CN101699893B - Method for changing states of authentication service entities of certificate server cluster - Google Patents

Info

Publication number
CN101699893B
Authority
CN
China
Prior art keywords
certificate server
ase
service entities
state
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200910193828A
Other languages
Chinese (zh)
Other versions
CN101699893A (en)
Inventor
林凡
王胜男
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GCI Science and Technology Co Ltd
Original Assignee
GCI Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2009-11-10
Filing date
2009-11-10
Publication date
2010-04-28 (CN101699893A, application publication); 2012-09-05 (CN101699893B, grant)
Application filed by GCI Science and Technology Co Ltd
Priority to CN200910193828A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of wireless communication systems, and in particular to a method for changing the states of multiple authentication service entities (ASE) of a certificate server cluster. It addresses the authentication failure that occurs when an authentication service entity has been enabled on one certificate server of the cluster but not on the other certificate servers, so that an authentication service request dispatched to one of those servers cannot be served. In the method, one certificate server obtains the state change information of an authentication service entity and sends it to the other certificate servers of the cluster, so that the state of that authentication service entity on every certificate server in the cluster is changed uniformly to the same state according to that information.

Description

Method for changing the state of authentication service entities (ASE) of a certificate server cluster
Technical field
The present invention relates to the technical field of wireless communication systems, and in particular to a method for changing the state of a plurality of authentication service entities (ASE) of a certificate server cluster.
Background art
In recent years, broadband wireless networks represented by wireless LAN (WLAN) and wireless MAN (WMAN) technologies have developed rapidly, and various broadband wireless technologies are widely used around the world. The security of a wireless network is much lower than that of a wired network: an eavesdropper on the network may impersonate other users to obtain useful information, or obtain user information illegally by intercepting the user's communications. The China Broadband Wireless IP Standard Working Group has proposed the Triple-element Peer Authentication (TePA) trusted infrastructure; applied to WLAN, it forms the WLAN Authentication and Privacy Infrastructure (WAPI) protocol, which effectively solves the security problems of the IEEE 802.11 protocol. WAPI can be regarded as an application instance of TePA used to solve the WLAN access security problem. Patent application No. 200810027930.0, "A secure access method for wireless metropolitan area networks" (hereinafter WMAN-SA), is another application instance of TePA, used to solve the WMAN access security problem. Both the WAPI and the WMAN-SA secure network comprise three network elements: terminal, access point and certificate server.
In a TePA-based wireless network (such as a WAPI or WMAN-SA network), the terminal and the access point achieve mutual identity authentication through the authentication service provided by an authentication service entity (ASE) in the certificate server. In current certificate servers based on the WAPI or WMAN-SA protocol, a specific access point and terminal must each be assigned an authentication service entity (ASE); if the terminal's certificate was issued by a different ASE, the access point must send a certificate authentication request message containing both the access point's certificate and the terminal's certificate to the corresponding ASE for authentication.
In a typical network environment, network resources belong to different organizations, and different organizations may configure different authentication service entities. In this case, the certificate server should support the concurrent operation of multiple authentication service entities, so that resources can be shared and computation performed cooperatively across ASEs, saving computing resources.
Furthermore, as networks become widespread, the certificate server has to provide access authentication service for more and more users (access points and terminals). However high the performance of a single certificate server, the access authentication service it can provide is limited. Therefore, multiple certificate servers are generally combined into a certificate server cluster to serve the many users, and the cluster is expected to be transparent to users, that is, externally the certificate server cluster behaves like a single certificate server. This approach draws on related techniques from parallel computing and load balancing research and has formed the present certificate server clustering technology.
When certificate server clustering is used, the cluster contains many certificate servers, each of which can support multiple authentication service entities. The ASE state on some certificate servers may not be changed in time, so that a given ASE is enabled on one certificate server while another certificate server has not yet enabled it. If the load balance scheduler then dispatches a user authentication request for that ASE to a certificate server that has not enabled it, the request is dropped without being processed, and authentication fails. Failure of the authentication process means that the user cannot access the network.
Summary of the invention
The present invention aims to solve the problem of authentication failure of a corresponding authentication service request, which occurs when an authentication service entity has been enabled on one certificate server of the certificate server cluster but has not been enabled on the other certificate servers.
To solve the above technical problem, the present invention provides a method for changing the state of authentication service entities of a certificate server cluster: one certificate server obtains the ASE state change information and sends the obtained ASE state change information to the other certificate servers in the cluster, so that the ASE state of all certificate servers in the cluster is changed uniformly to a consistent state according to that information. The specific steps comprise:
An administrator logs in to a certificate server in the certificate server cluster and, through that certificate server, sets or changes the ASE state in the ASE (authentication service entity) configuration information table in the shared storage device;
