Key store service

US 10,530,578 B2
Filed: 05/30/2017
Issued: 01/07/2020
Est. Priority Date: 08/05/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide a key store microservice for a multi-tenant cloud based identity management system, the providing comprising:

receiving, over a network, a request from a client application to retrieve a tenant-specific key, the request including a tenancy identifier that identifies a tenant of a plurality of tenants of the multi-tenant cloud based identity management system, wherein the tenancy identifier comprises one of a customer tenancy type, a client tenancy type or a user tenancy type;

determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and

when the key is determined to be present in the tenant-specific memory cache;

retrieving the key from the tenant-specific memory cache;

retrieving a decryption key from a key wallet; and

decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet;

when the key is determined not to be present in the tenant-specific memory cache;

retrieving the key from a tenant-specific database table associated with the tenancy identifier and based on a unique key property corresponding to the key, wherein the unique key property is stored in a separate column in the tenant-specific database table; and

sending, over the network, the key to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key store microservice is provided for a cloud based identity management system. The key store microservice receives, over a network, a request from a client application to retrieve a key, the request including a tenancy identifier, and determines whether the key is present in a tenant specific memory cache associated with the tenancy identifier. When the key is determined to be present in the tenant specific memory cache, the key store microservice retrieves the key from the tenant specific memory cache, retrieves a decryption key from a key wallet, decrypts the key retrieved from the tenant specific memory cache using the decryption key retrieved from the key wallet, and sends, over the network, the key to the client.

388 Citations

20 Claims

1. A non-transitory computer-readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide a key store microservice for a multi-tenant cloud based identity management system, the providing comprising:
- receiving, over a network, a request from a client application to retrieve a tenant-specific key, the request including a tenancy identifier that identifies a tenant of a plurality of tenants of the multi-tenant cloud based identity management system, wherein the tenancy identifier comprises one of a customer tenancy type, a client tenancy type or a user tenancy type;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache;
  
  retrieving a decryption key from a key wallet; and
  
  decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet;
  
  when the key is determined not to be present in the tenant-specific memory cache;
  
  retrieving the key from a tenant-specific database table associated with the tenancy identifier and based on a unique key property corresponding to the key, wherein the unique key property is stored in a separate column in the tenant-specific database table; and
  
  sending, over the network, the key to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-readable medium of claim 1, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier.
  - 3. The computer-readable medium of claim 2, wherein:
    - determining whether the key is present includes searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on the unique key property.
  - 4. The computer-readable medium of claim 1, wherein the unique key property is a secure hash algorithm thumbprint or a unique alias.
  - 5. The computer-readable medium of claim 1, further comprising:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet; and
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier.
  - 6. The computer-readable medium of claim 5, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier.
  - 7. The computer-readable medium of claim 6, wherein:
    - retrieving the key includes searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 8. The computer-readable medium of claim 7, wherein the tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.
  - 9. The computer-readable medium of claim 1, wherein the key has a JavaScript Object Notation (JSON) web key format.

10. A method for providing a key store microservice for a multi-tenant cloud based identity management system, the method comprising:
- receiving, over a network, a request from a client application to retrieve a tenant-specific key, the request including a tenancy identifier that identifies a tenant of a plurality of tenants of the multi-tenant cloud based identity management system, wherein the tenancy identifier comprises one of a customer tenancy type, a client tenancy type or a user tenancy type;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache;
  
  retrieving a decryption key from a key wallet; and
  
  decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet;
  
  when the key is determined not to be present in the tenant-specific memory cache;
  
  retrieving the key from a tenant-specific database table associated with the tenancy identifier and based on a unique key property corresponding to the key, wherein the unique key property is stored in a separate column in the tenant-specific database table; and
  
  sending, over the network, the key to the client.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier, and searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on the unique key property including a secure hash algorithm thumbprint or a unique alias.
  - 12. The method of claim 11, further comprising:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet; and
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier.
  - 13. The method of claim 12, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier, and searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 14. The method of claim 13, wherein the tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.

15. A system comprising a server, coupled to a network, including a processor coupled to a memory storing instructions that, when executed by the processor, cause the processor to provide a key store microservice for a multi-tenant cloud based identity management system, the providing comprising:
- receiving, over a network, a request from a client application to retrieve a tenant-specific key, the request including a tenancy identifier that identifies a tenant of a plurality of tenants of the multi-tenant cloud based identity management system, wherein the tenancy identifier comprises one of a customer tenancy type, a client tenancy type or a user tenancy type;
  
  determining whether the key is present in a tenant-specific memory cache associated with the tenancy identifier; and
  
  when the key is determined to be present in the tenant-specific memory cache;
  
  retrieving the key from the tenant-specific memory cache;
  
  retrieving a decryption key from a key wallet;
  
  decrypting the key retrieved from the tenant-specific memory cache using the decryption key retrieved from the key wallet;
  
  when the key is determined not to be present in the tenant-specific memory cache;
  
  retrieving the key from a tenant-specific database table associated with the tenancy identifier and based on a unique key property corresponding to the key, wherein the unique key property is stored in a separate column in the tenant-specific database table; and
  
  sending, over the network, the key to the client.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the request includes a client identifier, and said determining whether the key is present includes determining whether the client identifier is authorized to access the tenant-specific memory cache associated with the tenancy identifier, and searching for the key in the tenant-specific memory cache associated with the tenancy identifier based on the unique key property including a secure hash algorithm thumbprint or a unique alias.
  - 17. The system of claim 16, wherein the providing further comprises:
    - when the key is determined not to be present in the tenant-specific memory cache;
      
      retrieving a key from a key wallet,encrypting the key retrieved from the tenant-specific database table using the key retrieved from the key wallet; and
      
      storing the key in the tenant-specific memory cache associated with the tenancy identifier.
  - 18. The system of claim 17, wherein the request includes a client identifier, and said retrieving the key includes determining whether the client identifier is authorized to access the tenant-specific data table associated with the tenancy identifier, and searching for the key in the tenant-specific database table associated with the tenancy identifier based on a secure hash algorithm thumbprint.
  - 19. The system of claim 18, wherein tenant-specific data table associated with the tenancy identifier is one stripe in a data tier or a separate partition in a database.
  - 20. The system of claim 16, wherein the unique key property is a secure hash algorithm thumbprint or a unique alias.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Keshava, Rakesh, Katti, Sreedhar, Vepa, Sirish, Sastry, Hari
Primary Examiner(s)
Moorthy, Aravind K
Assistant Examiner(s)
Chao, Michael W

Application Number

US15/608,708
Publication Number

US 20180041336A1
Time in Patent Office

952 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 12/1466   Key-lock mechanism

G06F 21/33   using certificates

G06F 21/604   Tools and structures for ma...

H04L 63/0281   Proxies

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3234   involving additional secure...

Key store service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

388 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key store service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

388 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links