CN108718316B - Method and system for realizing secure migration of virtual machine password information - Google Patents

Method and system for realizing secure migration of virtual machine password information Download PDF

Info

Publication number
CN108718316B
CN108718316B (application CN201810593151.0A)
Authority
CN
China
Prior art keywords
migration
virtual machine
management system
information
key management
Prior art date
Legal status
Active
Application number
CN201810593151.0A
Other languages
Chinese (zh)
Other versions
CN108718316A (en)
Inventor
孙晓妮
朱书杉
陈小龙
李若寒
Current Assignee
Chaoyue Technology Co Ltd
Original Assignee
Shandong Chaoyue CNC Electronics Co Ltd
Priority date
Filing date
Publication date
Application filed by Shandong Chaoyue CNC Electronics Co Ltd
Priority to CN201810593151.0A
Publication of CN108718316A
Application granted
Publication of CN108718316B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/20 Managing network security; network security policies in general
            • H04L63/205 Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
        • H04L63/06 Supporting key management in a packet data network
        • H04L63/08 Authentication of entities
            • H04L63/083 Authentication of entities using passwords
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F9/00 Arrangements for program control, e.g. control units › G06F9/06 Using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F9/44 Arrangements for executing specific programs › G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines › G06F9/45533 Hypervisors; Virtual machine monitors › G06F9/45558 Hypervisor-specific management and integration aspects
        • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
        • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a system for securely migrating virtual machine cryptographic information, in the field of secure and confidential migration of such information. It addresses the problem that, once cryptographic devices are introduced into a cloud, the migration of the cryptographic information configured for a virtual machine (cryptographic devices, keys and the like) is not guaranteed when the virtual machine is migrated. The technical scheme is as follows: a monitoring module and a migration module are deployed on each computing node; interaction among OpenStack components takes place through a message queue; the monitoring module continuously monitors the messages in the queue and triggers the migration module when it observes a message that the virtual machine has migrated successfully; once triggered, the migration module sends an unbinding request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine cryptographic information. The invention also discloses a system for securely migrating virtual machine cryptographic information.

Description

Method and system for realizing secure migration of virtual machine password information
Technical Field
The invention relates to the secure and confidential migration of cryptographic information during virtual machine migration in a cloud computing environment, and in particular to a method and a system for securely migrating virtual machine cryptographic information.
Background
Virtual machine live migration is the technique of moving a virtual machine from its current physical host to another physical host without interrupting the running virtual machine. Migration mainly aims to be transparent to the user, to preserve all network state and application state during the move, and to avoid degrading the quality of service of other applications through resource contention while the migration is in progress.
To secure a cloud data center, that is, to provide identity authentication and access control and to protect its computing, storage and network resources, a large number of cryptographic devices are usually introduced, and security policies are built on those devices to meet the security requirements and ensure the secure operation of the data center.
When a virtual machine is migrated, beyond completing the migration transparently, the most important requirement is that state is consistent before and after the migration, and above all that the security state is consistent. The OpenStack mechanism only guarantees that the virtual machine's security group rules are migrated; once cryptographic devices are introduced, the migration of the cryptographic information configured for the virtual machine, such as its cryptographic devices and keys, is not guaranteed.
Disclosure of Invention
The technical task of the invention is to provide a method and a system for securely migrating virtual machine cryptographic information, so as to solve the problem that, once cryptographic devices are introduced, the migration of the cryptographic information configured for a virtual machine (cryptographic devices, keys and the like) is not guaranteed during virtual machine migration.
The technical task is accomplished as follows. In the method for securely migrating virtual machine cryptographic information, a monitoring module and a migration module are deployed on each computing node; interaction among OpenStack components takes place through a message queue; the monitoring module continuously monitors the messages in the queue and triggers the migration module when it observes a message that the virtual machine has migrated successfully; once triggered, the migration module sends an unbinding request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine cryptographic information. The key management system is a key management system commonly used in the prior art.
Preferably, the specific working process of the monitoring module is as follows:
(1) the monitoring module continuously checks whether Nova's live_migrate() method has sent a virtual machine migration message:
① if the monitoring module observes a live-migrate-virtual-machine message sent in topic mode, go to step (2);
② if no virtual machine migration message is observed, go back to step (1);
(2) the monitoring module continuously checks the return result of Nova's compute_rpcapi.live_migration() method for a message carrying the virtual machine and the host:
① if yes, go to step (3);
② if not, go back to step (2);
(3) the monitoring module continuously checks the return result of Nova's wait_for_live_migration() method for a message that the virtual machine has migrated successfully:
① if yes, the monitoring module triggers the migration module;
② if not, go back to step (3).
Preferably, the specific working process of the migration module is as follows:
(1) the computing node sends an unbinding request to the key management system;
(2) the key management system calls the key recovery interface to recover the key information held by the cryptographic device bound to the virtual machine;
(3) the key management system calls the device unbinding interface to unbind the original cryptographic device bound to the virtual machine;
(4) the key management system evaluates whether the second computing node meets the cryptographic requirements of the virtual machine:
if yes, go to step (5);
(5) the key management system calls the device binding interface to bind a new cryptographic device to the target virtual machine;
(6) the key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, completing the secure migration of the virtual machine cryptographic information.
A system for securely migrating virtual machine cryptographic information comprises a key management system and a plurality of computing nodes, each computing node being provided with a monitoring module and a migration module. The key management system manages the cryptographic information; the monitoring module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine cryptographic information.
Preferably, the interfaces called by the migration module include a key recovery interface, a device unbinding interface, a device binding interface and a key distribution interface.
The method and system for securely migrating virtual machine cryptographic information have the following advantages:
① to ensure the secure operation of the cloud data center, the virtual machine cryptographic information is migrated through the cooperation of the key management system with the monitoring module and migration module deployed on each computing node, which improves the security of the cloud data center;
② the invention allows the cryptographic information configured for a virtual machine to be adjusted dynamically during migration, so that the security state stays consistent across the migration.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a block diagram of the flow of the monitoring module process;
FIG. 2 is a flow diagram of the migration module process.
Detailed Description
The method and system for securely migrating virtual machine cryptographic information according to the present invention are described in detail below with reference to the drawings and specific embodiments.
Example 1:
In the method for securely migrating virtual machine cryptographic information, a monitoring module and a migration module are deployed on each computing node; interaction among OpenStack components takes place through a message queue; the monitoring module continuously monitors the messages in the queue and triggers the migration module when it observes a message that the virtual machine has migrated successfully; once triggered, the migration module sends an unbinding request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine cryptographic information. The virtual machine migration may be either manual or automatic.
As shown in fig. 1, the specific working process of the monitoring module is as follows:
(1) the monitoring module continuously checks whether Nova's live_migrate() method has sent a virtual machine migration message:
① if the monitoring module observes a live-migrate-virtual-machine message sent in topic mode, go to step (2);
② if no virtual machine migration message is observed, go back to step (1);
(2) the monitoring module continuously checks the return result of Nova's compute_rpcapi.live_migration() method for a message carrying the virtual machine and the host:
① if yes, go to step (3);
② if not, go back to step (2);
(3) the monitoring module continuously checks the return result of Nova's wait_for_live_migration() method for a message that the virtual machine has migrated successfully:
① if yes, the monitoring module triggers the migration module;
② if not, go back to step (3).
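The three-step listener above, written out as an added Python example (not code from the patent): a small state machine consumes a snapshot of the message queue and fires the migration module only for a success message about the virtual machine it has been tracking, so unrelated traffic, out-of-order messages and results for other virtual machines are ignored in exactly the "go back to the same step" way the description specifies. The message fields ("method", "mode", "instance_uuid", "dest_host", "result") and the method-name strings are assumptions standing in for real OpenStack RPC and notification payloads, and the sample queue contents are constructed.

```python
"""Event-driven trigger for the migration module (added illustration, not the patent's code).

Message shapes are assumed: plain dicts carrying the Nova method name that produced them,
the instance and destination host, and a result string for the final wait.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed method-name strings for the three messages the listener waits on.
LIVE_MIGRATE_CALL = "live_migrate"                         # step (1): live_migrate() sent in topic mode
RPC_LIVE_MIGRATION_RET = "compute_rpcapi.live_migration"   # step (2): return result naming VM and host
WAIT_LIVE_MIGRATION_RET = "wait_for_live_migration"        # step (3): success / other result


@dataclass
class MigrationMonitor:
    """States: 1 = wait for migrate call, 2 = wait for VM/host, 3 = wait for success."""
    on_migrated: Callable[[str, str], None]
    state: int = 1
    instance_uuid: Optional[str] = None
    dest_host: Optional[str] = None

    def handle(self, msg: Dict[str, str]) -> int:
        """Consume one queue message and return the state the monitor is in afterwards."""
        if self.state == 1:
            # (1) only a live_migrate() message published in topic mode starts tracking
            if msg.get("method") == LIVE_MIGRATE_CALL and msg.get("mode") == "topic":
                self.state = 2
        elif self.state == 2:
            # (2) the RPC return must name both the virtual machine and the target host
            if (msg.get("method") == RPC_LIVE_MIGRATION_RET
                    and msg.get("instance_uuid") and msg.get("dest_host")):
                self.instance_uuid = msg["instance_uuid"]
                self.dest_host = msg["dest_host"]
                self.state = 3
        elif self.state == 3:
            # (3) only a success result for the tracked VM triggers the migration module
            if (msg.get("method") == WAIT_LIVE_MIGRATION_RET
                    and msg.get("instance_uuid") == self.instance_uuid
                    and msg.get("result") == "success"):
                self.on_migrated(self.instance_uuid, self.dest_host)
                self.state = 1                      # back to step (1) for the next migration
                self.instance_uuid = self.dest_host = None
        return self.state


def run_monitor(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Feed a queue snapshot through the monitor; return the (VM, host) pairs that triggered migration."""
    fired: List[Dict[str, str]] = []
    monitor = MigrationMonitor(
        on_migrated=lambda vm, host: fired.append({"instance_uuid": vm, "dest_host": host}))
    for msg in messages:
        monitor.handle(msg)
    return fired


# Constructed sample queue contents (not captured from a real deployment).
SAMPLE_QUEUE = [
    {"method": "get_instance", "mode": "topic"},                                         # unrelated, ignored
    {"method": "wait_for_live_migration", "instance_uuid": "vm-1", "result": "success"},  # out of order, ignored
    {"method": "live_migrate", "mode": "topic", "instance_uuid": "vm-1"},
    {"method": "compute_rpcapi.live_migration", "instance_uuid": "vm-1", "dest_host": "compute-02"},
    {"method": "wait_for_live_migration", "instance_uuid": "vm-9", "result": "success"},  # other VM, ignored
    {"method": "wait_for_live_migration", "instance_uuid": "vm-1", "result": "success"},  # triggers
]

if __name__ == "__main__":
    print(run_monitor(SAMPLE_QUEUE))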
As shown in fig. 2, the specific working process of the migration module is as follows:
(1) the computing node sends an unbinding request to the key management system;
(2) the key management system calls the key recovery interface to recover the key information held by the cryptographic device bound to the virtual machine;
(3) the key management system calls the device unbinding interface to unbind the original cryptographic device bound to the virtual machine;
(4) the key management system evaluates whether the second computing node meets the cryptographic requirements of the virtual machine:
if yes, go to step (5);
(5) the key management system calls the device binding interface to bind a new cryptographic device to the target virtual machine;
(6) the key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, completing the secure migration of the virtual machine cryptographic information.
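Steps (1) to (6) above as an added Python example, not code from the patent: an in-memory stand-in for the key management system exposes the four named interfaces (key recovery, device unbinding, device binding, key distribution), and a migration routine drives them in the order the description gives, after the monitor has reported a successful migration. The device names, the capability sets used for the step (4) check, and the roll-back taken when that check fails are assumptions; the patent states only the "yes" branch of step (4).

```python
"""Migration-module orchestration against a key management system (added illustration, not the patent's code).

Devices, capability sets and the roll-back on a failed step (4) are assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CryptoDevice:
    """A (virtual) cryptographic device on a computing node; key is None while the device holds nothing."""
    name: str
    node: str
    capabilities: Set[str]
    key: Optional[bytes] = None
    bound_vm: Optional[str] = None


class MigrationError(Exception):
    """Raised when the target node cannot take over the virtual machine's cryptographic state."""


@dataclass
class KeyManagementSystem:
    """In-memory stand-in for the KMS with the four interfaces named in the patent."""
    devices: Dict[str, CryptoDevice]
    bindings: Dict[str, str] = field(default_factory=dict)   # vm_id -> device name

    def recover_key(self, vm_id: str) -> bytes:
        """Key recovery interface: read the key out of the device the VM is currently bound to."""
        dev = self.devices[self.bindings[vm_id]]
        if dev.key is None:
            raise MigrationError(f"{dev.name} holds no key for {vm_id}")
        return dev.key

    def unbind_device(self, vm_id: str) -> None:
        """Device unbinding interface: release the device and clear its key so the old node retains nothing."""
        dev = self.devices[self.bindings.pop(vm_id)]
        dev.bound_vm = None
        dev.key = None

    def bind_device(self, vm_id: str, dev: CryptoDevice) -> None:
        """Device binding interface: attach a free device to the VM."""
        if dev.bound_vm is not None:
            raise MigrationError(f"{dev.name} is already bound to {dev.bound_vm}")
        dev.bound_vm = vm_id
        self.bindings[vm_id] = dev.name

    def distribute_key(self, vm_id: str, key: bytes) -> None:
        """Key distribution interface: inject the key into the VM's currently bound device."""
        self.devices[self.bindings[vm_id]].key = key

    def node_meets_requirement(self, node: str, required: Set[str]) -> Optional[CryptoDevice]:
        """Step (4) (assumed form): a free device on the node whose capabilities cover the VM's needs."""
        for dev in self.devices.values():
            if dev.node == node and dev.bound_vm is None and required <= dev.capabilities:
                return dev
        return None


def migrate_crypto_info(kms: KeyManagementSystem, vm_id: str, dest_node: str, required: Set[str]) -> str:
    """Steps (1)-(6); returns the name of the device the VM is bound to when the routine finishes."""
    source_dev = kms.devices[kms.bindings[vm_id]]     # (1) the unbinding request names this VM
    key = kms.recover_key(vm_id)                       # (2) recover the key information
    kms.unbind_device(vm_id)                           # (3) unbind the original device
    new_dev = kms.node_meets_requirement(dest_node, required)   # (4) evaluate the target node
    if new_dev is None:
        # "no" branch (assumption): rebind the source device and restore its key so the VM is never left keyless
        kms.bind_device(vm_id, source_dev)
        kms.distribute_key(vm_id, key)
        raise MigrationError(f"{dest_node} has no free device offering {sorted(required)}")
    kms.bind_device(vm_id, new_dev)                    # (5) bind a new device on the target node
    kms.distribute_key(vm_id, key)                     # (6) inject the key information
    return new_dev.name


def build_sample_kms() -> KeyManagementSystem:
    """Constructed three-node environment: the VM starts bound to hsm-01 on compute-01."""
    devices = {
        "hsm-01": CryptoDevice("hsm-01", "compute-01", {"aes-256", "rsa-2048"}, key=b"\x11" * 16, bound_vm="vm-1"),
        "hsm-02": CryptoDevice("hsm-02", "compute-02", {"aes-256", "rsa-2048"}),
        "hsm-03": CryptoDevice("hsm-03", "compute-03", {"aes-256"}),        # lacks rsa-2048
    }
    return KeyManagementSystem(devices=devices, bindings={"vm-1": "hsm-01"})


if __name__ == "__main__":
    kms = build_sample_kms()
    print(migrate_crypto_info(kms, "vm-1", "compute-02", {"aes-256", "rsa-2048"}))
```

Because the description unbinds the original device before evaluating the target node, a failed step (4) would otherwise leave the virtual machine with no bound device at all; the roll-back in the example keeps the security state consistent in that case too, which is the consistency property the patent sets out to preserve.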
Example 2:
The system for securely migrating virtual machine cryptographic information based on Example 1 comprises a key management system, a first computing node and a second computing node. The first and second computing nodes are each provided with a message queue, a monitoring module and a migration module. The key management system manages the cryptographic information; the monitoring module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine cryptographic information. The interfaces called by the migration module comprise a key recovery interface, a device unbinding interface, a device binding interface and a key distribution interface.
Besides the underlying computer hardware, the first and second computing nodes each include a cryptographic device, and a virtual machine can be allocated a virtual cryptographic device.
The present invention can be readily implemented by those skilled in the art from the above detailed description. It should be understood, however, that the invention is not limited to the particular embodiments described. On the basis of the disclosed embodiments, a person skilled in the art can freely combine different technical features to arrive at different technical solutions.
Technical features not described in the specification are known to those skilled in the art.

Claims (3)

1. A method for securely migrating virtual machine cryptographic information, characterized in that a monitoring module and a migration module are deployed on each computing node; interaction among OpenStack components takes place through a message queue; the monitoring module continuously monitors the messages in the queue and triggers the migration module when it observes a message that the virtual machine has migrated successfully; once triggered, the migration module sends an unbinding request to the key management system, and the key management system calls the corresponding interfaces to migrate the virtual machine cryptographic information;
the specific working process of the migration module is as follows:
(1) the computing node sends an unbinding request to the key management system;
(2) the key management system calls the key recovery interface to recover the key information held by the cryptographic device bound to the virtual machine;
(3) the key management system calls the device unbinding interface to unbind the original cryptographic device bound to the virtual machine;
(4) the key management system evaluates whether the second computing node meets the cryptographic requirements of the virtual machine:
if yes, go to step (5);
(5) the key management system calls the device binding interface to bind a new cryptographic device to the target virtual machine;
(6) the key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, completing the secure migration of the virtual machine cryptographic information.
2. The method for securely migrating virtual machine cryptographic information according to claim 1, wherein the specific working process of the monitoring module is as follows:
(1) the monitoring module continuously checks whether Nova's live_migrate() method has sent a virtual machine migration message:
① if the monitoring module observes a live-migrate-virtual-machine message sent in topic mode, go to step (2);
② if no virtual machine migration message is observed, go back to step (1);
(2) the monitoring module continuously checks the return result of Nova's compute_rpcapi.live_migration() method for a message carrying the virtual machine and the host:
① if yes, go to step (3);
② if not, go back to step (2);
(3) the monitoring module continuously checks the return result of Nova's wait_for_live_migration() method for a message that the virtual machine has migrated successfully:
① if yes, the monitoring module triggers the migration module;
② if not, go back to step (3).
3. A system for securely migrating virtual machine cryptographic information, characterized in that it comprises a key management system and a plurality of computing nodes, each computing node being provided with a monitoring module and a migration module; the key management system manages the cryptographic information; the monitoring module continuously monitors the messages in the message queue and is responsible for triggering the migration module; and the migration module calls the corresponding interfaces to complete the secure migration of the virtual machine cryptographic information;
the specific working process of the migration module is as follows:
(1) the computing node sends an unbinding request to the key management system;
(2) the key management system calls the key recovery interface to recover the key information held by the cryptographic device bound to the virtual machine;
(3) the key management system calls the device unbinding interface to unbind the original cryptographic device bound to the virtual machine;
(4) the key management system evaluates whether the second computing node meets the cryptographic requirements of the virtual machine:
if yes, go to step (5);
(5) the key management system calls the device binding interface to bind a new cryptographic device to the target virtual machine;
(6) the key management system calls the key distribution interface to inject the key information into the new cryptographic device bound to the target virtual machine, completing the secure migration of the virtual machine cryptographic information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810593151.0A CN108718316B (en) 2018-06-11 2018-06-11 Method and system for realizing secure migration of virtual machine password information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810593151.0A CN108718316B (en) 2018-06-11 2018-06-11 Method and system for realizing secure migration of virtual machine password information

Publications (2)

Publication Number Publication Date
CN108718316A CN108718316A (en) 2018-10-30
CN108718316B true CN108718316B (en) 2020-11-24

Family

ID=63912067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810593151.0A Active CN108718316B (en) 2018-06-11 2018-06-11 Method and system for realizing secure migration of virtual machine password information

Country Status (1)

Country Link
CN (1) CN108718316B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113495777A (en) * 2020-04-03 2021-10-12 中移动信息技术有限公司 Virtual machine onboarding method, apparatus, device and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104951688A (en) * 2014-03-24 2015-09-30 国家计算机网络与信息安全管理中心 Dedicated data encryption method and encryption card for a Xen virtualized environment
CN105094964A (en) * 2014-05-20 2015-11-25 苏宁云商集团股份有限公司 Virtual machine migration method and system
CN106681802A (en) * 2015-11-06 2017-05-17 华为技术有限公司 Virtual machine migration method, device and system
CN107294710A (en) * 2017-06-30 2017-10-24 浪潮(北京)电子信息产业有限公司 Key migration method and device for vTPM2.0
CN107465689A (en) * 2017-09-08 2017-12-12 大唐高鸿信安(浙江)信息科技有限公司 Key management system and method for a virtual trusted platform module in a cloud environment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104067288B (en) * 2012-01-23 2017-03-29 西里克斯系统公司 Storage encryption method

Also Published As

Publication number Publication date
CN108718316A (en) 2018-10-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province
    Patentee after: Chaoyue Technology Co.,Ltd.
    Address before: 250104 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech Zone, Shandong Province
    Patentee before: SHANDONG CHAOYUE DATA CONTROL ELECTRONICS Co.,Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: An implementation method and system of virtual machine password information security migration
    Effective date of registration: 20211104
    Granted publication date: 20201124
    Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch
    Pledgor: Chaoyue Technology Co.,Ltd.
    Registration number: Y2021370000126
PC01 Cancellation of the registration of the contract for pledge of patent right
    Date of cancellation: 20230413
    Granted publication date: 20201124
    Pledgee: China Merchants Bank Co.,Ltd. Jinan Branch
    Pledgor: Chaoyue Technology Co.,Ltd.
    Registration number: Y2021370000126