公开(公告)号：WO2005015387A3

公开(公告)日：2005-06-16

申请号：PCT/EP2004051434

申请日：2004-07-09

Applicant: IBM ,  IBM UK ,  ASHLEY PAUL ANTHONY ,  MUPPIDI SRIDHAR ,  VANDENWAUVER MARK

Inventor： ASHLEY PAUL ANTHONY ,  MUPPIDI SRIDHAR ,  VANDENWAUVER MARK

IPC: G06F9/40 ,  G06F9/44 ,  G06F9/46 ,  G06F11/30 ,  H04L9/00 ,  H04L29/06

CPC classification number: H04L63/0227 ,  H04L63/0263 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/083 ,  H04L63/101 ,  H04L63/166

Abstract: A method, system, and computer program product is presented for restricting access to a set of resources in a distributed data processing system. A server determines a set of authorized resources for which a user is authorized to access; the set of authorized resources is a subset of the set of resources that are operational within the distributed data processing system. An evaluation is made about the availability of the set of authorized resources based upon state information about the set of authorized resources. A list of a set of entitled resources for the user is then generated; the set of entitled resources is a subset of the set of authorized resources. An indication of the set of entitled resources may be sent to the user, after which the system would respond to requests for the user to access the set of entitled resources.

Abstract translation: 介绍了用于限制对分布式数据处理系统中的一组资源的访问的方法，系统和计算机程序产品。 服务器确定用户被授权访问的一组授权资源; 该组授权资源是在分布式数据处理系统内操作的该组资源的子集。 基于关于授权资源集合的状态信息评估授权资源集合的可用性。 然后生成用户的一组有权资源的列表; 该组有权限的资源是该组授权资源的子集。 可以向用户发送对该组有权资源的指示，之后系统将响应用户访问该组有权资源的请求。

公开(公告)号：DE602005001613T2

公开(公告)日：2008-04-10

申请号：DE602005001613

申请日：2005-01-05

Applicant: IBM

Inventor： ASHLEY PAUL ANTHONY ,  FYFE ROBERT ANDREW ,  THOMAS MICHAEL JAMES

IPC: H04L9/08 ,  H04L9/30 ,  H04L9/32 ,  H04L29/06

Abstract: A method for establishing a secure context for communicating messages between a client and a server is presented that is compliant with the Generic Security Service application programming interface (GSS-API). The client sends to the server a first message containing a first symmetric secret key generated by the client and an authentication token; the first message is secured with the public key from the server's public key certificate. After the server authenticates the client based on the authentication token, the client then receives from the server a second message that has been secured with the first symmetric secret key and that contains a second symmetric secret key. The client and the server employ the second symmetric secret key to secure subsequent messages sent between the client and the server. The authentication token may be a public key certificate associated with the client, a username-password pair, or a secure ticket.

公开(公告)号：DE602004023728D1

公开(公告)日：2009-12-03

申请号：DE602004023728

申请日：2004-07-09

Applicant: IBM

Inventor： ASHLEY PAUL ANTHONY ,  MUPPIDI SRIDHAR ,  VANDENWAUVER MARK

IPC: H04L29/06 ,  G06F21/00 ,  H04L9/00

Abstract: A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate-based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client. When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.

公开(公告)号：CA2528486A1

公开(公告)日：2005-02-17

申请号：CA2528486

申请日：2004-07-09

Applicant: IBM

Inventor： MUPPIDI SRIDHAR ,  VANDENWAUVER MARK ,  ASHLEY PAUL ANTHONY

IPC: H04L29/06 ,  G06F21/00 ,  H04L9/00

Abstract: A method is presented for performing authentication operations. When a clien t requests a resource from a server, a non-certificate~based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client, When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SS L session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate- based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.

公开(公告)号：CA2528486C

公开(公告)日：2012-07-24

申请号：CA2528486

申请日：2004-07-09

Applicant: IBM

Inventor： ASHLEY PAUL ANTHONY ,  MUPPIDI SRIDHAR ,  VANDENWAUVER MARK

IPC: H04L29/06 ,  G06F21/00 ,  H04L9/00

Abstract: A method is presented for performing authentication operations. When a client requests a resource from a server, a non-certificate~based authentication operation is performed through an SSL (Secure Sockets Layer) session between the server and the client, When the client requests another resource, the server determines to step up to a more restrictive level of authentication, and a certificate-based authentication operation is performed through the SSL session without exiting or renegotiating the SSL session prior to completion of the certificate-based authentication operation. During the certificate-based authentication procedure, an executable module is downloaded to the client from the server through the SSL session, after which the server receives through the SSL session a digital signature that has been generated by the executable module using a digital certificate at the client. In response to successfully verifying the digital signature at the server, the server provides access to a requested resource.

公开(公告)号：DE602005001613D1

公开(公告)日：2007-08-23

申请号：DE602005001613

申请日：2005-01-05

Applicant: IBM

Inventor： ASHLEY PAUL ANTHONY ,  FYFE ROBERT ANDREW ,  THOMAS MICHAEL JAMES

IPC: H04L9/08 ,  H04L9/30 ,  H04L9/32 ,  H04L29/06

Abstract: A method for establishing a secure context for communicating messages between a client and a server is presented that is compliant with the Generic Security Service application programming interface (GSS-API). The client sends to the server a first message containing a first symmetric secret key generated by the client and an authentication token; the first message is secured with the public key from the server's public key certificate. After the server authenticates the client based on the authentication token, the client then receives from the server a second message that has been secured with the first symmetric secret key and that contains a second symmetric secret key. The client and the server employ the second symmetric secret key to secure subsequent messages sent between the client and the server. The authentication token may be a public key certificate associated with the client, a username-password pair, or a secure ticket.