium of claim 1, wherein establishing the connection to the server comprises:
    - establishing a secure connection to the server based on a server side security certificate.
  - 3. The computer-readable non-transitory medium of claim 1, wherein establishing the connection to the server comprises:
    - receiving the GUID of the application hosted at the server associated with the online service request; and
      
      identifying the server from a plurality of servers hosting the application, based on the GUID of the application hosted by the server.
  - 4. The computer-readable non-transitory medium of claim 1, wherein identifying one or more of the network address and the host name corresponding to the GUID of the application comprises:
    - extracting at least one of the network address and the host name corresponding to the GUID of the application from the security certificate associated with the application.
  - 5. The computer-readable non-transitory medium of claim 1 storing instructions which, when executed by the at least one processor, cause a computer system to perform activities further comprising:
    - forward a request to provision the application on at least one server; and
      
      upon deploying the application at the at least one server, receive at least one new mapping defining correspondence between at least one GUID of the application and one or more of at least one network address and at least one host name of the at least one server.

6. A computer implemented method for authentication of network nodes via a reverse proxy server, the method comprising:
- upon receiving an online service request, establishing a network connection to a server hosting an application configured to provide the requested service, wherein the online service request is routed to the application on the server by establishing the connection with the server from a plurality of servers based on an identification, wherein the identification is based on a current load in response to performing a load balancing on the plurality of servers, when the plurality of servers host the application configured to provide the requested service, and wherein before routing the online service request to the application on the server, authorizing the online service request based on information obtained via a security certificate assigned to the application hosted on the server;
  
  extracting a global unique identifier (GUID) of the application hosted on the server from a security certificate associated with the application, wherein the GUID is embedded in the security certificate, and wherein the GUID is uniquely associated with the application;
  
  identifying, by a processor, one or more of a network address and a host name corresponding to the GUID of the application, wherein identifying the one or more of the network address and the host name corresponding to the GUID of the application, comprises;
  
  looking up the GUID of the application in a map table, wherein the map table defines correspondence between one or more GUIDs correspondingly associated with one or more applications and one or more of a plurality of network addresses and a plurality of host names; and
  
  when an identified network address or a host name corresponding to the GUID of the application from the map table matches a network address or a host name associated with the server hosting the application, based on a comparison between the identified network address or the host name corresponding to the GUID of the application and the network address or the host name associated with the server hosting the application, allowing access to the application for processing the service request or rejecting the service request.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer implemented method of claim 6, wherein establishing the connection to the server comprises:
    - establishing a secure connection to the server based on a server side security certificate.
  - 8. The computer implemented method of claim 6, wherein establishing the connection to the server comprises:
    - receiving the GUID of the application hosted at the server associated with the online service request; and
      
      identifying the server from a plurality of servers hosting the application, based on the GUID of the application hosted by the server.
  - 9. The computer implemented method of claim 6, wherein identifying one or more of the network address and the host name corresponding to the GUID of the application comprises:
    - extracting at least one of the network address and the host name corresponding to the GUID of the application from the security certificate associated with the application.
  - 10. The computer implemented method of claim 6 further comprising:
    - forwarding a request to provision the application on at least one server; and
      
      upon deploying the application at the at least one server, receiving at least one new mapping defining correspondence between at least one GUID of the application and one or more of at least one network address and at least one host name of the at least one server.

11. A computer system to authenticate network nodes via a reverse proxy server, the system comprising:
- a memory to store instructions; and
  
  a processor coupled to the memory to execute the instructions to perform operations comprising;
  
  upon receiving an online service request, establish a network connection to a server hosting an application configured to provide the requested service wherein the online service request is routed to the application on the server by establishing the connection with the server from a plurality of servers based on an identification, wherein the identification is based on a current load in response to performing a load balancing on the plurality of servers, when the plurality of servers host the application configured to provide the requested service, and wherein before routing the online service request to the application on the server, authorizing the online service request based on information obtained via a security certificate assigned to the application hosted on the server;
  
  extract a global unique identifier (GUID) of the application hosted on the server from a security certificate associated with the application, wherein the GUID is embedded in the security certificate, and wherein the GUID is uniquely associated with the application;
  
  identify one or more of a network address and a host name corresponding to the GUID of the application, wherein identifying the one or more of the network address and the host name corresponding to the GUID of the application, comprises;
  
  looking up the GUID of the application in a map table, wherein the map table defines correspondence between one or more GUIDs correspondingly associated with one or more applications and one or more of a plurality of network addresses and a plurality of host names; and
  
  when an identified network address or a host name corresponding to the GUID of the application from the map table matches a network address or a host name associated with the server hosting the application, based on a comparison between the identified network address or the host name corresponding to the GUID of the application and a network address or a host name associated with the server hosting the application, allow access to the application for processing the service request or rejecting the service request.
- View Dependent Claims (12, 13, 14)
- - 12. The computer system of claim 11, wherein establishing the connection to the server comprises:
    - establishing a secure connection to the server based on a server side security certificate.
  - 13. The computer system of claim 11, wherein establishing the connection to the server comprises:
    - receiving the GUID of the application hosted at the server associated with the online service request; and
      
      identifying the server from a plurality of servers hosting the application, based on the GUID of the application hosted by the server.
  - 14. The computer system of claim 11, wherein identifying one or more of the network address and the host name corresponding to the GUID of the application comprises:
    - extracting at least one of the network address and the host name corresponding to the GUID of the application from the security certificate associated with the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Petrov, Petar D., Tankov, Nikolai
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US14/230,428
Publication Number

US 20150281217A1
Time in Patent Office

1,303 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 67/1004   Server selection for load b...

Authentication of network nodes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of network nodes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links