After the setting or change of the ASE configuration information table is complete, that certificate server changes the state of its local ASE protocol processing module and at the same time sends an ASE configuration change broadcast to notify the other certificate servers in the cluster.
Said ASE state is activated, suspended or exited.
Compared with the prior art, the beneficial effect of the present invention is as follows:
In the method of the invention, one certificate server in the certificate server cluster obtains the ASE state change information and sends it to the other certificate servers in the cluster, so that the ASE state of all certificate servers in the cluster is changed uniformly according to that information. Consequently, if an authentication service entity is enabled on one certificate server in the cluster, it is enabled on all certificate servers in the cluster, and the corresponding authentication service request can be authenticated no matter which certificate server it is scheduled to.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the certificate server cluster of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, the certificate server cluster comprises a load balance scheduler, a certificate server pool and a shared storage device. The certificate server pool and the load balance scheduler are interconnected over the network through an aggregation node (such as a switch).
The load balance scheduler receives user identity authentication request messages and distributes each request message to a certain certificate server.
The certificate server pool comprises multiple certificate servers. Several authentication service entity (ASE) protocol processing modules run on each certificate server; each ASE protocol processing module processes the user identity request messages belonging to one specific authentication service entity and sends the authentication response messages to the user.
The shared storage device stores the information of each authentication service entity and of each certificate server. Its contents are as follows:
1. The ASE configuration information table of each authentication service entity, containing: ASE number (ASE ID, ID = 1, 2, ..., m); ASE type (supporting the WAPI, WMAN-SA or another authentication protocol); ASE state (inactive / activated / suspended / exited); and the corresponding ASE certificate information;
2. The information table of each certificate server (AS information table), containing: certificate server number (AS ID, ID = 1, 2, ..., n), running status (normal / fault), load condition (packet loss, CPU usage), etc.
Taking a WAPI network as an example, the flow in which the certificate server cluster processes an identity authentication request is as follows:
A. The load balance scheduler waits to receive a WAPI authentication request message from a user;
B. After receiving the user's WAPI authentication request message, the load balance scheduler queries the AS information table of each certificate server in the shared storage device and, according to the running status (normal / fault) and load condition (packet loss, CPU usage), applies a load balancing scheduling algorithm to forward the identity authentication request to a certain certificate server in the certificate server pool; it then continues receiving identity authentication request messages.
C. After a certificate server in the pool receives the identity authentication request message sent by the load balance scheduler, it parses the user identity information in the message, queries the ASE configuration information table in the shared storage device, and locates the authentication service entity to which the user belongs (say ASE i); then
c1. if no matching authentication service entity is found in the ASE configuration information table, the certificate server sends an alarm to the administrator, indicating that the service of some ASE may not be enabled;
c2. if a matching authentication service entity is found in the ASE configuration information table, it verifies the identity authentication request message, authenticates the user's identity, constructs the authentication response message and sends it to the user.
For this reason, it must be ensured that every certificate server in the cluster has the same ASE state. The method for synchronizing the ASE state of the certificate servers in the certificate server cluster is as follows:
An administrator logs in to a certificate server in the certificate server cluster and, through that certificate server, sets or changes the ASE state (activated / suspended / exited) in the ASE configuration information table in the shared storage device. After the modification of the ASE configuration information table is complete, that certificate server changes the state of its local ASE protocol processing module and at the same time sends an ASE configuration change broadcast to notify the other certificate server devices in the certificate server pool. The fields of the ASE configuration change broadcast comprise: the number of the current certificate server, the ASE number, the ASE type, a message freshness identifier, and the ASE state after the change.
When another certificate server receives this ASE configuration change broadcast, it should process this message first even if other content is waiting in its module's message receive queue. It parses the message, obtains the content of each field, and proceeds as follows:
(1) Check the message freshness identifier: if the freshness identifier of this message is identical to the freshness identifier of a message stored locally (within a certain period), the message is a resent message and must be discarded; otherwise the identifier is stored in the certificate server's local storage;
(2) Confirm that the ASE number, ASE type (WAPI authentication protocol) and ASE identity information in the message are consistent with the ASE number and ASE type known locally to the certificate server. If the certificate server has not yet created this authentication service entity locally, it reads the certificate information and the private key from the shared storage device, creates the authentication service entity, and sets it to the "ASE state after the change" described in the message field. If the certificate server has already created this authentication service entity locally, it checks whether the local ASE state is consistent with the "ASE state after the change" described in the message field;
(3) Change the state of the corresponding local authentication service entity to the "ASE state after the change" in the message.

