Secure deployment of provable identity for dynamic application environments
Abstract
An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
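The four-party flow in the abstract (fabric controller, VM, security token service, client), as an added Go example that is not part of the patent or any product it describes. It assumes the VM proves possession of the secret with an HMAC rather than by sending the secret itself, that the "full token" is the VM identifier plus an ed25519 signature over it, and that the client checks that signature with the STS public key; all three are modelling choices, not details the page states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type FullToken struct { // the STS-issued assertion of a VM's identity
	VMID string // identity the security token service vouches for
	Sig  []byte // ed25519 signature over VMID, made with the STS private key
}

// TokenService plays the claim's "second computer" (the security token service).
type TokenService struct {
	priv     ed25519.PrivateKey // key whose public half clients fetch and trust
	accounts map[string][]byte  // vmID -> secret registered by the fabric controller
}

func NewTokenService() *TokenService {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &TokenService{priv: priv, accounts: map[string][]byte{}}
}

// CreateAccount is the fabric controller's instruction: register a secret for vmID.
func (s *TokenService) CreateAccount(vmID string, secret []byte) { s.accounts[vmID] = secret }
// PublicKey is what the client (third computer) fetches from the STS it trusts.
func (s *TokenService) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Proof is the VM's evidence of holding the secret: an HMAC over its own ID, so the raw secret stays off the wire (assumption; the page says only "presents proof").
func Proof(vmID string, secret []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(vmID))
	return m.Sum(nil)
}

// IssueToken checks the proof in constant time and only then signs the identity assertion.
func (s *TokenService) IssueToken(vmID string, proof []byte) (*FullToken, error) {
	secret, ok := s.accounts[vmID]
	if !ok || !hmac.Equal(proof, Proof(vmID, secret)) {
		return nil, errors.New("proof of secret possession failed for " + vmID)
	}
	return &FullToken{VMID: vmID, Sig: ed25519.Sign(s.priv, []byte(vmID))}, nil
}

// VerifyToken is the client-side check: token plus STS public key must agree with the claimed identity.
func VerifyToken(pub ed25519.PublicKey, tok *FullToken) bool {
	return tok != nil && ed25519.Verify(pub, []byte(tok.VMID), tok.Sig)
}
```

The client never sees the per-VM secret; it only needs the STS public key, which is why a token relabelled with another VM's identity, or one signed by a different STS, fails verification.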
Claims (20 in total; the three independent claims are reproduced below)

1. A method for establishing a provable identity for a virtual machine, comprising:
    launching the virtual machine;
    creating an account for the virtual machine on a second computer;
    in response to creating the account for the virtual machine on the second computer, sending the virtual machine first data, and sending the second computer the first data;
    sending, by the virtual machine, the first data to the second computer and the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer;
    in response to the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer, creating a full token that comprises an assertion of an identity of the virtual machine, and sending the full token to the virtual machine;
    sending a public key to a third computer; and
    sending, by the virtual machine, the full token to the third computer, the third computer confirming the identity of the virtual machine based on determining that combining the full token of the virtual machine and the public key produces a result consistent with the identity of the virtual machine.
(Dependent claims 2 to 9 refer back to claim 1 and are not reproduced here.)

10. A system for establishing a provable identity for a virtual machine, comprising:
    a memory bearing instructions that, upon execution by a processor, cause the system to at least:
    launch the virtual machine;
    create an account for the virtual machine on a second computer;
    in response to creating the account for the virtual machine on the second computer, send the virtual machine first data, and sending the second computer the first data;
    send, by the virtual machine, the first data to the second computer and the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer;
    in response to the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer, create a full token that comprises an assertion of an identity of the virtual machine, and sending the full token to the virtual machine;
    send a public key to a third computer; and
    send, by the virtual machine, the full token to the third computer, the third computer confirming the identity of the virtual machine based on determining that combining the full token of the virtual machine and the public key produces a result consistent with the identity of the virtual machine.
(Dependent claims 11 to 19 refer back to claim 10 and are not reproduced here.)

20. A computer-readable storage device for establishing a provable identity for a virtual machine, bearing computer-readable instructions that, upon execution by a computer, cause the computer to perform operations comprising:
    launching the virtual machine;
    creating an account for the virtual machine on a second computer;
    in response to creating the account for the virtual machine on the second computer, sending the virtual machine first data, and sending the second computer the first data;
    sending, by the virtual machine, the first data to the second computer and the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer;
    in response to the second computer verifying the first data as received from the virtual machine against the first data already possessed by the second computer, creating a full token that comprises an assertion of an identity of the virtual machine, and sending the full token to the virtual machine;
    sending a public key to a third computer; and
    sending, by the virtual machine, the full token to the third computer, the third computer confirming the identity of the virtual machine based on determining that combining the full token of the virtual machine and the public key produces a result consistent with the identity of the virtual machine.
Specification