Abstract:
Policy controls for Web service resource objects in a hierarchical resource space are loosely coupled so that policy changes are applied and enforced across the objects. This technique ensures that different policies are not applied unintentionally to the same resource (for example, one at the Web services entry level and the other at the resource level). By synchronizing the objects in the manner described, neither the entity that deploys the application nor the security administrator needs to be aware of the differences between the various types of requests that occur within a Web services environment. In a representative embodiment, resource objects are linked within a hierarchical resource space to provide synchronized policy control, where the policy is an audit policy, a quality-of-service (QoS) policy, a service level agreement (SLA) policy, a governance policy, a compliance policy, a patch management/vulnerability management policy, a user management policy, or a rights management policy.
Abstract:
A network system server that provides password synchronization between a main data store (102) and a plurality of secondary data stores (108) is disclosed. The network server further includes a security server (104), which is coupled to the main data store; a plurality of clients (114), coupled to the security server for accessing the main data store, wherein each client maintains a unique, modifiable password; and a password synchronization server (106), coupled to the security server and the plurality of secondary data stores, that provides password propagation synchronization to each of the secondary data stores from a user associated with one of the plurality of clients, so that the user is able to maintain a single, unique password among the plurality of secondary data stores. The password propagation is imposed on the plurality of secondary data stores regardless of the current password status of the secondary data stores.
Abstract:
A network system server that provides password synchronization between a main data store and a plurality of secondary data stores is disclosed. The network server further includes a security server, which is coupled to the main data store, and a plurality of clients, coupled to the security server for accessing the main data store. Also disclosed is a network system server that provides password composition checking for a plurality of clients.
Abstract:
A method of refactoring or normalising databases to convert soft type information, e.g. tuples or columns of XML data, into hard type information, comprising: profiling the soft type data to generate an attribute list with mapping suggestions to a hardened database structure; generating a data model definition and extract, transform, and load logic for transforming the soft type data based on the attribute list and mapping suggestions; executing the data model definition to create a new or modified database structure; moving data from an existing database structure to the new or modified database structure; and regenerating a services interface for access to the data.
Abstract:
In methods for providing security in a data processing system with identity brokering policies that are independent of the enterprise service bus (ESB), a brokering component at the service level performs operations such as message brokering, identity brokering and identity transformation in order to improve interoperability between service consumers and service providers. A broker component can also delegate identity-related operations to a token service or handler. Identity brokering can include operations such as identity determination or "discovery", authentication, authorization, identity transformation and security verification.
Abstract:
The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of the respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes, which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requestors is configured prior to initialization of the runtimes. Configuration data is structured into globally specified data, federation relationship data and requestor-specific data to minimize data change, making the addition or deletion of requestors very scalable.
Abstract:
Provided are techniques for secure matching supporting fuzzy data. A first bloom filter for a first data element is retrieved, wherein each of the characters in the data element has been encrypted with a beginning offset position of the character and encrypted with an end offset position of the character to produce two encrypted values that are added to the first bloom filter. A second bloom filter for a second data element is retrieved. The first bloom filter and the second bloom filter are compared to determine whether there is a match between the first data element and the second data element.
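As an added illustration (not the patent's own code), a Python sketch of the fuzzy-matching scheme described above: each character is encoded once with its offset from the start and once with its offset from the end, both encodings are added to a bloom filter, and two filters are compared. HMAC under a shared key stands in for the unspecified encryption; the filter size, hash count, Dice-coefficient comparison and threshold are assumptions of this example.

```python
import hashlib
import hmac

# Constructed parameters for the example (not specified by the abstract).
FILTER_BITS = 256
NUM_HASHES = 3
KEY = b"example-shared-key"  # assumption: both matching parties hold this secret


def encrypt_token(token: bytes) -> bytes:
    """Keyed one-way encoding of a character+offset token (HMAC-SHA256 here)."""
    return hmac.new(KEY, token, hashlib.sha256).digest()


def bit_positions(value: bytes) -> list[int]:
    """Derive NUM_HASHES bit indices from successive 4-byte slices of the digest."""
    return [int.from_bytes(value[4 * k:4 * k + 4], "big") % FILTER_BITS
            for k in range(NUM_HASHES)]


def build_filter(element: str) -> set[int]:
    """Bloom filter (kept as the set of set-bit indices) for one data element.
    Each character yields two tokens: its offset from the beginning and its
    offset from the end, so a change at one end of the string still leaves the
    encodings anchored at the other end intact."""
    bits: set[int] = set()
    n = len(element)
    for i, ch in enumerate(element.lower()):
        begin = f"B:{ch}:{i}".encode()
        end = f"E:{ch}:{n - 1 - i}".encode()
        for token in (begin, end):
            bits.update(bit_positions(encrypt_token(token)))
    return bits


def similarity(f1: set[int], f2: set[int]) -> float:
    """Dice coefficient over set bits; 1.0 means identical filters."""
    if not f1 and not f2:
        return 1.0
    return 2 * len(f1 & f2) / (len(f1) + len(f2))


def fuzzy_match(a: str, b: str, threshold: float = 0.6) -> bool:
    """Compare only the filters, never the plaintext elements."""
    return similarity(build_filter(a), build_filter(b)) >= threshold


if __name__ == "__main__":
    for a, b in [("smith", "smith"), ("smith", "smyth"), ("smith", "jones")]:
        print(a, b, round(similarity(build_filter(a), build_filter(b)), 2))
```

With the constructed parameters, "smith" and "smyth" share eight of their ten encoded tokens and score well above the threshold, while unrelated names overlap only through hash collisions.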
Abstract:
A method, system, apparatus, and computer program product are presented for processing certificate revocation lists (CRLs) in a data processing system. Rather than using CRLs for authentication purposes, CRLs are used for authorization purposes, and the responsibility of processing CRLs is placed on a monitoring process within a centralized authorization subsystem rather than on the applications that authenticate certificates. A monitoring process obtains newly published CRLs and determines whether revoked certificates are associated with users that possess authorized privileges. If so, then the monitoring process updates one or more authorization databases to reduce or eliminate the authorized privileges for those users.
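An added example (not the patent's own code) of the monitoring process just described: a CRL is mapped through a certificate-to-user registry, and privileges of affected users are eliminated from an in-memory authorization database. The CRL structure, the registry, the serial numbers and the privilege names are constructed for this example; a CRL that is not newer than the last one seen for its issuer is ignored so that re-delivery does not reprocess it.

```python
from dataclasses import dataclass, field


@dataclass
class RevokedEntry:
    serial: str   # certificate serial number (constructed sample values below)
    reason: str


@dataclass
class CRL:
    issuer: str
    crl_number: int          # increases with each publication by the issuer
    revoked: list[RevokedEntry]


@dataclass
class AuthzMonitor:
    """Monitoring process inside the centralized authorization subsystem."""
    cert_to_user: dict[str, str]      # serial -> user id (assumed registry)
    authz_db: dict[str, set[str]]     # user id -> granted privileges
    seen: dict[str, int] = field(default_factory=dict)  # issuer -> last CRL number

    def process_crl(self, crl: CRL) -> dict[str, set[str]]:
        """Apply a newly published CRL; returns {user: privileges removed}."""
        if self.seen.get(crl.issuer, -1) >= crl.crl_number:
            return {}                      # already processed this CRL
        self.seen[crl.issuer] = crl.crl_number
        removed: dict[str, set[str]] = {}
        for entry in crl.revoked:
            user = self.cert_to_user.get(entry.serial)
            if user is None:               # revoked cert not tied to a known user
                continue
            privs = self.authz_db.get(user)
            if not privs:                  # user holds no privileges to reduce
                continue
            removed[user] = set(privs)
            privs.clear()                  # eliminate the user's privileges
        return removed


def demo() -> dict[str, set[str]]:
    monitor = AuthzMonitor(
        cert_to_user={"0A1B": "alice", "0C2D": "bob"},
        authz_db={"alice": {"admin", "read"}, "bob": set(), "carol": {"read"}},
    )
    crl = CRL("Example CA", 7, [RevokedEntry("0A1B", "keyCompromise"),
                                RevokedEntry("0C2D", "superseded"),
                                RevokedEntry("FFFF", "cessationOfOperation")])
    return monitor.process_crl(crl)
```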