Claims (2)

1. A method for changing the state of authentication service entities (ASE) of a certificate server cluster, in which one certificate server obtains ASE state change information, characterized in that the obtained ASE state change information is sent to the other certificate servers in the cluster, so that the ASE state of all certificate servers in the cluster is changed uniformly to a consistent state according to that information, the specific steps comprising:
An administrator logs in to a certificate server in the certificate server cluster and, through that certificate server, sets or changes the ASE state in the ASE configuration information table in the shared storage device;
After the setting or change of the ASE configuration information table is complete, that certificate server changes the state of its local ASE protocol processing module and at the same time sends an ASE configuration change broadcast to notify the other certificate servers in the cluster.
2. The method for changing the state of authentication service entities (ASE) of a certificate server cluster according to claim 1, characterized in that said ASE state is activated, suspended or exited.

Publications (2)

Publication Number Publication Date
CN101699893A CN101699893A (en) 2010-04-28
CN101699893B true CN101699893B (en) 2012-09-05

Family

ID=42148333


Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012162952A1 (en) * 2011-08-17 2012-12-06 华为技术有限公司 Credential authentication method and single sign-on server
CN102685100B (en) * 2012-03-08 2015-05-20 珠海市君天电子科技有限公司 Distribution document security identification method
CN104660409B (en) * 2013-11-25 2018-10-23 北京神州泰岳软件股份有限公司 The method of system login and certificate server cluster under cluster environment
CN106487706A (en) * 2016-09-28 2017-03-08 苏州迈科网络安全技术股份有限公司 License authentication method and authentication platform that functions of the equipments based on Transmission Control Protocol are permitted
CN109450621B (en) * 2018-10-12 2021-06-18 广州杰赛科技股份有限公司 Information verification method and device of equipment
CN110688646B (en) * 2019-10-14 2021-12-03 广州麦仑信息科技有限公司 Multi-server cluster security authentication method applied to palm vein recognition

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1486013A (en) * 2002-09-23 2004-03-31 华为技术有限公司 Method for network access user authentication
CN1585326A (en) * 2004-05-26 2005-02-23 华南理工大学 Digital certificate signing server schooling method and system
CN101232514A (en) * 2008-01-24 2008-07-30 创新科存储技术(深圳)有限公司 Metadata synchronization method of network additional memory node and network additional memory node
CN101431410A (en) * 2007-11-09 2009-05-13 康佳集团股份有限公司 Authentication method for network game client and server cluster



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120905

Termination date: 20201110